postgresql_user: use standard module hashlib instead of passlib #23686
The test
@@ -52,8 +52,8 @@ | |||
- > | |||
When passing an encrypted password, the encrypted parameter must also be true, and it must be generated with the format | |||
C('str[\\"md5\\"] + md5[ password + username ]'), resulting in a total of 35 characters. An easy way to do this is: | |||
C(echo \\"md5`echo -n \\"verysecretpasswordJOE\\" | md5`\\"). Note that if encrypted is set, the stored password will be hashed whether or not | |||
it is pre-encrypted. | |||
C(echo \\"md5`echo -n \\"verysecretpasswordJOE\\" | md5`\\"). Note that if the presented password string is already in |
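Review bot: the command example in this docstring (echo -n "verysecretpasswordJOE" | md5) only works where an md5 command exists, i.e. BSD and macOS; on GNU systems the tool is md5sum, which also appends " -" to its output, so either mention both forms or note that the 32 hex digits must be taken on their own. The sentence is also cut mid-phrase after "already in"; make sure the continuation on the next line completes it and that the total-length statement (35 characters) stays consistent with the prefix-plus-digest format given above.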
I think "presented password string" is not correct, shouldn't it be "provided password string"?
Indeed, done.
C(echo \\"md5`echo -n \\"verysecretpasswordJOE\\" | md5`\\"). Note that if encrypted is set, the stored password will be hashed whether or not | ||
it is pre-encrypted. | ||
C(echo \\"md5`echo -n \\"verysecretpasswordJOE\\" | md5`\\"). Note that if the presented password string is already in | ||
MD5-encrypted format, then it is used as-is, regardless of encrypted parameter. |
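Review bot: "MD5-encrypted format" in the new sentence should read "MD5-hashed format", since MD5 is a digest and nothing here is encrypted; and because such a value is now taken as-is regardless of the encrypted parameter, the documentation should spell out exactly what counts as that format (the 'md5' prefix followed by 32 hex characters, 35 characters in total, as described in the preceding sentence) so that users understand why a value of that shape is never re-hashed.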
I think that's "MD5-hashed", crypto people tend to complain about it.
Done
db_password1: '{{ item.password }}' | ||
with_items: | ||
- encrypted: 'yes' | ||
password: 'secretù' |
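Review bot: the non-ASCII value in password: 'secretù' needs an inline comment stating that it is intentional; it is the item that exercises the byte conversion done before hashing, and without the comment a later reader is likely to "correct" it. Consider also adding a loop item whose password is already a 35-character 'md5...' string so the as-is path introduced by this pull request is covered by the same test.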
Can you add a comment about ù not being a typo, and being used for Unicode testing?
Done
<<: *task_parameters | ||
postgresql_user: *parameters | ||
|
||
- name: Check that ansible reports they were created |
I think that should be "it was created"
Done (3 occurrences updated).
- include: test_user.yml | ||
vars: | ||
encrypted: '{{ item.encrypted }}' | ||
db_password1: '{{ item.password }}' |
Since the value does not change in the loop, wouldn't it be clearer to put the password here directly?
Done
# Cannot check if passlib is not installed, so assume password is different | ||
pwchanging = True | ||
else: | ||
if ((password.startswith('md5') and len(password) == 32+3) or encrypted == 'UNENCRYPTED'): |
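Review bot: the magic number in len(password) == 32+3 should carry a comment (32 hex digits of the MD5 digest plus the 3-character 'md5' prefix), and the check would be tighter if it also verified that the 32 trailing characters are hex digits, since at present any 35-character string that happens to start with 'md5' takes the pre-hashed branch and is compared to rolpassword as-is rather than being hashed.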
I would document why 32+3 (md5 hash + size of 'MD5').
Done
if password != current_role_attrs['rolpassword']: | ||
pwchanging = True | ||
|
||
if not pwchanging and encrypted == 'ENCRYPTED': | ||
if md5(to_bytes(password) + to_bytes(user)).hexdigest() != current_role_attrs['rolpassword']: |
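Review bot: the comparison md5(to_bytes(password) + to_bytes(user)).hexdigest() != current_role_attrs['rolpassword'] can never be equal, because PostgreSQL stores an MD5 role password as the string 'md5' followed by the 32 hex digits, so a matching password still sets pwchanging = True and issues an unnecessary ALTER USER on every run. Prepend 'md5' to the computed digest (or compare against rolpassword with its first three characters stripped) before comparing.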
So, if the password starts with 'md5', this triggers a special case (that's the whole point of the PR). But why do we compare the md5 of the password + user with current_role_attrs['rolpassword'], since current_role_attrs['rolpassword'] will be prefixed with 'md5'? (i.e., this would always change the password)
You're right. I reworked the whole pull-request (the next condition was wrong too) and improved the tests.
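The prefix mismatch discussed in this thread, worked through as an added example that is not code from the pull request or from the ansible module: it builds the stored MD5 role password with hashlib (the module the PR switches to), recognises a value that is already in that format, and only reports a change when the full 35-character string differs. Function names are hypothetical and `.encode('utf-8')` stands in for the module's to_bytes.

```python
import hashlib
import re

# PostgreSQL stores an MD5 role password as 'md5' + hex(md5(password + username)):
# a 3-character prefix plus 32 lowercase hex digits, 35 characters in total.
MD5_PREFIX = "md5"
MD5_ROLE_PASSWORD_RE = re.compile(r"^md5[0-9a-f]{32}$")


def pg_md5_password(password, user):
    """Return the stored form, prefix included (hypothetical helper)."""
    data = password.encode("utf-8") + user.encode("utf-8")
    return MD5_PREFIX + hashlib.md5(data).hexdigest()


def is_md5_role_password(value):
    """True only for '<md5><32 hex digits>', not just any 35-char 'md5...' string."""
    return bool(MD5_ROLE_PASSWORD_RE.match(value))


def password_needs_change(password, encrypted, stored_rolpassword, user):
    """Decide whether an ALTER USER is needed, without passlib.

    'encrypted' follows the module's values: 'ENCRYPTED' or 'UNENCRYPTED'.
    'stored_rolpassword' is what pg_authid.rolpassword currently holds.
    """
    if is_md5_role_password(password):
        # A pre-hashed value is used as-is, regardless of 'encrypted'.
        return password != stored_rolpassword
    if encrypted == "ENCRYPTED":
        # Compare the full prefixed string; a bare hexdigest would never
        # match the stored value and would force a change on every run.
        return pg_md5_password(password, user) != stored_rolpassword
    # UNENCRYPTED: the server stores the plaintext, so compare directly.
    return password != stored_rolpassword
```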
CI failure due to traceback during integration tests on python 3:
My guess is that the change in the test cases (maybe because the new password is now non-ascii?) is revealing a bug in a different part of the code.
It seems the second shippable pass with Using locally a Xenial LXC container ( Using docker, I encountered a problem using
so I added
do you know how to disable coverage?
I'm guessing the maximum verbosity passing is not due to the verbosity, but the fact that the test is being run a second time.
Coverage is off by default. The error you're getting indicates the interpreter interception script used by ansible-test is not executable, which is an error I haven't seen before. Is your Regarding the docker error, what are you using for your docker host (platform and docker version)?
If you don't mind running the tests without docker, you could try this on a system with python 3.5:
I can duplicate the exception with the following command from this branch:
When the except is encountered the following variables are in play (with postgresql_user.py modified to display the following):
This relates to:
waiting_on: maintainer
When an unchanged MD5-hashed password was used and passlib was unavailable, a useless 'ALTER USER' query was executed. Once this useless query is avoided, the last 'SELECT' query becomes useless too.
This task is only executed when the playbook has already been executed once, for example using 'ansible-test integration' with the '--retry-error' switch when the first run fails. This modification allows recreating the default databases (postgres, template0 and template1) using the same encoding as the one used by the Debian package. The default encoding is 'SQL_ASCII' when no default locale is set in /etc/default/locale.
By default, client encoding is determined either from the LANG_*/LC_* environment variables or from the encoding of the database. Containers used in the CI don't define a default locale, so the encoding of the default databases was SQL_ASCII.
Rebased
shipit
shipit
shipit
bot_status
waiting_on: maintainer
shipit
This has gotten enough shipits from various people since the last real change. Merging.
merged to devel.
SUMMARY
When passlib isn't available, a useless 'alter role' query is executed.
ISSUE TYPE
COMPONENT NAME
postgresql_user
ANSIBLE VERSION