From bd44a8ba0e4b9189792786d0fe3516534d690121 Mon Sep 17 00:00:00 2001
From: esum & shirenn <shirenn@crans.org>
Date: Tue, 17 May 2022 20:55:09 +0200
Subject: [PATCH] Implements new mechanism for gpg vault

The vault may now be split in multiple files under `ansible/{name}.gpg` and all variables inside it will be loaded under `vault.name`.
---
 vars_plugins/pass.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/vars_plugins/pass.py b/vars_plugins/pass.py
index 6db46854..a64e8cd2 100644
--- a/vars_plugins/pass.py
+++ b/vars_plugins/pass.py
@@ -6,6 +6,7 @@ import os from pathlib import Path import subprocess import sys +import json from ansible.module_utils.six.moves import configparser from ansible.plugins.vars import BaseVarsPlugin
@@ -88,11 +89,32 @@ class VarsModule(BaseVarsPlugin): passwords = {} + config = configparser.ConfigParser() + config.read(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'pass.ini')) + + password_store = Path(config.get('pass', 'password_store_dir', + fallback=os.getenv('PASSWORD_STORE_DIR', Path.home() / '.password-store'))) + + password_store /= config.get('pass', 'crans_password_store_submodule', + fallback=os.getenv('CRANS_PASSWORD_STORE_SUBMODULE', 'crans')) + + password_store /= '.last_group.json' + + with open(password_store) as file: + files = json.load(file) + + files = [ file for file in files if file.startswith('ansible/') ] + for entity in entities: # Load vault passwords if entity.get_name() == 'all': + passwords['vault'] = {} + # Backward compatibility with old ansible_vault passwords['vault'] = loader.load( VarsModule.decrypt_password('ansible_vault', True)) + for file in files: + passwords['vault'][file.lstrip('ansible/')] = loader.load( + VarsModule.decrypt_password(file, True)) # Load become password become_password = VarsModule.become_password(entity)
--
GitLab
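Review bot: `file.lstrip('ansible/')` in the new loop of the second hunk strips any leading run of the characters a, n, s, i, b, l, e and / rather than the `ansible/` prefix, so an entry such as `ansible/secrets` would be keyed as `crets`; use `file[len('ansible/'):]` (or `str.removeprefix` if the plugin no longer has to run on older interpreters, which the `six` import suggests it still might). The `passwords['vault'] = {}` added just above is dead, because the next statement reassigns `passwords['vault']` to whatever `loader.load` returns for the old `ansible_vault`; if that decrypts to an empty document the result is `None` and the subscript assignment in the loop raises, and if it is a mapping the per-file entries silently overwrite any same-named keys, so at least `passwords['vault'] = loader.load(VarsModule.decrypt_password('ansible_vault', True)) or {}` is needed. The entries read from `.last_group.json` decide which store paths get decrypted into Ansible variables, and the `startswith('ansible/')` filter accepts anything with that prefix, so it seems worth normalising each entry and rejecting `..` or absolute components before handing it to `decrypt_password`, whose path handling is outside the hunk. The config parsing and JSON read also run on every call rather than once, and an absent `.last_group.json` raises `FileNotFoundError` for every entity instead of falling back to the old single vault. The enclosing method starts and ends outside the hunk.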