示例#1
0
    def ask_vault_passwords(self):
        b_vault_passwords = []

        for prompt_format in self.prompt_formats:
            prompt = prompt_format % {'vault_id': self.vault_id}
            try:
                vault_pass = display.prompt(prompt, private=True)
            except EOFError:
                raise AnsibleVaultError(
                    'EOFError (ctrl-d) on prompt for (%s)' % self.vault_id)

            verify_secret_is_not_empty(vault_pass)

            b_vault_pass = to_bytes(vault_pass,
                                    errors='strict',
                                    nonstring='simplerepr').strip()
            b_vault_passwords.append(b_vault_pass)

        # Make sure the passwords match by comparing them all to the first password
        for b_vault_password in b_vault_passwords:
            self.confirm(b_vault_passwords[0], b_vault_password)

        if b_vault_passwords:
            return b_vault_passwords[0]

        return None
示例#2
0
    def ask_vault_passwords(self):
        b_vault_passwords = []

        for prompt_format in self.prompt_formats:
            prompt = prompt_format % {'vault_id': self.vault_id}
            try:
                vault_pass = display.prompt(prompt, private=True)
            except EOFError:
                break
            b_vault_pass = to_bytes(vault_pass, errors='strict', nonstring='simplerepr').strip()
            b_vault_passwords.append(b_vault_pass)

        # Make sure the passwords match by comparing them all to the first password
        for b_vault_password in b_vault_passwords:
            self.confirm(b_vault_passwords[0], b_vault_password)

        if b_vault_passwords:
            return b_vault_passwords[0]

        return None
示例#3
0
    def _take_step(self, task, host=None):

        ret=False
        msg=u'Perform task: %s ' % task
        if host:
            msg += u'on %s ' % host
        msg += u'(N)o/(y)es/(c)ontinue: '
        resp = display.prompt(msg)

        if resp.lower() in ['y','yes']:
            display.debug("User ran task")
            ret = True
        elif resp.lower() in ['c', 'continue']:
            display.debug("User ran task and cancled step mode")
            self._step = False
            ret = True
        else:
            display.debug("User skipped task")

        display.banner(msg)

        return ret
示例#4
0
    def _take_step(self, task, host=None):

        ret = False
        if host:
            msg = u'Perform task: %s on %s (y/n/c): ' % (task, host)
        else:
            msg = u'Perform task: %s (y/n/c): ' % task
        resp = display.prompt(msg)

        if resp.lower() in ['y', 'yes']:
            display.debug("User ran task")
            ret = True
        elif resp.lower() in ['c', 'continue']:
            display.debug("User ran task and cancled step mode")
            self._step = False
            ret = True
        else:
            display.debug("User skipped task")

        display.banner(msg)

        return ret
    def _take_step(self, task, host=None):

        ret=False
        msg=u'Perform task: %s ' % task
        if host:
            msg += u'on %s ' % host
        msg += u'(N)o/(y)es/(c)ontinue: '
        resp = display.prompt(msg)

        if resp.lower() in ['y','yes']:
            display.debug("User ran task")
            ret = True
        elif resp.lower() in ['c', 'continue']:
            display.debug("User ran task and cancled step mode")
            self._step = False
            ret = True
        else:
            display.debug("User skipped task")

        display.banner(msg)

        return ret
示例#6
0
    def _take_step(self, task, host=None):

        ret=False
        if host:
            msg = u'Perform task: %s on %s (y/n/c): ' % (task, host)
        else:
            msg = u'Perform task: %s (y/n/c): ' % task
        resp = display.prompt(msg)

        if resp.lower() in ['y','yes']:
            display.debug("User ran task")
            ret = True
        elif resp.lower() in ['c', 'continue']:
            display.debug("User ran task and cancled step mode")
            self._step = False
            ret = True
        else:
            display.debug("User skipped task")

        display.banner(msg)

        return ret
示例#7
0
    def ask_vault_passwords(self):
        b_vault_passwords = []

        for prompt_format in self.prompt_formats:
            prompt = prompt_format % {'vault_id': self.vault_id}
            try:
                vault_pass = display.prompt(prompt, private=True)
            except EOFError:
                raise AnsibleVaultError('EOFError (ctrl-d) on prompt for (%s)' % self.vault_id)

            verify_secret_is_not_empty(vault_pass)

            b_vault_pass = to_bytes(vault_pass, errors='strict', nonstring='simplerepr').strip()
            b_vault_passwords.append(b_vault_pass)

