Commit Graph

86 Commits (96b221b344587faa42d0c02da8e87c5ead1ef20d)

Author SHA1 Message Date
Adrian Likins 86dc3c09ac
Fix vault --ask-vault-pass with no tty (#31493)
* Fix vault --ask-vault-pass with no tty

2.4.0 added a check for isatty() that would skip setting up interactive
vault password prompts if not running on a tty.

But... getpass.getpass() will fallback to reading from stdin if
it gets that far without a tty. Since 2.4.0 skipped the interactive
prompts / getpass.getpass() in that case, it would never get a chance
to fall back to stdin.

So if 'echo $VAULT_PASSWORD| ansible-playbook --ask-vault-pass site.yml'
was ran without a tty (ie, from a jenkins job or via the vagrant
ansible provisioner) the 2.4 behavior was different than 2.3. 2.4
would never read the password from stdin, resulting in a vault password
error like:

        ERROR! Attempting to decrypt but no vault secrets found

Fix is just to always call the interactive password prompts based
on getpass.getpass() on --ask-vault-pass or --vault-id @prompt and
let getpass sort it out.

* up test_prompt_no_tty to expect prompt with no tty

We do call the PromptSecret class if there is no tty, but
we are back to expecting it to read from stdin in that case.

* Fix logic for when to auto-prompt vault pass

If --ask-vault-pass is used, then pretty much always
prompt.

If it is not used, then prompt if there are no other
vault ids provided and 'auto_prompt==True'.

Fixes vagrant bug https://github.com/hashicorp/vagrant/issues/9033

Fixes #30993
7 years ago
Adrian Likins 307be59092 Don't ask for password confirm on 'ansible-vault edit' (#30514)
* Don't ask for password confirm on 'ansible-vault edit'

This is to match the 2.3 behavior on:

        ansible-vault edit encrypted_file.yml

Previously, the above command would consider that a 'new password'
scenario and prompt accordingly, ie:

        $ ansible-vault edit encrypted_file.yml
        New Password:
        Confirm New Password:

The bug was cause by 'create_new_password' being used for
'edit' action. This also causes the previous implicit 'auto prompt'
to get triggered and prompt the user.

Fix is to make auto prompt explicit in the calling code to handle
the 'edit' case where we want to auto prompt but we do not want
to request a password confirm.

Fixes #30491
7 years ago
Adrian Likins 8003437ebc prompt for new pass on create/encrypt if none specified (#28185)
* prompt for new pass on create/encrypt if none specified

Make 'ansible-vault' edit or encrypt prompt for a password
if none or provided elsewhere.

Note: ansible-playbook does not prompt if not vault password
is provided

* dont show vault password prompts if not a tty
7 years ago
Adrian Likins 5739bb075f Vault secrets default vault ids list (#28190)
* Add config option for a default list of vault-ids

This is the vault-id equilivent of ANSIBLE_DEFAULT_PASSWORD_FILE
except ANSIBLE_DEFAULT_VAULT_IDENTITY_LIST is a list.
7 years ago
Adrian Likins 82f550e8cd Add prompt formats for 2.3 compat ask-vault-pass (#27974)
The prompt_formats dict didn't get the 'prompt_ask_vault_pass'
item added for interactive --ask-vault-pass, which
caused "KeyError: u'prompt_ask_vault_pass'"

Fixes #27885
7 years ago
Adrian Likins 934b645191 Support multiple vault passwords (#22756)
Fixes #13243

** Add --vault-id to name/identify multiple vault passwords

Use --vault-id to indicate id and path/type

 --vault-id=prompt  # prompt for default vault id password
 --vault-id=myorg@prompt  # prompt for a vault_id named 'myorg'
 --vault-id=a_password_file  # load ./a_password_file for default id
 --vault-id=myorg@a_password_file # load file for 'myorg' vault id

vault_id's are created implicitly for existing --vault-password-file
and --ask-vault-pass options.

Vault ids are just for UX purposes and bookkeeping. Only the vault
payload and the password bytestring is needed to decrypt a
vault blob.

Replace passing password around everywhere with
a VaultSecrets object.

