241 lines
7.6 KiB
Python
Executable file
241 lines
7.6 KiB
Python
Executable file
#!/usr/bin/env python
|
|
|
|
# (c) 2014, James Tanner <tanner.jc@gmail.com>
|
|
#
|
|
# Ansible is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# Ansible is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
# ansible-vault is a script that encrypts/decrypts YAML files. See
|
|
# http://docs.ansible.com/playbooks_vault.html for more details.
|
|
|
|
__requires__ = ['ansible']
|
|
try:
|
|
import pkg_resources
|
|
except Exception:
|
|
# Use pkg_resources to find the correct versions of libraries and set
|
|
# sys.path appropriately when there are multiversion installs. But we
|
|
# have code that better expresses the errors in the places where the code
|
|
# is actually used (the deps are optional for many code paths) so we don't
|
|
# want to fail here.
|
|
pass
|
|
|
|
import os
|
|
import sys
|
|
import traceback
|
|
|
|
import ansible.constants as C
|
|
|
|
from ansible import utils
|
|
from ansible import errors
|
|
from ansible.utils.vault import VaultEditor
|
|
|
|
from optparse import OptionParser
|
|
|
|
#-------------------------------------------------------------------------------------
|
|
# Utility functions for parsing actions/options
|
|
#-------------------------------------------------------------------------------------
|
|
|
|
VALID_ACTIONS = ("create", "decrypt", "edit", "encrypt", "rekey", "view")
|
|
|
|
def build_option_parser(action):
|
|
"""
|
|
Builds an option parser object based on the action
|
|
the user wants to execute.
|
|
"""
|
|
|
|
usage = "usage: %%prog [%s] [--help] [options] file_name" % "|".join(VALID_ACTIONS)
|
|
epilog = "\nSee '%s <command> --help' for more information on a specific command.\n\n" % os.path.basename(sys.argv[0])
|
|
OptionParser.format_epilog = lambda self, formatter: self.epilog
|
|
parser = OptionParser(usage=usage, epilog=epilog)
|
|
|
|
if not action:
|
|
parser.print_help()
|
|
sys.exit()
|
|
|
|
# options for all actions
|
|
#parser.add_option('-c', '--cipher', dest='cipher', default="AES256", help="cipher to use")
|
|
parser.add_option('--debug', dest='debug', action="store_true", help="debug")
|
|
parser.add_option('--vault-password-file', dest='password_file',
|
|
help="vault password file", default=C.DEFAULT_VAULT_PASSWORD_FILE)
|
|
|
|
# options specific to actions
|
|
if action == "create":
|
|
parser.set_usage("usage: %prog create [options] file_name")
|
|
elif action == "decrypt":
|
|
parser.set_usage("usage: %prog decrypt [options] file_name")
|
|
elif action == "edit":
|
|
parser.set_usage("usage: %prog edit [options] file_name")
|
|
elif action == "view":
|
|
parser.set_usage("usage: %prog view [options] file_name")
|
|
elif action == "encrypt":
|
|
parser.set_usage("usage: %prog encrypt [options] file_name")
|
|
elif action == "rekey":
|
|
parser.set_usage("usage: %prog rekey [options] file_name")
|
|
|
|
# done, return the parser
|
|
return parser
|
|
|
|
def get_action(args):
|
|
"""
|
|
Get the action the user wants to execute from the
|
|
sys argv list.
|
|
"""
|
|
for i in range(0,len(args)):
|
|
arg = args[i]
|
|
if arg in VALID_ACTIONS:
|
|
del args[i]
|
|
return arg
|
|
return None
|
|
|
|
def get_opt(options, k, defval=""):
|
|
"""
|
|
Returns an option from an Optparse values instance.
