mirror of
https://github.com/ansible-collections/community.general.git
synced 2025-05-23 01:19:08 -07:00
c38ff3b8f8
* rm unneeded parens following assert * rm unused parse_vaulttext_envelope from yaml.constructor * No longer need index/enumerate over vault_ids * rm unnecessary else * rm unused VaultCli.secrets * rm unused vault_id arg on VaultAES.decrypt() pylint: Unused argument 'vault_id' pylint: Unused parse_vaulttext_envelope imported from ansible.parsing.vault pylint: Unused variable 'index' pylint: Unnecessary parens after 'assert' keyword pylint: Unnecessary "else" after "return" (no-else-return) pylint: Attribute 'editor' defined outside __init__ * use 'dummy' for unused variables instead of _ Based on pylint unused variable warnings. Existing code use '_' for this, but that is old and busted. The hot new thing is 'dummy'. It is so fetch. Except for where we get warnings for reusing the 'dummy' var name inside of a list comprehension. * Add super().__init__ call to PromptVaultSecret.__init__ pylint: __init__ method from base class 'VaultSecret' is not called (super-init-not-called) * Make FileVaultSecret.read_file reg method again The base class read_file() doesnt need self but the sub classes do. Rm now unneeded loader arg to read_file() * Fix err msg string literal that had no effect pylint: String statement has no effect The indent on the continuation of the msg_format was wrong so the second half was dropped. There was also no need to join() filename (copy/paste from original with a command list I assume...) * Use local cipher_name in VaultEditor.edit_file not instance pylint: Unused variable 'cipher_name' pylint: Unused variable 'b_ciphertext' Use the local cipher_name returned from parse_vaulttext_envelope() instead of the instance self.cipher_name var. Since there is only one valid cipher_name either way, it was equilivent, but it will not be with more valid cipher_names * Rm unused b_salt arg on VaultAES256._encrypt* pylint: Unused argument 'b_salt' Previously the methods computed the keys and iv themselves so needed to be passed in the salt, but now the key/iv are built before and passed in so b_salt arg is not used anymore. * rm redundant import of call from subprocess pylint: Imports from package subprocess are not grouped use via subprocess module now instead of direct import. * self._bytes is set in super init now, rm dup * Make FileVaultSecret.read_file() -> _read_file() _read_file() is details of the implementation of load(), so now 'private'.
749 lines
36 KiB
Python
749 lines
36 KiB
Python
# (c) 2012-2014, Michael DeHaan <michael.dehaan@gmail.com>
|
|
# (c) 2016, Toshio Kuratomi <tkuratomi@ansible.com>
|
|
#
|
|
# This file is part of Ansible
|
|
#
|
|
# Ansible is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# Ansible is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
# Make coding more python3-ish
|
|
from __future__ import (absolute_import, division, print_function)
|
|
__metaclass__ = type
|
|
|
|
import getpass
|
|
import operator
|
|
import optparse
|
|
import os
|
|
import subprocess
|
|
import re
|
|
import sys
|
|
import time
|
|
import yaml
|
|
|
|
from abc import ABCMeta, abstractmethod
|
|
|
|
import ansible
|
|
from ansible import constants as C
|
|
from ansible.errors import AnsibleOptionsError
|
|
from ansible.inventory.manager import InventoryManager
|
|
from ansible.module_utils.six import with_metaclass, string_types
|
|
from ansible.module_utils._text import to_bytes, to_text
|
|
from ansible.parsing.dataloader import DataLoader
|
|
from ansible.release import __version__
|
|
from ansible.utils.path import unfrackpath
|
|
from ansible.utils.vars import load_extra_vars, load_options_vars
|
|
from ansible.vars.manager import VariableManager
|
|
from ansible.parsing.vault import PromptVaultSecret, get_file_vault_secret
|
|
|
|
try:
|
|
from __main__ import display
|
|
except ImportError:
|
|
from ansible.utils.display import Display
|
|
display = Display()
|
|
|
|
|
|
class SortedOptParser(optparse.OptionParser):
|
|
'''Optparser which sorts the options by opt before outputting --help'''
|
|
|
|
def format_help(self, formatter=None, epilog=None):
|
|
self.option_list.sort(key=operator.methodcaller('get_opt_string'))
|
|
return optparse.OptionParser.format_help(self, formatter=None)
|
|
|
|
|
|
# Note: Inherit from SortedOptParser so that we get our format_help method
|
|
class InvalidOptsParser(SortedOptParser):
|
|
'''Ignore invalid options.