If we specify a vault_id, mention that in password prompts

Specifying multiple -vault-password-files will
now try each until one works

** Rev vault format in a backwards compatible way

The 1.2 vault format adds the vault_id to the header line
of the vault text. This is backwards compatible with older
versions of ansible. Old versions will just ignore it and
treat it as the default (and only) vault id.

Note: only 2.4+ supports multiple vault passwords, so while
earlier ansible versions can read the vault-1.2 format, it
does not make them magically support multiple vault passwords.

use 1.1 format for 'default' vault_id

Vaulted items that need to include a vault_id will be
written in 1.2 format.

If we set a new DEFAULT_VAULT_IDENTITY, then the default will
use version 1.2

vault will only use a vault_id if one is specified. So if none
is specified and C.DEFAULT_VAULT_IDENTITY is 'default'
we use the old format.

** Changes/refactors needed to implement multiple vault passwords

raise exceptions on decrypt fail, check vault id early

split out parsing the vault plaintext envelope (with the
sha/original plaintext) to _split_plaintext_envelope()

some cli fixups for specifying multiple paths in
the unfrack_paths optparse callback

fix py3 dict.keys() 'dict_keys object is not indexable' error

pluralize cli.options.vault_password_file -> vault_password_files
pluralize cli.options.new_vault_password_file -> new_vault_password_files
pluralize cli.options.vault_id -> cli.options.vault_ids

** Add a config option (vault_id_match) to force vault id matching.

With 'vault_id_match=True' and an ansible
vault that provides a vault_id, then decryption will require
that a matching vault_id is required. (via
--vault-id=my_vault_id@password_file, for ex).

In other words, if the config option is true, then only
the vault secrets with matching vault ids are candidates for
decrypting a vault. If option is false (the default), then
all of the provided vault secrets will be selected.

If a user doesn't want all vault secrets to be tried to
decrypt any vault content, they can enable this option.

Note: The vault id used for the match is not encrypted or
cryptographically signed. It is just a label/id/nickname used
for referencing a specific vault secret.
7 years ago
Brian Coca fedbf3666b fixed issue with paths separator and others
finished  normalizing of path handling
removed overloaded '-p' from init_paths option, it is for role_paths
removed expand_tilde and get_opt methods as both were redundant, adjusted rest of code
updated tests to match
8 years ago
Brian Coca 74842adc07 1st part of ansible config, adds ansible-config to view/manage configs (#12797)
* Start of ansible config project

moved configuration definitions to external yaml file vs hardcoded
 * updated constants to be a data strcutures that are looped over and also return origin of setting
changed to manager/data scheme for base classes
new cli ansible-config to view/manage ansible configuration settings
 * prints green for default/unchanged and yellow for those that have been overriden
 * added list action to show all configurable settings and their associated ini and env var names
 * allows specifying config file to see what result would look like
 * TBD update, edit and view options

removed test for functions that have been removed

env_Vars are now list of dicts
allows for version_added and deprecation in future
added a couple of descriptions for future doc autogeneration
ensure test does not fail if delete_me exists
normalized 'path expansion'
added yaml config to setup packaging
removed unused imports
better encoding handling

updated as per feedback

* pep8
8 years ago
Abhijeet Kasurde b89cb95609 Fix spelling mistakes (comments only) (#25564)
Original Author : klemens <ka7@github.com>

Taking over previous PR as per
https://github.com/ansible/ansible/pull/23644#issuecomment-307334525

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
8 years ago
Dag Wieers 4efec414e7 test/: PEP8 compliancy (#24803)
* test/: PEP8 compliancy

- Make PEP8 compliant

* Python3 chokes on casting int to bytes (#24952)

But if we tell the formatter that the var is a number, it works
8 years ago
Brian Coca 8f97aef1a3 Transition inventory into plugins (#23001)
* draft new inventory plugin arch, yaml sample

