From 78b635ae78346fdfb298dd0d0c82ae1ff34b754a Mon Sep 17 00:00:00 2001

From: Rafael Guterres Jeffman <rjeffman@redhat.com>

Date: Tue, 23 Jun 2020 17:53:47 -0300

Subject: [PATCH] Add suppport for changing password of symmetric vaults.

Allows changing passwords of symmetric waults, using a new variable

`new_password` (or the file-base version, `new_password_file`). The

old password must be passed using the `password` or `password_file`

variables that also received new aliases `old_password` and

`old_password_file`, respectively.

Tests were modyfied to reflect the changes.

---

 README-vault.md                               |  23 +++-

 .../vault/change-password-symmetric-vault.yml |   2 +-

 plugins/modules/ipavault.py                   | 129 +++++++++++++++---

 tests/vault/test_vault_symmetric.yml          |  64 +++++++++

 4 files changed, 194 insertions(+), 24 deletions(-)

diff --git a/README-vault.md b/README-vault.md

index c7ae6916..fa1d3e11 100644

--- a/README-vault.md

+++ b/README-vault.md

@@ -165,6 +165,22 @@ Example playbook to make sure vault data is absent in a symmetric vault:

       state: absent

 ```

+Example playbook to change the password of a symmetric:

+

+```yaml

+---

+- name: Playbook to handle vaults

+  hosts: ipaserver

+  become: true

+

+  tasks:

+  - ipavault:

+      ipaadmin_password: SomeADMINpassword

+      name: symvault

+      old_password: SomeVAULTpassword

+      new_password: SomeNEWpassword

+```

+

 Example playbook to make sure vault is absent:

 ```yaml

@@ -197,8 +213,11 @@ Variable | Description | Required

 `name` \| `cn` | The list of vault name strings. | yes

 `description` | The vault description string. | no

 `nomembers` | Suppress processing of membership attributes. (bool) | no

-`password ` \| `vault_password` \| `ipavaultpassword` | Vault password. | no

-`public_key ` \| `vault_public_key` \| `ipavaultpublickey` | Base64 encoded vault public key. | no

+`password` \| `vault_password` \| `ipavaultpassword` \| `old_password`| Vault password. | no

+`password_file` \| `vault_password_file` \| `old_password_file`| File containing Base64 encoded Vault password. | no

+`new_password` | Vault new password. | no

+`new_password_file` | File containing Base64 encoded new Vault password. | no

+`public_key ` \| `vault_public_key` \| `old_password_file` | Base64 encoded vault public key. | no

 `public_key_file` \| `vault_public_key_file` | Path to file with public key. | no

 `private_key `\| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no

 `private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no

diff --git a/playbooks/vault/change-password-symmetric-vault.yml b/playbooks/vault/change-password-symmetric-vault.yml

index 3871f45d..396a79f6 100644

--- a/playbooks/vault/change-password-symmetric-vault.yml

+++ b/playbooks/vault/change-password-symmetric-vault.yml

@@ -10,7 +10,7 @@

       ipaadmin_password: SomeADMINpassword

       name: symvault

       password: SomeVAULTpassword

-  - name: Change vault passord.

+  - name: Change vault password.

     ipavault:

       ipaadmin_password: SomeADMINpassword

       name: symvault

diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py

index ad5dd413..46c6fcdb 100644

--- a/plugins/modules/ipavault.py

+++ b/plugins/modules/ipavault.py

@@ -69,12 +69,20 @@

     description: password to be used on symmetric vault.

     required: false

     type: string

-    aliases: ["ipavaultpassword", "vault_password"]

+    aliases: ["ipavaultpassword", "vault_password", "old_password"]

   password_file:

     description: file with password to be used on symmetric vault.

     required: false

     type: string

-    aliases: ["vault_password_file"]

+    aliases: ["vault_password_file", "old_password_file"]

+  new_password:

+    description: new password to be used on symmetric vault.

+    required: false

+    type: string

+  new_password_file:

+    description: file with new password to be used on symmetric vault.