|
|
|
|
Meant for the special case where we need to take care of help and version
|
|
but may not know the full range of options yet. (See it in use in set_action)
|
|
'''
|
|
def __init__(self, parser):
|
|
# Since this is special purposed to just handle help and version, we
|
|
# take a pre-existing option parser here and set our options from
|
|
# that. This allows us to give accurate help based on the given
|
|
# option parser.
|
|
SortedOptParser.__init__(self, usage=parser.usage,
|
|
option_list=parser.option_list,
|
|
option_class=parser.option_class,
|
|
conflict_handler=parser.conflict_handler,
|
|
description=parser.description,
|
|
formatter=parser.formatter,
|
|
add_help_option=False,
|
|
prog=parser.prog,
|
|
epilog=parser.epilog)
|
|
self.version = parser.version
|
|
|
|
def _process_long_opt(self, rargs, values):
|
|
try:
|
|
optparse.OptionParser._process_long_opt(self, rargs, values)
|
|
except optparse.BadOptionError:
|
|
pass
|
|
|
|
def _process_short_opts(self, rargs, values):
|
|
try:
|
|
optparse.OptionParser._process_short_opts(self, rargs, values)
|
|
except optparse.BadOptionError:
|
|
pass
|
|
|
|
|
|
class CLI(with_metaclass(ABCMeta, object)):
|
|
''' code behind bin/ansible* programs '''
|
|
|
|
VALID_ACTIONS = []
|
|
|
|
_ITALIC = re.compile(r"I\(([^)]+)\)")
|
|
_BOLD = re.compile(r"B\(([^)]+)\)")
|
|
_MODULE = re.compile(r"M\(([^)]+)\)")
|
|
_URL = re.compile(r"U\(([^)]+)\)")
|
|
_CONST = re.compile(r"C\(([^)]+)\)")
|
|
|
|
PAGER = 'less'
|
|
|
|
# -F (quit-if-one-screen) -R (allow raw ansi control chars)
|
|
# -S (chop long lines) -X (disable termcap init and de-init)
|
|
LESS_OPTS = 'FRSX'
|
|
|
|
def __init__(self, args, callback=None):
|
|
"""
|
|
Base init method for all command line programs
|
|
"""
|
|
|
|
self.args = args
|
|
self.options = None
|
|
self.parser = None
|
|
self.action = None
|
|
self.callback = callback
|
|
|
|
def set_action(self):
|
|
"""
|
|
Get the action the user wants to execute from the sys argv list.
|
|
"""
|
|
for i in range(0, len(self.args)):
|
|
arg = self.args[i]
|
|
if arg in self.VALID_ACTIONS:
|
|
self.action = arg
|
|
del self.args[i]
|
|
break
|
|
|
|
if not self.action:
|
|
# if we're asked for help or version, we don't need an action.
|
|
# have to use a special purpose Option Parser to figure that out as
|
|
# the standard OptionParser throws an error for unknown options and
|
|
# without knowing action, we only know of a subset of the options
|
|
# that could be legal for this command
|
|
tmp_parser = InvalidOptsParser(self.parser)
|
|
tmp_options, tmp_args = tmp_parser.parse_args(self.args)
|
|
if not(hasattr(tmp_options, 'help') and tmp_options.help) or (hasattr(tmp_options, 'version') and tmp_options.version):
|
|
raise AnsibleOptionsError("Missing required action")
|
|
|
|
def execute(self):
|
|
"""
|
|
Actually runs a child defined method using the execute_<action> pattern
|
|
"""
|
|
fn = getattr(self, "execute_%s" % self.action)
|
|
fn()
|
|
|
|
@abstractmethod
|
|
def run(self):
|
|
"""Run the ansible command
|
|
|
|
Subclasses must implement this method. It does the actual work of
|
|
running an Ansible command.
|
|
"""
|
|
|
|
display.vv(to_text(self.parser.get_version()))
|
|
|
|
if C.CONFIG_FILE:
|
|
display.v(u"Using %s as config file" % to_text(C.CONFIG_FILE))
|
|
else:
|
|
display.v(u"No config file found; using defaults")
|
|
|
|
@staticmethod
|
|
def split_vault_id(vault_id):
|
|
# return (before_@, after_@)
|
|
# if no @, return whole string as after_
|
|
if '@' not in vault_id:
|
|
return (None, vault_id)
|
|
|
|
parts = vault_id.split('@', 1)
|
|
ret = tuple(parts)
|
|
return ret
|
|
|
|
@staticmethod
|
|
def build_vault_ids(vault_ids, vault_password_files=None, ask_vault_pass=None):
|
|
vault_password_files = vault_password_files or []
|
|
vault_ids = vault_ids or []
|
|
|
|
# convert vault_password_files into vault_ids slugs
|
|
for password_file in vault_password_files:
|
|
id_slug = u'%s@%s' % (C.DEFAULT_VAULT_IDENTITY, password_file)
|
|
|
|
# note this makes --vault-id higher precendence than --vault-password-file
|
|
# if we want to intertwingle them in order probably need a cli callback to populate vault_ids
|
|
# used by --vault-id and --vault-password-file
|
|
vault_ids.append(id_slug)
|
|
|
|
if ask_vault_pass:
|
|
id_slug = u'%s@%s' % (C.DEFAULT_VAULT_IDENTITY, u'prompt_ask_vault_pass')
|
|
vault_ids.append(id_slug)
|
|
|
|
return vault_ids
|
|
|
|
# TODO: remove the now unused args
|
|
@staticmethod
|
|
def setup_vault_secrets(loader, vault_ids, vault_password_files=None,
|
|
ask_vault_pass=None, create_new_password=False):
|
|
# list of tuples
|
|
vault_secrets = []
