diff --git a/v2/ansible/plugins/strategies/linear.py b/v2/ansible/plugins/strategies/linear.py index f8c0e3bee8..c6b9445b2e 100644 --- a/v2/ansible/plugins/strategies/linear.py +++ b/v2/ansible/plugins/strategies/linear.py @@ -224,6 +224,7 @@ class StrategyModule(StrategyBase): def __repr__(self): return "%s (%s): %s" % (self._filename, self._args, self._hosts) + # FIXME: this should also be moved to the base class in a method included_files = [] for res in host_results: if res._task.action == 'include': @@ -253,6 +254,9 @@ class StrategyModule(StrategyBase): inc_file.add_host(res._host) + # FIXME: should this be moved into the iterator class? Main downside would be + # that accessing the TQM's callback member would be more difficult, if + # we do want to send callbacks from here if len(included_files) > 0: noop_task = Task() noop_task.action = 'meta' @@ -263,7 +267,14 @@ class StrategyModule(StrategyBase): for included_file in included_files: # included hosts get the task list while those excluded get an equal-length # list of noop tasks, to make sure that they continue running in lock-step - new_tasks = self._load_included_file(included_file) + try: + new_tasks = self._load_included_file(included_file) + except AnsibleError, e: + for host in included_file._hosts: + iterator.mark_host_failed(host) + # FIXME: callback here? + print(e) + noop_tasks = [noop_task for t in new_tasks] for host in hosts_left: if host in included_file._hosts: diff --git a/v2/ansible/utils/vault.py b/v2/ansible/utils/vault.py new file mode 100644 index 0000000000..04634aa377 --- /dev/null +++ b/v2/ansible/utils/vault.py @@ -0,0 +1,56 @@ +# (c) 2012-2014, Michael DeHaan +# +# This file is part of Ansible +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . + +# Make coding more python3-ish +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import subprocess + +from ansible import constants as C +from ansible.errors import AnsibleError +from ansible.utils.path import is_executable + +def read_vault_file(vault_password_file): + """ + Read a vault password from a file or if executable, execute the script and + retrieve password from STDOUT + """ + + this_path = os.path.realpath(os.path.expanduser(vault_password_file)) + if not os.path.exists(this_path): + raise AnsibleError("The vault password file %s was not found" % this_path) + + if is_executable(this_path): + try: + # STDERR not captured to make it easier for users to prompt for input in their scripts + p = subprocess.Popen(this_path, stdout=subprocess.PIPE) + except OSError, e: + raise AnsibleError("Problem running vault password script %s (%s). If this is not a script, remove the executable bit from the file." % (' '.join(this_path), e)) + stdout, stderr = p.communicate() + vault_pass = stdout.strip('\r\n') + else: + try: + f = open(this_path, "rb") + vault_pass=f.read().strip() + f.close() + except (OSError, IOError), e: + raise AnsibleError("Could not read vault password file %s: %s" % (this_path, e)) + + return vault_pass + diff --git a/v2/bin/ansible-playbook b/v2/bin/ansible-playbook index eafccedcba..bdd9598ec8 100755 --- a/v2/bin/ansible-playbook +++ b/v2/bin/ansible-playbook @@ -15,6 +15,7 @@ from ansible.playbook.task import Task from ansible.utils.cli import base_parser from ansible.utils.unicode import to_unicode from ansible.utils.vars import combine_vars +from ansible.utils.vault import read_vault_file from ansible.vars import VariableManager # Implement an ansible.utils.warning() function later @@ -34,8 +35,8 @@ def main(args): check_opts=True, diff_opts=True ) - #parser.add_option('--vault-password', dest="vault_password", - # help="password for vault encrypted files") + parser.add_option('--vault-password', dest="vault_password", + help="password for vault encrypted files") parser.add_option('-e', '--extra-vars', dest="extra_vars", action="append", help="set additional variables as key=value or YAML/JSON", default=[]) parser.add_option('-t', '--tags', dest='tags', default='all', @@ -61,47 +62,14 @@ def main(args): parser.print_help(file=sys.stderr) return 1 - #--------------------------------------------------------------------------------------------------- - # FIXME: su/sudo stuff needs to be generalized - # su and sudo command line arguments need to be mutually exclusive - #if (options.su or options.su_user or options.ask_su_pass) and \ - # (options.sudo or options.sudo_user or options.ask_sudo_pass): - # parser.error("Sudo arguments ('--sudo', '--sudo-user', and '--ask-sudo-pass') " - # "and su arguments ('-su', '--su-user', and '--ask-su-pass') are " - # "mutually exclusive") - # - #if (options.ask_vault_pass and options.vault_password_file): - # parser.error("--ask-vault-pass and --vault-password-file are mutually exclusive") - # - #sshpass = None - #sudopass = None - #su_pass = None - #vault_pass = None - # - #options.ask_vault_pass = options.ask_vault_pass or C.DEFAULT_ASK_VAULT_PASS - # - #if options.listhosts or options.syntax or options.listtasks: - # (_, _, _, vault_pass) = utils.ask_passwords(ask_vault_pass=options.ask_vault_pass) - #else: - # options.ask_pass = options.ask_pass or C.DEFAULT_ASK_PASS - # # Never ask for an SSH password when we run with local connection - # if options.connection == "local": - # options.ask_pass = False - # options.ask_sudo_pass = options.ask_sudo_pass or C.DEFAULT_ASK_SUDO_PASS - # options.ask_su_pass = options.ask_su_pass or C.DEFAULT_ASK_SU_PASS - # (sshpass, sudopass, su_pass, vault_pass) = utils.ask_passwords(ask_pass=options.ask_pass, ask_sudo_pass=options.ask_sudo_pass, ask_su_pass=options.ask_su_pass, ask_vault_pass=options.ask_vault_pass) - # options.sudo_user = options.sudo_user or C.DEFAULT_SUDO_USER - # options.su_user = options.su_user or C.DEFAULT_SU_USER - # - ## read vault_pass from a file - #if not options.ask_vault_pass and options.vault_password_file: - # vault_pass = utils.read_vault_file(options.vault_password_file) - # END FIXME - #--------------------------------------------------------------------------------------------------- + vault_pass = None + if options.ask_vault_pass: + # FIXME: prompt here + pass + elif options.vault_password_file: + # read vault_pass from a file + vault_pass = read_vault_file(options.vault_password_file) - # FIXME: this hard-coded value will be removed after fixing the removed block - # above, which dealt wtih asking for passwords during runtime - vault_pass = 'testing' loader = DataLoader(vault_password=vault_pass) extra_vars = {}