def populate_credetials(self, config, credentials_path, vaultpass):
if ansible_ver < 4 or is_py2:
secret = [("default",
VaultSecret(bytes(vaultpass.encode('utf-8'))))]
vault = VaultLib(secret)
cred = open(credentials_path, "rb").read()
cred = vault.decrypt(cred)
ret_str = ""
for asc in cred:
ret_str += asc
tmpf = open("tmppass", 'w')
tmpf.write(ret_str)
tmpf.close()
tmpparser = RawConfigParser()
tmpparser.read("tmppass")
os.remove("tmppass")
else:
secret = [("default", VaultSecret(bytes(vaultpass, "utf-8")))]
vault = VaultLib(secret)
cred = open(credentials_path, "rb").read()
cred = vault.decrypt(cred)
ret_str = ""
for asc in cred:
ret_str += (chr(int(asc)))
tmpparser = RawConfigParser()
tmpparser.read_string(ret_str)
config.__set_credentials__(parser=tmpparser)
def __init__(self):
"""
This constructor function provides variables from the input files.
"""
# Retrieving secret variables from config_secrets.json file
encrypted_file = open("config_secrets.json")
key = getpass("Enter key for encrypted variables:")
# Configuring key and decrypting encrypted variables
config_vault = VaultLib([(DEFAULT_VAULT_ID_MATCH,
VaultSecret(key.encode('utf-8')))])
config = json.loads(config_vault.decrypt(encrypted_file.read()))
# Closing opened encrypted file
encrypted_file.close()
#Retrieving variables from user_input.json file
with open("user_input.json", "r") as json_fp:
input_json_data = json.load(json_fp)
self.username = config["CONSOLE_USERNAME"]
self.password = config["CONSOLE_PASSWORD"]
self.controller_IP = input_json_data["CONTROLLER_IP"]
self.cluster_name = input_json_data["CLUSTER_NAME"]
self.expand_shrink = input_json_data["EXPAND_OR_SHRINK"]
self.host_ips = input_json_data["HOST_IP's"]
self.host_role = input_json_data["HOST_ROLE"]
def __init__(self, password):
self.text = b''
self.err = ''
self.password = password
if password:
self.vault = VaultLib([(DEFAULT_VAULT_ID_MATCH,
VaultSecret(password.encode("utf-8")))])
def write(self):
cleartext = yaml.dump(self.data)
vault = VaultLib([(DEFAULT_VAULT_ID_MATCH,
VaultSecret(self.keyphrase.encode('utf-8')))])
ciphered = vault.encrypt(cleartext)
with open(self.path, 'wb') as f:
f.write(ciphered)
def __init__(self, password):
"""Create a vault."""
self.password = password
pass_bytes = to_bytes(password, encoding='utf-8', errors='strict')
secrets = [('password', VaultSecret(_bytes=pass_bytes))]
# pylint: disable=unexpected-keyword-arg, no-value-for-parameter
self.vault = VaultLib(secrets=secrets)
def setup_vault_secrets(self, loader, vault_ids, vault_password_files=None, vault_pass=None):
vault_secrets = []
vault_password_files = vault_password_files or []
if C.DEFAULT_VAULT_PASSWORD_FILE:
vault_password_files.append(C.DEFAULT_VAULT_PASSWORD_FILE)
vault_ids = Vault.build_vault_ids(vault_ids, vault_password_files, vault_pass)
for vault_id_slug in vault_ids:
vault_id_name, vault_id_value = Vault.split_vault_id(vault_id_slug)
if vault_id_value == 'vault_pass':
built_vault_id = vault_id_name or C.DEFAULT_VAULT_IDENTITY
# load password
vault_secret = VaultSecret(bytes(vault_pass, 'utf-8'))
vault_secrets.append((built_vault_id, vault_secret))
