1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
Commit graph

145 commits

Author SHA1 Message Date
Brian Coca
c063803a91 raise AnsibleError as an 'expected' exception
fixes #14065
2016-01-25 22:20:55 -05:00
Brian Coca
f26adcc7da avoid shredding empty files, also x/0
also cleaned up unused import and exception var
2016-01-21 10:54:56 -05:00
James Cammarata
46e515131e Allow module args as k=v pairs when using the module: option with local_action
This task format is valid in 1.x, but was broken in 2.x:
  - local_action:
     module: shell echo "hello world"
2016-01-18 14:32:44 -05:00
Toshio Kuratomi
4958180333 use integer division instead of floating point division.
Fixes #13855
2016-01-13 12:35:28 -08:00
Eric Feliksik
11ce08b9dd cleaner implementation and random chunk length. 2016-01-05 18:04:38 +01:00
Eric Feliksik
151e09d129 use unix shred if possible, otherwise fast custom impl; do not shred encrypted file 2016-01-05 01:43:42 +01:00
Eric Feliksik
1e911375e8 add docs, remove unnecessary int() cast 2016-01-04 18:13:59 +01:00
Eric Feliksik
7193d27acc add os.fsync() so that the shredding data (hopefully) hits the drive 2016-01-04 17:22:18 +01:00
Eric Feliksik
946b82bef7 shred ansible-vault tmp_file. Also when editor is interruped. 2015-12-30 18:21:34 +01:00
Brian Coca
75e94e0cba allow for non standard hostnames
* Changed parse_addresses to throw exceptions instead of passing None
* Switched callers to trap and pass through the original values.
* Added very verbose notice
* Look at deprecating this and possibly validate at plugin instead
fixes #13608
2015-12-21 13:42:34 -05:00
James Cammarata
8716bf8021 All variables in complex args again
Also updates the CHANGELOG to note the slight change, where bare variables
in args are no longer allowed to be bare variables

