def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) settings = mgmt.tm.gtm.global_settings.metrics.load() assert settings.defaultProbeLimit == 10
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) tg = mgmt.tm.cm.traffic_groups.traffic_group.load(name="my_traffic_group") assert tg.name == "my_traffic_group" assert tg.description == "My traffic group"
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) partition = mgmt.tm.auth.partitions.partition.load(name="my_partition") assert partition.name == "my_partition" assert partition.description == "My partition"
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) td = mgmt.tm.cm.trust_domains.trust_domain.load(name="Root") assert td.name == "Root" assert hasattr(td, "caDevices") is False
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) dc = mgmt.tm.gtm.datacenters.datacenter.load(name="my_datacenter") assert dc.name == "my_datacenter" assert dc.description == "My datacenter" assert dc.contact == "admin@localhost" assert dc.location == "Somewhere"
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) monitor = mgmt.tm.gtm.monitor.tcps.tcp.load(name="my_tcp_monitor", partition="Common") assert monitor.name == "my_tcp_monitor" assert monitor.partition == "Common" assert monitor.description == "My tcp monitor"
def decrypt_file(path, password_file, newpath=None): '''Decrypts an Ansible Vault YAML file and returns a dict. Set newpath to write the result somewhere.''' # log.debug('decrypt_file({}, {}, {})'.format(path, password_file, newpath)) if is_file_secret(path): # log.debug('file is fully encrypted') with open(password_file) as f: vault = Vault(f.read().strip()) # log.debug('vault fetched with password file: {}'.format(password_file)) with open(path) as f: r = vault.load(f.read()) # log.debug('loaded file: {}'.format(r)) else: r = parse_yaml(path) for s in find_yaml_secrets(r): v = get_dict_value(r, s) plaintext = v.decrypt(open(password_file).read().strip()) put_dict_value(r, s, plaintext) if not r: raise ValueError( 'The Vault library extracted nothing from the file. Is it actually encrypted?' ) if newpath: if not os.path.isdir(os.path.dirname(newpath)): os.makedirs(os.path.dirname(newpath)) with open(newpath, 'w+') as f: f.write(yaml.dump(r)) return r
def callback(self, args): file_prefix = os.path.splitext(args.private_key_file)[0] args.vault_password_file = args.vault_password_file or \ "{}.vault_password".format(file_prefix) if os.path.exists(args.vault_password_file): with open(args.vault_password_file, "r") as f: vault_password = f.read().strip() if vault_password is None: raise YBOpsRuntimeError("Unable to read {}".format( args.vault_password_file)) else: raise YBOpsRuntimeError("Vault password file doesn't exists.") if args.vault_file is None: args.vault_file = "{}.vault".format(file_prefix) vault = Vault(vault_password) data = vault.load(open(args.vault_file).read()) if args.has_sudo_password: if not YB_SUDO_PASS: raise YBOpsRuntimeError("Did not find sudo password.") data['ansible_become_pass'] = YB_SUDO_PASS vault.dump(data, open(args.vault_file, 'w')) print( json.dumps({ "vault_file": args.vault_file, "vault_password": args.vault_password_file }))
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) listener = mgmt.tm.gtm.listeners.listener.load( name="my_listener", partition="Common" ) assert listener.name == "my_listener" assert listener.partition == "Common" assert listener.description == "My listener" assert listener.address == "10.10.1.1"
def combine_vault_with_playbook(self, data, content): """Combines the vault data with the playbook data Args: data (dict) content (dict) Returns: dict """ vault = Vault(config.settings['common']['vault_enc_key']) secrets = vault.load(base64.b64decode(data['vault'])) for k, v in content[0]['tasks'][1]['param_pusher'][ 'parameters'].iteritems(): if ('VAULT' in v) and ( k in content[0]['tasks'][1]['param_pusher']['parameters']): if "VAULT_{}".format(k) in secrets: content[0]['tasks'][1]['param_pusher']['parameters'][ k] = secrets["VAULT_" + k] else: print v print "VAULT_{}".format(k) print secrets content[0]['tasks'][1]['param_pusher']['parameters'][ k] = "KEY NAME MISMATCH" return content[0]['tasks'][1]['param_pusher']['parameters']