        # Make sure the passwords match by comparing them all to the first password
        for b_vault_password in b_vault_passwords:
            self.confirm(b_vault_passwords[0], b_vault_password)

        if b_vault_passwords:
            return b_vault_passwords[0]

        return None
示例#8
0
文件: vault.py 项目: tonin/ansible
    def execute_encrypt_string(self):
        ''' encrypt the supplied string using the provided vault secret '''
        b_plaintext = None

        # Holds tuples (the_text, the_source_of_the_string, the variable name if its provided).
        b_plaintext_list = []

        # remove the non-option '-' arg (used to indicate 'read from stdin') from the candidate args so
        # we don't add it to the plaintext list
        args = [x for x in self.args if x != '-']

        # We can prompt and read input, or read from stdin, but not both.
        if self.options.encrypt_string_prompt:
            msg = "String to encrypt: "

            name = None
            name_prompt_response = display.prompt('Variable name (enter for no name): ')

            # TODO: enforce var naming rules?
            if name_prompt_response != "":
                name = name_prompt_response

            # TODO: could prompt for which vault_id to use for each plaintext string
            #       currently, it will just be the default
            # could use private=True for shadowed input if useful
            prompt_response = display.prompt(msg)

            if prompt_response == '':
                raise AnsibleOptionsError('The plaintext provided from the prompt was empty, not encrypting')

            b_plaintext = to_bytes(prompt_response)
            b_plaintext_list.append((b_plaintext, self.FROM_PROMPT, name))

        # read from stdin
        if self.encrypt_string_read_stdin:
            if sys.stdout.isatty():
                display.display("Reading plaintext input from stdin. (ctrl-d to end input)", stderr=True)

            stdin_text = sys.stdin.read()
            if stdin_text == '':
                raise AnsibleOptionsError('stdin was empty, not encrypting')

            b_plaintext = to_bytes(stdin_text)

            # defaults to None
            name = self.options.encrypt_string_stdin_name
            b_plaintext_list.append((b_plaintext, self.FROM_STDIN, name))

        # use any leftover args as strings to encrypt
        # Try to match args up to --name options
        if hasattr(self.options, 'encrypt_string_names') and self.options.encrypt_string_names:
            name_and_text_list = list(zip(self.options.encrypt_string_names, args))

            # Some but not enough --name's to name each var
            if len(args) > len(name_and_text_list):
                # Trying to avoid ever showing the plaintext in the output, so this warning is vague to avoid that.
                display.display('The number of --name options do not match the number of args.',
                                stderr=True)
                display.display('The last named variable will be "%s". The rest will not have names.' % self.options.encrypt_string_names[-1],
                                stderr=True)

            # Add the rest of the args without specifying a name
            for extra_arg in args[len(name_and_text_list):]:
                name_and_text_list.append((None, extra_arg))

        # if no --names are provided, just use the args without a name.
        else:
            name_and_text_list = [(None, x) for x in args]

        # Convert the plaintext text objects to bytestrings and collect
        for name_and_text in name_and_text_list:
            name, plaintext = name_and_text

            if plaintext == '':
                raise AnsibleOptionsError('The plaintext provided from the command line args was empty, not encrypting')

            b_plaintext = to_bytes(plaintext)
            b_plaintext_list.append((b_plaintext, self.FROM_ARGS, name))

