Commit graph

38 commits

Author SHA1 Message Date
patchback[bot]
71d8109275
[PR #8952/24f2b980 backport][stable-9] passwordstore: Support subkey creation and update (#8996)
passwordstore: Support subkey creation and update (#8952)

(cherry picked from commit 24f2b980b7)

Co-authored-by: Manuel Luzarreta <mluzarreta.pro@pm.me>
2024-10-07 22:31:04 +02:00
patchback[bot]
176f6a62ae
[PR #8689/8989b6c4 backport][stable-9] Namespace the passwordstore lockfile (#8746)
Namespace the passwordstore lockfile (#8689)

* Namespace the lockfile

When passwordstore needs to grab a lock, it creates a statically named file (within /tmp, typically). This is unfortunate, when there might be more than one user using the passwordstore functionality on that machine. Prepend the user to the filename, to bypass further issues.

* Update plugins/lookup/passwordstore.py

specifically reference the argument number in the format string.

Co-authored-by: Felix Fontein <felix@fontein.de>

* Add changelog fragment for PR#8689

* Update 8689-passwordstore-lock-naming.yml

I was sure that was a copy/paste.

* Update changelogs/fragments/8689-passwordstore-lock-naming.yml

specify the type of plugin

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 8989b6c4d4)

Co-authored-by: Adam Tygart <adam.tygart@gmail.com>
2024-08-12 08:06:57 +02:00
patchback[bot]
3726b50a92
[PR #8626/daed4dcc backport][stable-9] Type options of lookup plugins (#8660)
Type options of lookup plugins (#8626)

Type options of lookup plugins.

(cherry picked from commit daed4dcc94)

Co-authored-by: Felix Fontein <felix@fontein.de>
2024-07-21 22:16:02 +02:00
Manuel Luzarreta
da29ea151d
passwordstore: Add missing_subkey parameter (#8166)
* passwordstore: Add missing_subkey parameter

Add ability to trigger error or warning when a subkey is missing in pass file.
By default the behavior is unchanged (if subkey is missing, None is returned).
This option can also be set in ansible.cfg

* passwordstore - missing_subkey: Update changelog/fragments file with PR number

* Apply suggestions from code review

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
2024-04-17 23:23:18 +02:00
Michal Drobny
6a514b6843
Add options for password generation in the passwordstore module (#7426)
* feat: Add options for password generation.

* feat: Add documentations for options for password generation.

* fix: Remove newline from the end of the stored raw password

* fix: Define 'msg' variable before the reference inside the condition block

* feat: Add information when the 'timestamp' parameter was added

Co-authored-by: Felix Fontein <felix@fontein.de>

* feat: Add information when the 'preserve' parameter was added

Co-authored-by: Felix Fontein <felix@fontein.de>

* feat: Add changelog fragment for adding new parameters to the 'passwordstore' module

* feat: Change the evaluation of password modification conditions.

* feat: Change version of parameter 'timestamp' from 8.0.0 to 8.0.1

Co-authored-by: Felix Fontein <felix@fontein.de>

* feat: Change version of parameter 'preserve' from 8.0.0 to 8.0.1

Co-authored-by: Felix Fontein <felix@fontein.de>

* fix: Remove newline character from the timestamp message

Co-authored-by: Felix Fontein <felix@fontein.de>

* fix: Add newline character to the end of 'preserve' message.

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Co-authored-by: Michal Drobny <494056@muni.cz>
Co-authored-by: Felix Fontein <felix@fontein.de>
2023-11-09 22:21:57 +01:00
Felix Fontein
011b2f8bdc
Start using semantic markup (#6627)
* Start using semantic markup.

* Forgot some places.

* Fix typo.

* Use 'ignore:' prefix until https://github.com/ansible-community/antsibull-docs/pull/155 is out.

* Break too long line.
2023-06-10 09:28:40 +02:00
Felix Fontein
c58dda14c2
passwordstore plugin: vendor FileLock that was removed from ansible-core devel (#6447)
Vendor FileLock that was removed from ansible-core devel.
2023-04-28 12:08:45 +02:00
Felix Fontein
faf4ec7fa6
passwordstore lookup: allow to pass options as lookup options (#5444)
* Allow to pass options as lookup options.

