1 files changed, 149 insertions, 0 deletions

diff --git a/test/integration/targets/lookup_password/tasks/main.yml b/test/integration/targets/lookup_password/tasks/main.yml
new file mode 100644
index 0000000..dacf032
--- /dev/null
+++ b/test/integration/targets/lookup_password/tasks/main.yml
@@ -0,0 +1,149 @@
+- name: create a password file
+  set_fact:
+    newpass: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"
+
+- name: stat the password file directory
+  stat: path="{{output_dir}}/lookup"
+  register: result
+
+- name: assert the directory's permissions
+  assert:
+    that:
+    - result.stat.mode == '0700'
+
+- name: stat the password file
+  stat: path="{{output_dir}}/lookup/password"
+  register: result
+
+- name: assert the directory's permissions
+  assert:
+    that:
+    - result.stat.mode == '0600'
+
+- name: get password length
+  shell: wc -c {{output_dir}}/lookup/password | awk '{print $1}'
+  register: wc_result
+
+- debug: var=wc_result.stdout
+
+- name: read password
+  shell: cat {{output_dir}}/lookup/password
+  register: cat_result
+
+- debug: var=cat_result.stdout
+
+- name: verify password
+  assert:
+    that:
+        - "wc_result.stdout == '9'"
+        - "cat_result.stdout == newpass"
+        - "' salt=' not in cat_result.stdout"
+
+- name: fetch password from an existing file
+  set_fact:
+    pass2: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"
+
+- name: read password (again)
+  shell: cat {{output_dir}}/lookup/password
+  register: cat_result2
+
+- debug: var=cat_result2.stdout
+
+- name: verify password (again)
+  assert:
+    that:
+        - "cat_result2.stdout == newpass"
+        - "' salt=' not in cat_result2.stdout"
+
+
+
+- name: create a password (with salt) file
+  debug: msg={{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=sha256_crypt') }}
+
+- name: read password and salt
+  shell: cat {{output_dir}}/lookup/password_with_salt
+  register: cat_pass_salt
+
+- debug: var=cat_pass_salt.stdout
+
+- name: fetch unencrypted password
+  set_fact:
+    newpass: "{{ lookup('password', output_dir + '/lookup/password_with_salt') }}"
+
+- debug: var=newpass
+
+- name: verify password and salt
+  assert:
+    that:
+        - "cat_pass_salt.stdout != newpass"
+        - "cat_pass_salt.stdout.startswith(newpass)"
+        - "' salt=' in cat_pass_salt.stdout"
+        - "' salt=' not in newpass"
+
+
+- name: fetch unencrypted password (using empty encrypt parameter)
+  set_fact:
+    newpass2: "{{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=') }}"
+
+- name: verify lookup password behavior
+  assert:
+    that:
+        - "newpass == newpass2"
+
+- name: verify that we can generate a 1st password without writing it
+  set_fact:
+    newpass: "{{ lookup('password', '/dev/null') }}"
+
+- name: verify that we can generate a 2nd password without writing it
+  set_fact:
+    newpass2: "{{ lookup('password', '/dev/null') }}"
+
+- name: verify lookup password behavior with /dev/null
+  assert:
+    that:
+        - "newpass != newpass2"
+
+- name: test both types of args and that seed guarantees same results
+  vars:
+    pns: "{{passwords_noseed['results']}}"
+    inl: "{{passwords_inline['results']}}"
+    kv: "{{passwords['results']}}"
+    l: [1, 2, 3]
+  block:
+  - name: generate passwords w/o seed
+    debug:
+      msg: '{{ lookup("password", "/dev/null")}}'
+    loop: "{{ l }}"
+    register: passwords_noseed
+
+  - name: verify they are all different, this is not guaranteed, but statisically almost impossible
+    assert:
+      that:
+        - pns[0]['msg'] != pns[1]['msg']
+        - pns[0]['msg'] != pns[2]['msg']
+        - pns[1]['msg'] != pns[2]['msg']
+
+  - name: generate passwords, with seed inline
+    debug:
+      msg: '{{ lookup("password", "/dev/null seed=foo")}}'
+    loop: "{{ l }}"
+    register: passwords_inline
+
+  - name: verify they are all the same
+    assert:
+      that:
+        - inl[0]['msg'] == inl[1]['msg']
+        - inl[0]['msg'] == inl[2]['msg']
+
+  - name: generate passwords, with seed k=v
+    debug:
+      msg: '{{ lookup("password", "/dev/null", seed="foo")}}'
+    loop: "{{ l }}"
+    register: passwords
+
+  - name: verify they are all the same
+    assert:
+      that:
+        - kv[0]['msg'] == kv[1]['msg']
+        - kv[0]['msg'] == kv[2]['msg']
+        - kv[0]['msg'] == inl[0]['msg']