Commit graph

241 commits

Author SHA1 Message Date
Adrian Likins
309f54b709 Fix 'vault rekey' with vault secret env var
if ANSIBLE_VAULT_PASSWORD_FILE is set, 'ansible-vault rekey myvault.yml'
will fail to prompt for the new vault password file, and will use
None.

Fix is to split out 'ask_vault_passwords' into 'ask_vault_passwords'
and 'ask_new_vault_passwords' to make the logic simpler. And then
make sure new_vault_pass is always set for 'rekey', and if not, then
call ask_new_vault_passwords() to set it.

ask_vault_passwords() would return values for vault_pass and new
vault_pass, and vault cli previously would not prompt for new_vault_pass
if there was a vault_pass set via a vault password file.

Fixes #18247
2016-11-01 13:07:48 -04:00
Andrew Gaffney
194c9c41eb Fix search path for relative paths in roles (fixes #17877)
(cherry picked from commit 72f0aaf606)
2016-10-17 11:21:46 -04:00
Toshio Kuratomi
bf3d546d9a Only dispkay failure to use cryptography at a higher verbosity
Fixes #17982
2016-10-12 10:48:36 -07:00
James Cammarata
c9d3d2b9a0 Allow for empty source in dwim_path_relative_stack
Fixes #17192
2016-09-21 16:16:14 -05:00
Toshio Kuratomi
2989527cd9 Fix dataloader using deprecated version of is_encrypted (#17615) 2016-09-17 00:45:29 -07:00
Toshio Kuratomi
8af8eec789 Merge pull request #17590 from abadger/vault-fixes
Vault fixes
2016-09-15 18:39:34 -07:00
Toshio Kuratomi
e70066a6f7 Many Cleanups to vault
* Make is_encrypted_file handle both files opened in text and binary mode
  On python3, by default files are opened in text mode.  Since we know
  the encoding of vault files (and especially the header which is the
  first set of bytes) we can decide whether the file is an encrypted
  vault file in either case.
* Fix is_encrypted_file not resetting the file position
* Update is_encrypted_file to check that all the data in the file is ascii
* For is_encrypted_file(), add start_pos and count parameters
  This allows callers to specify reading vaulttext from the middle of
  a file if necessary.
* Combine VaultLib.encrypt() and VaultLib.encrypt_bytestring()
* Change vault's is_encrypted() to take either text or byte strings and to return False if any part of the data is non-ascii.
* Remove unnecessary use of six.b
* Vault Cipher: mark a few methods as private.
* VaultAES256._is_equal throws a TypeError if given non byte strings
* Make VaultAES256 methods that don't need self staticmethods and classmethods
* Mark VaultAES and is_encrypted as deprecated
* Get rid of VaultFile (unused and feature implemented in a different way)
* Normalize variable and parameter names on plaintext, ciphertext, vaulttext
* Normalize variable and parameter names on "b_" prefix when dealing with bytes
* Test changes:
  * Remove redundant tests( both checking the same byte string)
  * Fix use of format string without format operator
  * Enable vault editor tests on python3
  * Initialize the vault_cipher for VaultAES256 testing in setUp()
  * Make assertTrue and assertFalse take the actual method calls for
    better error messages.
  * Test that non-ascii byte strings compare correctly.
  * Test that unicode strings and ints raise TypeError

* Test-specific:
  * Removed test_methods_exist().  We only have one VaultLib so the
    implementation is the assurance that the methods exist. (Can use an abc for
    this if it changes).
  * Add tests for both byte string and text string input where the API takes either.
  * Convert "assert" to unittest assert functions or add a custom message where
    that will make failures easier to debug.
  * Move instantiating the VaultLib into setUp().
2016-09-15 15:22:06 -07:00
jctanner
b93de25204 During initial argument evaluation, cast args to string. (#17595)
Later in the stack, further code will check and inform the user that var names must start with a letter
or underscore, so this fix only allows us to get to that previously existing policy.

