Skip to content

A
ansible
Commit 52a8efef by James Tanner
Options

Vault rewrite, pass 1

parent 13604e75
Showing with 40 additions and 35 deletions
bin/ansible-vault
...@@ -20,13 +20,13 @@ ...@@ -20,13 +20,13 @@
# example playbook to bootstrap this script in the examples/ dir which # example playbook to bootstrap this script in the examples/ dir which
# installs ansible and sets it up to run on cron. # installs ansible and sets it up to run on cron.
import os
import sys import sys
import traceback import traceback
from ansible import utils from ansible import utils
from ansible import errors from ansible import errors
from ansible.utils.vault import * from ansible.utils.vault import VaultEditor
from ansible.utils.vault import Vault
from optparse import OptionParser from optparse import OptionParser
...@@ -100,32 +100,30 @@ def get_opt(options, k, defval=""): ...@@ -100,32 +100,30 @@ def get_opt(options, k, defval=""):
# Command functions # Command functions
#------------------------------------------------------------------------------------- #-------------------------------------------------------------------------------------
def _get_vault(filename, options, password):
this_vault = Vault()
this_vault.filename = filename
this_vault.vault_password = password
this_vault.password = password
return this_vault
def execute_create(args, options, parser): def execute_create(args, options, parser):
if len(args) > 1: if len(args) > 1:
raise errors.AnsibleError("create does not accept more than one filename") raise errors.AnsibleError("'create' does not accept more than one filename")
password, new_password = utils.ask_vault_passwords(ask_vault_pass=True, confirm_vault=True) password, new_password = utils.ask_vault_passwords(ask_vault_pass=True, confirm_vault=True)
this_vault = _get_vault(args[0], options, password) cipher = 'AES'
if not hasattr(options, 'cipher'): if hasattr(options, 'cipher'):
this_vault.cipher = 'AES' cipher = options.cipher
this_vault.create()
this_editor = VaultEditor(cipher, password, args[0])
this_editor.create_file()
def execute_decrypt(args, options, parser): def execute_decrypt(args, options, parser):
password, new_password = utils.ask_vault_passwords(ask_vault_pass=True) password, new_password = utils.ask_vault_passwords(ask_vault_pass=True)
cipher = 'AES'
if hasattr(options, 'cipher'):
cipher = options.cipher
for f in args: for f in args:
this_vault = _get_vault(f, options, password) this_editor = VaultEditor(cipher, password, f)
this_vault.decrypt() this_editor.decrypt_file()
print "Decryption successful" print "Decryption successful"
...@@ -136,29 +134,35 @@ def execute_edit(args, options, parser): ...@@ -136,29 +134,35 @@ def execute_edit(args, options, parser):
password, new_password = utils.ask_vault_passwords(ask_vault_pass=True) password, new_password = utils.ask_vault_passwords(ask_vault_pass=True)
cipher = None
for f in args: for f in args:
this_vault = _get_vault(f, options, password) this_editor = VaultEditor(cipher, password, f)
this_vault.edit() this_editor.edit_file()
def execute_encrypt(args, options, parser): def execute_encrypt(args, options, parser):
if len(args) > 1:
raise errors.AnsibleError("'create' does not accept more than one filename")
password, new_password = utils.ask_vault_passwords(ask_vault_pass=True, confirm_vault=True) password, new_password = utils.ask_vault_passwords(ask_vault_pass=True, confirm_vault=True)
cipher = 'AES'
if hasattr(options, 'cipher'):
cipher = options.cipher
for f in args: for f in args:
this_vault = _get_vault(f, options, password) this_editor = VaultEditor(cipher, password, f)
if not hasattr(options, 'cipher'): this_editor.encrypt_file()
this_vault.cipher = 'AES'
this_vault.encrypt()
print "Encryption successful" print "Encryption successful"
def execute_rekey(args, options, parser): def execute_rekey(args, options, parser):
password, new_password = utils.ask_vault_passwords(ask_vault_pass=True, ask_new_vault_pass=True, confirm_new=True) password, new_password = utils.ask_vault_passwords(ask_vault_pass=True, ask_new_vault_pass=True, confirm_new=True)
cipher = None
for f in args: for f in args:
this_vault = _get_vault(f, options, password) this_editor = VaultEditor(cipher, password, f)
this_vault.rekey(new_password) this_editor.rekey_file(new_password)
print "Rekey successful" print "Rekey successful"
......
lib/ansible/utils/__init__.py
...@@ -43,7 +43,8 @@ import getpass ...@@ -43,7 +43,8 @@ import getpass
import sys import sys
import textwrap import textwrap
import vault #import vault
from vault import VaultLib
VERBOSITY=0 VERBOSITY=0
...@@ -501,14 +502,14 @@ def parse_yaml_from_file(path, vault_password=None): ...@@ -501,14 +502,14 @@ def parse_yaml_from_file(path, vault_password=None):
data = None data = None
#VAULT try:
if vault.is_encrypted(path): data = open(path).read()
data = vault.decrypt(path, vault_password) except IOError:
else: raise errors.AnsibleError("file could not read: %s" % path)
try:
data = open(path).read() vault = VaultLib(password=vault_password)
except IOError: if vault.is_encrypted(data):
raise errors.AnsibleError("file could not read: %s" % path) data = vault.decrypt(data)
try: try:
return parse_yaml(data) return parse_yaml(data)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment