mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Initial support for vault in v2
TODO: * password prompting needs to be implemented, but is being worked on as part of the become privilege escalation changes
This commit is contained in:
parent
eb850bf81a
commit
b1d78a61fc
3 changed files with 78 additions and 43 deletions
|
@ -224,6 +224,7 @@ class StrategyModule(StrategyBase):
|
|||
def __repr__(self):
|
||||
return "%s (%s): %s" % (self._filename, self._args, self._hosts)
|
||||
|
||||
# FIXME: this should also be moved to the base class in a method
|
||||
included_files = []
|
||||
for res in host_results:
|
||||
if res._task.action == 'include':
|
||||
|
@ -253,6 +254,9 @@ class StrategyModule(StrategyBase):
|
|||
|
||||
inc_file.add_host(res._host)
|
||||
|
||||
# FIXME: should this be moved into the iterator class? Main downside would be
|
||||
# that accessing the TQM's callback member would be more difficult, if
|
||||
# we do want to send callbacks from here
|
||||
if len(included_files) > 0:
|
||||
noop_task = Task()
|
||||
noop_task.action = 'meta'
|
||||
|
@ -263,7 +267,14 @@ class StrategyModule(StrategyBase):
|
|||
for included_file in included_files:
|
||||
# included hosts get the task list while those excluded get an equal-length
|
||||
# list of noop tasks, to make sure that they continue running in lock-step
|
||||
new_tasks = self._load_included_file(included_file)
|
||||
try:
|
||||
new_tasks = self._load_included_file(included_file)
|
||||
except AnsibleError, e:
|
||||
for host in included_file._hosts:
|
||||
iterator.mark_host_failed(host)
|
||||
# FIXME: callback here?
|
||||
print(e)
|
||||
|
||||
noop_tasks = [noop_task for t in new_tasks]
|
||||
for host in hosts_left:
|
||||
if host in included_file._hosts:
|
||||
|
|
56
v2/ansible/utils/vault.py
Normal file
56
v2/ansible/utils/vault.py
Normal file
|
@ -0,0 +1,56 @@
|
|||
# (c) 2012-2014, Michael DeHaan <michael.dehaan@gmail.com>
|
||||
#
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
# Make coding more python3-ish
|
||||
from __future__ import (absolute_import, division, print_function)
|
||||
__metaclass__ = type
|
||||
|
||||
import os
|
||||
import subprocess
|
||||
|
||||
from ansible import constants as C
|
||||
from ansible.errors import AnsibleError
|
||||
from ansible.utils.path import is_executable
|
||||
|
||||
def read_vault_file(vault_password_file):
|
||||
"""
|
||||
Read a vault password from a file or if executable, execute the script and
|
||||
retrieve password from STDOUT
|
||||
"""
|
||||
|
||||
this_path = os.path.realpath(os.path.expanduser(vault_password_file))
|
||||
if not os.path.exists(this_path):
|
||||
raise AnsibleError("The vault password file %s was not found" % this_path)
|
||||
|
||||
if is_executable(this_path):
|
||||
try:
|
||||
# STDERR not captured to make it easier for users to prompt for input in their scripts
|
||||
p = subprocess.Popen(this_path, stdout=subprocess.PIPE)
|
||||
except OSError, e:
|
||||
raise AnsibleError("Problem running vault password script %s (%s). If this is not a script, remove the executable bit from the file." % (' '.join(this_path), e))
|
||||
stdout, stderr = p.communicate()
|
||||
vault_pass = stdout.strip('\r\n')
|
||||
else:
|
||||
try:
|
||||
f = open(this_path, "rb")
|
||||
vault_pass=f.read().strip()
|
||||
f.close()
|
||||
except (OSError, IOError), e:
|
||||
raise AnsibleError("Could not read vault password file %s: %s" % (this_path, e))
|
||||
|
||||
return vault_pass
|
||||
|
|
@ -15,6 +15,7 @@ from ansible.playbook.task import Task
|
|||
from ansible.utils.cli import base_parser
|
||||