|
|
|
|
# Depending on the vault_id value (including how --ask-vault-pass / --vault-password-file create a vault_id)
|
|
# we need to show different prompts. This is for compat with older Towers that expect a
|
|
# certain vault password prompt format, so 'promp_ask_vault_pass' vault_id gets the old format.
|
|
prompt_formats = {}
|
|
|
|
vault_password_files = vault_password_files or []
|
|
if C.DEFAULT_VAULT_PASSWORD_FILE:
|
|
vault_password_files.append(C.DEFAULT_VAULT_PASSWORD_FILE)
|
|
|
|
if create_new_password:
|
|
prompt_formats['prompt'] = ['New vault password (%(vault_id)s): ',
|
|
'Confirm vew vault password (%(vault_id)s): ']
|
|
else:
|
|
prompt_formats['prompt'] = ['Vault password (%(vault_id)s): ']
|
|
# The format when we use just --ask-vault-pass needs to match 'Vault password:\s*?$'
|
|
prompt_formats['prompt_ask_vault_pass'] = ['Vault password: ']
|
|
|
|
vault_ids = CLI.build_vault_ids(vault_ids,
|
|
vault_password_files,
|
|
ask_vault_pass)
|
|
|
|
for vault_id_slug in vault_ids:
|
|
vault_id_name, vault_id_value = CLI.split_vault_id(vault_id_slug)
|
|
if vault_id_value in ['prompt', 'prompt_ask_vault_pass']:
|
|
|
|
# --vault-id some_name@prompt_ask_vault_pass --vault-id other_name@prompt_ask_vault_pass will be a little
|
|
# confusing since it will use the old format without the vault id in the prompt
|
|
if vault_id_name:
|
|
prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats[vault_id_value],
|
|
vault_id=vault_id_name)
|
|
prompted_vault_secret.load()
|
|
vault_secrets.append((vault_id_name, prompted_vault_secret))
|
|
else:
|
|
# ie, we used --ask-vault-pass, so we need to use the old vault password prompt
|
|
# format since Tower needs to match on that format.
|
|
prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats[vault_id_value],
|
|
vault_id=C.DEFAULT_VAULT_IDENTITY)
|
|
prompted_vault_secret.load()
|
|
vault_secrets.append((C.DEFAULT_VAULT_IDENTITY, prompted_vault_secret))
|
|
|
|
# update loader with new secrets incrementally, so we can load a vault password
|
|
# that is encrypted with a vault secret provided earlier
|
|
loader.set_vault_secrets(vault_secrets)
|
|
continue
|
|
|
|
# assuming anything else is a password file
|
|
display.vvvvv('Reading vault password file: %s' % vault_id_value)
|
|
# read vault_pass from a file
|
|
file_vault_secret = get_file_vault_secret(filename=vault_id_value,
|
|
vault_id_name=vault_id_name,
|
|
loader=loader)
|
|
file_vault_secret.load()
|
|
if vault_id_name:
|
|
vault_secrets.append((vault_id_name, file_vault_secret))
|
|
else:
|
|
vault_secrets.append((C.DEFAULT_VAULT_IDENTITY, file_vault_secret))
|
|
|
|
# update loader with as-yet-known vault secrets
|
|
loader.set_vault_secrets(vault_secrets)
|
|
|
|
return vault_secrets
|
|
|
|
def ask_passwords(self):
|
|
''' prompt for connection and become passwords if needed '''
|
|
|
|
op = self.options
|
|
sshpass = None
|
|
becomepass = None
|
|
become_prompt = ''
|
|
|
|
try:
|
|
if op.ask_pass:
|
|
sshpass = getpass.getpass(prompt="SSH password: ")
|
|
become_prompt = "%s password[defaults to SSH password]: " % op.become_method.upper()
|
|
if sshpass:
|
|
sshpass = to_bytes(sshpass, errors='strict', nonstring='simplerepr')
|
|
else:
|
|
become_prompt = "%s password: " % op.become_method.upper()
|
|
|
|
if op.become_ask_pass:
|
|
becomepass = getpass.getpass(prompt=become_prompt)
|
|
if op.ask_pass and becomepass == '':
|
|
becomepass = sshpass
|
|
if becomepass:
|
|
becomepass = to_bytes(becomepass)
|
|
except EOFError:
|
|
pass
|
|
|
|
return (sshpass, becomepass)
|
|
|
|
def normalize_become_options(self):
|
|
''' this keeps backwards compatibility with sudo/su self.options '''
|
|
self.options.become_ask_pass = self.options.become_ask_pass or self.options.ask_sudo_pass or self.options.ask_su_pass or C.DEFAULT_BECOME_ASK_PASS
|
|
self.options.become_user = self.options.become_user or self.options.sudo_user or self.options.su_user or C.DEFAULT_BECOME_USER
