VhNZddlmZddlmZddlZddlZddlmZddlm Z ddl m Z ddl mZddlmZmZdd lmZdd lmZmZmZdd lmZeZGd d eZddZedk(reyy)) annotations)CLIN) constants)context)option_helpers)AnsibleOptionsError)to_textto_bytes) DataLoader) VaultEditorVaultLibmatch_encrypt_secret)DisplayceZdZdZdZdZdZdZfdZfdZ fdZ fd Z d Z e dd Zd Zdd ZdZdZdZdZdZxZS)VaultCLIa9 can encrypt any structured data file used by Ansible. This can include *group_vars/* or *host_vars/* inventory variables, variables loaded by *include_vars* or *vars_files*, or variable files passed on the ansible-playbook command line with *-e @file.yml* or *-e @file.json*. Role variables and defaults are also included! Because Ansible tasks, handlers, and other objects are data, these can also be encrypted with vault. If you'd like to not expose what variables you are using, you can keep an individual task file entirely encrypted. z ansible-vaultstdinzthe command line argszthe interactive promptcd|_d|_d|_d|_d|_d|_d|_tt|'|y)NF) b_vault_passb_new_vault_passencrypt_string_read_stdinencrypt_secretencrypt_vault_idnew_encrypt_secretnew_encrypt_vault_idsuperr__init__)selfargs __class__s A/home/dcms/DCMS/lib/python3.12/site-packages/ansible/cli/vault.pyrzVaultCLI.__init__,sJ  $).&" $"&$(! h&t,ctt| ddtjj t jdztjd}tj|tj||jjd}d |_tjd}|jd dd d tj tjd}|jdgddt"d|j%dd||g}|j'|j(|jdddd|jddddd |j%d!d"||g}|j'|j*|jdddd|j%d#d$||g}|j'|j,|jdddd|j%d%d&|g}|j'|j.|jdddd|j%d'd(|||g} | j'|j0| jdddd|j%d)d*|||g} | j'|j2| jdd+d,d| jd-d.d/dd01| jd2d3ddd45| jd6d7d8d9d:1| jd;d|j%d?d@||g} | j'|j4| j7} | jdAddBdCtj | jdDddEt"dFG| jddddy)HNz4encryption/decryption utility for Ansible data fileszH See '%s --help' for more information on a specific command. r)descepilogF)add_helpaction)destTz--output output_filez9output file name for encrypt or decrypt; use - for stdout)defaultr'helptypez--encrypt-vault-idrstorezMthe vault id used to encrypt (required if more than one vault-id is provided))r)r'r&r+r*createzCreate new vault encrypted file)r*parents)funcrFilename file_name*)r*metavarnargsz--skip-tty-checkz/allows editor to be opened when no tty attachedskip_tty_check store_true)r)r*r'r&decryptzDecrypt vault encrypted fileeditzEdit vault encrypted fileviewzView vault encrypted fileencryptzEncrypt YAML fileencrypt_stringzEncrypt a stringzString to encryptstring_to_encryptz-pz--promptencrypt_string_promptz Prompt for the string to encrypt)r'r&r*z --show-inputshow_string_inputz9Do not hide input when prompted for the string to encrypt)r'r)r&r*z-nz--nameencrypt_string_namesappendzSpecify the variable namez --stdin-nameencrypt_string_stdin_namez#Specify the variable name for stdin)r'r)r*rekeyzRe-key a vault encrypted filez--new-vault-password-filenew_vault_password_filez!new vault password file for rekeyz--new-vault-id new_vault_idz'the new vault identity to use for rekey)r)r'r+r*)rr init_parserospathbasenamesysargvopt_helpArgumentParseradd_vault_optionsadd_verbosity_optionsparseradd_subparsersrequired add_argument unfrack_pathstr add_parser set_defaultsexecute_createexecute_decrypt execute_edit execute_viewexecute_encryptexecute_encrypt_string execute_rekeyadd_mutually_exclusive_group)rcommon subparsersoutputvault_id create_parserdecrypt_parser edit_parser view_parserencrypt_parserenc_str_parser rekey_parserrekey_new_grouprs r rEzVaultCLI.init_parser9s3 h)G`cecjcjcscstwt|t|}~tdAA * ((%8""6*&&v.