Initial support for vault in v2

TODO:
* password prompting needs to be implemented, but is being worked on
  as part of the become privilege escalation changes

v2/ansible/plugins/strategies/linear.py

@@ -224,6 +224,7 @@ class StrategyModule(StrategyBase):
                     def __repr__(self):
                         return "%s (%s): %s" % (self._filename, self._args, self._hosts)
 
+                # FIXME: this should also be moved to the base class in a method
                 included_files = []
                 for res in host_results:
                     if res._task.action == 'include':
@@ -253,6 +254,9 @@ class StrategyModule(StrategyBase):
 
                             inc_file.add_host(res._host)
 
+                # FIXME: should this be moved into the iterator class? Main downside would be
+                #        that accessing the TQM's callback member would be more difficult, if
+                #        we do want to send callbacks from here
                 if len(included_files) > 0:
                     noop_task = Task()
                     noop_task.action = 'meta'
@@ -263,7 +267,14 @@ class StrategyModule(StrategyBase):
                     for included_file in included_files:
                         # included hosts get the task list while those excluded get an equal-length
                         # list of noop tasks, to make sure that they continue running in lock-step
-                        new_tasks = self._load_included_file(included_file)
+                        try:
+                            new_tasks = self._load_included_file(included_file)
+                        except AnsibleError, e:
+                            for host in included_file._hosts:
+                                iterator.mark_host_failed(host)
+                            # FIXME: callback here?
+                            print(e)
+
                         noop_tasks = [noop_task for t in new_tasks]
                         for host in hosts_left:
                             if host in included_file._hosts:

v2/ansible/utils/vault.py

@@ -0,0 +1,56 @@
+# (c) 2012-2014, Michael DeHaan <michael.dehaan@gmail.com>
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+
+# Make coding more python3-ish
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import subprocess
+
+from ansible import constants as C
+from ansible.errors import AnsibleError
+from ansible.utils.path import is_executable
+
+def read_vault_file(vault_password_file):
+    """
+    Read a vault password from a file or if executable, execute the script and
+    retrieve password from STDOUT
+    """
+
+    this_path = os.path.realpath(os.path.expanduser(vault_password_file))
+    if not os.path.exists(this_path):
+        raise AnsibleError("The vault password file %s was not found" % this_path)
+
+    if is_executable(this_path):
+        try:
+            # STDERR not captured to make it easier for users to prompt for input in their scripts
+            p = subprocess.Popen(this_path, stdout=subprocess.PIPE)
+        except OSError, e:
+            raise AnsibleError("Problem running vault password script %s (%s). If this is not a script, remove the executable bit from the file." % (' '.join(this_path), e))
+        stdout, stderr = p.communicate()
+        vault_pass = stdout.strip('\r\n')
+    else:
+        try:
+            f = open(this_path, "rb")
+            vault_pass=f.read().strip()
+            f.close()
+        except (OSError, IOError), e:
+            raise AnsibleError("Could not read vault password file %s: %s" % (this_path, e))
+
+    return vault_pass
+

v2/bin/ansible-playbook

@@ -15,6 +15,7 @@ from ansible.playbook.task import Task
 from ansible.utils.cli import base_parser
 from ansible.utils.unicode import to_unicode
 from ansible.utils.vars import combine_vars
+from ansible.utils.vault import read_vault_file
 from ansible.vars import VariableManager
 
 # Implement an ansible.utils.warning() function later
@@ -34,8 +35,8 @@ def main(args):
         check_opts=True,
         diff_opts=True
     )
-    #parser.add_option('--vault-password', dest="vault_password",
+    parser.add_option('--vault-password', dest="vault_password",
-    #    help="password for vault encrypted files")
+        help="password for vault encrypted files")
     parser.add_option('-e', '--extra-vars', dest="extra_vars", action="append",
         help="set additional variables as key=value or YAML/JSON", default=[])
     parser.add_option('-t', '--tags', dest='tags', default='all',
@@ -61,47 +62,14 @@ def main(args):
         parser.print_help(file=sys.stderr)
         return 1
 
-    #---------------------------------------------------------------------------------------------------
+    vault_pass = None
-    # FIXME: su/sudo stuff needs to be generalized
+    if options.ask_vault_pass:
-    # su and sudo command line arguments need to be mutually exclusive
+        # FIXME: prompt here
-    #if (options.su or options.su_user or options.ask_su_pass) and \
+        pass
-    #            (options.sudo or options.sudo_user or options.ask_sudo_pass):
+    elif options.vault_password_file:
-    #        parser.error("Sudo arguments ('--sudo', '--sudo-user', and '--ask-sudo-pass') "
+        # read vault_pass from a file
-    #                     "and su arguments ('-su', '--su-user', and '--ask-su-pass') are "
+        vault_pass = read_vault_file(options.vault_password_file)
-    #                     "mutually exclusive")
-    #
-    #if (options.ask_vault_pass and options.vault_password_file):
-    #        parser.error("--ask-vault-pass and --vault-password-file are mutually exclusive")
-    #
-    #sshpass = None
-    #sudopass = None
-    #su_pass = None
-    #vault_pass = None
-    #
-    #options.ask_vault_pass = options.ask_vault_pass or C.DEFAULT_ASK_VAULT_PASS
-    #
-    #if options.listhosts or options.syntax or options.listtasks:
-    #    (_, _, _, vault_pass) = utils.ask_passwords(ask_vault_pass=options.ask_vault_pass)
-    #else:
-    #    options.ask_pass = options.ask_pass or C.DEFAULT_ASK_PASS
-    #    # Never ask for an SSH password when we run with local connection
-    #    if options.connection == "local":
-    #        options.ask_pass = False
-    #    options.ask_sudo_pass = options.ask_sudo_pass or C.DEFAULT_ASK_SUDO_PASS
-    #    options.ask_su_pass = options.ask_su_pass or C.DEFAULT_ASK_SU_PASS
-    #    (sshpass, sudopass, su_pass, vault_pass) = utils.ask_passwords(ask_pass=options.ask_pass, ask_sudo_pass=options.ask_sudo_pass, ask_su_pass=options.ask_su_pass, ask_vault_pass=options.ask_vault_pass)
-    #    options.sudo_user = options.sudo_user or C.DEFAULT_SUDO_USER
-    #    options.su_user = options.su_user or C.DEFAULT_SU_USER
-    #
-    ## read vault_pass from a file
-    #if not options.ask_vault_pass and options.vault_password_file:
-    #    vault_pass = utils.read_vault_file(options.vault_password_file)
-    # END FIXME 
-    #---------------------------------------------------------------------------------------------------
 
-    # FIXME: this hard-coded value will be removed after fixing the removed block
-    #        above, which dealt wtih asking for passwords during runtime
-    vault_pass = 'testing'
     loader = DataLoader(vault_password=vault_pass)
 
     extra_vars = {}