Fixes #16008
2016-09-15 16:41:11 -04:00
Matt Davis
f497d771c8 win_shell/win_command changes + tests (#17557) 2016-09-15 11:25:56 -07:00
Toshio Kuratomi
4ed88512e4 Move uses of to_bytes, to_text, to_native to use the module_utils version (#17423)
We couldn't copy to_unicode, to_bytes, to_str into module_utils because
of licensing.  So once created it we had two sets of functions that did
the same things but had different implementations.  To remedy that, this
change removes the ansible.utils.unicode versions of those functions.
2016-09-06 22:54:17 -07:00
Brian Coca
f25ec5adb3 fix action parsing to avoid conflicts agin 2016-08-26 16:15:55 -04:00
Brian Coca
bd9094c925 include_role (role revamp implementation) (#17232)
* attempt #11 to role_include

* fixes from jimi-c

* do not override load_data, move all to load

* removed debugging

* implemented tasks_from parameter, must break cache

* fixed issue with cache and tasks_from

* make resolution of from_tasks prioritize literal

* avoid role dependency dedupe when include_role

* fixed role deps and handlers are now loaded

* simplified code, enabled k=v parsing

used example from jimi-c

* load role defaults for task when include_role

* fixed issue with from_Tasks overriding all subdirs

* corrected priority order of main candidates

* made tasks_from a more generic interface to roles

* fix block inheritance and handler order

* allow vars: clause into included role

* pull vars already processed vs from raw data

* fix from jimi-c blocks i broke

* added back append for dynamic includes

* only allow for basename in from parameter

* fix for docs when no default

* fixed notes

* added include_role to changelog
2016-08-26 13:42:13 -04:00
Adrian Likins
e396d5d508 Implement vault encrypted yaml variables. (#16274)
Make !vault-encrypted create a AnsibleVaultUnicode
yaml object that can be used as a regular string object.

This allows a playbook to include a encrypted vault
blob for the value of a yaml variable. A 'secret_password'
variable can have it's value encrypted instead of having
to vault encrypt an entire vars file.

Add __ENCRYPTED__ to the vault yaml types so
template.Template can treat it similar
to __UNSAFE__ flags.

vault.VaultLib api changes:
    - Split VaultLib.encrypt to encrypt and encrypt_bytestring

    - VaultLib.encrypt() previously accepted the plaintext data
      as either a byte string or a unicode string.
      Doing the right thing based on the input type would fail
      on py3 if given a arg of type 'bytes'. To simplify the
      API, vaultlib.encrypt() now assumes input plaintext is a
      py2 unicode or py3 str. It will encode to utf-8 then call
      the new encrypt_bytestring(). The new methods are less
      ambiguous.

    - moved VaultLib.is_encrypted logic to vault module scope
      and split to is_encrypted() and is_encrypted_file().

Add a test/unit/mock/yaml_helper.py
It has some helpers for testing parsing/yaml

Integration tests added as roles test_vault and test_vault_embedded
2016-08-23 20:03:11 -04:00
Toshio Kuratomi
76f9935634 Add some missing imports from last night's py3 fixes (#17196) 2016-08-23 08:06:20 -07:00
Toshio Kuratomi
313d4b2c9e Move a path being passed around as a byte string to being passed around as a text string. (#17190)
This is enough to get minimal copy module working on python3

We have t omodify dataloader's path_dwim_relative_stack and everything
that calls it to use text paths instead of byte string paths
2016-08-22 21:55:30 -07:00
Toshio Kuratomi
384a01fcff Fix tmpfile misspelled as tmplfile (#17183) 2016-08-22 11:31:42 -07:00
Dag Wieers
cb5675a29f Remove a useless section, only act on 'shell' (#16205) 2016-08-12 10:13:02 -07:00
Brian Coca
4e14b7b783 warn when searching for an empty string or null 2016-07-26 08:26:07 -04:00
nyasukun
adea1f2b80 fixed memoryerror when coping huge file (#16392)
* fixed

* support both python 2 and 3
2016-07-22 09:06:06 -04:00
Toshio Kuratomi
84c1697271 Only show the traceback for importing cryptography when in Ansible Debug. (#16795) 2016-07-22 05:40:43 -07:00
Shintaro Kaneko
372018dfce Fix typo in lib/ansible/parsing/__init__.py (#16761) 2016-07-20 18:03:50 -04:00
Connor Osborn
b06c61c49b Fix exceptions thrown from cryptography import (#16723)
A simple import of cryptography can throw several types of errors. For example,
if `setuptools` is less than cryptography's minimum requirement of 11.3, then
this import of cryptography will throw a VersionConflict here. An earlier case
threw a DistributionNotFound exception.

