commit
33761efd19
8 changed files with 94 additions and 4 deletions
|
@ -194,5 +194,7 @@ class AdHocCLI(CLI):
|
|||
finally:
|
||||
if self._tqm:
|
||||
self._tqm.cleanup()
|
||||
if loader:
|
||||
loader.cleanup_all_tmp_files()
|
||||
|
||||
return result
|
||||
|
|
|
@ -215,6 +215,8 @@ class ConsoleCLI(CLI, cmd.Cmd):
|
|||
finally:
|
||||
if self._tqm:
|
||||
self._tqm.cleanup()
|
||||
if self.loader:
|
||||
self.loader.cleanup_all_tmp_files()
|
||||
|
||||
if result is None:
|
||||
display.error("No hosts found")
|
||||
|
|
|
@ -194,6 +194,8 @@ class PlaybookExecutor:
|
|||
finally:
|
||||
if self._tqm is not None:
|
||||
self._tqm.cleanup()
|
||||
if self._loader:
|
||||
self._loader.cleanup_all_tmp_files()
|
||||
|
||||
if self._options.syntax:
|
||||
display.display("No issues encountered")
|
||||
|
|
|
@ -23,7 +23,9 @@ import copy
|
|||
import os
|
||||
import json
|
||||
import subprocess
|
||||
import tempfile
|
||||
from yaml import YAMLError
|
||||
|
||||
from ansible.compat.six import text_type, string_types
|
||||
|
||||
from ansible.errors import AnsibleFileNotFound, AnsibleParserError, AnsibleError
|
||||
|
@ -58,6 +60,7 @@ class DataLoader():
|
|||
def __init__(self):
|
||||
self._basedir = '.'
|
||||
self._FILE_CACHE = dict()
|
||||
self._tempfiles = set()
|
||||
|
||||
# initialize the vault stuff with an empty password
|
||||
self.set_vault_password(None)
|
||||
|
@ -292,3 +295,72 @@ class DataLoader():
|
|||
f.close()
|
||||
except (OSError, IOError) as e:
|
||||
raise AnsibleError("Could not read vault password file %s: %s" % (this_path, e))
|
||||
|
||||
def _create_content_tempfile(self, content):
|
||||
''' Create a tempfile containing defined content '''
|
||||
fd, content_tempfile = tempfile.mkstemp()
|
||||
f = os.fdopen(fd, 'wb')
|
||||
content = to_bytes(content)
|
||||
try:
|
||||
f.write(content)
|
||||
except Exception as err:
|
||||
os.remove(content_tempfile)
|
||||
raise Exception(err)
|
||||
finally:
|
||||
f.close()
|
||||
return content_tempfile
|
||||
|
||||
def get_real_file(self, file_path):
|
||||
"""
|
||||
If the file is vault encrypted return a path to a temporary decrypted file
|
||||
If the file is not encrypted then the path is returned
|
||||
Temporary files are cleanup in the destructor
|
||||
"""
|
||||
|
||||
if not file_path or not isinstance(file_path, string_types):
|
||||
raise AnsibleParserError("Invalid filename: '%s'" % str(file_path))
|
||||
|
||||
if not self.path_exists(file_path) or not self.is_file(file_path):
|
||||
raise AnsibleFileNotFound("the file_name '%s' does not exist, or is not readable" % file_path)
|
||||
|
||||
if not self._vault:
|
||||
self._vault = VaultLib(password="")
|
||||
|
||||
real_path = self.path_dwim(file_path)
|
||||
|
||||
try:
|
||||
with open(real_path, 'rb') as f:
|
||||
data = f.read()
|
||||
if self._vault.is_encrypted(data):
|
||||
# if the file is encrypted and no password was specified,
|
||||
# the decrypt call would throw an error, but we check first
|
||||
# since the decrypt function doesn't know the file name
|
||||
if not self._vault_password:
|
||||
raise AnsibleParserError("A vault password must be specified to decrypt %s" % file_path)
|
||||
|
||||
data = self._vault.decrypt(data)
|
||||
# Make a temp file
|
||||
real_path = self._create_content_tempfile(data)
|
||||
self._tempfiles.add(real_path)
|
||||
|
||||
return real_path
|
||||
|
||||
except (IOError, OSError) as e:
|
||||
raise AnsibleParserError("an error occurred while trying to read the file '%s': %s" % (real_path, str(e)))
|
||||
|
||||
def cleanup_tmp_file(self, file_path):
|
||||
"""
|
||||
Removes any temporary files created from a previous call to
|
||||
get_real_file. file_path must be the path returned from a
|
||||
previous call to get_real_file.
