Addresses #6188 Add --vault-password-file to bin/ansible and bin/ansible-playbook

bin/ansible

@@ -19,6 +19,7 @@
 
 ########################################################
 
+import os
 import sys
 
 from ansible.runner import Runner
@@ -75,6 +76,9 @@ class Cli(object):
                          "and su arguments ('-su', '--su-user', and '--ask-su-pass') are "
                          "mutually exclusive")
 
+        if (options.ask_vault_pass and options.vault_password_file):
+            parser.error("--ask-vault-pass and --vault-password-file are mutually exclusive")
+
         return (options, args)
 
     # ----------------------------------------------
@@ -107,14 +111,34 @@ class Cli(object):
         sshpass = None
         sudopass = None
         su_pass = None
+        vault_pass = None
+
         options.ask_pass = options.ask_pass or C.DEFAULT_ASK_PASS
         # Never ask for an SSH password when we run with local connection
         if options.connection == "local":
             options.ask_pass = False
         options.ask_sudo_pass = options.ask_sudo_pass or C.DEFAULT_ASK_SUDO_PASS
         options.ask_su_pass = options.ask_su_pass or C.DEFAULT_ASK_SU_PASS
+        options.ask_vault_pass = options.ask_vault_pass or C.DEFAULT_ASK_VAULT_PASS
+
         (sshpass, sudopass, su_pass, vault_pass) = utils.ask_passwords(ask_pass=options.ask_pass, ask_sudo_pass=options.ask_sudo_pass, ask_su_pass=options.ask_su_pass, ask_vault_pass=options.ask_vault_pass)
 
+        # read vault_pass from a file
+        if options.vault_password_file:
+            this_path = os.path.expanduser(options.vault_password_file)
+            try:
+                f = open(this_path, "rb")
+                tmp_vault_pass=f.read()
+                f.close()
+            except (OSError, IOError), e:
+                raise errors.AnsibleError("Could not read %s: %s" % (this_path, e))
+
+            # get rid of newline chars        
+            tmp_vault_pass = tmp_vault_pass.strip()
+
+            if not options.ask_vault_pass:
+                vault_pass = tmp_vault_pass
+
         inventory_manager = inventory.Inventory(options.inventory)
         if options.subset:
             inventory_manager.subset(options.subset)

bin/ansible-playbook

@@ -92,6 +92,9 @@ def main(args):
                          "and su arguments ('-su', '--su-user', and '--ask-su-pass') are "
                          "mutually exclusive")
 
+    if (options.ask_vault_pass and options.vault_password_file):
+            parser.error("--ask-vault-pass and --vault-password-file are mutually exclusive")
+
     inventory = ansible.inventory.Inventory(options.inventory)
     inventory.subset(options.subset)
     if len(inventory.list_hosts()) == 0:
@@ -110,10 +113,25 @@ def main(args):
             options.ask_pass = False
         options.ask_sudo_pass = options.ask_sudo_pass or C.DEFAULT_ASK_SUDO_PASS
         options.ask_su_pass = options.ask_su_pass or C.DEFAULT_ASK_SU_PASS
+        options.ask_vault_pass = options.ask_vault_pass or C.DEFAULT_ASK_VAULT_PASS
         (sshpass, sudopass, su_pass, vault_pass) = utils.ask_passwords(ask_pass=options.ask_pass, ask_sudo_pass=options.ask_sudo_pass, ask_su_pass=options.ask_su_pass, ask_vault_pass=options.ask_vault_pass)
         options.sudo_user = options.sudo_user or C.DEFAULT_SUDO_USER
         options.su_user = options.su_user or C.DEFAULT_SU_USER
 
+        if options.vault_password_file:
+            this_path = os.path.expanduser(options.vault_password_file)
+            try:
+                f = open(this_path, "rb")
+                tmp_vault_pass=f.read()
+                f.close()
+            except (OSError, IOError), e:
+                raise errors.AnsibleError("Could not read %s: %s" % (this_path, e))
+
+            # get rid of newline chars
+            tmp_vault_pass = tmp_vault_pass.strip()
+
+            if not options.ask_vault_pass:
+                vault_pass = tmp_vault_pass
 
     extra_vars = {}
     for extra_vars_opt in options.extra_vars:

lib/ansible/utils/__init__.py

@@ -702,10 +702,12 @@ def base_parser(constants=C, usage="", output_opts=False, runas_opts=False,
         help='use this file to authenticate the connection')
     parser.add_option('-K', '--ask-sudo-pass', default=False, dest='ask_sudo_pass', action='store_true',
         help='ask for sudo password')
-    parser.add_option('--ask-su-pass', default=False, dest='ask_su_pass',
-                      action='store_true', help='ask for su password')
-    parser.add_option('--ask-vault-pass', default=False, dest='ask_vault_pass',
-                      action='store_true', help='ask for vault password')
+    parser.add_option('--ask-su-pass', default=False, dest='ask_su_pass', action='store_true', 
+        help='ask for su password')
+    parser.add_option('--ask-vault-pass', default=False, dest='ask_vault_pass', action='store_true', 
+        help='ask for vault password')
+    parser.add_option('--vault-password-file', default=None, dest='vault_password_file',
+        help="vault password file")
     parser.add_option('--list-hosts', dest='listhosts', action='store_true',
         help='outputs a list of matching hosts; does not execute anything else')
     parser.add_option('-M', '--module-path', dest='module_path',