added unvault lookup plugin (#69087)

* added unvault lookup plugin

lib/ansible/plugins/lookup/unvault.py

@@ -0,0 +1,61 @@
+# (c) 2020 Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = """
+    lookup: unvault
+    author: ansible core team
+    version_added: "2.10"
+    short_description: read vaulted file(s) contents
+    description:
+        - This lookup returns the contents from vaulted (or not) file(s) on the Ansible controller's file system.
+    options:
+      _terms:
+        description: path(s) of files to read
+        required: True
+    notes:
+      - This lookup does not understand 'globing' nor shell environment variables.
+"""
+
+EXAMPLES = """
+- debug: msg="the value of foo.txt is {{lookup('vault', '/etc/foo.txt')|to_string }}"
+"""
+
+RETURN = """
+  _raw:
+    description:
+      - content of file(s) as bytes
+"""
+
+from ansible.errors import AnsibleParserError
+from ansible.plugins.lookup import LookupBase
+from ansible.module_utils._text import to_text
+from ansible.utils.display import Display
+
+display = Display()
+
+
+class LookupModule(LookupBase):
+
+    def run(self, terms, variables=None, **kwargs):
+
+        self.set_options(direct=kwargs)
+
+        ret = []
+
+        for term in terms:
+            display.debug("Unvault lookup term: %s" % term)
+
+            # Find the file in the expected search path
+            lookupfile = self.find_file_in_search_path(variables, 'files', term)
+            display.vvvv(u"Unvault lookup found %s" % lookupfile)
+            if lookupfile:
+                actual_file = self._loader.get_real_file(lookupfile, decrypt=True)
+                with open(actual_file, 'rb') as f:
+                    b_contents = f.read()
+                ret.append(b_contents)
+            else:
+                raise AnsibleParserError('Unable to find file matching "%s" ' % term)
+
+        return ret

test/integration/targets/lookup_unvault/aliases

@@ -0,0 +1,3 @@
+shippable/posix/group2
+needs/root
+skip/aix

test/integration/targets/lookup_unvault/files/foot.txt

@@ -0,0 +1 @@
+bar

test/integration/targets/lookup_unvault/files/foot.txt.vault

@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+35363932323438383333343462373431376162373631636238353061616565323630656464393939
+3937313630326662336264636662313163343832643239630a646436313833633135353834343364
+63363039663765363365626531643533616232333533383239323234393934356639373136323635
+3632356163343031300a373766636130626237346630653537633764663063313439666135623032
+6139

test/integration/targets/lookup_unvault/runme.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+set -eux
+
+# run tests
+ansible-playbook unvault.yml --vault-password-file='secret' -v "$@"

test/integration/targets/lookup_unvault/secret

@@ -0,0 +1 @@
+ssssshhhhhh

test/integration/targets/lookup_unvault/unvault.yml

@@ -0,0 +1,9 @@
+- name: test vault lookup plugin
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - debug: msg={{lookup('unvault', 'foot.txt.vault')}}
+    - name: verify vault lookup works with both vaulted and unvaulted
+      assert:
+        that:
+            - lookup('unvault', 'foot.txt.vault') == lookup('unvault', 'foot.txt')