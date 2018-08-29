Skip to content

/ ansible

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JSON option for ansible-vault encrypt_string #44829

Open
AlanCoding opened this issue Aug 29, 2018 · 7 comments
Open

JSON option for ansible-vault encrypt_string #44829

AlanCoding opened this issue Aug 29, 2018 · 7 comments
Labels
affects_2.7 feature support:core

Comments

@AlanCoding
Copy link
Member

@AlanCoding AlanCoding commented Aug 29, 2018

SUMMARY

An additional step is necessary to produce encrypted variables in either JSON or universally-readable YAML. This could be eliminated with a --json option to ansible-vault encrypt_string CLI.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

ansible-vault encrypt_string

ANSIBLE VERSION
ansible --version
ansible 2.7.0.dev0
  config file = None
  configured module search path = [u'/Users/alancoding/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/alancoding/.virtualenvs/ansible/lib/python2.7/site-packages/ansible-2.7.0.dev0-py2.7.egg/ansible
  executable location = /Users/alancoding/.virtualenvs/ansible/bin/ansible
  python version = 2.7.11 (default, Oct 17 2016, 14:59:40) [GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
CONFIGURATION

Defaults

OS / ENVIRONMENT

Mac OS, local actions

STEPS TO REPRODUCE

The objective is to produce hostvars with encrypted variables. This can be done today, but if it is to go through a 3rd party system, manual manipulation is needed.

For more details on this manual manipulation, see steps in:

ansible/awx#223 (comment)

ansible-vault encrypt_string "my secr3tz" --name=secret_var_name --vault-id=alan@prompt
EXPECTED RESULTS
ansible-vault encrypt_string "my secr3tz" --name=secret_var_name --vault-id=alan@prompt --json

should yield

{
  "secret_var_name": {
    "__ansible_vault": "$ANSIBLE_VAULT;1.2;AES256;alan 323965633264316231383135633438316530646437363634633438303535623237323566376661613735653531383637353264663462303566656534616539320a356566373335326535633266336438656533376431613666363838373163663433393436646664323666333166343336356439363263653037636631323033640a3436343435666634333934366666376563383632666665386336333266386665"
  }
}
ACTUAL RESULTS

This is a feature request, there is no --json option.

Note: ansible-inventory gives JSON by default and accepts a --yaml flag. This would still be a little bit of a pattern break, but the intent here is to satisfy users who will run the ansible-vault command manually, so as long as the option is there that will be fine.
@ansibot
Copy link
Contributor

@ansibot ansibot commented Aug 29, 2018

Files identified in the description:
None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help
@AlanCoding
Copy link
Member Author

@AlanCoding AlanCoding commented Aug 29, 2018

!component c:cli/vault
@jborean93 jborean93 removed the needs_triage label Aug 30, 2018
@jhg03a
Copy link

@jhg03a jhg03a commented Aug 22, 2019

In case someone else stumbles across this, the above JSON output doesn't work in Ansible 2.8. It doesn't include the newline characters which are required. https://gist.github.com/sivel/6991a5abcfc41bb2872d5898213575eb. Generally JSON vault support needs better documentation.
@sivel
Copy link
Member

@sivel sivel commented Aug 22, 2019

This hasn't been fully thought out, and I'm sure there is need for improvement, but this change would allow this behavior:

diff --git a/lib/ansible/cli/vault.py b/lib/ansible/cli/vault.py
index 1b4b69db90..0e37e86ba9 100644
--- a/lib/ansible/cli/vault.py
+++ b/lib/ansible/cli/vault.py
@@ -5,6 +5,7 @@
 from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type
 
+import json
 import os
 import sys
 
@@ -14,6 +15,7 @@ from ansible.cli import CLI
 from ansible.cli.arguments import option_helpers as opt_help
 from ansible.errors import AnsibleOptionsError
 from ansible.module_utils._text import to_text, to_bytes
+from ansible.parsing.ajson import AnsibleJSONEncoder
 from ansible.parsing.dataloader import DataLoader
 from ansible.parsing.vault import VaultEditor, VaultLib, match_encrypt_secret
 from ansible.utils.display import Display
@@ -105,6 +107,8 @@ class VaultCLI(CLI):
         enc_str_parser.add_argument('--stdin-name', dest='encrypt_string_stdin_name',
                                     default=None,
                                     help="Specify the variable name for stdin")
+        enc_str_parser.add_argument('--json', dest='json', action='store_true',
+                                    help="Output in JSON format instead of the default YAML")
 
         rekey_parser = subparsers.add_parser('rekey', help='Re-key a vault encrypted file', parents=[common, vault_id])
         rekey_parser.set_defaults(func=self.execute_rekey)
@@ -358,7 +362,7 @@ class VaultCLI(CLI):
 
         # TODO: specify vault_id per string?
         # Format the encrypted strings and any corresponding stderr output
-        outputs = self._format_output_vault_strings(b_plaintext_list, vault_id=self.encrypt_vault_id)
+        outputs = self._format_output_vault_strings(b_plaintext_list, vault_id=self.encrypt_vault_id, _json=context.CLIARGS['json'])
 
         for output in outputs:
             err = output.get('err', None)
@@ -372,7 +376,7 @@ class VaultCLI(CLI):
 
         # TODO: offer block or string ala eyaml
 
-    def _format_output_vault_strings(self, b_plaintext_list, vault_id=None):
+    def _format_output_vault_strings(self, b_plaintext_list, vault_id=None, _json=True):
         # If we are only showing one item in the output, we don't need to included commented
         # delimiters in the text
         show_delimiter = False
@@ -393,7 +397,20 @@ class VaultCLI(CLI):
                                                      vault_id=vault_id)
 
             # block formatting
-            yaml_text = self.format_ciphertext_yaml(b_ciphertext, name=name)
+            if _json:
+                out = json.dumps(
+                    {
+                        name: {
+                            '__ansible_vault': (
+                                to_text(b_ciphertext, errors='surrogate_or_strict')
+                            )
+                        }
+                    },
+                    indent=4,
+                    cls=AnsibleJSONEncoder
+                )
+            else:
+                out = self.format_ciphertext_yaml(b_ciphertext, name=name)
 
             err_msg = None
             if show_delimiter:
@@ -402,7 +419,7 @@ class VaultCLI(CLI):
                     err_msg = '# The encrypted version of variable ("%s", the string #%d from %s).\n' % (name, human_index, src)
                 else:
                     err_msg = '# The encrypted version of the string #%d from %s.)\n' % (human_index, src)
-            output.append({'out': yaml_text, 'err': err_msg})
+            output.append({'out': out, 'err': err_msg})
 
         return output
@jhg03a
Copy link

@jhg03a jhg03a commented Aug 23, 2019

I don't think it's just making ansible-vault be able to output it (still a nice thing though); it's also a general documentation update too that this is a supported thing and not just a strange accident.
@AlanCoding
Copy link
Member Author

@AlanCoding AlanCoding commented Aug 23, 2019

I wouldn't call the implementation in

#44829 (comment)

a strange accident. Since it's only outputting a single value, this is a perfectly good way to do it. This means of representing Ansible internal types in JSON has been rolled out in several other places, and has been relatively effective in the use cases it supports.
@jhg03a
Copy link

@jhg03a jhg03a commented Aug 27, 2019

I wouldn't say the implementation is an accident, but rather that json support for ansible-vault encrypted strings in general is something that should be generally supported since it's not present in the variables documentation.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
affects_2.7 feature support:core
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
@sivel @AlanCoding @jhg03a @ansibot @jborean93
You can’t perform that action at this time.