2013-07-17 22:37:04 +02:00
|
|
|
#!/usr/bin/python
|
2013-06-25 03:18:05 +02:00
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
|
|
|
|
|
# (c) 2013, Nimbis Services, Inc.
|
|
|
|
|
#
|
|
|
|
|
# This file is part of Ansible
|
|
|
|
|
#
|
|
|
|
|
# Ansible is free software: you can redistribute it and/or modify
|
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
# (at your option) any later version.
|
|
|
|
|
#
|
|
|
|
|
# Ansible is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
|
#
|
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
#
|
2013-06-24 22:24:55 +02:00
|
|
|
DOCUMENTATION = """
|
|
|
|
|
module: htpasswd
|
2013-11-19 00:55:49 +01:00
|
|
|
version_added: "1.3"
|
2013-06-24 22:24:55 +02:00
|
|
|
short_description: manage user files for basic authentication
|
|
|
|
|
description:
|
|
|
|
|
- Add and remove username/password entries in a password file using htpasswd.
|
|
|
|
|
- This is used by web servers such as Apache and Nginx for basic authentication.
|
|
|
|
|
options:
|
|
|
|
|
path:
|
|
|
|
|
required: true
|
|
|
|
|
aliases: [ dest, destfile ]
|
|
|
|
|
description:
|
|
|
|
|
- Path to the file that contains the usernames and passwords
|
|
|
|
|
name:
|
|
|
|
|
required: true
|
|
|
|
|
aliases: [ username ]
|
|
|
|
|
description:
|
|
|
|
|
- User name to add or remove
|
|
|
|
|
password:
|
|
|
|
|
required: false
|
|
|
|
|
description:
|
2014-02-03 18:52:37 +01:00
|
|
|
- Password associated with user.
|
2014-01-30 07:05:05 +01:00
|
|
|
- Must be specified if user does not exist yet.
|
2013-09-05 12:05:01 +02:00
|
|
|
crypt_scheme:
|
|
|
|
|
required: false
|
2014-01-30 07:05:05 +01:00
|
|
|
choices: ["apr_md5_crypt", "des_crypt", "ldap_sha1", "plaintext"]
|
2013-09-05 12:05:01 +02:00
|
|
|
default: "apr_md5_crypt"
|
|
|
|
|
description:
|
2014-12-07 12:01:55 +01:00
|
|
|
- Encryption scheme to be used. As well as the four choices listed
|
|
|
|
|
here, you can also use any other hash supported by passlib, such as
|
|
|
|
|
md5_crypt and sha256_crypt, which are linux passwd hashes. If you
|
|
|
|
|
do so the password file will not be compatible with Apache or Nginx
|
2013-06-24 22:24:55 +02:00
|
|
|
state:
|
|
|
|
|
required: false
|
|
|
|
|
choices: [ present, absent ]
|
|
|
|
|
default: "present"
|
|
|
|
|
description:
|
|
|
|
|
- Whether the user entry should be present or not
|
|
|
|
|
create:
|
|
|
|
|
required: false
|
|
|
|
|
choices: [ "yes", "no" ]
|
|
|
|
|
default: "yes"
|
|
|
|
|
description:
|
|
|
|
|
- Used with C(state=present). If specified, the file will be created
|
|
|
|
|
if it does not already exist. If set to "no", will fail if the
|
|
|
|
|
file does not exist
|
2013-09-19 03:43:13 +02:00
|
|
|
notes:
|
2013-10-02 14:24:21 +02:00
|
|
|
- "This module depends on the I(passlib) Python library, which needs to be installed on all target systems."
|
|
|
|
|
- "On Debian, Ubuntu, or Fedora: install I(python-passlib)."
|
|
|
|
|
- "On RHEL or CentOS: Enable EPEL, then install I(python-passlib)."