* Adjust tests.
2022-11-02 20:17:08 +01:00
Jan-Philipp Litza
e4b9e098c7
Clearer error logging in passwordstore lookup (#5436)
* Clearer error logging in passwordstore lookup

* Add changelog fragment for passwordstore errmsgs

Co-authored-by: Sylvia van Os <sylvia@hackerchick.me>
2022-11-02 20:12:21 +01:00
Felix Fontein
5f4e593116
Revert "Fix non-matching defaults in docs (#5446)"
This reverts commit a978bff2c7.
2022-11-01 19:12:21 +01:00
Felix Fontein
a978bff2c7
Fix non-matching defaults in docs (#5446)
* Allow to pass options as lookup options.

* Adjust tests.

* Fix non-matching defaults.
2022-11-01 18:11:02 +01:00
Felix Fontein
015566fb06
Normalize more booleans. (#5247) 2022-09-06 20:42:17 +02:00
Felix Fontein
19ce50f6b9
Adjust booleans in misc plugins. (#5161) 2022-08-24 20:00:39 +02:00
Felix Fontein
496bf27b5c
Fix copyright lines (make sure 'Copyright' is there). (#5083) 2022-08-05 22:12:10 +02:00
Felix Fontein
123c7efe5e
Move licenses to LICENSES/, run add-license.py, add LICENSES/MIT.txt (#5065)
* Move licenses to LICENSES/, run add-license.py, add LICENSES/MIT.txt.

* Replace 'Copyright:' with 'Copyright'

sed -i 's|Copyright:\(.*\)|Copyright\1|' $(rg -l 'Copyright:')

Co-authored-by: Maxwell G <gotmax@e.email>
2022-08-05 12:28:29 +02:00
Sylvia van Os
3eb29eb4b6
Fix returnall for gopass (#5027)
* Fix returnall for gopass

Gopass was always given the --password flag, despite there being no need for this.

* Add changelog fragment

Co-authored-by: Sylvia van Os <sylvia.van.os@politie.nl>
2022-07-29 14:24:15 +02:00
Sylvia van Os
c31e6413f2
Fix path detection for gopass (#4955)
* Fix path detection for gopass

As per fc8c9a2286/docs/features.md (initializing-a-password-store), gopass defaults to ~/.local/share/gopass/stores/root for its password store root location.

However, the user can also override this, and this will be stored in the gopass config file (ed7451678c/docs/config.md (configuration-options)).

This patch ensures that the config setting in gopass is respected, falling back to the default gopass path. pass' behaviour remains unchanged.

* Formatting improvements

Co-authored-by: Felix Fontein <felix@fontein.de>

* Add changelog fragment

* Formatting improvement

Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>

Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
2022-07-21 07:19:31 +02:00
grembo
006f3bfa89
passwordstore: Make compatible with shims (#4780)
* passwordstore: Make compatible with shims, add backend config

This allows using the passwordstore plugin with scripts that wrap other
password managers. Also adds an explicit configuration (`backend` in
`ini` and `passwordstore_backend` in `vars`) to set the backend to `pass`
(the default) or `gopass`, which allows using gopass as the backend
without the need of a wrapper script. Please be aware that gopass
support is currently limited, but will work for basic operations.

Includes integration tests.

Resolves #4766

* Apply suggestions from code review
2022-06-15 08:08:04 +02:00
grembo
2416b81aa4
passwordstore: Add configurable locking (#4194)
* passwordstore: Add configurable locking

Passwordstore cannot be accessed safely in parallel, which causes
various issues:

- When accessing the same path, multiple different secrets are
  returned when the secret didn't exist (missing=create).
- When accessing the same _or different_ paths, multiple pinentry
  dialogs will be spawned by gpg-agent sequentially, having to enter
  the password for the same gpg key multiple times in a row.
- Due to issues in gpg dependencies, accessing gpg-agent in parallel
  is not reliable, causing plays to fail (this can be fixed by adding
  `auto-expand-secmem` to _~/.gnupg/gpg-agent.conf_ though).

These problems have been described in various github issues in the past,
e.g., ansible/ansible#23816 and ansible/ansible#27277.

This cannot be worked around in playbooks by users in a non-error-prone
way.

It is addressed by adding new configuration options:

- lock:
  - readwrite: Lock all operations
  - write: Only lock write operations (default)
  - none: Disable locking
- locktimeout: Time to wait for getting a lock (s/m/h suffix)
  (defaults to 15m)

These options can also be set in ansible.cfg, e.g.:

    [passwordstore_lookup]
    lock=readwrite
    locktimeout=30s

Also, add a note about modifying gpg-agent.conf.

* Tidy up locking config

There is no reason why lock configuration should be part of self.paramvals.
Now locking and its configuration happen all in one place.

* Change timeout description wording to the suggested value.

* Rearrange plugin setup, apply PR feedback
2022-02-21 21:14:17 +01:00
grembo
77a0c139c9
passwordstore: Fix error detection for non-English locales (#4219)
The passwordstore lookup plugin depends on parsing GnuPG's
error messages in English language. As a result, detection of
a specific error fails when users set a different locale.

This change corrects this by setting the `LANGUAGE` environment
variable to `C` when invoking `pass`, as this only affects
gettext translations.

See
https://www.gnu.org/software/gettext/manual/html_node/The-LANGUAGE-variable.html
2022-02-17 22:00:02 +01:00
grembo
da49c0968d
passwordstore: Prevent using path as password (#4192)
Given a password stored in _path/to/secret_, requesting the password
_path/to_ will literally return `path/to`. This can lead to using
weak passwords by accident/mess up logic in code, based on the
state of the password store.

This is worked around by applying the same logic `pass` uses:
If a password was returned, check if there is a .gpg file it could
have come from. If not, treat it as missing.

Fixes ansible-collections/community.general#4185
2022-02-17 20:58:36 +01:00
Felix Fontein
77b7b4f75b
Get rid of distutils.spawn and distutils.util (#3934)
* Replace distutils.spawn.find_executable.

* Replace distutils.util.strtobool.
2022-01-04 06:56:28 +01:00
Alexei Znamensky
da11a98cb7
fixed the utf-8 marker (#3162) 2021-08-07 15:02:21 +02:00
Alexei Znamensky
047b7ada3c
utf8 marker batch2 (#3128)
* added utf-8 markers to all .py files in plugins/filter

* added utf-8 markers to all .py files in plugins/inventory

* added utf-8 markers to all .py files in plugins/lookup
2021-08-01 12:36:53 +02:00
Felix Fontein
fafabed9e6
Replace ansible.module_utils._text by ansible.module_utils.common.text.converters (#2877)
* Replace ansible.module_utils._text by ansible.module_utils.common.text.converters.

* Also adjust tests.
2021-06-26 23:59:11 +02:00
Jan Baier
350380ba8c
Add option missing to passwordstore lookup (#2500)
Add ability to ignore error on missing pass file to allow processing the
output further via other filters (mainly the default filter) without
updating the pass file itself.

It also contains the option to create the pass file, like the option
create=true does.

Finally, it also allows to issue a warning only, if the pass file is not
found.
2021-05-17 13:50:40 +02:00
Florian Bergmann
f955a85848
Add yaml support to passwordstore. (#1681)
Co-authored-by: Florian Bergmann <Florian.Bergmann@datev.de>
2021-01-28 09:24:28 +01:00
Paul Haerle
73b3ec09e5
fix passwordstore.py to be compatible with gopass. (#1589)
* fix passwordstore.py to be compatible with gopass.

...even when used with create=true.

The same output snippet matches for both, `pass` and `gopass`, but while `pass` returns `1` on a non-existent password, `gopass` returns `10`, or `11`, depending on whether a similarly named password was stored.

So I'd propose to change `e.returncode == 1` to `e.returncode != 0` to cover both cases here.

What do you think?

* Update passwordstore.py, fix typo

* Add changelog fragment.

