mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
1a13287788
* add sops lookup plugin * fix pylint * fix undefined encrypted_file variable * decode sops output as text by default * add variable to control decrypted content print in logs * use Sops class decryption method * lookup should return text, use appropriate ansible facility * use ansible.module_utils._text.to_native As required by Ansible documentation on [raising errors][raising-errors] from plugins, use to_native to wrap errors to ensure string compatibility between Python versions. [raising-errors]: https://docs.ansible.com/ansible/latest/dev_guide/developing_plugins.html#id3 * use with_items instead of with_file in sops lookup documentation [with_file][with-file], per Ansible documentation, returns the content of the file. As sops is not able to decrypt a string by itself but requires the file is passed as argument, passing the content breaks the lookup plugin as reported by [here][bug-report]. [with_items][with-items] should be used instead. [with-file]: https://docs.ansible.com/ansible/2.4/playbooks_loops.html#looping-over-files [with-items]: https://docs.ansible.com/ansible/2.4/playbooks_loops.html#standard-loops [bug-report]: https://github.com/ansible/ansible/pull/59639#issuecomment-540803722 * uniform sops exception handling between plugins * Apply suggestions from code review Co-Authored-By: Felix Fontein <felix@fontein.de> * remove sops lookup plugin print option Is no longer possible to print the decrypted secrets directly from this plugin, but `debug` module can be used instead. * add github handle to author * add setup_sops integration target * extract sops module * add lookup_sops integration tests * use sops module * Update plugins/module_utils/sops.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/module_utils/sops.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/lookup/sops.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/module_utils/sops.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/module_utils/sops.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update test/integration/targets/lookup_sops/tasks/ubuntu.yml Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/module_utils/sops.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update test/integration/targets/lookup_sops/files/simple.sops.yaml Co-authored-by: Felix Fontein <felix@fontein.de> * Adding aliases file * Emtpy spaces * Update plugins/lookup/sops.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/lookup/sops.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/lookup/sops.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update test/integration/targets/lookup_sops/tasks/ubuntu.yml Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/lookup/sops.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update test/integration/targets/lookup_sops/tasks/ubuntu.yml Co-authored-by: Felix Fontein <felix@fontein.de> * Update test/integration/targets/lookup_sops/tasks/ubuntu.yml Co-authored-by: Felix Fontein <felix@fontein.de> * gpg -> gnupg2 * with_items -> loop * Move error logic to module_utils. * Make Sops.decrypt() also handle errors and decode output. * Improve error handling. * Improve example formatting. * Reorganize tests. * Add test. * Remove version_added. Co-authored-by: Edoardo Tenani <edoardo.tenani@protonmail.com> Co-authored-by: Edoardo Tenani <edoardo.tenani@gmail.com> Co-authored-by: Edoardo T <endorama@users.noreply.github.com> Co-authored-by: Felix Fontein <felix@fontein.de>
79 lines
2.6 KiB
Python
79 lines
2.6 KiB
Python
# Copyright (c), Edoardo Tenani <e.tenani@arduino.cc>, 2018-2020
|
|
# Simplified BSD License (see licenses/simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause)
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
__metaclass__ = type
|
|
|
|
|
|
from ansible.module_utils._text import to_text, to_native
|
|
|
|
from subprocess import Popen, PIPE
|
|
|
|
|
|
# From https://github.com/mozilla/sops/blob/master/cmd/sops/codes/codes.go
|
|
# Should be manually updated
|
|
SOPS_ERROR_CODES = {
|
|
1: "ErrorGeneric",
|
|
2: "CouldNotReadInputFile",
|
|
3: "CouldNotWriteOutputFile",
|
|
4: "ErrorDumpingTree",
|
|
5: "ErrorReadingConfig",
|
|
6: "ErrorInvalidKMSEncryptionContextFormat",
|
|
7: "ErrorInvalidSetFormat",
|
|
8: "ErrorConflictingParameters",
|
|
21: "ErrorEncryptingMac",
|
|
23: "ErrorEncryptingTree",
|
|
24: "ErrorDecryptingMac",
|
|
25: "ErrorDecryptingTree",
|
|
49: "CannotChangeKeysFromNonExistentFile",
|
|
51: "MacMismatch",
|
|
52: "MacNotFound",
|
|
61: "ConfigFileNotFound",
|
|
85: "KeyboardInterrupt",
|
|
91: "InvalidTreePathFormat",
|
|
100: "NoFileSpecified",
|
|
128: "CouldNotRetrieveKey",
|
|
111: "NoEncryptionKeyFound",
|
|
200: "FileHasNotBeenModified",
|
|
201: "NoEditorFound",
|
|
202: "FailedToCompareVersions",
|
|
203: "FileAlreadyEncrypted"
|
|
}
|
|
|
|
|
|
class SopsError(Exception):
|
|
''' Extend Exception class with sops specific informations '''
|
|
|
|
def __init__(self, filename, exit_code, message):
|
|
if exit_code in SOPS_ERROR_CODES:
|
|
exception_name = SOPS_ERROR_CODES[exit_code]
|
|
message = "error with file %s: %s exited with code %d: %s" % (filename, exception_name, exit_code, to_native(message))
|
|
else:
|
|
message = "could not decrypt file %s; Unknown sops error code: %s" % (filename, to_native(exit_code))
|
|
super(SopsError, self).__init__(message)
|
|
|
|
|
|
class Sops():
|
|
''' Utility class to perform sops CLI actions '''
|
|
|
|
@staticmethod
|
|
def decrypt(encrypted_file, display=None):
|
|
# Run sops directly, python module is deprecated
|
|
command = ["sops", "--decrypt", encrypted_file]
|
|
process = Popen(command, stdout=PIPE, stderr=PIPE)
|
|
(output, err) = process.communicate()
|
|
exit_code = process.returncode
|
|
|
|
# output is binary, we want UTF-8 string
|
|
output = to_text(output, errors='surrogate_or_strict')
|
|
# the process output is the decrypted secret; be cautious
|
|
|
|
# sops logs always to stderr, as stdout is used for
|
|
# file content
|
|
if err and display:
|
|
display.vvvv(err)
|
|
|
|
if exit_code > 0:
|
|
raise SopsError(encrypted_file, exit_code, err)
|
|
|
|
return output.rstrip()
|