def populate_credetials(self, config, credentials_path, vaultpass): if ansible_ver < 4 or is_py2: secret = [("default", VaultSecret(bytes(vaultpass.encode('utf-8'))))] vault = VaultLib(secret) cred = open(credentials_path, "rb").read() cred = vault.decrypt(cred) ret_str = "" for asc in cred: ret_str += asc tmpf = open("tmppass", 'w') tmpf.write(ret_str) tmpf.close() tmpparser = RawConfigParser() tmpparser.read("tmppass") os.remove("tmppass") else: secret = [("default", VaultSecret(bytes(vaultpass, "utf-8")))] vault = VaultLib(secret) cred = open(credentials_path, "rb").read() cred = vault.decrypt(cred) ret_str = "" for asc in cred: ret_str += (chr(int(asc))) tmpparser = RawConfigParser() tmpparser.read_string(ret_str) config.__set_credentials__(parser=tmpparser)
def __init__(self): """ This constructor function provides variables from the input files. """ # Retrieving secret variables from config_secrets.json file encrypted_file = open("config_secrets.json") key = getpass("Enter key for encrypted variables:") # Configuring key and decrypting encrypted variables config_vault = VaultLib([(DEFAULT_VAULT_ID_MATCH, VaultSecret(key.encode('utf-8')))]) config = json.loads(config_vault.decrypt(encrypted_file.read())) # Closing opened encrypted file encrypted_file.close() #Retrieving variables from user_input.json file with open("user_input.json", "r") as json_fp: input_json_data = json.load(json_fp) self.username = config["CONSOLE_USERNAME"] self.password = config["CONSOLE_PASSWORD"] self.controller_IP = input_json_data["CONTROLLER_IP"] self.cluster_name = input_json_data["CLUSTER_NAME"] self.expand_shrink = input_json_data["EXPAND_OR_SHRINK"] self.host_ips = input_json_data["HOST_IP's"] self.host_role = input_json_data["HOST_ROLE"]
def __init__(self, password): self.text = b'' self.err = '' self.password = password if password: self.vault = VaultLib([(DEFAULT_VAULT_ID_MATCH, VaultSecret(password.encode("utf-8")))])
def write(self): cleartext = yaml.dump(self.data) vault = VaultLib([(DEFAULT_VAULT_ID_MATCH, VaultSecret(self.keyphrase.encode('utf-8')))]) ciphered = vault.encrypt(cleartext) with open(self.path, 'wb') as f: f.write(ciphered)
def __init__(self, password): """Create a vault.""" self.password = password pass_bytes = to_bytes(password, encoding='utf-8', errors='strict') secrets = [('password', VaultSecret(_bytes=pass_bytes))] # pylint: disable=unexpected-keyword-arg, no-value-for-parameter self.vault = VaultLib(secrets=secrets)
def setup_vault_secrets(self, loader, vault_ids, vault_password_files=None, vault_pass=None): vault_secrets = [] vault_password_files = vault_password_files or [] if C.DEFAULT_VAULT_PASSWORD_FILE: vault_password_files.append(C.DEFAULT_VAULT_PASSWORD_FILE) vault_ids = Vault.build_vault_ids(vault_ids, vault_password_files, vault_pass) for vault_id_slug in vault_ids: vault_id_name, vault_id_value = Vault.split_vault_id(vault_id_slug) if vault_id_value == 'vault_pass': built_vault_id = vault_id_name or C.DEFAULT_VAULT_IDENTITY # load password vault_secret = VaultSecret(bytes(vault_pass, 'utf-8')) vault_secrets.append((built_vault_id, vault_secret)) loader.set_vault_secrets(vault_secrets) continue file_vault_secret = get_file_vault_secret(filename=vault_id_value, vault_id=vault_id_name, loader=loader) # an invalid password file will error globally file_vault_secret.load() if vault_id_name: vault_secrets.append((vault_id_name, file_vault_secret)) else: vault_secrets.append((C.DEFAULT_VAULT_IDENTITY, file_vault_secret)) # update loader with as-yet-known vault secrets loader.set_vault_secrets(vault_secrets) return vault_secrets
def get_group_vars(group, inventory, invfile, vaultpass): try: from ansible.plugins.loader import vars_loader from ansible.utils.vars import combine_vars loader = ansible.parsing.dataloader.DataLoader() if vaultpass: if hasattr(loader, 'set_vault_secrets'): from ansible.module_utils._text import to_bytes from ansible.parsing.vault import VaultSecret loader.set_vault_secrets([ ('default', VaultSecret(_bytes=to_bytes(vaultpass))) ]) else: # not tested loader.set_vault_password(vaultpass) # variables in inventory file vars = group.get_vars() # variables in group_vars related to invfile for p in vars_loader.all(): gvars = p.get_vars(loader, invfile, group) vars = combine_vars(vars, gvars) return vars except ImportError: pass # http://stackoverflow.com/a/197053 vars = inspect.getargspec(inventory.get_group_vars) if 'return_results' in vars[0]: return inventory.get_group_vars(group, return_results=True) else: return inventory.get_group_vars(group)