class AnsibleVaultSearch(object): def __init__(self, vault_password, vault_path): try: self.vault = Vault(vault_password) self.data = self.vault.load(open(vault_path).read()) except Exception as e: raise e def search(self, query, raw_structure): obj = None last_attr = None for attr in query.split("."): try: if not obj: last_attr = attr obj = self.data[attr] else: last_attr = attr obj = obj[attr] except (TypeError, KeyError): # Type not dictionary, so fail as not implemented obj = getattr(obj, attr) if raw_structure: print obj else: json_obj = json.dumps({last_attr: obj}) print json_obj
def decrypt(vault_string, vault_pass): """Decrypt a VaultString object with a specified Vault pass.""" if not isinstance(vault_string, VaultString): raise TypeError('vault_string must be an instance of VaultString') vault = Vault(vault_pass) return vault.load(vault_string.value)
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) dg = mgmt.tm.cm.device_groups.device_group.load(name="my_device_group") assert dg.name == "my_device_group" assert dg.description == "My device group" devices = dg.devices_s.get_collection() assert len(devices) == 1 decrypted_device_name = vault.load(vars["device_name"]["__ansible_vault"]) assert devices[0].name == decrypted_device_name
def get_yaml_vault_data(): """Gets data from vault and prints it.""" vault_pass_file = open(ARGS.vault_password_file, "r") vault_password = vault_pass_file.read() vault = Vault(vault_password.rstrip()) vault_data = vault.load(open(ARGS.vaultfile).read()) myoutput = vault_data.get(ARGS.yaml_key) return myoutput
def convert(yaml_file, vault_pass, out_file=None): if not out_file: out_file = yaml_file vault = Vault(vault_pass) unencrypted_data = vault.load(open(yaml_file).read()) encrypted_data = encrypt_values(unencrypted_data, vault_pass) yaml.safe_dump(encrypted_data, open(out_file, 'w'), default_style='|', default_flow_style=False)
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) user = mgmt.tm.auth.users.user.load(name="user1") assert user.name == "user1" assert user.description == "User 1" partition_access = [ {"name": "Common", "role": "guest"}, {"name": "Test", "role": "operator"}, ] assert not DeepDiff( partition_access, user.partitionAccess, exclude_regex_paths={r"root\[\d+\]\['nameReference'\]"}, )
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) decrypted_device_name = vault.load(vars["device_name"]["__ansible_vault"]) decrypted_device_internal_ip = vault.load( vars["device_internal_ip"]["__ansible_vault"]) device = mgmt.tm.cm.devices.device.load(name=decrypted_device_name) assert device.name == decrypted_device_name assert device.comment == "My lab device" assert device.configsyncIp == decrypted_device_internal_ip assert device.contact == "admin@localhost" assert device.description == "My device" assert device.haCapacity == 10 assert device.location == "Central Office"
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) policy = mgmt.tm.auth.password_policy.load() assert policy.expirationWarning == 5 assert policy.maxDuration == 90 assert policy.maxLoginFailures == 3 assert policy.minDuration == 30 assert policy.minimumLength == 8 assert policy.passwordMemory == 1 assert policy.policyEnforcement == "enabled" assert policy.requiredLowercase == 2 assert policy.requiredNumeric == 1 assert policy.requiredSpecial == 1 assert policy.requiredUppercase == 2
def setup_roles(args, tags=None): '''Used to assign and execute a role on a server''' vpass = args.get('vault_pass', None) vault_content = args.get('vault_content', None) if vpass: from ansible_vault import Vault vault = Vault(vpass) data = vault.load(vault_content) return runplay(config.get('books', 'setup'), args['servername'], args=args, tags=tags)
