Bug 1879004

Summary: [ansible-freeipa] Not able to change symmetric vault password with password file
Product: Red Hat Enterprise Linux 8
Component: ansible-freeipa
Version: 8.3
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Varun Mylaraiah <mvarun>
Assignee: Rafael Jeffman <rjeffman>
QA Contact: ipa-qe <ipa-qe>
CC: twoerner
Target Milestone: rc
Target Release: 8.0
Keywords: Triaged
Flags: pm-rhel: mirror+
Fixed In Version: ansible-freeipa-0.3.0-1
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2021-05-18 15:51:18 UTC

Description Varun Mylaraiah 2020-09-15 07:56:15 UTC
Description of problem:
Not able to change symmetric vault password with password file in the vault module

Version-Release number of selected component (if applicable):
ansible-freeipa-0.1.12-6.el8.noarch


Steps to Reproduce:
---
[root@master ~]# ipa vault-add syvault_pass --type=symmetric --password=tmp_pwd
--------------------------
Added vault "syvault_pass"
--------------------------
  Vault name: syvault_pass
  Type: symmetric
  Salt: 4ekNB7jVmEf27iL8UGCdxA==
  Owner users: admin
  Vault user: admin

[root@master ~]# cat password.txt 
Vault_Pa$$word[


- name: Playbook to ensure symmetric vault password is updated with password file
  hosts: ipaserver
 
  tasks:
  - name: Copy pssword key file to target host.
    copy:
      src: "/root/password.txt"
      dest: "{{ ansible_env.HOME }}/password.txt"
 
  - name: vault module testing
    ipavault:
      ipaadmin_password: <xxxxxpasswordxxxx>
      name: syvault_pass
      old_password: tmp_pwd
      new_password_file: "/root/password.txt"
 
 
[root@ansible ~]# ansible-playbook -vv -i inventory/vault.hosts vault_module.yml
ansible-playbook 2.9.12
  config file = /root/ansible.cfg
  configured module search path = ['/root/ansible-freeipa/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 3.6.8 (default, Aug 18 2020, 08:33:21) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
Using /root/ansible.cfg as config file
 
PLAYBOOK: vault_module.yml *******************************************************************************************
1 plays in vault_module.yml
 
PLAY [Playbook to ensure symmetric vault password is updated with password file] *************************************
 
TASK [Gathering Facts] ***********************************************************************************************
task path: /root/vault_module.yml:2
ok: [master.ipadomain.test]
META: ran handlers
 
TASK [Copy pssword key file to target host.] *************************************************************************
task path: /root/vault_module.yml:6
ok: [master.ipadomain.test] => {"changed": false, "checksum": "5fdd45cdaa1eeeb0eba68cda9c4315acb5cd3ff6", "dest": "/root/password.txt", "gid": 0, "group": "root", "mode": "0600", "owner": "root", "path": "/root/password.txt", "secontext": "system_u:object_r:admin_home_t:s0", "size": 14, "state": "file", "uid": 0}
 
TASK [vault module testing] ******************************************************************************************
task path: /root/vault_module.yml:11
fatal: [master.ipadomain.test]: FAILED! => {"changed": false, "msg": "vault_archive: syvault_pass: textui"}
 
PLAY RECAP ***********************************************************************************************************
master.ipadomain.test      : ok=2    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Actual results:

fatal: [master.ipadomain.test]: FAILED! => {"changed": false, "msg": "vault_archive: syvault_pass: textui"}
 
Expected results:

Should change the password

Additional info:

####################
CLI console output
####################
[root@master ~]# ipa vault-mod syvault_pass --old-password=tmp_pwd --new-password-file=/root/password.txt
-----------------------------
Modified vault "syvault_pass"
-----------------------------
  Vault name: syvault_pass
  Type: symmetric
  Salt: fXgIPcCYu138qYQkMFqPiw==
  Owner users: admin
  Vault user: admin

Comment 1 Rafael Jeffman 2020-09-17 01:47:00 UTC
Here is the upstream PR for this issue: https://github.com/freeipa/ansible-freeipa/pull/395

Comment 4 Rafael Jeffman 2020-10-28 15:33:33 UTC
A fix was merged upstream.

Comment 8 Varun Mylaraiah 2020-12-11 11:03:25 UTC
Verified:

ansible-freeipa-0.3.1-1.el8.noarch

ansible_freeipa_tests/vault_module.py::TestSymmetricVault::test_symmetric_vault_update_password_with_password_file 
2020-12-11T08:03:41+0000 -------------------------------- live log call ---------------------------------
2020-12-11T08:03:41+0000 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO RUN ['/usr/bin/rpm', '-q', 'ansible-freeipa']
2020-12-11T08:03:41+0000 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['kinit', 'admin']
2020-12-11T08:03:41+0000 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['ipa', 'vault-add', 'syvault_pass', '--type=symmetric', '--password=tmp_pwd']
2020-12-11T08:03:46+0000 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['ipa', 'vault-archive', 'syvault_pass', '--data=dGVzdGFyY2hpdmUK', '--password=tmp_pwd']
2020-12-11T08:03:49+0000 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO PUT /root/password.txt
2020-12-11T08:03:49+0000 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO WRITE inventory/vault.hosts
2020-12-11T08:03:49+0000 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO PUT vault_module.yml
2020-12-11T08:03:49+0000 [pytest_multihost.host.Host.ansible.ParamikoTransport] INFO RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/vault.hosts', 'vault_module.yml']
2020-12-11T08:03:57+0000 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['kinit', 'admin']
2020-12-11T08:03:57+0000 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['ipa', 'vault-show', 'syvault_pass']
2020-12-11T08:03:59+0000 [pytest_multihost.host.Host.master.ParamikoTransport] INFO RUN ['kdestroy', '-A']
2020-12-11T08:03:59+0000 PASSED  


Based on the test result, marking the bug VERIFIED.

Comment 10 errata-xmlrpc 2021-05-18 15:51:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ansible-freeipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:1860