encrypt: roles to encrypt and decrypt files

Use the 'gpg' linux command to encrypt/decrypt a file. The encryption method is "--symmetric", with a user supplied passphrase. See also man 'gpg' for description of the command options. Ansible variable options are described in roles/encrypt/vars/main.yml and roles/decrypt/vars/main.yml Story: 2011073 Task: 49929 Test Plan: pass ansible-lint pass Unit test Change-Id: Ibc4fc574733b321e3f8e309417cfd5ec7fc91071 Signed-off-by: Michel Thebeau <michel.thebeau@windriver.com>
2024-04-23 14:08:10 -04:00 · 2024-04-23 14:08:10 -04:00 · 7485f501ff
parent 3be2050e2e
commit 7485f501ff
4 changed files with 241 additions and 0 deletions
--- a/playbookconfig/src/playbooks/roles/decrypt/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/decrypt/tasks/main.yml
@ -0,0 +1,85 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# ROLE DESCRIPTION:
+#   Decrypt the file specified by decrypt_file variable.
+#   Refer to vars/main.yml for options
+#
+
+- name: Assert that decrypt_command exists
+  command: "{{ decrypt_command }} --version"
+  changed_when: false
+
+- name: Assert that decrypt_file is provided
+  assert:
+    that:
+    - decrypt_file is string
+    - decrypt_file | length > 0
+
+- name: Get the file stat of decrypt_file
+  stat:
+    path: "{{ decrypt_file }}"
+  register: decrypt_internal_file
+
+- name: Fail if the input file does not exist
+  fail:
+    msg: "The path {{ decrypt_file }} does not exist"
+  when: not decrypt_internal_file.stat.exists
+
+- name: Fail if the input file is not a regular file
+  fail:
+    msg: "The path {{ decrypt_file }} is not a regular file"
+  when: not decrypt_internal_file.stat.isreg
+
+- name: Assert that decrypt_passphrase is provided
+  assert:
+    that:
+    - decrypt_passphrase is string
+    - decrypt_passphrase | length > 0
+
+- name: Assert that decrypt_output_file is provided
+  assert:
+    that:
+    - decrypt_output_file is string
+    - decrypt_output_file | length > 0
+
+- name: Get the file stat of decrypt_output_file
+  stat:
+    path: "{{ decrypt_output_file }}"
+  register: decrypt_internal_output_file
+
+- name: Fail if the output file exists
+  fail:
+    msg: "The output path {{ decrypt_output_file }} exists"
+  when: decrypt_internal_output_file.stat.exists
+
+- name: Run the decryption command
+  command:
+    argv:
+    - "{{ decrypt_command }}"
+    - "--no-symkey-cache"
+    - "-q"
+    - "-o"
+    - "{{ decrypt_output_file }}"
+    - "--passphrase-fd"
+    - "0"
+    - "--batch"
+    - "--pinentry-mode"
+    - "loopback"
+    - "--decrypt"
+    - "{{ decrypt_file }}"
+    stdin: "{{ decrypt_passphrase }}"
+  changed_when: true
+
+- name: Get the stat of decrypt_output_file
+  stat:
+    path: "{{ decrypt_output_file }}"
+  register: decrypt_internal_new_file
+
+- name: Fail if the output file does not exist
+  fail:
+    msg: "{{ decrypt_command }} did not create {{ decrypt_output_file }}"
+  when: not decrypt_internal_new_file.stat.exists
--- a/playbookconfig/src/playbooks/roles/decrypt/vars/main.yml
+++ b/playbookconfig/src/playbooks/roles/decrypt/vars/main.yml
@ -0,0 +1,26 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# refer also to the 'gpg' linux command
+
+decrypt_passphrase: ""
+    # The passphrase with which to decrypt the file. Implemented with
+    # "--passphrase-fd 0", input from stdin
+    # string: the passphrase; Required
+
+decrypt_file: ""
+    # The file to decrypt. Decryption is accomplished with gpg command.
+    # Supports symmetric encrypted files only (passphrase)
+    # string: the file to decrypt; Required
+
+decrypt_output_file: ""
+    # Then name/path of the output file. The output file must
+    # not be pre-existing; the playbook does not support overwriting
+    # the output file.