def get_vault_variables(self): # try unencrypted first for tests with open(self.paths.vault_yml, 'r') as f: vault_vars = yaml.load(f) if isinstance(vault_vars, dict): return vault_vars while True: try: vault = Vault(self.get_ansible_vault_password()) with open(self.paths.vault_yml, 'r') as vf: return vault.load(vf.read()) except AnsibleVaultError: print('incorrect password') self.get_ansible_vault_password.reset_cache(self)
def get_creds_vault(vault_file,vault_password): try: vault = Vault(vault_password) secrets = vault.load(open(vault_file).read()) except: err=f"can't decode {vault_file}" print(err) logging.debug(f"ERROR: {err}") sys.exit() #####HACK for ansible version https://github.com/tomoh1r/ansible-vault/pull/34 #vault = VaultLib([(DEFAULT_VAULT_ID_MATCH, VaultSecret(vault_password.encode()))]) #secrets = yaml.safe_load(vault.decrypt(open(vault_file).read())) ##### # print(secrets) return secrets
def decrypt_keyfile_data(keyfile_data: bytes, password: str = None) -> bytes: """ Decrypts passed keyfile data using ansible vault. Args: keyfile_data ( bytes, required ): Bytes to validate password ( bool, optional ): It set, uses this password to decrypt data. Returns: decrypted_data (bytes): Decrypted data. Raises: KeyFileError: Raised if the file is corrupted or if the password is incorrect. """ password = getpass.getpass( "Enter password to unlock key: ") if password == None else password try: password = getpass.getpass( "Enter password to unlock key: ") if password == None else password console = bittensor.__console__ with console.status(":key: Decrypting key..."): # Ansible decrypt. if keyfile_data_is_encrypted_ansible(keyfile_data): vault = Vault(password) decrypted_keyfile_data = vault.load(keyfile_data) # Legacy decrypt. elif keyfile_data_is_encrypted_legacy(keyfile_data): __SALT = b"Iguesscyborgslikemyselfhaveatendencytobeparanoidaboutourorigins" kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), salt=__SALT, length=32, iterations=10000000, backend=default_backend()) key = base64.urlsafe_b64encode(kdf.derive(password.encode())) cipher_suite = Fernet(key) decrypted_keyfile_data = cipher_suite.decrypt(keyfile_data) # Unknown. else: raise KeyFileError( "Keyfile data: {} is corrupt".format(keyfile_data)) except (InvalidSignature, InvalidKey, InvalidToken): raise KeyFileError('Invalid password') if not isinstance(decrypted_keyfile_data, bytes): decrypted_keyfile_data = json.dumps(decrypted_keyfile_data).encode() return decrypted_keyfile_data
def _get_vault_variables(self): # try unencrypted first for tests with open(self.paths.vault_yml, 'r') as f: vault_vars = yaml.safe_load(f) if isinstance(vault_vars, dict): return vault_vars while True: try: vault = Vault(self._get_ansible_vault_password()) with open(self.paths.vault_yml, 'r') as vf: return vault.load(vf.read()) except AnsibleVaultError: if os.environ.get('ANSIBLE_VAULT_PASSWORD'): raise print('incorrect password') self._get_ansible_vault_password.reset_cache(self)
def get_stack_password(): if IS_CW == 0: vault = Vault(ANSIBLE_VAULT) #try: urllib3.contrib.pyopenssl.inject_into_urllib3() urllib3.disable_warnings() user_agent = {'user-agent': 'Mozilla/5.0 (Windows NT 6.3; rv:36.0) ..'} http = urllib3.PoolManager(10, headers=user_agent) url = 'https://api.github.com/repos/SplunkStorm/stax/contents/wormhole/secure_vars/tag_Stack_'+STACK+'/secure.yml?access_token='+TOKEN result = http.request("GET",url) if result.status == 200: req = json.loads(result.data) content = base64.decodestring(req['content']) _pass = vault.load(content)['stack_password'] return _pass else: return "ERROR_404" #stack not found #except: # return "ERROR" else: return "ERROR_CW"
class Vault(): @staticmethod def to_encrypted_name(name): return f'{name}.encrypted' @staticmethod def to_decrypted_name(name): return '.'.join(name.split('.')[:-1]) def __init__(self, password): self.ansible_vault = AnsibleVault(password) self.fs = FileSystem() def encrypt(self, src, dest=None): srcs = self.fs.deserialize_name(src) assert self.fs.is_file(srcs), 'src should be a file' if not dest: dests = srcs.copy() dests[-1] = Vault.to_encrypted_name(srcs[-1]) dest = self.fs.serialize_name(dests) with open(src, 'r') as input_file: raw_data = input_file.read() with open(dest, 'wb') as output_file: self.ansible_vault.dump(raw_data, output_file) def decrypt(self, src, dest=None): srcs = self.fs.deserialize_name(src) assert self.fs.is_file(srcs), 'src should be a file' if not dest: dests = srcs.copy() dests[-1] = Vault.to_decrypted_name(srcs[-1]) dest = self.fs.serialize_name(dests) with open(src, 'r') as input_file: encrypted_data = input_file.read() try: decrypted_data = self.ansible_vault.load(encrypted_data) except AnsibleVaultError as e: raise Exception('Decrypt failed') with open(dest, 'w') as output_file: output_file.write(decrypted_data)
