2015-04-27 20:57:26 +02:00
|
|
|
#!/usr/bin/env python
|
2015-04-20 05:31:44 +02:00
|
|
|
|
|
|
|
# (c) 2014, James Tanner <tanner.jc@gmail.com>
|
|
|
|
#
|
|
|
|
# Ansible is free software: you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# Ansible is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
#
|
|
|
|
# ansible-vault is a script that encrypts/decrypts YAML files. See
|
|
|
|
# http://docs.ansible.com/playbooks_vault.html for more details.
|
|
|
|
|
|
|
|
__requires__ = ['ansible']
|
|
|
|
try:
|
|
|
|
import pkg_resources
|
|
|
|
except Exception:
|
|
|
|
# Use pkg_resources to find the correct versions of libraries and set
|
|
|
|
# sys.path appropriately when there are multiversion installs. But we
|
|
|
|
# have code that better expresses the errors in the places where the code
|
|
|
|
# is actually used (the deps are optional for many code paths) so we don't
|
|
|
|
# want to fail here.
|
|
|
|
pass
|
|
|
|
|
|
|
|
import os
|
|
|
|
import sys
|
|
|
|
import traceback
|
|
|
|
|
|
|
|
from ansible.errors import AnsibleError
|
2015-04-20 19:42:02 +02:00
|
|
|
from ansible.parsing.vault import VaultEditor
|
2015-04-27 13:31:41 +02:00
|
|
|
from ansible.utils.cli import CLI
|
|
|
|
from ansible.utils.display import Display
|
2015-04-20 05:31:44 +02:00
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
class VaultCli(CLI):
|
|
|
|
""" Vault command line class """
|
2015-04-20 05:31:44 +02:00
|
|
|
|
|
|
|
VALID_ACTIONS = ("create", "decrypt", "edit", "encrypt", "rekey", "view")
|
2015-04-27 13:31:41 +02:00
|
|
|
CIPHER = 'AES256'
|
2015-04-20 05:31:44 +02:00
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
def __init__(self, args, display=None):
|
2015-04-20 05:31:44 +02:00
|
|
|
|
|
|
|
self.vault_pass = None
|
2015-04-27 13:31:41 +02:00
|
|
|
super(VaultCli, self).__init__(args, display)
|
2015-04-20 05:31:44 +02:00
|
|
|
|
|
|
|
def parse(self):
|
|
|
|
|
|
|
|
# create parser for CLI options
|
2015-04-27 13:31:41 +02:00
|
|
|
self.parser = CLI.base_parser(
|
2015-04-20 05:31:44 +02:00
|
|
|
usage = "%prog vaultfile.yml",
|
|
|
|
)
|
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
self.set_action()
|
|
|
|
|
|
|
|
# options specific to self.actions
|
|
|
|
if self.action == "create":
|
|
|
|
self.parser.set_usage("usage: %prog create [options] file_name")
|
|
|
|
elif self.action == "decrypt":
|
|
|
|
self.parser.set_usage("usage: %prog decrypt [options] file_name")
|
|
|
|
elif self.action == "edit":
|
|
|
|
self.parser.set_usage("usage: %prog edit [options] file_name")
|
|
|
|
elif self.action == "view":
|
|
|
|
self.parser.set_usage("usage: %prog view [options] file_name")
|
|
|
|
elif self.action == "encrypt":
|
|
|
|
self.parser.set_usage("usage: %prog encrypt [options] file_name")
|
|
|
|
elif action == "rekey":
|
|
|
|
self.parser.set_usage("usage: %prog rekey [options] file_name")
|
2015-04-20 05:31:44 +02:00
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
self.options, self.args = self.parser.parse_args()
|
2015-04-20 05:31:44 +02:00
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
if len(self.args) == 0 or len(self.args) > 1:
|
|
|
|
self.parser.print_help()
|
|
|
|
raise AnsibleError("Vault requires a single filename as a parameter")
|
2015-04-20 05:31:44 +02:00
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
def run(self):
|
2015-04-20 05:31:44 +02:00
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
if self.options.vault_password_file:
|
|
|
|
# read vault_pass from a file
|
|
|
|
self.vault_pass = read_vault_file(self.options.vault_password_file)
|
|
|
|
elif self.options.ask_vault_pass:
|
|
|
|
self.vault_pass, _= self.ask_vault_passwords(ask_vault_pass=True, ask_new_vault_pass=False, confirm_new=False)
|
2015-04-20 05:31:44 +02:00
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
self.execute()
|
2015-04-20 05:31:44 +02:00
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
def execute_create(self):
|
2015-04-20 05:31:44 +02:00
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
cipher = getattr(self.options, 'cipher', self.CIPHER)
|
|
|
|
this_editor = VaultEditor(cipher, self.vault_pass, self.args[0])
|
|
|
|
this_editor.create_file()
|
2015-04-20 05:31:44 +02:00
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
def execute_decrypt(self):
|
2015-04-20 05:31:44 +02:00
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
cipher = getattr(self.options, 'cipher', self.CIPHER)
|
|
|
|
for f in self.args:
|
2015-04-20 05:31:44 +02:00
|
|
|
this_editor = VaultEditor(cipher, self.vault_pass, f)
|
|
|
|
this_editor.decrypt_file()
|
|
|
|
|
|
|
|
self.display.display("Decryption successful")
|
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
def execute_edit(self):
|
2015-04-20 05:31:44 +02:00
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
for f in self.args:
|
|
|
|
this_editor = VaultEditor(None, self.vault_pass, f)
|
2015-04-20 05:31:44 +02:00
|
|
|
this_editor.edit_file()
|
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
def execute_view(self):
|
2015-04-20 05:31:44 +02:00
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
for f in self.args:
|
|
|
|
this_editor = VaultEditor(None, self.vault_pass, f)
|
2015-04-20 05:31:44 +02:00
|
|
|
this_editor.view_file()
|
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
def execute_encrypt(self):
|
2015-04-20 05:31:44 +02:00
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
cipher = getattr(self.options, 'cipher', self.CIPHER)
|
|
|
|
for f in self.args:
|
2015-04-20 05:31:44 +02:00
|
|
|
this_editor = VaultEditor(cipher, self.vault_pass, f)
|
|
|
|
this_editor.encrypt_file()
|
|
|
|
|
|
|
|
self.display.display("Encryption successful")
|
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
def execute_rekey(self):
|
|
|
|
__, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)
|
2015-04-20 05:31:44 +02:00
|
|
|
|
2015-04-27 13:31:41 +02:00
|
|
|
for f in self.args:
|
|
|
|
this_editor = VaultEditor(None, self.vault_pass, f)
|
2015-04-20 05:31:44 +02:00
|
|
|
this_editor.rekey_file(new_password)
|
|
|
|
|
|
|
|
self.display.display("Rekey successful")
|
|
|
|
|
|
|
|
########################################################
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
|
|
|
|
display = Display()
|
|
|
|
try:
|
2015-04-27 13:31:41 +02:00
|
|
|
cli = VaultCli(sys.argv, display=display)
|
|
|
|
cli.parse()
|
|
|
|
sys.exit(cli.run())
|
2015-04-20 05:31:44 +02:00
|
|
|
except AnsibleError as e:
|
2015-04-27 13:31:41 +02:00
|
|
|
display.display(str(e), stderr=True, color='red')
|
2015-04-20 05:31:44 +02:00
|
|
|
sys.exit(1)
|
|
|
|
except KeyboardInterrupt:
|
2015-04-23 05:12:37 +02:00
|
|
|
display.error("interrupted")
|
2015-04-20 05:31:44 +02:00
|
|
|
sys.exit(1)
|