* Update changelogs/fragments/1589-passwordstore-fix-passwordstore.py-to-be-compatible-with-gopass.yaml

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update changelogs/fragments/1589-passwordstore-fix-passwordstore.py-to-be-compatible-with-gopass.yaml

Co-authored-by: Felix Fontein <felix@fontein.de>

Co-authored-by: Felix Fontein <felix@fontein.de>
2021-01-25 12:29:46 +01:00
Felix Fontein
99cfb993d5
<plugin_type>: -> name: (#1541) 2021-01-12 07:12:03 +01:00
Eike Waldt
491b622041
fix passwordstore.py to be compatible with gopass versions (#1493)
* Be compatible with latest gopass versions.
`gopass show` is deprecated.

* add changelog fragment

* Update changelogs/fragments/1493-fix_passwordstore.py_to_be_compatible_with_gopass_versions.yml

Co-authored-by: Eike Waldt <git@yog.wtf>
Co-authored-by: Felix Fontein <felix@fontein.de>
2021-01-03 11:48:35 +01:00
bratw0rst
28ac4b79e2
Added umask option to passwordstore lookup plugin. (#1156)
* Added umask option to passwordstore lookup plugin.

* Added umask documentation and changelog fragment.

* Added default values to paramvals within the run method.

* removed blank lines (PEP8)

* Update changelogs/fragments/lookup-passwordstore-umask.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/lookup/passwordstore.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update changelogs/fragments/lookup-passwordstore-umask.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

* passwordstore lookup plugin: changelog fragment update

* passing environment variables to subprocess.Popen()

* Update plugins/lookup/passwordstore.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* rm trailing whitespace

* Don't force default umask in the plugin, pass will take care of this.

* remove default from the documentation string

* remove trailing whitespaces

* prevent KeyErrors when checking if key exists in paramvals.

* Update plugins/lookup/passwordstore.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Fix for TypeError

* revert back to old directory test

Co-authored-by: bratw0rst <c.chmiel@speakup.nl>
Co-authored-by: Felix Fontein <felix@fontein.de>
2020-11-24 08:05:59 +01:00
Felix Fontein
e5da25915d
Improve plugin sanity (#966)
* callback_type -> type.

* Mark authors as unknown.

* Add author field forgotten in #627.

* Fix author entries.

* Add author field forgotten in #127.

* Fix some types.
2020-09-28 21:21:51 +02:00
Felix Fontein
7cf472855c
Fix various sanity errors in plugins (#881)
* Fix deprecation of callables.

* Fix various sanity errors.

* Revert callback_type -> type transform.

* Fix stat_result times: these are float according to https://github.com/python/typeshed/blob/master/stdlib/3/os/__init__.pyi

* Apply suggestions from code review

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
2020-09-16 11:06:45 +02:00
Felix Fontein
ea21341686
Fix plugins (names, constants, FQCNs in examples) (#722)
* cobbler inventory: fix NAME

* oc transport: fix transport name

* Inventory plugins: fix plugin identifications

* Use FQCN in lookup plugin examples.

* Use FQCN in callback plugins.

* Add changelog fragment.

* Adjust documentation.

* Fix lookup plugin linting errors.

* Fix quotes.
2020-08-08 22:04:34 +02:00
Andrew Klychkov
4c4a6ab27c
modules: fix examples to use FQCN for builtin plugins (#661) 2020-07-16 14:42:12 +03:00
Andrew Klychkov
c055340ecb
modules: fix examples to use FQCN for builtin modules (#648)
* modules: fix examples to use FQCN for builtin modules

* fix

* fix

* fix

* fix

* fix

* fix

* fix
2020-07-14 18:28:08 +03:00
Abhijeet Kasurde
5dbdf14908
passwordstore: Honor equal sign in userpass (#19)
passwordstore lookup plugin now can handle equal sign in user input

Fixes: ansible/ansible#68265

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
2020-03-17 14:20:39 +00:00
Ansible Core Team
aebc1b03fd
Initial commit 2020-03-09 09:11:07 +00:00