An optional dependency should not stop ansible. If the error is more than
an ImportError, log a warning, so that errors can be fixed in ansible or
elsewhere.
2016-07-20 03:32:23 -07:00
Brian Coca
2bb7feec6d Search path (#16387)
* smarter function to figure out relative paths

takes list of paths in order of relevance to current task
and does the dwim magic on them

* shared function for action plugins using new dwim

unify path construction and error info/messaging
made include and role non exclusive
corrected order and now smarter about tasks
includes inside roles are currently broken as they don't provide the correct role data
make dirname full match to avoid corner cases

* migrated action plugins to new dwim function

reported plugins to use exceptions instead of info

* clarified needle
2016-06-28 17:23:30 -04:00
jctanner
1db02dfb71 If decryption of a vaulted file failed, include the filename in the error. (#16329)
Fixes #16327
2016-06-18 09:30:08 -04:00
Peter Oliver
95cfceda98 Catch DistributionNotFound when pycrypto is absent (#15731)
* Catch DistributionNotFound when pycrypto is absent

On Solaris 11, module `pkg_resources` throws `DistributionNotFound` on import if `cryptography` is installed but `pycrypto` is not.  This change causes that situation to be handled gracefully.

I'm not using Paramiko or Vault, so I my understanding is that I don't
need `pycrpto`.  I could install `pycrypto` to make the error go away, but:
- The latest released version of `pycrypto` doesn't build cleanly on Solaris (https://github.com/dlitz/pycrypto/issues/184).
- Solaris includes an old version of GMP that triggers warnings every time Ansible runs (https://github.com/ansible/ansible/issues/6941).  I notice that I can silence these warnings with `system_warnings` in `ansible.cfg`, but not installing `pycrypto` seems like a safer solution.

* Ignore only `pkg_resources.DistributionNotFound`, not other exceptions.
2016-05-19 11:39:34 -07:00
Brian Coca
e0573d3099 make vi the default editor if no EDITOR
fixes #15577
2016-05-03 09:39:19 -04:00
Toshio Kuratomi
b8a988e922 bytes when passing to os.path.* and opening the file, text at other times
Fixes #15644
2016-04-29 22:20:22 -07:00
Toshio Kuratomi
e386a51cf8 Trnasform file name to bytes before opening it to avoid unicode errors if python tries to encode it implicitly 2016-04-19 08:33:01 -07:00
Brian Coca
5940d3d45b fixes to vault/copy
rm _del_ as it might leak memory
renamed to tmp file cleanup
added exception handling when traversing file list, even if one fails try rest
added cleanup to finally to ensure removal in most cases
2016-04-14 14:12:48 -04:00
Cambell
cdf6e3e4bf feature/copy-vault-dataloader: Add method get_real_file(file_path) to dataloader
- get_real_file will decrypt vault encrypted files and return a path to
  a temporary file.

- cleanup_real_file will remove a temporary file created previously with
  get_real_file
2016-04-14 14:12:48 -04:00
James Cammarata
f2713f764c Take previous jinja2 blocks into account in splitter when we see quotes
Previously, split_args() was not taking print/block/comment depth into account
when splitting things, meaning that if there was a quote character inside an
un-quoted variable (ie. {{ foo | some_filter(' ') }}), it was incorrectly
splitting on the quotes instead of continuing to append to the previous param.