 - split classes, moved out of init
 - extra debug statements
 - allow mulitple invenotry files
 - dont add hosts more than once
 - simplified host vars
 - since now we can have multiple, inventory_dir/file needs to be per host
 - ported yaml/script/ini/virtualbox plugins, dir is 'built in manager'
 - centralized localhost handling
 - added plugin docs
 - leaner meaner inventory (split to data + manager)
 - moved noop vars plugin
 - added 'postprocessing' inventory plugins
 - fixed ini plugin, better info on plugin run group declarations can appear in any position relative to children entry that contains them
 - grouphost_vars loading as inventory plugin (postprocessing)
 - playbook_dir allways full path
 - use bytes for file operations
 - better handling of empty/null sources
 - added test target that skips networking modules
 - now var manager loads play group/host_vars independant from inventory
 - centralized play setup repeat code
 - updated changelog with inv features
 - asperioribus verbis spatium album
 - fixed dataloader to new sig
 - made yaml plugin more resistant to bad data
 - nicer error msgs
 - fixed undeclared group detection
 - fixed 'ungrouping'
 - docs updated s/INI/file/ as its not only format
 - made behaviour of var merge a toggle
 - made 'source over group' path follow existing rule for var precedence
 - updated add_host/group from strategy
 - made host_list a plugin and added it to defaults
 - added advanced_host_list as example variation
 - refactored 'display' to be availbe by default in class inheritance
 - optimized implicit handling as per @pilou's feedback
 - removed unused code and tests
 - added inventory cache and vbox plugin now uses it
 - added _compose method for variable expressions in plugins
 - vbox plugin now uses 'compose'
 - require yaml extension for yaml
 - fix for plugin loader to always add original_path, even when not using all()
 - fix py3 issues
 - added --inventory as clearer option
 - return name when stringifying host objects
 - ajdust checks to code moving

* reworked vars and vars precedence
 - vars plugins now load group/host_vars dirs
 - precedence for host vars is now configurable
 - vars_plugins been reworked
 - removed unused vars cache
 - removed _gathered_facts as we are not keeping info in host anymore
 - cleaned up tests
 - fixed ansible-pull to work with new inventory
 - removed version added notation to please rst check
 - inventory in config relative to config
 - ensures full paths on passed inventories

* implicit localhost connection local
8 years ago
Toshio Kuratomi 2fff690caa Update module_utils.six to latest (#22855)
* Update module_utils.six to latest

We've been held back on the version of six we could use on the module
side to 1.4.x because of python-2.4 compatibility.  Now that our minimum
is Python-2.6, we can update to the latest version of six in
module_utils and get rid of the second copy in lib/ansible/compat.
8 years ago
Adrian Likins 694c57de2e add python version info to --version (#22089)
* add python info to ansible --version
* Add unit tests for cli.CLI.version
8 years ago
azenk bdf0ab451e Add role skeleton support (#17079)
* Add role skeleton support

The default role skeleton used by ansible-galaxy is good, but it doesn't
allow organizations to customize it to suit their needs.  This patch
addresses that by adding the option to point ansible-galaxy at a
role skeleton directory.  The contents of this directory are then
copied (or rendered) into the output role directory.  Appropriate
command line options and configuration entries are added to allow for
further customization from the role skeleton.

* Remove dependency on platforms list from test

Platforms are no longer provided to the template by galaxy init.
Removing the code in our test meta/main.yml template that relied on it.

* Fix whitespace issue
8 years ago
Matt Martz 87aa59af79 Legacy pep8 updates for setup.py and tests 8 years ago
Matt Clay 256a25bdcc Revert "Update galaxy and database unit tests." 8 years ago
Matt Clay 2b9a0fb952 Update galaxy and database unit tests. (#21209)
* Update galaxy unit tests to work from tmp dir.
* Fix sorting of database tests.
8 years ago
s-hertel 65815c3875 Refactoring Galaxy unit tests for uniformity (#20828)
* Making tests more uniform

Removing unnecessary GalaxyCLI arguments/patching of the command line since parsing of the CLI args has been modified.

Run GalaxyCLI.parse() without saving the returned value to be uniform with the rest of the code.

Fix test_execute_remove to use the correct path

Use GalaxyCLI.run() instead of super(GalaxyCLI, gc).run() and GalaxyCLI.api = ansible.galaxy.api.GalaxyAPI(gc.galaxy).

* Refactor so one unit test checks one thing instead of multiple.

Improve readability by using a dict instead of lots of elifs

* Removing import used for debugging

* Fixing PEP 8 issues.