|
2013-06-24 22:24:55 +02:00
|
|
|
requires: [ passlib>=1.6 ]
|
2015-10-28 19:38:11 +01:00
|
|
|
author: "Ansible Core Team"
|
2013-06-24 22:24:55 +02:00
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
EXAMPLES = """
|
|
|
|
|
# Add a user to a password file and ensure permissions are set
|
|
|
|
|
- htpasswd: path=/etc/nginx/passwdfile name=janedoe password=9s36?;fyNp owner=root group=www-data mode=0640
|
|
|
|
|
# Remove a user from a password file
|
|
|
|
|
- htpasswd: path=/etc/apache2/passwdfile name=foobar state=absent
|
2014-12-07 12:01:55 +01:00
|
|
|
# Add a user to a password file suitable for use by libpam-pwdfile
|
|
|
|
|
- htpasswd: path=/etc/mail/passwords name=alex password=oedu2eGh crypt_scheme=md5_crypt
|
2013-06-24 22:24:55 +02:00
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
import os
|
2015-06-24 20:23:34 +02:00
|
|
|
import tempfile
|
2013-10-04 03:18:17 +02:00
|
|
|
from distutils.version import StrictVersion
|
2013-06-24 22:24:55 +02:00
|
|
|
|
|
|
|
|
try:
|
2014-12-07 12:01:55 +01:00
|
|
|
from passlib.apache import HtpasswdFile, htpasswd_context
|
|
|
|
|
from passlib.context import CryptContext
|
2013-10-04 03:18:17 +02:00
|
|
|
import passlib
|
2013-06-24 22:24:55 +02:00
|
|
|
except ImportError:
|
|
|
|
|
passlib_installed = False
|
|
|
|
|
else:
|
|
|
|
|
passlib_installed = True
|
|
|
|
|
|
2014-12-07 12:01:55 +01:00
|
|
|
apache_hashes = ["apr_md5_crypt", "des_crypt", "ldap_sha1", "plaintext"]
|
2013-06-24 22:24:55 +02:00
|
|
|
|
2015-12-04 18:18:45 +01:00
|
|
|
|
2013-06-24 22:24:55 +02:00
|
|
|
def create_missing_directories(dest):
|
|
|
|
|
destpath = os.path.dirname(dest)
|
|
|
|
|
if not os.path.exists(destpath):
|
|
|
|
|
os.makedirs(destpath)
|
|
|
|
|
|
|
|
|
|
|
2013-09-05 12:05:01 +02:00
|
|
|
def present(dest, username, password, crypt_scheme, create, check_mode):
|
2013-06-24 22:24:55 +02:00
|
|
|
""" Ensures user is present
|
|
|
|
|
|
|
|
|
|
Returns (msg, changed) """
|
2014-12-07 12:01:55 +01:00
|
|
|
if crypt_scheme in apache_hashes:
|
|
|
|
|
context = htpasswd_context
|
|
|
|
|
else:
|
|
|
|
|
context = CryptContext(schemes = [ crypt_scheme ] + apache_hashes)
|
2013-06-24 22:24:55 +02:00
|
|
|
if not os.path.exists(dest):
|
|
|
|
|
if not create:
|
|
|
|
|
raise ValueError('Destination %s does not exist' % dest)
|
|
|
|
|
if check_mode:
|
|
|
|
|
return ("Create %s" % dest, True)
|
|
|
|
|
create_missing_directories(dest)
|
2013-10-04 03:18:17 +02:00
|
|
|
if StrictVersion(passlib.__version__) >= StrictVersion('1.6'):
|
2014-12-07 12:01:55 +01:00
|
|
|
ht = HtpasswdFile(dest, new=True, default_scheme=crypt_scheme, context=context)
|
2013-10-04 03:18:17 +02:00
|
|
|
else:
|
2014-12-07 12:01:55 +01:00
|
|
|
ht = HtpasswdFile(dest, autoload=False, default=crypt_scheme, context=context)
|
2013-07-21 00:22:58 +02:00
|
|
|
if getattr(ht, 'set_password', None):
|
|
|
|
|
ht.set_password(username, password)
|
|
|
|
|
else:
|
|
|
|
|
ht.update(username, password)
|
2013-06-24 22:24:55 +02:00
|
|
|
ht.save()
|
|
|
|
|
return ("Created %s and added %s" % (dest, username), True)
|
|
|
|
|
else:
|
2013-10-04 03:18:17 +02:00
|
|
|
if StrictVersion(passlib.__version__) >= StrictVersion('1.6'):
|
2014-12-07 12:01:55 +01:00
|
|
|
ht = HtpasswdFile(dest, new=False, default_scheme=crypt_scheme, context=context)