+    required: false

+    type: string

   salt:

     description: Vault salt.

     required: false

@@ -235,7 +243,15 @@

     state: retrieved

   register: result

 - debug:

-    msg: "{{ result.data | b64decode }}"

+    msg: "{{ result.data }}"

+

+# Change password of a symmetric vault

+- ipavault:

+    ipaadmin_password: SomeADMINpassword

+    name: symvault

+    username: admin

+    old_password: SomeVAULTpassword

+    new_password: SomeNEWpassword

 # Ensure vault symvault is absent

 - ipavault:

@@ -416,18 +432,29 @@ def check_parameters(module, state, action, description, username, service,

                      shared, users, groups, services, owners, ownergroups,

                      ownerservices, vault_type, salt, password, password_file,

                      public_key, public_key_file, private_key,

-                     private_key_file, vault_data, datafile_in, datafile_out):

+                     private_key_file, vault_data, datafile_in, datafile_out,

+                     new_password, new_password_file):

     invalid = []

     if state == "present":

         invalid = ['private_key', 'private_key_file', 'datafile_out']

+        if all([password, password_file]) \

+           or all([new_password, new_password_file]):

+            module.fail_json(msg="Password specified multiple times.")

+

+        if any([new_password, new_password_file]) \

+           and not any([password, password_file]):

+            module.fail_json(

+                msg="Either `password` or `password_file` must be provided to "

+                    "change symmetric vault password.")

+

         if action == "member":

             invalid.extend(['description'])

     elif state == "absent":

         invalid = ['description', 'salt', 'vault_type', 'private_key',

                    'private_key_file', 'datafile_in', 'datafile_out',

-                   'vault_data']

+                   'vault_data', 'new_password', 'new_password_file']

         if action == "vault":

             invalid.extend(['users', 'groups', 'services', 'owners',

@@ -437,7 +464,7 @@ def check_parameters(module, state, action, description, username, service,

     elif state == "retrieved":

         invalid = ['description', 'salt', 'datafile_in', 'users', 'groups',

                    'owners', 'ownergroups', 'public_key', 'public_key_file',

-                   'vault_data']

+                   'vault_data', 'new_password', 'new_password_file']

         if action == 'member':

             module.fail_json(

                 msg="State `retrieved` do not support action `member`.")

@@ -458,11 +485,17 @@ def check_parameters(module, state, action, description, username, service,

 def check_encryption_params(module, state, action, vault_type, salt,

                             password, password_file, public_key,

                             public_key_file, private_key, private_key_file,

-                            vault_data, datafile_in, datafile_out, res_find):

+                            vault_data, datafile_in, datafile_out,

+                            new_password, new_password_file, res_find):

     vault_type_invalid = []

+

+    if res_find is not None:

+        vault_type = res_find['ipavaulttype']

+

     if vault_type == "standard":

         vault_type_invalid = ['public_key', 'public_key_file', 'password',

-                              'password_file', 'salt']

+                              'password_file', 'salt', 'new_password',

+                              'new_password_file']

     if vault_type is None or vault_type == "symmetric":

         vault_type_invalid = ['public_key', 'public_key_file',

@@ -473,8 +506,14 @@ def check_encryption_params(module, state, action, vault_type, salt,

                 msg="Symmetric vault requires password or password_file "

                     "to store data or change `salt`.")

+        if any([new_password, new_password_file]) and res_find is None:

+            module.fail_json(

+                msg="Cannot modify password of inexistent vault.")

+

     if vault_type == "asymmetric":

-        vault_type_invalid = ['password', 'password_file']

+        vault_type_invalid = [

+            'password', 'password_file', 'new_password', 'new_password_file'

+        ]

         if not any([public_key, public_key_file]) and res_find is None:

             module.fail_json(

                 msg="Assymmetric vault requires public_key "

@@ -487,6 +526,43 @@ def check_encryption_params(module, state, action, vault_type, salt,

                 (param, vault_type or 'symmetric'))

+def change_password(module, res_find, password, password_file, new_password,

+                    new_password_file):

+    """

+    Change the password of a symmetric vault.

+

+    To change the password of a vault, it is needed to retrieve the stored

+    data with the current password, and store the data again, with the new

+    password, forcing it to override the old one.

+    """

+    # verify parameters.

