관리-도구

편집 파일: vault.cpython-39.pyc

�����)g�W����������������������@���s����d�dl�mZmZmZ�eZd�dlmZ�d�dlZd�dl	Z	d�dl
mZ�d�dl
m
Z
�d�dlmZ�d�dlmZ�d�dlmZmZ�d�d	lmZ�d�d
lmZmZmZ�d�dlmZ�e��ZG�dd
��d
e�Zddd�Z e!dkr�e ���dS�)�����)�absolute_import�division�print_function)�CLIN)�	constants)�context)�option_helpers)�AnsibleOptionsError)�to_text�to_bytes)�
DataLoader)�VaultEditor�VaultLib�match_encrypt_secret)�Displayc�����������������������s����e�Zd�ZdZdZdZdZdZ��fdd�Z��fdd	�Z	��fd
d�Z
��fdd
�Zdd��Ze
d!dd��Zdd��Zd"dd�Zdd��Zdd��Zdd��Zdd��Zdd ��Z���ZS�)#�VaultCLIa9�� can encrypt any structured data file used by Ansible.
    This can include *group_vars/* or *host_vars/* inventory variables,
    variables loaded by *include_vars* or *vars_files*, or variable files
    passed on the ansible-playbook command line with *-e @file.yml* or *-e @file.json*.
    Role variables and defaults are also included!

Because Ansible tasks, handlers, and other objects are data, these can also be encrypted with vault.
    If you'd like to not expose what variables you are using, you can keep an individual task file entirely encrypted.
    z
ansible-vault�stdinzthe command line argszthe interactive promptc��������������������s>���d�|�_�d�|�_d|�_d�|�_d�|�_d�|�_d�|�_tt|���	|��d�S�)NF)
Zb_vault_passZb_new_vault_pass�encrypt_string_read_stdin�encrypt_secret�encrypt_vault_id�new_encrypt_secret�new_encrypt_vault_id�superr����__init__)�self�args��	__class__���5/usr/lib/python3.9/site-packages/ansible/cli/vault.pyr���-���s����zVaultCLI.__init__c�����������
���������s���t�t|��jddtj�tjd���d��tj	j
dd�}t�|��t�|��|�j
jdd�}d	|_tj	j
dd�}|jd
d�ddt���d
��tj	j
dd�}|jdg�ddtdd��|jdd||gd�}|j|�jd��|jddddd��|jdd||gd�}|j|�jd��|jddddd��|jdd||gd�}|j|�jd��|jddddd��|jd d!|gd�}|j|�jd��|jddddd��|jd"d#|||gd�}	|	j|�jd��|	jddddd��|jd$d%|||gd�}
|
j|�jd��|
jdd&d'dd��|
jd(d)d*d+d,d-��|
jd.d/dd+d0d1��|
jd2d3d4d5d6d-��|
jd7d8d�d9d:��|jd;d<||gd�}|j|�jd��|���}|jd=d�d>d?t���d
��|jd@d�dAtdBdC��|jddddd��d�S�)DNz4encryption/decryption utility for Ansible data fileszH
See '%s <command> --help' for more information on a specific command.

r���)Zdesc�epilogF)�add_help�action)�destTz--output�output_filez9output file name for encrypt or decrypt; use - for stdout)�defaultr#����help�typez--encrypt-vault-idr����storezMthe vault id used to encrypt (required if more than one vault-id is provided))r%���r#���r"���r'���r&����createzCreate new vault encrypted file)r&����parents)�funcr���ZFilename�	file_name�*)r&����metavar�nargs�decryptzDecrypt vault encrypted file�editzEdit vault encrypted file�viewzView vault encrypted file�encryptzEncrypt YAML file�encrypt_stringzEncrypt a stringzString to encryptZstring_to_encryptz-pz--prompt�encrypt_string_prompt�
store_truez Prompt for the string to encrypt)r#���r"���r&���z--show-input�show_string_inputz9Do not hide input when prompted for the string to encrypt)r#���r%���r"���r&���z-nz--name�encrypt_string_names�appendzSpecify the variable namez--stdin-name�encrypt_string_stdin_namez#Specify the variable name for stdin)r#���r%���r&����rekeyzRe-key a vault encrypted filez--new-vault-password-file�new_vault_password_filez!new vault password file for rekeyz--new-vault-id�new_vault_idz'the new vault identity to use for rekey)r%���r#���r'���r&���)r���r����init_parser�os�path�basename�sys�argv�opt_help�argparse�ArgumentParserZadd_vault_optionsZadd_verbosity_options�parser�add_subparsers�required�add_argumentZunfrack_path�str�
add_parser�set_defaults�execute_create�execute_decrypt�execute_edit�execute_view�execute_encrypt�execute_encrypt_string�
execute_rekey�add_mutually_exclusive_group)
r����commonZ
subparsers�output�vault_idZ
create_parserZdecrypt_parserZedit_parserZview_parserZencrypt_parserZenc_str_parserZrekey_parserZrekey_new_groupr���r���r���r>���:���s|����
�

�
�
��
��
��zVaultCLI.init_parserc��������������������s����t�t|���|�}|jt_|jr>|jD�]}d|v�r$td|���q$t|dd��r`t|j	�dkr`td��|j
dkr�d|j	v�s�|j	r�|jr�d|�_|j
r�|�jr�td	��|S�)
N�;zK'%s' is not a valid vault id. The character ';' is not allowed in vault idsr$�������z;At most one input file may be used with the --output optionr4����-TzEThe --prompt option is not supported if also reading input from stdin)r���r����post_process_args�	verbosity�display�	vault_idsr	����getattr�lenr���r"���r:���r���r5���)r����optionsrX���r���r���r���r\���~���s����

zVaultCLI.post_process_argsc��������������������s��t�t|������t��}t�d�}ttjd��}t	j
}||�}tjd�}|dv�rz|�j||ttjd��tjd�d�}|sztd��|d	v��r"d�}|d
vr�tjd�p�t	j
}d�}|�j||ttjd��tjd�dd
�}t|�dkr�|s�tdd�dd��|D������|�std��t||d�}|d�|�_|d�|�_|dv��r�tjd��p<t	j
}g�}	|�rL|}	tjd��rh|	�tjd���g�}
tjd��r�|
�tjd���|�j||	|
tjd�dd
�}|�s�td��t||d�}|d�|�_|d�|�_|�|��t|�}
t|
�|�_tjd����t�|��d�S�)N�?���r_���r"���)r0���r2���r;���r1����vault_password_files�ask_vault_pass)r_���rd���re���z3A vault password is required to use Ansible's Vault)r3���r4���r)���)r1���r���T)r_���rd���re���Zcreate_new_passwordrZ���zbThe vault-ids %s are available to encrypt. Specify the vault-id to encrypt with --encrypt-vault-id�,c�����������������S���s���g�|�]}|d���qS�)r���r�����.0�xr���r���r����
<listcomp>���������z VaultCLI.run.<locals>.<listcomp>)r���r���)r;���r=���r<���z=A new vault password is required to use Ansible's Vault rekeyr+���)r���r����runr���r?����umask�listr����CLIARGS�CZDEFAULT_VAULT_IDENTITY_LISTZsetup_vault_secretsr	���ZDEFAULT_VAULT_ENCRYPT_IDENTITYra����joinr���r���r���r9���r���r���Zset_vault_secretsr���r
����editor)r����loaderZ	old_umaskr_���Zdefault_vault_idsr"���Z
vault_secretsr���r���Z
new_vault_idsZnew_vault_password_filesZnew_vault_secretsr���Zvaultr���r���r���rl�������s�����

�
����

���

zVaultCLI.runc�����������������C���sr���t�jd�s"tj���r"tjddd��t�jd�p0dgD�]"}|�jj||�j|�j	t�jd�d��q2tj
���rntjddd��d	S�)
z; encrypt the supplied file using the provided vault secret r���z"Reading plaintext input from stdinT��stderrr[���r$���)rX���r$����Encryption successfulN)r���ro���rB���r����isattyr^���rr���Zencrypt_filer���r����stdout�r����fr���r���r���rR�������s�����
zVaultCLI.execute_encryptNc�����������	������C���sh���|pd}d}|rd|�}d|�}g�}t�|��}|�|��|���D�]}|�dd|�|f���q>d�|�}|S�)N�
�����z%s: z
%s!vault |z%s%s� �
)r
���r9����
splitlinesrq���)	�b_ciphertext�indent�nameZblock_format_var_nameZblock_format_header�linesZvault_ciphertext�lineZyaml_ciphertextr���r���r����format_ciphertext_yaml��s����

zVaultCLI.format_ciphertext_yamlc�����������������C���s~��d}g�}dd��t�jd�D��}t�jd�r�d}d}t�d�}|dkrD|}t�jd	��}|rZd
}nd}tj||d�}|dkr|td
��t|�}|�||�j|f��|�j�rt	j
���r�tjddd��t	j�
��}	|	dkr�td��t	j
���r�|	�d�s�t�d��t|	�}t�jd�}|�||�j|f��t�j�dd��r�ttt�jd�|��}
t|�t|
�k�rrtjddd��tjdt�jd�d��dd��|t|
�d��D�]}|
�d|f���q�ndd��|D��}
|
D�]:}|\}}
|
dk�r�td��t|
�}|�||�j|f���q�|�j||�jd�}g�}|D�]>}|�dd�}|�dd�}|�r.t	j�|��|�t|����q�|�j�d�|�t�jd��p\d ��t	j
����rztjd!dd��dS�)"z= encrypt the supplied string using the provided vault secret Nc�����������������S���s���g�|�]}|d�kr|�qS�)r[���r���rg���r���r���r���rj���(��rk���z3VaultCLI.execute_encrypt_string.<locals>.<listcomp>r���r5���zString to encrypt: z#Variable name (enter for no name): r|���r7���zString to encrypt (hidden): zString to encrypt:)Zprivatez@The plaintext provided from the prompt was empty, not encryptingzpReading plaintext input from stdin. (ctrl-d to end input, twice if your content does not already have a newline)Trt���zstdin was empty, not encryptingr~���r:���r8���Fz=The number of --name options do not match the number of args.zCThe last named variable will be "%s". The rest will not have names.���c�����������������S���s���g�|�]}d�|f�qS��Nr���rg���r���r���r���rj���k��rk���zKThe plaintext provided from the command line args was empty, not encrypting�rX����err�out����
r$���r[���rv���)r���ro���r^����promptr	���r���r9����FROM_PROMPTr���rB���rx���rw���r����read�endswith�
FROM_STDIN�getrn����zipra����	FROM_ARGS�_format_output_vault_stringsr���ru����writerr���Z
write_datarq���)r����b_plaintext�b_plaintext_listr����msgr����Zname_prompt_responseZ
hide_inputZprompt_responseZ
stdin_textZname_and_text_listZ	extra_argZ
name_and_text�	plaintextZoutputsZb_outsrW���r����r����r���r���r���rS�����sx����

���
 zVaultCLI.execute_encrypt_stringc�����������������C���s����d}t�|�dkrd}g�}t|�D�]t\}}|\}}}	|�jj||�j|d�}
|�j|
|	d�}d�}|r�|d�}
|	rxd|	|
|f�}nd|
|f�}|�||d���q |S�)	NFrZ���Tr����)r����zD# The encrypted version of variable ("%s", the string #%d from %s).
z4# The encrypted version of the string #%d from %s.)
)r����r����)ra����	enumeraterr���Z
encrypt_bytesr���r����r9���)r���r����rX���Zshow_delimiterrW����indexZb_plaintext_infor�����srcr����r����Z	yaml_text�err_msgZhuman_indexr���r���r���r�������s ����
z%VaultCLI._format_output_vault_stringsc�����������������C���sj���t�jd�s"tj���r"tjddd��t�jd�p0dgD�]}|�jj|t�jd�d��q2tj���rftjddd��d	S�)
z; decrypt the supplied file using the provided vault secret r���z#Reading ciphertext input from stdinTrt���r[���r$���)r$���zDecryption successfulN)	r���ro���rB���r���rw���r^���rr���Zdecrypt_filerx���ry���r���r���r���rO������s����
zVaultCLI.execute_decryptc�����������������C���s>���t�tjd��dkrtd��|�jjtjd�d�|�j|�jd��dS�)zf create and open a file in an editor that will be encrypted with the provided vault secret when closedr���rZ���z8ansible-vault create can take only one filename argumentr���r����N)ra���r���ro���r	���rr���Zcreate_filer���r���)r���r���r���r���rN������s
�����zVaultCLI.execute_createc�����������������C���s ���t�jd�D�]}|�j�|��q
dS�)za open and decrypt an existing vaulted file in an editor, that will be encrypted again when closedr���N)r���ro���rr���Z	edit_filery���r���r���r���rP������s����zVaultCLI.execute_editc�����������������C���s.���t�jd�D�]}|�j�|�}|��t|���q
dS�)z_ open, decrypt and view an existing vaulted file using a pager using the supplied vault secret r���N)r���ro���rr���r����Zpagerr
���)r���rz���r����r���r���r���rQ������s����zVaultCLI.execute_viewc�����������������C���s6���t�jd�D�]}|�j�||�j|�j��q
tjddd��dS�)zN re-encrypt a vaulted file with a new secret, the previous secret is required r���zRekey successfulTrt���N)r���ro���rr���Z
rekey_filer���r���r^���ry���r���r���r���rT������s
�����zVaultCLI.execute_rekey)NN)N)�__name__�
__module__�__qualname__�__doc__r����r����r����r����r���r>���r\���rl���rR����staticmethodr����rS���r����rO���rN���rP���rQ���rT����
__classcell__r���r���r���r���r������s&���

Dhk
!	r���c�����������������C���s���t��|���d�S�r����)r���Zcli_executor)r���r���r���r����main���s����r�����__main__)N)"Z
__future__r���r���r���r'���Z
__metaclass__Zansible.clir���r?���rB���Zansibler���rp���r���Zansible.cli.argumentsr���rD���Zansible.errorsr	���Zansible.module_utils._textr
���r���Zansible.parsing.dataloaderr���Zansible.parsing.vaultr
���r���r���Zansible.utils.displayr���r^���r���r����r����r���r���r���r����<module>���s(������B