pytest-dev / pytest-testinfra

Testinfra test your infrastructures
https://testinfra.readthedocs.io
Apache License 2.0
2.37k stars 355 forks

SUDO user password with ansible connection backend #368

Open fmercier-almerys opened 6 years ago

fmercier-almerys commented 6 years ago

Hi

I checked, but it is not possible to inject a password for sudoers not configured with the NOPASSWD option. So it is impossible for me to use testinfra in my company... I was testing it with the ansible connection backend; vault password, decrypt secrets, ansible vars are OK. However, the sudo password is not taken into account in the sudo module. Do you plan something about it?

for example just modify the

def get_sudo_command(self, command, sudo_user):
    if sudo_user is None:
        return self.quote("sudo /bin/sh -c %s", command)
    return self.quote(
        "sudo -u %s /bin/sh -c %s", sudo_user, command)

into

def get_sudo_command(self, command, sudo_user):
    if sudo_user is None:
        return self.quote("echo %s|sudo /bin/sh -c %s", password, command)
    return self.quote(
        "echo %s|sudo -u %s /bin/sh -c %s", sudo_user_password, sudo_user, command)

with password as ansible script parameter (not so secure at all)

crazyhouse33 commented 2 years ago

Same. Took some time to do a testinfra PoC, but then I was sad to see that the ansible/ssh drivers were not able to run the tests because the connection backend does not support sending the sudoer password. Do you have any recommendation to still use your tool, but without letting the ansible user sudo everything?

I am surprised that this issue doesn't have more attention. I guess there must be a workaround that I am missing.

It would be nice to talk about what could be done here, and I may do it one day. I think the safest option would be to use the sudo -S option, which allows sending the password via the connection, which is more secure than the echo trick.
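
The two approaches discussed in this thread, side by side, as an added example that is not part of the issue and is not testinfra code. The function names, FAKE_SUDO and the sample password are assumptions made for illustration; FAKE_SUDO is a local stand-in for the remote sudo so the script runs offline.

```python
import shlex
import subprocess
import sys


def echo_trick(command, password, sudo_user=None):
    """Shape proposed in the issue: the password is part of the command string."""
    user = "-u %s " % shlex.quote(sudo_user) if sudo_user else ""
    return "echo %s|sudo %s/bin/sh -c %s" % (
        shlex.quote(password), user, shlex.quote(command))


def sudo_stdin(command, password, sudo_user=None):
    """sudo -S shape: returns (command string, bytes to write to its stdin)."""
    # -S makes sudo read the password from stdin; -p "" suppresses the prompt text.
    argv = ["sudo", "-S", "-p", ""]
    if sudo_user:
        argv += ["-u", sudo_user]
    argv += ["/bin/sh", "-c", command]
    return shlex.join(argv), (password + "\n").encode()


def exposes_secret(command_string, secret):
    """True if the secret survives shell parsing as part of any argument,
    i.e. it is visible wherever the command line is (process list, logs)."""
    return any(secret in token for token in shlex.split(command_string))


def run(argv, stdin_data):
    """Run argv and hand stdin_data to the child on stdin only."""
    done = subprocess.run(argv, input=stdin_data, capture_output=True, check=True)
    return done.stdout


# Hypothetical stand-in for sudo: echoes back the first line it reads on stdin.
FAKE_SUDO = [sys.executable, "-c",
             "import sys; sys.stdout.write(sys.stdin.readline())"]
SAMPLE_PASSWORD = "c0nstructed pa$$'word"  # constructed sample value

if __name__ == "__main__":
    check = "systemctl is-active sshd"  # constructed sample command
    leaky = echo_trick(check, SAMPLE_PASSWORD, "root")
    clean, stdin_data = sudo_stdin(check, SAMPLE_PASSWORD, "root")
    print(leaky, "-> exposed:", exposes_secret(leaky, SAMPLE_PASSWORD))
    print(clean, "-> exposed:", exposes_secret(clean, SAMPLE_PASSWORD))
    print("received on stdin:", run(FAKE_SUDO, stdin_data))
```

With -S the password travels only on the connection's input stream, so the command string itself can be logged or shown in a process list without revealing it.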