From 3f01dc11f70a9475bd09c1a00477506c64e66c9a Mon Sep 17 00:00:00 2001 From: Jeremy Stanley Date: Tue, 4 Jun 2019 18:33:29 +0000 Subject: [PATCH] Use password lookup for run-buildset-registry role Complete a lingering TODO in run-buildset-registry to use a less guessable password for the intermediate registry service. Timestamps (even with microsecond precision and even running through a hash algorithm) are inherently guessable. Someone watching a console stream of the job could probably narrow down the time that task ran to at least second precision, which then requires at most a million guesses to be able to pollute or otherwise compromise the content jobs are relying on. With reasonable network access and a typical personal computer this is a rather small work factor to overcome. Luckily, the Ansible community maintains an in-tree lookup plugin[*] for strong password generation. Its default is 20 mixed-case letters, numbers and punctuation, so the same length as the truncated hash we're replacing. [*] https://docs.ansible.com/ansible/latest/plugins/lookup/password.html Depends-On: https://review.opendev.org/662870 Change-Id: I66e60f767328cc3af540ec4b755121da989b5e56
--- roles/run-buildset-registry/tasks/main.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/roles/run-buildset-registry/tasks/main.yaml b/roles/run-buildset-registry/tasks/main.yaml
index 226e5f764..3c0cab05e 100644
--- a/roles/run-buildset-registry/tasks/main.yaml
+++ b/roles/run-buildset-registry/tasks/main.yaml
@@ -25,10 +25,9 @@ loop: - certs - auth -# TODO: use password lookup after allowing access to it in Zuul - name: Generate registry password set_fact: - registry_password: "{{ (ansible_date_time.iso8601_micro | password_hash('sha256'))[-20:] }}" + registry_password: "{{ lookup('password', '/dev/null') }}" - name: Write htpassword file htpasswd: create: true
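Review bot: The new fact is only as secret as the task result that carries it: `set_fact` returns `registry_password` in its result, so with verbose output or a callback that records task results (Zuul's job-output.json, as far as I can tell) the freshly generated value lands in the same console stream the commit message is defending against. Adding `no_log: true` to the `Generate registry password` task keeps the lookup result out of the log; the `Write htpassword file` task that consumes the fact continues past the end of the hunk and is worth the same treatment if its result is recorded. Using `/dev/null` as the path is the right choice here, since it makes the lookup generate a value without persisting it on the executor; if a particular length or character set is intended rather than the plugin defaults the commit message relies on, state it explicitly, e.g. `lookup('password', '/dev/null length=32 chars=ascii_letters,digits')`.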