def set_vault_password(self, b_vault_password):
self._b_vault_password = b_vault_password
self._vault = VaultLib(b_password=b_vault_password)
if vaultfile is None:
vaultfile = args.vault_file
if not os.path.isfile(vaultfile):
sys.stderr.write(
"No ansible vault found in %s. Either create one or set the environment variable VAULTFILE.\n"
% vaultfile)
sys.exit(3)
vaultpass = os.environ.get("VAULTPASS", None)
if vaultpass is None:
sys.stderr.write(
"Set the VAULTPASS environment variable to unlock the ansible vault.\n"
)
sys.exit(3)
vault = VaultLib([(DEFAULT_VAULT_ID_MATCH,
VaultSecret(vaultpass.encode('utf-8')))])
try:
content = vault.decrypt(open(vaultfile).read())
except AnsibleVaultError:
sys.stderr.write("Invalid vault password, could not decrypt vault.\n")
sys.exit(3)
data = yaml.load(content, Loader=yaml.CLoader)
cmd = ["terraform", args.action]
for key, value in data.items():
cmd.append("--var '{}={}'".format(key, value))
cmd += options
runcmd = ' '.join(cmd)
def __init__(self, password):
self.password = password
self.vault = VaultLib(password)
def __init__(self, vault_password=None):
self._basedir = '.'
self._vault = VaultLib(password=vault_password)
from ansible.constants import DEFAULT_VAULT_ID_MATCH
from ansible.parsing.vault import VaultLib
from ansible.parsing.vault import VaultSecret
vault = VaultLib([(DEFAULT_VAULT_ID_MATCH, VaultSecret('tower@123'))])
print vault.decrypt(
open(
'/home/nik/Desktop/git-repo/cloud-ops/python-ops/rest-api/json-outs/env-1.json'
).read())
exit(0)
try:
# Reading Composer Security Configurations from the input file
composer_security_configuration_file = open(
composer_security_configuration_file_path, encoding='utf-8')
security_configurations = json.load(
composer_security_configuration_file)
# oneview_credentials_file = open(oneview_credentials_file_path, encoding='utf-8')
# oneview_config = json.load(oneview_credentials_file)
# Reading OneView configurations from the input file
key = getpass("Enter the key to decrypt OneView credentials file : ")
oneview_credentials_key = VaultLib([
(DEFAULT_VAULT_ID_MATCH, VaultSecret(key.encode('utf-8')))
])
oneview_credentials_file = open(oneview_credentials_file_path)
oneview_config = json.loads(
oneview_credentials_key.decrypt(oneview_credentials_file.read()))
# Validating input Composer Security Configurations
inputs_state = validate_inputs(security_configurations)
if not inputs_state:
print("Failed: Input format is invalid.")
exit(0)
# Defining HPE OneView API endpoints
api_endpoints = {
"allowSshAccess": "/rest/appliance/ssh-access",
"GlobalSettings": "/rest/logindomains/global-settings",
def test_encrypt(self):
v = VaultLib(password='******')
plaintext = u'Some text to encrypt.'
ciphertext = v.encrypt(plaintext)
self.assertIsInstance(ciphertext, (bytes, str))
def run(self):
super(VaultCLI, self).run()
loader = DataLoader()
# set default restrictive umask
old_umask = os.umask(0o077)
vault_ids = self.options.vault_ids
# there are 3 types of actions, those that just 'read' (decrypt, view) and only
# need to ask for a password once, and those that 'write' (create, encrypt) that
# ask for a new password and confirm it, and 'read/write (rekey) that asks for the
# old password, then asks for a new one and confirms it.
default_vault_ids = C.DEFAULT_VAULT_IDENTITY_LIST
vault_ids = default_vault_ids + vault_ids
# TODO: instead of prompting for these before, we could let VaultEditor
# call a callback when it needs it.
if self.action in ['decrypt', 'view', 'rekey', 'edit']:
vault_secrets = self.setup_vault_secrets(
loader,
vault_ids=vault_ids,
vault_password_files=self.options.vault_password_files,
ask_vault_pass=self.options.ask_vault_pass)
if not vault_secrets:
raise AnsibleOptionsError(
"A vault password is required to use Ansible's Vault")
if self.action in ['encrypt', 'encrypt_string', 'create']:
encrypt_vault_id = None
# no --encrypt-vault-id self.options.encrypt_vault_id for 'edit'
if self.action not in ['edit']:
encrypt_vault_id = self.options.encrypt_vault_id or C.DEFAULT_VAULT_ENCRYPT_IDENTITY
vault_secrets = None
vault_secrets = \
self.setup_vault_secrets(loader,
vault_ids=vault_ids,
vault_password_files=self.options.vault_password_files,
ask_vault_pass=self.options.ask_vault_pass,
create_new_password=True)
if len(vault_secrets) > 1 and not encrypt_vault_id:
raise AnsibleOptionsError(
"The vault-ids %s are available to encrypt. Specify the vault-id to encrypt with --encrypt-vault-id"
% ','.join([x[0] for x in vault_secrets]))
if not vault_secrets:
raise AnsibleOptionsError(
"A vault password is required to use Ansible's Vault")
encrypt_secret = match_encrypt_secret(
vault_secrets, encrypt_vault_id=encrypt_vault_id)
