encrypt: roles to encrypt and decrypt files
Use the 'gpg' linux command to encrypt/decrypt a file. The encryption method is "--symmetric", with a user supplied passphrase. See also man 'gpg' for a description of the command options. Ansible variable options are described in roles/encrypt/vars/main.yml and roles/decrypt/vars/main.yml Story: 2011073 Task: 49929 Test Plan: pass ansible-lint pass Unit test Change-Id: Ibc4fc574733b321e3f8e309417cfd5ec7fc91071 Signed-off-by: Michel Thebeau <michel.thebeau@windriver.com>
parent
3be2050e2e
commit
7485f501ff
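--- /dev/null
+++ b/roles/decrypt/TASKS_FILE_PATH_NOT_ON_PAGE
@@ -0,0 +1,85 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# ROLE DESCRIPTION:
+# Decrypt the file specified by decrypt_file variable.
+# Refer to vars/main.yml for options
+#
+
+- name: Assert that decrypt_command exists
+command: "{{ decrypt_command }} --version"
+changed_when: false
+
+- name: Assert that decrypt_file is provided
+assert:
+that:
+- decrypt_file is string
+- decrypt_file | length > 0
+
+- name: Get the file stat of decrypt_file
+stat:
+path: "{{ decrypt_file }}"
+register: decrypt_internal_file
+
+- name: Fail if the input file does not exist
+fail:
+msg: "The path {{ decrypt_file }} does not exist"
+when: not decrypt_internal_file.stat.exists
+
+- name: Fail if the input file is not a regular file
+fail:
+msg: "The path {{ decrypt_file }} is not a regular file"
+when: not decrypt_internal_file.stat.isreg
+
+- name: Assert that decrypt_passphrase is provided
+assert:
+that:
+- decrypt_passphrase is string
+- decrypt_passphrase | length > 0
+
+- name: Assert that decrypt_output_file is provided
+assert:
+that:
+- decrypt_output_file is string
+- decrypt_output_file | length > 0
+
+- name: Get the file stat of decrypt_output_file
+stat:
+path: "{{ decrypt_output_file }}"
+register: decrypt_internal_output_file
+
+- name: Fail if the output file exists
+fail:
+msg: "The output path {{ decrypt_output_file }} exists"
+when: decrypt_internal_output_file.stat.exists
+
+- name: Run the decryption command
+command:
+argv:
+- "{{ decrypt_command }}"
+- "--no-symkey-cache"
+- "-q"
+- "-o"
+- "{{ decrypt_output_file }}"
+- "--passphrase-fd"
+- "0"
+- "--batch"
+- "--pinentry-mode"
+- "loopback"
+- "--decrypt"
+- "{{ decrypt_file }}"
+stdin: "{{ decrypt_passphrase }}"
+changed_when: true
+
+- name: Get the stat of decrypt_output_file
+stat:
+path: "{{ decrypt_output_file }}"
+register: decrypt_internal_new_file
+
+- name: Fail if the output file does not exist
+fail:
+msg: "{{ decrypt_command }} did not create {{ decrypt_output_file }}"
+when: not decrypt_internal_new_file.stat.exists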
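Review bot: The `Run the decryption command` task feeds `decrypt_passphrase` to gpg through `stdin` but carries no `no_log: true`, so as far as I can tell the passphrase is reproduced in the module's `invocation.module_args` that verbose runs and failure output print, and in any callback plugin that records task results; add `no_log: true` beside `changed_when: true` (the same applies to `Run the encryption command` in the encrypt tasks file). Passing the secret via `--passphrase-fd 0` rather than as an argv element is the right choice, because argv is readable by every local user through the process table, and `--no-symkey-cache` keeps it out of the agent cache. The `assert` tasks on `decrypt_passphrase` are fine as written, since an assert failure reports the expression rather than the value. The rendered page has lost the file's indentation, so the nesting of these tasks cannot be checked from here.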
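--- /dev/null
+++ b/roles/decrypt/vars/main.yml
@@ -0,0 +1,26 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# refer also to the 'gpg' linux command
+
+decrypt_passphrase: ""
+# The passphrase with which to decrypt the file. Implemented with
+# "--passphrase-fd 0", input from stdin
+# string: the passphrase; Required
+
+decrypt_file: ""
+# The file to decrypt. Decryption is accomplished with gpg command.
+# Supports symmetric encrypted files only (passphrase)
+# string: the file to decrypt; Required
+
+decrypt_output_file: ""
+# Then name/path of the output file. The output file must
+# not be pre-existing; the playbook does not support overwriting
+# the output file.
+# string: the name/path of the decrypted file; Required
+
+decrypt_command: "gpg"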
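Review bot: These user-supplied options live in the role's `vars/main.yml`, and Ansible role vars take precedence over inventory, host/group and play vars, so a caller cannot set `decrypt_passphrase` or `decrypt_file` from inventory or a play-level `vars:` block and must use role parameters, `set_fact` or extra-vars; placing the same keys in `defaults/main.yml` instead would give the documented "Required"/optional semantics without surprising callers (the same applies to the encrypt vars file). The commit message and the `# Refer to vars/main.yml for options` comments would need the matching rename. A comment on `decrypt_passphrase` stating where the value is expected to come from would also help operators, e.g. `# Supply from Ansible Vault or --extra-vars; never commit a value here`. The `# Then name/path of the output file.` comment reads as a typo for `# The name/path of the output file.`.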
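--- /dev/null
+++ b/roles/encrypt/TASKS_FILE_PATH_NOT_ON_PAGE
@@ -0,0 +1,95 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# ROLE DESCRIPTION:
+# Encrypt the file specified by encrypt_file variable.
+# Refer to vars/main.yml for options
+#
+
+- name: Assert that the encrypt command exists
+command: "{{ encrypt_command }} --version"
+changed_when: false
+
+- name: Assert that encrypt_file is provided
+assert:
+that:
+- encrypt_file is string
+- encrypt_file | length > 0
+
+- name: Assert that encrypt_passphrase is provided
+assert:
+that:
+- encrypt_passphrase is string
+- encrypt_passphrase | length > 0
+
+- name: Get the file stat of encrypt_file
+stat:
+path: "{{ encrypt_file }}"
+register: encrypt_internal_file
+
+- name: Fail if the input file does not exist
+fail:
+msg: "The path {{ encrypt_file }} does not exist"
+when: not encrypt_internal_file.stat.exists
+
+- name: Fail if the input file is not a regular file
+fail:
+msg: "The path {{ encrypt_file }} is not a regular file"
+when: not encrypt_internal_file.stat.isreg
+
+- name: Fail if the encrypt_output_file is not a string
+fail:
+msg: "encrypt_output_file must be a string"
+when: encrypt_output_file is not string
+
+- name: Compose output file path if not provided
+set_fact:
+encrypt_output_file: "{{ encrypt_file }}.{{ encrypt_file_extension }}"
+when: encrypt_output_file | length == 0
+
+- name: Get the file stat of encrypt_output_file
+stat:
+path: "{{ encrypt_output_file }}"
+register: encrypt_internal_output_file
+
+- name: Fail if the output file exists
+fail:
+msg: "The output path {{ encrypt_output_file }} exists"
+when: encrypt_internal_output_file.stat.exists
+
+- name: Run the encryption command
+command:
+argv:
+- "{{ encrypt_command }}"
+- "--symmetric"
+- "--no-symkey-cache"
+- "-o"
+- "{{ encrypt_output_file }}"
+- "--passphrase-fd"
+- "0"
+- "--batch"
+- "--pinentry-mode"
+- "loopback"
+- "{{ encrypt_file }}"
+stdin: "{{ encrypt_passphrase }}"
+changed_when: true
+
+- name: Get the file stat of new file
+stat:
+path: "{{ encrypt_output_file }}"
+register: encrypt_internal_new_file
+
+- name: Fail if the output file does not exist
+fail:
+msg: "{{ encrypt_command }} did not create {{ encrypt_output_file }}"
+when: not encrypt_internal_new_file.stat.exists
+
+- name: Import the shred role
+import_role:
+name: shred
+vars:
+shred_path: "{{ encrypt_file }}"
+when: encrypt_shred|bool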
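Review bot: `Compose output file path if not provided` writes `encrypt_output_file` with `set_fact`, and a fact persists on the host for the rest of the play and outranks role vars, so a second import of this role in the same play that omits `encrypt_output_file` will keep the first run's path instead of deriving one from the new `encrypt_file` and stop at `Fail if the output file exists`. Computing the derived path into an internal name (the file already uses the `encrypt_internal_*` prefix for registered results) and referencing that name in the stat, gpg and fail tasks avoids the carry-over. The `when: encrypt_shred|bool` shred import runs only after `Fail if the output file does not exist` has confirmed the ciphertext is on disk, which is the right order for a destructive step; a comment such as `# Source is shredded only after the encrypted output has been confirmed on disk` on that task would make the ordering intent explicit for future edits.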
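--- /dev/null
+++ b/roles/encrypt/vars/main.yml
@@ -0,0 +1,35 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# refer also to the 'gpg' linux command
+
+encrypt_shred: true
+# Whether to shred and delete the source encrypt_file after
+# encryption.
+# boolean: implemented with roles/shred; default True
+
+encrypt_passphrase: ""
+# The passphrase with which to encrypt the file.
+# string: the passphrase; Required
+
+encrypt_file: ""
+# The file to encrypt. Only regular files are supported.
+# Encryption is accomplished with gpg command with option
+# '--passphrase-fd 0".
+# string: the file to encrypt; Required
+
+encrypt_output_file: ""
+# Then name/path of the output file. When omitted, the output file
+# will be encrypt_file with ".gpg" appended. The output file must
+# not be pre-existing; the playbook does not support overwriting
+# the output file.
+# string: the name/path of the encrypted file; Default is to append
+# '.gpg' to encrypt_file
+
+encrypt_command: "gpg"
+
+encrypt_file_extension: "gpg"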
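Review bot: The comment on `encrypt_file` has mismatched quotes, `# '--passphrase-fd 0".`, and the comment on `encrypt_output_file` opens with `# Then name/path of the output file.` where `# The name/path of the output file.` is meant. The `encrypt_shred` comment says `default True` while the value is spelled `true`; keeping the comment lowercase matches the YAML value and avoids hinting at the `True`/`yes` spellings that differ between YAML 1.1 and 1.2 parsers. Because `encrypt_shred` defaults to `true`, the plaintext source is destroyed by default once encryption succeeds; stating that consequence on the key, e.g. `# NOTE: the plaintext source file is shredded after encryption unless set to false`, makes the default harder to overlook.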