Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add option to ansible-vault to read new password from file for rekey #11767

Merged
merged 1 commit into from
Aug 25, 2015
Merged

add option to ansible-vault to read new password from file for rekey #11767

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 9 additions & 4 deletions docs/man/man1/ansible-vault.1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,12 @@
.\" Title: ansible-vault
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 12/09/2014
.\" Date: 07/28/2015
.\" Manual: System administration commands
.\" Source: Ansible 1.9
.\" Source: Ansible 2.0.0
.\" Language: English
.\"
.TH "ANSIBLE\-VAULT" "1" "12/09/2014" "Ansible 1\&.9" "System administration commands"
.TH "ANSIBLE\-VAULT" "1" "07/28/2015" "Ansible 2\&.0\&.0" "System administration commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
Expand Down Expand Up @@ -43,7 +43,12 @@ The following options are available to all sub\-commands:
.PP
\fB\-\-vault\-password\-file=\fR\fIFILE\fR
.RS 4
A file containing the vault password to be used during the encryption/decryption steps\&. Be sure to keep this file secured if it is used\&.
A file containing the vault password to be used during the encryption/decryption steps\&. Be sure to keep this file secured if it is used\&. If the file is executable, it will be run and its standard output will be used as the password\&.
.RE
.PP
\fB\-\-new\-vault\-password\-file=\fR\fIFILE\fR
.RS 4
A file containing the new vault password to be used when rekeying a file\&. Be sure to keep this file secured if it is used\&. If the file is executable, it will be run and its standard output will be used as the password\&.
.RE
.PP
\fB\-h\fR, \fB\-\-help\fR
Expand Down
10 changes: 9 additions & 1 deletion docs/man/man1/ansible-vault.1.asciidoc.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,15 @@ The following options are available to all sub-commands:
*--vault-password-file=*'FILE'::

A file containing the vault password to be used during the encryption/decryption
steps. Be sure to keep this file secured if it is used.
steps. Be sure to keep this file secured if it is used. If the file is executable,
it will be run and its standard output will be used as the password.

*--new-vault-password-file=*'FILE'::

A file containing the new vault password to be used when rekeying a
file. Be sure to keep this file secured if it is used. If the file
is executable, it will be run and its standard output will be used as
the password.

*-h*, *--help*::

Expand Down
4 changes: 4 additions & 0 deletions lib/ansible/cli/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -258,6 +258,10 @@ def base_parser(usage="", output_opts=False, runas_opts=False, meta_opts=False,
parser.add_option('--vault-password-file', default=C.DEFAULT_VAULT_PASSWORD_FILE,
dest='vault_password_file', help="vault password file", action="callback",
callback=CLI.expand_tilde, type=str)
parser.add_option('--new-vault-password-file',
dest='new_vault_password_file', help="new vault password file for rekey", action="callback",
callback=CLI.expand_tilde, type=str)


if subset_opts:
parser.add_option('-t', '--tags', dest='tags', default='all',
Expand Down
10 changes: 9 additions & 1 deletion lib/ansible/cli/vault.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,10 @@ def run(self):
else:
self.vault_pass, _= self.ask_vault_passwords(ask_vault_pass=True, ask_new_vault_pass=False, confirm_new=False)

if self.options.new_vault_password_file:
# for rekey only
self.new_vault_pass = CLI.read_vault_password_file(self.options.new_vault_password_file)

if not self.vault_pass:
raise AnsibleOptionsError("A password is required to use Ansible's Vault")

Expand Down Expand Up @@ -125,7 +129,11 @@ def execute_rekey(self):
for f in self.args:
if not (os.path.isfile(f)):
raise AnsibleError(f + " does not exist")
__, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)

if self.new_vault_pass:
new_password = self.new_vault_pass
else:
__, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)

for f in self.args:
this_editor = VaultEditor(None, self.vault_pass, f)
Expand Down