Ansible lookup plugin throws json.decoder.JSONDecodeError

I thought I had the Ansible lookup plugin working since solving Ansible lookup plugin throws TypeError: encoding without a string argument, however the tests I did there were freshly created passwords by the dedicated Ansible Passbolt user. And that all seems to work correctly now.

But now I tried looking up a password that has been in our Passbolt instance for a long time, I just shared it with the Ansible Passbolt user so that the lookup plugin would be able to read the resource.
On that password resource the plugin now fails with:

exception during Jinja2 execution: Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/ansible/template/__init__.py", line 831, in _lookup
    ran = instance.run(loop_terms, variables=self._available_variables, **kwargs)
  File "/usr/share/ansible/collections/ansible_collections/anatomicjc/passbolt/plugins/lookup/passbolt.py", line 305, in run
    or json.loads(
  File "/usr/lib64/python3.9/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python3.9/json/decoder.py", line 340, in decode
    raise JSONDecodeError("Extra data", s, end)
json.decoder.JSONDecodeError: Extra data: line 1 column 2 (char 1)
fatal: [localhost]: FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'anatomicjc.passbolt.passbolt'. Error was a <class 'json.decoder.JSONDecodeError'>, original message: Extra data: line 1 column 2 (char 1). Extra data: line 1 column 2 (char 1)"

I tried both a lookup on the name of the resource and on the uuid with the per_uuid='true' flag. The result is the same.

I added

print(self.p.decrypt(self.p.get_resource_secret(resource.get("id"))))

on line 295 of /usr/share/ansible/collections/ansible_collections/anatomicjc/passbolt/plugins/lookup/passbolt.py to debug this:

When I look up a recent password created by the Ansible Passbolt user itself, it prints out a valid JSON:

{"description": "Ansible Generated", "password": "Test123"}

and the plugin works as expected.
On the lookup of the password that was created previously and shared with that user, it just prints out the password without quotes or any JSON formatting, thus it is not a valid JSON. Hence the plugin fails to interpret the string as a JSON and bails out.

I’m not sure, but possibly that password was defined in a Passbolt version prior to when it was possible to encrypt the description field. Could that be the cause?

Yes both content types are supported. Depending on when the password was created, and which client it was created from the content type may be a string (password alone) or a JSON object with password and description.

@AnatomicJC: It seems the plugin does not (yet) support an unencrypted description field as it currently always expects a JSON from the decrypted resource secrets.
Meanwhile I found out that it was already a reported issue.
I have submitted a pull request with a fix that currently works for me.

Thank you very much @Robinr for your time and contributions. I will have a look at it as soon as possible.

Your AWX how-to in the other thread and this bugfix are very appreciated :+1:

Once tested on my side (I have to test the gnupg library as well), I will do a new release of the ansible passbolt lookup.

Cheers,

1 Like

Hi :wave:

I merged your pull request and added a commit to properly handle gnupg library.

Thanks again @Robinr for your contribution. It is very helpful. :+1:

Best regards,

2 Likes
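
An added example, not part of the thread and not the plugin's code or the merged fix: one way to normalise a decrypted secret that may be either a bare password string or a JSON object with password and description. The function name `parse_secret` and the sample values other than the JSON shown in the thread are assumptions constructed for illustration.

```python
import json


def parse_secret(decrypted):
    """Return {'password', 'description'} for either secret content type.

    `decrypted` is the plaintext of the secret after decryption (str or
    bytes). The function is hypothetical and is not part of the plugin.
    """
    if isinstance(decrypted, bytes):
        decrypted = decrypted.decode("utf-8")

    try:
        parsed = json.loads(decrypted)
    except json.JSONDecodeError:
        # Bare password that is not JSON at all. A value such as
        # "1legacy-pass" fails here with "Extra data: line 1 column 2
        # (char 1)", the same message as in the traceback above.
        return {"password": decrypted, "description": None}

    if isinstance(parsed, dict) and "password" in parsed:
        # JSON object carrying the password and the encrypted description.
        return {
            "password": parsed["password"],
            "description": parsed.get("description"),
        }

    # The text parsed as JSON but is not a secret object: a bare password
    # such as "12345" or "true" is valid JSON on its own. Catching the
    # decode error alone would hand back an int or bool here, so the
    # original string is returned unchanged instead.
    return {"password": decrypted, "description": None}


if __name__ == "__main__":
    # Constructed samples; the first is the JSON shown in the thread.
    samples = [
        '{"description": "Ansible Generated", "password": "Test123"}',
        "1legacy-pass",
        "12345",
    ]
    for sample in samples:
        result = parse_secret(sample)
        # Report only the shape, never the secret itself.
        print(type(result["password"]).__name__, result["description"])
```

The type check after `json.loads` matters as much as the `except` branch: without it, an all-digit legacy password would be returned as a number rather than as the original string.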