from ansible.utils.unicode import to_unicode
|
||||
from ansible.utils.vars import combine_vars
|
||||
from ansible.utils.vault import read_vault_file
|
||||
from ansible.vars import VariableManager
|
||||
|
||||
# Implement an ansible.utils.warning() function later
|
||||
|
@ -34,8 +35,8 @@ def main(args):
|
|||
check_opts=True,
|
||||
diff_opts=True
|
||||
)
|
||||
#parser.add_option('--vault-password', dest="vault_password",
|
||||
# help="password for vault encrypted files")
|
||||
parser.add_option('--vault-password', dest="vault_password",
|
||||
help="password for vault encrypted files")
|
||||
parser.add_option('-e', '--extra-vars', dest="extra_vars", action="append",
|
||||
help="set additional variables as key=value or YAML/JSON", default=[])
|
||||
parser.add_option('-t', '--tags', dest='tags', default='all',
|
||||
|
@ -61,47 +62,14 @@ def main(args):
|
|||
parser.print_help(file=sys.stderr)
|
||||
return 1
|
||||
|
||||
#---------------------------------------------------------------------------------------------------
|
||||
# FIXME: su/sudo stuff needs to be generalized
|
||||
# su and sudo command line arguments need to be mutually exclusive
|
||||
#if (options.su or options.su_user or options.ask_su_pass) and \
|
||||
# (options.sudo or options.sudo_user or options.ask_sudo_pass):
|
||||
# parser.error("Sudo arguments ('--sudo', '--sudo-user', and '--ask-sudo-pass') "
|
||||
# "and su arguments ('-su', '--su-user', and '--ask-su-pass') are "
|
||||
# "mutually exclusive")
|
||||
#
|
||||
#if (options.ask_vault_pass and options.vault_password_file):
|
||||
# parser.error("--ask-vault-pass and --vault-password-file are mutually exclusive")
|
||||
#
|
||||
#sshpass = None
|
||||
#sudopass = None
|
||||
#su_pass = None
|
||||
#vault_pass = None
|
||||
#
|
||||
#options.ask_vault_pass = options.ask_vault_pass or C.DEFAULT_ASK_VAULT_PASS
|
||||
#
|
||||
#if options.listhosts or options.syntax or options.listtasks:
|
||||
# (_, _, _, vault_pass) = utils.ask_passwords(ask_vault_pass=options.ask_vault_pass)
|
||||
#else:
|
||||
# options.ask_pass = options.ask_pass or C.DEFAULT_ASK_PASS
|
||||
# # Never ask for an SSH password when we run with local connection
|
||||
# if options.connection == "local":
|
||||
# options.ask_pass = False
|
||||
# options.ask_sudo_pass = options.ask_sudo_pass or C.DEFAULT_ASK_SUDO_PASS
|
||||
# options.ask_su_pass = options.ask_su_pass or C.DEFAULT_ASK_SU_PASS
|
||||
# (sshpass, sudopass, su_pass, vault_pass) = utils.ask_passwords(ask_pass=options.ask_pass, ask_sudo_pass=options.ask_sudo_pass, ask_su_pass=options.ask_su_pass, ask_vault_pass=options.ask_vault_pass)
|
||||
# options.sudo_user = options.sudo_user or C.DEFAULT_SUDO_USER
|
||||
# options.su_user = options.su_user or C.DEFAULT_SU_USER
|
||||
#
|
||||
## read vault_pass from a file
|
||||
#if not options.ask_vault_pass and options.vault_password_file:
|
||||
# vault_pass = utils.read_vault_file(options.vault_password_file)
|
||||
# END FIXME
|
||||
#---------------------------------------------------------------------------------------------------
|
||||
vault_pass = None
|
||||
if options.ask_vault_pass:
|
||||
# FIXME: prompt here
|
||||
pass
|
||||
elif options.vault_password_file:
|
||||
# read vault_pass from a file
|
||||
vault_pass = read_vault_file(options.vault_password_file)
|
||||
|
||||
# FIXME: this hard-coded value will be removed after fixing the removed block
|
||||
# above, which dealt wtih asking for passwords during runtime
|
||||
vault_pass = 'testing'
|
||||
loader = DataLoader(vault_password=vault_pass)
|
||||
|
||||
extra_vars = {}
|
||||
|
|
Loading…
Reference in a new issue