passwordstore: Distinguish between subdirs and passwords, don't use path names as passwords #4185

Closed
1 task done
grembo opened this issue Feb 10, 2022 · 1 comment · Fixed by #4192
Labels: bug (This issue/PR relates to a bug), lookup (lookup plugin), plugins (plugin (any type))

Comments

@grembo (Contributor) commented Feb 10, 2022

Summary

Due to the way pass functions, lookup('passwordstore', 'some/item') either returns:

  • The secret from some/item.gpg:

        some
        `-- item

  • The text some/item, in case item happens to be a tree node:

        some
        `-- item
            |-- somekey
            `-- anotherkey

This makes using passwordstore in Ansible playbooks error-prone, leading to
weak passwords being used by accident when a password is read from the store for
setting up an account. This can be triggered in two ways:

  1. Mistake in playbook: Forgetting the last part of a path when looking up a secret
  2. Mistake operating password store: Created a subtree by accident

Ideally, pass would provide a command/command line option that could be utilized
to really only retrieve a password and fail otherwise (does anyone know how to
contribute to the project?).

While such a command/command option doesn't exist in pass, some possible workarounds:

  • check if $PASSWORD_STORE_DIR/some/item.gpg exists (the more stable option, as this is what pass does internally to check if there is something to decrypt)
  • check if the password returned by pass matches the path requested (and if it does, return an error)

Issue Type

Bug Report

Component Name

passwordstore
plugins/lookup/passwordstore

Ansible Version

$ ansible --version
ansible [core 2.12.1]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/local/share/py38-ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.8/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/local/share/py38-ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.8.12 (default, Oct 14 2021, 01:14:41) [Clang 11.0.1 (git@github.com:llvm/llvm-project.git llvmorg-11.0.1-0-g43ff75f2c
  jinja version = 3.0.1
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general
# /usr/local/lib/python3.8/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 4.3.0  

Configuration

$ ansible-config dump --only-changed
<empty>

OS / Environment

FreeBSD 13.0-p7

Steps to Reproduce

Prepare password store:

pass init my@identity
pass add some/item/key
press CTRL-C

Run this example playbook:

- hosts: localhost
  tasks:
  - name: Debug
    debug: msg="{{ lookup('passwordstore', 'some/item') }}"

Expected Results

I would expect this to fail, as the password doesn't exist (missing actions like "create" won't make sense in this context).

Actual Results

TASK [Debug] *******************************************************************************
ok: [localhost] => {
    "msg": "some/item"
}

grembo added a commit to grembo/community.general that referenced this issue Feb 17, 2022
Given a password stored in _path/to/secret_, requesting the password
_path/to_ will literally return `path/to`. This can lead to using
weak passwords by accident/mess up logic in code, based on the
state of the password store.

This is worked around by applying the same logic `pass` uses:
If a password was returned, check if there is a .gpg file it could
have come from. If not, treat it as missing.

Fixes ansible-collections#4185
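The two workarounds listed in the issue (check that `$PASSWORD_STORE_DIR/some/item.gpg` exists; reject output that merely echoes the requested path) and the fix described in the commit message above rest on the same idea: fail closed unless a regular `.gpg` file backs the requested name. The following is an added example, not code from community.general, the passwordstore lookup plugin, or pass itself. It assumes the store layout `$PASSWORD_STORE_DIR/<name>.gpg` and that `pass show <name>` on a directory prints a tree listing whose first line is `<name>`, as the issue reports; `secret_file_for`, `looks_like_tree_listing`, `safe_lookup`, `fake_pass_show`, `build_demo_store` and `demo` are hypothetical names, and the store contents are constructed to match the "Steps to Reproduce" section.

```python
"""Guarded lookup against a pass(1)-style password store.

Added example, not code from community.general, the passwordstore lookup
plugin, or pass itself. It assumes the store layout
$PASSWORD_STORE_DIR/<name>.gpg and that `pass show <name>` on a
directory prints a tree listing whose first line is <name>, as the issue
describes. All function names here are hypothetical.
"""
import tempfile
from pathlib import Path
from typing import Callable, Dict


class MissingPasswordError(LookupError):
    """Requested name has no <name>.gpg in the store (or is a subtree)."""


def secret_file_for(store_dir: Path, name: str) -> Path:
    """Return the .gpg file pass would decrypt for `name`, or raise.

    This is the first workaround from the issue: a password exists only
    if <store>/<name>.gpg is a regular file. A directory of that name is
    a subtree, not a password. The resolved path must also stay inside
    the store so a name such as '../x' cannot escape it.
    """
    store = store_dir.resolve()
    candidate = (store / f"{name}.gpg").resolve()
    if store not in candidate.parents:
        raise MissingPasswordError(f"{name!r} resolves outside the password store")
    if not candidate.is_file():
        raise MissingPasswordError(f"no password stored at {name!r}")
    return candidate


def looks_like_tree_listing(name: str, output: str) -> bool:
    """Second workaround: True when `pass show` echoed the path back.

    A tree listing starts with the requested name itself; a real secret
    would only do so if the password literally equalled its own path.
    """
    first_line = output.splitlines()[0] if output else ""
    return first_line == name.strip("/")


def safe_lookup(store_dir: Path, name: str, show: Callable[[str], str]) -> str:
    """Look up `name` via `show` (a `pass show` stand-in), failing closed."""
    secret_file_for(store_dir, name)          # refuse subtrees and missing entries
    output = show(name)
    if not output or looks_like_tree_listing(name, output):
        raise MissingPasswordError(f"lookup of {name!r} did not yield a secret")
    return output.splitlines()[0]              # pass stores the password on line 1


def fake_pass_show(store_dir: Path) -> Callable[[str], str]:
    """Stand-in for `pass show` so the example runs without gpg.

    Mimics the behaviour the issue reports: a .gpg file yields its
    (here plaintext) content, a directory yields a listing headed by
    the name, anything else yields the empty string.
    """
    def show(name: str) -> str:
        gpg = store_dir / f"{name}.gpg"
        if gpg.is_file():
            return gpg.read_text()
        target = store_dir / name
        if target.is_dir():
            entries = "\n".join(f"|-- {p.stem}" for p in sorted(target.iterdir()))
            return f"{name}\n{entries}"
        return ""
    return show


def build_demo_store() -> Path:
    """Constructed store matching the issue's repro: some/item/key.gpg exists."""
    root = Path(tempfile.mkdtemp(prefix="pass-demo-"))
    (root / "some" / "item").mkdir(parents=True)
    (root / "some" / "item" / "key.gpg").write_text("correct horse battery staple\n")
    return root


def demo() -> Dict[str, str]:
    """Contrast the naive lookup with the guarded one on the demo store."""
    store = build_demo_store()
    show = fake_pass_show(store)
    results = {
        "naive_subtree": show("some/item").splitlines()[0],      # the bug: path echoed back
        "guarded_leaf": safe_lookup(store, "some/item/key", show),
    }
    try:
        safe_lookup(store, "some/item", show)
        results["guarded_subtree"] = "accepted"
    except MissingPasswordError:
        results["guarded_subtree"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the naive result (`some/item`, the weak value the playbook in the issue would have used), the guarded leaf lookup (the real secret) and `rejected` for the guarded subtree lookup. The file-existence check runs before `pass` is invoked at all, which is the cheaper and more reliable of the two workarounds; the echo check is kept as a second line of defence for a store reached through a different backend.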
felixfontein pushed a commit that referenced this issue Feb 17, 2022
Given a password stored in _path/to/secret_, requesting the password
_path/to_ will literally return `path/to`. This can lead to using
weak passwords by accident/mess up logic in code, based on the
state of the password store.

This is worked around by applying the same logic `pass` uses:
If a password was returned, check if there is a .gpg file it could
have come from. If not, treat it as missing.

Fixes #4185
patchback bot pushed a commit that referenced this issue Feb 17, 2022
Given a password stored in _path/to/secret_, requesting the password
_path/to_ will literally return `path/to`. This can lead to using
weak passwords by accident/mess up logic in code, based on the
state of the password store.

This is worked around by applying the same logic `pass` uses:
If a password was returned, check if there is a .gpg file it could
have come from. If not, treat it as missing.

Fixes #4185

(cherry picked from commit da49c09)