|
|
|
|
def _dep(which):
|
|
display.deprecated('The %s command line option has been deprecated in favor of the "become" command line arguments' % which, '2.6')
|
|
|
|
if self.options.become:
|
|
pass
|
|
elif self.options.sudo:
|
|
self.options.become = True
|
|
self.options.become_method = 'sudo'
|
|
_dep('sudo')
|
|
elif self.options.su:
|
|
self.options.become = True
|
|
self.options.become_method = 'su'
|
|
_dep('su')
|
|
|
|
# other deprecations:
|
|
if self.options.ask_sudo_pass or self.options.sudo_user:
|
|
_dep('sudo')
|
|
if self.options.ask_su_pass or self.options.su_user:
|
|
_dep('su')
|
|
|
|
def validate_conflicts(self, vault_opts=False, runas_opts=False, fork_opts=False):
|
|
''' check for conflicting options '''
|
|
|
|
op = self.options
|
|
|
|
if vault_opts:
|
|
# Check for vault related conflicts
|
|
if (op.ask_vault_pass and op.vault_password_files):
|
|
self.parser.error("--ask-vault-pass and --vault-password-file are mutually exclusive")
|
|
|
|
if runas_opts:
|
|
# Check for privilege escalation conflicts
|
|
if ((op.su or op.su_user) and (op.sudo or op.sudo_user) or
|
|
(op.su or op.su_user) and (op.become or op.become_user) or
|
|
(op.sudo or op.sudo_user) and (op.become or op.become_user)):
|
|
|
|
self.parser.error("Sudo arguments ('--sudo', '--sudo-user', and '--ask-sudo-pass') and su arguments ('--su', '--su-user', and '--ask-su-pass') "
|
|
"and become arguments ('--become', '--become-user', and '--ask-become-pass') are exclusive of each other")
|
|
|
|
if fork_opts:
|
|
if op.forks < 1:
|
|
self.parser.error("The number of processes (--forks) must be >= 1")
|
|
|
|
@staticmethod
|
|
def unfrack_paths(option, opt, value, parser):
|
|
paths = getattr(parser.values, option.dest)
|
|
if isinstance(value, string_types):
|
|
paths[:0] = [unfrackpath(x) for x in value.split(os.pathsep)]
|
|
elif isinstance(value, list):
|
|
paths[:0] = [unfrackpath(x) for x in value]
|
|
else:
|
|
pass # FIXME: should we raise options error?
|
|
setattr(parser.values, option.dest, paths)
|
|
|
|
@staticmethod
|
|
def unfrack_path(option, opt, value, parser):
|
|
setattr(parser.values, option.dest, unfrackpath(value))
|
|
|
|
@staticmethod
|
|
def base_parser(usage="", output_opts=False, runas_opts=False, meta_opts=False, runtask_opts=False, vault_opts=False, module_opts=False,
|
|
async_opts=False, connect_opts=False, subset_opts=False, check_opts=False, inventory_opts=False, epilog=None, fork_opts=False,
|
|
runas_prompt_opts=False, desc=None):
|
|
''' create an options parser for most ansible scripts '''
|
|
|
|
# base opts
|
|
parser = SortedOptParser(usage, version=CLI.version("%prog"), description=desc, epilog=epilog)
|
|
parser.add_option('-v', '--verbose', dest='verbosity', default=C.DEFAULT_VERBOSITY, action="count",
|
|
help="verbose mode (-vvv for more, -vvvv to enable connection debugging)")
|
|
|
|
if inventory_opts:
|
|
parser.add_option('-i', '--inventory', '--inventory-file', dest='inventory', action="append",
|
|
help="specify inventory host path (default=[%s]) or comma separated host list. "
|
|
"--inventory-file is deprecated" % C.DEFAULT_HOST_LIST)
|
|
parser.add_option('--list-hosts', dest='listhosts', action='store_true',
|
|
help='outputs a list of matching hosts; does not execute anything else')
|
|
parser.add_option('-l', '--limit', default=C.DEFAULT_SUBSET, dest='subset',
|
|
help='further limit selected hosts to an additional pattern')
|
|
|
|
if module_opts:
|
|
parser.add_option('-M', '--module-path', dest='module_path', default=None,
|
|
help="prepend path(s) to module library (default=%s)" % C.DEFAULT_MODULE_PATH,
|
|
action="callback", callback=CLI.unfrack_path, type='str')
|
|
if runtask_opts:
|
|
parser.add_option('-e', '--extra-vars', dest="extra_vars", action="append",
|
|
help="set additional variables as key=value or YAML/JSON, if filename prepend with @", default=[])
|
|
|
|
if fork_opts:
|
|
parser.add_option('-f', '--forks', dest='forks', default=C.DEFAULT_FORKS, type='int',
|
|
help="specify number of parallel processes to use (default=%s)" % C.DEFAULT_FORKS)
|
|
|
|
if vault_opts:
|
|
parser.add_option('--ask-vault-pass', default=C.DEFAULT_ASK_VAULT_PASS, dest='ask_vault_pass', action='store_true',
|
|
help='ask for vault password')
|
|
parser.add_option('--vault-password-file', default=[], dest='vault_password_files',
|
|
help="vault password file", action="callback", callback=CLI.unfrack_paths, type='string')
|
|
parser.add_option('--new-vault-password-file', default=[], dest='new_vault_password_files',
|
|
help="new vault password file for rekey", action="callback", callback=CLI.unfrack_paths, type='string')
|
|
parser.add_option('--output', default=None, dest='output_file',
|
|
help='output file name for encrypt or decrypt; use - for stdout',
|
|
action="callback", callback=CLI.unfrack_path, type='string'),
|
|
parser.add_option('--vault-id', default=[], dest='vault_ids', action='append', type='string',
|
|
help='the vault identity to use')
|
|
parser.add_option('--new-vault-id', default=None, dest='new_vault_id', type='string',
|
|
help='the new vault identity to use for rekey')
|
|
|
|
if subset_opts:
|
|
parser.add_option('-t', '--tags', dest='tags', default=[], action='append',
|
|
help="only run plays and tasks tagged with these values")
|
|
parser.add_option('--skip-tags', dest='skip_tags', default=[], action='append',
|
|
help="only run plays and tasks whose tags do not match these values")
|
|
|
|
if output_opts:
|
|
parser.add_option('-o', '--one-line', dest='one_line', action='store_true',
|
|
help='condense output')
|
|
parser.add_option('-t', '--tree', dest='tree', default=None,
|
|
help='log output to this directory')
|
|
|
|
if connect_opts:
|
|
connect_group = optparse.OptionGroup(parser, "Connection Options", "control as whom and how to connect to hosts")
|
|
connect_group.add_option('-k', '--ask-pass', default=C.DEFAULT_ASK_PASS, dest='ask_pass', action='store_true',
|
|
help='ask for connection password')
|
|
connect_group.add_option('--private-key', '--key-file', default=C.DEFAULT_PRIVATE_KEY_FILE, dest='private_key_file',
|
|
help='use this file to authenticate the connection', action="callback", callback=CLI.unfrack_path, type='string')
|
|
connect_group.add_option('-u', '--user', default=C.DEFAULT_REMOTE_USER, dest='remote_user',
|
|
help='connect as this user (default=%s)' % C.DEFAULT_REMOTE_USER)
|
|
connect_group.add_option('-c', '--connection', dest='connection', default=C.DEFAULT_TRANSPORT,
|
|
help="connection type to use (default=%s)" % C.DEFAULT_TRANSPORT)
|
|
connect_group.add_option('-T', '--timeout', default=C.DEFAULT_TIMEOUT, type='int', dest='timeout',
|
|
help="override the connection timeout in seconds (default=%s)" % C.DEFAULT_TIMEOUT)
|
|
connect_group.add_option('--ssh-common-args', default='', dest='ssh_common_args',
|
|
help="specify common arguments to pass to sftp/scp/ssh (e.g. ProxyCommand)")
|
|
connect_group.add_option('--sftp-extra-args', default='', dest='sftp_extra_args',
|
|
help="specify extra arguments to pass to sftp only (e.g. -f, -l)")
|
|
connect_group.add_option('--scp-extra-args', default='', dest='scp_extra_args',
|
|
help="specify extra arguments to pass to scp only (e.g. -l)")
|
|
connect_group.add_option('--ssh-extra-args', default='', dest='ssh_extra_args',
|
|
help="specify extra arguments to pass to ssh only (e.g. -R)")
|
|
|
|
parser.add_option_group(connect_group)
|
|
|
|
runas_group = None
|
|
rg = optparse.OptionGroup(parser, "Privilege Escalation Options", "control how and which user you become as on target hosts")
|
|
if runas_opts:
|
|
runas_group = rg
|
|
# priv user defaults to root later on to enable detecting when this option was given here
|
|
runas_group.add_option("-s", "--sudo", default=C.DEFAULT_SUDO, action="store_true", dest='sudo',