loader.set_vault_secrets(vault_secrets)
continue
file_vault_secret = get_file_vault_secret(filename=vault_id_value,
vault_id=vault_id_name,
loader=loader)
# an invalid password file will error globally
file_vault_secret.load()
if vault_id_name:
vault_secrets.append((vault_id_name, file_vault_secret))
else:
vault_secrets.append((C.DEFAULT_VAULT_IDENTITY, file_vault_secret))
# update loader with as-yet-known vault secrets
loader.set_vault_secrets(vault_secrets)
return vault_secrets
def get_group_vars(group, inventory, invfile, vaultpass):
try:
from ansible.plugins.loader import vars_loader
from ansible.utils.vars import combine_vars
loader = ansible.parsing.dataloader.DataLoader()
if vaultpass:
if hasattr(loader, 'set_vault_secrets'):
from ansible.module_utils._text import to_bytes
from ansible.parsing.vault import VaultSecret
loader.set_vault_secrets([
('default', VaultSecret(_bytes=to_bytes(vaultpass)))
])
else:
# not tested
loader.set_vault_password(vaultpass)
# variables in inventory file
vars = group.get_vars()
# variables in group_vars related to invfile
for p in vars_loader.all():
gvars = p.get_vars(loader, invfile, group)
vars = combine_vars(vars, gvars)
return vars
except ImportError:
pass
# http://stackoverflow.com/a/197053
vars = inspect.getargspec(inventory.get_group_vars)
if 'return_results' in vars[0]:
return inventory.get_group_vars(group, return_results=True)
else:
return inventory.get_group_vars(group)
def ansible_decrypt(msg):
if config.ANSIBLE_VAULT_HEADER not in msg:
return msg
_, ciphertext = msg.split("\n")
vault = VaultAES256()
secret = VaultSecret(bytes(config.ANSIBLE_SECRET, 'utf-8'))
return str(vault.decrypt(ciphertext, secret), 'utf-8')
def do_unvault(vault, secret, vaultid='filter_default'):
if not isinstance(secret, (string_types, binary_type, Undefined)):
raise AnsibleFilterTypeError(
"Secret passed is required to be as string, instead we got: %s" %
type(secret))
if not isinstance(
vault,
(string_types, binary_type, AnsibleVaultEncryptedUnicode, Undefined)):
raise AnsibleFilterTypeError(
"Vault should be in the form of a string, instead we got: %s" %
type(vault))
data = ''
vs = VaultSecret(to_bytes(secret))
vl = VaultLib([(vaultid, vs)])
if isinstance(vault, AnsibleVaultEncryptedUnicode):
vault.vault = vl
data = vault.data
elif is_encrypted(vault):
try:
data = vl.decrypt(vault)
except UndefinedError:
raise
except Exception as e:
raise AnsibleFilterError("Unable to decrypt: %s" % to_native(e),
orig_exc=e)
else:
data = vault
return to_native(data)
def _make_secrets(self, secret):
if self._ansible_ver < 2.4:
return secret
from ansible.constants import DEFAULT_VAULT_ID_MATCH #@UnresolvedImport
from ansible.parsing.vault import VaultSecret
return [(DEFAULT_VAULT_ID_MATCH, VaultSecret(secret))]
def decrypt_vault(filename,
vault_password=None,
vault_password_file=None,
vault_prompt=False):
"""
filename: name of your encrypted file that needs decrypted.
vault_password: key that will decrypt the vault.
vault_password_file: file containing key that will decrypt the vault.
vault_prompt: Force vault to prompt for a password if everything else fails.