# only one secret for encrypt for now, use the first vault_id and use its first secret
# TODO: exception if more than one?
self.encrypt_vault_id = encrypt_secret[0]
self.encrypt_secret = encrypt_secret[1]
if self.action in ['rekey']:
encrypt_vault_id = self.options.encrypt_vault_id or C.DEFAULT_VAULT_ENCRYPT_IDENTITY
# print('encrypt_vault_id: %s' % encrypt_vault_id)
# print('default_encrypt_vault_id: %s' % default_encrypt_vault_id)
# new_vault_ids should only ever be one item, from
# load the default vault ids if we are using encrypt-vault-id
new_vault_ids = []
if encrypt_vault_id:
new_vault_ids = default_vault_ids
if self.options.new_vault_id:
new_vault_ids.append(self.options.new_vault_id)
new_vault_password_files = []
if self.options.new_vault_password_file:
new_vault_password_files.append(
self.options.new_vault_password_file)
new_vault_secrets = \
self.setup_vault_secrets(loader,
vault_ids=new_vault_ids,
vault_password_files=new_vault_password_files,
ask_vault_pass=self.options.ask_vault_pass,
create_new_password=True)
if not new_vault_secrets:
raise AnsibleOptionsError(
"A new vault password is required to use Ansible's Vault rekey"
)
# There is only one new_vault_id currently and one new_vault_secret, or we
# use the id specified in --encrypt-vault-id
new_encrypt_secret = match_encrypt_secret(
new_vault_secrets, encrypt_vault_id=encrypt_vault_id)
self.new_encrypt_vault_id = new_encrypt_secret[0]
self.new_encrypt_secret = new_encrypt_secret[1]
loader.set_vault_secrets(vault_secrets)
# FIXME: do we need to create VaultEditor here? its not reused
vault = VaultLib(vault_secrets)
self.editor = VaultEditor(vault)
self.execute()
# and restore umask
os.umask(old_umask)
def set_secrets(cls, secrets):
cls._vaults['default'] = VaultLib(secrets=secrets)
def create(self):
try:
print('')
new_file = self.args.file
if new_file is None:
new_file = input('File to create: ')
if os.path.exists(os.path.join(self.args.vault_path, new_file)):
eprint('This file already exists')
sys.exit(2)
plugin_name = self.args.plugin
if plugin_name is None:
plugin_name = input('Keyring plugin name to use [' +
', '.join(list_plugins()) + ']: ')
plugin = self.get_plugin_instance(plugin_name)
id = plugin.generate_id(self.args.plugin_vars)
print('New ID to use: ' + id)
print('')
stdin_pass = self.args.stdin_pass
if not stdin_pass and sys.stdin.isatty():
password = getpass.getpass('New password: '******'Confirm password: '******'Passwords missmatch')
sys.exit(2)
else:
password = sys.stdin.read()
password = password.strip()
if password == '':
print('Your password is empty !')
sys.exit(2)
except KeyboardInterrupt:
print('')
sys.exit(0)
try:
new_version = plugin.set_password(id, password)
id = plugin.append_id_version(new_version)
vault_metadata = get_metadata(self.args.vault_path)
vault_metadata['vault_ids'].append({
METADATA_ID_KEY: id,
METADATA_PLUGIN_KEY: plugin_name,
METADATA_VAULT_FILES: [new_file]
})
write_metadata(vault_metadata, self.args.vault_path)
VaultLib = get_vault_lib()
vault_api = VaultLib(_make_secrets(password))
with open(os.path.join(self.args.vault_path, new_file),
'w') as stream:
encrypted = vault_api.encrypt('---')
stream.write(encrypted)
except Exception as e:
eprint(e)
sys.exit(2)
if (self.args.verbose):
import traceback
traceback.print_exc()
def encrypt(self, to_encrypt):
"""Encrypts a scalar value using ansible-vault"""
return VaultLib().encrypt(to_encrypt, self.generate_secrets())
def setUp(self):
self.v = VaultLib('test-vault-password')
def __init__(self, vault_password=None):
self._basedir = '.'
