Lookup password omit salt (#16361)

* Lookup unencrypted password must not include salt * Integration test lookup: remove previous directory * Test that lookup password doesn't return salt * Lookup password: test behavior with empty encrypt parameter Closes #16189
2025-10-23 04:24:00 -07:00 · 2016-06-27 19:44:25 +02:00 · 2016-06-27 19:44:25 +02:00 · b361bf90d7
commit b361bf90d7
parent 7ba71fc2d2
2 changed files with 71 additions and 19 deletions
--- a/test/integration/roles/test_lookups/tasks/main.yml
+++ b/test/integration/roles/test_lookups/tasks/main.yml
@ -35,10 +35,11 @@

 # PASSWORD LOOKUP

- name: remove previous password files
-  file: dest={{output_dir}}/lookup/password state=absent
+- name: remove previous password files and directory
+  file: dest={{item}} state=absent
  with_items:
  - "{{output_dir}}/lookup/password"
+  - "{{output_dir}}/lookup/password_with_salt"
  - "{{output_dir}}/lookup"

 - name: create a password file
@ -80,6 +81,59 @@
    that:
        - "wc_result.stdout == '9'"
        - "cat_result.stdout == newpass"
+        - "' salt=' not in cat_result.stdout"
+
+- name: fetch password from an existing file
+  set_fact:
+    pass2: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"
+
+- name: read password (again)
+  shell: cat {{output_dir}}/lookup/password
+  register: cat_result2
+
+- debug: var=cat_result2.stdout
+
+- name: verify password (again)
+  assert:
+    that:
+        - "cat_result2.stdout == newpass"
+        - "' salt=' not in cat_result2.stdout"
+
+
+
+- name: create a password (with salt) file
+  debug: msg={{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=sha256_crypt') }}
+
+- name: read password and salt
+  shell: cat {{output_dir}}/lookup/password_with_salt
+  register: cat_pass_salt
+
+- debug: var=cat_pass_salt.stdout
+
+- name: fetch unencrypted password
+  set_fact:
+    newpass: "{{ lookup('password', output_dir + '/lookup/password_with_salt') }}"
+
+- debug: var=newpass
+
+- name: verify password and salt
+  assert:
+    that:
+        - "cat_pass_salt.stdout != newpass"
+        - "cat_pass_salt.stdout.startswith(newpass)"
+        - "' salt=' in cat_pass_salt.stdout"
+        - "' salt=' not in newpass"
+
+
+- name: fetch unencrypted password (using empty encrypt parameter)
+  set_fact:
+    newpass2: "{{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=') }}"
+
+- name: verify lookup password behavior
+  assert:
+    that:
+        - "newpass == newpass2"
+

 # ENV LOOKUP