archive
/
ansible
mirror of https://github.com/ansible/ansible.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
devel
stable-2.17
stable-2.16
stable-2.15
stable-2.14
stable-2.12
milestone
stable-2.13
stable-2.9
stable-2.11
stable-2.3
stable-2.10
stable-2.8
stable-2.4
stable-2.5
stable-2.6
stable-2.7
temp-2.10-devel
mazer_role_loader
stable-2.2
threading_plus_forking
threading_instead_of_forking
stable-2.1
stable-1.9
stable-2.0
stable-2.0.0.1
stable-2.0-network
release1.8.4
release1.8.3
release1.8.2
release1.8.1
release1.8.0
release1.7.2
release1.7.1
release1.7.0
release1.6.8
release1.6.10
release1.6.9
release1.6.7
release1.6.6
release1.6.5
release1.6.4
release1.6.3
release1.6.2
release1.6.1
release1.6.0
release1.5.5
release1.5.4
release1.5.3
release1.5.2
release1.5.1
release1.5.0
v2.14.3
v2.13.8
v2.14.3rc1
v2.13.8rc1
v2.14.2
v2.14.2rc1
v2.14.1
v2.13.7
v2.13.7rc1
v2.14.1rc1
v2.13.6
v2.14.0
v2.14.0rc2
v2.13.6rc1
v2.14.0rc1
v2.14.0b3
v2.13.5
v2.12.10
v2.14.0b2
v2.13.5rc1
v2.12.10rc1
v2.14.0b1
v2.12.9
v2.13.4
v2.13.4rc1
v2.12.9rc1
v2.13.3
v2.12.8
v2.12.8rc1
v2.13.3rc1
v2.13.2
v2.13.2rc1
v2.12.7
v2.13.1
v2.12.7rc1
v2.13.1rc1
v2.12.6
v2.11.12
v2.12.6rc1
v2.11.12rc1
v2.13.0
v2.13.0rc1
v2.13.0b1
v2.12.5
v2.11.11
v2.12.5rc1
v2.11.11rc1
v2.13.0b0
v2.12.4
v2.11.10
v2.12.4rc1
v2.11.10rc1
v2.11.9
v2.12.3
v2.12.3rc1
v2.11.9rc1
v2.12.2
v2.11.8
v2.10.17
v2.12.2rc1
v2.11.8rc1
v2.10.17rc1
v2.12.1
v2.11.7
v2.10.16
v2.10.16rc1
v2.11.7rc1
v2.12.1rc1
v2.12.0
v2.12.0rc1
v2.12.0b2
v2.11.6
v2.10.15
v2.9.27
v2.9.27rc1
v2.10.15rc1
v2.11.6rc1
v2.12.0b1
v2.11.5
v2.10.14
v2.9.26
v2.11.5rc1
v2.10.14rc1
v2.9.26rc1
v2.11.4
v2.10.13
v2.9.25
v2.9.25rc1
v2.10.13rc1
v2.11.4rc1
v2.11.3
v2.10.12
v2.9.24
v2.11.3rc1
v2.10.12rc1
v2.9.24rc1
v2.9.23
v2.10.11
v2.11.2
v2.11.2rc1
v2.10.11rc1
v2.9.23rc1
v2.11.1
v2.10.10
v2.9.22
v2.9.22rc1
v2.10.10rc1
v2.11.1rc1
v2.10.9
v2.9.21
v2.10.9rc1
v2.9.21rc1
v2.11.0
v2.8.20
v2.9.20
v2.10.8
v2.11.0rc2
v2.8.20rc1
v2.9.20rc1
v2.10.8rc1
v2.11.0rc1
stable-2.11-branchpoint
v2.11.0b4
v2.11.0b3
v2.11.0b2
v2.10.7
v2.9.19
v2.10.7rc1
v2.9.19rc1
v2.11.0b1
v2.8.19
v2.9.18
v2.10.6
v2.8.19rc1
v2.9.18rc1
v2.10.6rc1
v2.9.17
v2.10.5
v2.10.5rc1
v2.9.17rc1
v2.8.18
v2.9.16
v2.10.4
v2.8.18rc1
v2.9.16rc1
v2.10.4rc1
v2.8.17
v2.9.15
v2.10.3
v2.8.17rc1
v2.9.15rc1
v2.10.3rc1
v2.10.2
v2.9.14
v2.8.16
v2.8.16rc1
v2.9.14rc1
v2.10.2rc1
v2.10.1
v2.10.1rc3
v2.10.1rc2
v2.8.15
v2.9.13
v2.10.0
v2.9.12
v2.8.14
v2.10.0rc4
v2.10.0rc3
v2.10.0rc2
v2.10.0rc1
v2.9.11
v2.8.13
v2.9.10
v2.10.0b1
stable-2.10-branchpoint
v2.9.9
v2.7.18
v2.8.12
v2.9.8
v2.9.7
v2.8.11
v2.7.17
pre-ansible-base
v2.8.10
v2.8.9
v2.9.6
v2.9.5
v2.9.4
v2.9.3
v2.8.8
v2.7.16
v2.9.2
v2.9.1
v2.8.7
v2.7.15
v2.9.0
v2.9.0rc5
v2.8.6
v2.7.14
v2.9.0rc4
v2.6.20
v2.9.0rc3
v2.9.0rc2
v2.9.0rc1
v2.8.5
v2.9.0b1
stable-2.9-branchpoint
v2.6.19
v2.7.13
v2.8.4
v2.8.3
v2.6.18
v2.7.12
v2.8.2
v2.8.1
v2.7.11
v2.6.17
v2.8.0
v2.8.0rc3
v2.8.0rc2
v2.8.0rc1
v2.8.0b1
v2.8.0a1
v2.6.16
v2.7.10
v2.6.15
v2.7.9
v2.7.8
v2.6.14
v2.5.15
v2.7.7
v2.6.13
v2.6.12
v2.7.6
v2.5.14
v2.7.5
v2.6.11
v2.6.10
v2.7.4
v2.5.13
v2.7.3
v2.6.9
v2.5.12
v2.6.8
v2.7.2
v2.6.7
v2.5.11
v2.7.1
v2.6.6
v2.7.0
v2.6.5
v2.7.0rc4
v2.5.10
v2.7.0rc3
v2.7.0rc2
v2.5.9
v2.6.4
v2.7.0rc1
v2.7.0b1
v2.7.0.a1
v2.6.3
v2.5.8
v2.6.2
v2.5.7
v2.6.1
v2.5.6
v2.4.6.0-1
v2.6.0
v2.6.0rc5
v2.6.0rc4
v2.4.5.0-1
v2.6.0rc3
v2.5.5
v2.4.5.0-0.1.rc1
v2.6.0rc2
v2.6.0rc1
v2.5.4
v2.6.0a2
v2.6.0a1
v2.5.3
v2.5.2
v2.5.1
v2.4.4.0-1
v2.4.4.0-0.3.rc2
v2.5.0
v2.5.0rc3
v2.5.0rc2
v2.4.4-0.2.rc1
v2.3.4.0-0.1.rc1
v2.5.0rc1
v2.4.4-0.1.beta1
v2.5.0b1
v2.5.0a1
v2.4.3.0-1
v2.4.3.0-0.6.rc3
v2.4.3.0-0.5.rc2
v2.4.3.0-0.4.rc1
v2.4.3-0.3.beta3
v2.4.3.0-0.2.beta2
v2.3.3.0-1
v2.4.3.0-0.1.beta1
v2.4.2.0-1
v2.4.2.0-0.5.rc1
v2.4.2.0-0.4.beta4
v2.3.3.0-0.3.rc3
v2.4.2.0-0.3.beta3
v2.4.2.0-0.2.beta2
v2.4.2.0-0.1.beta1
v2.4.1.0-1
v2.4.1.0-0.4.rc2
v2.3.3.0-0.2.rc2
v2.4.1.0-0.3.rc1
v2.4.1.0-0.2.beta2
v2.3.3.0-0.1.rc1
v2.4.1.0-0.1.beta1
v2.4.0.0-1
v2.4.0.0-0.5.rc5
v2.4.0.0-0.4.rc4
v2.4.0.0-0.3.rc3
v2.4.0.0-0.2.rc2
v2.4.0.0-0.1.rc1
v2.3.2.0-1
v2.3.2.0-0.5.rc5
v2.3.2.0-0.4.rc4
v2.3.2.0-0.3.rc3
v2.3.2.0-0.2.rc2
v2.3.2.0-0.1.rc1
v2.1.6.0-1
v2.3.1.0-1
v2.3.1.0-0.2.rc2
v2.2.3.0-1
v2.1.6.0-0.1.rc1
v2.3.1.0-0.1.rc1
v2.3.0.0-1
v2.3.0.0-0.6.rc6
v2.3.0.0-0.5.rc5
v2.3.0.0-0.4.rc4
v2.2.3.0-0.1.rc1
v2.3.0.0-0.3.rc3
v2.3.0.0-0.2.rc2
v2.2.2.0-1
v2.1.5.0-1
v2.3.0.0-0.1.rc1
v2.1.5.0-0.2.rc2
v2.2.2.0-0.2.rc2
v2.1.5.0-0.1.rc1
v2.2.2.0-0.1.rc1
v2.1.4.0-1
v2.2.1.0-1
v2.1.4.0-0.3.rc3
v2.2.1.0-0.5.rc5
v2.1.4.0-0.2.rc2
v2.2.1.0-0.4.rc4
v2.1.4.0-0.1.rc1
v2.2.1.0-0.3.rc3
v2.2.1.0-0.2.rc2
v2.2.1.0-0.1.rc1
v2.1.3.0-1
v2.2.0.0-1
v2.2.0.0-0.4.rc4
v2.1.3.0-0.3.rc3
v2.1.3.0-0.2.rc2
v2.2.0.0-0.3.rc3
v2.1.3.0-0.1.rc1
v2.2.0.0-0.2.rc2
v2.2.0.0-0.1.rc1
v2.1.2.0-1
v2.1.2.0-0.5.rc5
v2.1.2.0-0.4.rc4
v2.1.2.0-0.3.rc3
v2.1.2.0-0.2.rc2
v2.1.2.0-0.1.rc1
v2.1.1.0-1
v2.1.1.0-0.5.rc5
v2.1.1.0-0.4.rc4
v2.1.1.0-0.3.rc3
v2.1.1.0-0.2.rc2
v2.1.1.0-0.1.rc1
v2.1.0.0-1
v2.1.0.0-0.4.rc4
v2.1.0.0-0.2.rc2
v2.1.0.0-0.3.rc3
v2.1.0.0-0.1.rc1
v2.0.2.0-1
v1.9.6-1
v2.0.2.0-0.4.rc4
v2.0.2.0-0.3.rc3
v1.9.6-0.1.rc1
v2.0.2.0-0.2.rc2
v2.0.2.0-0.1.rc1
v1.9.5-1
v1.9.5-0.1.rc1
v2.0.1.0-1
v2.0.1.0-0.2.rc2
v2.0.1.0-0.1.rc1
v2.0.0.2-1
v2.0.0.1-1
v2.0.0.0-1
v2.0.0-0.9.rc4
v2.0.0-0.8.rc3
v2.0.0-0.7.rc2
v2.0.0-0.6.rc1
v2.0.0-0.5.beta3
v2.0.0-0.4.beta2
v1.9.4-1
v2.0.0-0.3.beta1
v1.9.4-0.3.rc3
v1.9.4-0.2.rc2
v1.9.4-0.1.rc1
v2.0.0-0.2.alpha2
v1.9.3-1
v2.0.0-0.1.alpha1
v1.9.3-0.3.rc3
v1.9.3-0.2.rc2
v1.9.3-0.1.rc1
v1.9.2-1
v1.9.2-0.2.rc2
v1_last
v1.9.2-0.1.rc1
v1.9.1-1
v1.9.1-0.4.rc4
v1.9.1-0.3.rc3
v1.9.1-0.2.rc2
v1.9.1-0.1.rc1
v1.9.0.1-1
v1.9.0-2
v1.9.0-1
v1.9.0-0.2.rc2
v1.9.0-0.1.rc1
v1.8.4
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.7.2
v1.7.1
v1.7.0
v1.6.10
v1.6.9
v1.6.8
v1.6.7
v1.6.6
v1.6.5
v1.6.4
v1.6.3
v1.6.2
v1.6.1
v1.6.0
v1.5.5
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.5
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.3.4
v1.3.3
v1.3.2
v1.3.1
v1.3.0
v1.2.3
v1.2.2
v1.2.1
v1.2
v1.1
v1.0
0.8
0.7.2
0.7
0.6
0.5
0.4.1
0.4
0.3.1
0.3
0.01
0.0.1
0.0.2
0.7.1
v0.9
v2.13.10
v2.13.10rc1
v2.13.11
v2.13.11rc1
v2.13.12
v2.13.12rc1
v2.13.13
v2.13.13rc1
v2.13.9
v2.13.9rc1
v2.14.10
v2.14.10rc1
v2.14.11
v2.14.11rc1
v2.14.12
v2.14.12rc1
v2.14.13
v2.14.14
v2.14.14rc1
v2.14.15
v2.14.15rc1
v2.14.16
v2.14.16rc1
v2.14.17
v2.14.17rc1
v2.14.4
v2.14.4rc1
v2.14.5
v2.14.5rc1
v2.14.6
v2.14.6rc1
v2.14.7
v2.14.7rc1
v2.14.8
v2.14.8rc1
v2.14.9
v2.14.9rc1
v2.15.0
v2.15.0b1
v2.15.0b2
v2.15.0b3
v2.15.0rc1
v2.15.0rc2
v2.15.1
v2.15.10
v2.15.10rc1
v2.15.11
v2.15.11rc1
v2.15.12
v2.15.12rc1
v2.15.1rc1
v2.15.2
v2.15.2rc1
v2.15.3
v2.15.3rc1
v2.15.4
v2.15.4rc1
v2.15.5
v2.15.5rc1
v2.15.6
v2.15.6rc1
v2.15.7
v2.15.7rc1
v2.15.8
v2.15.9
v2.15.9rc1
v2.16.0
v2.16.0b1
v2.16.0b2
v2.16.0rc1
v2.16.1
v2.16.1rc1
v2.16.2
v2.16.3
v2.16.3rc1
v2.16.4
v2.16.4rc1
v2.16.5
v2.16.5rc1
v2.16.6
v2.16.7
v2.16.7rc1
v2.17.0
v2.17.0b1
v2.17.0rc1
v2.17.0rc2
v2.5.0b2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '424e1946f4'
${ noResults }
ansible/lib/ansible/cli/vault.py

357 lines
14 KiB
Python
Raw Normal View History Unescape Escape

