shantanoo-desai / komponist

A Composer for your favorite IoT/ IIoT container stacks with Ansible + Jinja2 + Docker Compose v2
GNU Affero General Public License v3.0

[mosquitto] create Jinja2 Plugin for user credentials hashing #85

Closed shantanoo-desai closed 1 year ago

shantanoo-desai commented 1 year ago

Description

Currently the plain-text credentials users file is encrypted via the eclipse-mosquitto docker container via volume mounts.

A better way to generate the PBKDF2_SHA512 hash digests would be to create a custom Ansible Jinja2 Filter as suggested here.

Along with passlib it is possible to generate the required digest, however it does have a different Base64 encoding, where if the string contains . instances, they can be replaced by +.

Create a filter_plugins directory in root to create a mosquitto_passwd filter.

Tasks

shantanoo-desai commented 1 year ago

Filter Plugin: mosquitto_passwd.py


from ansible.errors import AnsibleError


def mosquitto_passwd(passwd):
    """Hash a plain-text password into the '$7$<iterations>$<salt>$<hash>' form written by mosquitto_passwd."""
    try:
        import passlib.hash
    except ImportError:
        raise AnsibleError('to use this filter, you need passlib pip package installed')
    SALT_SIZE = 12    # 12 salt bytes encode to 16 base64 chars, so the salt field needs no padding
    ITERATIONS = 101  # iteration count mosquitto_passwd uses for PBKDF2-SHA512 entries

    # passlib emits '$pbkdf2-sha512$101$<salt>$<hash>' in its adapted base64 ('.' instead of '+',
    # no '=' padding); mosquitto expects the scheme id '7', standard base64 and padding.
    digest = (passlib.hash.pbkdf2_sha512.using(salt_size=SALT_SIZE, rounds=ITERATIONS)
              .hash(passwd)
              .replace('pbkdf2-sha512', '7')
              .replace('.', '+'))

    # the 64-byte SHA-512 checksum always ends in exactly two padding characters
    return digest + '=='


class FilterModule(object):
    def filters(self):
        return {
            'mosquitto_passwd': mosquitto_passwd,
        }
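As an added, stdlib-only companion to the filter above (not part of the komponist project): it converts a passlib `$pbkdf2-sha512$` string to mosquitto's `$7$` form with padding recomputed per field rather than appended blindly, reproduces a `mosquitto_passwd -U` entry with `hashlib`, and verifies a users-file line against a candidate password, which is how to check that the filter output is actually accepted as a valid hash. Function names and the sample users-file lines are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 101  # iteration count mosquitto_passwd uses for PBKDF2-SHA512 entries
SALT_SIZE = 12    # bytes; 12 bytes encode to 16 base64 chars with no padding
DKLEN = 64        # SHA-512 digest length, so the checksum base64 ends in '=='

def ab64_to_std(s):
    """passlib 'adapted base64' ('.' for '+', no padding) -> standard padded base64."""
    s = s.replace(".", "+")
    return s + "=" * (-len(s) % 4)

def passlib_to_mosquitto(passlib_hash):
    """passlib '$pbkdf2-sha512$r$salt$sum' -> mosquitto '$7$r$salt$sum'; padding is
    recomputed per field, so salt/digest sizes other than 12/64 bytes also work."""
    _, scheme, rounds, salt, checksum = passlib_hash.split("$")
    if scheme != "pbkdf2-sha512":
        raise ValueError("unexpected passlib scheme: %s" % scheme)
    return "$7$%s$%s$%s" % (rounds, ab64_to_std(salt), ab64_to_std(checksum))

def mosquitto_hash(password, salt=None, iterations=ITERATIONS):
    """Build the same '$7$...' entry mosquitto_passwd -U would, using hashlib only."""
    salt = os.urandom(SALT_SIZE) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, DKLEN)
    return "$7$%d$%s$%s" % (iterations, base64.b64encode(salt).decode("ascii"),
                            base64.b64encode(dk).decode("ascii"))

def verify_entry(line, password):
    """Check one 'user:$7$iter$salt$hash' line against a candidate password."""
    _user, _, pw_hash = line.partition(":")
    parts = pw_hash.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "7":
        return False  # plain-text or unknown scheme never verifies
    iterations, salt, expected = int(parts[2]), base64.b64decode(parts[3]), base64.b64decode(parts[4])
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(dk, expected)

def unhashed_users(users_file_text):
    """Usernames whose entry is not a '$7$' hash, i.e. a plain-text password survived."""
    bad = []
    for line in users_file_text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, pw_hash = line.partition(":")
            if not pw_hash.startswith("$7$"):
                bad.append(user)
    return bad
```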
shantanoo-desai commented 1 year ago
diff --git a/tasks/configure-mosquitto.yml b/tasks/configure-mosquitto.yml
index 97c431d..56492b7 100644
--- a/tasks/configure-mosquitto.yml
+++ b/tasks/configure-mosquitto.yml
@@ -37,17 +37,6 @@
         dest: "{{ komponist.deploy_dir }}/mosquitto/users"
         mode: "0755"

-    - name: Encrypting the Users file using Mosquitto Docker Container
-      community.docker.docker_container:
-        name: mosquitto-passgen
-        image: "eclipse-mosquitto:{{ komponist.configuration.mosquitto.version }}"
-        state: started
-        command: mosquitto_passwd -U /mosquitto/config/users
-        pull: true
-        volumes:
-          - "{{ komponist.deploy_dir }}/mosquitto/users:/mosquitto/config/users"
-
-
 - name: '(Mosquitto) Generating Access Control List File for Deployment'
   ansible.builtin.template:
     src: "config/mosquitto/acl.j2"
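Review bot: with the container-side `mosquitto_passwd -U` task gone, the templated file at `{{ komponist.deploy_dir }}/mosquitto/users` is now the final credential store, yet the unchanged context above still writes it with `mode: "0755"`, which leaves the PBKDF2 hashes world-readable on the deploy host. Suggest tightening to `mode: "0600"` (or `"0640"` with a group the mosquitto container can read) in the same change, since the container no longer needs to rewrite the file in place.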
diff --git a/templates/config/mosquitto/users.j2 b/templates/config/mosquitto/users.j2
index 3741242..6ced775 100644
--- a/templates/config/mosquitto/users.j2
+++ b/templates/config/mosquitto/users.j2
@@ -16,5 +16,5 @@
 #   along with this program.  If not, see <https://www.gnu.org/licenses/>.#}
 {#- users.j2: Jinja2 Template for Mosquitto Authentication -#}
 {%- for user in credentials.mosquitto.users %}
-{{ user.username }}:{{ user.password }}
+{{ user.username }}:{{ user.password | mosquitto_passwd }}
 {% endfor %}
\ No newline at end of file
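Review bot: `{{ user.password | mosquitto_passwd }}` now makes template rendering depend on passlib being importable on the Ansible controller, so the requirement belongs in the project's pip requirements and README alongside this change; otherwise the failure surfaces only as the filter's AnsibleError at render time. Also note that the filter draws a fresh 12-byte random salt on every render, so this template task will report `changed` on every run even when no credentials changed; worth documenting, since it is a behavioural difference from the previous in-place `-U` step.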
diff --git a/tests/test_file_contents.yml b/tests/test_file_contents.yml
index 4a14742..35518ca 100644
--- a/tests/test_file_contents.yml
+++ b/tests/test_file_contents.yml
@@ -9,11 +9,11 @@
       ansible.builtin.set_fact:
         mosquitto_users_file: "{{ lookup('ansible.builtin.file', '{{ playbook_dir }}/../{{ komponist.deploy_dir }}/mosquitto/users') }}"

-    - name: (Mosquitto) Assert that plain-text passwords were encrypted by Docker Container mosquitto-passgen
+    - name: (Mosquitto) Assert that plain-text passwords were encrypted by Custom Filter mosquitto_passwd
       ansible.builtin.assert:
         that: "{{ mosquitto_users_file | regex_findall(sequence) | count > 0 }}"
-        fail_msg: "FAIL: Docker Container DID NOT encrypt the plain-text passwords for Mosquitto Users file."
-        success_msg: "PASS: Docker Container did encyrpt the plain-text passwords for Mosquitto Users file."
+        fail_msg: "FAIL: Custom Filter mosquitto_passwd DID NOT encrypt the plain-text passwords for Mosquitto Users file."
+        success_msg: "PASS: Custom Filter mosquitto_passwd did encyrpt the plain-text passwords for Mosquitto Users file."
       vars:
         sequence: ':\$7\$101\$'
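Review bot: the assertion `regex_findall(sequence) | count > 0` only proves that at least one `:$7$101$` entry exists, so a file with one hashed user and several plain-text ones still passes; suggest comparing the match count with `credentials.mosquitto.users | length`, or asserting that no non-comment line lacks `:$7$`. Minor: the added `success_msg` line keeps the `encyrpt` typo from the removed line, and since the filter hashes rather than encrypts, "hashed" would be the accurate word in both messages.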