Merge pull request #149 from guidograzioli/139_already_masked_passwds

Allow mixing masked and unmasked passwords

molecule/mask_passwords/converge.yml

@@ -31,6 +31,9 @@
       - user: other
         password: amqotherpass
         roles: [ consumer, producer ]
+      - user: otherencoded
+        password: ENC(2048:A403CF9448176AA4B4F2115755A0EE5F0BCCCC2E30DC435A1DDC6C65B2D41019:EC39BB29552E97F9EAEF68FC7799D0A67AA93E1834582007133AF65BA3AACD5B8454ACFD0531CCBA670E0A327A33572717997C6844A11607FD262C5CFAFED800)
+        roles: [ admin ]
     activemq_roles:
       - name: admin
         permissions: [ createNonDurableQueue, deleteNonDurableQueue, createDurableQueue, deleteDurableQueue, createAddress, deleteAddress, consume, browse, send, manage ]

molecule/mask_passwords/verify.yml

@@ -42,6 +42,11 @@
         quiet: true
         fail_msg: "Wrong ownership of instance directories"
 
+    - name: Retrieve users and roles from cli
+      ansible.builtin.command: "/opt/amq/amq-broker/bin/artemis user list --user otherencoded --password amqbrokerpass"
+      changed_when: False
+      register: user_roles
+
     - name: Retrieve users and roles from cli
       ansible.builtin.command: "/opt/amq/amq-broker/bin/artemis user list --user amq --password amqbrokerpass"
       changed_when: False
@@ -50,6 +55,7 @@
     - name: Verify users and roles
       ansible.builtin.assert:
         that:
+          - "'\"otherencoded\"(admin)' in user_roles.stdout"
           - "'\"other\"()' in user_roles.stdout"
           - "'\"amq\"(admin)' in user_roles.stdout"
         quiet: true
@@ -63,6 +69,7 @@
     - name: Verify users and roles with ldap account
       ansible.builtin.assert:
         that:
+          - "'\"otherencoded\"(admin)' in user_roles.stdout"
           - "'\"other\"()' in user_roles.stdout"
           - "'\"amq\"(admin)' in user_roles.stdout"
         quiet: true

roles/activemq/tasks/mask_password.yml

@@ -1,9 +1,10 @@
 ---
-- name: Set masked (hashed) user password
+- name: "Set masked (hashed) user password for {{ item.user }}"
   block:
     - name: Parse passwd hash for existing user
       ansible.builtin.set_fact:
         existing_user: "{{ existing_users.content | b64decode | regex_search('\\b' + item.user + ' ?= ?ENC\\([0-9]+:([^:]+):([^)]+)\\)', '\\1', '\\2') | default([]) }}"
+        mask_pwd: ''
     - name: Parse passwd for existing user salt
       ansible.builtin.set_fact:
         hash_password: "{{ item.password | middleware_automation.amq.pbkdf2_hmac(hashname=activemq_mask_password_hashname, iterations=activemq_mask_password_iterations, hexsalt=existing_user[0]) }}"
@@ -17,13 +18,21 @@
       changed_when: false
       no_log: true
       when: existing_user | length == 0 or hash_password != existing_user[1]
-    - name: Add masked password to users list
+    - name: Add new masked password to users list
       ansible.builtin.set_fact:
         masked_users: "{{ masked_users | default([]) + [{ 'user': item.user, 'password': mask_pwd.stdout | regex_search('result: (.+)', '\\1', multiline=true) | first, 'roles': item.roles }] }}"
       no_log: true
       when:
         - existing_user | length == 0 or hash_password != existing_user[1]
         - item.password is defined and item.password | length > 0
+        - not item.password is regex('^ENC\\([0-9]{4,}:[^:]+:[^:]+\\)')
+    - name: Add already masked password to users list
+      ansible.builtin.set_fact:
+        masked_users: "{{ masked_users | default([]) + [{ 'user': item.user, 'password': item.password | regex_search('ENC\\((.+)\\)', '\\1', multiline=true) | first, 'roles': item.roles }] }}"
+      no_log: true
+      when:
+        - item.password is defined and item.password | length > 0
+        - item.password is regex('^ENC\\([0-9]{4,}:[^:]+:[^:]+\\)')
     - name: Add existing user to users list
       ansible.builtin.set_fact:
         masked_users: "{{ masked_users | default([]) + [{ 'user': item.user, 'password': activemq_mask_password_iterations | string + ':' + existing_user[0] + ':' + existing_user[1], 'roles': item.roles }] }}"
@@ -32,3 +41,4 @@
         - existing_user | length > 0
         - hash_password == existing_user[1]
         - item.password is defined and item.password | length > 0
+        - not item.password is regex('^ENC\\([0-9]{4,}:[^:]+:[^:]+\\)')