Fixes #13518
2015-12-16 16:39:08 -05:00
James Cammarata
2b36343451 Missed one place we were appending the incorrectly escaped item to raw params 2015-12-09 17:58:44 -05:00
James Cammarata
1799de8528 Preserve original token when appending to _raw_params in parse_kv
Fixes #13311
2015-12-08 15:06:36 -05:00
Toshio Kuratomi
a8e015cc22 Add representers so we can output yaml for all the types we read in from yaml 2015-12-06 22:17:47 -08:00
Monty Taylor
d20e67d708 Put in trap for args being None
_normalize_old_style_args can return None. If it does, the loop
"for args in args" blows up.
2015-11-28 13:38:11 -05:00
Yannig Perré
2fc7c8b460 More restrictive test against variable name to allow setting variable starting with _. 2015-11-28 10:35:06 +01:00
Yannig Perré
2c54fb1339 Switch parameters validation after parsing in order to be more consistent between old and new style. 2015-11-26 13:33:58 +01:00
Matteo Acerbi
0127d32652 Fix DataLoader's docstring
DataLoader.__init__ doesn't take an argument named vault_password
2015-11-18 11:20:34 +01:00
Abhijit Menon-Sen
7caefa5cd9 Fix typo 2015-11-03 10:57:48 +05:30
Brian Coca
00bc74404a vault noe preserves permissions on edit and rekey and sets a restricitve default umask for all other cases 2015-10-31 14:13:03 -04:00
Toshio Kuratomi
e3e2db1119 Improve the warning message about duplicate yaml dict keys 2015-10-27 14:20:36 -07:00
Toshio Kuratomi
4203850d1a Break apart a looped dependency to show a warning when parsing playbooks
Display a warning when a dict key is overwritten by pyyaml
Fixes #12888
2015-10-27 12:39:42 -07:00
James Cammarata
86de1429e5 Cleaning up FIXMEs 2015-10-22 16:03:50 -04:00
James Cammarata
0bbe9d5bd0 Make hostvars json/yaml serializable in filters
Fixes #12615
2015-10-18 10:09:05 -04:00
Toshio Kuratomi
b23a083776 Make vault use a mapping of cipher name to classes instead of formatting the name for safety. 2015-10-16 10:05:27 -07:00
Toshio Kuratomi
baa309309d Bundle a new version of python-six for compatibility along with some code to make it easy for distributions to override the bunndled copy if they have a new enough version. 2015-10-16 08:21:28 -07:00
Marius Gedminas
98958ec990 Simplify join expression 2015-10-16 17:39:27 +03:00
Marius Gedminas
56184a3d8c Python 3: avoid %-formatting of byte strings
This is needed for Python 3.4 compatibility; Python 3.5 can use
`b'%s\n' bytestring` again.
2015-10-16 17:18:35 +03:00
Toshio Kuratomi
85abd61001 Add some more info to docstring 2015-10-14 18:57:10 -07:00
Brian Coca
abf2e13955 Revert "Track local_action internally to prevent it from being overridden"
This reverts commit 49ca0eb797.
2015-10-09 13:01:32 -04:00
Brian Coca
101c8785ec removed changes to make local action equate connection=local and brought it back to equate delegate_to=localhost 2015-10-09 13:01:32 -04:00
Brian Coca
3705d54485 fixed error reporting on splitter 2015-10-01 19:03:04 -04:00
Brian Coca
a680ef66dd fixed vault password file script execution 2015-10-01 18:49:51 -04:00
Abhijit Menon-Sen
0bb34fd076 Make «ansible-vault view» not write plaintext to a tempfile
CLI already provides a pager() method that feeds $PAGER on stdin, so we
just feed that the plaintext from the vault file. We can also eliminate
the redundant and now-unused shell_pager_command method in VaultEditor.
2015-09-30 22:13:36 +05:30
Toshio Kuratomi
dcdcd9e9c5 Move is_executable to the toplevel of basic.py so we can utilize it from other code 2015-09-25 07:48:57 -07:00
James Cammarata
95b371dd60 Use AnsibleFileNotFound instead of AnsibleParsingError when YAML files are not found
And update portions of code to expect the proper error.

Fixes #12512
2015-09-24 16:27:25 -04:00
Marius Gedminas
fc0dcc3947 Python 3: there's no basestring
Fixes one failing test.

Now technically a filename can be a bytestring, even on Python 3.  I
hope this is unlikely for Ansible.
2015-09-22 08:42:33 +03:00
Toshio Kuratomi
627f9d73ba Detect if core modules aren't installed and warn if that is the case
Fixes #11206
2015-09-21 12:31:51 -07:00
Abhijit Menon-Sen
2d420a9bb7 Allow hexadecimal ranges in IPv6 addresses, not only 0-9 2015-09-17 23:32:58 +05:30
Abhijit Menon-Sen
349eec7855 Fix missing colon (typo) in IPv6 pattern 2015-09-17 19:34:33 +05:30
James Cammarata
4f30db8ca5 Check if path is /dev/null when checking if a file is in fact a file 2015-09-14 14:41:22 -04:00
James Cammarata
49ca0eb797 Track local_action internally to prevent it from being overridden
Fixes #12053
2015-09-14 12:11:58 -04:00
James Cammarata
aa762bb432 Don't split args out unless we're parsing module args using the new style
Fixes #12331
2015-09-12 17:50:05 -04:00
Abhijit Menon-Sen
7479ab47e0 Be stricter about parsing hostname labels
Labels must start with an alphanumeric character, may contain
alphanumeric characters or hyphens, but must not end with a hyphen.
We enforce those rules, but allow underscores wherever hyphens are
accepted, and allow alphanumeric ranges anywhere.

We relax the definition of "alphanumeric" to include Unicode characters
even though such inventory hostnames cannot be used in practice unless
an ansible_ssh_host is set for each of them.

We still don't enforce length restrictions—the fact that we have to
accept ranges makes it more complex, and it doesn't seem especially
worthwhile.
2015-09-11 21:47:19 +05:30
Abhijit Menon-Sen
065bb52109 Be systematic about parsing and validating hostnames and addresses
This adds a parse_address(pattern) utility function that returns
(host,port), and uses it wherever where we accept IPv4 and IPv6
addresses and hostnames (or host patterns): the inventory parser
the the add_host action plugin.

It also introduces a more extensive set of unit tests that supersedes
the old add_host unit tests (which didn't actually test add_host, but
only the parsing function).
2015-09-11 21:47:18 +05:30
Marius Gedminas
b95e3d18a7 Python 3: use the right PyYAML SafeRepresenter for unicode
PyYAML has a SafeRepresenter in lib/... that defines

    def represent_unicode(self, data):
        return self.represent_scalar(u'tag:yaml.org,2002:str', data)

and a different SafeRepresenter in lib3/... that defines

    def represent_str(self, data):
        return self.represent_scalar('tag:yaml.org,2002:str', data)

so the right thing to do on Python 3 is to use represent_str.

(AnsibleUnicode is a subclass of six.text_type, i.e. 'str' on Python 3.)
2015-09-10 08:57:53 +03:00
James Cammarata
ff9f5d7dc8 Starting to add additional unit tests for VariableManager
Required some rewiring in inventory code to make sure we're using
the DataLoader class for some data file operations, which makes mocking
them much easier.

Also identified two corner cases not currently handled by the code, related
to inventory variable sources and which one "wins". Also noticed we weren't
properly merging variables from multiple group/host_var file locations
(inventory directory vs. playbook directory locations) so fixed as well.
2015-09-04 16:41:38 -04:00
Marius Gedminas
37be9539ff Python 3: use six.text_type instead of unicode
Replace 'unicode' with six.text_type, everywhere but in module_utils.
2015-09-04 08:40:10 +03:00
Toshio Kuratomi
86b2982005 Merge pull request #12112 from amenonsen/vault-stdio
Implement cat-like filtering behaviour for encrypt/decrypt
2015-08-27 11:26:48 -07:00
Abhijit Menon-Sen
090cfc9e03 More helpful prompts from ansible-vault encrypt/decrypt
Now we issue a "Reading … from stdin" prompt if our input isatty(), as
gpg does. We also suppress the "x successful" confirmation message at
the end if we're part of a pipeline.

(The latter requires that we not close sys.stdout in VaultEditor, and
for symmetry we do the same for sys.stdin, though it doesn't matter in
that case.)
2015-08-27 22:04:18 +05:30
Abhijit Menon-Sen
e7eebb6954 Implement cat-like filtering behaviour for encrypt/decrypt
This allows the following invocations:

    # Interactive use, like gpg
    ansible-vault encrypt --output x

    # Non-interactive, for scripting
    echo plaintext|ansible-vault encrypt --output x

    # Separate input and output files
    ansible-vault encrypt input.yml --output output.yml

    # Existing usage (in-place encryption) unchanged
    ansible-vault encrypt inout.yml

…and the analogous cases for ansible-vault decrypt as well.

