diff --git a/lib/ansible/parsing/dataloader.py b/lib/ansible/parsing/dataloader.py index c0203d3cc3..bdc62d10b5 100644 --- a/lib/ansible/parsing/dataloader.py +++ b/lib/ansible/parsing/dataloader.py @@ -24,6 +24,10 @@ import os import json import subprocess from yaml import YAMLError +import tempfile + +from yaml import load, YAMLError +>>>>>>> feature/copy-vault-dataloader: Add method get_real_file(file_path) to dataloader from ansible.compat.six import text_type, string_types from ansible.errors import AnsibleFileNotFound, AnsibleParserError, AnsibleError @@ -58,10 +62,15 @@ class DataLoader(): def __init__(self): self._basedir = '.' self._FILE_CACHE = dict() + self._tempfiles = set() # initialize the vault stuff with an empty password self.set_vault_password(None) + def __del__(self): + for f in self._tempfiles: + os.unlink(f) + def set_vault_password(self, vault_password): self._vault_password = vault_password self._vault = VaultLib(password=vault_password) @@ -292,3 +301,65 @@ class DataLoader(): f.close() except (OSError, IOError) as e: raise AnsibleError("Could not read vault password file %s: %s" % (this_path, e)) + + def _create_content_tempfile(self, content): + ''' Create a tempfile containing defined content ''' + fd, content_tempfile = tempfile.mkstemp() + f = os.fdopen(fd, 'wb') + content = to_bytes(content) + try: + f.write(content) + except Exception as err: + os.remove(content_tempfile) + raise Exception(err) + finally: + f.close() + return content_tempfile + + def get_real_file(self, file_path): + """ + If the file is vault encrypted return a path to a temporary decrypted file + If the file is not encrypted then the path is returned + Temporary files are cleanup in the destructor + """ + + if not file_path or not isinstance(file_path, string_types): + raise AnsibleParserError("Invalid filename: '%s'" % str(file_path)) + + if not self.path_exists(file_path) or not self.is_file(file_path): + raise AnsibleFileNotFound("the file_name '%s' does not exist, or is not readable" % file_path) + + if not self._vault: + self._vault = VaultLib(password="") + + real_path = self.path_dwim(file_path) + + try: + with open(real_path, 'rb') as f: + data = f.read() + if self._vault.is_encrypted(data): + # if the file is encrypted and no password was specified, + # the decrypt call would throw an error, but we check first + # since the decrypt function doesn't know the file name + if not self._vault_password: + raise AnsibleParserError("A vault password must be specified to decrypt %s" % file_path) + + data = self._vault.decrypt(data) + # Make a temp file + real_path = self._create_content_tempfile(data) + self._tempfiles.add(real_path) + + return real_path + + except (IOError, OSError) as e: + raise AnsibleParserError("an error occurred while trying to read the file '%s': %s" % (file_name, str(e))) + + def cleanup_real_file(self, file_path): + """ + Removes any temporary files created from a previous call to + get_real_file. file_path must be the path returned from a + previous call to get_real_file. + """ + if file_path in self._tempfiles: + os.unlink(file_path) + self._tempfiles.remove(file_path); diff --git a/lib/ansible/plugins/action/copy.py b/lib/ansible/plugins/action/copy.py index 9734a29444..7eb805aa5d 100644 --- a/lib/ansible/plugins/action/copy.py +++ b/lib/ansible/plugins/action/copy.py @@ -152,6 +152,8 @@ class ActionModule(ActionBase): diffs = [] for source_full, source_rel in source_files: + source_full = self._loader.get_real_file(source_full) + # Generate a hash of the local file. local_checksum = checksum(source_full) @@ -219,6 +221,8 @@ class ActionModule(ActionBase): # We have copied the file remotely and no longer require our content_tempfile self._remove_tempfile_if_content_defined(content, content_tempfile) + self._loader.cleanup_real_file(source_full) + # fix file permissions when the copy is done as a different user self._fixup_perms(tmp, remote_user, recursive=True) @@ -247,6 +251,8 @@ class ActionModule(ActionBase): # the file module in case we want to change attributes self._remove_tempfile_if_content_defined(content, content_tempfile) + self._loader.cleanup_real_file(source_full) + if raw: # Continue to next iteration if raw is defined. self._remove_tmp_path(tmp) diff --git a/test/integration/Makefile b/test/integration/Makefile index db610c4641..a812ace890 100644 --- a/test/integration/Makefile +++ b/test/integration/Makefile @@ -144,10 +144,10 @@ test_var_precedence: setup ansible-playbook test_var_precedence.yml -i $(INVENTORY) $(CREDENTIALS_ARG) $(TEST_FLAGS) -v -e outputdir=$(TEST_DIR) -e 'extra_var=extra_var' -e 'extra_var_override=extra_var_override' test_vault: setup - ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --list-tasks -e outputdir=$(TEST_DIR) - ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --list-hosts -e outputdir=$(TEST_DIR) - ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --syntax-check -e outputdir=$(TEST_DIR) - ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) -e outputdir=$(TEST_DIR) + ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --list-tasks -e outputdir=$(TEST_DIR) -e @$(VARS_FILE) + ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --list-hosts -e outputdir=$(TEST_DIR) -e @$(VARS_FILE) + ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --syntax-check -e outputdir=$(TEST_DIR) -e @$(VARS_FILE) + ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) -e outputdir=$(TEST_DIR) -e @$(VARS_FILE) # test_delegate_to does not work unless we have permission to ssh to localhost. # Would take some more effort on our test systems to implement that -- probably diff --git a/test/integration/test_vault.yml b/test/integration/test_vault.yml index 3313f32d07..a3b2498766 100644 --- a/test/integration/test_vault.yml +++ b/test/integration/test_vault.yml @@ -8,4 +8,6 @@ - assert: that: - 'secret_var == "secret"' + + - copy: src=vault-secret.txt dest={{output_dir}}/secret.txt diff --git a/test/integration/vault-secret.txt b/test/integration/vault-secret.txt new file mode 100644 index 0000000000..b6bc9bfb17 --- /dev/null +++ b/test/integration/vault-secret.txt @@ -0,0 +1,6 @@ +$ANSIBLE_VAULT;1.1;AES256 +39303432393062643236616234306333383838333662386165616633303735336537613337396337 +6662666233356462326631653161663663363166323338320a653131656636666339633863346530 +32326238646631653133643936306666643065393038386234343736663239363665613963343661 +3230353633643361650a363034323631613864326438396665343237383566336339323837326464 +3930