|
|
help="run operations with sudo (nopasswd) (deprecated, use become)")
|
|
runas_group.add_option('-U', '--sudo-user', dest='sudo_user', default=None,
|
|
help='desired sudo user (default=root) (deprecated, use become)')
|
|
runas_group.add_option('-S', '--su', default=C.DEFAULT_SU, action='store_true',
|
|
help='run operations with su (deprecated, use become)')
|
|
runas_group.add_option('-R', '--su-user', default=None,
|
|
help='run operations with su as this user (default=%s) (deprecated, use become)' % C.DEFAULT_SU_USER)
|
|
|
|
# consolidated privilege escalation (become)
|
|
runas_group.add_option("-b", "--become", default=C.DEFAULT_BECOME, action="store_true", dest='become',
|
|
help="run operations with become (does not imply password prompting)")
|
|
runas_group.add_option('--become-method', dest='become_method', default=C.DEFAULT_BECOME_METHOD, type='choice', choices=C.BECOME_METHODS,
|
|
help="privilege escalation method to use (default=%s), valid choices: [ %s ]" %
|
|
(C.DEFAULT_BECOME_METHOD, ' | '.join(C.BECOME_METHODS)))
|
|
runas_group.add_option('--become-user', default=None, dest='become_user', type='string',
|
|
help='run operations as this user (default=%s)' % C.DEFAULT_BECOME_USER)
|
|
|
|
if runas_opts or runas_prompt_opts:
|
|
if not runas_group:
|
|
runas_group = rg
|
|
runas_group.add_option('--ask-sudo-pass', default=C.DEFAULT_ASK_SUDO_PASS, dest='ask_sudo_pass', action='store_true',
|
|
help='ask for sudo password (deprecated, use become)')
|
|
runas_group.add_option('--ask-su-pass', default=C.DEFAULT_ASK_SU_PASS, dest='ask_su_pass', action='store_true',
|
|
help='ask for su password (deprecated, use become)')
|
|
runas_group.add_option('-K', '--ask-become-pass', default=False, dest='become_ask_pass', action='store_true',
|
|
help='ask for privilege escalation password')
|
|
|
|
if runas_group:
|
|
parser.add_option_group(runas_group)
|
|
|
|
if async_opts:
|
|
parser.add_option('-P', '--poll', default=C.DEFAULT_POLL_INTERVAL, type='int', dest='poll_interval',
|
|
help="set the poll interval if using -B (default=%s)" % C.DEFAULT_POLL_INTERVAL)
|
|
parser.add_option('-B', '--background', dest='seconds', type='int', default=0,
|
|
help='run asynchronously, failing after X seconds (default=N/A)')
|
|
|
|
if check_opts:
|
|
parser.add_option("-C", "--check", default=False, dest='check', action='store_true',
|
|
help="don't make any changes; instead, try to predict some of the changes that may occur")
|
|
parser.add_option('--syntax-check', dest='syntax', action='store_true',
|
|
help="perform a syntax check on the playbook, but do not execute it")
|
|
parser.add_option("-D", "--diff", default=C.DIFF_ALWAYS, dest='diff', action='store_true',
|
|
help="when changing (small) files and templates, show the differences in those files; works great with --check")
|
|
|
|
if meta_opts:
|
|
parser.add_option('--force-handlers', default=C.DEFAULT_FORCE_HANDLERS, dest='force_handlers', action='store_true',
|
|
help="run handlers even if a task fails")
|
|
parser.add_option('--flush-cache', dest='flush_cache', action='store_true',
|
|
help="clear the fact cache")
|
|
|
|
return parser
|
|
|
|
@abstractmethod
|
|
def parse(self):
|
|
"""Parse the command line args
|
|
|
|
This method parses the command line arguments. It uses the parser
|
|
stored in the self.parser attribute and saves the args and options in
|
|
self.args and self.options respectively.
|
|
|
|
Subclasses need to implement this method. They will usually create
|
|
a base_parser, add their own options to the base_parser, and then call
|
|
this method to do the actual parsing. An implementation will look
|
|
something like this::
|
|
|
|
def parse(self):
|
|
parser = super(MyCLI, self).base_parser(usage="My Ansible CLI", inventory_opts=True)
|
|
parser.add_option('--my-option', dest='my_option', action='store')
|
|
self.parser = parser
|
|
super(MyCLI, self).parse()
