Diffstat (limited to 'lib/ansible/plugins/lookup/password.py')
-rw-r--r-- | lib/ansible/plugins/lookup/password.py | 42 |
1 files changed, 15 insertions, 27 deletions
diff --git a/lib/ansible/plugins/lookup/password.py b/lib/ansible/plugins/lookup/password.py
index b08845a7..1fe97f14 100644
--- a/lib/ansible/plugins/lookup/password.py
+++ b/lib/ansible/plugins/lookup/password.py
@@ -28,23 +28,26 @@ DOCUMENTATION = """ required: True encrypt: description: - - Which hash scheme to encrypt the returning password, should be one hash scheme from C(passlib.hash; md5_crypt, bcrypt, sha256_crypt, sha512_crypt). + - Which hash scheme to encrypt the returning password, should be one hash scheme from C(passlib.hash); + V(md5_crypt), V(bcrypt), V(sha256_crypt), V(sha512_crypt). - If not provided, the password will be returned in plain text. - Note that the password is always stored as plain text, only the returning password is encrypted. - Encrypt also forces saving the salt value for idempotence. - Note that before 2.6 this option was incorrectly labeled as a boolean for a long time. ident: description: - - Specify version of Bcrypt algorithm to be used while using C(encrypt) as C(bcrypt). - - The parameter is only available for C(bcrypt) - U(https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#passlib.hash.bcrypt). + - Specify version of Bcrypt algorithm to be used while using O(encrypt) as V(bcrypt). + - The parameter is only available for V(bcrypt) - U(https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#passlib.hash.bcrypt). - Other hash types will simply ignore this parameter. - - 'Valid values for this parameter are: C(2), C(2a), C(2y), C(2b).' + - 'Valid values for this parameter are: V(2), V(2a), V(2y), V(2b).' type: string version_added: "2.12" chars: version_added: "1.4" description: - A list of names that compose a custom character set in the generated passwords. + - This parameter defines the possible character sets in the resulting password, not the required character sets. + If you want to require certain character sets for passwords, you can use the P(community.general.random_string#lookup) lookup plugin. - 'By default generated passwords contain a random mix of upper and lowercase ASCII letters, the numbers 0-9, and punctuation (". , : - _").' 
- "They can be either parts of Python's string module attributes or represented literally ( :, -)." - "Though string modules can vary by Python version, valid values for both major releases include: @@ -130,7 +133,7 @@ import time import hashlib from ansible.errors import AnsibleError, AnsibleAssertionError -from ansible.module_utils._text import to_bytes, to_native, to_text +from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text from ansible.module_utils.six import string_types from ansible.parsing.splitter import parse_kv from ansible.plugins.lookup import LookupBase @@ -364,6 +367,7 @@ class LookupModule(LookupBase): try: # make sure only one process finishes all the job first first_process, lockfile = _get_lock(b_path) + content = _read_password_file(b_path) if content is None or b_path == to_bytes('/dev/null'): 
@@ -381,34 +385,18 @@ class LookupModule(LookupBase): except KeyError: salt = random_salt() - ident = params['ident'] + if not ident: + ident = params['ident'] + elif params['ident'] and ident != params['ident']: + raise AnsibleError('The ident parameter provided (%s) does not match the stored one (%s).' % (ident, params['ident'])) + if encrypt and not ident: - changed = True try: ident = BaseHash.algorithms[encrypt].implicit_ident except KeyError: ident = None - - encrypt = params['encrypt'] - if encrypt and not salt: + if ident: changed = True - try: - salt = random_salt(BaseHash.algorithms[encrypt].salt_size) - except KeyError: - salt = random_salt() - - if not ident: - ident = params['ident'] - elif params['ident'] and ident != params['ident']: - raise AnsibleError('The ident parameter provided (%s) does not match the stored one (%s).' % (ident, params['ident'])) - - if encrypt and not ident: - try: - ident = BaseHash.algorithms[encrypt].implicit_ident - except KeyError: - ident = None - if ident: - changed = True if changed and b_path != to_bytes('/dev/null'): content = _format_content(plaintext_password, salt, encrypt=encrypt, ident=ident) |
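Review bot: The ident-mismatch `raise AnsibleError(...)` sits inside the `try:` that follows `_get_lock(b_path)` (visible in the @@ -364 hunk), so it presumably fires while the lock is still held, and the release path is not visible here. Confirm the enclosing `try` has a `finally` that releases the lock file on this error path, otherwise concurrent lookups on the same path could be left waiting. Separately, `changed = True` is now set only when an implicit ident was actually resolved, and that flag decides whether the file holding the plaintext password is rewritten; a short comment above `if ident:` such as `# rewrite the password file only when a newly resolved ident must be persisted` would make that intent explicit. The enclosing method starts and ends outside this hunk.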