Read become password from pass

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2021-04-08 10:48:05 +02:00 · 2021-04-08 10:48:05 +02:00 · 7f39ea724a
commit 7f39ea724a
parent 475fe06fb7
6 changed files with 117 additions and 1 deletions
--- a/ansible.cfg
+++ b/ansible.cfg
@ -1,13 +1,15 @@
 [defaults]
 # Explicitely redefined some defaults to make play execution work
 roles_path = ./roles
 vars_plugins = ./vars_plugins
 inventory = ./hosts
 timeout = 60
 [privilege_escalation]
 become = True
-become_ask_pass = True
+# Use a separate module to read passwords from pass
 become_ask_pass = False
 [ssh_connection]
 pipelining = True
--- a/vars_plugins/pycache/pass.cpython-39.pyc
+++ b/vars_plugins/pycache/pass.cpython-39.pyc
--- a/vars_plugins/pycache/vault_cranspasswords.cpython-39.pyc
+++ b/vars_plugins/pycache/vault_cranspasswords.cpython-39.pyc
--- a/vars_plugins/pass.ini
+++ b/vars_plugins/pass.ini
@ -0,0 +1,6 @@
 [pass]
 # password_store_dir=/home/ynerant/.password-store
 # crans_password_store_submodule=crans
 [pass_become]
 all=templier
--- a/vars_plugins/pass.ini.example
+++ b/vars_plugins/pass.ini.example
@ -0,0 +1,6 @@
 [pass]
 # password_store_dir=/home/me/.password-store
 # crans_password_store_submodule=crans
 [pass_become]
 # all=mdp-root
--- a/vars_plugins/pass.py
+++ b/vars_plugins/pass.py
@ -0,0 +1,102 @@
 #!/usr/bin/env python
 from functools import lru_cache
 from getpass import getpass
 import os
 from pathlib import Path
 import subprocess
 import sys
 from ansible.module_utils.six.moves import configparser
 from ansible.plugins.vars import BaseVarsPlugin
 DOCUMENTATION = """
    module: pass
    vars: vault
    version_added: 2.9
    short_description: Load vault passwords from pass
    description:
        - Works exactly as a vault, loading variables from pass.
        - Decrypts the YAML file `ansible_vault` from cranspasswords.
        - Loads the secret variables.
        - Makes use of data caching in order to avoid calling cranspasswords multiple times.
        - Uses the local gpg key from the user running ansible on the Control node.
 """
 class VarsModule(BaseVarsPlugin):
    @staticmethod
    @lru_cache
    def decrypt_password(name, crans_submodule=False):
        """
        Passwords are decrypted from the local password store, then are cached.
        By that way, we don't decrypt these passwords everytime.
        """
        # Load config
        config = configparser.ConfigParser()
        config.read(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'pass.ini'))
        password_store = Path(config.get('pass', 'password_store_dir',
            fallback=os.getenv('PASSWORD_STORE_DIR', Path.home() / '.password-store')))
        if crans_submodule:
            password_store /= config.get('pass', 'crans_password_store_submodule',
                    fallback=os.getenv('CRANS_PASSWORD_STORE_SUBMODULE', 'crans'))
        full_command = ['gpg', '-d', password_store / f'{name}.gpg']
        proc = subprocess.run(full_command, capture_output=True, close_fds=True)
        clear_text = proc.stdout.decode('UTF-8')
        sys.stderr.write(proc.stderr.decode('UTF-8'))
        return clear_text
    @staticmethod
    @lru_cache
    def become_password(entity):
        """
        Query the become password that should be used for the given entity.
        If entity is the whole group that has no default password,
        the become password will be prompted.
        The configuration should be given in pass.ini, in the `pass_become`
        group. You have only to write `group=pass-filename`.
        """
        # Load config
        config = configparser.ConfigParser()
        config.read(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'pass.ini'))
        if config.has_option('pass_become', entity.get_name()):
            return VarsModule.decrypt_password(
                    config.get('pass_become', entity.get_name())).split('\n')[0]
        if entity.get_name() == "all":
            return getpass("BECOME password: ", stream=None)
        return None
    def get_vars(self, loader, path, entities):
        """
        Get all vars for entities, called by Ansible.
        loader: Ansible's DataLoader.
        path: Current play's playbook directory.
        entities: Host or group names pertinent to the variables needed.
        """
        # VarsModule objects are called every time you need host vars, per host,
        # and per group the host is part of.
        # It is about 6 times per host per task in current state
        # of Ansible Crans configuration.
        # It is way to much.
        # So we cache the data into the DataLoader (see parsing/DataLoader).
        passwords = {}
        for entity in entities:
            # Load vault passwords
            if entity.get_name() == 'all':
                passwords['vault'] = loader.load(
                        VarsModule.decrypt_password('ansible_vault', True))
            # Load become password
            become_password = VarsModule.become_password(entity)
            if become_password is not None:
                passwords['ansible_become_password'] = become_password
        return passwords