a )gW@sddlmZmZmZeZddlmZddlZddl Z ddl m Z ddl m Z ddlmZddlmZddlmZmZdd lmZdd lmZmZmZdd lmZeZGd d d eZdddZ e!dkre dS))absolute_importdivisionprint_function)CLIN) constants)context)option_helpers)AnsibleOptionsError)to_textto_bytes) DataLoader) VaultEditorVaultLibmatch_encrypt_secret)DisplaycseZdZdZdZdZdZdZfddZfdd Z fd d Z fd d Z ddZ e d!ddZddZd"ddZddZddZddZddZdd ZZS)#VaultCLIa9 can encrypt any structured data file used by Ansible. This can include *group_vars/* or *host_vars/* inventory variables, variables loaded by *include_vars* or *vars_files*, or variable files passed on the ansible-playbook command line with *-e @file.yml* or *-e @file.json*. Role variables and defaults are also included! Because Ansible tasks, handlers, and other objects are data, these can also be encrypted with vault. If you'd like to not expose what variables you are using, you can keep an individual task file entirely encrypted. z ansible-vaultstdinzthe command line argszthe interactive promptcs>d|_d|_d|_d|_d|_d|_d|_tt| |dS)NF) Z b_vault_passZb_new_vault_passencrypt_string_read_stdinencrypt_secretencrypt_vault_idnew_encrypt_secretnew_encrypt_vault_idsuperr__init__)selfargs __class__5/usr/lib/python3.9/site-packages/ansible/cli/vault.pyr-szVaultCLI.__init__c stt|jddtjtjddtj j dd}t |t ||j jdd}d |_tj j dd}|jd dd d td tj j dd}|jdgddtdd|jdd||gd}|j|jd|jddddd|jdd||gd}|j|jd|jddddd|jdd||gd}|j|jd|jddddd|jd d!|gd}|j|jd|jddddd|jd"d#|||gd} | j|jd| jddddd|jd$d%|||gd} | j|jd| jdd&d'dd| jd(d)d*d+d,d-| jd.d/dd+d0d1| jd2d3d4d5d6d-| jd7d8dd9d:|jd;d<||gd} | j|jd| } | jd=dd>d?td | jd@ddAtdBdC| jddddddS)DNz4encryption/decryption utility for Ansible data fileszH See '%s --help' for more information on a specific command. r)ZdescepilogF)add_helpaction)destTz--output output_filez9output file name for encrypt or decrypt; use - for stdout)defaultr#helptypez--encrypt-vault-idrstorezMthe vault id used to encrypt (required if more than one vault-id is provided))r%r#r"r'r&createzCreate new vault encrypted file)r&parents)funcrZFilename file_name*)r&metavarnargsdecryptzDecrypt vault encrypted fileeditzEdit vault encrypted fileviewzView vault encrypted fileencryptzEncrypt YAML fileencrypt_stringzEncrypt a stringzString to encryptZstring_to_encryptz-pz--promptencrypt_string_prompt store_truez Prompt for the string to encrypt)r#r"r&z --show-inputshow_string_inputz9Do not hide input when prompted for the string to encrypt)r#r%r"r&z-nz--nameencrypt_string_namesappendzSpecify the variable namez --stdin-nameencrypt_string_stdin_namez#Specify the variable name for stdin)r#r%r&rekeyzRe-key a vault encrypted filez--new-vault-password-filenew_vault_password_filez!new vault password file for rekeyz--new-vault-id new_vault_idz'the new vault identity to use for rekey)r%r#r'r&)rr init_parserospathbasenamesysargvopt_helpargparseArgumentParserZadd_vault_optionsZadd_verbosity_optionsparseradd_subparsersrequired add_argumentZ unfrack_pathstr add_parser set_defaultsexecute_createexecute_decrypt execute_edit execute_viewexecute_encryptexecute_encrypt_string execute_rekeyadd_mutually_exclusive_group) rcommonZ subparsersoutputvault_idZ create_parserZdecrypt_parserZ edit_parserZ view_parserZencrypt_parserZenc_str_parserZ rekey_parserZrekey_new_grouprrrr>:s|          zVaultCLI.init_parsercstt||}|jt_|jr>|jD]}d|vr$td|q$t|ddr`t|j dkr`td|j dkrd|j vs|j r|j rd|_ |j r|j rtd |S) N;zK'%s' is not a valid vault id. The character ';' is not allowed in vault idsr$z;At most one input file may be used with the --output optionr4-TzEThe --prompt option is not supported if also reading input from stdin)rrpost_process_args verbositydisplay vault_idsr getattrlenrr"r:rr5)roptionsrXrrrr\~s   zVaultCLI.post_process_argscstt|t}td}ttjd}t j }||}tjd}|dvrz|j ||ttjdtjdd}|szt d|d vr"d}|d vrtjd pt j }d}|j ||ttjdtjdd d }t|dkr|st dddd|D|st dt||d}|d|_|d|_|dvrtjd pz VaultCLI.run..)rr)r;r=r<z=A new vault password is required to use Ansible's Vault rekeyr+)rrrunr