        # TODO: specify vault_id per string?
        # Format the encrypted strings and any corresponding stderr output
        outputs = self._format_output_vault_strings(b_plaintext_list, vault_id=self.encrypt_vault_id)

        for output in outputs:
            err = output.get('err', None)
            out = output.get('out', '')
            if err:
                sys.stderr.write(err)
            print(out)

        if sys.stdout.isatty():
            display.display("Encryption successful", stderr=True)
示例#9
0
    def run(self, iterator, play_context):
        '''
        The linear strategy is simple - get the next task and queue
        it for all hosts, then wait for the queue to drain before
        moving on to the next task
        '''

        # iteratate over each task, while there is one left to run
        result = self._tqm.RUN_OK
        work_to_do = True
        while work_to_do and not self._tqm._terminated:

            try:
                display.debug("getting the remaining hosts for this loop")
                hosts_left = self.get_hosts_left(iterator)
                display.debug("done getting the remaining hosts for this loop")

                # queue up this task for each host in the inventory
                callback_sent = False
                work_to_do = False

                host_results = []
                host_tasks = self._get_next_task_lockstep(hosts_left, iterator)

                # skip control
                skip_rest = False
                choose_step = True

                # flag set if task is set to any_errors_fatal
                any_errors_fatal = False

                succeeded_hosts = {}
                retry_task = True

                while retry_task:

                    results = []
                    for (host, task) in host_tasks:
                        if not task:
                            continue

                        if self._tqm._terminated:
                            break

                        run_once = False
                        work_to_do = True

                        # test to see if the task across all hosts points to an action plugin which
                        # sets BYPASS_HOST_LOOP to true, or if it has run_once enabled. If so, we
                        # will only send this task to the first host in the list.

                        try:
                            action = action_loader.get(task.action,
                                                       class_only=True)
                        except KeyError:
                            # we don't care here, because the action may simply not have a
                            # corresponding action plugin
                            action = None

                        # check to see if this task should be skipped, due to it being a member of a
                        # role which has already run (and whether that role allows duplicate execution)
                        if task._role and task._role.has_run(host):
                            # If there is no metadata, the default behavior is to not allow duplicates,
                            # if there is metadata, check to see if the allow_duplicates flag was set to true
                            if task._role._metadata is None or task._role._metadata and not task._role._metadata.allow_duplicates:
                                display.debug(
                                    "'%s' skipped because role has already run"
                                    % task)
                                continue

                        if task.action == 'meta':
                            # for the linear strategy, we run meta tasks just once and for
                            # all hosts currently being iterated over rather than one host
                            results.extend(
                                self._execute_meta(task, play_context,
                                                   iterator, host))
                            if task.args.get('_raw_params', None) != 'noop':
                                run_once = True
                        else:
                            # handle step if needed, skip meta actions as they are used internally
                            if self._step and choose_step:
                                if self._take_step(task):
                                    choose_step = False
                                else:
                                    skip_rest = True
                                    break

                            display.debug("getting variables")
                            task_vars = self._variable_manager.get_vars(
                                play=iterator._play, host=host, task=task)
                            self.add_tqm_variables(task_vars,
                                                   play=iterator._play)
                            templar = Templar(loader=self._loader,
                                              variables=task_vars)
                            display.debug("done getting variables")

                            run_once = templar.template(
                                task.run_once) or action and getattr(
                                    action, 'BYPASS_HOST_LOOP', False)

                            if (task.any_errors_fatal
                                    or run_once) and not task.ignore_errors:
                                any_errors_fatal = True

                            if not callback_sent:
                                display.debug(
                                    "sending task start callback, copying the task so we can template it temporarily"
                                )
                                saved_name = task.name
                                display.debug(
                                    "done copying, going to template now")
                                try:
                                    task.name = to_text(templar.template(
                                        task.name, fail_on_undefined=False),
                                                        nonstring='empty')
                                    display.debug("done templating")
                                except:
                                    # just ignore any errors during task name templating,
                                    # we don't care if it just shows the raw name
                                    display.debug(
                                        "templating failed for some reason")
                                    pass
                                display.debug("here goes the callback...")
                                self._tqm.send_callback(
                                    'v2_playbook_on_task_start',
                                    task,
                                    is_conditional=False)
                                task.name = saved_name
                                callback_sent = True
                                display.debug("sending task start callback")

                            if host not in succeeded_hosts:
                                self._blocked_hosts[host.get_name()] = True
                                self._queue_task(host, task, task_vars,
                                                 play_context)
                            del task_vars

                        # if we're bypassing the host loop, break out now
                        if run_once:
                            break

                        results += self._process_pending_results(
                            iterator,
                            max_passes=max(1,
                                           int(len(self._tqm._workers) * 0.1)))

                    # go to next host/task group
                    if skip_rest:
                        continue

                    display.debug(
                        "done queuing things up, now waiting for results queue to drain"
                    )
                    if self._pending_results > 0:
                        results += self._wait_on_pending_results(iterator)

                    host_results.extend(results)

                    try:
                        included_files = IncludedFile.process_include_results(
                            host_results,
                            self._tqm,
                            iterator=iterator,
                            inventory=self._inventory,
                            loader=self._loader,
                            variable_manager=self._variable_manager)
                    except AnsibleError as e:
                        # this is a fatal error, so we abort here regardless of block state
                        return self._tqm.RUN_ERROR

                    include_failure = False
                    if len(included_files) > 0:
                        display.debug("we have included files to process")

                        # A noop task for use in padding dynamic includes
                        noop_task = Task()
                        noop_task.action = 'meta'
                        noop_task.args['_raw_params'] = 'noop'
                        noop_task.set_loader(iterator._play._loader)

                        display.debug("generating all_blocks data")
                        all_blocks = dict((host, []) for host in hosts_left)
                        display.debug("done generating all_blocks data")
                        for included_file in included_files:
                            display.debug("processing included file: %s" %
                                          included_file._filename)
                            # included hosts get the task list while those excluded get an equal-length
                            # list of noop tasks, to make sure that they continue running in lock-step
                            try:
                                if included_file._is_role:
                                    new_ir = included_file._task.copy()
                                    new_ir.vars.update(included_file._args)

                                    new_blocks, handler_blocks = new_ir.get_block_list(
                                        play=iterator._play,
                                        variable_manager=self.
                                        _variable_manager,
                                        loader=self._loader,
                                    )
                                    self._tqm.update_handler_list([
                                        handler
                                        for handler_block in handler_blocks
                                        for handler in handler_block.block
                                    ])
                                else:
                                    new_blocks = self._load_included_file(
                                        included_file, iterator=iterator)

                                display.debug(
                                    "iterating over new_blocks loaded from include file"
                                )
                                for new_block in new_blocks:
                                    task_vars = self._variable_manager.get_vars(
                                        play=iterator._play,
                                        task=included_file._task,
                                    )
                                    display.debug(
                                        "filtering new block on tags")
                                    final_block = new_block.filter_tagged_tasks(
                                        play_context, task_vars)
                                    display.debug(
                                        "done filtering new block on tags")

                                    noop_block = Block(
                                        parent_block=task._parent)
                                    noop_block.block = [
                                        noop_task for t in new_block.block
                                    ]
                                    noop_block.always = [
                                        noop_task for t in new_block.always
                                    ]
                                    noop_block.rescue = [
                                        noop_task for t in new_block.rescue
                                    ]

                                    for host in hosts_left:
                                        if host in included_file._hosts:
                                            all_blocks[host].append(
                                                final_block)
                                        else:
                                            all_blocks[host].append(noop_block)
                                display.debug(
                                    "done iterating over new_blocks loaded from include file"
                                )

                            except AnsibleError as e:
                                for host in included_file._hosts:
                                    self._tqm._failed_hosts[host.name] = True
                                    iterator.mark_host_failed(host)
                                display.error(to_text(e), wrap_text=False)
                                include_failure = True
                                continue