|
||||
"""
|
||||
if file_path in self._tempfiles:
|
||||
os.unlink(file_path)
|
||||
self._tempfiles.remove(file_path);
|
||||
|
||||
def cleanup_all_tmp_files(self):
|
||||
for f in self._tempfiles:
|
||||
try:
|
||||
self.cleanup_tmp_file(f)
|
||||
except:
|
||||
pass #TODO: this should at least warn
|
||||
|
|
|
@ -152,6 +152,8 @@ class ActionModule(ActionBase):
|
|||
diffs = []
|
||||
for source_full, source_rel in source_files:
|
||||
|
||||
source_full = self._loader.get_real_file(source_full)
|
||||
|
||||
# Generate a hash of the local file.
|
||||
local_checksum = checksum(source_full)
|
||||
|
||||
|
@ -218,6 +220,7 @@ class ActionModule(ActionBase):
|
|||
|
||||
# We have copied the file remotely and no longer require our content_tempfile
|
||||
self._remove_tempfile_if_content_defined(content, content_tempfile)
|
||||
self._loader.cleanup_tmp_file(source_full)
|
||||
|
||||
# fix file permissions when the copy is done as a different user
|
||||
self._fixup_perms(tmp, remote_user, recursive=True)
|
||||
|
@ -246,6 +249,7 @@ class ActionModule(ActionBase):
|
|||
# no need to transfer the file, already correct hash, but still need to call
|
||||
# the file module in case we want to change attributes
|
||||
self._remove_tempfile_if_content_defined(content, content_tempfile)
|
||||
self._loader.cleanup_tmp_file(source_full)
|
||||
|
||||
if raw:
|
||||
# Continue to next iteration if raw is defined.
|
||||
|
|
|
@ -144,10 +144,10 @@ test_var_precedence: setup
|
|||
ansible-playbook test_var_precedence.yml -i $(INVENTORY) $(CREDENTIALS_ARG) $(TEST_FLAGS) -v -e outputdir=$(TEST_DIR) -e 'extra_var=extra_var' -e 'extra_var_override=extra_var_override'
|
||||
|
||||
test_vault: setup
|
||||
ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --list-tasks -e outputdir=$(TEST_DIR)
|
||||
ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --list-hosts -e outputdir=$(TEST_DIR)
|
||||
ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --syntax-check -e outputdir=$(TEST_DIR)
|
||||
ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) -e outputdir=$(TEST_DIR)
|
||||
ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --list-tasks -e outputdir=$(TEST_DIR) -e @$(VARS_FILE)
|
||||
ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --list-hosts -e outputdir=$(TEST_DIR) -e @$(VARS_FILE)
|
||||
ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) --syntax-check -e outputdir=$(TEST_DIR) -e @$(VARS_FILE)
|
||||
ansible-playbook test_vault.yml -i $(INVENTORY) $(CREDENTIALS_ARG) -v $(TEST_FLAGS) --vault-password-file $(VAULT_PASSWORD_FILE) -e outputdir=$(TEST_DIR) -e @$(VARS_FILE)
|
||||
|
||||
# test_delegate_to does not work unless we have permission to ssh to localhost.
|
||||
# Would take some more effort on our test systems to implement that -- probably
|
||||
|
|
|
@ -8,4 +8,6 @@
|
|||
- assert:
|
||||
that:
|
||||
- 'secret_var == "secret"'
|
||||
|
||||
- copy: src=vault-secret.txt dest={{output_dir}}/secret.txt
|
||||
|
||||
|
|
6
test/integration/vault-secret.txt
Normal file
6
test/integration/vault-secret.txt
Normal file
|
@ -0,0 +1,6 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
39303432393062643236616234306333383838333662386165616633303735336537613337396337
|
||||
6662666233356462326631653161663663363166323338320a653131656636666339633863346530
|
||||
32326238646631653133643936306666643065393038386234343736663239363665613963343661
|
||||
3230353633643361650a363034323631613864326438396665343237383566336339323837326464
|
||||
3930
|
Loading…
Reference in a new issue