r?umasklistrCLIARGSCZDEFAULT_VAULT_IDENTITY_LISTZsetup_vault_secretsr ZDEFAULT_VAULT_ENCRYPT_IDENTITYrajoinrrrr9rrZset_vault_secretsrr editor)rloaderZ old_umaskr_Zdefault_vault_idsr"Z vault_secretsrrZ new_vault_idsZnew_vault_password_filesZnew_vault_secretsrZvaultrrrrls               z VaultCLI.runcCsrtjds"tjr"tjdddtjdp0dgD]"}|jj||j|j tjddq2tj rntjdddd S) z; encrypt the supplied file using the provided vault secret rz"Reading plaintext input from stdinTstderrr[r$)rXr$Encryption successfulN) rrorBrisattyr^rrZ encrypt_filerrstdoutrfrrrrRs  zVaultCLI.execute_encryptNc Csh|pd}d}|rd|}d|}g}t|}|||D]}|dd||fq>d|}|S)N z%s: z %s!vault |z%s%s  )r r9 splitlinesrq) b_ciphertextindentnameZblock_format_var_nameZblock_format_headerlinesZvault_ciphertextlineZyaml_ciphertextrrrformat_ciphertext_yaml s   zVaultCLI.format_ciphertext_yamlcCs~d}g}ddtjdD}tjdrd}d}td}|dkrD|}tjd  }|rZd }nd }tj||d }|dkr|td t|}|||j|f|jrt j rtjdddt j } | dkrtdt j r| dstdt| }tjd}|||j|ftjddrtttjd|} t|t| krrtjdddtjdtjdddd|t| dD]} | d| fqndd|D} | D]:} | \}} | dkrtdt| }|||j|fq|j||jd}g}|D]>}|dd}|dd}|r.t j||t|q|jd|tjdp\d t j rztjd!dddS)"z= encrypt the supplied string using the provided vault secret NcSsg|]}|dkr|qS)r[rrgrrrrj(rkz3VaultCLI.execute_encrypt_string..rr5zString to encrypt: z#Variable name (enter for no name): r|r7zString to encrypt (hidden): zString to encrypt:)Zprivatez@The plaintext provided from the prompt was empty, not encryptingzpReading plaintext input from stdin. (ctrl-d to end input, twice if your content does not already have a newline)Trtzstdin was empty, not encryptingr~r:r8Fz=The number of --name options do not match the number of args.zCThe last named variable will be "%s". The rest will not have names.cSsg|] }d|fqSNrrgrrrrjkrkzKThe plaintext provided from the command line args was empty, not encryptingrXerrout r$r[rv)rror^promptr r r9 FROM_PROMPTrrBrxrwrreadendswith FROM_STDINgetrnzipra FROM_ARGS_format_output_vault_stringsrruwriterrZ write_datarq)r b_plaintextb_plaintext_listrmsgrZname_prompt_responseZ hide_inputZprompt_responseZ stdin_textZname_and_text_listZ extra_argZ name_and_text plaintextZoutputsZb_outsrWrrrrrrSsx              zVaultCLI.execute_encrypt_stringcCsd}t|dkrd}g}t|D]t\}}|\}}} |jj||j|d} |j| | d} d} |r|d} | rxd| | |f} n d| |f} || | dq |S) NFrZTr)rzD# The encrypted version of variable ("%s", the string #%d from %s). z4# The encrypted version of the string #%d from %s.) )rr)ra enumeraterrZ encrypt_bytesrrr9)rrrXZshow_delimiterrWindexZb_plaintext_inforsrcrrZ yaml_texterr_msgZ human_indexrrrrs    z%VaultCLI._format_output_vault_stringscCsjtjds"tjr"tjdddtjdp0dgD]}|jj|tjddq2tjrftjdddd S) z; decrypt the supplied file using the provided vault secret rz#Reading ciphertext input from stdinTrtr[r$)r$zDecryption successfulN) rrorBrrwr^rrZ decrypt_filerxryrrrrOs  zVaultCLI.execute_decryptcCs>ttjddkrtd|jjtjdd|j|jddS)zf create and open a file in an editor that will be encrypted with the provided vault secret when closedrrZz8ansible-vault create can take only one filename argumentrrN)rarror rrZ create_filerr)rrrrrNs zVaultCLI.execute_createcCs tjdD]}|j|q dS)za open and decrypt an existing vaulted file in an editor, that will be encrypted again when closedrN)rrorrZ edit_fileryrrrrPszVaultCLI.execute_editcCs.tjdD]}|j|}|t|q dS)z_ open, decrypt and view an existing vaulted file using a pager using the supplied vault secret rN)rrorrrZpagerr )rrzrrrrrQs zVaultCLI.execute_viewcCs6tjdD]}|j||j|jq tjddddS)zN re-encrypt a vaulted file with a new secret, the previous secret is required rzRekey successfulTrtN)rrorrZ rekey_filerrr^ryrrrrTs  zVaultCLI.execute_rekey)NN)N)__name__ __module__ __qualname____doc__rrrrrr>r\rlrR staticmethodrrSrrOrNrPrQrT __classcell__rrrrrs&  D  h k !   rcCst|dSr)rZ cli_executor)rrrrmainsr__main__)N)"Z __future__rrrr'Z __metaclass__Z ansible.clirr?rBZansiblerrprZansible.cli.argumentsrrDZansible.errorsr Zansible.module_utils._textr r Zansible.parsing.dataloaderr Zansible.parsing.vaultr rrZansible.utils.displayrr^rrrrrrrs(       B