|
2013-10-04 03:18:17 +02:00
|
|
|
else:
|
2014-12-07 12:01:55 +01:00
|
|
|
ht = HtpasswdFile(dest, default=crypt_scheme, context=context)
|
2013-09-05 12:05:01 +02:00
|
|
|
|
2013-07-21 00:22:58 +02:00
|
|
|
found = None
|
|
|
|
|
if getattr(ht, 'check_password', None):
|
|
|
|
|
found = ht.check_password(username, password)
|
|
|
|
|
else:
|
|
|
|
|
found = ht.verify(username, password)
|
|
|
|
|
|
|
|
|
|
if found:
|
2013-06-24 22:24:55 +02:00
|
|
|
return ("%s already present" % username, False)
|
|
|
|
|
else:
|
|
|
|
|
if not check_mode:
|
2013-07-21 00:22:58 +02:00
|
|
|
if getattr(ht, 'set_password', None):
|
|
|
|
|
ht.set_password(username, password)
|
|
|
|
|
else:
|
|
|
|
|
ht.update(username, password)
|
2013-06-24 22:24:55 +02:00
|
|
|
ht.save()
|
|
|
|
|
return ("Add/update %s" % username, True)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def absent(dest, username, check_mode):
|
|
|
|
|
""" Ensures user is absent
|
|
|
|
|
|
|
|
|
|
Returns (msg, changed) """
|
2013-10-04 03:18:17 +02:00
|
|
|
if StrictVersion(passlib.__version__) >= StrictVersion('1.6'):
|
2013-07-21 00:22:58 +02:00
|
|
|
ht = HtpasswdFile(dest, new=False)
|
2013-10-04 03:18:17 +02:00
|
|
|
else:
|
2013-07-21 00:22:58 +02:00
|
|
|
ht = HtpasswdFile(dest)
|
|
|
|
|
|
2013-06-24 22:24:55 +02:00
|
|
|
if username not in ht.users():
|
|
|
|
|
return ("%s not present" % username, False)
|
|
|
|
|
else:
|
|
|
|
|
if not check_mode:
|
|
|
|
|
ht.delete(username)
|
|
|
|
|
ht.save()
|
|
|
|
|
return ("Remove %s" % username, True)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def check_file_attrs(module, changed, message):
|
|
|
|
|
|
|
|
|
|
file_args = module.load_file_common_arguments(module.params)
|
2014-03-19 03:39:45 +01:00
|
|
|
if module.set_fs_attributes_if_different(file_args, False):
|
2013-06-24 22:24:55 +02:00
|
|
|
|
|
|
|
|
if changed:
|
|
|
|
|
message += " and "
|
|
|
|
|
changed = True
|
|
|
|
|
message += "ownership, perms or SE linux context changed"
|
|
|
|
|
|
|
|
|
|
return message, changed
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def main():
|
|
|
|
|
arg_spec = dict(
|
|
|
|
|
path=dict(required=True, aliases=["dest", "destfile"]),
|
|
|
|
|
name=dict(required=True, aliases=["username"]),
|
2016-06-28 16:21:45 +02:00
|
|
|
password=dict(required=False, default=None, no_log=True),
|
2015-07-10 19:51:04 +02:00
|
|
|
crypt_scheme=dict(required=False, default="apr_md5_crypt"),
|
2013-06-24 22:24:55 +02:00
|
|
|
state=dict(required=False, default="present"),
|
2013-10-11 14:45:13 +02:00
|
|
|
create=dict(type='bool', default='yes'),
|
2013-06-24 22:24:55 +02:00
|
|
|
|
|
|
|
|
)
|
|
|
|
|
module = AnsibleModule(argument_spec=arg_spec,
|
|
|
|
|
add_file_common_args=True,
|
|
|
|
|
supports_check_mode=True)
|
|
|
|
|
|
|
|
|
|
path = module.params['path']
|
|
|
|
|
username = module.params['name']
|
|
|
|
|
password = module.params['password']
|
2013-09-05 12:05:01 +02:00
|
|
|
crypt_scheme = module.params['crypt_scheme']
|
2013-06-24 22:24:55 +02:00
|
|
|
state = module.params['state']
|
|
|
|
|
create = module.params['create']
|
|
|
|
|
check_mode = module.check_mode
|
|
|
|
|
|
|
|
|
|
if not passlib_installed:
|
|
|
|
|
module.fail_json(msg="This module requires the passlib Python library")
