Commit
- Replace socket data format from json to plain text
- Fix fetching entities containing slashes in path
- Move code into one file (socket opening by the plugin)
Showing 10 changed files with 390 additions and 371 deletions.
@@ -1,69 +1,51 @@ | ||
# Ansible KeePass Lookup Plugin | ||
|
||
Perhaps, from a security view point, this solution is the same as `ansible-vault`. | ||
Just if you are storing secrets data in KeePass, then why not use it, | ||
instead of duplicating to `ansible-vault`. | ||
The plugin allows to read data from KeePass file (modifying is not supported) | ||
|
||
## How it works | ||
|
||
The plugin opens a UNIX socket with decrypted KeePass file. | ||
For performance reasons, decryption occurs only once at socket startup, | ||
and the KeePass file remains decrypted as long as the socket is open. | ||
The UNIX socket file is stored in a temporary folder according to OS. | ||
|
||
|
||
## Installation | ||
|
||
Dependency: `pykeepass==3.2.1` | ||
Requirements: `python 3`, `pykeepass==4.0.1` | ||
|
||
pip install 'pykeepass==3.2.1' --user | ||
pip install 'pykeepass==4.0.1' --user | ||
mkdir -p ~/.ansible/plugins/lookup && cd "$_" | ||
curl https://raw.githubusercontent.com/viczem/ansible-keepass/master/keepass.py -o ./keepass.py | ||
|
||
[More about ansible plugins installation](https://docs.ansible.com/ansible/latest/dev_guide/developing_locally.html) | ||
curl https://raw.githubusercontent.com/viczem/ansible-keepass/main/keepass.py -o ./keepass.py | ||
|
||
|
||
## Variables | ||
|
||
- `keepass_dbx` - path to KeePass file | ||
- `keepass_psw` - password. [*optional*] if the socket is used | ||
- `keepass_key` - [*optional*] path to keyfile | ||
|
||
|
||
## Usage with UNIX socket | ||
|
||
> _This usage is more preferred for performance reason, | ||
because of KeePass file stay decrypted and not need to reopen after done each playbook task | ||
[(see the issue for more info)](https://github.com/viczem/ansible-keepass/issues/1)_ | ||
|
||
In this case, there is no need to enter a password for KeePass each time Ansible is called. | ||
Run socket by the command and after that enter a password to make to open KeePass file. | ||
- `keepass_psw` - password | ||
- `keepass_key` - *Optional*. Path to keyfile | ||
- `keepass_ttl` - *Optional*. Socket TTL (will be closed automatically when not used). | ||
Default 60 seconds. | ||
|
||
**Supported only Python 3** | ||
|
||
python3 kpsock.py ~/.keepass/database.kdbx | ||
## Usage | ||
|
||
`ansible-doc -t lookup keepass` to get description of the plugin | ||
|
||
The command will creates UNIX socket in a system temp directory. Only one socket | ||
> **WARNING**: The KeePass file and password are stay decrypted in memory while the socket is open. | ||
> **WARNING**: For security reasons, do not store KeePass passwords in plain text. | ||
Use `ansible-vault encrypt_string` to encrypt it and use it like below | ||
|
||
The socket timeout is 1 minute since past access (will be closed automatically when not used). | ||
To change timeout use `--ttl` argument. | ||
For logging requests in a file use `--log` (default `--log-level` is `INFO`). | ||
# file: group_vars/all | ||
|
||
For help `python kpsock.py --help` | ||
|
||
To send the running command in background press <kbd>CTRL</kbd>+<kbd>Z</kbd> and execute `bg` | ||
(`fg` to get the job into the foreground again). | ||
|
||
|
||
## Example | ||
|
||
Define variables you need e.g. in any file in group_vars | ||
keepass_dbx: "~/.keepass/database.kdbx" | ||
keepass_psw: !vault | | ||
$ANSIBLE_VAULT;1.1;AES256 | ||
...encrypted password... | ||
|
||
### Example | ||
|
||
ansible_user : "{{ lookup('keepass', 'path/to/entry', 'username') }}" | ||
ansible_become_pass : "{{ lookup('keepass', 'path/to/entry', 'password') }}" | ||
ansible_custom_field : "{{ lookup('keepass', 'path/to/entry', 'custom_field_property', true) }}" | ||
ansible_all_custom_fields: "{{ lookup('keepass', 'path/to/entry', '*', true) }}" | ||
|
||
|
||
You can get another [properties of an KeePass entry](https://github.com/pschmitt/pykeepass/blob/master/pykeepass/entry.py) | ||
(not only `username` or `password`) | ||
ansible_custom_field : "{{ lookup('keepass', 'path/to/entry', 'custom_properties', 'a_custom_property_name') }}" | ||
|
||
Specify a boolean value of true to use custom field properties | ||
|
||
`ansible-doc -t lookup keepass` - to get description of the plugin | ||
More examples see in [/examples](/examples). |
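Review bot: The new "How it works" paragraph states that the UNIX socket file lives "in a temporary folder according to OS" and that the KeePass database stays decrypted while the socket is open, but nothing in the README says what file mode the socket is created with or who can connect to it; since any local process able to connect to that socket can read secrets, document the expected permissions (and that the socket path is per user) next to the `keepass_ttl` variable. In the same spirit, the Usage section no longer explains how a plugin-opened socket is shut down, while the new example playbook relies on `lookup('keepass', 'close')`; that call should be documented here. Minor wording: the first warning line reads `The KeePass file and password are stay decrypted in memory`, which should be "stay decrypted" or "are kept decrypted".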
This file was deleted.
This file was deleted.
Binary file not shown.
@@ -0,0 +1,5 @@ | ||
# Example | ||
|
||
`ansible-playbook example-playbook.yml --ask-vault-pass -vvv` | ||
|
||
Password: `spamham` |
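Review bot: `Password: \`spamham\`` is ambiguous after a command that passes `--ask-vault-pass`: the reader cannot tell whether `spamham` is the Ansible Vault password requested by that prompt or the master password of the example KeePass database (the plugin's `keepass_psw`), so state which one it is, or both if they are the same. Because the password is committed in clear text, the README should also say explicitly that the bundled database contains throw-away demo data only, and that running with `-vvv` plus the playbook's `debug` tasks will print the fetched credentials to the console and any log capturing it.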
@@ -0,0 +1,32 @@ | ||
--- | ||
- name: Example | ||
hosts: 127.0.0.1 | ||
connection: local | ||
vars: | ||
spam_login: "{{ lookup('keepass', 'spam', 'username') }}" | ||
spam_password: "{{ lookup('keepass', 'spam', 'password') }}" | ||
ham_login: "{{ lookup('keepass', 'example/ham', 'username') }}" | ||
ham_password: "{{ lookup('keepass', 'example/ham', 'password') }}" | ||
slash_login: "{{ lookup('keepass', 'slash\\/group/slash\\/title', 'username') }}" | ||
slash_url: "{{ lookup('keepass', 'slash\\/group/slash\\/title', 'url') }}" | ||
pork_custom_property: "{{ lookup('keepass', 'example/pork', 'custom_properties', 'pork_custom_property')}}" | ||
|
||
|
||
tasks: | ||
- debug: | ||
msg: "fetch entry: '/spam'; username: '{{ spam_login }}'; password: '{{ spam_password }}'" | ||
|
||
- debug: | ||
msg: "fetch entry: '/examples/ham'; username: '{{ ham_login }}'; password: '{{ ham_password }}'" | ||
|
||
- name: pause to emulate long time operation (greater than keepass_ttl) | ||
pause: | ||
seconds: 5 | ||
|
||
- debug: | ||
msg: "fetch entry: '/examples/pork'; custom_properties: 'pork_custom_property' - '{{ pork_custom_property }}'" | ||
|
||
- debug: | ||
msg: "fetch entry: '/slash\\/group/slash\\/title'; username: '{{ slash_login }}'; url: '{{ slash_url }}'" | ||
|
||
- debug: "{{ lookup('keepass', 'close') }}" |
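Review bot: The task `- name: pause to emulate long time operation (greater than keepass_ttl)` pauses for `seconds: 5`, but `keepass_ttl` is not set in this playbook's `vars`, and the README gives it a default of 60 seconds, so the pause does not exceed the TTL and the re-open path it is meant to exercise is never taken; either set `keepass_ttl` to a value below 5 in `vars` or raise the pause. Two smaller points in the same hunk: the `debug` messages refer to `'/examples/ham'` and `'/examples/pork'` while the lookups use `'example/ham'` and `'example/pork'`, so the printed path does not match the entry actually fetched; and the final `- debug: "{{ lookup('keepass', 'close') }}"` uses a bare string argument, which is only a defined form for free-form modules such as `command`, so `msg:` (or a `set_fact`) would be clearer and less likely to break across Ansible versions. The `debug` tasks also print `spam_password` and `ham_password` verbatim; for a demo database that is acceptable, but consider printing only the usernames or adding `no_log: true` so the example does not teach a habit that leaks secrets into job logs.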
Binary file not shown.