From 3e5c54d4fdb10deda9b7e4deaf2c537b132711c9 Mon Sep 17 00:00:00 2001

From: Rafael Guterres Jeffman <rjeffman@redhat.com>

Date: Fri, 31 Jul 2020 11:30:51 -0300

Subject: [PATCH] Fix identification of existing vault type.

In some scenarios, the value of the vault type is returned as a tuple,

rather than a string, this made some changes to existing vault to fail.

With this change, the vault type is correctly retrieved, if it was not

provided by the user.

---

 plugins/modules/ipavault.py | 4 +++-

 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py

index 6a3c73e..8562ff7 100644

--- a/plugins/modules/ipavault.py

+++ b/plugins/modules/ipavault.py

@@ -494,8 +494,10 @@ def check_encryption_params(module, state, action, vault_type, salt,

                             new_password, new_password_file, res_find):

     vault_type_invalid = []

-    if res_find is not None:

+    if vault_type is None and res_find is not None:

         vault_type = res_find['ipavaulttype']

+        if isinstance(vault_type, (tuple, list)):

+            vault_type = vault_type[0]

     if vault_type == "standard":

         vault_type_invalid = ['public_key', 'public_key_file', 'password',

-- 

2.26.2

From d52364bac923f2935b948882d5825e7488b0e9cf Mon Sep 17 00:00:00 2001

From: Rafael Guterres Jeffman <rjeffman@redhat.com>

Date: Fri, 31 Jul 2020 11:32:36 -0300

Subject: [PATCH] Fix random salt generation.

The generation of a random salt, when one was not provided, was in the

wrong place and being generated too late to be used properly. Also, the

generation of the value was duplicated.

---

 plugins/modules/ipavault.py | 13 +++++--------

 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py

index 8562ff7..dffd972 100644

--- a/plugins/modules/ipavault.py

+++ b/plugins/modules/ipavault.py

@@ -768,7 +768,12 @@ def main():

                             commands.append([name, "vault_mod_internal", args])

                     else:

+                        if vault_type == 'symmetric' \

+                           and 'ipavaultsalt' not in args:

+                            args['ipavaultsalt'] = os.urandom(32)

+

                         commands.append([name, "vault_add_internal", args])

+

                         if vault_type != 'standard' and vault_data is None:

                             vault_data = ''

@@ -826,14 +831,6 @@ def main():

                         commands.append(

                             [name, 'vault_remove_owner', owner_del_args])

-                    if vault_type == 'symmetric' \

-                       and 'ipavaultsalt' not in args:

-                        args['ipavaultsalt'] = os.urandom(32)

-

-                    if vault_type == 'symmetric' \

-                       and 'ipavaultsalt' not in args:

-                        args['ipavaultsalt'] = os.urandom(32)

-

                 elif action in "member":

                     # Add users and groups

                     if any([users, groups, services]):

-- 

2.26.2

From daee6a6c744a740329ca231a277229567619e10c Mon Sep 17 00:00:00 2001

From: Rafael Guterres Jeffman <rjeffman@redhat.com>

Date: Fri, 31 Jul 2020 11:33:47 -0300

Subject: [PATCH] Fix verification of parameters for modifying `salt`

 attribute.

When modifying an existing vault to change the value of `salt`, the

password must also change. It is fine to "change" the password to the

same value, thus only changing the salt value.

---

 plugins/modules/ipavault.py | 10 ++++++++++

 1 file changed, 10 insertions(+)

diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py

index dffd972..a608e64 100644

--- a/plugins/modules/ipavault.py

+++ b/plugins/modules/ipavault.py

@@ -517,6 +517,16 @@ def check_encryption_params(module, state, action, vault_type, salt,

             module.fail_json(

                 msg="Cannot modify password of inexistent vault.")

+        if (

+            salt is not None

+            and not(

+                any([password, password_file])

+                and any([new_password, new_password_file])

+            )

+        ):

+            module.fail_json(

+                msg="Vault `salt` can only change when changing the password.")

