From 0ca437361ca2d7aa7850df6c951099f295919d45 Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Wed, 30 Mar 2022 16:00:07 +0200 Subject: [PATCH] Update to 2022-03-30 16:00 --- roles/bookstack/defaults/main.yml | 4 +- roles/diagrams/defaults/main.yml | 4 +- roles/includes/get_rand_pass.yml | 147 +++++++++++++++++++++++++----- 3 files changed, 128 insertions(+), 27 deletions(-) diff --git a/roles/bookstack/defaults/main.yml b/roles/bookstack/defaults/main.yml index 2911d2f..99c3960 100644 --- a/roles/bookstack/defaults/main.yml +++ b/roles/bookstack/defaults/main.yml @@ -1,11 +1,11 @@ --- # Version to deploy -bookstack_version: '22.02.3' +bookstack_version: '22.03' # URL of the arhive bookstack_archive_url: https://github.com/BookStackApp/BookStack/archive/v{{ bookstack_version }}.tar.gz # Expected sha256 of the archive -bookstack_archive_sha256: 30f618e2795e3d759fb1ed87e7bb898d47ad0edd71a873797b294cc3e3f0cd79 +bookstack_archive_sha256: 56cebf8c30f2db6c88e8d687812ecb9338de60ee950afca7adeb5a6d068d8f3a # Should ansible handle bookstack upgrades or just the inintial install bookstack_manage_upgrade: True diff --git a/roles/diagrams/defaults/main.yml b/roles/diagrams/defaults/main.yml index 488c406..81f4b9f 100644 --- a/roles/diagrams/defaults/main.yml +++ b/roles/diagrams/defaults/main.yml @@ -1,11 +1,11 @@ --- # Veresion of diagrams to deploy -diagrams_version: 16.6.6 +diagrams_version: 17.2.5 # URL of the WAR file to deploy diagrams_war_url: https://github.com/jgraph/drawio/releases/download/v{{ diagrams_version }}/draw.war # Expected sha256 of the WAR file -diagrams_war_sha256: bad6e2d9b989f947e8a7c87f7ca9394a7ba1b26ee4e1c3d552e70fb3a01c2c49 +diagrams_war_sha256: 1faa0fcbac4a2666eb615d414fcd738631398dd6cc2faf3deaae511259999bbb # root directory of the installation diagrams_root_dir: /opt/diagrams # Should ansible manage upgrades, or just initial install ? diff --git a/roles/includes/get_rand_pass.yml b/roles/includes/get_rand_pass.yml index 7d8f858..ce49db7 100644 --- a/roles/includes/get_rand_pass.yml +++ b/roles/includes/get_rand_pass.yml @@ -13,61 +13,162 @@ # Check if a non encrypted file exists. We do it first for backward compatibility - name: Check if password file exists stat: path={{ pass_file }} - register: pass_file_clear + register: rand_pass_file_clear -# Now check if an encrypted file exists +# Check if and encrypted file exists using pbkdf2 key derivation +- name: Check if an encrypted using PBKDF2 password file exists + stat: path={{ pass_file }}.aes256-pbkdf2 + register: rand_pass_file_enc_pbkdf2 + +# Now check if an encrypted file exists (without pbkdf2) - name: Check if an encrypted password file exists stat: path={{ pass_file }}.aes256 - register: pass_file_enc + register: rand_pass_file_enc # When no clear nor encrypted file exists, generate a random pass with pwgen -- name: Generate a random password - shell: pwgen {% if complex | default(True) %}-y -r \`\'\"\\\|\^\# {% endif %}-s {{ pass_size | default(50) }} 1 - register: rand_pass - when: not pass_file_clear.stat.exists and not pass_file_enc.stat.exists +- when: + - not rand_pass_file_clear.stat.exists + - not rand_pass_file_enc.stat.exists + - not rand_pass_file_enc_pbkdf2.stat.exists + block: + - name: Generate a random password + shell: pwgen {% if complex | default(True) %}-y -r \`\'\"\\\|\^\# {% endif %}-s {{ pass_size | default(50) }} 1 + register: rand_pass_new + + - set_fact: rand_pass_new={{ rand_pass_new.stdout | trim }} + +# Check if openssl supports pbkdf2 +- name: Check if openssl supports pbkdf2 key derivation + command: openssl enc -pbkdf2 -list + register: pass_openssl_pbkdf2 + failed_when: False + changed_when: False # New pass generation ? Encrypt it with openssl, unless encryption is disabled, or the global rand_pass_encryption_key isn't defined -- when: not pass_file_clear.stat.exists and not pass_file_enc.stat.exists and encryption | default(True) and rand_pass_encryption_key is defined +# If openssl supports PBKDF2 key derivation, use it +- when: + - not rand_pass_file_clear.stat.exists + - not rand_pass_file_enc.stat.exists + - not rand_pass_file_enc_pbkdf2.stat.exists + - encryption | default(True) + - rand_pass_encryption_key is defined block: - name: Encrypt the generated password - shell: openssl enc -e -a -aes256 -pass pass:{{ rand_pass_encryption_key | quote }} + shell: openssl enc -e -a -aes256 {% if pass_openssl_pbkdf2.rc == 0 %}-pbkdf2 {% endif %}-pass pass:{{ rand_pass_encryption_key | quote }} args: - stdin: "{{ rand_pass.stdout }}" - register: encrypted_rand_pass - - copy: content={{ encrypted_rand_pass.stdout | trim }} dest={{ pass_file }}.aes256 mode=600 + stdin: "{{ rand_pass_new }}" + register: rand_pass_enc + - copy: content={{ rand_pass_enc.stdout | trim }} dest={{ pass_file }}.aes256{% if pass_openssl_pbkdf2.rc == 0 %}-pbkdf2{% endif %} mode=600 # New pass generation but with encryption disabled, or the global rand_pass_encryption_key not defined # in this case, store the password as plain text -- name: Store the generated password as clear text - copy: content={{ rand_pass.stdout | trim }} dest={{ pass_file }} mode=600 - when: not pass_file_clear.stat.exists and not pass_file_enc.stat.exists and (not encryption | default(True) or rand_pass_encryption_key is not defined) +- when: + - not rand_pass_file_clear.stat.exists + - not rand_pass_file_enc.stat.exists + - not rand_pass_file_enc_pbkdf2.stat.exists + - not encryption | default(True) or rand_pass_encryption_key is not defined + name: Store the generated password as clear text + copy: content={{ rand_pass_new }} dest={{ pass_file }} mode=600 -# Read the encrypted pass -- when: not pass_file_clear.stat.exists and encryption | default(True) and rand_pass_encryption_key is defined +# Read the encrypted pass (with PBKDF2) +- when: + - not rand_pass_file_clear.stat.exists + - not rand_pass_file_enc.stat.exists + - rand_pass_file_enc_pbkdf2.stat.exists or rand_pass_new is defined + - pass_openssl_pbkdf2.rc == 0 + - encryption | default(True) + - rand_pass_encryption_key is defined + block: + + - name: Read the encrypted (with PBKDF2) password + slurp: src={{ pass_file }}.aes256-pbkdf2 + register: rand_pass_enc_pbkdf2 + + - name: Decrypt (using PBKDF2) the password + shell: openssl enc -d -a -aes256 -pbkdf2 -pass pass:{{ rand_pass_encryption_key | quote }} + args: + stdin: "{{ rand_pass_enc_pbkdf2.content | b64decode | trim }}" + register: rand_pass_dec_pbkdf2 + changed_when: False + + - set_fact: rand_pass_dec_pbkdf2={{ rand_pass_dec_pbkdf2.stdout | trim }} + +# Read the encrypted pass (without PBKDF2) +- when: + - not rand_pass_file_clear.stat.exists + - rand_pass_file_enc.stat.exists or rand_pass_new is defined + - not rand_pass_file_enc_pbkdf2.stat.exists + - encryption | default(True) + - rand_pass_encryption_key is defined block: - name: Read the encrypted password slurp: src={{ pass_file }}.aes256 - register: rand_pass + register: rand_pass_enc - name: Decrypt the password shell: openssl enc -d -a -aes256 -pass pass:{{ rand_pass_encryption_key | quote }} args: - stdin: "{{ rand_pass.content | b64decode | trim }}" - register: rand_pass_decrypted + stdin: "{{ rand_pass_enc.content | b64decode | trim }}" + register: rand_pass_dec changed_when: False + - set_fact: rand_pass_dec={{ rand_pass_dec.stdout }} + # Read unencrypted pass file -- when: not encryption | default(True) or rand_pass_encryption_key is not defined or pass_file_clear.stat.exists +- when: not encryption | default(True) or rand_pass_encryption_key is not defined or rand_pass_file_clear.stat.exists block: - name: Read the clear text password slurp: src={{ pass_file }} register: rand_pass_clear + - set_fact: rand_pass_clear={{ rand_pass_clear.content | b64decode | trim }} + +# Reencrypt the password from clear text when possible +- when: + - rand_pass_file_clear.stat.exists + - encryption | default(True) + - rand_pass_encryption_key is defined + block: + + - name: Re encrypt the clear text password + shell: openssl enc -e -a -aes256 {% if pass_openssl_pbkdf2.rc == 0 %}-pbkdf2 {% endif %}-pass pass:{{ rand_pass_encryption_key | quote }} + args: + stdin: "{{ rand_pass_clear }}" + register: rand_pass_reenc + + - name: Store the re encrypted password + copy: content={{ rand_pass_reenc.stdout | trim }} dest={{ pass_file }}.aes256{% if pass_openssl_pbkdf2.rc == 0 %}-pbkdf2{% endif %} mode=600 + + - name: Remove the clear text pass file + file: path={{ pass_file }} state=absent + +# Reencrypt the password from aes256 to aes256 with PBKDF2 when possible +- when: + - rand_pass_file_enc.stat.exists + - not rand_pass_file_enc_pbkdf2.stat.exists + - pass_openssl_pbkdf2.rc == 0 + - encryption | default(True) + - rand_pass_encryption_key is defined + block: + + - name: Re encrypt the password using PBKDF2 + shell: openssl enc -e -a -aes256 -pbkdf2 -pass pass:{{ rand_pass_encryption_key | quote }} + args: + stdin: "{{ rand_pass_dec }}" + register: rand_pass_reenc + + - name: Store the re encrypted password with PBKDF2 + copy: content={{ rand_pass_reenc.stdout | trim }} dest={{ pass_file }}.aes256-pbkdf2 mode=600 + + - name: Remove the encrypted pass file without PBKDF2 + file: path={{ pass_file }}.aes256 state=absent + # Now set either the decrypted, or the clear text pass in the rand_pass variable which will be used by the caller - set_fact: rand_pass: >- - {%- if (rand_pass_decrypted is defined and rand_pass_decrypted.stdout is defined) -%}{{ rand_pass_decrypted.stdout }} - {%- elif rand_pass_clear is defined and rand_pass_clear.content is defined -%}{{ rand_pass_clear.content | b64decode | trim }} + {%- if rand_pass_dec_pbkdf2 is defined and rand_pass_dec_pbkdf2.skipped is not defined -%}{{ rand_pass_dec_pbkdf2 }} + {%- elif rand_pass_dec is defined and rand_pass_dec.skipped is not defined -%}{{ rand_pass_dec }} + {%- elif rand_pass_clear is defined and rand_pass_clear.skipped is not defined -%}{{ rand_pass_clear }} {%- else -%}{%- endif -%}