                        # finally go through all of the hosts and append the
                        # accumulated blocks to their list of tasks
                        display.debug(
                            "extending task lists for all hosts with included blocks"
                        )

                        for host in hosts_left:
                            iterator.add_tasks(host, all_blocks[host])

                        display.debug("done extending task lists")
                        display.debug("done processing included files")

                    display.debug("results queue empty")

                    display.debug("checking for any_errors_fatal")
                    failed_hosts = []
                    unreachable_hosts = []
                    for res in results:
                        if res.is_failed() and iterator.is_failed(res._host):
                            failed_hosts.append(res._host.name)
                        elif res.is_unreachable():
                            unreachable_hosts.append(res._host.name)
                        else:
                            succeeded_hosts[res._host] = res

                    if (len(failed_hosts) == 0):
                        # No more failures means we do not need to retry anymore.
                        retry_task = False
                    else:

                        msg = 'Host failed, ignore/retry/abort/debug: %s on [%s] (i/r/a/d): ' % (
                            str(task), ' '.join(failed_hosts)) + '\n'

                        resp = 'bogus'
                        while resp.strip().lower()[:1] not in [
                                'i', 'r', 'a', 'd'
                        ]:
                            resp = display.prompt(msg)

                        # Currently the only difference between ignore and repeat is setting the retry_task to 'False'
                        if resp.strip().lower() in ['i', 'ignore']:
                            retry_task = False

                        if resp.strip().lower() in [
                                'r', 'repeat', 'i', 'ignore'
                        ]:
                            # We need to revert the internal failed host states if we want to ignore the errors
                            # The internal state should be identical to that of a successful host
                            for failed_host in failed_hosts:
                                iterator._host_states[
                                    failed_host].run_state = PlayIterator.ITERATING_TASKS
                                iterator._host_states[
                                    failed_host].fail_state = PlayIterator.FAILED_NONE

                                # Fix child states as well
                                if iterator._host_states[
                                        failed_host].tasks_child_state:
                                    iterator._host_states[
                                        failed_host].tasks_child_state.run_state = PlayIterator.ITERATING_TASKS
                                    iterator._host_states[
                                        failed_host].tasks_child_state.fail_state = PlayIterator.FAILED_NONE
                            self._tqm.clear_failed_hosts()

                        elif resp.strip().lower() in ['a', 'abort']:
                            retry_task = False

                            for host in hosts_left:
                                (s, _) = iterator.get_next_task_for_host(
                                    host, peek=True)
                                if s.run_state != iterator.ITERATING_RESCUE or \
                                   s.run_state == iterator.ITERATING_RESCUE and s.fail_state & iterator.FAILED_RESCUE != 0:
                                    self._tqm._failed_hosts[host.name] = True
                                    result |= self._tqm.RUN_FAILED_BREAK_PLAY

                                # don't double-mark hosts, or the iterator will potentially
                                # fail them out of the rescue/always states
                                if host.name not in failed_hosts:
                                    self._tqm._failed_hosts[host.name] = True
                                    iterator.mark_host_failed(host)
                            self._tqm.send_callback(
                                'v2_playbook_on_no_hosts_remaining')
                            result |= self._tqm.RUN_FAILED_BREAK_PLAY

                        elif resp.strip().lower() in ['d', 'debug']:

                            msg = "Running PDB.  Refer to https://pymotw.com/2/pdb/ for instruction.\n\n"
                            msg += "Commmon commands:\n\n"
                            msg += "Print the task's error message: print(failure_debug_message)\n"
                            msg += 'Add a variable to a host: host_to_edit = hosts_left[0]; task._variable_manager.set_host_variable(host_to_edit,"new_var_key","new_var_value")\n'
                            msg += 'Print task vars: print(task_vars["var_key_name"])\n'