+    if not any([new_password, new_password_file]):

+        return []

+    if res_find["ipavaulttype"][0] != "symmetric":

+        module.fail_json(msg="Cannot change password of `%s` vault."

+                             % res_find["ipavaulttype"])

+

+    # prepare arguments to retrieve data.

+    name = res_find["cn"][0]

+    args = {}

+    if password:

+        args["password"] = password

+    if password_file:

+        args["password"] = password_file

+    # retrieve current stored data

+    result = api_command(module, 'vault_retrieve', name, args)

+    args['data'] = result['result']['data']

+

+    # modify arguments to store data with new password.

+    if password:

+        args["password"] = new_password

+    if password_file:

+        args["password"] = new_password_file

+    args["override_password"] = True

+    # return the command to store data with the new password.

+    return [(name, "vault_archive", args)]

+

+

 def main():

     ansible_module = AnsibleModule(

         argument_spec=dict(

@@ -533,10 +609,18 @@ def main():

             datafile_out=dict(type="str", required=False, default=None,

                               aliases=['out']),

             vault_password=dict(type="str", required=False, default=None,

-                                aliases=['ipavaultpassword', 'password'],

-                                no_log=True),

+                                no_log=True,

+                                aliases=['ipavaultpassword', 'password',

+                                         "old_password"]),

             vault_password_file=dict(type="str", required=False, default=None,

-                                     no_log=False, aliases=['password_file']),

+                                     no_log=False,

+                                     aliases=[

+                                        'password_file', "old_password_file"

+                                     ]),

+            new_password=dict(type="str", required=False, default=None,

+                              no_log=True),

+            new_password_file=dict(type="str", required=False, default=None,

+                                   no_log=False),

             # state

             action=dict(type="str", default="vault",

                         choices=["vault", "data", "member"]),

@@ -546,6 +630,7 @@ def main():

         supports_check_mode=True,

         mutually_exclusive=[['username', 'service', 'shared'],

                             ['datafile_in', 'vault_data'],

+                            ['new_password', 'new_password_file'],

                             ['vault_password', 'vault_password_file'],

                             ['vault_public_key', 'vault_public_key_file']],

     )

@@ -576,6 +661,8 @@ def main():

     salt = module_params_get(ansible_module, "vault_salt")

     password = module_params_get(ansible_module, "vault_password")

     password_file = module_params_get(ansible_module, "vault_password_file")

+    new_password = module_params_get(ansible_module, "new_password")

+    new_password_file = module_params_get(ansible_module, "new_password_file")

     public_key = module_params_get(ansible_module, "vault_public_key")

     public_key_file = module_params_get(ansible_module,

                                         "vault_public_key_file")

@@ -614,7 +701,8 @@ def main():

                      service, shared, users, groups, services, owners,

                      ownergroups, ownerservices, vault_type, salt, password,

                      password_file, public_key, public_key_file, private_key,

-                     private_key_file, vault_data, datafile_in, datafile_out)

+                     private_key_file, vault_data, datafile_in, datafile_out,

+                     new_password, new_password_file)

     # Init

     changed = False

@@ -660,7 +748,7 @@ def main():

                     ansible_module, state, action, vault_type, salt, password,

                     password_file, public_key, public_key_file, private_key,

                     private_key_file, vault_data, datafile_in, datafile_out,

-                    res_find)

+                    new_password, new_password_file, res_find)

                 # Found the vault

                 if action == "vault":

@@ -721,7 +809,6 @@ def main():

                     owner_add_args = gen_member_args(

                         args, owner_add, ownergroups_add, ownerservice_add)

                     if owner_add_args is not None:

-                        # ansible_module.warn("OWNER ADD: %s" % owner_add_args)

                         commands.append(

                             [name, 'vault_add_owner', owner_add_args])

@@ -729,7 +816,6 @@ def main():

                     owner_del_args = gen_member_args(

                         args, owner_del, ownergroups_del, ownerservice_del)

                     if owner_del_args is not None:

-                        # ansible_module.warn("OWNER DEL: %s" % owner_del_args)

                         commands.append(

                             [name, 'vault_remove_owner', owner_del_args])

@@ -758,19 +844,22 @@ def main():

                 if any([vault_data, datafile_in]):

                     commands.append([name, "vault_archive", pwdargs])

