Revised patch for more password entropy

2013-11-01 09:51:35 -05:00 · 2013-11-01 09:51:35 -05:00 · 0824f004d9
commit 0824f004d9
parent dc4d589ce0
4 changed files with 16 additions and 6 deletions
--- a/lib/ansible/constants.py
+++ b/lib/ansible/constants.py
@ -19,6 +19,7 @@ import os
 import pwd
 import sys
 import ConfigParser
+from string import ascii_letters, digits

 # copied from utils, avoid circular reference fun :)
 def mk_boolean(value):
@ -148,6 +149,8 @@ ACCELERATE_TIMEOUT             = get_config(p, 'accelerate', 'accelerate_timeout
 ACCELERATE_CONNECT_TIMEOUT     = get_config(p, 'accelerate', 'accelerate_connect_timeout', 'ACCELERATE_CONNECT_TIMEOUT', 1.0, floating=True)
 PARAMIKO_PTY                   = get_config(p, 'paramiko_connection', 'pty', 'ANSIBLE_PARAMIKO_PTY', True, boolean=True)

+# characters included in auto-generated passwords
+DEFAULT_PASSWORD_CHARS = ascii_letters + digits + ".,:-_"

 # non-configurable things
 DEFAULT_SUDO_PASS         = None
--- a/lib/ansible/runner/lookup_plugins/password.py
+++ b/lib/ansible/runner/lookup_plugins/password.py
@ -20,7 +20,6 @@
 from ansible import utils, errors
 import os
 import errno
-import random
 from string import ascii_letters, digits


@ -33,10 +32,7 @@ class LookupModule(object):

    def random_salt(self):
        salt_chars = ascii_letters + digits + './'
-        salt = []
-        for _ in range(8):
-            salt.append(random.choice(salt_chars))
-        return ''.join(salt)
+        return utils.random_password(length=8, chars=salt_chars)

    def run(self, terms, inject=None, **kwargs):

@ -76,7 +72,7 @@ class LookupModule(object):
                if not os.path.isdir(pathdir):
                    os.makedirs(pathdir)
                chars = ascii_letters + digits + ".,:-_"
-                password = ''.join(random.choice(chars) for _ in range(length))
+                password = utils.random_password(length)
                if encrypt is not None:
                    salt = self.random_salt()
                    content = '%s salt=%s' % (password, salt)
--- a/lib/ansible/utils/init.py
+++ b/lib/ansible/utils/init.py
@ -1006,4 +1006,13 @@ def combine_vars(a, b):
    else:
        return dict(a.items() + b.items())

+def random_password(length=20, chars=C.DEFAULT_PASSWORD_CHARS):
+    '''Return a random password string of length containing only chars.'''

+    password = []
+    while len(password) < length:
+        new_char = os.urandom(1)
+        if new_char in chars:
+            password.append(new_char)
+
+    return ''.join(password)
--- a/library/cloud/linode
+++ b/library/cloud/linode
@ -174,6 +174,8 @@ def randompass():
    # we play it safe :)
    import random
    import string
+    # as of python 2.4, this reseeds the PRNG from urandom
+    random.seed() 
    lower = ''.join(random.choice(string.ascii_lowercase) for x in range(6))
    upper = ''.join(random.choice(string.ascii_uppercase) for x in range(6))
    number = ''.join(random.choice(string.digits) for x in range(6))