Merge "Always remove temporary file containing passwords"

c4a5c464 · Zuul · Gerrit Code Review · 749ef824 · 7ca0cd0c · c4a5c464
Commit c4a5c464 authored 6 years ago by Zuul Committed by Gerrit Code Review 6 years ago
--- a/ansible/roles/kolla-ansible/library/kolla_passwords.py
+++ b/ansible/roles/kolla-ansible/library/kolla_passwords.py
@@ -111,13 +111,13 @@ def kolla_passwords(module):
    temp_file_path = create_named_tempfile()
    try:
        # Start with kolla's sample password file.
-        shutil.copy2(module.params['sample'], temp_file_path)
+        shutil.copyfile(module.params['sample'], temp_file_path)

        # If passwords exist, decrypt and merge these in.
        if module.params['src'] and os.path.isfile(module.params['src']):
            src_path = create_named_tempfile()
            try:
-                shutil.copy2(module.params['src'], src_path)
+                shutil.copyfile(module.params['src'], src_path)
                if module.params['vault_password']:
                    vault_decrypt(module, src_path)
                kolla_mergepwd(module, src_path, temp_file_path, temp_file_path)
@@ -142,7 +142,7 @@ def kolla_passwords(module):
            if module.params['vault_password']:
                dest_path = create_named_tempfile()
                try:
-                    shutil.copy2(module.params['dest'], dest_path)
+                    shutil.copyfile(module.params['dest'], dest_path)
                    vault_decrypt(module, dest_path)
                    checksum_dest = module.sha1(dest_path)
                finally:
@@ -162,10 +162,10 @@ def kolla_passwords(module):
        if changed and not module.check_mode:
            module.atomic_move(temp_file_path, module.params['dest'])
    except Exception as e:
-        try:
+        module.fail_json(msg="Failed to generate kolla passwords: %s" % repr(e))
+    finally:
+        if os.path.isfile(temp_file_path):
            os.unlink(temp_file_path)
-        finally:
-            module.fail_json(msg="Failed to generate kolla passwords: %s" % repr(e))

    if not module.check_mode:
        # Update the file's attributes.

--- a/releasenotes/notes/passwords-in-tmp-18e55d5e9b894b4d.yaml
+++ b/releasenotes/notes/passwords-in-tmp-18e55d5e9b894b4d.yaml
+---
+security:
+  - |
+    Fixes an issue when generating the ``passwords.yml`` file for Kolla Ansible
+    where if the contents of the file have not changed, a plain text copy of the
+    file would be left in /tmp on the Ansible control host.
+
+    The temporary files are typically named /tmp/tmpXXXXXX, and are owned by the
+    user that runs kayobe, with permissions 664 (rw-rw-r--).
+
+    It is recommended to check any systems on which Kayobe has been run for
+    copies of the passwords file in /tmp. A simple check for this is `grep -rn
+    database_password /tmp`.
+fixes:
+  - |
+    Fixes an issue when generating the ``passwords.yml`` file for Kolla Ansible
+    where if the contents of the file have not changed, a plain text copy of the
+    file would be left in /tmp on the Ansible control host.
+
+    The temporary files are typically named /tmp/tmpXXXXXX, and are owned by the
+    user that runs kayobe, with permissions 664 (rw-rw-r--).
+
+    It is recommended to check any systems on which Kayobe has been run for
+    copies of the passwords file in /tmp. A simple check for this is `grep -rn
+    database_password /tmp`.