Fix #33 Password shall not be mandatory for opening the db

Author: viczem

README.md

@@ -20,8 +20,8 @@ Requirements: `python 3`, `pykeepass==4.0.3`
 ## Variables
 
 - `keepass_dbx` - path to KeePass file
-- `keepass_psw` - password
-- `keepass_key` - *Optional*. Path to keyfile
+- `keepass_psw` - *Optional*. Password (required if `keepass_key` is not set)
+- `keepass_key` - *Optional*. Path to keyfile (required if `keepass_psw` is not set)
 - `keepass_ttl` - *Optional*. Socket TTL (will be closed automatically when not used). 
 Default 60 seconds.
 

galaxy.yml

@@ -8,7 +8,7 @@ namespace: viczem
 name: keepass
 
 # The version of the collection. Must be compatible with semantic versioning
-version: 0.7.0
+version: 0.7.1
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md

plugins/lookup/keepass.py

@@ -21,7 +21,7 @@
 DOCUMENTATION = """
     lookup: keepass
     author: Victor Zemtsov <[email protected]>
-    version_added: '0.6.0'
+    version_added: '0.7.1'
     short_description: Fetching data from KeePass file
     description:
         - This lookup returns a value of a property of a KeePass entry
@@ -76,10 +76,11 @@ def run(self, terms, variables=None, **kwargs):
             if not os.path.isfile(var_key):
                 raise AnsibleError("KeePass: '%s' is not found" % var_key)
 
-        # Check password (required)
+        # Check password (optional)
         var_psw = self._var(variables_.get("keepass_psw", ""))
-        if not var_psw:
-            raise AnsibleError("KeePass: 'keepass_psw' is not set")
+
+        if not var_key and not var_psw:
+            raise AnsibleError("KeePass: 'keepass_psw' and/or 'keepass_key' is not set")
 
         # TTL of keepass socket (optional, default: 60 seconds)
         var_ttl = self._var(str(variables_.get("keepass_ttl", "60")))
@@ -121,7 +122,6 @@ def run(self, terms, variables=None, **kwargs):
                         if resp[1] == "0":
                             success = True
                         else:
-                            sock.send(_rq("close"))
                             raise AnsibleError("KeePass: wrong dbx password")
                     sock.close()
                     break
@@ -229,13 +229,14 @@ def _keepass_socket(kdbx, kdbx_key, sock_path, ttl=60, kdbx_password=None):
 
                         # CMD: password
                         if kp is None:
-                            if arg_len == 0:
-                                conn.send(_resp("password", 1))
-                                break
-                            if cmd == "password" and arg[0]:
+                            if cmd == "password" and arg_len > 0:
                                 kp = PyKeePass(kdbx, arg[0], kdbx_key)
                                 conn.send(_resp("password", 0))
                                 break
+                            elif cmd == "password" and kdbx_key:
+                                kp = PyKeePass(kdbx, None, kdbx_key)
+                                conn.send(_resp("password", 0))
+                                break
                             else:
                                 conn.send(_resp("password", 1))
                                 break

tests/keepass-keyfile-only/ansible.kdbx

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<KeyFile>
+    <Meta>
+        <Version>2.0</Version>
+    </Meta>
+    <Key>
+        <Data Hash="95ED5C71">
+            8810353D 83453EDC 2266A931 A0A073F9
+            54B90B68 1E341EF4 6B47729B F42DBE0A
+        </Data>
+    </Key>
+</KeyFile>

tests/keepass-keyfile-only/ansible.keyx

@@ -0,0 +1,2 @@
+[test]
+127.0.0.1 keepass_dbx=./ansible.kdbx keepass_key=./ansible.keyx keepass_ttl=3

tests/keepass-keyfile-only/hosts.ini

@@ -0,0 +1,11 @@
+---
+- name: test-keepass-keyfile-only
+  hosts: test
+  connection: local
+  vars:
+    test_username: "{{ lookup('viczem.keepass.keepass', 'test', 'username') }}"
+    test_password: "{{ lookup('viczem.keepass.keepass', 'test', 'password') }}"
+
+  tasks:
+    - debug:
+        msg: "fetch entry: '/test'; username: '{{ test_username }}'; password: '{{ test_password }}'"

tests/keepass-keyfile-only/playbook.yml

@@ -0,0 +1,2 @@
+#!/bin/sh
+ansible-playbook -i hosts.ini -vvvv playbook.yml

tests/keepass-keyfile-only/run.sh

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<KeyFile>
+    <Meta>
+        <Version>2.0</Version>
+    </Meta>
+    <Key>
+        <Data Hash="E13D7CBE">
+            D7A7EA4F D6DCBFD7 B2DFE21C E89FFBB0
+            B203AAA5 4A32C405 D6C1B3CA B69C40BF
+        </Data>
+    </Key>
+</KeyFile>

tests/keepass-password-keyfile/ansible.kdbx

@@ -0,0 +1,2 @@
+[test]
+127.0.0.1 keepass_dbx=./ansible.kdbx keepass_psw=spamham keepass_key=./ansible.keyx keepass_ttl=3

tests/keepass-password-keyfile/ansible.keyx

@@ -0,0 +1,11 @@
+---
+- name: test-keepass-keyfile-only
+  hosts: test
+  connection: local
+  vars:
+    test_username: "{{ lookup('viczem.keepass.keepass', 'test', 'username') }}"
+    test_password: "{{ lookup('viczem.keepass.keepass', 'test', 'password') }}"
+
+  tasks:
+    - debug:
+        msg: "fetch entry: '/test'; username: '{{ test_username }}'; password: '{{ test_password }}'"

tests/keepass-password-keyfile/hosts.ini

@@ -0,0 +1,2 @@
+#!/bin/sh
+ansible-playbook -i hosts.ini -vvvv playbook.yml

tests/keepass-password-keyfile/playbook.yml

@@ -0,0 +1,2 @@
+[test]
+127.0.0.1 keepass_dbx=./ansible.kdbx keepass_psw=spamham keepass_ttl=3

tests/keepass-password-keyfile/run.sh

@@ -0,0 +1,11 @@
+---
+- name: test-keepass-keyfile-only
+  hosts: test
+  connection: local
+  vars:
+    test_username: "{{ lookup('viczem.keepass.keepass', 'test', 'username') }}"
+    test_password: "{{ lookup('viczem.keepass.keepass', 'test', 'password') }}"
+
+  tasks:
+    - debug:
+        msg: "fetch entry: '/test'; username: '{{ test_username }}'; password: '{{ test_password }}'"

tests/keepass-password-only/ansible.kdbx

@@ -0,0 +1,2 @@
+#!/bin/sh
+ansible-playbook -i hosts.ini -vvvv playbook.yml