[[//X/> " ((%8J=!\!)!6!6!8  : **E:2BEW%,3#r  t#--h=^iqsyhz-{ ""(;(;"<""6 KWZ"[""#5uK|(8 # O$..y?]hnpvgw.x##)=)=#>##F[X[#\ ++F9T_gio^p+q   d&7&7 8  j+UX Y ++F9T_e^f+g   d&7&7 8  j+UX Y#..y?R]cekmu\v.w##)=)=#>##F[X[#\#../?FXcikqs{b|.}##)D)D#E##F1DNail#m##D*;R+7)K $ M ##N9LV[dp)d $ f##D(9O+3)D $ F ##N9T,0)N $ P",,W;Zekmudv,w !!t'9'9!:&CCE$$%@$Un*MT\TiTiTk % m$$%5t._b*S % U!!&z;VY!Zr!ctt| |}|jt_|j r#|j D]}d|vst d|zt|ddr#t|jdkDr t d|jdk(r\d|jvs$|js|js|jsd|_ |jr|jr t d |S) N;zK'%s' is not a valid vault id. The character ';' is not allowed in vault idsr(z;At most one input file may be used with the --output optionr;-TzEThe --prompt option is not supported if also reading input from stdin)rrpost_process_args verbositydisplay vault_idsrgetattrlenrr&rAr=r)roptionsrbrs r rozVaultCLI.post_process_argss$9'B#--   #-- H8#-.{G/GHH H 7M4 0S5F5J%&cd d >>- -gll"g&G&GPWP\P\elfCfC15.,,1O1O)*qrrr!c tt| t}t j d}t tjd}tj}||z}tjd}|dvrM|j||t tjdtjd}|s td|d vrd}|d vr%tjd xstj}d}|j||t tjdtjdd }t|dkDr0|s.tddj|Dcgc]}|d c}z|s tdt!||} | d|_| d|_|dvrtjd xstj}g} |r|} tjdr"| j'tjdg} tjdr"| j'tjd|j|| | tjdd } | s tdt!| |} | d|_| d|_|j-t/|}t1||_tjdt j |ycc}w)N?rrr&)r7r9rBr8vault_password_filesask_vault_pass)rrrxryz3A vault password is required to use Ansible's Vault)r:r;r-)r8rT)rrrxrycreate_new_passwordrmzbThe vault-ids %s are available to encrypt. Specify the vault-id to encrypt with --encrypt-vault-id,r)r)rBrDrCz=A new vault password is required to use Ansible's Vault rekeyr/)rrrunr rFumasklistrCLIARGSCDEFAULT_VAULT_IDENTITY_LISTsetup_vault_secretsrDEFAULT_VAULT_ENCRYPT_IDENTITYrtjoinrrrr@rrset_vault_secretsr r editor)rloader old_umaskrrdefault_vault_idsr& vault_secretsrxr new_vault_idsnew_vault_password_filesnew_vault_secretsrvaultrs r r|z VaultCLI.runs h!#HHUO 56 99% 1 * 9 9 44VyJNw_uOvJwDKOOTdDe5gM!)*_`` < <# X%#*??3E#F#j!JjJj  M((3<>B7??SiCj>k8?HX8Y=A )C =!A%.>)+O*-((-3PQAaD3P*Q+RSS!)*_``1-CSUN %31$5D !"0"3D  Y &/ABfaFfFf  M 1 ~.$$W__^%DE') $89(//@Y0Z[((3@>V8?HX8Y=A )C %)*ijj"66GGW"Y );1(=D %&8&;D #  /'!%( ! s4Qs K/ctjds5tjj rt j ddtjdxsdgD]F}|j j||j|jtjdHtjj rt j ddy y ) z; encrypt the supplied file using the provided vault secret rz"Reading plaintext input from stdinTstderrrnr()rbr(Encryption successfulN) rrrIrisattyrqr encrypt_filerrstdoutrfs r r[zVaultCLI.execute_encryptsv&399+;+;+= OO@O N(1SE QA KK $ $Q(;(;.2.C.C181O % Q Q ::    OO3DO A r!c|xsd}d}|rd|z}d|z}g}t|}|j||jD]}|jd|z|dj|}|S)N z%s: z %s!vault |  )r r@ splitlinesr) b_ciphertextindentnameblock_format_var_nameblock_format_headerlinesvault_ciphertextlineyaml_ciphertexts r format_ciphertext_yamlzVaultCLI.format_ciphertext_yamls2 " $*TM !