def callback(self, args): file_prefix = os.path.splitext(args.private_key_file)[0] args.vault_password_file = args.vault_password_file or \ "{}.vault_password".format(file_prefix) if os.path.exists(args.vault_password_file): with open(args.vault_password_file, "r") as f: vault_password = f.read().strip() if vault_password is None: raise YBOpsRuntimeError("Unable to read {}".format( args.vault_password_file)) else: raise YBOpsRuntimeError("Vault password file doesn't exists.") if args.vault_file is None: args.vault_file = "{}.vault".format(file_prefix) vault = Vault(vault_password) data = vault.load(open(args.vault_file).read()) if args.has_sudo_password: if not YB_SUDO_PASS: raise YBOpsRuntimeError("Did not find sudo password.") data['ansible_become_pass'] = YB_SUDO_PASS vault.dump(data, open(args.vault_file, 'w')) print( json.dumps({ "vault_file": args.vault_file, "vault_password": args.vault_password_file }))
def decrypt_file(path, password_file, newpath=None): '''Decrypts an Ansible Vault YAML file and returns a dict. Set newpath to write the result somewhere.''' # log.debug('decrypt_file({}, {}, {})'.format(path, password_file, newpath)) if is_file_secret(path): # log.debug('file is fully encrypted') with open(password_file) as f: vault = Vault(f.read().strip()) # log.debug('vault fetched with password file: {}'.format(password_file)) with open(path) as f: r = vault.load(f.read()) # log.debug('loaded file: {}'.format(r)) else: r = parse_yaml(path) for s in find_yaml_secrets(r): v = get_dict_value(r, s) plaintext = v.decrypt(open(password_file).read().strip()) put_dict_value(r, s, plaintext) if not r: raise ValueError( 'The Vault library extracted nothing from the file. Is it actually encrypted?' ) if newpath: if not os.path.isdir(os.path.dirname(newpath)): os.makedirs(os.path.dirname(newpath)) with open(newpath, 'w+') as f: f.write(yaml.dump(r)) return r
def combine_vault_with_playbook(self, data, content): """Combines the vault data with the playbook data Args: data (dict) content (dict) Returns: dict """ vault = Vault(config.settings['common']['vault_enc_key']) secrets = vault.load(base64.b64decode(data['vault'])) for k, v in content[0]['tasks'][1]['param_pusher'][ 'parameters'].iteritems(): if ('VAULT' in v) and ( k in content[0]['tasks'][1]['param_pusher']['parameters']): if "VAULT_{}".format(k) in secrets: content[0]['tasks'][1]['param_pusher']['parameters'][ k] = secrets["VAULT_" + k] else: print v print "VAULT_{}".format(k) print secrets content[0]['tasks'][1]['param_pusher']['parameters'][ k] = "KEY NAME MISMATCH" return content[0]['tasks'][1]['param_pusher']['parameters']
def decrypt(vault_string, vault_pass): """Decrypt a VaultString object with a specified Vault pass.""" if not isinstance(vault_string, VaultString): raise TypeError('vault_string must be an instance of VaultString') vault = Vault(vault_pass) return vault.load(vault_string.value)
def write_group_vars(settings): vault_secret = open("ansible/.vault_pass.txt", "r").read().rstrip("\n") vault = Vault(vault_secret) secret_keywords = [ "user", "pass", "access_key", "secret_key", "token", "ansible_user", "ansible_become_pass" ] for k, v in settings.items(): secrets = dict() options = dict() for i in v: if i in secret_keywords: secrets[i] = v[i] else: if i != "host": options[i] = v[i] vault.dump(secrets, open("ansible/group_vars/{}/vault.yml".format(k), "wb")) if options: with open("ansible/group_vars/{}/options.yml".format(k), "w") as infile: yaml.dump(options, infile)
