passwordstore: Prevent using path as password #4192
Conversation
ansibullbot
added
bug
felixfontein
added
backport-4
check-before-release
|
Thanks for your contribution! Could you please add a changelog fragment? I would also suggest to split this up into two PRs, one for the path check, and the other for locking. Combining unrelated things into one PR is something that should really be avoided. Also regarding locking: I think this should only be done on creation, not in every case. The correct solution for the gpg issues is |
|
Hi @felixfontein, thanks for reviewing.
I'll look into it.
To me, they are related from a user perspective, as both issues result in passwordstore returning unexpected/inconsistent passwords. If you insist, I can split it into two PRs once the discussion on the PR finished.
Locking needs to happen in all cases (reads and writes), as
I don't think the overhead added by the lock is problematic, looking at the overall cost of passwordstore operations. IMHO the benefit of having predictable behavior, not having to worry about synchronization in playbooks, and not requiring to adjust gpg-agent.conf (plus reloading the agent) and/or any other special configuration outweighs this little extra overhead. It also makes maintaining the code in passwordstore.py easier and more robust in case |
grembo
force-pushed
the
passwordstore-fixes
branch
from
80f351f to
af84ce7
Compare
It would be good to split them up. The one is a proper bugfix (and shoul be backported to stable-3 and stable-4), the other more a feature than a bugfix (and thus only should be backported to stable-4). Keeping them in the same PR prevents this from being backported to stable-3.
But that's only true if
When
While this is annoying, it is the correct fix. Putting ugly hacks everywhere just because gpg has stupid defaults is bad practice.
I disagree here. Especially because passwordstore operations are expensive, locking makes the whole situation worse because with locking, all operations must be done sequentially and cannot be done in parallel.
I disagree with this, and I don't think this decision should be forced on every user of this plugin. |
changelogs/fragments/4192-improve-passwordstore-consistency.yml
Outdated
Show resolved
Hide resolved
changelogs/fragments/4192-improve-passwordstore-consistency.yml
Outdated
Show resolved
Hide resolved
They are both bugfixes to me (unless you consider preventing undefined behavior a feature). We don't have to agree on that part and I can split them up of course. I wouldn't describe it as a "minor_change" though, as it fixes broken behavior (or if it's intentional: broken design) that causes problems.
Are you certain that there is no scenario where a write is partially done and a read could suffer from that?
I think that what's even worse than gpg having "stupid defaults" is to know about them and let users run into the same problem over and over again. Do you have an idea how the plugin could check if gpg-agent is configured correctly? We certainly don't want users to learn about that it should be configured differently by spending hours figuring out why a playbook that worked yesterday suddenly failed. If we can detect it reliably, we can make the plugin fail with a helpful error message if gpg-agent is misconfigured. If not, we should make locking the default and add a configuration option to disable it for those who understand the implications.
I prefer a playbook to work reliably (even if it's slightly slower), as that's consuming the machine's time, while breakage costs my time and causes fallout. That said, if we can find a fix that satisfies both positions, all the better. |
grembo
changed the title
grembo
force-pushed
the
passwordstore-fixes
branch
2 times, most recently
from
b78112b to
7a5c2de
Compare
|
@felixfontein I reduced this PR to the path fix, I'll create a follow-up PR with locking once ready. |
grembo
force-pushed
the
passwordstore-fixes
branch
from
7a5c2de to
2454b38
Compare
ansibullbot
added
needs_ci
grembo
force-pushed
the
passwordstore-fixes
branch
from
2454b38 to
de5ea02
Compare
|
@felixfontein Follow-up for configurable locking is #4194, currently stacked on top of this one. |
grembo
force-pushed
the
passwordstore-fixes
branch
from
de5ea02 to
29619d5
Compare
|
@felixfontein This change made the logic more obvious (e.g., getting rid of the superfluous |
grembo
force-pushed
the
passwordstore-fixes
branch
from
29619d5 to
c66f057
Compare
ansibullbot
added
the
needs_ci
ansibullbot
added
the
needs_revision
grembo
force-pushed
the
passwordstore-fixes
branch
2 times, most recently
from
d8d5bbd to
e19c473
Compare
ansibullbot
removed
needs_ci
Given a password stored in _path/to/secret_, requesting the password _path/to_ will literally return `path/to`. This can lead to using weak passwords by accident/mess up logic in code, based on the state of the password store. This is worked around by applying the same logic `pass` uses: If a password was returned, check if there is a .gpg file it could have come from. If not, treat it as missing. Fixes ansible-collections#4185
grembo
force-pushed
the
passwordstore-fixes
branch
from
e19c473 to
0e50713
Compare
|
@felixfontein This should be ready to land now. Reg. the localization issue: Turns out this will be as easy setting |
|
Since nobody else commented here, I assume nobody else has an opinion, so I'll just merge so that the depending PRs can continue. |
felixfontein
removed
the
check-before-release
Backport to stable-3: 💚 backport PR created✅ Backport PR branch: Backported as #4217 🤖 @patchback |
Given a password stored in _path/to/secret_, requesting the password _path/to_ will literally return `path/to`. This can lead to using weak passwords by accident/mess up logic in code, based on the state of the password store. This is worked around by applying the same logic `pass` uses: If a password was returned, check if there is a .gpg file it could have come from. If not, treat it as missing. Fixes #4185 (cherry picked from commit da49c09)
Backport to stable-4: 💚 backport PR created✅ Backport PR branch: Backported as #4218 🤖 @patchback |
|
@grembo thanks a lot for your contribution! |
Given a password stored in _path/to/secret_, requesting the password _path/to_ will literally return `path/to`. This can lead to using weak passwords by accident/mess up logic in code, based on the state of the password store. This is worked around by applying the same logic `pass` uses: If a password was returned, check if there is a .gpg file it could have come from. If not, treat it as missing. Fixes #4185 (cherry picked from commit da49c09)
@felixfontein And you for taking the time to review. |
Given a password stored in _path/to/secret_, requesting the password _path/to_ will literally return `path/to`. This can lead to using weak passwords by accident/mess up logic in code, based on the state of the password store. This is worked around by applying the same logic `pass` uses: If a password was returned, check if there is a .gpg file it could have come from. If not, treat it as missing. Fixes #4185 (cherry picked from commit da49c09) Co-authored-by: grembo <[email protected]>
Given a password stored in _path/to/secret_, requesting the password _path/to_ will literally return `path/to`. This can lead to using weak passwords by accident/mess up logic in code, based on the state of the password store. This is worked around by applying the same logic `pass` uses: If a password was returned, check if there is a .gpg file it could have come from. If not, treat it as missing. Fixes #4185 (cherry picked from commit da49c09) Co-authored-by: grembo <[email protected]>
SUMMARY
Given a password stored in path/to/secret, requesting the password
path/to will literally return
path/to. This can lead to usingweak passwords by accident/mess up logic in code, based on the
state of the password store.
This is worked around by applying the same logic
passuses:If a password was returned, check if there is a .gpg file it could
have come from. If not, treat it as missing.
Fixes #4185
ISSUE TYPE
COMPONENT NAME
passwordstore
plugins/lookup/passwordstore
ADDITIONAL INFORMATION
See: