edcbef27ec
* Retain vault password as bytes in 2.2
Prior to 2.2.1, the vault password was read in as byes and then remained
bytes all the way through the code. A bug existed where bytes and text
were mixed, leading to a traceback with non-ascii passwords. In devel,
this was fixed by changing the read in password to text type to match
with our overall strategy of converting at the borders. This was
backported to stable-2.2 for the 2.2.1 release.
On reflection, this should not have been backported as it causes
passwords which were originally non-utf-8 to become utf-8. People will
then have their working 2.2.x vault files become in-accessible.
this commit pipes bytes all the way through the system for vault
password. That way if a password is read in as a non-utf-8 character
sequence, it will continue to work in 2.2.2+. This change is only for
the 2.2 branch, not for 2.3 and beyond.
Why not everywhere? The reason is that non-utf-8 passwords will cause
problems when vault files are shared between systems or users. If the
password is read from the prompt and one user/machine has a latin1
encoded locale while a second one has utf-8, the non-ascii password
typed in won't match between machines. Deal with this by making sure
that when we encrypt the data, we always use valid utf-8.
Fixes #20398
(cherry picked from commit 5dcce0666a)
161 lines
5.8 KiB
Python
161 lines
5.8 KiB
Python
# (c) 2012-2014, Michael DeHaan <michael.dehaan@gmail.com>
|
|
#
|
|
# This file is part of Ansible
|
|
#
|
|
# Ansible is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# Ansible is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
# Make coding more python3-ish
|
|
from __future__ import (absolute_import, division, print_function)
|
|
__metaclass__ = type
|
|
|
|
from yaml.constructor import SafeConstructor, ConstructorError
|
|
from yaml.nodes import MappingNode
|
|
|
|
from ansible.module_utils._text import to_bytes
|
|
from ansible.parsing.vault import VaultLib
|
|
from ansible.parsing.yaml.objects import AnsibleMapping, AnsibleSequence, AnsibleUnicode
|
|
from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode
|
|
from ansible.vars.unsafe_proxy import wrap_var
|
|
|
|
try:
|
|
from __main__ import display
|
|
except ImportError:
|
|
from ansible.utils.display import Display
|
|
display = Display()
|
|
|
|
|
|
class AnsibleConstructor(SafeConstructor):
|
|
def __init__(self, file_name=None, b_vault_password=None):
|
|
self._b_vault_password = b_vault_password
|
|
self._ansible_file_name = file_name
|
|
super(AnsibleConstructor, self).__init__()
|
|
self._vaults = {}
|
|
self._vaults['default'] = VaultLib(b_password=self._b_vault_password)
|
|
|
|
def construct_yaml_map(self, node):
|
|
data = AnsibleMapping()
|
|
yield data
|
|
value = self.construct_mapping(node)
|
|
data.update(value)
|
|
data.ansible_pos = self._node_position_info(node)
|
|
|
|
def construct_mapping(self, node, deep=False):
|
|
# Most of this is from yaml.constructor.SafeConstructor. We replicate
|
|
# it here so that we can warn users when they have duplicate dict keys
|
|
# (pyyaml silently allows overwriting keys)
|
|
if not isinstance(node, MappingNode):
|
|
raise ConstructorError(None, None,
|
|
"expected a mapping node, but found %s" % node.id,
|
|
node.start_mark)
|
|
self.flatten_mapping(node)
|
|
mapping = AnsibleMapping()
|
|
|
|
# Add our extra information to the returned value
|
|
mapping.ansible_pos = self._node_position_info(node)
|
|
|
|
for key_node, value_node in node.value:
|
|
key = self.construct_object(key_node, deep=deep)
|
|
try:
|
|
hash(key)
|
|
except TypeError as exc:
|
|
raise ConstructorError("while constructing a mapping", node.start_mark,
|
|
"found unacceptable key (%s)" % exc, key_node.start_mark)
|
|
|
|
if key in mapping:
|
|
display.warning(u'While constructing a mapping from {1}, line {2}, column {3}, found a duplicate dict key ({0}).'
|
|
u' Using last defined value only.'.format(key, *mapping.ansible_pos))
|
|
|
|
value = self.construct_object(value_node, deep=deep)
|
|
mapping[key] = value
|
|
|
|
return mapping
|
|
|
|
def construct_yaml_str(self, node, unsafe=False):
|
|
# Override the default string handling function
|
|
# to always return unicode objects
|
|
value = self.construct_scalar(node)
|
|
ret = AnsibleUnicode(value)
|
|
|
|
ret.ansible_pos = self._node_position_info(node)
|
|
|
|
if unsafe:
|
|
ret = wrap_var(ret)
|
|
|
|
return ret
|
|
|
|
def construct_vault_encrypted_unicode(self, node):
|
|
value = self.construct_scalar(node)
|
|
ciphertext_data = to_bytes(value)
|
|
|
|
if self._b_vault_password is None:
|
|
raise ConstructorError(None, None,
|
|
"found vault but no vault password provided", node.start_mark)
|
|
|
|
# could pass in a key id here to choose the vault to associate with
|
|
vault = self._vaults['default']
|
|
ret = AnsibleVaultEncryptedUnicode(ciphertext_data)
|
|
ret.vault = vault
|
|
return ret
|
|
|
|
def construct_yaml_seq(self, node):
|
|
data = AnsibleSequence()
|
|
yield data
|
|
data.extend(self.construct_sequence(node))
|
|
data.ansible_pos = self._node_position_info(node)
|
|
|
|
def construct_yaml_unsafe(self, node):
|
|
return self.construct_yaml_str(node, unsafe=True)
|
|
|
|
def _node_position_info(self, node):
|
|
# the line number where the previous token has ended (plus empty lines)
|
|
# Add one so that the first line is line 1 rather than line 0
|
|
column = node.start_mark.column + 1
|
|
line = node.start_mark.line + 1
|
|
|
|
# in some cases, we may have pre-read the data and then
|
|
# passed it to the load() call for YAML, in which case we
|
|
# want to override the default datasource (which would be
|
|
# '<string>') to the actual filename we read in
|
|
datasource = self._ansible_file_name or node.start_mark.name
|
|
|
|
return (datasource, line, column)
|
|
|
|
|
|
AnsibleConstructor.add_constructor(
|
|
u'tag:yaml.org,2002:map',
|
|
AnsibleConstructor.construct_yaml_map)
|
|
|
|
AnsibleConstructor.add_constructor(
|
|
u'tag:yaml.org,2002:python/dict',
|
|
AnsibleConstructor.construct_yaml_map)
|
|
|
|
AnsibleConstructor.add_constructor(
|
|
u'tag:yaml.org,2002:str',
|
|
AnsibleConstructor.construct_yaml_str)
|
|
|
|
AnsibleConstructor.add_constructor(
|
|
u'tag:yaml.org,2002:python/unicode',
|
|
AnsibleConstructor.construct_yaml_str)
|
|
|
|
AnsibleConstructor.add_constructor(
|
|
u'tag:yaml.org,2002:seq',
|
|
AnsibleConstructor.construct_yaml_seq)
|
|
|
|
AnsibleConstructor.add_constructor(
|
|
u'!unsafe',
|
|
AnsibleConstructor.construct_yaml_unsafe)
|
|
|
|
AnsibleConstructor.add_constructor(
|
|
u'!vault',
|
|
AnsibleConstructor.construct_vault_encrypted_unicode)
|