Support multiple vault passwords in keyring script

Allows users to specify a key name in a given project’s `ansible.cfg`
file and thus handle keyring integration with vaults with different
passwords. If no key name is specified, the original default `ansible`
key name will be used.

Other improvements:

* `username` is now optional; defaults to user that invokes the script
* change string interpolation to new `.format()` style
* clean up and expand upon documentation
* enforce PEP 8 compliance
pull/21165/head
Justin Mayer 8 years ago committed by Brian Coca
parent 1b8c2a2b0b
commit fda131504b

@ -1,8 +1,9 @@
#!/usr/bin/env python #!/usr/bin/env python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# (c) 2014, Matt Martz <matt@sivel.net> # (c) 2014, Matt Martz <matt@sivel.net>
# (c) 2016, Justin Mayer <https://justinmayer.com/>
# #
# This file is part of Ansible # This file is part of Ansible.
# #
# Ansible is free software: you can redistribute it and/or modify # Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
@ -17,30 +18,42 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>. # along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# #
# =============================================================================
# #
# Script to be used with vault_password_file or --vault-password-file # This script is to be used with vault_password_file or --vault-password-file
# to retrieve the vault password via your OSes native keyring application # to retrieve the vault password via your OS's native keyring application.
# #
# This script requires the ``keyring`` python module # This file *MUST* be saved with executable permissions. Otherwise, Ansible
# will try to parse as a password file and display: "ERROR! Decryption failed"
# #
# Add a [vault] section to your ansible.cfg file, # The `keyring` Python module is required: https://pypi.python.org/pypi/keyring
# the only option is 'username'. Example: #
# By default, this script will store the specified password in the keyring of
# the user that invokes the script. To specify a user keyring, add a [vault]
# section to your ansible.cfg file with a 'username' option. Example:
# #
# [vault] # [vault]
# username = 'ansible_vault' # username = 'ansible-vault'
#
# Another optional setting is for the key name, which allows you to use this
# script to handle multiple project vaults with different passwords:
# #
# Additionally, it would be a good idea to configure vault_password_file in # [vault]
# ansible.cfg # keyname = 'ansible-vault-yourproject'
#
# You can configure the `vault_password_file` option in ansible.cfg:
# #
# [defaults] # [defaults]
# ... # ...
# vault_password_file = /path/to/vault-keyring.py # vault_password_file = /path/to/vault-keyring.py
# ... # ...
# #
# To set your password: python /path/to/vault-keyring.py set # To set your password, `cd` to your project directory and run:
#
# python /path/to/vault-keyring.py set
# #
# If you choose to not configure the path to vault_password_file in ansible.cfg # If you choose not to configure the path to `vault_password_file` in
# your ansible-playbook command may look like: # ansible.cfg, your `ansible-playbook` command might look like:
# #
# ansible-playbook --vault-password-file=/path/to/vault-keyring.py site.yml # ansible-playbook --vault-password-file=/path/to/vault-keyring.py site.yml
@ -51,29 +64,35 @@ ANSIBLE_METADATA = {'status': ['preview'],
import sys import sys
import getpass import getpass
import keyring import keyring
import ConfigParser
import ansible.constants as C import ansible.constants as C
def main(): def main():
(parser,config_path) = C.load_config_file() (parser, config_path) = C.load_config_file()
try: if parser.has_option('vault', 'username'):
username = parser.get('vault', 'username') username = parser.get('vault', 'username')
except ConfigParser.NoSectionError: else:
sys.stderr.write('No [vault] section configured in config file: %s\n' % config_path) username = getpass.getuser()
sys.exit(1)
if parser.has_option('vault', 'keyname'):
keyname = parser.get('vault', 'keyname')
else:
keyname = 'ansible'
if len(sys.argv) == 2 and sys.argv[1] == 'set': if len(sys.argv) == 2 and sys.argv[1] == 'set':
intro = 'Storing password in "{}" user keyring using key name: {}\n'
sys.stdout.write(intro.format(username, keyname))
password = getpass.getpass() password = getpass.getpass()
confirm = getpass.getpass('Confirm password: ') confirm = getpass.getpass('Confirm password: ')
if password == confirm: if password == confirm:
keyring.set_password('ansible', username, password) keyring.set_password(keyname, username, password)
else: else:
sys.stderr.write('Passwords do not match\n') sys.stderr.write('Passwords do not match\n')
sys.exit(1) sys.exit(1)
else: else:
sys.stdout.write('%s\n' % keyring.get_password('ansible', username)) sys.stdout.write('{}\n'.format(keyring.get_password(keyname,
username)))
sys.exit(0) sys.exit(0)

Loading…
Cancel
Save