def ansible_decrypt(msg): if config.ANSIBLE_VAULT_HEADER not in msg: return msg _, ciphertext = msg.split("\n") vault = VaultAES256() secret = VaultSecret(bytes(config.ANSIBLE_SECRET, 'utf-8')) return str(vault.decrypt(ciphertext, secret), 'utf-8')
def do_unvault(vault, secret, vaultid='filter_default'): if not isinstance(secret, (string_types, binary_type, Undefined)): raise AnsibleFilterTypeError( "Secret passed is required to be as string, instead we got: %s" % type(secret)) if not isinstance( vault, (string_types, binary_type, AnsibleVaultEncryptedUnicode, Undefined)): raise AnsibleFilterTypeError( "Vault should be in the form of a string, instead we got: %s" % type(vault)) data = '' vs = VaultSecret(to_bytes(secret)) vl = VaultLib([(vaultid, vs)]) if isinstance(vault, AnsibleVaultEncryptedUnicode): vault.vault = vl data = vault.data elif is_encrypted(vault): try: data = vl.decrypt(vault) except UndefinedError: raise except Exception as e: raise AnsibleFilterError("Unable to decrypt: %s" % to_native(e), orig_exc=e) else: data = vault return to_native(data)
def _make_secrets(self, secret): if self._ansible_ver < 2.4: return secret from ansible.constants import DEFAULT_VAULT_ID_MATCH #@UnresolvedImport from ansible.parsing.vault import VaultSecret return [(DEFAULT_VAULT_ID_MATCH, VaultSecret(secret))]
def decrypt_vault(filename, vault_password=None, vault_password_file=None, vault_prompt=False): """ filename: name of your encrypted file that needs decrypted. vault_password: key that will decrypt the vault. vault_password_file: file containing key that will decrypt the vault. vault_prompt: Force vault to prompt for a password if everything else fails. """ loader = DataLoader() if vault_password: vault_secret = [([], VaultSecret(vault_password.encode()))] elif vault_password_file: vault_secret = CLI.setup_vault_secrets(loader=loader, vault_ids=[vault_password_file]) else: vault_secret = CLI.setup_vault_secrets(loader=loader, vault_ids=[], auto_prompt=vault_prompt) vault = VaultLib(vault_secret) with open(filename) as f: unencrypted_yaml = vault.decrypt(f.read()) unencrypted_yaml = yaml.safe_load(unencrypted_yaml) return unencrypted_yaml
def __initializeData(self): """ 初始化ansible """ Options = namedtuple('Options', ['ansible_python_interpreter', 'connection', 'module_path', 'forks', 'become', 'become_method', 'become_user', 'check', 'diff', 'private_key_file', 'remote_user']) self.loader = DataLoader() # 加载hosts文件解密密码 self.loader.set_vault_secrets( [('default', VaultSecret(_bytes=to_bytes(self.ansible_vault_key)))]) self.options = Options(ansible_python_interpreter=self.ansible_python_interpreter, connection='ssh', module_path='', forks=100, become=None, become_method=None, become_user=self.become_user, check=False, diff=False, private_key_file=self.private_key_file, remote_user=self.ansible_ssh_user) self.passwords = dict(conn_pass=self.passwords) self.inventory = InventoryManager( loader=self.loader, sources=self.resource) self.variable_manager = VariableManager( loader=self.loader, inventory=self.inventory)
def makeVaultLib(passwordBytes, vaultId="default"): if passwordBytes: if isinstance(passwordBytes, six.string_types): passwordBytes = to_bytes(passwordBytes) vault_secrets = [(vaultId, VaultSecret(passwordBytes))] return VaultLib(secrets=vault_secrets) return None
def get_play_prereqs_2_4(self, options): loader = DataLoader() if self.vault_pass: loader.set_vault_secrets([ ('default', VaultSecret(_bytes=to_bytes(self.vault_pass))) ]) # create the inventory, and filter it based on the subset specified (if any) inventory = InventoryManager(loader=loader, sources=options.inventory) # create the variable manager, which will be shared throughout # the code, ensuring a consistent view of global variables try: # Ansible 2.8 variable_manager = VariableManager( loader=loader, inventory=inventory, version_info=self.version_info(ansible_version)) variable_manager._extra_vars = self.extra_vars except TypeError: variable_manager = VariableManager(loader=loader, inventory=inventory) variable_manager.extra_vars = self.extra_vars variable_manager.options_vars = { 'ansible_version': self.version_info(ansible_version) } return loader, inventory, variable_manager
