fixes apache::htpasswd #85
Conversation
encrypted passwords (crypt_password) were encrypted again whereas unencrypted passwords (plain_password) weren't encrypted at all
|
the travis is not failing because of the code change |
|
I'm a bit concerned on the effect of the change on existing setups. |
|
I tried to "tricks" around by using the "clear_password" but due to the missing single quotes in the command this didn't help and I got shell errors.. I have no Idea how to deal with this regarding backwards compatibility.. |
|
Hi, @savar and @alvagante , i changed this because, when i was testing nagios module, i didn't encryted the password. And i looked manual: -p Use plaintext passwords. Though htpasswd will support creation on all platforms, the httpd daemon will only accept plain text pass‐ words on Windows, Netware and TPF. Could you show, @savar , how you tested this? |
|
It's confusing with "crypt_password" and "clear_password". I tried to store an already encrypted password. So $password = '$apr1$Q934vWD/vbvri$asuywqekvcidsasdq./qweqw.fasFFAs'
apache::htpasswd { 'xxxx':
clear_password => $password, # this gave me a syntax error while executing the "exec" .. probably because of the missing single quotes around the password
}
apache::htpasswd { 'yyy':
crypt_password => $password, # this was encrypt the already encrypted password
}So maybe the only necessary change would be the single quotes around the password in line 88. But it's still confusing what the clear_password/crypt_password means.. (also the doc is not really right.. it explains for "crypt_password": Crypted password .. which is not true.. it will be encrypted but you have to put in the clear text password). So in my opinion it would be better to have something like: apache::htpasswd { 'zzz':
password => $password,
encrypt_password => false|md5|bcrypt(?|sha),
} |
|
Yes, you suggested params make more sense, but I think they would be acceptable in a future major release. For the current one, I'd rather document better the parameters and show some sample code. |
now the behavior is like before but the documentation should be a little bit more clear also using an encrypted password in combination with `clear_password` should work now as long as no single quote is being used in it..
|
with my commit 0dc7a99 it is now working for me as well.. and it should be 99,9% backward compatible.. the only thing which won't work anymore is something like that: apache::htpasswd { 'testuser':
clear_password => "somebad\\'thing",
htpasswd_file => $htpasswd_file,
} |
|
Here is the error why I started the pull request (only one line of output but you where seeing the full "help" from the htpasswd command): Notice: /Stage[main]/Role::Nmsserver/Apache::Htpasswd[someuser]/Exec[test -f /etc/apache2/some.passwd || OPT='-c'; htpasswd -bp $OPT /etc/apache2/some.passwd someuser $apr1$XrpakcPm$FhZVRp20ZKhnUCN1FdVc2f]/returns: Usage: |
|
I realize now that I probably could try to escape my "$" inside the password to not change it in any way.. if you think it is not worth to break backward compatibility right now I could try that as well.. |
|
So it works for me now with escaping the $ characters ... so I close this by now.. but I hope it will be changed (and made more clear) in the future.. Sorry if I wasted your time.. |
|
I've come across this issue and I agree with @savar here. From my experience the last commit in the htpasswd.pp manifest (22304f7) has broken BC and works differently from how you would expect by reading the current docs. So I was using this module and I was passing a plain-text (unencrypted) password into the class using the $clear_password parameter. This was being encrypted and added to the specified .htpasswd file as expected. After an update to the module this behaviour was now breaking and my plain-text password was being added to the .htpasswd file unencrypted. My man entry for htpasswd specifies the following, which I think makes things a little clearer:
From the manifest's usage docs, it's clear to me that if you want to pre-encrypt the password (and hence want the value you pass in to be stored as is) then you need to use $crypt_password :
If there are OSes where httpd can only accept plain-text passwords then these values need to be passed in using the $crypt_password option. Yes, this is odd behaviour and I can see where @israelriibeiro might have got confused by this but, for me, this is a better workaround then changing the behaviour and breaking other people's implementations! I like @savar suggestion for the future API and can see why it should wait for a future version (although could we introduce it now alongside the existing options which could be deprecated?) but can we revert this BC-breaking change for now (and maybe update the docs to make them clearer?). I'm happy to pick up where @savar got to and create a new PR if necessary. |
|
@liquorvicar , i changed this cause, when i was testing nagios, it didn't encrypt password, but it should do it: https://github.com/example42/puppet-nagios/blob/master/manifests/prerequisites.pp Your manual and mine say the same thing: if you want to use plain text, or clear_password, you have to put -p, that's why i changed it. But i understood your problem, i did misspeak here, when i wrote: https://github.com/example42/puppet-apache/blob/master/manifests/htpasswd.pp#L37 I should have said: set your password to be encrypted. @alvagante , can i just change this in order to correct the problem i created? Att, Israel Ribeiro |
|
@israelriibeiro I'm sorry your change has broken BC on this module and (IMHO) it needs to be reversed. There is a lot of confusion as the original manifest/docs are not clear at all but I see it basically like this:
I have done a PR to reverse the change, including changing the docs for the manifest to make it clearer. Either way, as I said before, I support the idea to refactor this as per @savar's suggestion. Is there a plan for a new version of the module which we can target with that change? |
|
@israelriibeiro yes, please, submit a PR in line with was has been discussed here, thank you |
|
Actually @liquorvicar already submitted a PR: |
|
ping |
|
In fact, it is. I'm sorry for the mess, i completly forgot about this. |
|
forgot about that.. so it looks it is not required anymore, right? |
encrypted passwords (crypt_password) were encrypted again
whereas unencrypted passwords (plain_password) weren't
encrypted at all