In all cases, the input and output files can be '-' to read from stdin
or write to stdout. This permits sensitive data to be encrypted and
decrypted without ever hitting disk.
2015-08-27 22:04:18 +05:30
Abhijit Menon-Sen
8fc8bf9439 Simplify VaultEditor methods
We don't need to keep creating VaultLibs everywhere, and we don't need
to keep checking for errors because VaultLib does it already.
2015-08-27 22:04:18 +05:30
Abhijit Menon-Sen
e99395f0c0 Don't create a VaultLib in each method; do it in __init__ instead 2015-08-27 22:04:18 +05:30
Abhijit Menon-Sen
159887a6c9 Remove deprecated and unused VaultAES encryption code
Now that VaultLib always decides to use AES256 to encrypt, we don't need
this broken code any more. We need to be able to decrypt this format for
a while longer, but encryption support can be safely dropped.
2015-08-27 16:54:39 +05:30
Abhijit Menon-Sen
b84053019a Make the filename the first argument to rekey_file 2015-08-26 19:54:59 +05:30
Abhijit Menon-Sen
20fd9224bb Pass the filename to the individual VaultEditor methods, not __init__
Now we don't have to recreate VaultEditor objects for each file, and so
on. It also paves the way towards specifying separate input and output
files later.
2015-08-26 19:17:37 +05:30
Abhijit Menon-Sen
a27c5741a1 Remove inaccurate outdated comment 2015-08-26 18:31:45 +05:30
Abhijit Menon-Sen
f91ad3dabe Don't pass the cipher around so much
It's unused and unnecessary; VaultLib can decide for itself what cipher
to use when encrypting. There's no need (and no provision) for the user
to override the cipher via options, so there's no need for code to see
if that has been done either.
2015-08-26 18:31:45 +05:30
Abhijit Menon-Sen
017566a2d9 Use AES256 if the cipher is not write-whitelisted 2015-08-26 18:09:21 +05:30
Abhijit Menon-Sen
47bcdf5952 Remove incorrect copy-pasted comment 2015-08-26 18:09:21 +05:30
Toshio Kuratomi
d2c948dd6a Remove decrypted vault temp_file mistakenly left from patch making vault edit idempotent
This bug was introduced in commit f8bf2ba on July 27.  Hasn't gone out
in a release yet.
2015-08-25 14:51:32 -07:00
Toshio Kuratomi
a3fd4817ef Unicode and other fixes for vault 2015-08-25 12:43:09 -07:00
Brian Coca
144da7e7d1 Merge pull request #11765 from ldx/vault_pbkdf2hmac
Use PBKDF2HMAC() from cryptography for vault keys.
2015-08-21 11:06:00 -04:00
Brian Coca
7a4a156d91 changed local_action to alias to connection=local vs delegate_to=localhost
fixes #11998, but still leaves issue of delegate_to: localhost not working
2015-08-18 18:31:29 -04:00
James Cammarata
eb381bd522 Add one more search path to path_dwim_relative 2015-08-13 09:53:09 -04:00
James Cammarata
d9833f227f Make sure cached data from file loads isn't impacted by modifications
Fixes #11893
2015-08-12 14:30:43 -04:00
Toshio Kuratomi
e8452c864e Restore the relative path handling portion of #11865 2015-08-06 07:28:22 -07:00
Brian Coca
b9433650d1 Revert "Path of group_vars and host_vars were getting the basedir added twice."
in view of simpler solution incomming from james
This reverts commit bae7a02be5.
2015-08-06 10:09:43 -04:00
Toshio Kuratomi
bae7a02be5 Path of group_vars and host_vars were getting the basedir added twice.
Fix inventory so this won't happen and fix DataLoader so that it will
test relative paths relative to self._basedir

Fixes #11789
2015-08-05 17:41:17 -07:00
Chris Church
6969b5ac8b Make sure raw doesn't eat key=value arguments. 2015-08-02 11:57:32 -04:00
Vilmos Nebehaj
58cccce384 Use PBKDF2HMAC() from cryptography for vault keys.
When stretching the key for vault files, use PBKDF2HMAC() from the
cryptography package instead of pycrypto. This will speed up the opening
of vault files by ~10x.

The problem is here in lib/ansible/utils/vault.py:

    hash_function = SHA256

    # make two keys and one iv
    pbkdf2_prf = lambda p, s: HMAC.new(p, s, hash_function).digest()

    derivedkey = PBKDF2(password, salt, dkLen=(2 * keylength) + ivlength,
                        count=10000, prf=pbkdf2_prf)

`PBKDF2()` calls a Python callback function (`pbkdf2_pr()`) 10000 times.
If one has several vault files, this will cause excessive start times
with `ansible` or `ansible-playbook` (we experience ~15 second startup
times).

