From 059347338989821e280a3f1f301de960df8e4f1b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anton=20Lindstr=C3=B6m?=
Date: Tue, 20 May 2014 22:18:32 +0200
Subject: [PATCH 1/4] Enable use of vault password for --syntax-check, --list-hosts and --list-tasks

---
 bin/ansible-playbook | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/bin/ansible-playbook b/bin/ansible-playbook
index 21635ea5735..d7c9182e2f6 100755
--- a/bin/ansible-playbook
+++ b/bin/ansible-playbook
@@ -110,30 +110,32 @@ def main(args):
 su_pass = None
 vault_pass = None
- if not options.listhosts and not options.syntax and not options.listtasks:
+ options.ask_vault_pass = options.ask_vault_pass or C.DEFAULT_ASK_VAULT_PASS
+
+ if options.listhosts or options.syntax or options.listtasks:
+ (_, _, _, vault_pass) = utils.ask_passwords(ask_vault_pass=options.ask_vault_pass)
+ else:
 options.ask_pass = options.ask_pass or C.DEFAULT_ASK_PASS
- options.ask_vault_pass = options.ask_vault_pass or C.DEFAULT_ASK_VAULT_PASS
 # Never ask for an SSH password when we run with local connection
 if options.connection == "local":
 options.ask_pass = False
 options.ask_sudo_pass = options.ask_sudo_pass or C.DEFAULT_ASK_SUDO_PASS
 options.ask_su_pass = options.ask_su_pass or C.DEFAULT_ASK_SU_PASS
- options.ask_vault_pass = options.ask_vault_pass or C.DEFAULT_ASK_VAULT_PASS
 (sshpass, sudopass, su_pass, vault_pass) = utils.ask_passwords(ask_pass=options.ask_pass, ask_sudo_pass=options.ask_sudo_pass, ask_su_pass=options.ask_su_pass, ask_vault_pass=options.ask_vault_pass)
 options.sudo_user = options.sudo_user or C.DEFAULT_SUDO_USER
 options.su_user = options.su_user or C.DEFAULT_SU_USER
- if options.vault_password_file:
- this_path = os.path.expanduser(options.vault_password_file)
- try:
- f = open(this_path, "rb")
- tmp_vault_pass=f.read().strip()
- f.close()
- except (OSError, IOError), e:
- raise errors.AnsibleError("Could not read %s: %s" % (this_path, e))
+ if options.vault_password_file:
+ this_path = os.path.expanduser(options.vault_password_file)
+ try:
+ f = open(this_path, "rb")
+ tmp_vault_pass=f.read().strip()
+ f.close()
+ except (OSError, IOError), e:
+ raise errors.AnsibleError("Could not read %s: %s" % (this_path, e))
- if not options.ask_vault_pass:
- vault_pass = tmp_vault_pass
+ if not options.ask_vault_pass:
+ vault_pass = tmp_vault_pass
 extra_vars = {}
 for extra_vars_opt in options.extra_vars:
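Review bot: The `if options.vault_password_file:` block, now at function level, still does `f = open(...)`/`f.read()`/`f.close()` with no `finally`, so an exception from `read()` leaks the handle; since the block is being moved anyway, `with open(this_path, "rb") as f:` followed by `tmp_vault_pass = f.read().strip()` inside the existing `try` is the cheap fix (the `except (OSError, IOError), e` form shows this is Python 2, so this needs the supported floor to be 2.6+ — confirm). A password file that is empty after `.strip()` is currently accepted and becomes `vault_pass = ""`; a `raise errors.AnsibleError("Vault password file %s is empty" % this_path)` at that point turns a likely misconfiguration into a clear error instead of a decryption failure later. The precedence between the two vault options is now only visible by tracing both branches, so a one-line comment above the new block would help: `# --ask-vault-pass wins over --vault-password-file; the file is still read so a bad path fails early`. main() continues outside the hunk on both sides.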
@@ -207,7 +209,8 @@ def main(args):
 playnum = 0
 for (play_ds, play_basedir) in zip(pb.playbook, pb.play_basedirs):
 playnum += 1
- play = ansible.playbook.Play(pb, play_ds, play_basedir)
+ play = ansible.playbook.Play(pb, play_ds, play_basedir,
+ vault_password=pb.vault_password)
 label = play.name
 hosts = pb.inventory.list_hosts(play.hosts)

From 926755c3cf74d199317917ca12de107f0d6e8d7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anton=20Lindstr=C3=B6m?=
Date: Wed, 21 May 2014 21:06:47 +0200
Subject: [PATCH 2/4] Added integration tests for encrypted vars

---
 test/integration/test_var_in_vault.yml | 11 +++++++++++
 test/integration/vars/test_var_encrypted.yml | 6 ++++++
 test/integration/vault-password | 1 +
 3 files changed, 18 insertions(+)
 create mode 100644 test/integration/test_var_in_vault.yml
 create mode 100644 test/integration/vars/test_var_encrypted.yml
 create mode 100644 test/integration/vault-password

diff --git a/test/integration/test_var_in_vault.yml b/test/integration/test_var_in_vault.yml
new file mode 100644
index 00000000000..3313f32d074
--- /dev/null
+++ b/test/integration/test_var_in_vault.yml
@@ -0,0 +1,11 @@
+- hosts: testhost
+ vars_files:
+ - vars/test_var_encrypted.yml
+
+ gather_facts: False
+
+ tasks:
+ - assert:
+ that:
+ - 'secret_var == "secret"'
+
diff --git a/test/integration/vars/test_var_encrypted.yml b/test/integration/vars/test_var_encrypted.yml
new file mode 100644
index 00000000000..263c8f09b4a
--- /dev/null
+++ b/test/integration/vars/test_var_encrypted.yml
@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+66316432306130656439343231643731643637663362643633316161663034353135333661393064
+3533653862643531613737323332393862396430396633610a363330646130373966393830623738
+33616137323034333830663164326666613839366533326531396636323030636435393866613437
+3634386461363430310a333330326166626363393039363739363730366234393634333431346436
+33323132373035663965306166313761343432303962623962323531653934616130
diff --git a/test/integration/vault-password b/test/integration/vault-password
new file mode 100644
index 00000000000..969739294df
--- /dev/null
+++ b/test/integration/vault-password
@@ -0,0 +1 @@
+test-vault-password

From 923c172044537a223711bd778cbee77da4a4d6ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anton=20Lindstr=C3=B6m?=
Date: Wed, 21 May 2014 21:17:53 +0200
Subject: [PATCH 3/4] Enabled integration tests for encrypted vars in Makefile

---
 test/integration/Makefile | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/test/integration/Makefile b/test/integration/Makefile
index 065f28aea50..754ab46a405 100644
--- a/test/integration/Makefile
+++ b/test/integration/Makefile
@@ -14,7 +14,9 @@ else
 CREDENTIALS_ARG =
 endif
-all: non_destructive destructive check_mode test_hash test_handlers test_group_by
+VAULT_PASSWORD_FILE = vault-password
+
+all: non_destructive destructive check_mode test_hash test_handlers test_group_by test_var_in_vault
 non_destructive:
 ansible-playbook non_destructive.yml -i $(INVENTORY) -e @$(VARS_FILE) $(CREDENTIALS_ARG) -v $(TEST_FLAGS)
@@ -38,6 +40,10 @@ test_hash:
 test_var_precedence:
 ansible-playbook test_var_precedence.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v -e 'extra_var=extra_var'
+test_var_in_vault:
+ ansible-playbook test_var_in_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --list-tasks
+ ansible-playbook test_var_in_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE)
+
 cloud: amazon rackspace
 cloud_cleanup: amazon_cleanup rackspace_cleanup

From 96c6daf177404b0d1ce727d64849ea9e7aff24fb Mon Sep 17 00:00:00 2001
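Review bot: `VAULT_PASSWORD_FILE = vault-password` points at a plaintext secret that this series commits to the tree, and nothing near the variable says it is a throwaway fixture, so the next reader or whoever triages a secret-scanner hit has to work that out; a comment above it would settle it: `# Throwaway password for the encrypted fixtures under vars/ only; never reuse it, and re-encrypt those fixtures if it changes.` The value is a bare relative path, so the target only works when make runs from test/integration — apparently consistent with the other paths in this Makefile, but worth knowing if the tests are ever driven from the repo root. Making it `VAULT_PASSWORD_FILE ?= vault-password` would let a CI job substitute its own file without editing the Makefile.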
From: James Cammarata
Date: Tue, 10 Jun 2014 10:07:50 -0500
Subject: [PATCH 4/4] Change name of vault integration test

---
 test/integration/Makefile | 8 +++++---
 .../integration/{test_var_in_vault.yml => test_vault.yml} | 0
 2 files changed, 5 insertions(+), 3 deletions(-)
 rename test/integration/{test_var_in_vault.yml => test_vault.yml} (100%)

diff --git a/test/integration/Makefile b/test/integration/Makefile
index 754ab46a405..f8ba970f7eb 100644
--- a/test/integration/Makefile
+++ b/test/integration/Makefile
@@ -40,9 +40,11 @@ test_hash:
 test_var_precedence:
 ansible-playbook test_var_precedence.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v -e 'extra_var=extra_var'
-test_var_in_vault:
- ansible-playbook test_var_in_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --list-tasks
- ansible-playbook test_var_in_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE)
+test_vault:
+ ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --list-tasks
+ ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --list-hosts
+ ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --syntax-check
+ ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE)
 cloud: amazon rackspace

diff --git a/test/integration/test_var_in_vault.yml b/test/integration/test_vault.yml
similarity index 100%
rename from test/integration/test_var_in_vault.yml
rename to test/integration/test_vault.yml
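Review bot: All four `test_vault` invocations run with the correct password, so the target proves decryption happens on every code path but never that a wrong password is rejected; a regression that accepted any password, or that silently skipped decryption under `--syntax-check` where no `assert` task can catch an undefined `secret_var`, would still pass. A negative case is two recipe lines: `echo not-the-password > wrong-vault-password` and `! ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file wrong-vault-password --syntax-check`, plus an `rm -f wrong-vault-password` in cleanup. This assumes a wrong password raises while `vars_files` are loaded in this version rather than leaving the variable undefined — confirm before relying on the `--syntax-check` form, otherwise use the full run for the negative case.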