def encrypt_file(path, password_file, newpath=None, secrets=None): '''Encrypts an Ansible Vault YAML file. Returns encrypted data. Set newpath to write the result somewhere. Set secrets to specify inline secret addresses.''' log.debug('Reading decrypted data from {}...'.format(path)) data = parse_yaml(path) if not data: raise ValueError('The YAML file "{}" could not be parsed'.format(path)) else: log.debug('Got vars: {}'.format(data)) with open(password_file) as f: p = f.read().strip() log.debug('Read pass from {}: {}'.format(password_file, p)) if secrets: # newdata = data.copy() secrets = list(secrets) log.debug('Received {} secrets: {}'.format(len(secrets), secrets)) for address in secrets: plaintext = get_dict_value(data, address) log.debug('Re-encrypting "{}" at {} with new password...'.format( plaintext, address)) put_dict_value( data, address, VaultString.encrypt(plaintext=plaintext, password=p)) if newpath: log.debug('Writing {} to {}...'.format(data, newpath, p)) write_yaml(newpath, data) return data else: vault = Vault(p) encrypted = vault.dump(data) with open(newpath, 'w') as f: f.write(encrypted) return encrypted
def get_yaml_vault_data(): """Gets data from vault and prints it.""" vault_pass_file = open(ARGS.vault_password_file, "r") vault_password = vault_pass_file.read() vault = Vault(vault_password.rstrip()) vault_data = vault.load(open(ARGS.vaultfile).read()) myoutput = vault_data.get(ARGS.yaml_key) return myoutput
def _set_secret(self, var, value): # No effort is made to preserve the original YAML format (comments, etc.), # and no edge cases are handled (e.g. vault does not exist, etc.) data = self._get_vault_variables() or {} data[var] = value vault = Vault(self._get_ansible_vault_password()) with open(self.vault_file_path, 'wb') as vf: vault.dump(data, vf) self._get_vault_variables.reset_cache(self)
def callback(self, args): file_prefix = os.path.splitext(args.private_key_file)[0] try: if args.vault_password_file is None: vault_password = generate_random_password() args.vault_password_file = "{}.vault_password".format( file_prefix) with open(args.vault_password_file, "w") as f: f.write(vault_password) elif os.path.exists(args.vault_password_file): with open(args.vault_password_file, "r") as f: vault_password = f.read().strip() if vault_password is None: raise YBOpsRuntimeError("Unable to read {}".format( args.vault_password_file)) else: raise YBOpsRuntimeError("Vault password file doesn't exist.") if args.vault_file is None: args.vault_file = "{}.vault".format(file_prefix) rsa_key = validated_key_file(args.private_key_file) except Exception: self._cleanup_dir(os.path.dirname(args.private_key_file)) raise # TODO: validate if the file provided is actually a private key file or not. public_key = format_rsa_key(rsa_key, public_key=True) private_key = format_rsa_key(rsa_key, public_key=False) self.cluster_vault.update(id_rsa=private_key, id_rsa_pub=public_key, authorized_keys=public_key) # These are saved for itest specific improvements. aws_access_key = os.environ.get('AWS_ACCESS_KEY_ID', "") aws_secret = os.environ.get('AWS_SECRET_ACCESS_KEY', "") if aws_access_key and aws_secret: self.cluster_vault.update( AWS_ACCESS_KEY_ID=os.environ['AWS_ACCESS_KEY_ID'], AWS_SECRET_ACCESS_KEY=os.environ['AWS_SECRET_ACCESS_KEY']) vault_data = dict(cluster_server_vault=self.cluster_vault) if args.has_sudo_password: sudo_password = getpass.getpass("SUDO Password: "******"ansible_become_pass": sudo_password}) vault = Vault(vault_password) vault.dump(vault_data, open(args.vault_file, 'w')) print( json.dumps({ "vault_file": args.vault_file, "vault_password": args.vault_password_file }))
def main(): home = expanduser("~") failed = False fields = { "file": { "required": True, "type": "str" }, "region": { "required": True, "type": "str" }, "roles": { "required": True, "type": "list" }, } module = AnsibleModule(argument_spec=fields) try: file = open(home + "/" + module.params['file'], "r") access_key = file.readline().rstrip('\n') secret_key = file.readline().rstrip('\n') file.close() file = open(home + "/" + "passwd/ansible-passwd", "r") data = { "region": module.params['region'], "access_key": access_key, "secret_key": secret_key } vault = Vault(file.readline().rstrip('\n')) awsconffile = open(home + "/" + ".aws/credentials", "w") awsconffile.write('[default]\n') awsconffile.write('aws_access_key_id = ' + access_key + '\n') awsconffile.write('aws_secret_access_key= ' + secret_key + '\n') awsconffile.close() awsconffile = open(home + "/" + ".aws/config", "w") awsconffile.write('[default]\n') awsconffile.write('region = ' + module.params['region'] + '\n') awsconffile.close() for role in module.params['roles']: vault.dump(data, open("./roles/" + role + "/vars/vault.yml", "w")) response = "Done" except: response = "Error" failed = True module.exit_json(changed=False, meta=response, failed=failed)
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) settings = mgmt.tm.gtm.global_settings.metrics.load() assert settings.defaultProbeLimit == 10
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) tg = mgmt.tm.cm.traffic_groups.traffic_group.load(name="my_traffic_group") assert tg.name == "my_traffic_group" assert tg.description == "My traffic group"
def convert(yaml_file, vault_pass, out_file=None): if not out_file: out_file = yaml_file vault = Vault(vault_pass) unencrypted_data = vault.load(open(yaml_file).read()) encrypted_data = encrypt_values(unencrypted_data, vault_pass) yaml.safe_dump(encrypted_data, open(out_file, 'w'), default_style='|', default_flow_style=False)
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) partition = mgmt.tm.auth.partitions.partition.load(name="my_partition") assert partition.name == "my_partition" assert partition.description == "My partition"
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) td = mgmt.tm.cm.trust_domains.trust_domain.load(name="Root") assert td.name == "Root" assert hasattr(td, "caDevices") is False
def setup_roles(args, tags=None): '''Used to assign and execute a role on a server''' vpass = args.get('vault_pass', None) vault_content = args.get('vault_content', None) if vpass: from ansible_vault import Vault vault = Vault(vpass) data = vault.load(vault_content) return runplay(config.get('books', 'setup'), args['servername'], args=args, tags=tags)
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) dc = mgmt.tm.gtm.datacenters.datacenter.load(name="my_datacenter") assert dc.name == "my_datacenter" assert dc.description == "My datacenter" assert dc.contact == "admin@localhost" assert dc.location == "Somewhere"
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) monitor = mgmt.tm.gtm.monitor.tcps.tcp.load(name="my_tcp_monitor", partition="Common") assert monitor.name == "my_tcp_monitor" assert monitor.partition == "Common" assert monitor.description == "My tcp monitor"
def get_vault_variables(self): # try unencrypted first for tests with open(self.paths.vault_yml, 'r') as f: vault_vars = yaml.load(f) if isinstance(vault_vars, dict): return vault_vars while True: try: vault = Vault(self.get_ansible_vault_password()) with open(self.paths.vault_yml, 'r') as vf: return vault.load(vf.read()) except AnsibleVaultError: print('incorrect password') self.get_ansible_vault_password.reset_cache(self)
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) listener = mgmt.tm.gtm.listeners.listener.load( name="my_listener", partition="Common" ) assert listener.name == "my_listener" assert listener.partition == "Common" assert listener.description == "My listener" assert listener.address == "10.10.1.1"
class AnsibleVaultSearch(object): def __init__(self, vault_password, vault_path): try: self.vault = Vault(vault_password) self.data = self.vault.load(open(vault_path).read()) except Exception as e: raise e def search(self, query, raw_structure): obj = None last_attr = None for attr in query.split("."): try: if not obj: last_attr = attr obj = self.data[attr] else: last_attr = attr obj = obj[attr] except (TypeError, KeyError): # Type not dictionary, so fail as not implemented obj = getattr(obj, attr) if raw_structure: print obj else: json_obj = json.dumps({last_attr: obj}) print json_obj