+    # string: the name/path of the decrypted file; Required
+
+decrypt_command: "gpg"
--- a/playbookconfig/src/playbooks/roles/encrypt/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/encrypt/tasks/main.yml
@ -0,0 +1,95 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# ROLE DESCRIPTION:
+#   Encrypt the file specified by encrypt_file variable.
+#   Refer to vars/main.yml for options
+#
+
+- name: Assert that the encrypt command exists
+  command: "{{ encrypt_command }} --version"
+  changed_when: false
+
+- name: Assert that encrypt_file is provided
+  assert:
+    that:
+    - encrypt_file is string
+    - encrypt_file | length > 0
+
+- name: Assert that encrypt_passphrase is provided
+  assert:
+    that:
+    - encrypt_passphrase is string
+    - encrypt_passphrase | length > 0
+
+- name: Get the file stat of encrypt_file
+  stat:
+    path: "{{ encrypt_file }}"
+  register: encrypt_internal_file
+
+- name: Fail if the input file does not exist
+  fail:
+    msg: "The path {{ encrypt_file }} does not exist"
+  when: not encrypt_internal_file.stat.exists
+
+- name: Fail if the input file is not a regular file
+  fail:
+    msg: "The path {{ encrypt_file }} is not a regular file"
+  when: not encrypt_internal_file.stat.isreg
+
+- name: Fail if the encrypt_output_file is not a string
+  fail:
+    msg: "encrypt_output_file must be a string"
+  when: encrypt_output_file is not string
+
+- name: Compose output file path if not provided
+  set_fact:
+    encrypt_output_file: "{{ encrypt_file }}.{{ encrypt_file_extension }}"
+  when: encrypt_output_file | length == 0
+
+- name: Get the file stat of encrypt_output_file
+  stat:
+    path: "{{ encrypt_output_file }}"
+  register: encrypt_internal_output_file
+
+- name: Fail if the output file exists
+  fail:
+    msg: "The output path {{ encrypt_output_file }} exists"
+  when: encrypt_internal_output_file.stat.exists
+
+- name: Run the encryption command
+  command:
+    argv:
+    - "{{ encrypt_command }}"
+    - "--symmetric"
+    - "--no-symkey-cache"
+    - "-o"
+    - "{{ encrypt_output_file }}"
+    - "--passphrase-fd"
+    - "0"
+    - "--batch"
+    - "--pinentry-mode"
+    - "loopback"
+    - "{{ encrypt_file }}"
+    stdin: "{{ encrypt_passphrase }}"
+  changed_when: true
+
+- name: Get the file stat of new file
+  stat:
+    path: "{{ encrypt_output_file }}"
+  register: encrypt_internal_new_file
+
+- name: Fail if the output file does not exist
+  fail:
+    msg: "{{ encrypt_command }} did not create {{ encrypt_output_file }}"
+  when: not encrypt_internal_new_file.stat.exists
+
+- name: Import the shred role
+  import_role:
+    name: shred
+  vars:
+    shred_path: "{{ encrypt_file }}"
+  when: encrypt_shred|bool
--- a/playbookconfig/src/playbooks/roles/encrypt/vars/main.yml
+++ b/playbookconfig/src/playbooks/roles/encrypt/vars/main.yml
@ -0,0 +1,35 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# refer also to the 'gpg' linux command
+
+encrypt_shred: true
+    # Whether to shred and delete the source encrypt_file after
+    # encryption.
+    # boolean: implemented with roles/shred; default True
+
+encrypt_passphrase: ""
+    # The passphrase with which to encrypt the file.
+    # string: the passphrase; Required
+
+encrypt_file: ""
+    # The file to encrypt.  Only regular files are supported.
+    # Encryption is accomplished with gpg command with option
+    # '--passphrase-fd 0".
+    # string: the file to encrypt; Required
+
+encrypt_output_file: ""
+    # Then name/path of the output file. When omitted, the output file
+    # will be encrypt_file with ".gpg" appended. The output file must
+    # not be pre-existing; the playbook does not support overwriting
+    # the output file.
+    # string: the name/path of the encrypted file; Default is to append
+    #         '.gpg' to encrypt_file
+
+encrypt_command: "gpg"
+
+encrypt_file_extension: "gpg"