def write_group_vars(settings): vault_secret = open("ansible/.vault_pass.txt", "r").read().rstrip("\n") vault = Vault(vault_secret) secret_keywords = [ "user", "pass", "access_key", "secret_key", "token", "ansible_user", "ansible_become_pass" ] for k, v in settings.items(): secrets = dict() options = dict() for i in v: if i in secret_keywords: secrets[i] = v[i] else: if i != "host": options[i] = v[i] vault.dump(secrets, open("ansible/group_vars/{}/vault.yml".format(k), "wb")) if options: with open("ansible/group_vars/{}/options.yml".format(k), "w") as infile: yaml.dump(options, infile)
def callback(self, args): file_prefix = os.path.splitext(args.private_key_file)[0] args.vault_password_file = args.vault_password_file or \ "{}.vault_password".format(file_prefix) if os.path.exists(args.vault_password_file): with open(args.vault_password_file, "r") as f: vault_password = f.read().strip() if vault_password is None: raise YBOpsRuntimeError("Unable to read {}".format( args.vault_password_file)) else: raise YBOpsRuntimeError("Vault password file doesn't exists.") if args.vault_file is None: args.vault_file = "{}.vault".format(file_prefix) vault = Vault(vault_password) data = vault.load(open(args.vault_file).read()) if args.has_sudo_password: if not YB_SUDO_PASS: raise YBOpsRuntimeError("Did not find sudo password.") data['ansible_become_pass'] = YB_SUDO_PASS vault.dump(data, open(args.vault_file, 'w')) print( json.dumps({ "vault_file": args.vault_file, "vault_password": args.vault_password_file }))
def _set_secret(self, var, value): # No effort is made to preserve the original YAML format (comments, etc.), # and no edge cases are handled (e.g. vault does not exist, etc.) data = self._get_vault_variables() or {} data[var] = value vault = Vault(self._get_ansible_vault_password()) with open(self.vault_file_path, 'wb') as vf: vault.dump(data, vf) self._get_vault_variables.reset_cache(self)
def callback(self, args): file_prefix = os.path.splitext(args.private_key_file)[0] try: if args.vault_password_file is None: vault_password = generate_random_password() args.vault_password_file = "{}.vault_password".format( file_prefix) with open(args.vault_password_file, "w") as f: f.write(vault_password) elif os.path.exists(args.vault_password_file): with open(args.vault_password_file, "r") as f: vault_password = f.read().strip() if vault_password is None: raise YBOpsRuntimeError("Unable to read {}".format( args.vault_password_file)) else: raise YBOpsRuntimeError("Vault password file doesn't exist.") if args.vault_file is None: args.vault_file = "{}.vault".format(file_prefix) rsa_key = validated_key_file(args.private_key_file) except Exception: self._cleanup_dir(os.path.dirname(args.private_key_file)) raise # TODO: validate if the file provided is actually a private key file or not. public_key = format_rsa_key(rsa_key, public_key=True) private_key = format_rsa_key(rsa_key, public_key=False) self.cluster_vault.update(id_rsa=private_key, id_rsa_pub=public_key, authorized_keys=public_key) # These are saved for itest specific improvements. aws_access_key = os.environ.get('AWS_ACCESS_KEY_ID', "") aws_secret = os.environ.get('AWS_SECRET_ACCESS_KEY', "") if aws_access_key and aws_secret: self.cluster_vault.update( AWS_ACCESS_KEY_ID=os.environ['AWS_ACCESS_KEY_ID'], AWS_SECRET_ACCESS_KEY=os.environ['AWS_SECRET_ACCESS_KEY']) vault_data = dict(cluster_server_vault=self.cluster_vault) if args.has_sudo_password: sudo_password = getpass.getpass("SUDO Password: "******"ansible_become_pass": sudo_password}) vault = Vault(vault_password) vault.dump(vault_data, open(args.vault_file, 'w')) print( json.dumps({ "vault_file": args.vault_file, "vault_password": args.vault_password_file }))
def main(): home = expanduser("~") failed = False fields = { "file": { "required": True, "type": "str" }, "region": { "required": True, "type": "str" }, "roles": { "required": True, "type": "list" }, } module = AnsibleModule(argument_spec=fields) try: file = open(home + "/" + module.params['file'], "r") access_key = file.readline().rstrip('\n') secret_key = file.readline().rstrip('\n') file.close() file = open(home + "/" + "passwd/ansible-passwd", "r") data = { "region": module.params['region'], "access_key": access_key, "secret_key": secret_key } vault = Vault(file.readline().rstrip('\n')) awsconffile = open(home + "/" + ".aws/credentials", "w") awsconffile.write('[default]\n') awsconffile.write('aws_access_key_id = ' + access_key + '\n') awsconffile.write('aws_secret_access_key= ' + secret_key + '\n') awsconffile.close() awsconffile = open(home + "/" + ".aws/config", "w") awsconffile.write('[default]\n') awsconffile.write('region = ' + module.params['region'] + '\n') awsconffile.close() for role in module.params['roles']: vault.dump(data, open("./roles/" + role + "/vars/vault.yml", "w")) response = "Done" except: response = "Error" failed = True module.exit_json(changed=False, meta=response, failed=failed)
