mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Support multiple vault passwords in keyring script
Allows users to specify a key name in a given project’s `ansible.cfg` file and thus handle keyring integration with vaults with different passwords. If no key name is specified, the original default `ansible` key name will be used. Other improvements: * `username` is now optional; defaults to user that invokes the script * change string interpolation to new `.format()` style * clean up and expand upon documentation * enforce PEP 8 compliance
This commit is contained in:
parent
1b8c2a2b0b
commit
fda131504b
1 changed files with 40 additions and 21 deletions
|
@ -1,8 +1,9 @@
|
||||||
#!/usr/bin/env python
|
#!/usr/bin/env python
|
||||||
# -*- coding: utf-8 -*-
|
# -*- coding: utf-8 -*-
|
||||||
# (c) 2014, Matt Martz <matt@sivel.net>
|
# (c) 2014, Matt Martz <matt@sivel.net>
|
||||||
|
# (c) 2016, Justin Mayer <https://justinmayer.com/>
|
||||||
#
|
#
|
||||||
# This file is part of Ansible
|
# This file is part of Ansible.
|
||||||
#
|
#
|
||||||
# Ansible is free software: you can redistribute it and/or modify
|
# Ansible is free software: you can redistribute it and/or modify
|
||||||
# it under the terms of the GNU General Public License as published by
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
@ -17,30 +18,42 @@
|
||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||||
#
|
#
|
||||||
|
# =============================================================================
|
||||||
#
|
#
|
||||||
# Script to be used with vault_password_file or --vault-password-file
|
# This script is to be used with vault_password_file or --vault-password-file
|
||||||
# to retrieve the vault password via your OSes native keyring application
|
# to retrieve the vault password via your OS's native keyring application.
|
||||||
#
|
#
|
||||||
# This script requires the ``keyring`` python module
|
# This file *MUST* be saved with executable permissions. Otherwise, Ansible
|
||||||
|
# will try to parse as a password file and display: "ERROR! Decryption failed"
|
||||||
#
|
#
|
||||||
# Add a [vault] section to your ansible.cfg file,
|
# The `keyring` Python module is required: https://pypi.python.org/pypi/keyring
|
||||||
# the only option is 'username'. Example:
|
#
|
||||||
|
# By default, this script will store the specified password in the keyring of
|
||||||
|
# the user that invokes the script. To specify a user keyring, add a [vault]
|
||||||
|
# section to your ansible.cfg file with a 'username' option. Example:
|
||||||
#
|
#
|
||||||
# [vault]
|
# [vault]
|
||||||
# username = 'ansible_vault'
|
# username = 'ansible-vault'
|
||||||
#
|
#
|
||||||
# Additionally, it would be a good idea to configure vault_password_file in
|
# Another optional setting is for the key name, which allows you to use this
|
||||||
# ansible.cfg
|
# script to handle multiple project vaults with different passwords:
|
||||||
|
#
|
||||||
|
# [vault]
|
||||||
|
# keyname = 'ansible-vault-yourproject'
|
||||||
|
#
|
||||||
|
# You can configure the `vault_password_file` option in ansible.cfg:
|
||||||
#
|
#
|
||||||
# [defaults]
|
# [defaults]
|
||||||
# ...
|
# ...
|
||||||
# vault_password_file = /path/to/vault-keyring.py
|
# vault_password_file = /path/to/vault-keyring.py
|
||||||
# ...
|
# ...
|
||||||
#
|
#
|
||||||
# To set your password: python /path/to/vault-keyring.py set
|
# To set your password, `cd` to your project directory and run:
|
||||||
#
|
#
|
||||||
# If you choose to not configure the path to vault_password_file in ansible.cfg
|
# python /path/to/vault-keyring.py set
|
||||||
# your ansible-playbook command may look like:
|
#
|
||||||
|
# If you choose not to configure the path to `vault_password_file` in
|
||||||
|
# ansible.cfg, your `ansible-playbook` command might look like:
|
||||||
#
|
#
|
||||||
# ansible-playbook --vault-password-file=/path/to/vault-keyring.py site.yml
|
# ansible-playbook --vault-password-file=/path/to/vault-keyring.py site.yml
|
||||||
|
|
||||||
|
@ -51,29 +64,35 @@ ANSIBLE_METADATA = {'status': ['preview'],
|
||||||
import sys
|
import sys
|
||||||
import getpass
|
import getpass
|
||||||
import keyring
|
import keyring
|
||||||
import ConfigParser
|
|
||||||
|
|
||||||
|
|
||||||
import ansible.constants as C
|
import ansible.constants as C
|
||||||
|
|
||||||
|
|
||||||
def main():
|
def main():
|
||||||
(parser,config_path) = C.load_config_file()
|
(parser, config_path) = C.load_config_file()
|
||||||
try:
|
if parser.has_option('vault', 'username'):
|
||||||
username = parser.get('vault', 'username')
|
username = parser.get('vault', 'username')
|
||||||
except ConfigParser.NoSectionError:
|
else:
|
||||||
sys.stderr.write('No [vault] section configured in config file: %s\n' % config_path)
|
username = getpass.getuser()
|
||||||
sys.exit(1)
|
|
||||||
|
if parser.has_option('vault', 'keyname'):
|
||||||
|
keyname = parser.get('vault', 'keyname')
|
||||||
|
else:
|
||||||
|
keyname = 'ansible'
|
||||||
|
|
||||||
if len(sys.argv) == 2 and sys.argv[1] == 'set':
|
if len(sys.argv) == 2 and sys.argv[1] == 'set':
|
||||||
|
intro = 'Storing password in "{}" user keyring using key name: {}\n'
|
||||||
|
sys.stdout.write(intro.format(username, keyname))
|
||||||
password = getpass.getpass()
|
password = getpass.getpass()
|
||||||
confirm = getpass.getpass('Confirm password: ')
|
confirm = getpass.getpass('Confirm password: ')
|
||||||
if password == confirm:
|
if password == confirm:
|
||||||
keyring.set_password('ansible', username, password)
|
keyring.set_password(keyname, username, password)
|
||||||
else:
|
else:
|
||||||
sys.stderr.write('Passwords do not match\n')
|
sys.stderr.write('Passwords do not match\n')
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
else:
|
else:
|
||||||
sys.stdout.write('%s\n' % keyring.get_password('ansible', username))
|
sys.stdout.write('{}\n'.format(keyring.get_password(keyname,
|
||||||
|
username)))
|
||||||
|
|
||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue