mirror of
https://github.com/ansible-collections/community.general.git
synced 2025-04-25 03:41:25 -07:00
edcbef27ec
* Retain vault password as bytes in 2.2 Prior to 2.2.1, the vault password was read in as byes and then remained bytes all the way through the code. A bug existed where bytes and text were mixed, leading to a traceback with non-ascii passwords. In devel, this was fixed by changing the read in password to text type to match with our overall strategy of converting at the borders. This was backported to stable-2.2 for the 2.2.1 release. On reflection, this should not have been backported as it causes passwords which were originally non-utf-8 to become utf-8. People will then have their working 2.2.x vault files become in-accessible. this commit pipes bytes all the way through the system for vault password. That way if a password is read in as a non-utf-8 character sequence, it will continue to work in 2.2.2+. This change is only for the 2.2 branch, not for 2.3 and beyond. Why not everywhere? The reason is that non-utf-8 passwords will cause problems when vault files are shared between systems or users. If the password is read from the prompt and one user/machine has a latin1 encoded locale while a second one has utf-8, the non-ascii password typed in won't match between machines. Deal with this by making sure that when we encrypt the data, we always use valid utf-8. Fixes #20398 (cherry picked from commit 5dcce0666a81917c68b76286685642fd72d84327)
228 lines
9.7 KiB
Python
228 lines
9.7 KiB
Python
# (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
|
|
#
|
|
# This file is part of Ansible
|
|
#
|
|
# Ansible is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# Ansible is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
########################################################
|
|
|
|
from __future__ import (absolute_import, division, print_function)
|
|
__metaclass__ = type
|
|
|
|
import os
|
|
import stat
|
|
|
|
from ansible.cli import CLI
|
|
from ansible.errors import AnsibleError, AnsibleOptionsError
|
|
from ansible.executor.playbook_executor import PlaybookExecutor
|
|
from ansible.inventory import Inventory
|
|
from ansible.parsing.dataloader import DataLoader
|
|
from ansible.playbook.block import Block
|
|
from ansible.playbook.play_context import PlayContext
|
|
from ansible.utils.vars import load_extra_vars
|
|
from ansible.utils.vars import load_options_vars
|
|
from ansible.vars import VariableManager
|
|
|
|
try:
|
|
from __main__ import display
|
|
except ImportError:
|
|
from ansible.utils.display import Display
|
|
display = Display()
|
|
|
|
|
|
#---------------------------------------------------------------------------------------------------
|
|
|
|
class PlaybookCLI(CLI):
|
|
''' code behind ansible playbook cli'''
|
|
|
|
def parse(self):
|
|
|
|
# create parser for CLI options
|
|
parser = CLI.base_parser(
|
|
usage = "%prog playbook.yml",
|
|
connect_opts=True,
|
|
meta_opts=True,
|
|
runas_opts=True,
|
|
subset_opts=True,
|
|
check_opts=True,
|
|
inventory_opts=True,
|
|
runtask_opts=True,
|
|
vault_opts=True,
|
|
fork_opts=True,
|
|
module_opts=True,
|
|
)
|
|
|
|
# ansible playbook specific opts
|
|
parser.add_option('--list-tasks', dest='listtasks', action='store_true',
|
|
help="list all tasks that would be executed")
|
|
parser.add_option('--list-tags', dest='listtags', action='store_true',
|
|
help="list all available tags")
|
|
parser.add_option('--step', dest='step', action='store_true',
|
|
help="one-step-at-a-time: confirm each task before running")
|
|
parser.add_option('--start-at-task', dest='start_at_task',
|
|
help="start the playbook at the task matching this name")
|
|
|
|
self.parser = parser
|
|
super(PlaybookCLI, self).parse()
|
|
|
|
if len(self.args) == 0:
|
|
raise AnsibleOptionsError("You must specify a playbook file to run")
|
|
|
|
display.verbosity = self.options.verbosity
|
|
self.validate_conflicts(runas_opts=True, vault_opts=True, fork_opts=True)
|
|
|
|
def run(self):
|
|
|
|
super(PlaybookCLI, self).run()
|
|
|
|
# Note: slightly wrong, this is written so that implicit localhost
|
|
# Manage passwords
|
|
sshpass = None
|
|
becomepass = None
|
|
b_vault_pass = None
|
|
passwords = {}
|
|
|
|
# initial error check, to make sure all specified playbooks are accessible
|
|
# before we start running anything through the playbook executor
|
|
for playbook in self.args:
|
|
if not os.path.exists(playbook):
|
|
raise AnsibleError("the playbook: %s could not be found" % playbook)
|
|
if not (os.path.isfile(playbook) or stat.S_ISFIFO(os.stat(playbook).st_mode)):
|
|
raise AnsibleError("the playbook: %s does not appear to be a file" % playbook)
|
|
|
|
# don't deal with privilege escalation or passwords when we don't need to
|
|
if not self.options.listhosts and not self.options.listtasks and not self.options.listtags and not self.options.syntax:
|
|
self.normalize_become_options()
|
|
(sshpass, becomepass) = self.ask_passwords()
|
|
passwords = { 'conn_pass': sshpass, 'become_pass': becomepass }
|
|
|
|
loader = DataLoader()
|
|
|
|
if self.options.vault_password_file:
|
|
# read vault_pass from a file
|
|
b_vault_pass = CLI.read_vault_password_file(self.options.vault_password_file, loader=loader)
|
|
loader.set_vault_password(b_vault_pass)
|
|
elif self.options.ask_vault_pass:
|
|
b_vault_pass = self.ask_vault_passwords()
|
|
loader.set_vault_password(b_vault_pass)
|
|
|
|
# create the variable manager, which will be shared throughout
|
|
# the code, ensuring a consistent view of global variables
|
|
variable_manager = VariableManager()
|
|
variable_manager.extra_vars = load_extra_vars(loader=loader, options=self.options)
|
|
|
|
variable_manager.options_vars = load_options_vars(self.options)
|
|
|
|
# create the inventory, and filter it based on the subset specified (if any)
|
|
inventory = Inventory(loader=loader, variable_manager=variable_manager, host_list=self.options.inventory)
|
|
variable_manager.set_inventory(inventory)