Fixes #13630
2016-03-28 15:43:43 -04:00
Konstantin Suvorov
1c922135a0 show error context in args splitter exception 2016-03-24 16:50:21 +03:00
Toshio Kuratomi
2ba4428424 Catch ValueError as well because of El Capitan provoking a bug in python2's subprocess
Fixes #14895
2016-03-18 05:52:53 -07:00
Matt Clay
5b79ed77e7 Use to_bytes on filenames in filesystem calls. 2016-03-04 09:08:41 -08:00
Brian Coca
e762095497 better task parsing errors
fixes #14790
2016-03-03 19:51:15 -05:00
Brian Coca
cc3cb0f65e fix issues with older yaml lib versions
also added missing json import and removed unused ones
2016-03-03 18:13:36 -05:00
Brian Coca
ea5e089056 restore initial json parsing attempt to loader
fixes issues with extra vars json strings not being parsed correctly by the yaml parser
2016-03-03 13:26:50 -05:00
Toshio Kuratomi
4657be4eab Transform pathnames to bytes before passing on to os.path functions 2016-03-03 09:03:28 -08:00
James Cammarata
7c049c3200 Fixing up jsonify and adding unit tests 2016-02-29 14:51:23 -05:00
Toshio Kuratomi
1f2595306a normalize path components to unicode before combining or operating on them
Note that this will break if we deal with non-utf8 paths.  Fixing this
way because converting everythig to byte strings instead is a very
invasive task so it should be done as a specific feature to provide
support for non-utf8 paths at some point in the future (if needed).
2016-02-26 10:29:37 -08:00
Toshio Kuratomi
ef8bec18bf Use a unicode format string so that we don't convert to byte strings
Fixes #14349
2016-02-26 10:29:37 -08:00
Matt Martz
38b663471d Merge pull request #14311 from sivel/unsafe-yaml-constructor
Add new 'unsafe' YAML constructor
2016-02-23 11:29:53 -06:00
Brian Coca
0f73fb0d6f better error messages when failing to decrypt 2016-02-18 08:57:28 -08:00
Jonathan Davila
b220051c14 Added more info to the no action detected error
Error fix
2016-02-08 16:51:10 -05:00
Matt Martz
8bc2d3be9c Add new 'unsafe' YAML constructor 2016-02-04 10:08:42 -06:00
Brian Coca
db375c22af load now does not modify the incomming data
also removed json loader as yaml loader can do both
2016-01-28 19:43:17 -05:00
Brian Coca
c063803a91 raise AnsibleError as an 'expected' exception
fixes #14065
2016-01-25 22:20:55 -05:00
Brian Coca
f26adcc7da avoid shredding empty files, also x/0
also cleaned up unused import and exception var
2016-01-21 10:54:56 -05:00
James Cammarata
46e515131e Allow module args as k=v pairs when using the module: option with local_action
This task format is valid in 1.x, but was broken in 2.x:
  - local_action:
     module: shell echo "hello world"
2016-01-18 14:32:44 -05:00
Toshio Kuratomi
4958180333 use integer division instead of floating point division.
Fixes #13855
2016-01-13 12:35:28 -08:00
Eric Feliksik
11ce08b9dd cleaner implementation and random chunk length. 2016-01-05 18:04:38 +01:00
Eric Feliksik
151e09d129 use unix shred if possible, otherwise fast custom impl; do not shred encrypted file 2016-01-05 01:43:42 +01:00
Eric Feliksik
1e911375e8 add docs, remove unnecessary int() cast 2016-01-04 18:13:59 +01:00
Eric Feliksik
7193d27acc add os.fsync() so that the shredding data (hopefully) hits the drive 2016-01-04 17:22:18 +01:00
Eric Feliksik
946b82bef7 shred ansible-vault tmp_file. Also when editor is interruped. 2015-12-30 18:21:34 +01:00
Brian Coca
75e94e0cba allow for non standard hostnames
* Changed parse_addresses to throw exceptions instead of passing None
* Switched callers to trap and pass through the original values.
* Added very verbose notice
* Look at deprecating this and possibly validate at plugin instead
fixes #13608
2015-12-21 13:42:34 -05:00
James Cammarata
8716bf8021 All variables in complex args again
Also updates the CHANGELOG to note the slight change, where bare variables
in args are no longer allowed to be bare variables