|
|
"""
|
|
try:
|
|
data = getattr(options, k)
|
|
except:
|
|
return defval
|
|
if k == "roles_path":
|
|
if os.pathsep in data:
|
|
data = data.split(os.pathsep)[0]
|
|
return data
|
|
|
|
#-------------------------------------------------------------------------------------
|
|
# Command functions
|
|
#-------------------------------------------------------------------------------------
|
|
|
|
def execute_create(args, options, parser):
|
|
if len(args) > 1:
|
|
raise errors.AnsibleError("'create' does not accept more than one filename")
|
|
|
|
if not options.password_file:
|
|
password, new_password = utils.ask_vault_passwords(ask_vault_pass=True, confirm_vault=True)
|
|
else:
|
|
password = utils.read_vault_file(options.password_file)
|
|
|
|
cipher = 'AES256'
|
|
if hasattr(options, 'cipher'):
|
|
cipher = options.cipher
|
|
|
|
this_editor = VaultEditor(cipher, password, args[0])
|
|
this_editor.create_file()
|
|
|
|
def execute_decrypt(args, options, parser):
|
|
|
|
if not options.password_file:
|
|
password, new_password = utils.ask_vault_passwords(ask_vault_pass=True)
|
|
else:
|
|
password = utils.read_vault_file(options.password_file)
|
|
|
|
cipher = 'AES256'
|
|
if hasattr(options, 'cipher'):
|
|
cipher = options.cipher
|
|
|
|
for f in args:
|
|
this_editor = VaultEditor(cipher, password, f)
|
|
this_editor.decrypt_file()
|
|
|
|
print "Decryption successful"
|
|
|
|
def execute_edit(args, options, parser):
|
|
|
|
if len(args) > 1:
|
|
raise errors.AnsibleError("edit does not accept more than one filename")
|
|
|
|
if not options.password_file:
|
|
password, new_password = utils.ask_vault_passwords(ask_vault_pass=True)
|
|
else:
|
|
password = utils.read_vault_file(options.password_file)
|
|
|
|
cipher = None
|
|
|
|
for f in args:
|
|
this_editor = VaultEditor(cipher, password, f)
|
|
this_editor.edit_file()
|
|
|
|
def execute_view(args, options, parser):
|
|
|
|
if len(args) > 1:
|
|
raise errors.AnsibleError("view does not accept more than one filename")
|
|
|
|
if not options.password_file:
|
|
password, new_password = utils.ask_vault_passwords(ask_vault_pass=True)
|
|
else:
|
|
password = utils.read_vault_file(options.password_file)
|
|
|
|
cipher = None
|
|
|
|
for f in args:
|
|
this_editor = VaultEditor(cipher, password, f)
|
|
this_editor.view_file()
|
|
|
|
def execute_encrypt(args, options, parser):
|
|
|
|
if not options.password_file:
|
|
password, new_password = utils.ask_vault_passwords(ask_vault_pass=True, confirm_vault=True)
|
|
else:
|
|
password = utils.read_vault_file(options.password_file)
|
|
|
|
cipher = 'AES256'
|
|
if hasattr(options, 'cipher'):
|
|
cipher = options.cipher
|
|
|
|
for f in args:
|
|
this_editor = VaultEditor(cipher, password, f)
|
|
this_editor.encrypt_file()
|
|
|
|
print "Encryption successful"
|
|
|
|
def execute_rekey(args, options, parser):
|
|
|
|
if not options.password_file:
|
|
password, __ = utils.ask_vault_passwords(ask_vault_pass=True)
|
|
else:
|
|
password = utils.read_vault_file(options.password_file)
|
|
|
|
__, new_password = utils.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)
|
|
|
|
cipher = None
|
|
for f in args:
|
|
this_editor = VaultEditor(cipher, password, f)
|
|
this_editor.rekey_file(new_password)
|
|
|
|
print "Rekey successful"
|
|
|
|
#-------------------------------------------------------------------------------------
|
|
# MAIN
|
|
#-------------------------------------------------------------------------------------
|
|
|
|
def main():
|
|
|
|
action = get_action(sys.argv)
|
|
parser = build_option_parser(action)
|
|
(options, args) = parser.parse_args()
|
|
|
|
if not len(args):
|
|
raise errors.AnsibleError(
|
|
"The '%s' command requires a filename as the first argument" % action
|
|
)
|
|
|
|
# execute the desired action
|
|
try:
|
|
fn = globals()["execute_%s" % action]
|
|
fn(args, options, parser)
|
|
except Exception, err:
|
|
if options.debug:
|
|
print traceback.format_exc()
|
|
print "ERROR:",err
|
|
sys.exit(1)
|
|
|
|
if __name__ == "__main__":
|
|
main()
|