ansible/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
Code Releases Activity

add option to ansible-vault to read new password from file for rekey

Browse source 
The --new-vault-password-file option works the same as
--vault-password-file but applies only to rekeying (when
--vault-password-file sets the old password). Also update the manpage
to document these options more fully.
This commit is contained in:
Richard Poole 2015-07-28 10:48:57 +01:00 committed by Abhijit Menon-Sen
parent 846f0b0510
commit 3090a45891
4 changed files with 31 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
docs/man/man1/ansible-vault.1
View file

@ -2,12 +2,12 @@
.\" Title: ansible-vault .\" Title: ansible-vault
.\" Author: [see the "AUTHOR" section] .\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 12/09/2014 .\" Date: 07/28/2015
.\" Manual: System administration commands .\" Manual: System administration commands
.\" Source: Ansible 1.9 .\" Source: Ansible 2.0.0
.\" Language: English .\" Language: English
.\" .\"
.TH "ANSIBLE\-VAULT" "1" "12/09/2014" "Ansible 1\&.9" "System administration commands" .TH "ANSIBLE\-VAULT" "1" "07/28/2015" "Ansible 2\&.0\&.0" "System administration commands"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
@ -43,7 +43,12 @@ The following options are available to all sub\-commands:
.PP .PP
\fB\-\-vault\-password\-file=\fR\fIFILE\fR \fB\-\-vault\-password\-file=\fR\fIFILE\fR
.RS 4 .RS 4
A file containing the vault password to be used during the encryption/decryption steps\&. Be sure to keep this file secured if it is used\&. A file containing the vault password to be used during the encryption/decryption steps\&. Be sure to keep this file secured if it is used\&. If the file is executable, it will be run and its standard output will be used as the password\&.
.RE
.PP
\fB\-\-new\-vault\-password\-file=\fR\fIFILE\fR
.RS 4
A file containing the new vault password to be used when rekeying a file\&. Be sure to keep this file secured if it is used\&. If the file is executable, it will be run and its standard output will be used as the password\&.
.RE .RE
.PP .PP
\fB\-h\fR, \fB\-\-help\fR \fB\-h\fR, \fB\-\-help\fR

10
docs/man/man1/ansible-vault.1.asciidoc.in
View file

@ -36,7 +36,15 @@ The following options are available to all sub-commands:
*--vault-password-file=*'FILE':: *--vault-password-file=*'FILE'::
A file containing the vault password to be used during the encryption/decryption A file containing the vault password to be used during the encryption/decryption
steps. Be sure to keep this file secured if it is used. steps. Be sure to keep this file secured if it is used. If the file is executable,
it will be run and its standard output will be used as the password.
*--new-vault-password-file=*'FILE'::
A file containing the new vault password to be used when rekeying a
file. Be sure to keep this file secured if it is used. If the file
is executable, it will be run and its standard output will be used as
the password.
*-h*, *--help*:: *-h*, *--help*::

4
lib/ansible/cli/__init__.py
View file

@ -258,6 +258,10 @@ class CLI(object):
parser.add_option('--vault-password-file', default=C.DEFAULT_VAULT_PASSWORD_FILE, parser.add_option('--vault-password-file', default=C.DEFAULT_VAULT_PASSWORD_FILE,
dest='vault_password_file', help="vault password file", action="callback", dest='vault_password_file', help="vault password file", action="callback",
callback=CLI.expand_tilde, type=str) callback=CLI.expand_tilde, type=str)
parser.add_option('--new-vault-password-file',
dest='new_vault_password_file', help="new vault password file for rekey", action="callback",
callback=CLI.expand_tilde, type=str)
if subset_opts: if subset_opts:
parser.add_option('-t', '--tags', dest='tags', default='all', parser.add_option('-t', '--tags', dest='tags', default='all',

10
lib/ansible/cli/vault.py
View file

@ -77,6 +77,10 @@ class VaultCLI(CLI):
else: else:
self.vault_pass, _= self.ask_vault_passwords(ask_vault_pass=True, ask_new_vault_pass=False, confirm_new=False) self.vault_pass, _= self.ask_vault_passwords(ask_vault_pass=True, ask_new_vault_pass=False, confirm_new=False)
if self.options.new_vault_password_file:
# for rekey only
self.new_vault_pass = CLI.read_vault_password_file(self.options.new_vault_password_file)
if not self.vault_pass: if not self.vault_pass:
raise AnsibleOptionsError("A password is required to use Ansible's Vault") raise AnsibleOptionsError("A password is required to use Ansible's Vault")
@ -125,7 +129,11 @@ class VaultCLI(CLI):
for f in self.args: for f in self.args:
if not (os.path.isfile(f)): if not (os.path.isfile(f)):
raise AnsibleError(f + " does not exist") raise AnsibleError(f + " does not exist")
__, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)
if self.new_vault_pass:
new_password = self.new_vault_pass
else:
__, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)
for f in self.args: for f in self.args:
this_editor = VaultEditor(None, self.vault_pass, f) this_editor = VaultEditor(None, self.vault_pass, f)