|
|
# If some additional transformations are needed for the
|
|
# arguments and options, do it here.
|
|
"""
|
|
|
|
self.options, self.args = self.parser.parse_args(self.args[1:])
|
|
|
|
# process tags
|
|
if hasattr(self.options, 'tags') and not self.options.tags:
|
|
# optparse defaults does not do what's expected
|
|
self.options.tags = ['all']
|
|
if hasattr(self.options, 'tags') and self.options.tags:
|
|
if not C.MERGE_MULTIPLE_CLI_TAGS:
|
|
if len(self.options.tags) > 1:
|
|
display.deprecated('Specifying --tags multiple times on the command line currently uses the last specified value. '
|
|
'In 2.4, values will be merged instead. Set merge_multiple_cli_tags=True in ansible.cfg to get this behavior now.',
|
|
version=2.5, removed=False)
|
|
self.options.tags = [self.options.tags[-1]]
|
|
|
|
tags = set()
|
|
for tag_set in self.options.tags:
|
|
for tag in tag_set.split(u','):
|
|
tags.add(tag.strip())
|
|
self.options.tags = list(tags)
|
|
|
|
# process skip_tags
|
|
if hasattr(self.options, 'skip_tags') and self.options.skip_tags:
|
|
if not C.MERGE_MULTIPLE_CLI_TAGS:
|
|
if len(self.options.skip_tags) > 1:
|
|
display.deprecated('Specifying --skip-tags multiple times on the command line currently uses the last specified value. '
|
|
'In 2.4, values will be merged instead. Set merge_multiple_cli_tags=True in ansible.cfg to get this behavior now.',
|
|
version=2.5, removed=False)
|
|
self.options.skip_tags = [self.options.skip_tags[-1]]
|
|
|
|
skip_tags = set()
|
|
for tag_set in self.options.skip_tags:
|
|
for tag in tag_set.split(u','):
|
|
skip_tags.add(tag.strip())
|
|
self.options.skip_tags = list(skip_tags)
|
|
|
|
# process inventory options
|
|
if hasattr(self.options, 'inventory'):
|
|
|
|
if self.options.inventory:
|
|
|
|
# should always be list
|
|
if isinstance(self.options.inventory, string_types):
|
|
self.options.inventory = [self.options.inventory]
|
|
|
|
# Ensure full paths when needed
|
|
self.options.inventory = [unfrackpath(opt) if ',' not in opt else opt for opt in self.options.inventory]
|
|
|
|
else:
|
|
# set default if it exists
|
|
if os.path.exists(C.DEFAULT_HOST_LIST):
|
|
self.options.inventory = [C.DEFAULT_HOST_LIST]
|
|
|
|
@staticmethod
|
|
def version(prog):
|
|
''' return ansible version '''
|
|
result = "{0} {1}".format(prog, __version__)
|
|
gitinfo = CLI._gitinfo()
|
|
if gitinfo:
|
|
result = result + " {0}".format(gitinfo)
|
|
result += "\n config file = %s" % C.CONFIG_FILE
|
|
if C.DEFAULT_MODULE_PATH is None:
|
|
cpath = "Default w/o overrides"
|
|
else:
|
|
cpath = C.DEFAULT_MODULE_PATH
|
|
result = result + "\n configured module search path = %s" % cpath
|
|
result = result + "\n ansible python module location = %s" % ':'.join(ansible.__path__)
|
|
result = result + "\n executable location = %s" % sys.argv[0]
|
|
result = result + "\n python version = %s" % ''.join(sys.version.splitlines())
|
|
return result
|
|
|
|
@staticmethod
|
|
def version_info(gitinfo=False):
|
|
''' return full ansible version info '''
|
|
if gitinfo:
|
|
# expensive call, user with care
|
|
ansible_version_string = CLI.version('')
|
|
else:
|
|
ansible_version_string = __version__
|
|
ansible_version = ansible_version_string.split()[0]
|
|
ansible_versions = ansible_version.split('.')
|
|
for counter in range(len(ansible_versions)):
|
|
if ansible_versions[counter] == "":
|
|
ansible_versions[counter] = 0
|
|
try:
|
|
ansible_versions[counter] = int(ansible_versions[counter])
|
|
except:
|
|
pass
|
|
if len(ansible_versions) < 3:
|
|
for counter in range(len(ansible_versions), 3):
|
|
ansible_versions.append(0)
|
|
return {'string': ansible_version_string.strip(),
|
|
'full': ansible_version,
|
|
'major': ansible_versions[0],
|
|
'minor': ansible_versions[1],
|
|
'revision': ansible_versions[2]}
|
|
|
|
@staticmethod
|
|
def _git_repo_info(repo_path):
|
|
''' returns a string containing git branch, commit id and commit date '''
|
|
result = None
|
|
if os.path.exists(repo_path):
|
|
# Check if the .git is a file. If it is a file, it means that we are in a submodule structure.
|
|
if os.path.isfile(repo_path):
|
|
try:
|
|
gitdir = yaml.safe_load(open(repo_path)).get('gitdir')
|
|
# There is a possibility the .git file to have an absolute path.
|
|
if os.path.isabs(gitdir):
|
|
repo_path = gitdir
|
|
else:
|
|
repo_path = os.path.join(repo_path[:-4], gitdir)
|
|
except (IOError, AttributeError):
|
|
return ''
|
|
f = open(os.path.join(repo_path, "HEAD"))
|
|
line = f.readline().rstrip("\n")
|
|
if line.startswith("ref:"):
|
|
branch_path = os.path.join(repo_path, line[5:])
|
|
else:
|
|
branch_path = None
|
|
f.close()
|
|
if branch_path and os.path.exists(branch_path):
|
|
branch = '/'.join(line.split('/')[2:])
|
|
f = open(branch_path)
|
|
commit = f.readline()[:10]
|
|
f.close()
|
|
else:
|
|
# detached HEAD
|
|
commit = line[:10]
|
|
branch = 'detached HEAD'
|
|
branch_path = os.path.join(repo_path, "HEAD")
|
|
|
|
date = time.localtime(os.stat(branch_path).st_mtime)
|
|
if time.daylight == 0:
|
|
offset = time.timezone
|
|
else:
|
|
offset = time.altzone
|
|
result = "({0} {1}) last updated {2} (GMT {3:+04d})".format(branch, commit, time.strftime("%Y/%m/%d %H:%M:%S", date), int(offset / -36))
|
|
else:
|
|
result = ''
|
|
return result
|
|
|
|
@staticmethod
|
|
def _gitinfo():
|
|
basedir = os.path.join(os.path.dirname(__file__), '..', '..', '..')
|
|
repo_path = os.path.join(basedir, '.git')
|
|
result = CLI._git_repo_info(repo_path)
|
|
submodules = os.path.join(basedir, '.gitmodules')
|
|
if not os.path.exists(submodules):
|
|
return result
|
|
f = open(submodules)
|
|
for line in f:
|
|
tokens = line.strip().split(' ')
|
|
if tokens[0] == 'path':
|
|
submodule_path = tokens[2]
|
|
submodule_info = CLI._git_repo_info(os.path.join(basedir, submodule_path, '.git'))
|
|
if not submodule_info:
|
|
submodule_info = ' not found - use git submodule update --init ' + submodule_path
|
|
result += "\n {0}: {1}".format(submodule_path, submodule_info)
|
|
f.close()
|
|
return result
|
|
|
|
def pager(self, text):
|
|
''' find reasonable way to display text '''
|
|
# this is a much simpler form of what is in pydoc.py
|
|
if not sys.stdout.isatty():
|
|
display.display(text, screen_only=True)
|
|
elif 'PAGER' in os.environ:
|
|
if sys.platform == 'win32':
|
|
display.display(text, screen_only=True)
|
|
else:
|
|
self.pager_pipe(text, os.environ['PAGER'])
|
|
else:
|
|
p = subprocess.Popen('less --version', shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
p.communicate()
|
|
if p.returncode == 0:
|
|
self.pager_pipe(text, 'less')
|
|
else:
|
|
display.display(text, screen_only=True)
|
|
|
|
@staticmethod
|
|
def pager_pipe(text, cmd):
|
|
''' pipe text through a pager '''
|
|
if 'LESS' not in os.environ:
|
|
os.environ['LESS'] = CLI.LESS_OPTS
|
|
try:
|
|
cmd = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE, stdout=sys.stdout)
|
|
cmd.communicate(input=to_bytes(text))
|
|
except IOError:
|
|
pass
|
|
except KeyboardInterrupt:
|
|
pass
|
|
|
|
@classmethod
|
|
def tty_ify(cls, text):
|
|
|
|
t = cls._ITALIC.sub("`" + r"\1" + "'", text) # I(word) => `word'
|
|
t = cls._BOLD.sub("*" + r"\1" + "*", t) # B(word) => *word*
|
|
t = cls._MODULE.sub("[" + r"\1" + "]", t) # M(word) => [word]
|
|
t = cls._URL.sub(r"\1", t) # U(word) => word
|
|
t = cls._CONST.sub("`" + r"\1" + "'", t) # C(word) => `word'
|
|
|
|
return t
|
|
|
|
@staticmethod
|
|
def _play_prereqs(options):
|
|
|
|
# all needs loader
|
|
loader = DataLoader()
|
|
|
|
vault_secrets = CLI.setup_vault_secrets(loader,
|
|
vault_ids=options.vault_ids,
|
|
vault_password_files=options.vault_password_files,
|
|
ask_vault_pass=options.ask_vault_pass)
|
|
loader.set_vault_secrets(vault_secrets)
|
|
|
|
# create the inventory, and filter it based on the subset specified (if any)
|
|
inventory = InventoryManager(loader=loader, sources=options.inventory)
|
|
|
|
# create the variable manager, which will be shared throughout
|
|
# the code, ensuring a consistent view of global variables
|
|
variable_manager = VariableManager(loader=loader, inventory=inventory)
|
|
|
|
# load vars from cli options
|
|
variable_manager.extra_vars = load_extra_vars(loader=loader, options=options)
|
|
variable_manager.options_vars = load_options_vars(options, CLI.version_info(gitinfo=False))
|
|
|
|
return loader, inventory, variable_manager
|