From 6b72731ae92c8fcde4dcf830d0c699e25a0daa2b Mon Sep 17 00:00:00 2001
From: John Fulton
Date: Thu, 7 May 2026 12:17:34 -0400
Subject: [PATCH] [cephx_key] Add aes256k cipher support
Add an optional `cipher` parameter (choices: aes, aes256k; default: aes) to the `cephx_key` Ansible module so CI jobs can generate AES-256k (32-byte, type=2) CephX keys.
- Refactor __create_cephx_key() to accept cipher argument; use key_type=2 and os.urandom(32) for aes256k, key_type=1 and os.urandom(16) for aes (default, backward compatible).
- Update DOCUMENTATION, EXAMPLES and RETURN docstrings.
- Update the "Generate a cephx key" task in hooks/playbooks/ceph.yml to pass `cipher: "{{ cifmw_ceph_key_cipher | default('aes') }}"`, allowing scenarios to opt in via a single variable.
- Add tests/unit/modules/test_cephx_key.py with 8 tests covering both cipher modes, invalid input, base64 validity, and key randomness.
Jira: OSPRH-29667
Signed-off-by: John Fulton
Co-Authored-By: Claude Sonnet 4.6
---
hooks/playbooks/ceph.yml | 1 +
plugins/modules/cephx_key.py | 56 +++++++++--
tests/unit/modules/test_cephx_key.py | 136 +++++++++++++++++++++++++++
3 files changed, 183 insertions(+), 10 deletions(-)
create mode 100644 tests/unit/modules/test_cephx_key.py
diff --git a/hooks/playbooks/ceph.yml b/hooks/playbooks/ceph.yml
index 945be9f1f..13f5ce610 100644
--- a/hooks/playbooks/ceph.yml
+++ b/hooks/playbooks/ceph.yml
@@ -353,6 +353,7 @@ - name: Generate a cephx key cephx_key: + cipher: "{{ cifmw_ceph_key_cipher | default('aes') }}" register: cephx no_log: "{{ cifmw_nolog | default(true) | bool }}"
diff --git a/plugins/modules/cephx_key.py b/plugins/modules/cephx_key.py
index d84cff29e..da7f5946b 100644
--- a/plugins/modules/cephx_key.py
+++ b/plugins/modules/cephx_key.py
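Review bot: The new `cifmw_ceph_key_cipher` variable in the "Generate a cephx key" task of hooks/playbooks/ceph.yml is introduced without any documentation; the diffstat lists only the playbook, the module and its unit test. A comment above the task would help, for example `# cifmw_ceph_key_cipher: aes (default) or aes256k; the deployed Ceph release must accept type=2 keys`. Whether the Ceph version this playbook deploys accepts aes256k keys is not visible here, so that requirement should be confirmed before a scenario opts in. Note also that `default('aes')` only covers an undefined variable; an empty string would be passed through and, presumably, rejected by the module's `choices` check.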
@@ -14,17 +14,38 @@ short_description: Generate a random CephX authentication key description: -- Generate a random CephX authentication key and return it +- Generate a random CephX authentication key and return it. +- Supports AES-128 (default, type=1, 16-byte key) and AES-256k (type=2, 32-byte key) ciphers. + +options: + cipher: + description: + - The cipher to use when generating the CephX key. + - Use C(aes) for AES-128 (16-byte key, 40-char base64, type=1). This is the default. + - Use C(aes256k) for AES-256k (32-byte key, 60-char base64, type=2). + type: str + default: aes + choices: [aes, aes256k] author: - John Fulton (@fultonj) """ EXAMPLES = r""" -- name: Generate a cephx key +- name: Generate a cephx key (AES-128, backward compatible default) cifmw.general.cephx_key: register: cephx +- name: Generate a cephx key with explicit AES-128 cipher + cifmw.general.cephx_key: + cipher: aes + register: cephx + +- name: Generate a cephx key with AES-256k cipher + cifmw.general.cephx_key: + cipher: aes256k + register: cephx + - name: Show cephx key debug: msg: "{{ cephx.key }}"
@@ -32,11 +53,14 @@ RETURN = r""" key: - description: A random cephx authentication key - type: dict + description: + - A random CephX authentication key encoded as base64. + - AES-128 keys are 40 characters long (ending with ==). + - AES-256k keys are 60 characters long (ending with =). + type: str returned: success sample: - - KEY: AQC+vYNXgDAgAhAAc8UoYt+OTz5uhV7ItLdwUw== + - AQC+vYNXgDAgAhAAc8UoYt+OTz5uhV7ItLdwUw== """
@@ -47,21 +71,33 @@ import time -def __create_cephx_key(): +def __create_cephx_key(cipher="aes"): # NOTE(fultonj): Taken from # https://github.com/ceph/ceph-deploy/blob/master/ceph_deploy/new.py#L21 - key = os.urandom(16) - header = struct.pack("
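Review bot: The example tasks added to EXAMPLES in the first hunk (`@@ -14,17 +14,38 @@`) register the generated key without `no_log`, and the unchanged "Show cephx key" task prints it through `debug`. The value is a CephX secret, and the playbook task in hooks/playbooks/ceph.yml does set `no_log`, so the examples should model the same handling: add `no_log: true` under each `register: cephx`. A description line such as `- The returned key is a secret; set no_log on the task that registers it.` would state the expectation for module users.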
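Review bot: In the RETURN hunk (`@@ -32,11 +53,14 @@`) `type` becomes `str`, yet `sample` is still written as a list item (`- AQC+...`), so the documented sample is a one-element list rather than a string. Write it as a scalar, `sample: AQC+vYNXgDAgAhAAc8UoYt+OTz5uhV7ItLdwUw==`. The code that builds the module result is outside the visible hunks, so confirm that `key` is returned as a plain string before settling on `str`.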