*-BB"<0 ()$//1 8D LL3<6 7 8))E*r!cd}g}tjdDcgc] }|dk7s | }}tjdrd}d}tjd}|dk7r|}tjd }|rd }nd }tj|| } | dk(r t d t | }|j ||j|f|jrtjjrtjd dtjj} | dk(r t dtjjr&| jdstjdt | }tjd}|j ||j|ftjj!ddrt#t%tjd|} t'|t'| kDrEtjddtjdtjddzd|t'| dD]} | j d| fn|Dcgc]}d|f} }| D]@} | \}}|dk(r t dt |}|j ||j(|fB|j+||j,}g}|D]a}|j!dd}|j!dd}|rtj.j1||j t |c|j d|j2j5dj7|tjdxsdtjjrtjddyycc}wcc}w) z= encrypt the supplied string using the provided vault secret Nrrnr=zString to encrypt: z#Variable name (enter for no name): rr>zString to encrypt (hidden): zString to encrypt:)privatez@The plaintext provided from the prompt was empty, not encryptingzpReading plaintext input from stdin. (ctrl-d to end input, twice if your content does not already have a newline)Trzstdin was empty, not encryptingrrAr?Fz=The number of --name options do not match the number of args.zCThe last named variable will be "%s". The rest will not have names.zKThe plaintext provided from the command line args was empty, not encryptingrberroutr! r(r)rrrqpromptrr r@ FROM_PROMPTrrIrrrreadendswith FROM_STDINgetr~ziprt FROM_ARGS_format_output_vault_stringsrrwriter write_datar)r b_plaintextb_plaintext_listrrmsgrname_prompt_response hide_inputprompt_response stdin_textname_and_text_list extra_arg name_and_text plaintextoutputsb_outsrarrs r r\zVaultCLI.execute_encrypt_string!s #??62?aa3h?? ??2 3'CD#*>>2W#X $r)+%__-@AAJ4*%nnS*nEO"$)*lmm"?3K  # #[$2B2BD$I J  ) )zz  "!S\`a)JR)*KLLzz  ":+>+>t+D%":.K??#>?D  # #[$//4$H I ??  5u =!%c'//:P*QSW&X!Y 4y3122 _'+ -!*,3OO #E#%5 "Kd;;44[$BUBU`h4iL33Lt3LIG#ai eimoz|iAAGUYdfiXjjG MM)G< =! >$ r!ctjds5tjj rt j ddtjdxsdgD]0}|j j|tjd2tjj rt j ddy y ) z; decrypt the supplied file using the provided vault secret rz#Reading ciphertext input from stdinTrrnr()r(zDecryption successfulN) rrrIrrrqr decrypt_filerrs r rXzVaultCLI.execute_decryptsv&399+;+;+= OOA$O O(1SE TA KK $ $QGOOM4R $ S T ::    OO3DO A r!c\ttjddk7r tdtj j stjdrG|jjtjdd|j|jytd) zf create and open a file in an editor that will be encrypted with the provided vault secret when closedrrmz8ansible-vault create can take only one filename argumentr5rrz"not a tty, editor cannot be openedN) rtrrrrIrrr create_filerr)rs r rWzVaultCLI.execute_creates wv& '1 ,%&`a a ::   '//2B"C KK # #GOOF$;A$>@S@S-1-B-B $ D&&JK Kr!cjtjdD]}|jj|y)za open and decrypt an existing vaulted file in an editor, that will be encrypted again when closedrN)rrr edit_filers r rYzVaultCLI.execute_edits,( %A KK ! !! $ %r!ctjdD]7}|jj|}|j t |9y)z_ open, decrypt and view an existing vaulted file using a pager using the supplied vault secret rN)rrrrpagerr )rrrs r rZzVaultCLI.execute_viewsC( +A  --a0I JJwy) * +r!ctjdD]3}|jj||j|j 5t j ddy)zN re-encrypt a vaulted file with a new secret, the previous secret is required rzRekey successfulTrN)rrr rekey_filerrrqrs r r]zVaultCLI.execute_rekeysR( >A KK " "1d&=&=#'#<#< > > *48r!)NNN)__name__ __module__ __qualname____doc__rrrrrrEror|r[ staticmethodrr\rrXrWrYrZr] __classcell__)rs@r rrsz DJ'I*K -D[L0fP B$lB`B B L% +9r!rc.tj|yr)r cli_executor)rs r mainrs $r!__main__r) __future__r ansible.clirrFrIansiblerrransible.cli.argumentsrrKansible.errorsr+ansible.module_utils.common.text.convertersr r ansible.parsing.dataloaderr ansible.parsing.vaultr r ransible.utils.displayrrqrrrr!r rs_# "<.I1MM) )G9sG9T  zFr!