                            display.display(msg,
                                            color='blue',
                                            stderr=False,
                                            screen_only=False,
                                            log_only=False)
                            pdb.set_trace()

            except (IOError, EOFError) as e:
                display.debug("got IOError/EOFError in task loop: %s" % e)
                # most likely an abort, return failed
                return self._tqm.RUN_UNKNOWN_ERROR

        # run the base class run() method, which executes the cleanup function
        # and runs any outstanding handlers which have been triggered

        return super(StrategyModule, self).run(iterator, play_context, result)
示例#10
0
    def execute_encrypt_string(self):
        ''' encrypt the supplied string using the provided vault secret '''
        b_plaintext = None

        # Holds tuples (the_text, the_source_of_the_string, the variable name if its provided).
        b_plaintext_list = []

        # remove the non-option '-' arg (used to indicate 'read from stdin') from the candidate args so
        # we don't add it to the plaintext list
        args = [x for x in self.args if x != '-']

        # We can prompt and read input, or read from stdin, but not both.
        if self.options.encrypt_string_prompt:
            msg = "String to encrypt: "

            name = None
            name_prompt_response = display.prompt('Variable name (enter for no name): ')

            # TODO: enforce var naming rules?
            if name_prompt_response != "":
                name = name_prompt_response

            # TODO: could prompt for which vault_id to use for each plaintext string
            #       currently, it will just be the default
            # could use private=True for shadowed input if useful
            prompt_response = display.prompt(msg)

            if prompt_response == '':
                raise AnsibleOptionsError('The plaintext provided from the prompt was empty, not encrypting')

            b_plaintext = to_bytes(prompt_response)
            b_plaintext_list.append((b_plaintext, self.FROM_PROMPT, name))

        # read from stdin
        if self.encrypt_string_read_stdin:
            if sys.stdout.isatty():
                display.display("Reading plaintext input from stdin. (ctrl-d to end input)", stderr=True)

            stdin_text = sys.stdin.read()
            if stdin_text == '':
                raise AnsibleOptionsError('stdin was empty, not encrypting')

            b_plaintext = to_bytes(stdin_text)

            # defaults to None
            name = self.options.encrypt_string_stdin_name
            b_plaintext_list.append((b_plaintext, self.FROM_STDIN, name))

        # use any leftover args as strings to encrypt
        # Try to match args up to --name options
        if hasattr(self.options, 'encrypt_string_names') and self.options.encrypt_string_names:
            name_and_text_list = list(zip(self.options.encrypt_string_names, args))

            # Some but not enough --name's to name each var
            if len(args) > len(name_and_text_list):
                # Trying to avoid ever showing the plaintext in the output, so this warning is vague to avoid that.
                display.display('The number of --name options do not match the number of args.',
                                stderr=True)
                display.display('The last named variable will be "%s". The rest will not have names.' % self.options.encrypt_string_names[-1],
                                stderr=True)

            # Add the rest of the args without specifying a name
            for extra_arg in args[len(name_and_text_list):]:
                name_and_text_list.append((None, extra_arg))

        # if no --names are provided, just use the args without a name.
        else:
            name_and_text_list = [(None, x) for x in args]

        # Convert the plaintext text objects to bytestrings and collect
        for name_and_text in name_and_text_list:
            name, plaintext = name_and_text

            if plaintext == '':
                raise AnsibleOptionsError('The plaintext provided from the command line args was empty, not encrypting')

            b_plaintext = to_bytes(plaintext)
            b_plaintext_list.append((b_plaintext, self.FROM_ARGS, name))

        # TODO: specify vault_id per string?
        # Format the encrypted strings and any corresponding stderr output
        outputs = self._format_output_vault_strings(b_plaintext_list, vault_id=self.encrypt_vault_id)

        for output in outputs:
            err = output.get('err', None)
            out = output.get('out', '')
            if err:
                sys.stderr.write(err)
            print(out)

        if sys.stdout.isatty():
            display.display("Encryption successful", stderr=True)