

[WIP] Copy: opt for sha256 instead of sha1
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Akasurde committed Oct 9, 2024
1 parent 56bab1d commit de8d9d4
Showing 6 changed files with 20 additions and 16 deletions.
4 changes: 2 additions & 2 deletions lib/ansible/modules/assemble.py
Expand Up @@ -243,7 +243,7 @@ def main():
module.fail_json(msg="validate must contain %%s: %s" % validate)

path = assemble_from_fragments(src, delimiter, compiled_regexp, ignore_hidden, module.tmpdir)
path_hash = module.sha1(path)
path_hash = module.sha256(path)
result['checksum'] = path_hash

# Backwards compat. This won't return data if FIPS mode is active
Expand All @@ -254,7 +254,7 @@ def main():
result['md5sum'] = pathmd5

if os.path.exists(dest):
dest_hash = module.sha1(dest)
dest_hash = module.sha256(dest)

if path_hash != dest_hash:
if validate:
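Review bot: `result['checksum']` in the first hunk now carries a SHA256 digest, but nothing in this file's two hunks updates the module's RETURN/DOCUMENTATION text for `checksum`, and the diffstat shows only these two lines changing in assemble.py; if that text still says SHA1 it should get the same treatment copy.py receives in this commit, e.g. `description: SHA256 checksum of the assembled file.` plus a `- Ansible 2.19 and onwards, SHA256 is used instead of SHA1.` note. Callers that compare the returned `checksum` against an externally computed SHA1 will silently start seeing mismatches, so a changelog fragment or porting-guide entry is warranted as well. Both hunks sit inside main(), whose start and end lie outside the visible lines.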
11 changes: 6 additions & 5 deletions lib/ansible/modules/copy.py
Expand Up @@ -112,9 +112,10 @@
version_added: '2.4'
checksum:
description:
- SHA1 checksum of the file being transferred.
- SHA256 checksum of the file being transferred.
- Used to validate that the copy of the file was successful.
- If this is not provided, ansible will use the local calculated checksum of the src file.
- Ansible 2.19 and onwards, SHA256 is default instead of SHA1.
type: str
version_added: '2.5'
extends_documentation_fragment:
Expand Down Expand Up @@ -238,10 +239,10 @@
type: str
sample: 2a5aeecc61dc98c4d780b14b330e3282
checksum:
description: SHA1 checksum of the file after running copy.
description: SHA256 checksum of the file after running copy.
returned: success
type: str
sample: 6e642bb8dd5c2e027bf21dd923337cbb4214f827
sample: e1ace7b1f177f35749523ce34721d2b1e1ad0b1e3196754f476a69730d24cb53
backup_file:
description: Name of backup file created.
returned: changed and if backup=yes
Expand Down Expand Up @@ -562,9 +563,9 @@ def main():

if os.path.isfile(src):
try:
checksum_src = module.sha1(src)
checksum_src = module.sha256(src)
except (OSError, IOError) as e:
module.warn("Unable to calculate src checksum, assuming change: %s" % to_native(e))
module.warn(f"Unable to calculate src checksum, assuming change: {to_native(e)}")
try:
# Backwards compat only. This will be None in FIPS mode
md5sum_src = module.md5(src)
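Review bot: The option text added in the first hunk, `- Ansible 2.19 and onwards, SHA256 is default instead of SHA1.`, reads awkwardly and says "default" although nothing in these hunks makes the algorithm selectable; `- From Ansible 2.19 onwards the checksum is SHA256 rather than SHA1.` states what the code now does. The same sentence belongs under the `checksum` return value in the second hunk, since that is where users who compare the returned digest against an externally computed SHA1 will notice the change, and a changelog fragment is missing from the diffstat. The f-string rewrite of the warn() call in the third hunk is unrelated to the sha1-to-sha256 switch and would be easier to review as a separate change. That hunk's enclosing main() starts and ends outside the visible lines.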
1 change: 1 addition & 0 deletions lib/ansible/modules/fetch.py
Expand Up @@ -89,6 +89,7 @@
C(fail_when) or C(ignore_errors) to get this ability. They may
also explicitly set O(fail_on_missing) to V(false) to get the
non-failing behaviour.
- Ansible 2.19 and onwards, SHA256 is used to calculate checksum.
seealso:
- module: ansible.builtin.copy
- module: ansible.builtin.slurp
4 changes: 2 additions & 2 deletions lib/ansible/plugins/action/assemble.py
Expand Up @@ -27,9 +27,9 @@
from ansible import constants as C
from ansible.errors import AnsibleError, AnsibleAction, _AnsibleActionDone, AnsibleActionFail
from ansible.module_utils.common.text.converters import to_native, to_text
from ansible.module_utils.common.hashing import secure_hash_s
from ansible.module_utils.parsing.convert_bool import boolean
from ansible.plugins.action import ActionBase
from ansible.utils.hashing import checksum_s


class ActionModule(ActionBase):
Expand Down Expand Up @@ -122,7 +122,7 @@ def run(self, tmp=None, task_vars=None):
# Does all work assembling the file
path = self._assemble_from_fragments(src, delimiter, _re, ignore_hidden, decrypt)

path_checksum = checksum_s(path)
path_checksum = secure_hash_s(path, hash_func=hashlib.sha256)
dest = self._remote_expand_user(dest)
dest_stat = self._execute_remote_stat(dest, all_vars=task_vars, follow=follow)

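Review bot: `hashlib.sha256` in the second hunk is used although the import hunk adds no `import hashlib`, unlike copy.py in this same commit; unless hashlib is already imported above line 27, this raises NameError on every assemble task, so add `import hashlib` with the other stdlib imports. The helper is also imported from `ansible.module_utils.common.hashing` here while copy.py and fetch.py import from `ansible.utils.hashing`; if both modules expose `secure_hash_s`, one location should be used consistently. More importantly, `path_checksum` is now a SHA256 digest while `dest_stat` on the next line comes from `_execute_remote_stat`, which as far as I recall asks the stat module for a SHA1 checksum and is not touched by this commit (plugins/action/__init__.py is absent from the diffstat); if so, the later comparison against `dest_stat['checksum']` can never match and every run reports changed. The same local-SHA256-versus-remote-SHA1 comparison appears in copy.py's `_copy_file` (`local_checksum != dest_status['checksum']`) and in fetch.py's non-slurp path, where `new_checksum != remote_checksum` would then fail the task with a checksum mismatch. The run() method containing the second hunk starts and ends outside the visible lines.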
5 changes: 3 additions & 2 deletions lib/ansible/plugins/action/copy.py
Expand Up @@ -18,6 +18,7 @@

from __future__ import annotations

import hashlib
import json
import os
import os.path
Expand All @@ -31,7 +32,7 @@
from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
from ansible.module_utils.parsing.convert_bool import boolean
from ansible.plugins.action import ActionBase
from ansible.utils.hashing import checksum
from ansible.utils.hashing import secure_hash


# Supplement the FILE_COMMON_ARGUMENTS with arguments that are specific to file
Expand Down Expand Up @@ -278,7 +279,7 @@ def _copy_file(self, source_full, source_rel, content, content_tempfile,
return None

# Generate a hash of the local file.
local_checksum = checksum(source_full)
local_checksum = secure_hash(source_full, hash_func=hashlib.sha256)

if local_checksum != dest_status['checksum']:
# The checksums don't match and we will change or error out.
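Review bot: `secure_hash(source_full, hash_func=hashlib.sha256)` in the third hunk spells the algorithm out at the call site, and the same literal is repeated once in assemble.py and three times in fetch.py within this commit; choosing the digest in one place keeps the module side and the action side from drifting apart again. One option is a module-level alias next to the imports, `checksum = functools.partial(secure_hash, hash_func=hashlib.sha256)`, so the existing call site stays `checksum(source_full)`; another is updating `checksum`/`checksum_s` in ansible.utils.hashing itself, after which the first and second hunks of this file would be unnecessary. `_copy_file` starts before and ends after the third hunk.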
11 changes: 6 additions & 5 deletions lib/ansible/plugins/action/fetch.py
Expand Up @@ -16,15 +16,16 @@
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
from __future__ import annotations

import os
import base64
import hashlib
import os
from ansible.errors import AnsibleConnectionFailure, AnsibleError, AnsibleActionFail, AnsibleActionSkip
from ansible.module_utils.common.text.converters import to_bytes, to_text
from ansible.module_utils.six import string_types
from ansible.module_utils.parsing.convert_bool import boolean
from ansible.plugins.action import ActionBase
from ansible.utils.display import Display
from ansible.utils.hashing import checksum, checksum_s, md5, secure_hash
from ansible.utils.hashing import md5, secure_hash, secure_hash_s
from ansible.utils.path import makedirs_safe, is_subpath

display = Display()
Expand Down Expand Up @@ -127,7 +128,7 @@ def run(self, tmp=None, task_vars=None):
if slurpres['encoding'] == 'base64':
remote_data = base64.b64decode(slurpres['content'])
if remote_data is not None:
remote_checksum = checksum_s(remote_data)
remote_checksum = secure_hash_s(remote_data, hash_func=hashlib.sha256)

# calculate the destination name
if os.path.sep not in self._connection._shell.join_path('a', ''):
Expand Down Expand Up @@ -167,7 +168,7 @@ def run(self, tmp=None, task_vars=None):
dest = os.path.normpath(dest)

# calculate checksum for the local file
local_checksum = checksum(dest)
local_checksum = secure_hash(dest, hash_func=hashlib.sha256)

if remote_checksum != local_checksum:
# create the containing directories, if needed
Expand All @@ -183,7 +184,7 @@ def run(self, tmp=None, task_vars=None):
f.close()
except (IOError, OSError) as e:
raise AnsibleActionFail("Failed to fetch the file: %s" % e)
new_checksum = secure_hash(dest)
new_checksum = secure_hash(dest, hash_func=hashlib.sha256)
# For backwards compatibility. We'll return None on FIPS enabled systems
try:
new_md5 = md5(dest)
