1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
|
- name: create a password file
set_fact:
newpass: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"
- name: stat the password file directory
stat: path="{{output_dir}}/lookup"
register: result
- name: assert the directory's permissions
assert:
that:
- result.stat.mode == '0700'
- name: stat the password file
stat: path="{{output_dir}}/lookup/password"
register: result
- name: assert the directory's permissions
assert:
that:
- result.stat.mode == '0600'
- name: get password length
shell: wc -c {{output_dir}}/lookup/password | awk '{print $1}'
register: wc_result
- debug: var=wc_result.stdout
- name: read password
shell: cat {{output_dir}}/lookup/password
register: cat_result
- debug: var=cat_result.stdout
- name: verify password
assert:
that:
- "wc_result.stdout == '9'"
- "cat_result.stdout == newpass"
- "' salt=' not in cat_result.stdout"
- name: fetch password from an existing file
set_fact:
pass2: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"
- name: read password (again)
shell: cat {{output_dir}}/lookup/password
register: cat_result2
- debug: var=cat_result2.stdout
- name: verify password (again)
assert:
that:
- "cat_result2.stdout == newpass"
- "' salt=' not in cat_result2.stdout"
- name: create a password (with salt) file
debug: msg={{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=sha256_crypt') }}
- name: read password and salt
shell: cat {{output_dir}}/lookup/password_with_salt
register: cat_pass_salt
- debug: var=cat_pass_salt.stdout
- name: fetch unencrypted password
set_fact:
newpass: "{{ lookup('password', output_dir + '/lookup/password_with_salt') }}"
- debug: var=newpass
- name: verify password and salt
assert:
that:
- "cat_pass_salt.stdout != newpass"
- "cat_pass_salt.stdout.startswith(newpass)"
- "' salt=' in cat_pass_salt.stdout"
- "' salt=' not in newpass"
- name: fetch unencrypted password (using empty encrypt parameter)
set_fact:
newpass2: "{{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=') }}"
- name: verify lookup password behavior
assert:
that:
- "newpass == newpass2"
- name: verify that we can generate a 1st password without writing it
set_fact:
newpass: "{{ lookup('password', '/dev/null') }}"
- name: verify that we can generate a 2nd password without writing it
set_fact:
newpass2: "{{ lookup('password', '/dev/null') }}"
- name: verify lookup password behavior with /dev/null
assert:
that:
- "newpass != newpass2"
- name: test both types of args and that seed guarantees same results
vars:
pns: "{{passwords_noseed['results']}}"
inl: "{{passwords_inline['results']}}"
kv: "{{passwords['results']}}"
l: [1, 2, 3]
block:
- name: generate passwords w/o seed
debug:
msg: '{{ lookup("password", "/dev/null")}}'
loop: "{{ l }}"
register: passwords_noseed
- name: verify they are all different, this is not guaranteed, but statisically almost impossible
assert:
that:
- pns[0]['msg'] != pns[1]['msg']
- pns[0]['msg'] != pns[2]['msg']
- pns[1]['msg'] != pns[2]['msg']
- name: generate passwords, with seed inline
debug:
msg: '{{ lookup("password", "/dev/null seed=foo")}}'
loop: "{{ l }}"
register: passwords_inline
- name: verify they are all the same
assert:
that:
- inl[0]['msg'] == inl[1]['msg']
- inl[0]['msg'] == inl[2]['msg']
- name: generate passwords, with seed k=v
debug:
msg: '{{ lookup("password", "/dev/null", seed="foo")}}'
loop: "{{ l }}"
register: passwords
- name: verify they are all the same
assert:
that:
- kv[0]['msg'] == kv[1]['msg']
- kv[0]['msg'] == kv[2]['msg']
- kv[0]['msg'] == inl[0]['msg']
|