def __init__(self, var_file, pass_file, vault_password): """ --- dr_sites_primary_url: http://xxx.xx.xx.xxx:8080/ovirt-engine/api dr_sites_primary_username: admin@internal dr_sites_primary_ca_file: /etc/pki/ovirt-engine/ca.pem # Please fill in the following properties for the secondary site: dr_sites_secondary_url: http://yyy.yy.yy.yyy:8080/ovirt-engine/api dr_sites_secondary_username: admin@internal dr_sites_secondary_ca_file: /etc/pki/ovirt-engine_secondary/ca.pem """ self.primary_url = var_file.get('dr_sites_primary_url') self.primary_user = var_file.get('dr_sites_primary_username') self.primary_ca = var_file.get('dr_sites_primary_ca_file') self.second_url = var_file.get('dr_sites_secondary_url') self.second_user = var_file.get('dr_sites_secondary_username') self.second_ca = var_file.get('dr_sites_secondary_ca_file') if (vault_password != ''): vault = Vault(vault_password) try: passwords = vault.load(open(pass_file).read()) self.primary_password = passwords['dr_sites_primary_password'] self.second_password = passwords['dr_sites_secondary_password'] except BaseException: try: print("%s%sCan not read passwords from vault." " Will try to read as plain file.%s" % (WARN, PREFIX, END)) self._plain_read(pass_file) except BaseException: print("%s%sCan not read passwords from file%s" % (FAIL, PREFIX, END)) else: try: self._plain_read(pass_file) except BaseException: print("%s%sCan not read passwords from file%s" % (FAIL, PREFIX, END))
def send_email(self): """Sends results email""" # Read SendGrid API key from Ansible vault vault = Vault('Frankenstein') api_key = vault.load(open('secrets.yml').read()) # Set up SendGrid API Client send_grid = SendGridAPIClient(apikey=api_key) # Set up email message from_email = Email('*****@*****.**') to_email = Email(self.email) subject = "AppNexus Crawler Compression Results" content = "These files were compressed:\n" for filename in self.compressed_files: content += '{}\n'.format(filename) content += "\nThese files were not compressed:\n" for filename in self.uncompressed_files: content += '{}\n'.format(filename) content += '\nTotal disk savings: {} bytes'.format(self.space_savings) content = Content("text/plain", content) mail = Mail(from_email, subject, to_email, content) mail.reply_to = Email('*****@*****.**') # Send email message dummy = send_grid.client.mail.send.post(request_body=mail.get())
def __read_secrets(password=None): password = get_pass() vault = Vault(password) return vault.load(open(VAULT_FILE).read())
# python version 2.7.3 # # Script takes String input and sends the message to an SQS queue (no send message to sqs queue module available in ansible) # command to run example: python sendMessageToQueue.py import boto3 from ansible_vault import Vault import sys password = raw_input("Please enter vault password for api keys: ") vault = Vault(password) vote = raw_input("Please enter your vote (RED, GREEN, BLUE): ") print "you entered", vote key_data = vault.load(open('../group_vars/aws/vault.yml').read()) secret_access_key = list(key_data.values())[0] access_key_id = list(key_data.values())[1] if vote.upper() in ("RED", "GREEN", "BLUE"): client = boto3.client('sqs', region_name='eu-west-1', aws_access_key_id=access_key_id, aws_secret_access_key=secret_access_key) queue_url = client.get_queue_url( QueueName='VoteQueue' ) print(queue_url['QueueUrl']) sqs_response = client.send_message( QueueUrl=queue_url['QueueUrl'],
def openVaultFile(file): vault = Vault(vaultpwd) data = vault.load(open(vaultFile).read()) return data