Add Bash/Shell environment variables for better ci integration
This commit is contained in:
parent
107fb09a1a
commit
6ca6efde8a
29
README.md
29
README.md
|
@ -4,8 +4,8 @@ This collection provides plugins that allows to read data from KeePass file (mod
|
|||
|
||||
## How it works
|
||||
|
||||
The lookup plugin opens a UNIX socket with decrypted KeePass file.
|
||||
For performance reasons, decryption occurs only once at socket startup,
|
||||
The lookup plugin opens a UNIX socket with decrypted KeePass file.
|
||||
For performance reasons, decryption occurs only once at socket startup,
|
||||
and the KeePass file remains decrypted as long as the socket is open.
|
||||
The UNIX socket file is stored in a temporary folder according to OS.
|
||||
|
||||
|
@ -22,15 +22,36 @@ Requirements: `python 3`, `pykeepass==4.0.3`
|
|||
- `keepass_dbx` - path to KeePass file
|
||||
- `keepass_psw` - *Optional*. Password (required if `keepass_key` is not set)
|
||||
- `keepass_key` - *Optional*. Path to keyfile (required if `keepass_psw` is not set)
|
||||
- `keepass_ttl` - *Optional*. Socket TTL (will be closed automatically when not used).
|
||||
- `keepass_ttl` - *Optional*. Socket TTL (will be closed automatically when not used).
|
||||
Default 60 seconds.
|
||||
|
||||
## Environment Variables
|
||||
|
||||
If you want to use ansible-keepass with continuous integration, it could be helpfull not to use ansible variables but Shell enviroment variables.
|
||||
|
||||
- `ANSIBLE_KEEPASS_PSW` Password
|
||||
- `ANSIBLE_KEEPASS_KEY` Path to keyfile
|
||||
- `ANSIBLE_KEEPASS_TTL` Socket TTL
|
||||
- `ANSIBLE_KEEPASS_SOCKET` Path to Keepass Socket
|
||||
|
||||
The environment variables will only used, if no ansible variable is set.
|
||||
|
||||
You can than start the socket in an other background process like this
|
||||
```
|
||||
export ANSIBLE_KEEPASS_PSW=mySecret
|
||||
export ANSIBLE_KEEPASS_SOCKET=/home/build/.my-ansible-sock.${CI_JOB_ID}
|
||||
export ANSIBLE_TTL=600 # 10 Minutes
|
||||
/home/build/ansible-pyenv/bin/python3 /home/build/.ansible/roles/ansible_collections/viczem/keepass/plugins/lookup/keepass.py /path-to/my-keepass.kdbx &
|
||||
ansible-playbook -v playbook1.yml
|
||||
ansible-playbook -v playbook2.yml
|
||||
|
||||
```
|
||||
|
||||
## Usage
|
||||
|
||||
`ansible-doc -t lookup keepass` to get description of the plugin
|
||||
|
||||
> **WARNING**: For security reasons, do not store KeePass passwords in plain text.
|
||||
> **WARNING**: For security reasons, do not store KeePass passwords in plain text.
|
||||
Use `ansible-vault encrypt_string` to encrypt it and use it like below
|
||||
|
||||
# file: group_vars/all
|
||||
|
|
|
@ -72,6 +72,9 @@ class LookupModule(LookupBase):
|
|||
|
||||
# Check key file (optional)
|
||||
var_key = self._var(variables_.get("keepass_key", ""))
|
||||
if not var_key and "ANSIBLE_KEEPASS_KEY_FILE" in os.environ:
|
||||
var_key = os.environ.get('ANSIBLE_KEEPASS_KEY_FILE')
|
||||
|
||||
if var_key:
|
||||
var_key = os.path.realpath(os.path.expanduser(os.path.expandvars(var_key)))
|
||||
if not os.path.isfile(var_key):
|
||||
|
@ -80,11 +83,17 @@ class LookupModule(LookupBase):
|
|||
# Check password (optional)
|
||||
var_psw = self._var(variables_.get("keepass_psw", ""))
|
||||
|
||||
if not var_psw and "ANSIBLE_KEEPASS_PSW" in os.environ:
|
||||
var_psw = os.environ.get('ANSIBLE_KEEPASS_PSW')
|
||||
|
||||
if not var_key and not var_psw:
|
||||
raise AnsibleError("KeePass: 'keepass_psw' and/or 'keepass_key' is not set")
|
||||
|
||||
# TTL of keepass socket (optional, default: 60 seconds)
|
||||
var_ttl = self._var(str(variables_.get("keepass_ttl", "60")))
|
||||
default_ttl="60"
|
||||
if "ANSIBLE_KEEPASS_TTL" in os.environ:
|
||||
default_ttl=os.environ.get("ANSIBLE_KEEPASS_TTL")
|
||||
var_ttl = self._var(str(variables_.get("keepass_ttl", default_ttl)))
|
||||
|
||||
socket_path = _keepass_socket_path(var_dbx)
|
||||
lock_file_ = socket_path + ".lock"
|
||||
|
@ -401,6 +410,9 @@ def _resp(cmd, status_code, payload=""):
|
|||
|
||||
def _keepass_socket_path(dbx_path):
|
||||
# UNIX socket path for a dbx (supported multiple dbx)
|
||||
if "ANSIBLE_KEEPASS_SOCKET" in os.environ:
|
||||
return os.environ.get('ANSIBLE_KEEPASS_SOCKET')
|
||||
# else:
|
||||
tempdir = tempfile.gettempdir()
|
||||
if not os.access(tempdir, os.W_OK):
|
||||
raise AnsibleError("KeePass: no write permissions to '%s'" % tempdir)
|
||||
|
@ -448,7 +460,13 @@ if __name__ == "__main__":
|
|||
password = getpass.getpass("Password: ")
|
||||
if isinstance(password, bytes):
|
||||
password = password.decode(sys.stdin.encoding)
|
||||
elif "ANSIBLE_KEEPASS_PSW" in os.environ:
|
||||
password = os.environ.get('ANSIBLE_KEEPASS_PSW')
|
||||
|
||||
arg_ttl = args.ttl
|
||||
if arg_ttl is None and "ANSIBLE_KEEPASS_TTL" in os.environ:
|
||||
arg_ttl = os.environ.get('ANSIBLE_KEEPASS_TTL')
|
||||
|
||||
os.umask(0o177)
|
||||
if lock(arg_kdbx_sock):
|
||||
_keepass_socket(arg_kdbx, arg_key, arg_kdbx_sock, args.ttl, password)
|
||||
_keepass_socket(arg_kdbx, arg_key, arg_kdbx_sock, arg_ttl, password)
|
||||
|
|
Loading…
Reference in New Issue