From cc9d4c582d7816545ab8f03e60f5d620dc835ded Mon Sep 17 00:00:00 2001
From: ndwarshuis
Date: Thu, 10 Jun 2021 22:57:15 -0400
Subject: [PATCH] ADD ansible vault pass client script
---
dot_bin/ansible-vault-pass-client | 89 +++++++++++++++++++++++++++++++
1 file changed, 89 insertions(+)
create mode 100644 dot_bin/ansible-vault-pass-client
diff --git a/dot_bin/ansible-vault-pass-client b/dot_bin/ansible-vault-pass-client
new file mode 100644
index 0000000..649c144
--- /dev/null
+++ b/dot_bin/ansible-vault-pass-client
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+# -*- coding: utf8 -*-
+
+"""
+A script that allows to keep Ansible Vault passwords in a gpg encrypted files
+managed by pass (https://www.passwordstore.org) or compatible password managers
+like gopass (https://www.gopass.pw).
+"""
+
+from argparse import ArgumentParser as AP
+from configparser import ConfigParser, NoOptionError, NoSectionError
+from os import environ, getcwd, path
+from subprocess import PIPE, Popen
+from sys import exit, stderr, stdout
+
+# Password manager to use (pass or gopass)
+pass_command = 'pass'
+
+# Get Ansible config file
+try:
+ import ansible.constants as C
+ ansible_config_file = C.CONFIG_FILE
+except ImportError:
+ try:
+ ansible_config_file = environ['ANSIBLE_CONFIG']
+ except KeyError:
+ cfg = getcwd() + '/' + 'ansible.cfg'
+ if path.isfile(cfg):
+ ansible_config_file = cfg
+ else:
+ ansible_config_file = path.expanduser('~/.ansible.cfg')
+
+
+def get_vault_id():
+ # Get passwordstore name from '--vault-id' CLI option
+ parser = AP(description='Get a vault password from passwordstore',
+ epilog='Please read the README.md file for more info.',
+ allow_abbrev=False)
+
+ parser.add_argument('--vault-id', action='store', default='default',
+ dest='vault_id',
+ help='passwordstore containing the vault password')
+
+ vault_id = parser.parse_args().vault_id.strip()
+
+ return vault_id
+
+
+def get_config_passwordstore():
+ # Get passwordstore name from Ansible config file
+ if ansible_config_file:
+ try:
+ # Raad Ansible config
+ config = ConfigParser()
+ config.read(ansible_config_file)
+ # Get passwordstore name from Ansible config
+ passwordstore = config.get('vault', 'passwordstore',
+ fallback='').strip()
+ except NoOptionError:
+ pass
+ except NoSectionError:
+ pass
+ else:
+ pass
+ return passwordstore
+
+
+def main():
+ vault_id = get_vault_id()
+ if (vault_id != 'default' and vault_id != ""):
+ passwordstore = vault_id
+ else:
+ passwordstore = get_config_passwordstore()
+
+ if passwordstore:
+ # Get vault password from passwordstore
+ proc = Popen([pass_command, passwordstore], stdout=PIPE, stderr=PIPE)
+ output = proc.communicate()[0].decode('utf-8').strip().split("\n")[0]
+ stdout.write(output)
+ exit(0)
+ else:
+ stderr.write("Couldn't get passwordstore settings from Ansible config "
+ "file or --vault-id option!\nPlease read the README.md "
+ "file for more info about script settings.\n")
+ exit(1)
+
+
+if __name__ == '__main__':
+ main()
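Review bot: In `main`, the `Popen`/`communicate` lines drop both the exit status and the captured stderr of the password manager, so a missing entry or a failed gpg decryption still ends in `stdout.write(output)` with an empty string followed by `exit(0)`. The caller then gets a successful exit with an empty secret, and the operator never sees why the lookup failed. The script should check `proc.returncode`, forward the captured stderr, and exit non-zero when the command fails or the first output line is empty. Error messages must carry only the password manager's diagnostics, never the decrypted output.

```python
        # … unchanged: passwordstore selection and `if passwordstore:` …
        proc = Popen([pass_command, passwordstore], stdout=PIPE, stderr=PIPE)
        out, err = proc.communicate()
        if proc.returncode != 0:
            # Forward the password manager's diagnostics; the secret is never echoed.
            stderr.write(err.decode('utf-8', errors='replace'))
            exit(1)
        output = out.decode('utf-8').strip().split("\n")[0]
        if not output:
            stderr.write("Password manager returned an empty password!\n")
            exit(1)
        stdout.write(output)
        # … unchanged: exit(0) and the else branch reporting missing settings …
```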