1st draft port to v2
9 years ago
# (c) 2014, James Tanner <tanner.jc@gmail.com>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
#
# ansible-vault is a script that encrypts/decrypts YAML files. See
# http://docs.ansible.com/playbooks_vault.html for more details.
Add python3-compat boilerplate to all .py files in lib/ansible
9 years ago
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
1st draft port to v2
9 years ago
import os
import sys
most of galaxy is working, install still needs work normalized return codes in bin refactored galaxy classes a bit, ignoring 'compatct' role spec
9 years ago
from ansible.errors import AnsibleError, AnsibleOptionsError
Break apart a looped dependency to show a warning when parsing playbooks Display a warning when a dict key is overwritten by pyyaml Fixes #12888
9 years ago
from ansible.parsing.dataloader import DataLoader
changed vaulteditor import to new path, now vault seems to work
9 years ago
from ansible.parsing.vault import VaultEditor
one cli to bind them all
9 years ago
from ansible.cli import CLI
Vault encrypt string cli (#21024) * Add a vault 'encrypt_string' command. The command will encrypt the string on the command line and print out the yaml block that can be included in a playbook. To be prompted for a string to encrypt: ansible-vault encrypt_string --prompt To specify a string on the command line: ansible-vault encrypt_string "some string to encrypt" To read a string from stdin to encrypt: echo "the plaintext to encrypt" | ansible-vault encrypt_string If a --name or --stdin-name is provided, the output will include that name in yaml key value format: $ ansible-vault encrypt_string "42" --name "the_answer" the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 <vault cipher text here> plaintext provided via prompt, cli, and/or stdin can be mixed: $ ansible-vault encrypt_string "42" --name "the_answer" --prompt Vault password: Variable name (enter for no name): some_variable String to encrypt: microfiber # The encrypted version of variable ("some_variable", the string #1 from the interactive prompt). some_variable: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> # The encrypted version of variable ("the_answer", the string #2 from the command line args). the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> Encryption successful * add stdin and prompting to vault 'encrypt_string' * add a --name to encrypt_string to optional specify a var name * prompt for a var name to use with --prompt * add a --stdin-name for the var name for value read from stdin
7 years ago
from ansible.module_utils._text import to_text, to_bytes
1st draft port to v2
9 years ago
Migrate cli and dependencies to use global display
9 years ago
try:
from __main__ import display
except ImportError:
from ansible.utils.display import Display
display = Display()
there will be only one cli
9 years ago
class VaultCLI(CLI):
refactored most binaries added AnsibleOptionsError removed pulicate parser error class
9 years ago
""" Vault command line class """
1st draft port to v2
9 years ago
Vault encrypt string cli (#21024) * Add a vault 'encrypt_string' command. The command will encrypt the string on the command line and print out the yaml block that can be included in a playbook. To be prompted for a string to encrypt: ansible-vault encrypt_string --prompt To specify a string on the command line: ansible-vault encrypt_string "some string to encrypt" To read a string from stdin to encrypt: echo "the plaintext to encrypt" | ansible-vault encrypt_string If a --name or --stdin-name is provided, the output will include that name in yaml key value format: $ ansible-vault encrypt_string "42" --name "the_answer" the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 <vault cipher text here> plaintext provided via prompt, cli, and/or stdin can be mixed: $ ansible-vault encrypt_string "42" --name "the_answer" --prompt Vault password: Variable name (enter for no name): some_variable String to encrypt: microfiber # The encrypted version of variable ("some_variable", the string #1 from the interactive prompt). some_variable: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> # The encrypted version of variable ("the_answer", the string #2 from the command line args). the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> Encryption successful * add stdin and prompting to vault 'encrypt_string' * add a --name to encrypt_string to optional specify a var name * prompt for a var name to use with --prompt * add a --stdin-name for the var name for value read from stdin
7 years ago
VALID_ACTIONS = ("create", "decrypt", "edit", "encrypt", "encrypt_string", "rekey", "view")
FROM_STDIN = "stdin"
FROM_ARGS = "the command line args"
FROM_PROMPT = "the interactive prompt"
1st draft port to v2
9 years ago
Migrate cli and dependencies to use global display
9 years ago
def __init__(self, args):
1st draft port to v2
9 years ago
Retain vault password as bytes in 2.2 (#22378) * Retain vault password as bytes in 2.2 Prior to 2.2.1, the vault password was read in as byes and then remained bytes all the way through the code. A bug existed where bytes and text were mixed, leading to a traceback with non-ascii passwords. In devel, this was fixed by changing the read in password to text type to match with our overall strategy of converting at the borders. This was backported to stable-2.2 for the 2.2.1 release. On reflection, this should not have been backported as it causes passwords which were originally non-utf-8 to become utf-8. People will then have their working 2.2.x vault files become in-accessible. this commit pipes bytes all the way through the system for vault password. That way if a password is read in as a non-utf-8 character sequence, it will continue to work in 2.2.2+. This change is only for the 2.2 branch, not for 2.3 and beyond. Why not everywhere? The reason is that non-utf-8 passwords will cause problems when vault files are shared between systems or users. If the password is read from the prompt and one user/machine has a latin1 encoded locale while a second one has utf-8, the non-ascii password typed in won't match between machines. Deal with this by making sure that when we encrypt the data, we always use valid utf-8. Fixes #20398 (cherry picked from commit 5dcce0666a81917c68b76286685642fd72d84327)
7 years ago
self.b_vault_pass = None
self.b_new_vault_pass = None
Vault encrypt string cli (#21024) * Add a vault 'encrypt_string' command. The command will encrypt the string on the command line and print out the yaml block that can be included in a playbook. To be prompted for a string to encrypt: ansible-vault encrypt_string --prompt To specify a string on the command line: ansible-vault encrypt_string "some string to encrypt" To read a string from stdin to encrypt: echo "the plaintext to encrypt" | ansible-vault encrypt_string If a --name or --stdin-name is provided, the output will include that name in yaml key value format: $ ansible-vault encrypt_string "42" --name "the_answer" the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 <vault cipher text here> plaintext provided via prompt, cli, and/or stdin can be mixed: $ ansible-vault encrypt_string "42" --name "the_answer" --prompt Vault password: Variable name (enter for no name): some_variable String to encrypt: microfiber # The encrypted version of variable ("some_variable", the string #1 from the interactive prompt). some_variable: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> # The encrypted version of variable ("the_answer", the string #2 from the command line args). the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> Encryption successful * add stdin and prompting to vault 'encrypt_string' * add a --name to encrypt_string to optional specify a var name * prompt for a var name to use with --prompt * add a --stdin-name for the var name for value read from stdin
7 years ago
self.encrypt_string_read_stdin = False
Migrate cli and dependencies to use global display
9 years ago
super(VaultCLI, self).__init__(args)
1st draft port to v2
9 years ago
def parse(self):
refactored most binaries added AnsibleOptionsError removed pulicate parser error class
9 years ago
self.parser = CLI.base_parser(
one cli to bind them all
9 years ago
vault_opts=True,
draft to generate man pages
7 years ago
usage = "usage: %%prog [%s] [options] [vaultfile.yml]" % "|".join(self.VALID_ACTIONS),
desc = "encryption/decryption utility for Ansbile data files",
one cli to bind them all
9 years ago
epilog = "\nSee '%s <command> --help' for more information on a specific command.\n\n" % os.path.basename(sys.argv[0])
1st draft port to v2
9 years ago
)
refactored most binaries added AnsibleOptionsError removed pulicate parser error class
9 years ago
self.set_action()
# options specific to self.actions
if self.action == "create":
self.parser.set_usage("usage: %prog create [options] file_name")
elif self.action == "decrypt":
self.parser.set_usage("usage: %prog decrypt [options] file_name")
elif self.action == "edit":
self.parser.set_usage("usage: %prog edit [options] file_name")
elif self.action == "view":
self.parser.set_usage("usage: %prog view [options] file_name")
elif self.action == "encrypt":
self.parser.set_usage("usage: %prog encrypt [options] file_name")
Vault encrypt string cli (#21024) * Add a vault 'encrypt_string' command. The command will encrypt the string on the command line and print out the yaml block that can be included in a playbook. To be prompted for a string to encrypt: ansible-vault encrypt_string --prompt To specify a string on the command line: ansible-vault encrypt_string "some string to encrypt" To read a string from stdin to encrypt: echo "the plaintext to encrypt" | ansible-vault encrypt_string If a --name or --stdin-name is provided, the output will include that name in yaml key value format: $ ansible-vault encrypt_string "42" --name "the_answer" the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 <vault cipher text here> plaintext provided via prompt, cli, and/or stdin can be mixed: $ ansible-vault encrypt_string "42" --name "the_answer" --prompt Vault password: Variable name (enter for no name): some_variable String to encrypt: microfiber # The encrypted version of variable ("some_variable", the string #1 from the interactive prompt). some_variable: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> # The encrypted version of variable ("the_answer", the string #2 from the command line args). the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> Encryption successful * add stdin and prompting to vault 'encrypt_string' * add a --name to encrypt_string to optional specify a var name * prompt for a var name to use with --prompt * add a --stdin-name for the var name for value read from stdin
7 years ago
# I have no prefence for either dash or underscore
elif self.action == "encrypt_string":
self.parser.add_option('-p', '--prompt', dest='encrypt_string_prompt',
action='store_true',
help="Prompt for the string to encrypt")
self.parser.add_option('-n', '--name', dest='encrypt_string_names',
action='append',
help="Specify the variable name")
self.parser.add_option('--stdin-name', dest='encrypt_string_stdin_name',
default=None,
help="Specify the variable name for stdin")
self.parser.set_usage("usage: %prog encrypt-string [--prompt] [options] string_to_encrypt")
fixed missing self in self.action on rekey in vault fixes #11584
9 years ago
elif self.action == "rekey":
refactored most binaries added AnsibleOptionsError removed pulicate parser error class
9 years ago
self.parser.set_usage("usage: %prog rekey [options] file_name")
1st draft port to v2
9 years ago
Refactor parsing of CLI args so that we can modify them in the base class Implement tag and skip_tag handling in the CLI() class. Change tag and skip_tag command line options to be accepted multiple times on the CLI and add them together rather than overwrite. * Make it configurable whether to merge or overwrite multiple --tags arguments * Make the base CLI class an abstractbaseclass so we can implement functionality in parse() but still make subclasses implement it. * Deprecate the overwrite feature of --tags with a message that the default will change in 2.4 and go away in 2.5. * Add documentation for merge_multiple_cli_flags * Fix galaxy search so its tags argument does not conflict with generic tags * Unit tests and more integration tests for tags
8 years ago
super(VaultCLI, self).parse()
Migrate cli and dependencies to use global display
9 years ago
display.verbosity = self.options.verbosity
1st draft port to v2
9 years ago
Vault encrypt string cli (#21024) * Add a vault 'encrypt_string' command. The command will encrypt the string on the command line and print out the yaml block that can be included in a playbook. To be prompted for a string to encrypt: ansible-vault encrypt_string --prompt To specify a string on the command line: ansible-vault encrypt_string "some string to encrypt" To read a string from stdin to encrypt: echo "the plaintext to encrypt" | ansible-vault encrypt_string If a --name or --stdin-name is provided, the output will include that name in yaml key value format: $ ansible-vault encrypt_string "42" --name "the_answer" the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 <vault cipher text here> plaintext provided via prompt, cli, and/or stdin can be mixed: $ ansible-vault encrypt_string "42" --name "the_answer" --prompt Vault password: Variable name (enter for no name): some_variable String to encrypt: microfiber # The encrypted version of variable ("some_variable", the string #1 from the interactive prompt). some_variable: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> # The encrypted version of variable ("the_answer", the string #2 from the command line args). the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> Encryption successful * add stdin and prompting to vault 'encrypt_string' * add a --name to encrypt_string to optional specify a var name * prompt for a var name to use with --prompt * add a --stdin-name for the var name for value read from stdin
7 years ago
can_output = ['encrypt', 'decrypt', 'encrypt_string']
Also support output to stdout with no arguments This allows "cat plaintext|ansible-vault encrypt > ciphertext".
9 years ago
if self.action not in can_output:
if self.options.output_file:
raise AnsibleOptionsError("The --output option can be used only with ansible-vault %s" % '/'.join(can_output))
if len(self.args) == 0:
raise AnsibleOptionsError("Vault requires at least one filename as a parameter")
else:
Implement cat-like filtering behaviour for encrypt/decrypt This allows the following invocations: # Interactive use, like gpg ansible-vault encrypt --output x # Non-interactive, for scripting echo plaintext|ansible-vault encrypt --output x # Separate input and output files ansible-vault encrypt input.yml --output output.yml # Existing usage (in-place encryption) unchanged ansible-vault encrypt inout.yml …and the analogous cases for ansible-vault decrypt as well. In all cases, the input and output files can be '-' to read from stdin or write to stdout. This permits sensitive data to be encrypted and decrypted without ever hitting disk.
9 years ago
# This restriction should remain in place until it's possible to
# load multiple YAML records from a single file, or it's too easy
# to create an encrypted file that can't be read back in. But in
# the meanwhile, "cat a b c|ansible-vault encrypt --output x" is
# a workaround.
Also support output to stdout with no arguments This allows "cat plaintext|ansible-vault encrypt > ciphertext".
9 years ago
if self.options.output_file and len(self.args) > 1:
Implement cat-like filtering behaviour for encrypt/decrypt This allows the following invocations: # Interactive use, like gpg ansible-vault encrypt --output x # Non-interactive, for scripting echo plaintext|ansible-vault encrypt --output x # Separate input and output files ansible-vault encrypt input.yml --output output.yml # Existing usage (in-place encryption) unchanged ansible-vault encrypt inout.yml …and the analogous cases for ansible-vault decrypt as well. In all cases, the input and output files can be '-' to read from stdin or write to stdout. This permits sensitive data to be encrypted and decrypted without ever hitting disk.
9 years ago
raise AnsibleOptionsError("At most one input file may be used with the --output option")
Fix vault cli errors on 'encrypt_string_read_stdin' (#21675) 'encrypt_string' only options were being referenced when using other vault subcommands. That code is moved inside a check for 'encrypt_string' action now.
7 years ago
if self.action == 'encrypt_string':
if '-' in self.args or len(self.args) == 0 or self.options.encrypt_string_stdin_name:
self.encrypt_string_read_stdin = True
# TODO: prompting from stdin and reading from stdin seem
# mutually exclusive, but verify that.
if self.options.encrypt_string_prompt and self.encrypt_string_read_stdin:
raise AnsibleOptionsError('The --prompt option is not supported if also reading input from stdin')
Vault encrypt string cli (#21024) * Add a vault 'encrypt_string' command. The command will encrypt the string on the command line and print out the yaml block that can be included in a playbook. To be prompted for a string to encrypt: ansible-vault encrypt_string --prompt To specify a string on the command line: ansible-vault encrypt_string "some string to encrypt" To read a string from stdin to encrypt: echo "the plaintext to encrypt" | ansible-vault encrypt_string If a --name or --stdin-name is provided, the output will include that name in yaml key value format: $ ansible-vault encrypt_string "42" --name "the_answer" the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 <vault cipher text here> plaintext provided via prompt, cli, and/or stdin can be mixed: $ ansible-vault encrypt_string "42" --name "the_answer" --prompt Vault password: Variable name (enter for no name): some_variable String to encrypt: microfiber # The encrypted version of variable ("some_variable", the string #1 from the interactive prompt). some_variable: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> # The encrypted version of variable ("the_answer", the string #2 from the command line args). the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> Encryption successful * add stdin and prompting to vault 'encrypt_string' * add a --name to encrypt_string to optional specify a var name * prompt for a var name to use with --prompt * add a --stdin-name for the var name for value read from stdin
7 years ago
refactored most binaries added AnsibleOptionsError removed pulicate parser error class
9 years ago
def run(self):
1st draft port to v2
9 years ago
now verbose mode shows config file used
9 years ago
super(VaultCLI, self).run()
Vault missing DataLoader for pwd file #12293
9 years ago
loader = DataLoader()
now verbose mode shows config file used
9 years ago
vault noe preserves permissions on edit and rekey and sets a restricitve default umask for all other cases
9 years ago
# set default restrictive umask
old_umask = os.umask(0o077)
refactored most binaries added AnsibleOptionsError removed pulicate parser error class
9 years ago
if self.options.vault_password_file:
# read vault_pass from a file
Retain vault password as bytes in 2.2 (#22378) * Retain vault password as bytes in 2.2 Prior to 2.2.1, the vault password was read in as byes and then remained bytes all the way through the code. A bug existed where bytes and text were mixed, leading to a traceback with non-ascii passwords. In devel, this was fixed by changing the read in password to text type to match with our overall strategy of converting at the borders. This was backported to stable-2.2 for the 2.2.1 release. On reflection, this should not have been backported as it causes passwords which were originally non-utf-8 to become utf-8. People will then have their working 2.2.x vault files become in-accessible. this commit pipes bytes all the way through the system for vault password. That way if a password is read in as a non-utf-8 character sequence, it will continue to work in 2.2.2+. This change is only for the 2.2 branch, not for 2.3 and beyond. Why not everywhere? The reason is that non-utf-8 passwords will cause problems when vault files are shared between systems or users. If the password is read from the prompt and one user/machine has a latin1 encoded locale while a second one has utf-8, the non-ascii password typed in won't match between machines. Deal with this by making sure that when we encrypt the data, we always use valid utf-8. Fixes #20398 (cherry picked from commit 5dcce0666a81917c68b76286685642fd72d84327)
7 years ago
self.b_vault_pass = CLI.read_vault_password_file(self.options.vault_password_file, loader)
1st draft port to v2
9 years ago
add option to ansible-vault to read new password from file for rekey The --new-vault-password-file option works the same as --vault-password-file but applies only to rekeying (when --vault-password-file sets the old password). Also update the manpage to document these options more fully.
9 years ago
if self.options.new_vault_password_file:
# for rekey only
Retain vault password as bytes in 2.2 (#22378) * Retain vault password as bytes in 2.2 Prior to 2.2.1, the vault password was read in as byes and then remained bytes all the way through the code. A bug existed where bytes and text were mixed, leading to a traceback with non-ascii passwords. In devel, this was fixed by changing the read in password to text type to match with our overall strategy of converting at the borders. This was backported to stable-2.2 for the 2.2.1 release. On reflection, this should not have been backported as it causes passwords which were originally non-utf-8 to become utf-8. People will then have their working 2.2.x vault files become in-accessible. this commit pipes bytes all the way through the system for vault password. That way if a password is read in as a non-utf-8 character sequence, it will continue to work in 2.2.2+. This change is only for the 2.2 branch, not for 2.3 and beyond. Why not everywhere? The reason is that non-utf-8 passwords will cause problems when vault files are shared between systems or users. If the password is read from the prompt and one user/machine has a latin1 encoded locale while a second one has utf-8, the non-ascii password typed in won't match between machines. Deal with this by making sure that when we encrypt the data, we always use valid utf-8. Fixes #20398 (cherry picked from commit 5dcce0666a81917c68b76286685642fd72d84327)
7 years ago
self.b_new_vault_pass = CLI.read_vault_password_file(self.options.new_vault_password_file, loader)
add option to ansible-vault to read new password from file for rekey The --new-vault-password-file option works the same as --vault-password-file but applies only to rekeying (when --vault-password-file sets the old password). Also update the manpage to document these options more fully.
9 years ago
Retain vault password as bytes in 2.2 (#22378) * Retain vault password as bytes in 2.2 Prior to 2.2.1, the vault password was read in as byes and then remained bytes all the way through the code. A bug existed where bytes and text were mixed, leading to a traceback with non-ascii passwords. In devel, this was fixed by changing the read in password to text type to match with our overall strategy of converting at the borders. This was backported to stable-2.2 for the 2.2.1 release. On reflection, this should not have been backported as it causes passwords which were originally non-utf-8 to become utf-8. People will then have their working 2.2.x vault files become in-accessible. this commit pipes bytes all the way through the system for vault password. That way if a password is read in as a non-utf-8 character sequence, it will continue to work in 2.2.2+. This change is only for the 2.2 branch, not for 2.3 and beyond. Why not everywhere? The reason is that non-utf-8 passwords will cause problems when vault files are shared between systems or users. If the password is read from the prompt and one user/machine has a latin1 encoded locale while a second one has utf-8, the non-ascii password typed in won't match between machines. Deal with this by making sure that when we encrypt the data, we always use valid utf-8. Fixes #20398 (cherry picked from commit 5dcce0666a81917c68b76286685642fd72d84327)
7 years ago
if not self.b_vault_pass or self.options.ask_vault_pass:
Make vault encrypt/create/etc confirm pass again. Make the 'write' modes of vault confirm a new password before using, again. This was unintentionally disabled in 309f54b709d489114841530663642b7f3ad262ec previously. Fixes #22438
7 years ago
# the 'read' options dont need to ask for password confirmation.
# 'edit' is read/write, but the decrypt will confirm.
if self.action in ['decrypt', 'edit', 'view', 'rekey']:
self.b_vault_pass = self.ask_vault_passwords()
else:
self.b_vault_pass = self.ask_new_vault_passwords()
Fix 'vault rekey' with vault secret env var if ANSIBLE_VAULT_PASSWORD_FILE is set, 'ansible-vault rekey myvault.yml' will fail to prompt for the new vault password file, and will use None. Fix is to split out 'ask_vault_passwords' into 'ask_vault_passwords' and 'ask_new_vault_passwords' to make the logic simpler. And then make sure new_vault_pass is always set for 'rekey', and if not, then call ask_new_vault_passwords() to set it. ask_vault_passwords() would return values for vault_pass and new vault_pass, and vault cli previously would not prompt for new_vault_pass if there was a vault_pass set via a vault password file. Fixes #18247
8 years ago
Retain vault password as bytes in 2.2 (#22378) * Retain vault password as bytes in 2.2 Prior to 2.2.1, the vault password was read in as byes and then remained bytes all the way through the code. A bug existed where bytes and text were mixed, leading to a traceback with non-ascii passwords. In devel, this was fixed by changing the read in password to text type to match with our overall strategy of converting at the borders. This was backported to stable-2.2 for the 2.2.1 release. On reflection, this should not have been backported as it causes passwords which were originally non-utf-8 to become utf-8. People will then have their working 2.2.x vault files become in-accessible. this commit pipes bytes all the way through the system for vault password. That way if a password is read in as a non-utf-8 character sequence, it will continue to work in 2.2.2+. This change is only for the 2.2 branch, not for 2.3 and beyond. Why not everywhere? The reason is that non-utf-8 passwords will cause problems when vault files are shared between systems or users. If the password is read from the prompt and one user/machine has a latin1 encoded locale while a second one has utf-8, the non-ascii password typed in won't match between machines. Deal with this by making sure that when we encrypt the data, we always use valid utf-8. Fixes #20398 (cherry picked from commit 5dcce0666a81917c68b76286685642fd72d84327)
7 years ago
if not self.b_vault_pass:
now validate that we do get a vault password
9 years ago
raise AnsibleOptionsError("A password is required to use Ansible's Vault")
Fix 'vault rekey' with vault secret env var if ANSIBLE_VAULT_PASSWORD_FILE is set, 'ansible-vault rekey myvault.yml' will fail to prompt for the new vault password file, and will use None. Fix is to split out 'ask_vault_passwords' into 'ask_vault_passwords' and 'ask_new_vault_passwords' to make the logic simpler. And then make sure new_vault_pass is always set for 'rekey', and if not, then call ask_new_vault_passwords() to set it. ask_vault_passwords() would return values for vault_pass and new vault_pass, and vault cli previously would not prompt for new_vault_pass if there was a vault_pass set via a vault password file. Fixes #18247
8 years ago
if self.action == 'rekey':
Retain vault password as bytes in 2.2 (#22378) * Retain vault password as bytes in 2.2 Prior to 2.2.1, the vault password was read in as byes and then remained bytes all the way through the code. A bug existed where bytes and text were mixed, leading to a traceback with non-ascii passwords. In devel, this was fixed by changing the read in password to text type to match with our overall strategy of converting at the borders. This was backported to stable-2.2 for the 2.2.1 release. On reflection, this should not have been backported as it causes passwords which were originally non-utf-8 to become utf-8. People will then have their working 2.2.x vault files become in-accessible. this commit pipes bytes all the way through the system for vault password. That way if a password is read in as a non-utf-8 character sequence, it will continue to work in 2.2.2+. This change is only for the 2.2 branch, not for 2.3 and beyond. Why not everywhere? The reason is that non-utf-8 passwords will cause problems when vault files are shared between systems or users. If the password is read from the prompt and one user/machine has a latin1 encoded locale while a second one has utf-8, the non-ascii password typed in won't match between machines. Deal with this by making sure that when we encrypt the data, we always use valid utf-8. Fixes #20398 (cherry picked from commit 5dcce0666a81917c68b76286685642fd72d84327)
7 years ago
if not self.b_new_vault_pass:
self.b_new_vault_pass = self.ask_new_vault_passwords()
if not self.b_new_vault_pass:
Fix 'vault rekey' with vault secret env var if ANSIBLE_VAULT_PASSWORD_FILE is set, 'ansible-vault rekey myvault.yml' will fail to prompt for the new vault password file, and will use None. Fix is to split out 'ask_vault_passwords' into 'ask_vault_passwords' and 'ask_new_vault_passwords' to make the logic simpler. And then make sure new_vault_pass is always set for 'rekey', and if not, then call ask_new_vault_passwords() to set it. ask_vault_passwords() would return values for vault_pass and new vault_pass, and vault cli previously would not prompt for new_vault_pass if there was a vault_pass set via a vault password file. Fixes #18247
8 years ago
raise AnsibleOptionsError("A password is required to rekey Ansible's Vault")
Vault encrypt string cli (#21024) * Add a vault 'encrypt_string' command. The command will encrypt the string on the command line and print out the yaml block that can be included in a playbook. To be prompted for a string to encrypt: ansible-vault encrypt_string --prompt To specify a string on the command line: ansible-vault encrypt_string "some string to encrypt" To read a string from stdin to encrypt: echo "the plaintext to encrypt" | ansible-vault encrypt_string If a --name or --stdin-name is provided, the output will include that name in yaml key value format: $ ansible-vault encrypt_string "42" --name "the_answer" the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 <vault cipher text here> plaintext provided via prompt, cli, and/or stdin can be mixed: $ ansible-vault encrypt_string "42" --name "the_answer" --prompt Vault password: Variable name (enter for no name): some_variable String to encrypt: microfiber # The encrypted version of variable ("some_variable", the string #1 from the interactive prompt). some_variable: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> # The encrypted version of variable ("the_answer", the string #2 from the command line args). the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> Encryption successful * add stdin and prompting to vault 'encrypt_string' * add a --name to encrypt_string to optional specify a var name * prompt for a var name to use with --prompt * add a --stdin-name for the var name for value read from stdin
7 years ago
if self.action == 'encrypt_string':
if self.options.encrypt_string_prompt:
self.encrypt_string_prompt = True
Retain vault password as bytes in 2.2 (#22378) * Retain vault password as bytes in 2.2 Prior to 2.2.1, the vault password was read in as byes and then remained bytes all the way through the code. A bug existed where bytes and text were mixed, leading to a traceback with non-ascii passwords. In devel, this was fixed by changing the read in password to text type to match with our overall strategy of converting at the borders. This was backported to stable-2.2 for the 2.2.1 release. On reflection, this should not have been backported as it causes passwords which were originally non-utf-8 to become utf-8. People will then have their working 2.2.x vault files become in-accessible. this commit pipes bytes all the way through the system for vault password. That way if a password is read in as a non-utf-8 character sequence, it will continue to work in 2.2.2+. This change is only for the 2.2 branch, not for 2.3 and beyond. Why not everywhere? The reason is that non-utf-8 passwords will cause problems when vault files are shared between systems or users. If the password is read from the prompt and one user/machine has a latin1 encoded locale while a second one has utf-8, the non-ascii password typed in won't match between machines. Deal with this by making sure that when we encrypt the data, we always use valid utf-8. Fixes #20398 (cherry picked from commit 5dcce0666a81917c68b76286685642fd72d84327)
7 years ago
self.editor = VaultEditor(self.b_vault_pass)
Pass the filename to the individual VaultEditor methods, not __init__ Now we don't have to recreate VaultEditor objects for each file, and so on. It also paves the way towards specifying separate input and output files later.
9 years ago
refactored most binaries added AnsibleOptionsError removed pulicate parser error class
9 years ago
self.execute()
1st draft port to v2
9 years ago
vault noe preserves permissions on edit and rekey and sets a restricitve default umask for all other cases
9 years ago
# and restore umask
os.umask(old_umask)
Implement cat-like filtering behaviour for encrypt/decrypt This allows the following invocations: # Interactive use, like gpg ansible-vault encrypt --output x # Non-interactive, for scripting echo plaintext|ansible-vault encrypt --output x # Separate input and output files ansible-vault encrypt input.yml --output output.yml # Existing usage (in-place encryption) unchanged ansible-vault encrypt inout.yml …and the analogous cases for ansible-vault decrypt as well. In all cases, the input and output files can be '-' to read from stdin or write to stdout. This permits sensitive data to be encrypted and decrypted without ever hitting disk.
9 years ago
def execute_encrypt(self):
1st draft port to v2
9 years ago
More helpful prompts from ansible-vault encrypt/decrypt Now we issue a "Reading … from stdin" prompt if our input isatty(), as gpg does. We also suppress the "x successful" confirmation message at the end if we're part of a pipeline. (The latter requires that we not close sys.stdout in VaultEditor, and for symmetry we do the same for sys.stdin, though it doesn't matter in that case.)
9 years ago
if len(self.args) == 0 and sys.stdin.isatty():
Migrate cli and dependencies to use global display
9 years ago
display.display("Reading plaintext input from stdin", stderr=True)
More helpful prompts from ansible-vault encrypt/decrypt Now we issue a "Reading … from stdin" prompt if our input isatty(), as gpg does. We also suppress the "x successful" confirmation message at the end if we're part of a pipeline. (The latter requires that we not close sys.stdout in VaultEditor, and for symmetry we do the same for sys.stdin, though it doesn't matter in that case.)
9 years ago
Implement cat-like filtering behaviour for encrypt/decrypt This allows the following invocations: # Interactive use, like gpg ansible-vault encrypt --output x # Non-interactive, for scripting echo plaintext|ansible-vault encrypt --output x # Separate input and output files ansible-vault encrypt input.yml --output output.yml # Existing usage (in-place encryption) unchanged ansible-vault encrypt inout.yml …and the analogous cases for ansible-vault decrypt as well. In all cases, the input and output files can be '-' to read from stdin or write to stdout. This permits sensitive data to be encrypted and decrypted without ever hitting disk.
9 years ago
for f in self.args or ['-']:
self.editor.encrypt_file(f, output_file=self.options.output_file)
Don't insist on ansible-vault taking only one filename parameter Apart from ansible-vault create, every vault subcommand is happy to deal with multiple filenames, so we can check that there's at least one, and make create check separately that there aren't any extra.
9 years ago
More helpful prompts from ansible-vault encrypt/decrypt Now we issue a "Reading … from stdin" prompt if our input isatty(), as gpg does. We also suppress the "x successful" confirmation message at the end if we're part of a pipeline. (The latter requires that we not close sys.stdout in VaultEditor, and for symmetry we do the same for sys.stdin, though it doesn't matter in that case.)
9 years ago
if sys.stdout.isatty():
Migrate cli and dependencies to use global display
9 years ago
display.display("Encryption successful", stderr=True)
1st draft port to v2
9 years ago
Vault encrypt string cli (#21024) * Add a vault 'encrypt_string' command. The command will encrypt the string on the command line and print out the yaml block that can be included in a playbook. To be prompted for a string to encrypt: ansible-vault encrypt_string --prompt To specify a string on the command line: ansible-vault encrypt_string "some string to encrypt" To read a string from stdin to encrypt: echo "the plaintext to encrypt" | ansible-vault encrypt_string If a --name or --stdin-name is provided, the output will include that name in yaml key value format: $ ansible-vault encrypt_string "42" --name "the_answer" the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 <vault cipher text here> plaintext provided via prompt, cli, and/or stdin can be mixed: $ ansible-vault encrypt_string "42" --name "the_answer" --prompt Vault password: Variable name (enter for no name): some_variable String to encrypt: microfiber # The encrypted version of variable ("some_variable", the string #1 from the interactive prompt). some_variable: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> # The encrypted version of variable ("the_answer", the string #2 from the command line args). the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> Encryption successful * add stdin and prompting to vault 'encrypt_string' * add a --name to encrypt_string to optional specify a var name * prompt for a var name to use with --prompt * add a --stdin-name for the var name for value read from stdin
7 years ago
def format_ciphertext_yaml(self, b_ciphertext, indent=None, name=None):
indent = indent or 10
block_format_var_name = ""
if name:
block_format_var_name = "%s: " % name
respond with correct vaulting suggestion fixes #22247
7 years ago
block_format_header = "%s!vault |" % block_format_var_name
Vault encrypt string cli (#21024) * Add a vault 'encrypt_string' command. The command will encrypt the string on the command line and print out the yaml block that can be included in a playbook. To be prompted for a string to encrypt: ansible-vault encrypt_string --prompt To specify a string on the command line: ansible-vault encrypt_string "some string to encrypt" To read a string from stdin to encrypt: echo "the plaintext to encrypt" | ansible-vault encrypt_string If a --name or --stdin-name is provided, the output will include that name in yaml key value format: $ ansible-vault encrypt_string "42" --name "the_answer" the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 <vault cipher text here> plaintext provided via prompt, cli, and/or stdin can be mixed: $ ansible-vault encrypt_string "42" --name "the_answer" --prompt Vault password: Variable name (enter for no name): some_variable String to encrypt: microfiber # The encrypted version of variable ("some_variable", the string #1 from the interactive prompt). some_variable: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> # The encrypted version of variable ("the_answer", the string #2 from the command line args). the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> Encryption successful * add stdin and prompting to vault 'encrypt_string' * add a --name to encrypt_string to optional specify a var name * prompt for a var name to use with --prompt * add a --stdin-name for the var name for value read from stdin
7 years ago
lines = []
vault_ciphertext = to_text(b_ciphertext)
lines.append(block_format_header)
for line in vault_ciphertext.splitlines():
lines.append('%s%s' % (' ' * indent, line))
yaml_ciphertext = '\n'.join(lines)
return yaml_ciphertext
def execute_encrypt_string(self):
b_plaintext = None
# Holds tuples (the_text, the_source_of_the_string, the variable name if its provided).
b_plaintext_list = []
# remove the non-option '-' arg (used to indicate 'read from stdin') from the candidate args so
# we dont add it to the plaintext list
args = [x for x in self.args if x != '-']
# We can prompt and read input, or read from stdin, but not both.
if self.options.encrypt_string_prompt:
msg = "String to encrypt: "
name = None
name_prompt_response = display.prompt('Variable name (enter for no name): ')
# TODO: enforce var naming rules?
if name_prompt_response != "":
name = name_prompt_response
# could use private=True for shadowed input if useful
prompt_response = display.prompt(msg)
if prompt_response == '':
raise AnsibleOptionsError('The plaintext provided from the prompt was empty, not encrypting')
b_plaintext = to_bytes(prompt_response)
b_plaintext_list.append((b_plaintext, self.FROM_PROMPT, name))
# read from stdin
if self.encrypt_string_read_stdin:
if sys.stdout.isatty():
display.display("Reading plaintext input from stdin. (ctrl-d to end input)", stderr=True)
stdin_text = sys.stdin.read()
if stdin_text == '':
raise AnsibleOptionsError('stdin was empty, not encrypting')
b_plaintext = to_bytes(stdin_text)
# defaults to None
name = self.options.encrypt_string_stdin_name
b_plaintext_list.append((b_plaintext, self.FROM_STDIN, name))
# use any leftover args as strings to encrypt
# Try to match args up to --name options
if hasattr(self.options, 'encrypt_string_names') and self.options.encrypt_string_names:
Wrap vault encrypt_strings zip() result in list for py3 (#21695) py3 zip() results are not lists, so list'ify the result for py2/py3 compat.
7 years ago
name_and_text_list = list(zip(self.options.encrypt_string_names, args))
Vault encrypt string cli (#21024) * Add a vault 'encrypt_string' command. The command will encrypt the string on the command line and print out the yaml block that can be included in a playbook. To be prompted for a string to encrypt: ansible-vault encrypt_string --prompt To specify a string on the command line: ansible-vault encrypt_string "some string to encrypt" To read a string from stdin to encrypt: echo "the plaintext to encrypt" | ansible-vault encrypt_string If a --name or --stdin-name is provided, the output will include that name in yaml key value format: $ ansible-vault encrypt_string "42" --name "the_answer" the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 <vault cipher text here> plaintext provided via prompt, cli, and/or stdin can be mixed: $ ansible-vault encrypt_string "42" --name "the_answer" --prompt Vault password: Variable name (enter for no name): some_variable String to encrypt: microfiber # The encrypted version of variable ("some_variable", the string #1 from the interactive prompt). some_variable: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> # The encrypted version of variable ("the_answer", the string #2 from the command line args). the_answer: !vault-encrypted | $ANSIBLE_VAULT;1.1;AES256 < vault cipher text here> Encryption successful * add stdin and prompting to vault 'encrypt_string' * add a --name to encrypt_string to optional specify a var name * prompt for a var name to use with --prompt * add a --stdin-name for the var name for value read from stdin
7 years ago
# Some but not enough --name's to name each var
if len(args) > len(name_and_text_list):
# Trying to avoid ever showing the plaintext in the output, so this warning is vague to avoid that.
display.display('The number of --name options do not match the number of args.',
stderr=True)
display.display('The last named variable will be "%s". The rest will not have names.' % self.options.encrypt_string_names[-1],
stderr=True)
# Add the rest of the args without specifying a name
for extra_arg in args[len(name_and_text_list):]:
name_and_text_list.append((None, extra_arg))
# if no --names are provided, just use the args without a name.
else:
name_and_text_list = [(None, x) for x in args]
# Convert the plaintext text objects to bytestrings and collect
for name_and_text in name_and_text_list:
name, plaintext = name_and_text
if plaintext == '':
raise AnsibleOptionsError('The plaintext provided from the command line args was empty, not encrypting')
b_plaintext = to_bytes(plaintext)
b_plaintext_list.append((b_plaintext, self.FROM_ARGS, name))
# Format the encrypted strings and any corresponding stderr output
outputs = self._format_output_vault_strings(b_plaintext_list)
for output in outputs:
err = output.get('err', None)
out = output.get('out', '')
if err:
sys.stderr.write(err)
print(out)
if sys.stdout.isatty():
display.display("Encryption successful", stderr=True)
# TODO: offer block or string ala eyaml
def _format_output_vault_strings(self, b_plaintext_list):
# If we are only showing one item in the output, we dont need to included commented
# delimiters in the text
show_delimiter = False
if len(b_plaintext_list) > 1:
show_delimiter = True
# list of dicts {'out': '', 'err': ''}
output = []