+

     if vault_type == "asymmetric":

         vault_type_invalid = [

             'password', 'password_file', 'new_password', 'new_password_file'

-- 

2.26.2

From 4ef4e706b79fdbb43e462b1a7130fc2cad5894b2 Mon Sep 17 00:00:00 2001

From: Rafael Guterres Jeffman <rjeffman@redhat.com>

Date: Fri, 31 Jul 2020 11:42:13 -0300

Subject: [PATCH] Modify tests to verify password was changed correctly.

Modify and add tests to verify that a password change has the correct

effect on ipavault.

---

 tests/vault/test_vault_symmetric.yml | 36 ++++++++++++++++++----------

 1 file changed, 23 insertions(+), 13 deletions(-)

diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml

index bedc221..9294331 100644

--- a/tests/vault/test_vault_symmetric.yml

+++ b/tests/vault/test_vault_symmetric.yml

@@ -178,6 +178,15 @@

     register: result

     failed_when: result.vault.data != 'Hello World.' or result.changed

+  - name: Retrieve data from symmetric vault, with wrong password.

+    ipavault:

+      ipaadmin_password: SomeADMINpassword

+      name: symvault

+      password: SomeWRONGpassword

+      state: retrieved

+    register: result

+    failed_when: not result.failed or "Invalid credentials" not in result.msg

+

   - name: Change vault password.

     ipavault:

       ipaadmin_password: SomeADMINpassword

@@ -187,43 +196,44 @@

     register: result

     failed_when: not result.changed

-  - name: Retrieve data from symmetric vault, with wrong password.

+  - name: Retrieve data from symmetric vault, with new password.

     ipavault:

       ipaadmin_password: SomeADMINpassword

       name: symvault

-      password: SomeVAULTpassword

+      password: SomeNEWpassword

       state: retrieved

     register: result

-    failed_when: not result.failed or "Invalid credentials" not in result.msg

+    failed_when: result.data != 'Hello World.' or result.changed

-  - name: Change vault password, with wrong `old_password`.

+  - name: Retrieve data from symmetric vault, with old password.

     ipavault:

       ipaadmin_password: SomeADMINpassword

       name: symvault

       password: SomeVAULTpassword

-      new_password: SomeNEWpassword

+      state: retrieved

     register: result

     failed_when: not result.failed or "Invalid credentials" not in result.msg

-  - name: Retrieve data from symmetric vault, with new password.

+  - name: Change symmetric vault salt, changing password

     ipavault:

       ipaadmin_password: SomeADMINpassword

       name: symvault

       password: SomeNEWpassword

-      state: retrieved

+      new_password: SomeVAULTpassword

+      salt: AAAAAAAAAAAAAAAAAAAAAAA=

     register: result

-    failed_when: result.vault.data != 'Hello World.' or result.changed

+    failed_when: not result.changed

-  - name: Try to add vault with multiple passwords.

+  - name: Change symmetric vault salt, without changing password

     ipavault:

       ipaadmin_password: SomeADMINpassword

-      name: inexistentvault

+      name: symvault

       password: SomeVAULTpassword

-      password_file: "{{ ansible_env.HOME }}/password.txt"

+      new_password: SomeVAULTpassword

+      salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=

     register: result

-    failed_when: not result.failed or "parameters are mutually exclusive" not in result.msg

+    failed_when: not result.changed

-  - name: Try to add vault with multiple new passwords.

     ipavault:

       ipaadmin_password: SomeADMINpassword

       name: inexistentvault

-- 

2.26.2

From 8ca282e276477b52d0850d4c01feb3d8e7a5be6d Mon Sep 17 00:00:00 2001

From: Rafael Guterres Jeffman <rjeffman@redhat.com>

Date: Fri, 31 Jul 2020 11:44:33 -0300

Subject: [PATCH] Modified and added tests to verify correct `salt` update

 behavior.