Testing the original implementation in 1.9.2 with a vault file:

In [2]: %timeit v.decrypt(encrypted_data)
1 loops, best of 3: 265 ms per loop

Having a recent OpenSSL version and using the vault.py changes in this commit:

In [2]: %timeit v.decrypt(encrypted_data)
10 loops, best of 3: 23.2 ms per loop
2015-07-28 14:51:36 +02:00
Pablo Figue
f8bf2ba1bd Encrypt the vault file after editing only if the contents changed 2015-07-26 14:41:34 +05:30
James Cammarata
73aa5686cc Remove octal escapes from unicode escape handling
Fixes #11673
2015-07-25 16:30:11 -04:00
James Cammarata
e526743b4f Allowing args: "{{some_var}}" for task params again
This is unsafe and we debated re-adding it to the v2/2.0 codebase,
however it is a common-enough feature that we will simply mark it
as deprecated for now and remove it at some point in the future.

Fixes #11718
2015-07-24 10:33:12 -04:00
Brian Coca
b9050ecf18 fixed file lookup pathing in dwim functinos, now does specific paths and priorities and is commented
fixes #11672 as cwd is now not part of thos paths:
if full path is supplied, used that
2015-07-22 20:58:24 -04:00
Brian Coca
827b0443c8 now dataloader checkis that you get at least a valid string as a file name 2015-07-21 08:47:13 -04:00
James Cammarata
165fff8a1e Fixing module arg parsing splitting when action is a variable
Fixes #11122
2015-07-15 12:03:02 -04:00
James Cammarata
f40b66d841 Make sure the basedir is unicode
Fixes #10773
2015-07-12 16:40:00 -04:00
Brian Coca
e4097ed279 simplified ansible errors, moved md5 hash import with notes to be more prominent 2015-07-11 14:24:00 -04:00
Toshio Kuratomi
ddac6fa9f3 Update exception handling to be python3 compat 2015-07-08 08:59:42 -07:00
Toshio Kuratomi
49e17b8ff6 Get rid of an unused import so that we don't have circular imports 2015-07-06 14:19:13 -07:00
Toshio Kuratomi
f44f9569e1 Test unquote works as expected and fix two bugs:
* escaped end quote
* a single quote character
2015-07-06 13:16:42 -07:00
James Cammarata
bddadc9565 Fix bug in relative path determination 2015-07-04 23:18:54 -04:00
Brian Coca
b76dbb01cc generalized prereqs check
added vaultfile class for action and lookup plugin usage
2015-06-16 09:20:15 -04:00
Toshio Kuratomi
c3caff5eeb Fix for six version 1.1.0 (rhel6). 2015-06-03 10:25:07 -07:00
Toshio Kuratomi
d8c8ca11cf Add compatibility for old version of six (present on rhel7) 2015-06-03 08:45:36 -07:00
Brian Coca
5622fc23bc fixed frozen set, missing iterable 2015-06-02 23:35:15 -04:00
Brian Coca
48c0d6388f moved RAW var to class and as a frozenset 2015-06-02 23:35:15 -04:00
Brian Coca
e0ef217f97 Revert "Adding raw module to list of modules allowing raw params"
This reverts commit bc041ffea0.
same fix x2 does not fix it 'more'
2015-06-02 13:33:33 -04:00
James Cammarata
bc041ffea0 Adding raw module to list of modules allowing raw params
Fixes #11119
2015-06-02 08:42:24 -05:00
Brian Coca
e251e70178 added raw to 'raw' modules 2015-06-02 08:54:37 -04:00
James Cammarata
4bc7703db3 Fixing some small bugs related to integration tests (v2) 2015-06-01 16:42:10 -05:00
James Cammarata
b94e2a1f4e Fixing bugs related to parsing and fixing up parsing integration tests (v2) 2015-05-13 11:27:12 -05:00
Toshio Kuratomi
3a87b2727d Fix format strings for python2.6 2015-05-08 13:11:04 -07:00
James Cammarata
ce3ef7f4c1 Making the switch to v2 2015-05-03 21:47:26 -05:00