|
|
|
|
|
|
2015-05-23 00:57:06 +02:00
|
|
|
# Check file for blank lines in effort to avoid "need more than 1 value to unpack" error.
|
|
|
|
|
try:
|
2015-06-24 20:23:34 +02:00
|
|
|
f = open(path, "r")
|
|
|
|
|
except IOError:
|
|
|
|
|
# No preexisting file to remove blank lines from
|
|
|
|
|
f = None
|
|
|
|
|
else:
|
2015-05-23 00:57:06 +02:00
|
|
|
try:
|
2015-06-24 20:23:34 +02:00
|
|
|
lines = f.readlines()
|
2015-05-23 00:57:06 +02:00
|
|
|
finally:
|
2015-06-24 20:23:34 +02:00
|
|
|
f.close()
|
|
|
|
|
|
|
|
|
|
# If the file gets edited, it returns true, so only edit the file if it has blank lines
|
|
|
|
|
strip = False
|
|
|
|
|
for line in lines:
|
|
|
|
|
if not line.strip():
|
|
|
|
|
strip = True
|
|
|
|
|
break
|
|
|
|
|
|
|
|
|
|
if strip:
|
|
|
|
|
# If check mode, create a temporary file
|
|
|
|
|
if check_mode:
|
|
|
|
|
temp = tempfile.NamedTemporaryFile()
|
|
|
|
|
path = temp.name
|
|
|
|
|
f = open(path, "w")
|
|
|
|
|
try:
|
|
|
|
|
[ f.write(line) for line in lines if line.strip() ]
|
|
|
|
|
finally:
|
|
|
|
|
f.close()
|
2015-05-23 00:57:06 +02:00
|
|
|
|
2013-06-24 22:24:55 +02:00
|
|
|
try:
|
|
|
|
|
if state == 'present':
|
2013-09-05 12:05:01 +02:00
|
|
|
(msg, changed) = present(path, username, password, crypt_scheme, create, check_mode)
|
2013-06-24 22:24:55 +02:00
|
|
|
elif state == 'absent':
|
2015-12-04 18:18:45 +01:00
|
|
|
if not os.path.exists(path):
|
|
|
|
|
module.exit_json(msg="%s not present" % username,
|
|
|
|
|
warnings="%s does not exist" % path, changed=False)
|
2013-06-24 22:24:55 +02:00
|
|
|
(msg, changed) = absent(path, username, check_mode)
|
|
|
|
|
else:
|
|
|
|
|
module.fail_json(msg="Invalid state: %s" % state)
|
|
|
|
|
|
|
|
|
|
check_file_attrs(module, changed, msg)
|
|
|
|
|
module.exit_json(msg=msg, changed=changed)
|
2016-05-17 19:17:24 +02:00
|
|
|
except Exception:
|
|
|
|
|
e = get_exception()
|
2013-06-24 22:24:55 +02:00
|
|
|
module.fail_json(msg=str(e))
|
|
|
|
|
|
|
|
|
|
|
2013-12-02 21:13:49 +01:00
|
|
|
# import module snippets
|
2013-12-02 21:11:23 +01:00
|
|
|
from ansible.module_utils.basic import *
|
2013-06-24 22:24:55 +02:00
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
|
main()
|