|
|
|
|
# (which is not returned in list_hosts()) is taken into account for
|
|
# warning if inventory is empty. But it can't be taken into account for
|
|
# checking if limit doesn't match any hosts. Instead we don't worry about
|
|
# limit if only implicit localhost was in inventory to start with.
|
|
#
|
|
# Fix this when we rewrite inventory by making localhost a real host (and thus show up in list_hosts())
|
|
no_hosts = False
|
|
if len(inventory.list_hosts()) == 0:
|
|
# Empty inventory
|
|
display.warning("provided hosts list is empty, only localhost is available")
|
|
no_hosts = True
|
|
inventory.subset(self.options.subset)
|
|
if len(inventory.list_hosts()) == 0 and no_hosts is False:
|
|
# Invalid limit
|
|
raise AnsibleError("Specified --limit does not match any hosts")
|
|
|
|
# flush fact cache if requested
|
|
if self.options.flush_cache:
|
|
self._flush_cache(inventory, variable_manager)
|
|
|
|
# create the playbook executor, which manages running the plays via a task queue manager
|
|
pbex = PlaybookExecutor(playbooks=self.args, inventory=inventory, variable_manager=variable_manager, loader=loader, options=self.options, passwords=passwords)
|
|
|
|
results = pbex.run()
|
|
|
|
if isinstance(results, list):
|
|
for p in results:
|
|
|
|
display.display('\nplaybook: %s' % p['playbook'])
|
|
for idx, play in enumerate(p['plays']):
|
|
if play._included_path is not None:
|
|
loader.set_basedir(play._included_path)
|
|
else:
|
|
pb_dir = os.path.realpath(os.path.dirname(p['playbook']))
|
|
loader.set_basedir(pb_dir)
|
|
|
|
msg = "\n play #%d (%s): %s" % (idx + 1, ','.join(play.hosts), play.name)
|
|
mytags = set(play.tags)
|
|
msg += '\tTAGS: [%s]' % (','.join(mytags))
|
|
|
|
if self.options.listhosts:
|
|
playhosts = set(inventory.get_hosts(play.hosts))
|
|
msg += "\n pattern: %s\n hosts (%d):" % (play.hosts, len(playhosts))
|
|
for host in playhosts:
|
|
msg += "\n %s" % host
|
|
|
|
display.display(msg)
|
|
|
|
all_tags = set()
|
|
if self.options.listtags or self.options.listtasks:
|
|
taskmsg = ''
|
|
if self.options.listtasks:
|
|
taskmsg = ' tasks:\n'
|
|
|
|
def _process_block(b):
|
|
taskmsg = ''
|
|
for task in b.block:
|
|
if isinstance(task, Block):
|
|
taskmsg += _process_block(task)
|
|
else:
|
|
if task.action == 'meta':
|
|
continue
|
|
|
|
all_tags.update(task.tags)
|
|
if self.options.listtasks:
|
|
cur_tags = list(mytags.union(set(task.tags)))
|
|
cur_tags.sort()
|
|
if task.name:
|
|
taskmsg += " %s" % task.get_name()
|
|
else:
|
|
taskmsg += " %s" % task.action
|
|
taskmsg += "\tTAGS: [%s]\n" % ', '.join(cur_tags)
|
|
|
|
return taskmsg
|
|
|
|
all_vars = variable_manager.get_vars(loader=loader, play=play)
|
|
play_context = PlayContext(play=play, options=self.options)
|
|
for block in play.compile():
|
|
block = block.filter_tagged_tasks(play_context, all_vars)
|
|
if not block.has_tasks():
|
|
continue
|
|
taskmsg += _process_block(block)
|
|
|
|
if self.options.listtags:
|
|
cur_tags = list(mytags.union(all_tags))
|
|
cur_tags.sort()
|
|
taskmsg += " TASK TAGS: [%s]\n" % ', '.join(cur_tags)
|
|
|
|
display.display(taskmsg)
|
|
|
|
return 0
|
|
else:
|
|
return results
|
|
|
|
def _flush_cache(self, inventory, variable_manager):
|
|
for host in inventory.list_hosts():
|
|
hostname = host.get_name()
|
|
variable_manager.clear_facts(hostname)
|