Give warning if user inputs not encrypted password to user module #43615

Merged
merged 8 commits into from
Aug 13, 2018

Contributor

@HD650 HD650 commented Aug 2, 2018

SUMMARY

The user module doesn't check the input password and returns very little information if users input an unencrypted password (which is wrong), so it's hard for users to figure out what's wrong. This PR checks the format of the input password and gives a warning if the password is not encrypted.
Fix #28772

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

/lib/ansible/modules/system/user.py

ANSIBLE VERSION
ansible 2.7.0.dev0 (issue_28772 f5fa73be30) last updated 2018/08/02 13:59:35 (GMT -400)
  config file = None
  configured module search path = [u'/home/zhikangzhang/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /home/zhikangzhang/Desktop/ansible/lib/ansible
  executable location = /home/zhikangzhang/Desktop/ansible/bin/ansible
  python version = 2.7.15 (default, May 16 2018, 17:50:09) [GCC 8.1.1 20180502 (Red Hat 8.1.1-1)]
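
The kind of format check the summary above describes, as an added example that is not the code merged in this PR. The function name `password_warnings`, the exact rules and the sample values are assumptions made for illustration.

```python
import re

# Alphabet crypt(3) uses for digests and traditional salts: [./0-9A-Za-z]
_CRYPT_CHARS = re.compile(r'[./0-9A-Za-z]+')

# Prefixes that are legitimate in the shadow field without being a hash:
# '*' disables the account, '!' locks it.
_LOCK_MARKERS = ('*', '!')


def password_warnings(value):
    """Return reasons why `value` does not look like a crypt(3) hash.

    An empty list means "plausibly hashed". This is a heuristic, not a
    verifier: a 13-character cleartext from the crypt alphabet passes.
    """
    if value == '' or value.startswith(_LOCK_MARKERS):
        return []  # empty, disabled or locked: nothing to check
    if ':' in value:
        return ["contains ':', the shadow field delimiter"]
    if value.startswith('$'):
        # Modular crypt format: $id$[params$]salt$digest
        fields = value.split('$')
        if len(fields) < 4 or not fields[1]:
            return ['modular crypt string is missing id, salt or digest']
        if not _CRYPT_CHARS.fullmatch(fields[-1]):
            return ['digest has characters outside [./0-9A-Za-z]']
        return []
    # Traditional DES crypt: exactly 13 characters from the crypt alphabet
    if len(value) == 13 and _CRYPT_CHARS.fullmatch(value):
        return []
    return ['no $id$ prefix and not a 13-character DES crypt string']


if __name__ == '__main__':
    # Constructed sample values, not real credentials or real hashes.
    samples = [
        '$6$saltsalt$' + 'a' * 86,  # shaped like a SHA-512 crypt string
        'hunter2',                  # cleartext
        '$ecret',                   # cleartext that happens to start with '$'
        'user:pass',                # would corrupt the shadow entry
        '*',                        # disabled account marker
    ]
    for sample in samples:
        print(repr(sample[:16]), password_warnings(sample) or 'ok')
```
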

Check the password format and notify user if they
input unencrypted password.
Contributor

ansibot commented Aug 2, 2018

@ansibot ansibot added affects_2.7 This issue/PR affects Ansible v2.7 core_review In order to be merged, this PR must follow the core review workflow. feature This issue/PR relates to a feature request. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Aug 2, 2018
Contributor

ansibot commented Aug 2, 2018

The test ansible-test sanity --test pep8 [explain] failed with 2 errors:

lib/ansible/modules/system/user.py:451:23: E111 indentation is not a multiple of four
lib/ansible/modules/system/user.py:465:29: E128 continuation line under-indented for visual indent

@ansibot ansibot added ci_verified Changes made in this PR are causing tests to fail. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed core_review In order to be merged, this PR must follow the core review workflow. labels Aug 2, 2018
@ansibot ansibot added core_review In order to be merged, this PR must follow the core review workflow. and removed ci_verified Changes made in this PR are causing tests to fail. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Aug 2, 2018
else:
maybe_invalid = True
if maybe_invalid:
self.module.warn("The iunput password seems not been hashed, "
Contributor

"iunput" --> "input"

Contributor

samdoran commented Aug 2, 2018

This is a very nice sanity check. Can you add some integration tests for this as well?

@samdoran samdoran removed the needs_triage Needs a first human triage before being processed. label Aug 2, 2018
@ansibot ansibot added test This PR relates to tests. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed core_review In order to be merged, this PR must follow the core review workflow. labels Aug 3, 2018
HD650 added 2 commits August 3, 2018 14:34
Since some testing platform has no passlib installed
@ansibot ansibot added core_review In order to be merged, this PR must follow the core review workflow. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Aug 3, 2018
Contributor

samdoran commented Aug 3, 2018

Tests look good. Thanks! Please create a changelog fragment and I'll get this merged (sorry I forgot to mention that earlier). See fragments for examples.

Contributor Author

HD650 commented Aug 7, 2018

@samdoran I have created a changelog fragment, could you review again? Thanks!

maybe_invalid = True
if maybe_invalid:
self.module.warn("The input password seems not been hashed, "
"please note that 'password' argument requires an encrypted value or the password will not work properly.")
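Review bot: The two string literals passed to `self.module.warn` use "hashed" in the first and "encrypted" in the second for the same requirement. Pick one term; crypt(3) values are one-way hashes, so "hashed" in both places is the accurate wording, and the message could also say how to produce one (for example the `password_hash` filter).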
Contributor

The English on this sentence needs to be reworked. "The input password appears not to have been hashed." "The 'password' argument must be encrypted for this module to work properly."

else:
fields = self.module.params['password'].split("$")
if len(fields) >= 3:
# contains character outside crypt constrain
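Review bot: The `len(fields) >= 3` test on the `split("$")` result does not, in the visible lines, confirm that the value starts with `$`. A cleartext string such as `a$b$c` also splits into three fields, whereas a `$id$salt$hash` string always yields an empty first field, so consider also requiring `fields[0] == ''` before treating the value as a candidate hash.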
Contributor

"outside the crypto constraint"

if self.module.params['password'] and self.platform != 'Darwin':
maybe_invalid = False
# : for delimiter, * for disable user, ! for lock user
# these character are invalid in password
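Review bot: The `self.platform != 'Darwin'` condition on the first line has no comment explaining why Darwin is skipped; the comment two lines below covers `:`, `*` and `!` but not the platform test. Add a one-line comment stating the reason for the exclusion so a later edit does not drop it by mistake.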
Contributor

s/character/characters

Contributor

"the password"

@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed core_review In order to be merged, this PR must follow the core review workflow. labels Aug 7, 2018
Contributor

@ericwb ericwb left a comment

Thanks for reworking the words

@@ -0,0 +1,3 @@
---
minor_changes:
- user module - add a sanity check for user password and a more helpful warning message (https://github.com/ansible/ansible/pull/43615)
Contributor

Sorry one more nit: "a user's password"

Contributor Author

No problem!

Contributor Author

HD650 commented Aug 9, 2018

@ericwb Fixed the grammar mistake.

@ansibot ansibot added core_review In order to be merged, this PR must follow the core review workflow. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Aug 9, 2018
Contributor Author

HD650 commented Aug 10, 2018

@samdoran Need any other change?

@samdoran samdoran merged commit b20d903 into ansible:devel Aug 13, 2018
@ansible ansible locked and limited conversation to collaborators Jul 22, 2019
Successfully merging this pull request may close these issues.

password plugin generates inappropriate default passwords