130 lines
		
	
	
		
			4.8 KiB
		
	
	
	
		
			Python
		
	
	
			
		
		
	
	
			130 lines
		
	
	
		
			4.8 KiB
		
	
	
	
		
			Python
		
	
	
| #!/usr/bin/env python
 | |
| 
 | |
| from functools import lru_cache
 | |
| from getpass import getpass
 | |
| import os
 | |
| from pathlib import Path
 | |
| import subprocess
 | |
| import sys
 | |
| import json
 | |
| 
 | |
| from ansible.module_utils.six.moves import configparser
 | |
| from ansible.plugins.vars import BaseVarsPlugin
 | |
| 
 | |
| 
 | |
| DOCUMENTATION = """
 | |
|     module: pass
 | |
|     vars: vault
 | |
|     version_added: 2.9
 | |
|     short_description: Load vault passwords from pass
 | |
|     description:
 | |
|         - Works exactly as a vault, loading variables from pass.
 | |
|         - Decrypts the YAML file `ansible_vault` from cranspasswords.
 | |
|         - Loads the secret variables.
 | |
|         - Makes use of data caching in order to avoid calling cranspasswords multiple times.
 | |
|         - Uses the local gpg key from the user running ansible on the Control node.
 | |
| """
 | |
| 
 | |
| 
 | |
| 
 | |
| class VarsModule(BaseVarsPlugin):
 | |
|     @staticmethod
 | |
|     @lru_cache
 | |
|     def decrypt_password(name, crans_submodule=False):
 | |
|         """
 | |
|         Passwords are decrypted from the local password store, then are cached.
 | |
|         By that way, we don't decrypt these passwords everytime.
 | |
|         """
 | |
|         # Load config
 | |
|         config = configparser.ConfigParser()
 | |
|         config.read(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'pass.ini'))
 | |
| 
 | |
|         password_store = Path(config.get('pass', 'password_store_dir',
 | |
|             fallback=os.getenv('PASSWORD_STORE_DIR', Path.home() / '.password-store')))
 | |
| 
 | |
|         if crans_submodule:
 | |
|             password_store /= config.get('pass', 'crans_password_store_submodule',
 | |
|                     fallback=os.getenv('CRANS_PASSWORD_STORE_SUBMODULE', 'crans'))
 | |
|         full_command = ['gpg', '-q', '-d', password_store / f'{name}.gpg']
 | |
|         proc = subprocess.run(full_command, capture_output=True, close_fds=True)
 | |
|         clear_text = proc.stdout.decode('UTF-8')
 | |
|         sys.stderr.write(proc.stderr.decode('UTF-8'))
 | |
|         return clear_text
 | |
| 
 | |
|     @staticmethod
 | |
|     @lru_cache
 | |
|     def become_password(entity):
 | |
|         """
 | |
|         Query the become password that should be used for the given entity.
 | |
|         If entity is the whole group that has no default password,
 | |
|         the become password will be prompted.
 | |
|         The configuration should be given in pass.ini, in the `pass_become`
 | |
|         group. You have only to write `group=pass-filename`.
 | |
|         """
 | |
|         # Load config
 | |
|         config = configparser.ConfigParser()
 | |
|         config.read(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'pass.ini'))
 | |
|         if config.has_option('pass_become', entity.get_name()):
 | |
|             return VarsModule.decrypt_password(
 | |
|                     config.get('pass_become', entity.get_name())).split('\n')[0]
 | |
|         if entity.get_name() == "all":
 | |
|             return getpass("BECOME password: ", stream=None)
 | |
|         return None
 | |
| 
 | |
|     def get_vars(self, loader, path, entities):
 | |
|         """
 | |
|         Get all vars for entities, called by Ansible.
 | |
| 
 | |
|         loader: Ansible's DataLoader.
 | |
|         path: Current play's playbook directory.
 | |
|         entities: Host or group names pertinent to the variables needed.
 | |
|         """
 | |
|         # VarsModule objects are called every time you need host vars, per host,
 | |
|         # and per group the host is part of.
 | |
|         # It is about 6 times per host per task in current state
 | |
|         # of Ansible Crans configuration.
 | |
| 
 | |
|         # It is way to much.
 | |
|         # So we cache the data into the DataLoader (see parsing/DataLoader).
 | |
| 
 | |
|         passwords = {}
 | |
| 
 | |
|         config = configparser.ConfigParser()
 | |
|         config.read(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'pass.ini'))
 | |
| 
 | |
|         password_store = Path(config.get('pass', 'password_store_dir',
 | |
|             fallback=os.getenv('PASSWORD_STORE_DIR', Path.home() / '.password-store')))
 | |
| 
 | |
|         password_store /= config.get('pass', 'crans_password_store_submodule',
 | |
|             fallback=os.getenv('CRANS_PASSWORD_STORE_SUBMODULE', 'crans'))
 | |
| 
 | |
|         password_store /= '.last_group.json'
 | |
| 
 | |
|         with open(password_store) as file:
 | |
|             files = json.load(file)
 | |
| 
 | |
|         files = [ file for file in files if file.startswith('ansible/') ]
 | |
| 
 | |
|         for entity in entities:
 | |
|             # Load vault passwords
 | |
|             if entity.get_name() == 'all':
 | |
|                 passwords['vault'] = {}
 | |
|                 for file in files:
 | |
|                     paths = file.removeprefix('ansible/').split('/')
 | |
|                     d = passwords['vault']
 | |
|                     for path in paths[:-1]:
 | |
|                         if path not in d:
 | |
|                             d[path] = {}
 | |
|                         d = d[path]
 | |
|                     try:
 | |
|                         d[paths[-1]] = loader.load(VarsModule.decrypt_password(file, True))
 | |
|                     except Exception as e:
 | |
|                         print(file)
 | |
| 
 | |
|             # Load become password
 | |
|             become_password = VarsModule.become_password(entity)
 | |
|             if become_password is not None:
 | |
|                 passwords['ansible_become_password'] = become_password
 | |
| 
 | |
|         return passwords
 |