Fixes #13518
2015-12-16 16:39:08 -05:00
James Cammarata
2b36343451 Missed one place we were appending the incorrectly escaped item to raw params 2015-12-09 17:58:44 -05:00
James Cammarata
1799de8528 Preserve original token when appending to _raw_params in parse_kv
Fixes #13311
2015-12-08 15:06:36 -05:00
Toshio Kuratomi
a8e015cc22 Add representers so we can output yaml for all the types we read in from yaml 2015-12-06 22:17:47 -08:00
Monty Taylor
d20e67d708 Put in trap for args being None
_normalize_old_style_args can return None. If it does, the loop
"for args in args" blows up.
2015-11-28 13:38:11 -05:00
Yannig Perré
2fc7c8b460 More restrictive test against variable name to allow setting variable starting with _. 2015-11-28 10:35:06 +01:00
Yannig Perré
2c54fb1339 Switch parameters validation after parsing in order to be more consistent between old and new style. 2015-11-26 13:33:58 +01:00
Matteo Acerbi
0127d32652 Fix DataLoader's docstring
DataLoader.__init__ doesn't take an argument named vault_password
2015-11-18 11:20:34 +01:00
Abhijit Menon-Sen
7caefa5cd9 Fix typo 2015-11-03 10:57:48 +05:30
Brian Coca
00bc74404a vault noe preserves permissions on edit and rekey and sets a restricitve default umask for all other cases 2015-10-31 14:13:03 -04:00
Toshio Kuratomi
e3e2db1119 Improve the warning message about duplicate yaml dict keys 2015-10-27 14:20:36 -07:00
Toshio Kuratomi
4203850d1a Break apart a looped dependency to show a warning when parsing playbooks
Display a warning when a dict key is overwritten by pyyaml
Fixes #12888
2015-10-27 12:39:42 -07:00
James Cammarata
86de1429e5 Cleaning up FIXMEs 2015-10-22 16:03:50 -04:00
James Cammarata
0bbe9d5bd0 Make hostvars json/yaml serializable in filters
Fixes #12615
2015-10-18 10:09:05 -04:00
Toshio Kuratomi
b23a083776 Make vault use a mapping of cipher name to classes instead of formatting the name for safety. 2015-10-16 10:05:27 -07:00
Toshio Kuratomi
baa309309d Bundle a new version of python-six for compatibility along with some code to make it easy for distributions to override the bunndled copy if they have a new enough version. 2015-10-16 08:21:28 -07:00
Marius Gedminas
98958ec990 Simplify join expression 2015-10-16 17:39:27 +03:00
Marius Gedminas
56184a3d8c Python 3: avoid %-formatting of byte strings
This is needed for Python 3.4 compatibility; Python 3.5 can use
`b'%s\n' bytestring` again.
2015-10-16 17:18:35 +03:00
Toshio Kuratomi
85abd61001 Add some more info to docstring 2015-10-14 18:57:10 -07:00
Brian Coca
abf2e13955 Revert "Track local_action internally to prevent it from being overridden"
This reverts commit 49ca0eb797.
2015-10-09 13:01:32 -04:00
Brian Coca
101c8785ec removed changes to make local action equate connection=local and brought it back to equate delegate_to=localhost 2015-10-09 13:01:32 -04:00
Brian Coca
3705d54485 fixed error reporting on splitter 2015-10-01 19:03:04 -04:00
Brian Coca
a680ef66dd fixed vault password file script execution 2015-10-01 18:49:51 -04:00
Abhijit Menon-Sen
0bb34fd076 Make «ansible-vault view» not write plaintext to a tempfile
CLI already provides a pager() method that feeds $PAGER on stdin, so we
just feed that the plaintext from the vault file. We can also eliminate
the redundant and now-unused shell_pager_command method in VaultEditor.
2015-09-30 22:13:36 +05:30
Toshio Kuratomi
dcdcd9e9c5 Move is_executable to the toplevel of basic.py so we can utilize it from other code 2015-09-25 07:48:57 -07:00
James Cammarata
95b371dd60 Use AnsibleFileNotFound instead of AnsibleParsingError when YAML files are not found
And update portions of code to expect the proper error.

Fixes #12512
2015-09-24 16:27:25 -04:00
Marius Gedminas
fc0dcc3947 Python 3: there's no basestring
Fixes one failing test.

Now technically a filename can be a bytestring, even on Python 3.  I
hope this is unlikely for Ansible.
2015-09-22 08:42:33 +03:00
Toshio Kuratomi
627f9d73ba Detect if core modules aren't installed and warn if that is the case
Fixes #11206
2015-09-21 12:31:51 -07:00
Abhijit Menon-Sen
2d420a9bb7 Allow hexadecimal ranges in IPv6 addresses, not only 0-9 2015-09-17 23:32:58 +05:30
Abhijit Menon-Sen
349eec7855 Fix missing colon (typo) in IPv6 pattern 2015-09-17 19:34:33 +05:30
James Cammarata
4f30db8ca5 Check if path is /dev/null when checking if a file is in fact a file 2015-09-14 14:41:22 -04:00
James Cammarata
49ca0eb797 Track local_action internally to prevent it from being overridden
Fixes #12053
2015-09-14 12:11:58 -04:00
James Cammarata
aa762bb432 Don't split args out unless we're parsing module args using the new style
Fixes #12331
2015-09-12 17:50:05 -04:00
Abhijit Menon-Sen
7479ab47e0 Be stricter about parsing hostname labels
Labels must start with an alphanumeric character, may contain
alphanumeric characters or hyphens, but must not end with a hyphen.
We enforce those rules, but allow underscores wherever hyphens are
accepted, and allow alphanumeric ranges anywhere.