"""
loader = DataLoader()
if vault_password:
vault_secret = [([], VaultSecret(vault_password.encode()))]
elif vault_password_file:
vault_secret = CLI.setup_vault_secrets(loader=loader,
vault_ids=[vault_password_file])
else:
vault_secret = CLI.setup_vault_secrets(loader=loader,
vault_ids=[],
auto_prompt=vault_prompt)
vault = VaultLib(vault_secret)
with open(filename) as f:
unencrypted_yaml = vault.decrypt(f.read())
unencrypted_yaml = yaml.safe_load(unencrypted_yaml)
return unencrypted_yaml
def __initializeData(self):
"""
初始化ansible
"""
Options = namedtuple('Options',
['ansible_python_interpreter', 'connection', 'module_path', 'forks', 'become',
'become_method', 'become_user', 'check',
'diff', 'private_key_file', 'remote_user'])
self.loader = DataLoader()
# 加载hosts文件解密密码
self.loader.set_vault_secrets(
[('default', VaultSecret(_bytes=to_bytes(self.ansible_vault_key)))])
self.options = Options(ansible_python_interpreter=self.ansible_python_interpreter,
connection='ssh', module_path='', forks=100, become=None,
become_method=None, become_user=self.become_user,
check=False, diff=False, private_key_file=self.private_key_file,
remote_user=self.ansible_ssh_user)
self.passwords = dict(conn_pass=self.passwords)
self.inventory = InventoryManager(
loader=self.loader, sources=self.resource)
self.variable_manager = VariableManager(
loader=self.loader, inventory=self.inventory)
def makeVaultLib(passwordBytes, vaultId="default"):
if passwordBytes:
if isinstance(passwordBytes, six.string_types):
passwordBytes = to_bytes(passwordBytes)
vault_secrets = [(vaultId, VaultSecret(passwordBytes))]
return VaultLib(secrets=vault_secrets)
return None
def get_play_prereqs_2_4(self, options):
loader = DataLoader()
if self.vault_pass:
loader.set_vault_secrets([
('default', VaultSecret(_bytes=to_bytes(self.vault_pass)))
])
# create the inventory, and filter it based on the subset specified (if any)
inventory = InventoryManager(loader=loader, sources=options.inventory)
# create the variable manager, which will be shared throughout
# the code, ensuring a consistent view of global variables
try:
# Ansible 2.8
variable_manager = VariableManager(
loader=loader,
inventory=inventory,
version_info=self.version_info(ansible_version))
variable_manager._extra_vars = self.extra_vars
except TypeError:
variable_manager = VariableManager(loader=loader,
inventory=inventory)
variable_manager.extra_vars = self.extra_vars
variable_manager.options_vars = {
'ansible_version': self.version_info(ansible_version)
}
return loader, inventory, variable_manager
def make_vault_lib_ex(secrets: List[Tuple[str, Union[str, bytes]]]):
vault_secrets = []
for vaultId, passwordBytes in secrets:
if isinstance(passwordBytes, six.string_types):
passwordBytes = to_bytes(passwordBytes)
vault_secrets.append((vaultId, VaultSecret(passwordBytes)))
return VaultLib(secrets=vault_secrets)
def read(self):
vault = VaultLib([(DEFAULT_VAULT_ID_MATCH,
VaultSecret(self.keyphrase.encode('utf-8')))])
with open(self.path) as f:
ciphered = f.read()
cleartext = vault.decrypt(ciphered)
self.data = yaml.safe_load(cleartext)
def __init__(self):
"""
This constructor function provides encrypted as well as normal variables based input files.
"""
# Retriving secret variables from config_secrets.json file
encrypted_file = open("config_secrets.json")
key = getpass("Enter key for encrypted variables:")
# Configuring key and decrypting encrypted variables
config_vault = VaultLib([(DEFAULT_VAULT_ID_MATCH, VaultSecret(key.encode('utf-8')))])
config = json.loads(config_vault.decrypt(encrypted_file.read()))
# Closing opened encrypted file
encrypted_file.close()
# Retriving all user input files from file into a variable
with open ("userinput.json", "r") as json_fp:
input_json_data = json.load(json_fp)
self.username = config["OPENSHIFT_USERNAME"]
self.password = config["OPENSHIFT_PASSWORD"]
self.oc_host = ":".join([input_json_data["OPENSHIFT_DOMAIN"], input_json_data["OPENSHIFT_PORT"]])
self.operator_list = input_json_data["OPENSHIFT_OPERATOR_LIST"]
self.channel_list = input_json_data["OPERATOR_CHANNEL_LIST"]
self.source_list = input_json_data["OPERATOR_SOURCE_LIST"]
self.install_plan_approval_list = input_json_data["OPERATOR_INSTALL_PLAN"]
self.namespaces = input_json_data["OPENSHIFT_PROJECT_NAME"]
self.oc_path = input_json_data["OPENSHIFT_CLIENT_PATH"]
self.storage_class_name = input_json_data["OPENSHIFT_STORAGE_CLASS_NAME"]
def do_vault(data,
secret,
salt=None,
vaultid='filter_default',
wrap_object=False):
if not isinstance(secret, (string_types, binary_type, Undefined)):
raise AnsibleFilterTypeError(
"Secret passed is required to be a string, instead we got: %s" %
type(secret))
if not isinstance(data, (string_types, binary_type, Undefined)):
raise AnsibleFilterTypeError(
"Can only vault strings, instead we got: %s" % type(data))
vault = ''
vs = VaultSecret(to_bytes(secret))
vl = VaultLib()
try:
vault = vl.encrypt(to_bytes(data), vs, vaultid, salt)
except UndefinedError:
raise
except Exception as e:
raise AnsibleFilterError("Unable to encrypt: %s" % to_native(e),
orig_exc=e)
if wrap_object:
vault = AnsibleVaultEncryptedUnicode(vault)
else:
vault = to_native(vault)
return vault
def _make_secrets(self, secret):
if parse_version(ansible.__version__) < parse_version('2.4'):
return secret
from ansible.constants import DEFAULT_VAULT_ID_MATCH
from ansible.parsing.vault import VaultSecret
return [(DEFAULT_VAULT_ID_MATCH, VaultSecret(secret))]
def make_secret(secret):
""" creates vault secret based on the version of ansible being ran"""
if ANSIBLE_VER < 2.4:
return secret
from ansible.constants import DEFAULT_VAULT_ID_MATCH
from ansible.parsing.vault import VaultSecret
return [(DEFAULT_VAULT_ID_MATCH, VaultSecret(secret))]
def _make_secrets(self, secret):
if _ANSIBLE_VER < 2.4:
return secret
from ansible.constants import DEFAULT_VAULT_ID_MATCH
from ansible.parsing.vault import VaultSecret
return [(DEFAULT_VAULT_ID_MATCH, VaultSecret(secret))]
def make_secrets(secret):
"""Create ansible compatible secret."""
if parse_version(ansible.__version__) < parse_version("2.4"):
return secret
from ansible.constants import DEFAULT_VAULT_ID_MATCH
from ansible.parsing.vault import VaultSecret
return [(DEFAULT_VAULT_ID_MATCH, VaultSecret(secret))]
def runplaybook(inventory, playbook, project, bname, secret):
loader = DataLoader()
invlist = []
invlist.append(inventory)
inv = InventoryManager(loader=loader, sources=invlist)
variable_manager = VariableManager(loader=loader, inventory=inv)
pblist = []
pblist.append(playbook)
if secret != '':
loader.set_vault_secrets([('default',
VaultSecret(_bytes=to_bytes(secret)))])
passwords = {}
Options = namedtuple('Options', [
'connection', 'remote_user', 'ask_sudo_pass', 'verbosity', 'ack_pass',
'module_path', 'forks', 'become', 'become_method', 'become_user',
'check', 'listhosts', 'listtasks', 'listtags', 'syntax', 'sudo_user',
'sudo', 'diff'
])
options = Options(connection='smart',
remote_user=None,
ack_pass=None,
sudo_user=None,
forks=5,
sudo=None,
ask_sudo_pass=False,
verbosity=5,
module_path=None,
become=None,
become_method=None,
become_user=None,
check=False,
diff=False,
listhosts=None,
listtasks=None,
listtags=None,
syntax=None)
pb = PlaybookExecutor(loader=loader,
playbooks=pblist,
inventory=inv,
variable_manager=variable_manager,
passwords=passwords,
options=options)
f = open('/opt/Projects/' + project + '/logs/' + bname + 'out.log', 'a+')