def encrypt_file(path, password_file, newpath=None, secrets=None): '''Encrypts an Ansible Vault YAML file. Returns encrypted data. Set newpath to write the result somewhere. Set secrets to specify inline secret addresses.''' log.debug('Reading decrypted data from {}...'.format(path)) data = parse_yaml(path) if not data: raise ValueError('The YAML file "{}" could not be parsed'.format(path)) else: log.debug('Got vars: {}'.format(data)) with open(password_file) as f: p = f.read().strip() log.debug('Read pass from {}: {}'.format(password_file, p)) if secrets: # newdata = data.copy() secrets = list(secrets) log.debug('Received {} secrets: {}'.format(len(secrets), secrets)) for address in secrets: plaintext = get_dict_value(data, address) log.debug('Re-encrypting "{}" at {} with new password...'.format( plaintext, address)) put_dict_value( data, address, VaultString.encrypt(plaintext=plaintext, password=p)) if newpath: log.debug('Writing {} to {}...'.format(data, newpath, p)) write_yaml(newpath, data) return data else: vault = Vault(p) encrypted = vault.dump(data) with open(newpath, 'w') as f: f.write(encrypted) return encrypted
class Vault(): @staticmethod def to_encrypted_name(name): return f'{name}.encrypted' @staticmethod def to_decrypted_name(name): return '.'.join(name.split('.')[:-1]) def __init__(self, password): self.ansible_vault = AnsibleVault(password) self.fs = FileSystem() def encrypt(self, src, dest=None): srcs = self.fs.deserialize_name(src) assert self.fs.is_file(srcs), 'src should be a file' if not dest: dests = srcs.copy() dests[-1] = Vault.to_encrypted_name(srcs[-1]) dest = self.fs.serialize_name(dests) with open(src, 'r') as input_file: raw_data = input_file.read() with open(dest, 'wb') as output_file: self.ansible_vault.dump(raw_data, output_file) def decrypt(self, src, dest=None): srcs = self.fs.deserialize_name(src) assert self.fs.is_file(srcs), 'src should be a file' if not dest: dests = srcs.copy() dests[-1] = Vault.to_decrypted_name(srcs[-1]) dest = self.fs.serialize_name(dests) with open(src, 'r') as input_file: encrypted_data = input_file.read() try: decrypted_data = self.ansible_vault.load(encrypted_data) except AnsibleVaultError as e: raise Exception('Decrypt failed') with open(dest, 'w') as output_file: output_file.write(decrypted_data)
def callback(self, args): file_prefix = os.path.splitext(args.private_key_file)[0] if args.vault_password is None: vault_password = generate_random_password() args.vault_password = "******".format(file_prefix) with file(args.vault_password, "w") as f: f.write(vault_password) elif os.path.exists(args.vault_password): with file(args.vault_password) as f: vault_password = f.read().strip() if vault_password is None: raise YBOpsRuntimeError("Unable to read {}".format( args.vault_password)) else: raise YBOpsRuntimeError("Vault password file doesn't exists.") if args.vault_file is None: args.vault_file = "{}.vault".format(file_prefix) rsa_key = validated_key_file(args.private_key_file) # TODO: validate if the file provided is actually a private key file or not. public_key = format_rsa_key(rsa_key, public_key=True) private_key = format_rsa_key(rsa_key, public_key=False) self.cluster_vault.update(id_rsa=private_key, id_rsa_pub=public_key, authorized_keys=public_key) vault_data = dict(cluster_server_vault=self.cluster_vault) if args.has_sudo_password: sudo_password = getpass.getpass("SUDO Password: "******"ansible_become_pass": sudo_password}) vault = Vault(vault_password) vault.dump(vault_data, open(args.vault_file, 'w')) print json.dumps({ "vault_file": args.vault_file, "vault_password": args.vault_password })
def create_pool(): pooltype = request.form['pooltype'] poolname = request.form['poolname'].upper() if pooltype == 'vmware': vcname = request.form['vcname'] vcuser = request.form['vcuser'] vcpass = request.form['vcpass'] clustername = request.form['clustername'] networkname = request.form.get('networkname', None) datastorename = request.form.get('datastorename', None) datacentername = request.form.get('datacentername', None) dbsession = db.get_session() dbsession = db.get_session() pooltable = db.get_pooltbl() privatepool = db.get_privatepooltbl() poolid = str(uuid.uuid4()) passwd = passgen() #from Crypto.Cipher import AES import base64 ## Encryption #encryption_suite = AES.new('BM^@Y5BENeX2qpw$rRRkfR1LQ5$jQtMf', AES.MODE_CBC, 'This is an IV456') #passwd = encryption_suite.encrypt(passwd) hashpass = base64.b64encode(passwd) from ansible_vault import Vault vault = Vault(passwd) vault_content = vault.dump({'poolpass' : str(vcpass)}) hashcontent = base64.b64encode(vault_content) try: sys.path.append(ductrix_root) dbsession.add(pooltable( poolname=poolname, pooltype=pooltype, poolid=poolid)) dbsession.add(privatepool(username=vcuser,password=hashpass, content=hashcontent, targetserver=vcname, clusternm=clustername, poolid=poolid, networknm=networkname, storagenm=datastorename, datacenternm=datacentername)) dbsession.commit() dbsession.close() successmsg = "{0} Pool has been created sucessfully".format(poolname) job_msg = gen_message("success", successmsg) except Exception as inst: error = inst errormsg = "Error occured while connecting to {0} : {1} ".format(poolname, error) job_msg = gen_message("danger", errormsg) return redirect(url_for('pools', message=job_msg))
def saveVaultFile(file, data): vault = Vault(vaultpwd) vault.dump(data, open(vaultFile, 'w'))
from ansible_vault import Vault #from CorrectPythonPackage.token import * vault = Vault('tower@123') data = vault.dump(vault, open('vault.yml', 'w')) # also you can get encrypted text print(vault.dump(data))
class AnsibleVaultService: def __init__(self, password: str): self.__vault = Vault(password) def encrypt(self, data: str): return self.__vault.dump(data)