def get_creds_vault(vault_file,vault_password): try: vault = Vault(vault_password) secrets = vault.load(open(vault_file).read()) except: err=f"can't decode {vault_file}" print(err) logging.debug(f"ERROR: {err}") sys.exit() #####HACK for ansible version https://github.com/tomoh1r/ansible-vault/pull/34 #vault = VaultLib([(DEFAULT_VAULT_ID_MATCH, VaultSecret(vault_password.encode()))]) #secrets = yaml.safe_load(vault.decrypt(open(vault_file).read())) ##### # print(secrets) return secrets
def decrypt_keyfile_data(keyfile_data: bytes, password: str = None) -> bytes: """ Decrypts passed keyfile data using ansible vault. Args: keyfile_data ( bytes, required ): Bytes to validate password ( bool, optional ): It set, uses this password to decrypt data. Returns: decrypted_data (bytes): Decrypted data. Raises: KeyFileError: Raised if the file is corrupted or if the password is incorrect. """ password = getpass.getpass( "Enter password to unlock key: ") if password == None else password try: password = getpass.getpass( "Enter password to unlock key: ") if password == None else password console = bittensor.__console__ with console.status(":key: Decrypting key..."): # Ansible decrypt. if keyfile_data_is_encrypted_ansible(keyfile_data): vault = Vault(password) decrypted_keyfile_data = vault.load(keyfile_data) # Legacy decrypt. elif keyfile_data_is_encrypted_legacy(keyfile_data): __SALT = b"Iguesscyborgslikemyselfhaveatendencytobeparanoidaboutourorigins" kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), salt=__SALT, length=32, iterations=10000000, backend=default_backend()) key = base64.urlsafe_b64encode(kdf.derive(password.encode())) cipher_suite = Fernet(key) decrypted_keyfile_data = cipher_suite.decrypt(keyfile_data) # Unknown. else: raise KeyFileError( "Keyfile data: {} is corrupt".format(keyfile_data)) except (InvalidSignature, InvalidKey, InvalidToken): raise KeyFileError('Invalid password') if not isinstance(decrypted_keyfile_data, bytes): decrypted_keyfile_data = json.dumps(decrypted_keyfile_data).encode() return decrypted_keyfile_data
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) dg = mgmt.tm.cm.device_groups.device_group.load(name="my_device_group") assert dg.name == "my_device_group" assert dg.description == "My device group" devices = dg.devices_s.get_collection() assert len(devices) == 1 decrypted_device_name = vault.load(vars["device_name"]["__ansible_vault"]) assert devices[0].name == decrypted_device_name
def _get_vault_variables(self): # try unencrypted first for tests with open(self.paths.vault_yml, 'r') as f: vault_vars = yaml.safe_load(f) if isinstance(vault_vars, dict): return vault_vars while True: try: vault = Vault(self._get_ansible_vault_password()) with open(self.paths.vault_yml, 'r') as vf: return vault.load(vf.read()) except AnsibleVaultError: if os.environ.get('ANSIBLE_VAULT_PASSWORD'): raise print('incorrect password') self._get_ansible_vault_password.reset_cache(self)
def create_pool(): pooltype = request.form['pooltype'] poolname = request.form['poolname'].upper() if pooltype == 'vmware': vcname = request.form['vcname'] vcuser = request.form['vcuser'] vcpass = request.form['vcpass'] clustername = request.form['clustername'] networkname = request.form.get('networkname', None) datastorename = request.form.get('datastorename', None) datacentername = request.form.get('datacentername', None) dbsession = db.get_session() dbsession = db.get_session() pooltable = db.get_pooltbl() privatepool = db.get_privatepooltbl() poolid = str(uuid.uuid4()) passwd = passgen() #from Crypto.Cipher import AES import base64 ## Encryption #encryption_suite = AES.new('BM^@Y5BENeX2qpw$rRRkfR1LQ5$jQtMf', AES.MODE_CBC, 'This is an IV456') #passwd = encryption_suite.encrypt(passwd) hashpass = base64.b64encode(passwd) from ansible_vault import Vault vault = Vault(passwd) vault_content = vault.dump({'poolpass' : str(vcpass)}) hashcontent = base64.b64encode(vault_content) try: sys.path.append(ductrix_root) dbsession.add(pooltable( poolname=poolname, pooltype=pooltype, poolid=poolid)) dbsession.add(privatepool(username=vcuser,password=hashpass, content=hashcontent, targetserver=vcname, clusternm=clustername, poolid=poolid, networknm=networkname, storagenm=datastorename, datacenternm=datacentername)) dbsession.commit() dbsession.close() successmsg = "{0} Pool has been created sucessfully".format(poolname) job_msg = gen_message("success", successmsg) except Exception as inst: error = inst errormsg = "Error occured while connecting to {0} : {1} ".format(poolname, error) job_msg = gen_message("danger", errormsg) return redirect(url_for('pools', message=job_msg))
def cli(token, url, login, password, vaultpass): """ Tool for storing secrets Client side encryption using ansible vault. """ global ts ts = pillbox.secrets(url, login, password, token) ts.vault = Vault(vaultpass)
def get_stack_password(): if IS_CW == 0: vault = Vault(ANSIBLE_VAULT) #try: urllib3.contrib.pyopenssl.inject_into_urllib3() urllib3.disable_warnings() user_agent = {'user-agent': 'Mozilla/5.0 (Windows NT 6.3; rv:36.0) ..'} http = urllib3.PoolManager(10, headers=user_agent) url = 'https://api.github.com/repos/SplunkStorm/stax/contents/wormhole/secure_vars/tag_Stack_'+STACK+'/secure.yml?access_token='+TOKEN result = http.request("GET",url) if result.status == 200: req = json.loads(result.data) content = base64.decodestring(req['content']) _pass = vault.load(content)['stack_password'] return _pass else: return "ERROR_404" #stack not found #except: # return "ERROR" else: return "ERROR_CW"
def test_default(host): vars = host.ansible.get_variables() vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "") vault = Vault(vault_pass) decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"]) decrypted_user = vault.load(vars["http_user"]["__ansible_vault"]) decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"]) mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass) user = mgmt.tm.auth.users.user.load(name="user1") assert user.name == "user1" assert user.description == "User 1" partition_access = [ {"name": "Common", "role": "guest"}, {"name": "Test", "role": "operator"}, ] assert not DeepDiff( partition_access, user.partitionAccess, exclude_regex_paths={r"root\[\d+\]\['nameReference'\]"}, )
class Vault(): @staticmethod def to_encrypted_name(name): return f'{name}.encrypted' @staticmethod def to_decrypted_name(name): return '.'.join(name.split('.')[:-1]) def __init__(self, password): self.ansible_vault = AnsibleVault(password) self.fs = FileSystem() def encrypt(self, src, dest=None): srcs = self.fs.deserialize_name(src) assert self.fs.is_file(srcs), 'src should be a file' if not dest: dests = srcs.copy() dests[-1] = Vault.to_encrypted_name(srcs[-1]) dest = self.fs.serialize_name(dests) with open(src, 'r') as input_file: raw_data = input_file.read() with open(dest, 'wb') as output_file: self.ansible_vault.dump(raw_data, output_file) def decrypt(self, src, dest=None): srcs = self.fs.deserialize_name(src) assert self.fs.is_file(srcs), 'src should be a file' if not dest: dests = srcs.copy() dests[-1] = Vault.to_decrypted_name(srcs[-1]) dest = self.fs.serialize_name(dests) with open(src, 'r') as input_file: encrypted_data = input_file.read() try: decrypted_data = self.ansible_vault.load(encrypted_data) except AnsibleVaultError as e: raise Exception('Decrypt failed') with open(dest, 'w') as output_file: output_file.write(decrypted_data)
def openVaultFile(file): vault = Vault(vaultpwd) data = vault.load(open(vaultFile).read()) return data
def saveVaultFile(file, data): vault = Vault(vaultpwd) vault.dump(data, open(vaultFile, 'w'))