OSAC-1381: Fix htpasswd generation failure with special characters in password

[maorfr]

Summary

Fixes Ironic API authentication failures (401 Unauthorized) caused by incorrect htpasswd generation when passwords contain special characters.

Problem

Bootstrap deployment fails at the "Check if baremetal node already exists" task when the randomly-generated Metal3 Ironic password contains certain special characters (e.g., #, @, \, }, /, ~, =).

Error:

TASK [Check if baremetal node already exists]
fatal: [localhost]: FAILED! =>
    msg: 'Status code was 401 and not [200, 404]: HTTP Error 401: Unauthorized'
    json:
        error:
            code: 401
            message: Incorrect username or password

Root Cause

Commit 0eb46d5 (April 19, 2026) switched from command module to argv form to fix trailing backslash issues. However, the argv form does not properly handle complex special characters, causing htpasswd to receive mangled input and generate an incorrect hash that doesn't match the stored password.

Timeline:

• ❌ Not in release 0.1.0 (April 17, 2026)
• ⚠️ Introduced in commit 0eb46d5 (April 19, 2026)
• ✅ Fixed by this PR

Solution

Use shell module with Ansible's quote filter instead of argv form. The quote filter uses shlex.quote() to properly escape ALL special characters:

Before:

ansible.builtin.command:
  argv:
    - /usr/bin/htpasswd
    - -nbB
    - "{{ metal3_ironic_username }}"
    - "{{ metal3_ironic_password }}"

After:

ansible.builtin.shell:
  cmd: /usr/bin/htpasswd -nbB {{ metal3_ironic_username | quote }} {{ metal3_ironic_password | quote }}

This properly handles:

• ✅ Trailing backslashes (the original issue from 0eb46d5)
• ✅ Complex special characters like #@\#}/~= (the current issue)
• ✅ Spaces, quotes, and other edge cases

Testing

Validated that shlex.quote() (which backs Ansible's quote filter) correctly handles the problematic password from the failing deployment: #@Ny.MGr76\#}YPvm3W1Y/~=GdjQ0MQV

Related Issues

• Jira: OSAC-1381
• GoRI: #915

Checklist

• Code follows project conventions
• Commit message includes Jira ticket reference
• Changes are minimal and focused on the fix
• Root cause analysis documented

Summary by CodeRabbit

• Chores
  • Improved the internal deployment process for Ironic credential generation, streamlining the implementation while maintaining the same functionality and security measures.

[coderabbitai]

Warning

Review limit reached

@maorfr, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 51 minutes and 45 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 57e2c838-f292-47e2-ac82-0bb648924061

📥 Commits

Reviewing files that changed from the base of the PR and between 0410e75 and 2048eb9.

📒 Files selected for processing (1)

• playbooks/tasks/deploy_ironic.yaml

Walkthrough

The PR modifies the Ironic credential hashing task in the deployment playbook, changing the execution method from argv-based command to shell-string shell. Quoted credential variables remain protected but now enter a shell interpreter.

Changes

Ironic Htpasswd Generation Method

Layer / File(s)	Summary
Htpasswd generation execution method playbooks/tasks/deploy_ironic.yaml	Task execution switches from ansible.builtin.command with argv array (safe from shell injection) to ansible.builtin.shell with cmd string (requires shell interpretation). Username and password inputs are passed through quote filters, but now traverse a shell interpreter rather than direct argv execution.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Security Risk Assessment: ⚠️ MEDIUM-HIGH SEVERITY
Moving from command to shell expands the attack surface. Although quote filters provide protection in this specific instance, this pattern introduces shell injection vulnerability risk. Even with quoted variables, shell interpretation creates a larger threat model than argv-based execution. Recommend confirming that quote filters are correctly applied to all credential variables and documenting why shell is necessary here (e.g., pipe operators, globbing, or environment variable expansion that command cannot handle).

Poem

🔐 A shell where argv stood tall,
Quotes now guard the credentials' call—
Safe? Perhaps, but risk did grow,
When command's safety let shell flow. ⚠️

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: fixing htpasswd generation failure with special characters in passwords, which directly addresses the root cause of the bootstrap failure identified in the PR objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
No-Hardcoded-Secrets	✅ Passed	Credentials use Jinja2 variables ({{ metal3_ironic_username | quote }}), not hardcoded secrets. No API keys, tokens, base64 strings, embedded credentials, or hardcoded passwords detected.
No-Weak-Crypto	✅ Passed	No weak cryptography detected. PR uses bcrypt (strong) via htpasswd -B flag with proper quote filtering. No weak algorithms, custom implementations, or insecure comparisons found.
No-Injection-Vectors	✅ Passed	The shell module usage properly applies Ansible's quote filter (backed by shlex.quote) to both username and password variables, correctly mitigating shell injection vectors.
Container-Privileges	✅ Passed	PR only modifies Ansible playbook for htpasswd fix; no container privilege settings are introduced. Related templates use non-root users and DropCapability=ALL for security.
No-Sensitive-Data-In-Logs	✅ Passed	All sensitive tasks properly use no_log: true. Quote filter safely escapes password. No credentials exposed in debug statements or logs.
Ai-Attribution	✅ Passed	Commit 0410e75 properly attributes AI assistance with "Assisted-by: Claude Code noreply@anthropic.com" trailer; no Co-Authored-By misuse detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/ironic-htpasswd-special-characters

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[maorfr]

e2e connected failure related to #469

[maorfr]

Claude Code - How this fix aligns with Bob's diagnosis:

Bob's testing proved that the htpasswd hash stored in metal3-ironic-htpasswd secret doesn't match the password in metal3-ironic-password secret. When he regenerated htpasswd using the stored password, it produced a different hash:

Generated: ironic-vroda7mk:$2y$05$u2Fe3nvnxkoYCBLPwMGwDeTGMohr2vPYRHqFAcLnvAP6RahkqKMmC
From secret: ironic-vroda7mk:$2y$05$n7modRHrfg461OW3SQm3AuEJih5CxAA9Tq1Dc.LmR83sTlaE8jPV2

This mismatch proves the htpasswd generation is broken - it's receiving mangled input.

Root cause: The command module with argv form (introduced in commit 0eb46d5 to fix trailing backslash issues) doesn't properly handle special characters. When the password is #@Ny.MGr76\#}YPvm3W1Y/~=GdjQ0MQV, the argv form passes it incorrectly to htpasswd.

This fix: Using shell module with quote filter ensures htpasswd receives the password exactly as stored in the secret. The quote filter uses shlex.quote() which properly escapes all special characters by wrapping them in single quotes.

Verification: With this fix, regenerating htpasswd from the stored password will produce the same hash every time, eliminating the auth mismatch Bob identified.