---

 tests/vault/test_vault_symmetric.yml | 35 ++++++++++++++++++++++++----

 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml

index 9294331..1604a01 100644

--- a/tests/vault/test_vault_symmetric.yml

+++ b/tests/vault/test_vault_symmetric.yml

@@ -234,14 +234,41 @@

     register: result

     failed_when: not result.changed

+  - name: Try to change symmetric vault salt, without providing any password

     ipavault:

       ipaadmin_password: SomeADMINpassword

-      name: inexistentvault

-      password: SomeVAULTpassword

+      name: symvault

+      salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=

+    register: result

+    failed_when: not result.failed and  "Vault `salt` can only change when changing the password." not in result.msg

+

+  - name: Try to change symmetric vault salt, without providing `password`

+    ipavault:

+      ipaadmin_password: SomeADMINpassword

+      name: symvault

+      salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=

       new_password: SomeVAULTpassword

-      new_password_file: "{{ ansible_env.HOME }}/password.txt"

     register: result

-    failed_when: not result.failed or "parameters are mutually exclusive" not in result.msg

+    failed_when: not result.failed and  "Vault `salt` can only change when changing the password." not in result.msg

+

+  - name: Try to change symmetric vault salt, without providing `new_password`

+    ipavault:

+      ipaadmin_password: SomeADMINpassword

+      name: symvault

+      salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=

+      password: SomeVAULTpassword

+    register: result

+    failed_when: not result.failed and  "Vault `salt` can only change when changing the password." not in result.msg

+

+  - name: Try to change symmetric vault salt, using wrong password.

+    ipavault:

+      ipaadmin_password: SomeADMINpassword

+      name: symvault

+      password: SomeWRONGpassword

+      new_password: SomeWRONGpassword

+      salt: MDEyMzQ1Njc4OTAxMjM0NQo=

+    register: result

+    failed_when: not result.failed

   - name: Ensure symmetric vault is absent

     ipavault:

-- 

2.26.2

From 3c2700f68beade3513e0e44415d8eb4fb23026e8 Mon Sep 17 00:00:00 2001

From: Rafael Guterres Jeffman <rjeffman@redhat.com>

Date: Fri, 14 Aug 2020 10:43:30 -0300

Subject: [PATCH] Fixed Vault return value usage from `data` to `vault.data`.

A test was failing due to use of old ipavault module return structure

and some places on the documentation were alse referring to it. All

ocurrences were fixed.

---

 README-vault.md                      | 2 +-

 plugins/modules/ipavault.py          | 2 +-

 tests/vault/test_vault_symmetric.yml | 2 +-

 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README-vault.md b/README-vault.md

index 91d311d..e7a31a2 100644

--- a/README-vault.md

+++ b/README-vault.md

@@ -197,7 +197,7 @@ Example playbook to make sure vault is absent:

       state: absent

     register: result

   - debug:

-      msg: "{{ result.data }}"

+      msg: "{{ result.vault.data }}"

 ```

 Variables

diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py

index a608e64..8060976 100644

--- a/plugins/modules/ipavault.py

+++ b/plugins/modules/ipavault.py

@@ -243,7 +243,7 @@ EXAMPLES = """

     state: retrieved

   register: result

 - debug:

-    msg: "{{ result.data }}"

+    msg: "{{ result.vault.data }}"

 # Change password of a symmetric vault

 - ipavault:

diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml

index 1604a01..5394c71 100644

--- a/tests/vault/test_vault_symmetric.yml

+++ b/tests/vault/test_vault_symmetric.yml

@@ -203,7 +203,7 @@

       password: SomeNEWpassword

       state: retrieved

     register: result

-    failed_when: result.data != 'Hello World.' or result.changed

+    failed_when: result.vault.data != 'Hello World.' or result.changed

   - name: Retrieve data from symmetric vault, with old password.

     ipavault:

-- 

2.26.2