def set_vault_password(self, b_vault_password): self._b_vault_password = b_vault_password self._vault = VaultLib(b_password=b_vault_password)
if vaultfile is None: vaultfile = args.vault_file if not os.path.isfile(vaultfile): sys.stderr.write( "No ansible vault found in %s. Either create one or set the environment variable VAULTFILE.\n" % vaultfile) sys.exit(3) vaultpass = os.environ.get("VAULTPASS", None) if vaultpass is None: sys.stderr.write( "Set the VAULTPASS environment variable to unlock the ansible vault.\n" ) sys.exit(3) vault = VaultLib([(DEFAULT_VAULT_ID_MATCH, VaultSecret(vaultpass.encode('utf-8')))]) try: content = vault.decrypt(open(vaultfile).read()) except AnsibleVaultError: sys.stderr.write("Invalid vault password, could not decrypt vault.\n") sys.exit(3) data = yaml.load(content, Loader=yaml.CLoader) cmd = ["terraform", args.action] for key, value in data.items(): cmd.append("--var '{}={}'".format(key, value)) cmd += options runcmd = ' '.join(cmd)
def __init__(self, password): self.password = password self.vault = VaultLib(password)
def __init__(self, vault_password=None): self._basedir = '.' self._vault = VaultLib(password=vault_password)
from ansible.constants import DEFAULT_VAULT_ID_MATCH from ansible.parsing.vault import VaultLib from ansible.parsing.vault import VaultSecret vault = VaultLib([(DEFAULT_VAULT_ID_MATCH, VaultSecret('tower@123'))]) print vault.decrypt( open( '/home/nik/Desktop/git-repo/cloud-ops/python-ops/rest-api/json-outs/env-1.json' ).read())
exit(0) try: # Reading Composer Security Configurations from the input file composer_security_configuration_file = open( composer_security_configuration_file_path, encoding='utf-8') security_configurations = json.load( composer_security_configuration_file) # oneview_credentials_file = open(oneview_credentials_file_path, encoding='utf-8') # oneview_config = json.load(oneview_credentials_file) # Reading OneView configurations from the input file key = getpass("Enter the key to decrypt OneView credentials file : ") oneview_credentials_key = VaultLib([ (DEFAULT_VAULT_ID_MATCH, VaultSecret(key.encode('utf-8'))) ]) oneview_credentials_file = open(oneview_credentials_file_path) oneview_config = json.loads( oneview_credentials_key.decrypt(oneview_credentials_file.read())) # Validating input Composer Security Configurations inputs_state = validate_inputs(security_configurations) if not inputs_state: print("Failed: Input format is invalid.") exit(0) # Defining HPE OneView API endpoints api_endpoints = { "allowSshAccess": "/rest/appliance/ssh-access", "GlobalSettings": "/rest/logindomains/global-settings",
def test_encrypt(self): v = VaultLib(password='******') plaintext = u'Some text to encrypt.' ciphertext = v.encrypt(plaintext) self.assertIsInstance(ciphertext, (bytes, str))
def run(self): super(VaultCLI, self).run() loader = DataLoader() # set default restrictive umask old_umask = os.umask(0o077) vault_ids = self.options.vault_ids # there are 3 types of actions, those that just 'read' (decrypt, view) and only # need to ask for a password once, and those that 'write' (create, encrypt) that # ask for a new password and confirm it, and 'read/write (rekey) that asks for the # old password, then asks for a new one and confirms it. default_vault_ids = C.DEFAULT_VAULT_IDENTITY_LIST vault_ids = default_vault_ids + vault_ids # TODO: instead of prompting for these before, we could let VaultEditor # call a callback when it needs it. if self.action in ['decrypt', 'view', 'rekey', 'edit']: vault_secrets = self.setup_vault_secrets( loader, vault_ids=vault_ids, vault_password_files=self.options.vault_password_files, ask_vault_pass=self.options.ask_vault_pass) if not vault_secrets: raise AnsibleOptionsError( "A vault password is required to use Ansible's Vault") if self.action in ['encrypt', 'encrypt_string', 'create']: encrypt_vault_id = None # no --encrypt-vault-id self.options.encrypt_vault_id for 'edit' if self.action not in ['edit']: encrypt_vault_id = self.options.encrypt_vault_id or C.DEFAULT_VAULT_ENCRYPT_IDENTITY vault_secrets = None vault_secrets = \ self.setup_vault_secrets(loader, vault_ids=vault_ids, vault_password_files=self.options.vault_password_files, ask_vault_pass=self.options.ask_vault_pass, create_new_password=True) if len(vault_secrets) > 1 and not encrypt_vault_id: raise AnsibleOptionsError( "The vault-ids %s are available to encrypt. Specify the vault-id to encrypt with --encrypt-vault-id" % ','.join([x[0] for