# ferr=open('/opt/Projects/'+project+'/logs/'+bname+'err.log','a+')
sys.stdout = f
# sys.stderr = ferr
result = pb.run()
# ferr.close()
f.close()
return result
def __init__(self, config):
self._remote_user = config['ANSIBLE_REMOTE_USER']
self._private_key_file = config['ANSIBLE_PRIVATE_KEY_FILE']
self._base_plays_path = config['ANSIBLE_PLAYBOOKS_WORKING_DIR']
self._verbosity = config.get('ANSIBLE_VERBOSITY', 0)
vault_password = config['ANSIBLE_VAULT_PASSWORD']
password = to_bytes(vault_password)
vault_secret = VaultSecret(_bytes=password)
self._default_secret = [('default', vault_secret)]
def encrypt_value(value, passcode):
secret = VaultSecret(bytes(passcode.encode('ascii')))
editor = VaultEditor()
if not is_encrypted(value):
vaultCode = editor.encrypt_bytes(value, secret).decode('ascii')
else:
vaultCode = value
encrypted_val = '!vault |\n' + (vaultCode)
return encrypted_val
def __init__(self, password):
self.password = password
try:
from ansible.parsing.vault import VaultSecret
from ansible.module_utils._text import to_bytes
pass_bytes = to_bytes(password, encoding='utf-8', errors='strict')
secrets = [('password', VaultSecret(_bytes=pass_bytes))]
self.vault = VaultLib(secrets=secrets)
except ImportError:
self.vault = VaultLib(password)
def get_decrypted_file(fname, vaultpass=None):
if ANSIBLE > 1:
loader = ansible.parsing.dataloader.DataLoader()
if vaultpass:
if hasattr(loader, 'set_vault_secrets'):
loader.set_vault_secrets([('default', VaultSecret(_bytes=to_bytes(vaultpass)))])
else:
# not tested
loader.set_vault_password(vaultpass)
return loader.get_real_file(fname)
else:
return fname
def __init__(self, password):
"""Create a vault."""
self.password = password
try:
from ansible.parsing.vault import VaultSecret
from ansible.module_utils._text import to_bytes
pass_bytes = to_bytes(password, encoding='utf-8', errors='strict')
secrets = [('password', VaultSecret(_bytes=pass_bytes))]
# pylint: disable=unexpected-keyword-arg, no-value-for-parameter
self.vault = VaultLib(secrets=secrets)
except ImportError:
self.vault = VaultLib(password)
def __init__(self, vim):
self.vim = vim
if pynvim.os.environ["ANSIBLE_VAULT_PASSWORD_FILE"]:
with open(pynvim.os.environ["ANSIBLE_VAULT_PASSWORD_FILE"], "r") as fd:
self.vault = VaultLib(
[
(
DEFAULT_VAULT_ID_MATCH,
VaultSecret(to_bytes(fd.read().rstrip())),
)
]
)
def render_POST(self, request):
request.setHeader("Content-Type", "application/json; charset=utf-8")
version, cipher, vault_id = '1.1', 'AES256', ''
is_source_encrypted = True
try:
body = json.loads(request.content.read())
except:
request.setResponseCode(400)
return json.dumps({"value": "bad input object"}).encode('utf-8')
if body.get("password"):
secret = VaultSecret(
to_bytes(body["password"], "utf-8", errors='strict'))
source = body.get("source", "")
source = to_bytes(source, "utf-8", errors='strict')
try:
(payload, version, cipher,
vault) = parse_vaulttext_envelope(source)
except ansible.errors.AnsibleError:
# maybe not encrypted
is_source_encrypted = False
payload = source
try:
this_cipher = CIPHER_MAPPING[cipher]()
except Exception as e:
request.setResponseCode(400)
response_text = e.message
return json.dumps({
"value": "error in %s" % response_text
}).encode('utf-8')
try:
if is_source_encrypted:
response_text = this_cipher.decrypt(payload, secret=secret)
else:
response_text = format_vaulttext_envelope(
this_cipher.encrypt(payload, secret=secret), cipher,
version, vault_id).strip()
except ansible.errors.AnsibleError as e:
request.setResponseCode(400)
response_text = e.message
return json.dumps({"value": response_text}).encode('utf-8')
else:
request.setResponseCode(400)
response_text = b"password not specified"
return json.dumps({
"value": response_text.decode('utf-8')
}).encode('utf-8')