Re: [jenkins-ci PATCH] lcitool: Don't encrypt password manually

[Martin Kletzander <mkletzan@xxxxxxxxxx>]

On Tue, Sep 04, 2018 at 01:53:45PM +0200, Andrea Bolognani wrote:
> On Tue, 2018-09-04 at 10:49 +0200, Martin Kletzander wrote:
>
> s/manually/ourselves/ in the subject.
>
> [...]
> >      def get_root_password_file(self):
> > -        root_pass_file = self._get_config_file("root-password")
> > -        root_hash_file = self._get_config_file(".root-password.hash")
> > -
> > -        try:
> > -            with open(root_pass_file, "r") as infile:
> > -                root_pass = infile.readline().strip()
> > -        except Exception:
> > -            raise Error(
> > -                "Missing or invalid root password file ({})".format(
> > -                    root_pass_file,
> > -                )
> > -            )
> > -
> > -        # The hash will be different every time we run, but that doesn't
> > -        # matter - it will still validate the correct root password
> > -        root_hash = crypt.crypt(root_pass, Util.mksalt())
> > -
> > -        try:
> > -            with open(root_hash_file, "w") as infile:
> > -                infile.write("{}\n".format(root_hash))
> > -        except Exception:
> > -            raise Error(
> > -                "Can't write hashed root password file ({})".format(
> > -                    root_hash_file,
> > -                )
> > -            )
> > -
> > -        return root_hash_file
> > +        return self._get_config_file("root-password")
>
> This is a really nice improvement overall, but we can't quite get
> rid of the entire function: we still need to try and open the file,
> or at least stat() it, like we do in get_vault_password_file(), so
> that we can error out early instead of having Ansible bail out on
> us really late in the game.

So what you had in mind is something like the following squashed in?

diff --git i/guests/lcitool w/guests/lcitool
index 609c73c43dbc..2ac98ea69030 100755
--- i/guests/lcitool
+++ w/guests/lcitool
@@ -151,7 +151,22 @@ class Config:
        return vault_pass_file

    def get_root_password_file(self):
-        return self._get_config_file("root-password")
+        root_pass_file = None
+
+        root_pass_file = self._get_config_file("root-password")
+
+        try:
+            with open(root_pass_file, "r") as infile:
+                if not infile.readline().strip():
+                    raise ValueError
+        except Exception:
+            raise Error(
+                "Missing or invalid root password file ({})".format(
+                    root_pass_file,
+                )
+            )
+
+        return root_pass_file


class Inventory:
--

Or we could have the check in ansible itself, but that would be a bigger change
and the codebase is not prepared for that.

TLTTIRN,
Martin

Attachment: signature.asc
Description: Digital signature

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list