x in vault_secrets])) if not vault_secrets: raise AnsibleOptionsError( "A vault password is required to use Ansible's Vault") encrypt_secret = match_encrypt_secret( vault_secrets, encrypt_vault_id=encrypt_vault_id) # only one secret for encrypt for now, use the first vault_id and use its first secret # TODO: exception if more than one? self.encrypt_vault_id = encrypt_secret[0] self.encrypt_secret = encrypt_secret[1] if self.action in ['rekey']: encrypt_vault_id = self.options.encrypt_vault_id or C.DEFAULT_VAULT_ENCRYPT_IDENTITY # print('encrypt_vault_id: %s' % encrypt_vault_id) # print('default_encrypt_vault_id: %s' % default_encrypt_vault_id) # new_vault_ids should only ever be one item, from # load the default vault ids if we are using encrypt-vault-id new_vault_ids = [] if encrypt_vault_id: new_vault_ids = default_vault_ids if self.options.new_vault_id: new_vault_ids.append(self.options.new_vault_id) new_vault_password_files = [] if self.options.new_vault_password_file: new_vault_password_files.append( self.options.new_vault_password_file) new_vault_secrets = \ self.setup_vault_secrets(loader, vault_ids=new_vault_ids, vault_password_files=new_vault_password_files, ask_vault_pass=self.options.ask_vault_pass, create_new_password=True) if not new_vault_secrets: raise AnsibleOptionsError( "A new vault password is required to use Ansible's Vault rekey" ) # There is only one new_vault_id currently and one new_vault_secret, or we # use the id specified in --encrypt-vault-id new_encrypt_secret = match_encrypt_secret( new_vault_secrets, encrypt_vault_id=encrypt_vault_id) self.new_encrypt_vault_id = new_encrypt_secret[0] self.new_encrypt_secret = new_encrypt_secret[1] loader.set_vault_secrets(vault_secrets) # FIXME: do we need to create VaultEditor here? its not reused vault = VaultLib(vault_secrets) self.editor = VaultEditor(vault) self.execute() # and restore umask os.umask(old_umask)
def set_secrets(cls, secrets): cls._vaults['default'] = VaultLib(secrets=secrets)
def create(self): try: print('') new_file = self.args.file if new_file is None: new_file = input('File to create: ') if os.path.exists(os.path.join(self.args.vault_path, new_file)): eprint('This file already exists') sys.exit(2) plugin_name = self.args.plugin if plugin_name is None: plugin_name = input('Keyring plugin name to use [' + ', '.join(list_plugins()) + ']: ') plugin = self.get_plugin_instance(plugin_name) id = plugin.generate_id(self.args.plugin_vars) print('New ID to use: ' + id) print('') stdin_pass = self.args.stdin_pass if not stdin_pass and sys.stdin.isatty(): password = getpass.getpass('New password: '******'Confirm password: '******'Passwords missmatch') sys.exit(2) else: password = sys.stdin.read() password = password.strip() if password == '': print('Your password is empty !') sys.exit(2) except KeyboardInterrupt: print('') sys.exit(0) try: new_version = plugin.set_password(id, password) id = plugin.append_id_version(new_version) vault_metadata = get_metadata(self.args.vault_path) vault_metadata['vault_ids'].append({ METADATA_ID_KEY: id, METADATA_PLUGIN_KEY: plugin_name, METADATA_VAULT_FILES: [new_file] }) write_metadata(vault_metadata, self.args.vault_path) VaultLib = get_vault_lib() vault_api = VaultLib(_make_secrets(password)) with open(os.path.join(self.args.vault_path, new_file), 'w') as stream: encrypted = vault_api.encrypt('---') stream.write(encrypted) except Exception as e: eprint(e) sys.exit(2) if (self.args.verbose): import traceback traceback.print_exc()
def encrypt(self, to_encrypt): """Encrypts a scalar value using ansible-vault""" return VaultLib().encrypt(to_encrypt, self.generate_secrets())
def setUp(self): self.v = VaultLib('test-vault-password')
def __init__(self, vault_password=None): self._basedir = '.' self._vault_password = vault_password self._FILE_CACHE = dict() self._vault = VaultLib(password=vault_password)
