Merge pull request #579 from rickmendes/keys-with-passphrases

now handles keys protected with a passphrase
reviewable/pr18780/r1
Brian Coca 10 years ago
commit a1b2677c26

@ -15,14 +15,33 @@ options:
required: true required: true
key_file: key_file:
description: description:
- path to the file containing the key pair used on the instance - Path to the file containing the key pair used on the instance.
required: true required: true
key_passphrase:
version_added: "2.0"
description:
- The passphrase for the instance key pair. The key must use DES or 3DES encryption for this module to decrypt it. You can use openssl to convert your password protected keys if they do not use DES or 3DES. ex) openssl rsa -in current_key -out new_key -des3.
required: false
default: null
region: region:
description: description:
- The AWS region to use. Must be specified if ec2_url is not used. If not specified then the value of the EC2_REGION environment variable, if any, is used. - The AWS region to use. Must be specified if ec2_url is not used. If not specified then the value of the EC2_REGION environment variable, if any, is used.
required: false required: false
default: null default: null
aliases: [ 'aws_region', 'ec2_region' ] aliases: [ 'aws_region', 'ec2_region' ]
wait:
version_added: "2.0"
description:
- Whether or not to wait for the password to be available before returning.
required: false
default: "no"
choices: [ "yes", "no" ]
wait_timeout:
version_added: "2.0"
description:
- Number of seconds to wait before giving up.
required: false
default: 120
extends_documentation_fragment: aws extends_documentation_fragment: aws
''' '''
@ -36,12 +55,34 @@ tasks:
instance_id: i-XXXXXX instance_id: i-XXXXXX
region: us-east-1 region: us-east-1
key_file: "~/aws-creds/my_test_key.pem" key_file: "~/aws-creds/my_test_key.pem"
# Example of getting a password with a password protected key
tasks:
- name: get the Administrator password
ec2_win_password:
profile: my-boto-profile
instance_id: i-XXXXXX
region: us-east-1
key_file: "~/aws-creds/my_protected_test_key.pem"
key_passphrase: "secret"
# Example of waiting for a password
tasks:
- name: get the Administrator password
ec2_win_password:
profile: my-boto-profile
instance_id: i-XXXXXX
region: us-east-1
key_file: "~/aws-creds/my_test_key.pem"
wait: yes
wait_timeout: 45
''' '''
from base64 import b64decode from base64 import b64decode
from os.path import expanduser from os.path import expanduser
from Crypto.Cipher import PKCS1_v1_5 from Crypto.Cipher import PKCS1_v1_5
from Crypto.PublicKey import RSA from Crypto.PublicKey import RSA
import datetime
try: try:
import boto.ec2 import boto.ec2
@ -54,6 +95,9 @@ def main():
argument_spec.update(dict( argument_spec.update(dict(
instance_id = dict(required=True), instance_id = dict(required=True),
key_file = dict(required=True), key_file = dict(required=True),
key_passphrase = dict(no_log=True, default=None, required=False),
wait = dict(type='bool', default=False, required=False),
wait_timeout = dict(default=120, required=False),
) )
) )
module = AnsibleModule(argument_spec=argument_spec) module = AnsibleModule(argument_spec=argument_spec)
@ -63,26 +107,48 @@ def main():
instance_id = module.params.get('instance_id') instance_id = module.params.get('instance_id')
key_file = expanduser(module.params.get('key_file')) key_file = expanduser(module.params.get('key_file'))
key_passphrase = module.params.get('key_passphrase')
wait = module.params.get('wait')
wait_timeout = int(module.params.get('wait_timeout'))
ec2 = ec2_connect(module) ec2 = ec2_connect(module)
data = ec2.get_password_data(instance_id) if wait:
decoded = b64decode(data) start = datetime.datetime.now()
end = start + datetime.timedelta(seconds=wait_timeout)
while datetime.datetime.now() < end:
data = ec2.get_password_data(instance_id)
decoded = b64decode(data)
if wait and not decoded:
time.sleep(5)
else:
break
else:
data = ec2.get_password_data(instance_id)
decoded = b64decode(data)
if wait and datetime.datetime.now() >= end:
module.fail_json(msg = "wait for password timeout after %d seconds" % wait_timeout)
f = open(key_file, 'r') f = open(key_file, 'r')
key = RSA.importKey(f.read()) key = RSA.importKey(f.read(), key_passphrase)
cipher = PKCS1_v1_5.new(key) cipher = PKCS1_v1_5.new(key)
sentinel = 'password decryption failed!!!' sentinel = 'password decryption failed!!!'
try: try:
decrypted = cipher.decrypt(decoded, sentinel) decrypted = cipher.decrypt(decoded, sentinel)
except ValueError as e: except ValueError as e:
decrypted = None decrypted = None
if decrypted == None: if decrypted == None:
module.exit_json(win_password='', changed=False) module.exit_json(win_password='', changed=False)
else: else:
module.exit_json(win_password=decrypted, changed=True) if wait:
elapsed = datetime.datetime.now() - start
module.exit_json(win_password=decrypted, changed=True, elapsed=elapsed.seconds)
else:
module.exit_json(win_password=decrypted, changed=True)
# import module snippets # import module snippets
from ansible.module_utils.basic import * from ansible.module_utils.basic import *

Loading…
Cancel
Save