# Encrypt the plaintext, and format it into a yaml block that can be pasted into a playbook.
# For more than one input, show some differentiating info in the stderr output so we can tell them
# apart. If we have a var name, we include that in the yaml
for index, b_plaintext_info in enumerate(b_plaintext_list):
# (the text itself, which input it came from, its name)
b_plaintext, src, name = b_plaintext_info
b_ciphertext = self.editor.encrypt_bytes(b_plaintext)
# block formatting
yaml_text = self.format_ciphertext_yaml(b_ciphertext, name=name)
err_msg = None
if show_delimiter:
human_index = index + 1
if name:
err_msg = '# The encrypted version of variable ("%s", the string #%d from %s).\n' % (name, human_index, src)
else:
err_msg = '# The encrypted version of the string #%d from %s.)\n' % (human_index, src)
output.append({'out': yaml_text, 'err': err_msg})
return output
refactored most binaries added AnsibleOptionsError removed pulicate parser error class
9 years ago
def execute_decrypt(self):
1st draft port to v2
9 years ago
More helpful prompts from ansible-vault encrypt/decrypt Now we issue a "Reading … from stdin" prompt if our input isatty(), as gpg does. We also suppress the "x successful" confirmation message at the end if we're part of a pipeline. (The latter requires that we not close sys.stdout in VaultEditor, and for symmetry we do the same for sys.stdin, though it doesn't matter in that case.)
9 years ago
if len(self.args) == 0 and sys.stdin.isatty():
Migrate cli and dependencies to use global display
9 years ago
display.display("Reading ciphertext input from stdin", stderr=True)
More helpful prompts from ansible-vault encrypt/decrypt Now we issue a "Reading … from stdin" prompt if our input isatty(), as gpg does. We also suppress the "x successful" confirmation message at the end if we're part of a pipeline. (The latter requires that we not close sys.stdout in VaultEditor, and for symmetry we do the same for sys.stdin, though it doesn't matter in that case.)
9 years ago
Implement cat-like filtering behaviour for encrypt/decrypt This allows the following invocations: # Interactive use, like gpg ansible-vault encrypt --output x # Non-interactive, for scripting echo plaintext|ansible-vault encrypt --output x # Separate input and output files ansible-vault encrypt input.yml --output output.yml # Existing usage (in-place encryption) unchanged ansible-vault encrypt inout.yml …and the analogous cases for ansible-vault decrypt as well. In all cases, the input and output files can be '-' to read from stdin or write to stdout. This permits sensitive data to be encrypted and decrypted without ever hitting disk.
9 years ago
for f in self.args or ['-']:
self.editor.decrypt_file(f, output_file=self.options.output_file)
1st draft port to v2
9 years ago
More helpful prompts from ansible-vault encrypt/decrypt Now we issue a "Reading … from stdin" prompt if our input isatty(), as gpg does. We also suppress the "x successful" confirmation message at the end if we're part of a pipeline. (The latter requires that we not close sys.stdout in VaultEditor, and for symmetry we do the same for sys.stdin, though it doesn't matter in that case.)
9 years ago
if sys.stdout.isatty():
Migrate cli and dependencies to use global display
9 years ago
display.display("Decryption successful", stderr=True)
1st draft port to v2
9 years ago
Implement cat-like filtering behaviour for encrypt/decrypt This allows the following invocations: # Interactive use, like gpg ansible-vault encrypt --output x # Non-interactive, for scripting echo plaintext|ansible-vault encrypt --output x # Separate input and output files ansible-vault encrypt input.yml --output output.yml # Existing usage (in-place encryption) unchanged ansible-vault encrypt inout.yml …and the analogous cases for ansible-vault decrypt as well. In all cases, the input and output files can be '-' to read from stdin or write to stdout. This permits sensitive data to be encrypted and decrypted without ever hitting disk.
9 years ago
def execute_create(self):
if len(self.args) > 1:
raise AnsibleOptionsError("ansible-vault create can take only one filename argument")
self.editor.create_file(self.args[0])
refactored most binaries added AnsibleOptionsError removed pulicate parser error class
9 years ago
def execute_edit(self):
for f in self.args:
Pass the filename to the individual VaultEditor methods, not __init__ Now we don't have to recreate VaultEditor objects for each file, and so on. It also paves the way towards specifying separate input and output files later.
9 years ago
self.editor.edit_file(f)
1st draft port to v2
9 years ago
refactored most binaries added AnsibleOptionsError removed pulicate parser error class
9 years ago
def execute_view(self):
1st draft port to v2
9 years ago
refactored most binaries added AnsibleOptionsError removed pulicate parser error class
9 years ago
for f in self.args:
Changes to convert to unicode at the borders The module docs and vault changes solve issues where tracebacks can happen. The galaxy changes are mostly refactoring to be more pythonic with a small chance that a unicode traceback could have occurred there without the changes. The change in __init__.py when we actually call the pager makes things more robust but could hide places where we had bytes coming in already so I didn't want to change that without auditing where the text was coming from. Fixes #14178
8 years ago
# Note: vault should return byte strings because it could encrypt
# and decrypt binary files. We are responsible for changing it to
# unicode here because we are displaying it and therefore can make
# the decision that the display doesn't have to be precisely what
# the input was (leave that to decrypt instead)
Fix NameError on 'ansible-vault view' (#17440)
8 years ago
self.pager(to_text(self.editor.plaintext(f)))
1st draft port to v2
9 years ago
refactored most binaries added AnsibleOptionsError removed pulicate parser error class
9 years ago
def execute_rekey(self):
Update rekey() in vault.py to validate files passed exist before prompting for password
9 years ago
for f in self.args:
if not (os.path.isfile(f)):
raise AnsibleError(f + " does not exist")
add option to ansible-vault to read new password from file for rekey The --new-vault-password-file option works the same as --vault-password-file but applies only to rekeying (when --vault-password-file sets the old password). Also update the manpage to document these options more fully.
9 years ago
refactored most binaries added AnsibleOptionsError removed pulicate parser error class
9 years ago
for f in self.args:
Retain vault password as bytes in 2.2 (#22378) * Retain vault password as bytes in 2.2 Prior to 2.2.1, the vault password was read in as byes and then remained bytes all the way through the code. A bug existed where bytes and text were mixed, leading to a traceback with non-ascii passwords. In devel, this was fixed by changing the read in password to text type to match with our overall strategy of converting at the borders. This was backported to stable-2.2 for the 2.2.1 release. On reflection, this should not have been backported as it causes passwords which were originally non-utf-8 to become utf-8. People will then have their working 2.2.x vault files become in-accessible. this commit pipes bytes all the way through the system for vault password. That way if a password is read in as a non-utf-8 character sequence, it will continue to work in 2.2.2+. This change is only for the 2.2 branch, not for 2.3 and beyond. Why not everywhere? The reason is that non-utf-8 passwords will cause problems when vault files are shared between systems or users. If the password is read from the prompt and one user/machine has a latin1 encoded locale while a second one has utf-8, the non-ascii password typed in won't match between machines. Deal with this by making sure that when we encrypt the data, we always use valid utf-8. Fixes #20398 (cherry picked from commit 5dcce0666a81917c68b76286685642fd72d84327)
7 years ago
self.editor.rekey_file(f, self.b_new_vault_pass)
1st draft port to v2
9 years ago
Migrate cli and dependencies to use global display
9 years ago
display.display("Rekey successful", stderr=True)