Make sure password files from lookups are created with restrictive permissions

Also adds checks for the lookup integration test for passwords. Fixes #8652
2025-07-22 12:50:22 -07:00 · 2014-08-19 11:30:04 -05:00 · 2014-08-19 11:30:04 -05:00 · d4ff0d125a
commit d4ff0d125a
parent 3a7aca6066
2 changed files with 32 additions and 5 deletions
--- a/test/integration/roles/test_lookups/tasks/main.yml
+++ b/test/integration/roles/test_lookups/tasks/main.yml
@ -36,20 +36,41 @@
 # PASSWORD LOOKUP

 - name: remove previous password files
-  file: dest={{output_dir}}/password state=absent
+  file: dest={{output_dir}}/lookup/password state=absent
+  with_items:
+  - "{{output_dir}}/lookup/password"
+  - "{{output_dir}}/lookup"

 - name: create a password file
  set_fact: 
-    newpass: "{{ lookup('password', output_dir + '/password length=8') }}"
+    newpass: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"
+
+- name: stat the password file directory
+  stat: path="{{output_dir}}/lookup"
+  register: result
+
+- name: assert the directory's permissions
+  assert:
+    that:
+    - result.stat.mode == '0700'
+
+- name: stat the password file
+  stat: path="{{output_dir}}/lookup/password"
+  register: result
+
+- name: assert the directory's permissions
+  assert:
+    that:
+    - result.stat.mode == '0600'

 - name: get password length
-  shell: wc -c {{output_dir}}/password | awk '{print $1}'
+  shell: wc -c {{output_dir}}/lookup/password | awk '{print $1}'
  register: wc_result

 - debug: var=wc_result.stdout

 - name: read password
-  shell: cat {{output_dir}}/password
+  shell: cat {{output_dir}}/lookup/password
  register: cat_result

 - debug: var=cat_result.stdout