#!/usr/bin/env python # (c) 2014, James Tanner <tanner.jc@gmail.com> # # Ansible is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Ansible is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Ansible. If not, see <http://www.gnu.org/licenses/>. # # ansible-vault is a script that encrypts/decrypts YAML files. See # http://docs.ansible.com/playbooks_vault.html for more details. __requires__ = ['ansible'] try: import pkg_resources except Exception: # Use pkg_resources to find the correct versions of libraries and set # sys.path appropriately when there are multiversion installs. But we # have code that better expresses the errors in the places where the code # is actually used (the deps are optional for many code paths) so we don't # want to fail here. pass import os import sys import traceback import ansible.constants as C from ansible import utils from ansible import errors from ansible.utils.vault import VaultEditor from optparse import OptionParser #------------------------------------------------------------------------------------- # Utility functions for parsing actions/options #------------------------------------------------------------------------------------- VALID_ACTIONS = ("create", "decrypt", "edit", "encrypt", "rekey", "view") def build_option_parser(action): """ Builds an option parser object based on the action the user wants to execute. """ usage = "usage: %%prog [%s] [--help] [options] file_name" % "|".join(VALID_ACTIONS) epilog = "\nSee '%s <command> --help' for more information on a specific command.\n\n" % os.path.basename(sys.argv[0]) OptionParser.format_epilog = lambda self, formatter: self.epilog parser = OptionParser(usage=usage, epilog=epilog) if not action: parser.print_help() sys.exit() # options for all actions #parser.add_option('-c', '--cipher', dest='cipher', default="AES256", help="cipher to use") parser.add_option('--debug', dest='debug', action="store_true", help="debug") parser.add_option('--vault-password-file', dest='password_file', help="vault password file", default=C.DEFAULT_VAULT_PASSWORD_FILE) # options specific to actions if action == "create": parser.set_usage("usage: %prog create [options] file_name") elif action == "decrypt": parser.set_usage("usage: %prog decrypt [options] file_name") elif action == "edit": parser.set_usage("usage: %prog edit [options] file_name") elif action == "view": parser.set_usage("usage: %prog view [options] file_name") elif action == "encrypt": parser.set_usage("usage: %prog encrypt [options] file_name") elif action == "rekey": parser.set_usage("usage: %prog rekey [options] file_name") # done, return the parser return parser def get_action(args): """ Get the action the user wants to execute from the sys argv list. """ for i in range(0,len(args)): arg = args[i] if arg in VALID_ACTIONS: del args[i] return arg return None def get_opt(options, k, defval=""): """ Returns an option from an Optparse values instance. """ try: data = getattr(options, k) except: return defval if k == "roles_path": if os.pathsep in data: data = data.split(os.pathsep)[0] return data #------------------------------------------------------------------------------------- # Command functions #------------------------------------------------------------------------------------- def execute_create(args, options, parser): if len(args) > 1: raise errors.AnsibleError("'create' does not accept more than one filename") if not options.password_file: password, new_password = utils.ask_vault_passwords(ask_vault_pass=True, confirm_vault=True) else: password = utils.read_vault_file(options.password_file) cipher = 'AES256' if hasattr(options, 'cipher'): cipher = options.cipher this_editor = VaultEditor(cipher, password, args[0]) this_editor.create_file() def execute_decrypt(args, options, parser): if not options.password_file: password, new_password = utils.ask_vault_passwords(ask_vault_pass=True) else: password = utils.read_vault_file(options.password_file) cipher = 'AES256' if hasattr(options, 'cipher'): cipher = options.cipher for f in args: this_editor = VaultEditor(cipher, password, f) this_editor.decrypt_file() print "Decryption successful" def execute_edit(args, options, parser): if len(args) > 1: raise errors.AnsibleError("edit does not accept more than one filename") if not options.password_file: password, new_password = utils.ask_vault_passwords(ask_vault_pass=True) else: password = utils.read_vault_file(options.password_file) cipher = None for f in args: this_editor = VaultEditor(cipher, password, f) this_editor.edit_file() def execute_view(args, options, parser): if len(args) > 1: raise errors.AnsibleError("view does not accept more than one filename") if not options.password_file: password, new_password = utils.ask_vault_passwords(ask_vault_pass=True) else: password = utils.read_vault_file(options.password_file) cipher = None for f in args: this_editor = VaultEditor(cipher, password, f) this_editor.view_file() def execute_encrypt(args, options, parser): if not options.password_file: password, new_password = utils.ask_vault_passwords(ask_vault_pass=True, confirm_vault=True) else: password = utils.read_vault_file(options.password_file) cipher = 'AES256' if hasattr(options, 'cipher'): cipher = options.cipher for f in args: this_editor = VaultEditor(cipher, password, f) this_editor.encrypt_file() print "Encryption successful" def execute_rekey(args, options, parser): if not options.password_file: password, __ = utils.ask_vault_passwords(ask_vault_pass=True) else: password = utils.read_vault_file(options.password_file) __, new_password = utils.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True) cipher = None for f in args: this_editor = VaultEditor(cipher, password, f) this_editor.rekey_file(new_password) print "Rekey successful" #------------------------------------------------------------------------------------- # MAIN #------------------------------------------------------------------------------------- def main(): action = get_action(sys.argv) parser = build_option_parser(action) (options, args) = parser.parse_args() if not len(args): raise errors.AnsibleError( "The '%s' command requires a filename as the first argument" % action ) # execute the desired action try: fn = globals()["execute_%s" % action] fn(args, options, parser) except Exception, err: if options.debug: print traceback.format_exc() print "ERROR:",err sys.exit(1) if __name__ == "__main__": main()