def make_vault_lib_ex(secrets: List[Tuple[str, Union[str, bytes]]]): vault_secrets = [] for vaultId, passwordBytes in secrets: if isinstance(passwordBytes, six.string_types): passwordBytes = to_bytes(passwordBytes) vault_secrets.append((vaultId, VaultSecret(passwordBytes))) return VaultLib(secrets=vault_secrets)
def read(self): vault = VaultLib([(DEFAULT_VAULT_ID_MATCH, VaultSecret(self.keyphrase.encode('utf-8')))]) with open(self.path) as f: ciphered = f.read() cleartext = vault.decrypt(ciphered) self.data = yaml.safe_load(cleartext)
def __init__(self): """ This constructor function provides encrypted as well as normal variables based input files. """ # Retriving secret variables from config_secrets.json file encrypted_file = open("config_secrets.json") key = getpass("Enter key for encrypted variables:") # Configuring key and decrypting encrypted variables config_vault = VaultLib([(DEFAULT_VAULT_ID_MATCH, VaultSecret(key.encode('utf-8')))]) config = json.loads(config_vault.decrypt(encrypted_file.read())) # Closing opened encrypted file encrypted_file.close() # Retriving all user input files from file into a variable with open ("userinput.json", "r") as json_fp: input_json_data = json.load(json_fp) self.username = config["OPENSHIFT_USERNAME"] self.password = config["OPENSHIFT_PASSWORD"] self.oc_host = ":".join([input_json_data["OPENSHIFT_DOMAIN"], input_json_data["OPENSHIFT_PORT"]]) self.operator_list = input_json_data["OPENSHIFT_OPERATOR_LIST"] self.channel_list = input_json_data["OPERATOR_CHANNEL_LIST"] self.source_list = input_json_data["OPERATOR_SOURCE_LIST"] self.install_plan_approval_list = input_json_data["OPERATOR_INSTALL_PLAN"] self.namespaces = input_json_data["OPENSHIFT_PROJECT_NAME"] self.oc_path = input_json_data["OPENSHIFT_CLIENT_PATH"] self.storage_class_name = input_json_data["OPENSHIFT_STORAGE_CLASS_NAME"]
def do_vault(data, secret, salt=None, vaultid='filter_default', wrap_object=False): if not isinstance(secret, (string_types, binary_type, Undefined)): raise AnsibleFilterTypeError( "Secret passed is required to be a string, instead we got: %s" % type(secret)) if not isinstance(data, (string_types, binary_type, Undefined)): raise AnsibleFilterTypeError( "Can only vault strings, instead we got: %s" % type(data)) vault = '' vs = VaultSecret(to_bytes(secret)) vl = VaultLib() try: vault = vl.encrypt(to_bytes(data), vs, vaultid, salt) except UndefinedError: raise except Exception as e: raise AnsibleFilterError("Unable to encrypt: %s" % to_native(e), orig_exc=e) if wrap_object: vault = AnsibleVaultEncryptedUnicode(vault) else: vault = to_native(vault) return vault
def _make_secrets(self, secret): if parse_version(ansible.__version__) < parse_version('2.4'): return secret from ansible.constants import DEFAULT_VAULT_ID_MATCH from ansible.parsing.vault import VaultSecret return [(DEFAULT_VAULT_ID_MATCH, VaultSecret(secret))]
def make_secret(secret): """ creates vault secret based on the version of ansible being ran""" if ANSIBLE_VER < 2.4: return secret from ansible.constants import DEFAULT_VAULT_ID_MATCH from ansible.parsing.vault import VaultSecret return [(DEFAULT_VAULT_ID_MATCH, VaultSecret(secret))]
def _make_secrets(self, secret): if _ANSIBLE_VER < 2.4: return secret from ansible.constants import DEFAULT_VAULT_ID_MATCH from ansible.parsing.vault import VaultSecret return [(DEFAULT_VAULT_ID_MATCH, VaultSecret(secret))]
def make_secrets(secret): """Create ansible compatible secret.""" if parse_version(ansible.__version__) < parse_version("2.4"): return secret from ansible.constants import DEFAULT_VAULT_ID_MATCH from ansible.parsing.vault import VaultSecret return [(DEFAULT_VAULT_ID_MATCH, VaultSecret(secret))]