self._vault_password = vault_password
self._FILE_CACHE = dict()
self._vault = VaultLib(password=vault_password)
def run(self):
super(VaultCLI, self).run()
loader = DataLoader()
# set default restrictive umask
old_umask = os.umask(0o077)
vault_ids = self.options.vault_ids
# there are 3 types of actions, those that just 'read' (decrypt, view) and only
# need to ask for a password once, and those that 'write' (create, encrypt) that
# ask for a new password and confirm it, and 'read/write (rekey) that asks for the
# old password, then asks for a new one and confirms it.
default_vault_ids = C.DEFAULT_VAULT_IDENTITY_LIST
vault_ids = default_vault_ids + vault_ids
# TODO: instead of prompting for these before, we could let VaultEditor
# call a callback when it needs it.
if self.action in ['decrypt', 'view', 'rekey']:
vault_secrets = self.setup_vault_secrets(
loader,
vault_ids=vault_ids,
vault_password_files=self.options.vault_password_files,
ask_vault_pass=self.options.ask_vault_pass)
if not vault_secrets:
raise AnsibleOptionsError(
"A vault password is required to use Ansible's Vault")
if self.action in ['encrypt', 'encrypt_string', 'create', 'edit']:
if len(vault_ids) > 1:
raise AnsibleOptionsError(
"Only one --vault-id can be used for encryption")
vault_secrets = None
vault_secrets = \
self.setup_vault_secrets(loader,
vault_ids=vault_ids,
vault_password_files=self.options.vault_password_files,
ask_vault_pass=self.options.ask_vault_pass,
create_new_password=True)
if not vault_secrets:
raise AnsibleOptionsError(
"A vault password is required to use Ansible's Vault")
encrypt_secret = match_encrypt_secret(vault_secrets)
# only one secret for encrypt for now, use the first vault_id and use its first secret
# self.encrypt_vault_id = list(vault_secrets.keys())[0]
# self.encrypt_secret = vault_secrets[self.encrypt_vault_id][0]
self.encrypt_vault_id = encrypt_secret[0]
self.encrypt_secret = encrypt_secret[1]
if self.action in ['rekey']:
new_vault_ids = []
if self.options.new_vault_id:
new_vault_ids.append(self.options.new_vault_id)
new_vault_secrets = \
self.setup_vault_secrets(loader,
vault_ids=new_vault_ids,
vault_password_files=self.options.new_vault_password_files,
ask_vault_pass=self.options.ask_vault_pass,
create_new_password=True)
if not new_vault_secrets:
raise AnsibleOptionsError(
"A new vault password is required to use Ansible's Vault rekey"
)
# There is only one new_vault_id currently and one new_vault_secret
new_encrypt_secret = match_encrypt_secret(new_vault_secrets)
self.new_encrypt_vault_id = new_encrypt_secret[0]
self.new_encrypt_secret = new_encrypt_secret[1]
loader.set_vault_secrets(vault_secrets)
# FIXME: do we need to create VaultEditor here? its not reused
vault = VaultLib(vault_secrets)
self.editor = VaultEditor(vault)
self.execute()
# and restore umask
os.umask(old_umask)
def test_is_encrypted_bytes(self):
v = VaultLib(None)
assert not v.is_encrypted(
b"foobar"), "encryption check on plaintext failed"
data = b"$ANSIBLE_VAULT;9.9;TEST\n%s" + hexlify(b"ansible")
assert v.is_encrypted(data), "encryption check on headered text failed"
def __init__(self, file_name=None, vault_password=None):
self._vault_password = vault_password
self._ansible_file_name = file_name
super(AnsibleConstructor, self).__init__()
self._vaults = {}
self._vaults['default'] = VaultLib(password=self._vault_password)
def test_decrypt_decrypted(self):
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
raise SkipTest
v = VaultLib('ansible')
data = "ansible"
self.assertRaises(errors.AnsibleError, v.decrypt, data)
def __init__(self, file_name=None, vault_secrets=None):
self._ansible_file_name = file_name
super(AnsibleConstructor, self).__init__()
self._vaults = {}
self.vault_secrets = vault_secrets or []
self._vaults['default'] = VaultLib(secrets=self.vault_secrets)
def _vault_editor(self, vault_secrets=None):
if vault_secrets is None:
vault_secrets = self._secrets(self.vault_password)
return VaultEditor(VaultLib(vault_secrets))
def set_vault_password(self, vault_password):
self._vault_password = vault_password
self._vault = VaultLib(password=vault_password)
# Opening input files
kickstart_files = {
"rhel7_master": "kickstart_files/ks_rhel7.cfg",
"rhel7_worker": "kickstart_files/ks_rhel7_worker.cfg",
"esxi67": "kickstart_files/ks_esxi67.cfg"
}
config_path = 'input_files/config.json'
servers_path = 'input_files/server_details.json'
# Chckign if input files exist or not
if os.path.exists(config_path) and os.path.exists(servers_path):
# Enter decryption key to decrypt input files
key = getpass("Enter Key:")
try:
config_vault = VaultLib([(DEFAULT_VAULT_ID_MATCH,
VaultSecret(key.encode('utf-8')))])
# Opening config file
configuration_file = open(config_path)
# Decrypting config.json file
config = json.loads(config_vault.decrypt(
configuration_file.read()))
server_vault = VaultLib([(DEFAULT_VAULT_ID_MATCH,
VaultSecret(key.encode('utf-8')))])
# Opening server details file
server_input_file = open(servers_path)
# Decrypting server_details.json file
servers = json.loads(server_vault.decrypt(
server_input_file.read()))
except Exception as e:
print(