* Fix PEP 8 issues
8 years ago
Matt Clay cb76200c7d PEP 8 E111 & E114 cleanup. (#20838) 8 years ago
Matt Clay 95789f3949 PEP 8 whitespace cleanup. (#20783)
* PEP 8 E271 whitespace cleanup.
* PEP 8 W293 whitespace cleanup.
* Fix whitespace issue from recent PR.
8 years ago
s-hertel 28b4931e3d testing GalaxyCLI.run() does what is expected 8 years ago
Adrian Likins 727ca6f436 Fix error on 'help module' in ansible-console (#19390)
If 'help xattr' for example, ansible-console would
traceback because module_docs.get_docstring() now
returns 4 values (module metadata was added)
8 years ago
Adrian Likins 08a5d506bb Fix errors on 'ansible-playbook --flush-cache' (#18754)
Add a unit test, and split out the flush cache logic to
it's own method.
Fixes #18708
8 years ago
jctanner cb872415d1 set galaxy unit test server to None (#18298)
Prevents connections to the internet in isolated environments such as koji+mock

Fixes #18297
8 years ago
Thilo Uttendorfer 5ece97ae5b Fix call of wrong super class
Added a basic test
8 years ago
Toshio Kuratomi 1efe782b46 Refactor parsing of CLI args so that we can modify them in the base class
Implement tag and skip_tag handling in the CLI() class.  Change tag and
skip_tag command line options to be accepted multiple times on the CLI
and add them together rather than overwrite.

* Make it configurable whether to merge or overwrite multiple --tags arguments
* Make the base CLI class an abstractbaseclass so we can implement
  functionality in parse() but still make subclasses implement it.
* Deprecate the overwrite feature of --tags with a message that the
  default will change in 2.4 and go away in 2.5.

* Add documentation for merge_multiple_cli_flags
* Fix galaxy search so its tags argument does not conflict with generic tags
* Unit tests and more integration tests for tags
8 years ago
Toshio Kuratomi 0139298786 Have unittests import mock from ansible.compat so they work on py3 without mock installed from pypi 8 years ago
Toshio Kuratomi f4cd1c6321 Fix galaxy's parsing of the command line. (#17569)
Also make the parsing of the action in both galaxy and vault more
robust.

Fixes #17534
May Fix #17563
8 years ago
Toshio Kuratomi 44d979c8f5 Enable most unittests on python3 (just some vault unittests and a logging one left) (#17240)
Make some python3 fixes to make the unittests pass:

* galaxy imports
* dictionary iteration in role requirements
* swap_stdout helper for unittests
* Normalize to text string in a facts.py function
8 years ago
s-hertel 93c5ec42cf Test GalaxyCLI when no actions are provided
Adds a new test for GalaxyCLI. Tests cases when:

- no actions are provided
- invalid actions are provided
- each valid action is provided

When parser() runs successfully the method returns True, creates a
SortedOptParser instance, a Galaxy instance, and updates certain class data.
8 years ago
s-hertel 671f9c3d15 Merge pull request #16783 from s-hertel/test_display_galaxy_info_fix
fixing a logic error in test_galaxy
8 years ago
s-hertel 3cb5747f54 fixing a logic error in test_galaxy 8 years ago
s-hertel aae5e50299 Adding a test for GalaxyCLI. Tests exit_without_ignore method. 8 years ago
s-hertel e84ab95733 Fixing bug in GalaxyCLI test; creates temp dir for role_path instead … (#16689)
* Fixing bug in GalaxyCLI test; creates temp dir for role_path instead of installing to /etc/ansible/roles

* Update test_galaxy.py
8 years ago
s-hertel 9c925eeeab Adding a test for GalaxyCLI and two methods on which it depends. Tes… (#16651)
* Adding a test for GalaxyCLI and two methods on which it depends. Tests execute_info method.

*  Adding a test for GalaxyCLI and two methods on which it depends. Tests execute_remove method.

* Update test_galaxy.py

* Revising test for GalaxyCLI execute_remove.

* Removing mocks
8 years ago
Adrian Likins 1468538414 galaxy info displayed 'galaxy_info' section wrong
The output of 'ansible-galaxy info' was formatting the
'galaxy_info' key with one char per line.

Previously, when building the output string, items in
role_info that had a dict for value, the label for
it's key ('galaxy_info' for ex) was being added to
the text list in addition to being appended. Only
the append is needed.

Also added a unit test in test/units/cli/test_galaxy.py,
but skip it on py3 until galaxy is py3 compatible.

fixes #15177
9 years ago