+                cmds = change_password(

+                    ansible_module, res_find, password, password_file,

+                    new_password, new_password_file)

+                commands.extend(cmds)

+

             elif state == "retrieved":

                 if res_find is None:

                     ansible_module.fail_json(

                         msg="Vault `%s` not found to retrieve data." % name)

-                vault_type = res_find['cn']

-

                 # verify data encription args

                 check_encryption_params(

                     ansible_module, state, action, vault_type, salt, password,

                     password_file, public_key, public_key_file, private_key,

                     private_key_file, vault_data, datafile_in, datafile_out,

-                    res_find)

+                    new_password, new_password_file, res_find)

                 pwdargs = data_storage_args(

                     args, vault_data, password, password_file, private_key,

@@ -813,7 +902,6 @@ def main():

         errors = []

         for name, command, args in commands:

             try:

-                # ansible_module.warn("RUN: %s %s %s" % (command, name, args))

                 result = api_command(ansible_module, command, name, args)

                 if command == 'vault_archive':

@@ -829,7 +917,6 @@ def main():

                         raise Exception("No data retrieved.")

                     changed = False

                 else:

-                    # ansible_module.warn("RESULT: %s" % (result))

                     if "completed" in result:

                         if result["completed"] > 0:

                             changed = True

diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml

index c9429f4f..a6072d88 100644

--- a/tests/vault/test_vault_symmetric.yml

+++ b/tests/vault/test_vault_symmetric.yml

@@ -178,6 +178,61 @@

     register: result

     failed_when: result.data != 'Hello World.' or result.changed

+  - name: Change vault password.

+    ipavault:

+      ipaadmin_password: SomeADMINpassword

+      name: symvault

+      password: SomeVAULTpassword

+      new_password: SomeNEWpassword

+    register: result

+    failed_when: not result.changed

+

+  - name: Retrieve data from symmetric vault, with wrong password.

+    ipavault:

+      ipaadmin_password: SomeADMINpassword

+      name: symvault

+      password: SomeVAULTpassword

+      state: retrieved

+    register: result

+    failed_when: not result.failed or "Invalid credentials" not in result.msg

+

+  - name: Change vault password, with wrong `old_password`.

+    ipavault:

+      ipaadmin_password: SomeADMINpassword

+      name: symvault

+      password: SomeVAULTpassword

+      new_password: SomeNEWpassword

+    register: result

+    failed_when: not result.failed or "Invalid credentials" not in result.msg

+

+  - name: Retrieve data from symmetric vault, with new password.

+    ipavault:

+      ipaadmin_password: SomeADMINpassword

+      name: symvault

+      password: SomeNEWpassword

+      state: retrieved

+    register: result

+    failed_when: result.data != 'Hello World.' or result.changed

+

+  - name: Try to add vault with multiple passwords.

+    ipavault:

+      ipaadmin_password: SomeADMINpassword

+      name: inexistentvault

+      password: SomeVAULTpassword

+      password_file: "{{ ansible_env.HOME }}/password.txt"

+    register: result

+    failed_when: not result.failed or "parameters are mutually exclusive" not in result.msg

+

+  - name: Try to add vault with multiple new passwords.

+    ipavault:

+      ipaadmin_password: SomeADMINpassword

+      name: inexistentvault

+      password: SomeVAULTpassword

+      new_password: SomeVAULTpassword

+      new_password_file: "{{ ansible_env.HOME }}/password.txt"

+    register: result

+    failed_when: not result.failed or "parameters are mutually exclusive" not in result.msg

+

   - name: Ensure symmetric vault is absent

     ipavault:

       ipaadmin_password: SomeADMINpassword

@@ -194,5 +249,14 @@

     register: result

     failed_when: result.changed

+  - name: Try to change password of inexistent vault.

+    ipavault:

+      ipaadmin_password: SomeADMINpassword

+      name: inexistentvault

+      password: SomeVAULTpassword

+      new_password: SomeNEWpassword

+    register: result

+    failed_when: not result.failed or "Cannot modify password of inexistent vault" not in result.msg

+

   - name: Cleanup testing environment.

     import_tasks: env_cleanup.yml