Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

states.user.present: Make usage of hash_password idempotent #47147

Merged
merged 2 commits into from Jun 30, 2018
Merged

states.user.present: Make usage of hash_password idempotent #47147

merged 2 commits into from Jun 30, 2018

Conversation

eliasp
Copy link
Contributor

@eliasp eliasp commented Apr 18, 2018

What does this PR do?

It fixes the non-idempotent behavior of states.user.present when hash_password: True described in #45939
It targets 2018.3, but due to it's trivial nature, it should be easily cherry-picked for backports to older releases.

What issues does this PR fix or reference?

#45939

Previous Behavior

Every time states.user.present with hash_password: True was used, a new shadow hash was generated based on a new randomly generated salt value for hashing which made this state's behavior idempotent.

New Behavior

Before hashing a password, it checks now whether an existing salt can be retrieved.
If yes, it will be re-used for generating the hash.
If not, it defaults to using a new randomly generated salt.

Tests written?

No

Commits signed with GPG?

Yes

@eliasp
Copy link
Contributor Author

eliasp commented Apr 18, 2018

Those failures aren't related to this PR:

@cachedout
Copy link
Contributor

I totally see the case for this but would love to have some tests written around this behavior. Any chance you'd be willing to write some?

@cachedout
Copy link
Contributor

@eliasp Did you see my comment above regarding tests?

@eliasp
Copy link
Contributor Author

eliasp commented Apr 23, 2018
edited

Sorry, I initially planned on adding some tests, but won't have time right now to complete this.
Feel free to take it from here for now:

@cachedout cachedout requested a review from isbm May 1, 2018 17:52
isbm
isbm suggested changes May 1, 2018
View reviewed changes
salt/states/user.py
# hash to change each time and thereby making the
# user.present state non-idempotent.
algorithms = {
'1': 'md5',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But this is insecure. I think we should either kill this option or at least scream all around the place in logs if anyone will use this.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do agree that "screaming all around the place in logs" is the most reasonable reaction here…

Added a corresponding warning.

@rallytime rallytime requested a review from isbm May 22, 2018 15:05
@rallytime rallytime merged commit 9b364e2 into saltstack:2018.3 Jun 30, 2018
@eliasp eliasp deleted the 2018.3-issue-45939-shadow-hash-salt branch June 16, 2019 21:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cachedout cachedout cachedout approved these changes

@isbm isbm isbm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@eliasp @cachedout @isbm @rallytime