Merge pull request #579 from rickmendes/keys-with-passphrases

now handles keys protected with a passphrase
2015-06-30 07:56:41 -04:00 · 2015-06-30 07:56:41 -04:00 · a1b2677c26
commit a1b2677c26
parent 3ab08534f5 2791edc496
1 changed files with 73 additions and 7 deletions
--- a/cloud/amazon/ec2_win_password.py
+++ b/cloud/amazon/ec2_win_password.py
@ -15,14 +15,33 @@ options:
    required: true
  key_file:
    description:
-      - path to the file containing the key pair used on the instance
+      - Path to the file containing the key pair used on the instance.
    required: true
+  key_passphrase:
+    version_added: "2.0"
+    description:
+      - The passphrase for the instance key pair. The key must use DES or 3DES encryption for this module to decrypt it. You can use openssl to convert your password protected keys if they do not use DES or 3DES. ex) openssl rsa -in current_key -out new_key -des3. 
+    required: false
+    default: null
  region:
    description:
      - The AWS region to use.  Must be specified if ec2_url is not used. If not specified then the value of the EC2_REGION environment variable, if any, is used.
    required: false
    default: null
    aliases: [ 'aws_region', 'ec2_region' ]
+  wait:
+    version_added: "2.0"
+    description:
+      - Whether or not to wait for the password to be available before returning.
+    required: false
+    default: "no"
+    choices: [ "yes", "no" ]
+  wait_timeout:
+    version_added: "2.0"
+    description:
+      - Number of seconds to wait before giving up.
+    required: false
+    default: 120

 extends_documentation_fragment: aws
 '''
@ -36,12 +55,34 @@ tasks:
    instance_id: i-XXXXXX
    region: us-east-1
    key_file: "~/aws-creds/my_test_key.pem"
+
+# Example of getting a password with a password protected key
+tasks:
+- name: get the Administrator password
+  ec2_win_password:
+    profile: my-boto-profile
+    instance_id: i-XXXXXX
+    region: us-east-1
+    key_file: "~/aws-creds/my_protected_test_key.pem"
+    key_passphrase: "secret"
+
+# Example of waiting for a password
+tasks:
+- name: get the Administrator password
+  ec2_win_password:
+    profile: my-boto-profile
+    instance_id: i-XXXXXX
+    region: us-east-1
+    key_file: "~/aws-creds/my_test_key.pem"
+    wait: yes
+    wait_timeout: 45
 '''

 from base64 import b64decode
 from os.path import expanduser
 from Crypto.Cipher import PKCS1_v1_5
 from Crypto.PublicKey import RSA
+import datetime

 try:
    import boto.ec2
@ -54,6 +95,9 @@ def main():
    argument_spec.update(dict(
            instance_id = dict(required=True),
            key_file = dict(required=True),
+            key_passphrase = dict(no_log=True, default=None, required=False),
+            wait = dict(type='bool', default=False, required=False),
+            wait_timeout = dict(default=120, required=False),
        )
    )
    module = AnsibleModule(argument_spec=argument_spec)
@ -63,26 +107,48 @@ def main():

    instance_id = module.params.get('instance_id')
    key_file = expanduser(module.params.get('key_file'))
+    key_passphrase = module.params.get('key_passphrase')
+    wait = module.params.get('wait')
+    wait_timeout = int(module.params.get('wait_timeout'))

    ec2 = ec2_connect(module)

-    data = ec2.get_password_data(instance_id)
-    decoded = b64decode(data)
+    if wait:
+        start = datetime.datetime.now()
+        end = start + datetime.timedelta(seconds=wait_timeout)
+
+        while datetime.datetime.now() < end:
+            data = ec2.get_password_data(instance_id)
+            decoded = b64decode(data)
+            if wait and not decoded:
+                time.sleep(5)
+            else:
+                break
+    else:
+        data = ec2.get_password_data(instance_id)
+        decoded = b64decode(data)
+
+    if wait and datetime.datetime.now() >= end:
+        module.fail_json(msg = "wait for password timeout after %d seconds" % wait_timeout)

    f = open(key_file, 'r')
-    key = RSA.importKey(f.read())
+    key = RSA.importKey(f.read(), key_passphrase)
    cipher = PKCS1_v1_5.new(key)
    sentinel = 'password decryption failed!!!'

    try:
-      decrypted = cipher.decrypt(decoded, sentinel)
+        decrypted = cipher.decrypt(decoded, sentinel)
    except ValueError as e:
-      decrypted = None
+        decrypted = None

    if decrypted == None:
        module.exit_json(win_password='', changed=False)
    else:
-        module.exit_json(win_password=decrypted, changed=True)
+        if wait:
+            elapsed = datetime.datetime.now() - start
+            module.exit_json(win_password=decrypted, changed=True, elapsed=elapsed.seconds)
+        else:
+            module.exit_json(win_password=decrypted, changed=True)

 # import module snippets
 from ansible.module_utils.basic import *