We relax the definition of "alphanumeric" to include Unicode characters
even though such inventory hostnames cannot be used in practice unless
an ansible_ssh_host is set for each of them.

We still don't enforce length restrictions—the fact that we have to
accept ranges makes it more complex, and it doesn't seem especially
worthwhile.
2015-09-11 21:47:19 +05:30
Abhijit Menon-Sen
065bb52109 Be systematic about parsing and validating hostnames and addresses
This adds a parse_address(pattern) utility function that returns
(host,port), and uses it wherever where we accept IPv4 and IPv6
addresses and hostnames (or host patterns): the inventory parser
the the add_host action plugin.

It also introduces a more extensive set of unit tests that supersedes
the old add_host unit tests (which didn't actually test add_host, but
only the parsing function).
2015-09-11 21:47:18 +05:30
Marius Gedminas
b95e3d18a7 Python 3: use the right PyYAML SafeRepresenter for unicode
PyYAML has a SafeRepresenter in lib/... that defines

    def represent_unicode(self, data):
        return self.represent_scalar(u'tag:yaml.org,2002:str', data)

and a different SafeRepresenter in lib3/... that defines

    def represent_str(self, data):
        return self.represent_scalar('tag:yaml.org,2002:str', data)

so the right thing to do on Python 3 is to use represent_str.

(AnsibleUnicode is a subclass of six.text_type, i.e. 'str' on Python 3.)
2015-09-10 08:57:53 +03:00
James Cammarata
ff9f5d7dc8 Starting to add additional unit tests for VariableManager
Required some rewiring in inventory code to make sure we're using
the DataLoader class for some data file operations, which makes mocking
them much easier.

Also identified two corner cases not currently handled by the code, related
to inventory variable sources and which one "wins". Also noticed we weren't
properly merging variables from multiple group/host_var file locations
(inventory directory vs. playbook directory locations) so fixed as well.
2015-09-04 16:41:38 -04:00
Marius Gedminas
37be9539ff Python 3: use six.text_type instead of unicode
Replace 'unicode' with six.text_type, everywhere but in module_utils.
2015-09-04 08:40:10 +03:00
Toshio Kuratomi
86b2982005 Merge pull request #12112 from amenonsen/vault-stdio
Implement cat-like filtering behaviour for encrypt/decrypt
2015-08-27 11:26:48 -07:00
Abhijit Menon-Sen
090cfc9e03 More helpful prompts from ansible-vault encrypt/decrypt
Now we issue a "Reading … from stdin" prompt if our input isatty(), as
gpg does. We also suppress the "x successful" confirmation message at
the end if we're part of a pipeline.

(The latter requires that we not close sys.stdout in VaultEditor, and
for symmetry we do the same for sys.stdin, though it doesn't matter in
that case.)
2015-08-27 22:04:18 +05:30
Abhijit Menon-Sen
e7eebb6954 Implement cat-like filtering behaviour for encrypt/decrypt
This allows the following invocations:

    # Interactive use, like gpg
    ansible-vault encrypt --output x

    # Non-interactive, for scripting
    echo plaintext|ansible-vault encrypt --output x

    # Separate input and output files
    ansible-vault encrypt input.yml --output output.yml

    # Existing usage (in-place encryption) unchanged
    ansible-vault encrypt inout.yml

…and the analogous cases for ansible-vault decrypt as well.

