#!/usr/local/ruby-current/bin/ruby
#
# Copyright:: Copyright (c) 2019 eGlobalTech, Inc., all rights reserved
#
# Licensed under the BSD-3 license (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License in the root of the project or at
#
# http://egt-labs.com/mu/LICENSE.html
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require File.expand_path(File.dirname(__FILE__))+"/mu-load-config.rb"
require 'rubygems'
require 'bundler/setup'
require 'optimist'
require 'mu'
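# Directory holding this user's Ansible vault files, under Mu's data dir.
$secretdir = MU.dataDir + "/ansible-secrets"

# Parsed command-line options. The sub-command flags are dispatched on below
# in the order --list, --string, --show, --create/--update, --delete.
$opts = Optimist.options do
  banner <<-EOS
Interface with Mu's central repository of Ansible vaults. All encrypting/decrypting will take place with the current user's default Mu Ansible Vault password, which is automatically generated.
#{$0} [--create|--update <vault> [[<itemname>] --file <filename>|<itemname> --string <encrypt_me>]] | [--delete|--show <vault> [<itemname>]] | [--list] | [--string <data> [<var_name>] ]
  EOS
  opt :list, "List vaults owned by this user.", require: false, default: false, type: :boolean
  opt :show, "Show a vault or item. If only a vault name is specified, item names are listed. Otherwise, item contents are shown.", require: false, default: false, type: :boolean
  opt :create, "Create a new vault and item", require: false, default: false, type: :boolean
  opt :update, "Alias for --create", require: false, default: false, type: :boolean
  # Previously had an empty description, so --help gave no hint what it does.
  opt :delete, "Delete an item from a vault, or the whole vault if no item name is given.", require: false, default: false, type: :boolean
  opt :file, "Path to a file to encrypt, in lieu of encrypting string data provided as an argument", require: false, type: :string
  # Default name fixed to match the value the --string branch actually uses.
  opt :string, "Encrypt a string, suitable for embedding in an Ansible vars file. If the optional <name> argument is not provided, the variable will be called my_encrypted_var", require: false, type: :string
end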
# Report a usage error and terminate.
#
# Logs +err+ at Mu's error level, prints the Optimist usage text, then exits.
#
# @param err [String] message describing the bad invocation
# @return [void] never returns; the process exits with status 1
def bail(err)
  MU.log(err, MU::ERR)
  Optimist.educate
  exit(1)
end
# --list: print the name of each vault owned by this user, one per line.
if $opts[:list]
  MU::Groomer::Ansible.listSecrets.each do |vault_name|
    puts vault_name
  end
  exit
end
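# --string on its own: encrypt a single value for embedding in a vars file.
# When --string is combined with --create/--update it is the item payload
# instead, so that case must fall through to the create branch below rather
# than being swallowed here (previously this branch exited first, making
# `--create <vault> <item> --string <data>` unreachable).
if $opts[:string] && !($opts[:create] || $opts[:update])
  # A single positional argument names the variable; anything else uses the default.
  namestr = ARGV.size == 1 ? ARGV.shift : "my_encrypted_var"
  MU::Groomer::Ansible.encryptString(namestr, $opts[:string])
  exit
end

# --show <vault> [<item>]: list a vault's items, or print one item's contents.
if $opts[:show]
  bail("Must specify a vault name with --show") if ARGV.empty?
  vaultname = ARGV.shift
  itemname = ARGV.shift # nil when no item name was given
  data = MU::Groomer::Ansible.getSecret(vault: vaultname, item: itemname)
  case data
  when nil, false
    MU.log "No data returned from vault #{vaultname} #{itemname ? "item "+itemname : ""}"
  when Array
    data.each { |entry| puts entry }
  when Hash
    puts JSON.pretty_generate(data)
  else
    puts data
  end
  exit
end

# --create/--update <vault> [<item>] (--file <path> | --string <data>):
# store an item in a vault, creating the vault if needed.
if $opts[:create] || $opts[:update]
  bail("Must specify a vault name with --create or --update") if ARGV.empty?
  vaultname = ARGV.shift
  if $opts[:file]
    # The item is named after the file, so no positional item name is accepted.
    item = File.basename($opts[:file])
    unless ARGV.empty?
      bail("Cannot specify item arg with --file (extra argument(s): #{ARGV.join(" ")})")
    end
    data = File.read($opts[:file])
  elsif $opts[:string]
    bail("Must specify an item name when using --string") if ARGV.empty?
    item = ARGV.shift
    # The payload is the --string value itself; previously it was discarded and a
    # further (usually absent) positional argument was stored instead.
    data = $opts[:string]
    unless ARGV.empty?
      bail("Don't know what to do with extra argument(s): #{ARGV.join(" ")}")
    end
  else
    bail("Must specify either --file or --string when using --create or --update")
  end
  MU::Groomer::Ansible.saveSecret(vault: vaultname, item: item, data: data)
  exit
end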
# --delete <vault> [<item>]: remove secrets from the named vault; the item
# name is optional and is passed through as nil when absent.
if $opts[:delete]
  bail("Must specify at least a vault name with --delete") if ARGV.empty?
  vaultname, itemname = ARGV.shift(2)
  MU::Groomer::Ansible.deleteSecret(vault: vaultname, item: itemname)
  exit
end