def run(self): super(VaultCLI, self).run() loader = DataLoader() # set default restrictive umask old_umask = os.umask(0o077) vault_ids = self.options.vault_ids # there are 3 types of actions, those that just 'read' (decrypt, view) and only # need to ask for a password once, and those that 'write' (create, encrypt) that # ask for a new password and confirm it, and 'read/write (rekey) that asks for the # old password, then asks for a new one and confirms it. default_vault_ids = C.DEFAULT_VAULT_IDENTITY_LIST vault_ids = default_vault_ids + vault_ids # TODO: instead of prompting for these before, we could let VaultEditor # call a callback when it needs it. if self.action in ['decrypt', 'view', 'rekey']: vault_secrets = self.setup_vault_secrets( loader, vault_ids=vault_ids, vault_password_files=self.options.vault_password_files, ask_vault_pass=self.options.ask_vault_pass) if not vault_secrets: raise AnsibleOptionsError( "A vault password is required to use Ansible's Vault") if self.action in ['encrypt', 'encrypt_string', 'create', 'edit']: if len(vault_ids) > 1: raise AnsibleOptionsError( "Only one --vault-id can be used for encryption") vault_secrets = None vault_secrets = \ self.setup_vault_secrets(loader, vault_ids=vault_ids, vault_password_files=self.options.vault_password_files, ask_vault_pass=self.options.ask_vault_pass, create_new_password=True) if not vault_secrets: raise AnsibleOptionsError( "A vault password is required to use Ansible's Vault") encrypt_secret = match_encrypt_secret(vault_secrets) # only one secret for encrypt for now, use the first vault_id and use its first secret # self.encrypt_vault_id = list(vault_secrets.keys())[0] # self.encrypt_secret = vault_secrets[self.encrypt_vault_id][0] self.encrypt_vault_id = encrypt_secret[0] self.encrypt_secret = encrypt_secret[1] if self.action in ['rekey']: new_vault_ids = [] if self.options.new_vault_id: new_vault_ids.append(self.options.new_vault_id) new_vault_secrets = \ self.setup_vault_secrets(loader, vault_ids=new_vault_ids, vault_password_files=self.options.new_vault_password_files, ask_vault_pass=self.options.ask_vault_pass, create_new_password=True) if not new_vault_secrets: raise AnsibleOptionsError( "A new vault password is required to use Ansible's Vault rekey" ) # There is only one new_vault_id currently and one new_vault_secret new_encrypt_secret = match_encrypt_secret(new_vault_secrets) self.new_encrypt_vault_id = new_encrypt_secret[0] self.new_encrypt_secret = new_encrypt_secret[1] loader.set_vault_secrets(vault_secrets) # FIXME: do we need to create VaultEditor here? its not reused vault = VaultLib(vault_secrets) self.editor = VaultEditor(vault) self.execute() # and restore umask os.umask(old_umask)
def test_is_encrypted_bytes(self): v = VaultLib(None) assert not v.is_encrypted( b"foobar"), "encryption check on plaintext failed" data = b"$ANSIBLE_VAULT;9.9;TEST\n%s" + hexlify(b"ansible") assert v.is_encrypted(data), "encryption check on headered text failed"
def __init__(self, file_name=None, vault_password=None): self._vault_password = vault_password self._ansible_file_name = file_name super(AnsibleConstructor, self).__init__() self._vaults = {} self._vaults['default'] = VaultLib(password=self._vault_password)
def test_decrypt_decrypted(self): if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2: raise SkipTest v = VaultLib('ansible') data = "ansible" self.assertRaises(errors.AnsibleError, v.decrypt, data)
def __init__(self, file_name=None, vault_secrets=None): self._ansible_file_name = file_name super(AnsibleConstructor, self).__init__() self._vaults = {} self.vault_secrets = vault_secrets or [] self._vaults['default'] = VaultLib(secrets=self.vault_secrets)
def _vault_editor(self, vault_secrets=None): if vault_secrets is None: vault_secrets = self._secrets(self.vault_password) return VaultEditor(VaultLib(vault_secrets))
def set_vault_password(self, vault_password): self._vault_password = vault_password self._vault = VaultLib(password=vault_password)
# Opening input files kickstart_files = { "rhel7_master": "kickstart_files/ks_rhel7.cfg", "rhel7_worker": "kickstart_files/ks_rhel7_worker.cfg", "esxi67": "kickstart_files/ks_esxi67.cfg" } config_path = 'input_files/config.json' servers_path = 'input_files/server_details.json' # Chckign if input files exist or not if os.path.exists(config_path) and os.path.exists(servers_path): # Enter decryption key to decrypt input files key = getpass("Enter Key:") try: config_vault = VaultLib([(DEFAULT_VAULT_ID_MATCH, VaultSecret(key.encode('utf-8')))]) # Opening config file configuration_file = open(config_path) # Decrypting config.json file config = json.loads(config_vault.decrypt( configuration_file.read())) server_vault = VaultLib([(DEFAULT_VAULT_ID_MATCH, VaultSecret(key.encode('utf-8')))]) # Opening server details file server_input_file = open(servers_path) # Decrypting server_details.json file servers = json.loads(server_vault.decrypt( server_input_file.read())) except Exception as e: print(