def runplaybook(inventory, playbook, project, bname, secret): loader = DataLoader() invlist = [] invlist.append(inventory) inv = InventoryManager(loader=loader, sources=invlist) variable_manager = VariableManager(loader=loader, inventory=inv) pblist = [] pblist.append(playbook) if secret != '': loader.set_vault_secrets([('default', VaultSecret(_bytes=to_bytes(secret)))]) passwords = {} Options = namedtuple('Options', [ 'connection', 'remote_user', 'ask_sudo_pass', 'verbosity', 'ack_pass', 'module_path', 'forks', 'become', 'become_method', 'become_user', 'check', 'listhosts', 'listtasks', 'listtags', 'syntax', 'sudo_user', 'sudo', 'diff' ]) options = Options(connection='smart', remote_user=None, ack_pass=None, sudo_user=None, forks=5, sudo=None, ask_sudo_pass=False, verbosity=5, module_path=None, become=None, become_method=None, become_user=None, check=False, diff=False, listhosts=None, listtasks=None, listtags=None, syntax=None) pb = PlaybookExecutor(loader=loader, playbooks=pblist, inventory=inv, variable_manager=variable_manager, passwords=passwords, options=options) f = open('/opt/Projects/' + project + '/logs/' + bname + 'out.log', 'a+') # ferr=open('/opt/Projects/'+project+'/logs/'+bname+'err.log','a+') sys.stdout = f # sys.stderr = ferr result = pb.run() # ferr.close() f.close() return result
def __init__(self, config): self._remote_user = config['ANSIBLE_REMOTE_USER'] self._private_key_file = config['ANSIBLE_PRIVATE_KEY_FILE'] self._base_plays_path = config['ANSIBLE_PLAYBOOKS_WORKING_DIR'] self._verbosity = config.get('ANSIBLE_VERBOSITY', 0) vault_password = config['ANSIBLE_VAULT_PASSWORD'] password = to_bytes(vault_password) vault_secret = VaultSecret(_bytes=password) self._default_secret = [('default', vault_secret)]
def encrypt_value(value, passcode): secret = VaultSecret(bytes(passcode.encode('ascii'))) editor = VaultEditor() if not is_encrypted(value): vaultCode = editor.encrypt_bytes(value, secret).decode('ascii') else: vaultCode = value encrypted_val = '!vault |\n' + (vaultCode) return encrypted_val
def __init__(self, password): self.password = password try: from ansible.parsing.vault import VaultSecret from ansible.module_utils._text import to_bytes pass_bytes = to_bytes(password, encoding='utf-8', errors='strict') secrets = [('password', VaultSecret(_bytes=pass_bytes))] self.vault = VaultLib(secrets=secrets) except ImportError: self.vault = VaultLib(password)
def get_decrypted_file(fname, vaultpass=None): if ANSIBLE > 1: loader = ansible.parsing.dataloader.DataLoader() if vaultpass: if hasattr(loader, 'set_vault_secrets'): loader.set_vault_secrets([('default', VaultSecret(_bytes=to_bytes(vaultpass)))]) else: # not tested loader.set_vault_password(vaultpass) return loader.get_real_file(fname) else: return fname
def __init__(self, password): """Create a vault.""" self.password = password try: from ansible.parsing.vault import VaultSecret from ansible.module_utils._text import to_bytes pass_bytes = to_bytes(password, encoding='utf-8', errors='strict') secrets = [('password', VaultSecret(_bytes=pass_bytes))] # pylint: disable=unexpected-keyword-arg, no-value-for-parameter self.vault = VaultLib(secrets=secrets) except ImportError: self.vault = VaultLib(password)
def __init__(self, vim): self.vim = vim if pynvim.os.environ["ANSIBLE_VAULT_PASSWORD_FILE"]: with open(pynvim.os.environ["ANSIBLE_VAULT_PASSWORD_FILE"], "r") as fd: self.vault = VaultLib( [ ( DEFAULT_VAULT_ID_MATCH, VaultSecret(to_bytes(fd.read().rstrip())), ) ] )
def render_POST(self, request): request.setHeader("Content-Type", "application/json; charset=utf-8") version, cipher, vault_id = '1.1', 'AES256', '' is_source_encrypted = True try: body = json.loads(request.content.read()) except: request.setResponseCode(400) return json.dumps({"value": "bad input object"}).encode('utf-8') if body.get("password"): secret = VaultSecret( to_bytes(body["password"], "utf-8", errors='strict')) source = body.get("source", "") source = to_bytes(source, "utf-8", errors='strict') try: (payload, version, cipher, vault) = parse_vaulttext_envelope(source) except ansible.errors.AnsibleError: # maybe not encrypted is_source_encrypted = False payload = source try: this_cipher = CIPHER_MAPPING[cipher]() except Exception as e: request.setResponseCode(400) response_text = e.message return json.dumps({ "value": "error in %s" % response_text }).encode('utf-8') try: if is_source_encrypted: response_text = this_cipher.decrypt(payload, secret=secret) else: response_text = format_vaulttext_envelope( this_cipher.encrypt(payload, secret=secret), cipher, version, vault_id).strip() except ansible.errors.AnsibleError as e: request.setResponseCode(400) response_text = e.message return json.dumps({"value": response_text}).encode('utf-8') else: request.setResponseCode(400) response_text = b"password not specified" return json.dumps({ "value": response_text.decode('utf-8') }).encode('utf-8')