-rw-r--r-- | filter_plugins/crypto.py | 55 | ||||
-rw-r--r-- | roles/nginx/auth/basic/tasks/main.yml | 2 |
2 files changed, 56 insertions, 1 deletions
diff --git a/filter_plugins/crypto.py b/filter_plugins/crypto.py
new file mode 100644
index 00000000..17a0f6c4
--- /dev/null
+++ b/filter_plugins/crypto.py
@@ -0,0 +1,55 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import hashlib
+from passlib.utils.binary import Base64Engine, HASH64_CHARS, BCRYPT_CHARS
+from ansible.module_utils._text import to_bytes, to_text
+from ansible import errors
+
+
+def _hash64_salt(seed, length):
+ h = hashlib.new('sha256')
+ e = Base64Engine(HASH64_CHARS)
+ h.update(to_bytes(seed, errors='surrogate_or_strict'))
+ return to_text(e.encode_bytes(h.digest()[0:length]))
+
+
+def apr_md5_crypt_salt(seed):
+ ''' generate salt for apr_md5_crypt algorithm based on seed-value '''
+ try:
+ return _hash64_salt(seed, 6)
+ except Exception as e:
+ raise errors.AnsibleFilterError("apr_md5_crypt_salt(): %s" % str(e))
+
+
+def sha2_crypt_salt(seed):
+ ''' generate salt for sha256/sha512_crypt algorithms based on seed-value '''
+ try:
+ return _hash64_salt(seed, 16)
+ except Exception as e:
+ raise errors.AnsibleFilterError("sha2_crypt_salt(): %s" % str(e))
+
+
+def bcrypt_salt(seed):
+ ''' generate salt for bcrypt algorithm based on seed-value '''
+ try:
+ h = hashlib.new('sha256')
+ e = Base64Engine(BCRYPT_CHARS)
+ h.update(to_bytes(seed, errors='surrogate_or_strict'))
+ return to_text(e.encode_bytes(h.digest()[0:16]))
+ except Exception as e:
+ raise errors.AnsibleFilterError("bcrypt_salt(): %s" % str(e))
+
+
+class FilterModule(object):
+
+ ''' crypto helpers '''
+ filter_map = {
+ 'apr_md5_crypt_salt': apr_md5_crypt_salt,
+ 'sha256_salt': sha2_crypt_salt,
+ 'sha512_salt': sha2_crypt_salt,
+ 'bcrypt_salt': bcrypt_salt,
+ }
+
+ def filters(self):
+ return self.filter_map
diff --git a/roles/nginx/auth/basic/tasks/main.yml b/roles/nginx/auth/basic/tasks/main.yml
index 1eb99183..6de2c433 100644
--- a/roles/nginx/auth/basic/tasks/main.yml
+++ b/roles/nginx/auth/basic/tasks/main.yml
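Review bot: `sha2_crypt_salt` hands 16 digest bytes to `_hash64_salt`, which hash64-encodes them at six bits per character into a 22-character string, while sha256_crypt/sha512_crypt accept at most 16 salt characters, so passlib is likely to reject (or, depending on version, truncate) the value once `password_hash` passes it through; 12 bytes encode to exactly 16 characters, i.e. `return _hash64_salt(seed, 12)`. `bcrypt_salt` repeats the body of `_hash64_salt` with only the alphabet changed; giving the helper a `chars=HASH64_CHARS` parameter and calling `_hash64_salt(seed, 16, BCRYPT_CHARS)` removes the duplication and keeps the three filters on one code path. The docstrings should also state that the salt is deterministic — the same seed always yields the same salt — because that property is the reason these filters exist and it differs from the random salt passlib would otherwise generate; e.g. `''' deterministic 8-char hash64 salt for apr_md5_crypt, derived from seed '''`.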
@@ -15,5 +15,5 @@
 mode: 0640
 content: |
 {% for user,password in nginx_auth_basic_users.items() %}
- {{ user }}:{{ password | password_hash('apr_md5_crypt', 65534 | random(seed=(inventory_hostname+user)) | string) }}
+ {{ user }}:{{ password | password_hash('apr_md5_crypt', (user~'@'~inventory_hostname~'/nginx') | apr_md5_crypt_salt) }}
 {% endfor %} |
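Review bot: Nothing in the task records why the salt on the added line is derived from `user` and `inventory_hostname` rather than left to `password_hash` to randomise, which is what makes the rendered htpasswd content stable across runs; without that note a later maintainer may switch it back to a random salt and reintroduce a changed file on every play. A comment above `content:` such as `# salt is derived from user@host (not random) so the rendered file is idempotent across runs; the salt only needs to be unique per user, not secret` would preserve the intent. The enclosing task begins above the hunk.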