In all cases, the input and output files can be '-' to read from stdin
or write to stdout. This permits sensitive data to be encrypted and
decrypted without ever hitting disk.
2015-08-27 22:04:18 +05:30
Abhijit Menon-Sen
8fc8bf9439 Simplify VaultEditor methods
We don't need to keep creating VaultLibs everywhere, and we don't need
to keep checking for errors because VaultLib does it already.
2015-08-27 22:04:18 +05:30
Abhijit Menon-Sen
e99395f0c0 Don't create a VaultLib in each method; do it in __init__ instead 2015-08-27 22:04:18 +05:30
Abhijit Menon-Sen
159887a6c9 Remove deprecated and unused VaultAES encryption code
Now that VaultLib always decides to use AES256 to encrypt, we don't need
this broken code any more. We need to be able to decrypt this format for
a while longer, but encryption support can be safely dropped.
2015-08-27 16:54:39 +05:30
Abhijit Menon-Sen
b84053019a Make the filename the first argument to rekey_file 2015-08-26 19:54:59 +05:30
Abhijit Menon-Sen
20fd9224bb Pass the filename to the individual VaultEditor methods, not __init__
Now we don't have to recreate VaultEditor objects for each file, and so
on. It also paves the way towards specifying separate input and output
files later.
2015-08-26 19:17:37 +05:30
Abhijit Menon-Sen
a27c5741a1 Remove inaccurate outdated comment 2015-08-26 18:31:45 +05:30
Abhijit Menon-Sen
f91ad3dabe Don't pass the cipher around so much
It's unused and unnecessary; VaultLib can decide for itself what cipher
to use when encrypting. There's no need (and no provision) for the user
to override the cipher via options, so there's no need for code to see
if that has been done either.
2015-08-26 18:31:45 +05:30
Abhijit Menon-Sen
017566a2d9 Use AES256 if the cipher is not write-whitelisted 2015-08-26 18:09:21 +05:30
Abhijit Menon-Sen
47bcdf5952 Remove incorrect copy-pasted comment 2015-08-26 18:09:21 +05:30
Toshio Kuratomi
d2c948dd6a Remove decrypted vault temp_file mistakenly left from patch making vault edit idempotent
This bug was introduced in commit f8bf2ba on July 27.  Hasn't gone out
in a release yet.
2015-08-25 14:51:32 -07:00
Toshio Kuratomi
a3fd4817ef Unicode and other fixes for vault 2015-08-25 12:43:09 -07:00
Brian Coca
144da7e7d1 Merge pull request #11765 from ldx/vault_pbkdf2hmac
Use PBKDF2HMAC() from cryptography for vault keys.
2015-08-21 11:06:00 -04:00
Brian Coca
7a4a156d91 changed local_action to alias to connection=local vs delegate_to=localhost
fixes #11998, but still leaves issue of delegate_to: localhost not working
2015-08-18 18:31:29 -04:00
James Cammarata
eb381bd522 Add one more search path to path_dwim_relative 2015-08-13 09:53:09 -04:00
James Cammarata
d9833f227f Make sure cached data from file loads isn't impacted by modifications
Fixes #11893
2015-08-12 14:30:43 -04:00
Toshio Kuratomi
e8452c864e Restore the relative path handling portion of #11865 2015-08-06 07:28:22 -07:00
Brian Coca
b9433650d1 Revert "Path of group_vars and host_vars were getting the basedir added twice."
in view of simpler solution incomming from james
This reverts commit bae7a02be5.
2015-08-06 10:09:43 -04:00
Toshio Kuratomi
bae7a02be5 Path of group_vars and host_vars were getting the basedir added twice.
Fix inventory so this won't happen and fix DataLoader so that it will
test relative paths relative to self._basedir

Fixes #11789
2015-08-05 17:41:17 -07:00
Chris Church
6969b5ac8b Make sure raw doesn't eat key=value arguments. 2015-08-02 11:57:32 -04:00
Vilmos Nebehaj
58cccce384 Use PBKDF2HMAC() from cryptography for vault keys.
When stretching the key for vault files, use PBKDF2HMAC() from the
cryptography package instead of pycrypto. This will speed up the opening
of vault files by ~10x.

The problem is here in lib/ansible/utils/vault.py:

    hash_function = SHA256

    # make two keys and one iv
    pbkdf2_prf = lambda p, s: HMAC.new(p, s, hash_function).digest()

    derivedkey = PBKDF2(password, salt, dkLen=(2 * keylength) + ivlength,
                        count=10000, prf=pbkdf2_prf)

`PBKDF2()` calls a Python callback function (`pbkdf2_pr()`) 10000 times.
If one has several vault files, this will cause excessive start times
with `ansible` or `ansible-playbook` (we experience ~15 second startup
times).

