Always remove temporary file containing passwords

When generating or updating the passwords.yml file for kolla-ansible,
kayobe writes out various stages of the process to temporary files
in /tmp, in plain text. One of these files can be left in place if
there are no changes to apply to the file.

This change ensures that we always remove temporary files containing
passwords. We also switch from shutil.copy2 to shutil.copyfile, to
keep the permissions of the destination rather than applying those of
the source, which are typically more open (644 vs 600).

Depends-On: https://review.openstack.org/647858
Change-Id: Icb290fd22dc01567a4297a42f5e4d765e3b57d37
Story: 2005299
Task: 30187

ansible/roles/kolla-ansible/library/kolla_passwords.py

@@ -111,13 +111,13 @@ def kolla_passwords(module):
     temp_file_path = create_named_tempfile()
     try:
         # Start with kolla's sample password file.
-        shutil.copy2(module.params['sample'], temp_file_path)
+        shutil.copyfile(module.params['sample'], temp_file_path)
 
         # If passwords exist, decrypt and merge these in.
         if module.params['src'] and os.path.isfile(module.params['src']):
             src_path = create_named_tempfile()
             try:
-                shutil.copy2(module.params['src'], src_path)
+                shutil.copyfile(module.params['src'], src_path)
                 if module.params['vault_password']:
                     vault_decrypt(module, src_path)
                 kolla_mergepwd(module, src_path, temp_file_path, temp_file_path)
@@ -142,7 +142,7 @@ def kolla_passwords(module):
             if module.params['vault_password']:
                 dest_path = create_named_tempfile()
                 try:
-                    shutil.copy2(module.params['dest'], dest_path)
+                    shutil.copyfile(module.params['dest'], dest_path)
                     vault_decrypt(module, dest_path)
                     checksum_dest = module.sha1(dest_path)
                 finally:
@@ -162,10 +162,10 @@ def kolla_passwords(module):
         if changed and not module.check_mode:
             module.atomic_move(temp_file_path, module.params['dest'])
     except Exception as e:
-        try:
+        module.fail_json(msg="Failed to generate kolla passwords: %s" % repr(e))
+    finally:
+        if os.path.isfile(temp_file_path):
             os.unlink(temp_file_path)
-        finally:
-            module.fail_json(msg="Failed to generate kolla passwords: %s" % repr(e))
 
     if not module.check_mode:
         # Update the file's attributes.

releasenotes/notes/passwords-in-tmp-18e55d5e9b894b4d.yaml

@@ -0,0 +1,25 @@
+---
+security:
+  - |
+    Fixes an issue when generating the ``passwords.yml`` file for Kolla Ansible
+    where if the contents of the file have not changed, a plain text copy of the
+    file would be left in /tmp on the Ansible control host.
+
+    The temporary files are typically named /tmp/tmpXXXXXX, and are owned by the
+    user that runs kayobe, with permissions 664 (rw-rw-r--).
+
+    It is recommended to check any systems on which Kayobe has been run for
+    copies of the passwords file in /tmp. A simple check for this is `grep -rn
+    database_password /tmp`.
+fixes:
+  - |
+    Fixes an issue when generating the ``passwords.yml`` file for Kolla Ansible
+    where if the contents of the file have not changed, a plain text copy of the
+    file would be left in /tmp on the Ansible control host.
+
+    The temporary files are typically named /tmp/tmpXXXXXX, and are owned by the
+    user that runs kayobe, with permissions 664 (rw-rw-r--).
+
+    It is recommended to check any systems on which Kayobe has been run for
+    copies of the passwords file in /tmp. A simple check for this is `grep -rn
+    database_password /tmp`.