Testing the original implementation in 1.9.2 with a vault file:

In [2]: %timeit v.decrypt(encrypted_data)
1 loops, best of 3: 265 ms per loop

Having a recent OpenSSL version and using the vault.py changes in this commit:

In [2]: %timeit v.decrypt(encrypted_data)
10 loops, best of 3: 23.2 ms per loop
2015-07-28 14:51:36 +02:00
Pablo Figue
f8bf2ba1bd Encrypt the vault file after editing only if the contents changed 2015-07-26 14:41:34 +05:30
James Cammarata
73aa5686cc Remove octal escapes from unicode escape handling
Fixes #11673
2015-07-25 16:30:11 -04:00
James Cammarata
e526743b4f Allowing args: "{{some_var}}" for task params again
This is unsafe and we debated re-adding it to the v2/2.0 codebase,
however it is a common-enough feature that we will simply mark it
as deprecated for now and remove it at some point in the future.

Fixes #11718
2015-07-24 10:33:12 -04:00
Brian Coca
b9050ecf18 fixed file lookup pathing in dwim functinos, now does specific paths and priorities and is commented
fixes #11672 as cwd is now not part of thos paths:
if full path is supplied, used that
2015-07-22 20:58:24 -04:00
Brian Coca
827b0443c8 now dataloader checkis that you get at least a valid string as a file name 2015-07-21 08:47:13 -04:00
James Cammarata
165fff8a1e Fixing module arg parsing splitting when action is a variable
Fixes #11122
2015-07-15 12:03:02 -04:00
James Cammarata
f40b66d841 Make sure the basedir is unicode
Fixes #10773
2015-07-12 16:40:00 -04:00
Brian Coca
e4097ed279 simplified ansible errors, moved md5 hash import with notes to be more prominent 2015-07-11 14:24:00 -04:00
Toshio Kuratomi
ddac6fa9f3 Update exception handling to be python3 compat 2015-07-08 08:59:42 -07:00
Toshio Kuratomi
49e17b8ff6 Get rid of an unused import so that we don't have circular imports 2015-07-06 14:19:13 -07:00
Toshio Kuratomi
f44f9569e1 Test unquote works as expected and fix two bugs:
* escaped end quote
* a single quote character
2015-07-06 13:16:42 -07:00
James Cammarata
bddadc9565 Fix bug in relative path determination 2015-07-04 23:18:54 -04:00
Brian Coca
b76dbb01cc generalized prereqs check
added vaultfile class for action and lookup plugin usage
2015-06-16 09:20:15 -04:00
Toshio Kuratomi
c3caff5eeb Fix for six version 1.1.0 (rhel6). 2015-06-03 10:25:07 -07:00
Toshio Kuratomi
d8c8ca11cf Add compatibility for old version of six (present on rhel7) 2015-06-03 08:45:36 -07:00
Brian Coca
5622fc23bc fixed frozen set, missing iterable 2015-06-02 23:35:15 -04:00
Brian Coca
48c0d6388f moved RAW var to class and as a frozenset 2015-06-02 23:35:15 -04:00
Brian Coca
e0ef217f97 Revert "Adding raw module to list of modules allowing raw params"
This reverts commit bc041ffea0.
same fix x2 does not fix it 'more'
2015-06-02 13:33:33 -04:00
James Cammarata
bc041ffea0 Adding raw module to list of modules allowing raw params
Fixes #11119
2015-06-02 08:42:24 -05:00
Brian Coca
e251e70178 added raw to 'raw' modules 2015-06-02 08:54:37 -04:00
James Cammarata
4bc7703db3 Fixing some small bugs related to integration tests (v2) 2015-06-01 16:42:10 -05:00
James Cammarata
b94e2a1f4e Fixing bugs related to parsing and fixing up parsing integration tests (v2) 2015-05-13 11:27:12 -05:00
Toshio Kuratomi
3a87b2727d Fix format strings for python2.6 2015-05-08 13:11:04 -07:00
James Cammarata
ce3ef7f4c1 Making the switch to v2 2015-05-03 21:47:26 -05:00