Merge pull request #19002 from NickLaMuro/ansible_runner_vault_creden…

…tial [ansible_runner] Add VaultCredential
ManageIQ · Jul 18, 2019 · 1a1b4a6 · 1a1b4a6
2 parents 21515a7 + 62dd90c
commit 1a1b4a6
Show file tree

Hide file tree

Showing 2 changed files with 105 additions and 0 deletions.
diff --git a/lib/ansible/runner/credential/vault_credential.rb b/lib/ansible/runner/credential/vault_credential.rb
@@ -0,0 +1,32 @@
+module Ansible
+  class Runner
+    class VaultCredential < Credential
+      def self.auth_type
+        "ManageIQ::Providers::EmbeddedAnsible::AutomationManager::VaultCredential"
+      end
+
+      def env_vars
+        if auth.vault_password.present?
+          { "ANSIBLE_VAULT_PASSWORD_FILE" => vault_password_file }
+        else
+          {}
+        end
+      end
+
+      def write_config_files
+        write_vault_password_file if auth.vault_password.present?
+      end
+
+      private
+
+      def write_vault_password_file
+        File.write(vault_password_file, auth.vault_password)
+        File.chmod(0o0400, vault_password_file)
+      end
+
+      def vault_password_file
+        File.join(base_dir, "vault_password")
+      end
+    end
+  end
+end
diff --git a/spec/lib/ansible/runner/credential/vault_credential_spec.rb b/spec/lib/ansible/runner/credential/vault_credential_spec.rb
@@ -0,0 +1,73 @@
+require 'ansible/runner'
+require 'ansible/runner/credential'
+
+RSpec.describe Ansible::Runner::VaultCredential do
+  it ".auth_type is the correct Authentication sub-class" do
+    expect(described_class.auth_type).to eq("ManageIQ::Providers::EmbeddedAnsible::AutomationManager::VaultCredential")
+  end
+
+  context "with a credential object" do
+    around do |example|
+      Dir.mktmpdir("ansible-runner-credential-test") do |dir|
+        @base_dir = dir
+        example.run
+      end
+    end
+
+    let(:auth)            { FactoryBot.create(:embedded_ansible_vault_credential, auth_attributes) }
+    let(:cred)            { described_class.new(auth.id, @base_dir) }
+    let(:auth_attributes) { { :password => "vault_secret" } }
+    let(:vault_filename)  { File.join(@base_dir, "vault_password") }
+
+    describe "#command_line" do
+      it "returns an empty hash" do
+        expect(cred.command_line).to eq({})
+      end
+    end
+
+    describe "#env_vars" do
+      context "with a password" do
+        it "passes --vault-password-file" do
+          expected = { "ANSIBLE_VAULT_PASSWORD_FILE" => vault_filename }
+          expect(cred.env_vars).to eq(expected)
+        end
+      end
+
+      context "without a password" do
+        it "passes --vault-password-file" do
+          auth.update!(:password => nil)
+          expect(cred.env_vars).to eq({})
+        end
+      end
+    end
+
+    describe "#extra_vars" do
+      it "returns an empty hash" do
+        expect(cred.extra_vars).to eq({})
+      end
+    end
+
+    describe "#write_config_files" do
+      context "with a password" do
+        before { cred.write_config_files }
+
+        it "writes the vault password file with the password" do
+          expect(File.read(vault_filename)).to eq("vault_secret")
+        end
+
+        it "sets the permission to 400" do
+          expect(File.stat(vault_filename).mode).to eq(0o100400)
+        end
+      end
+
+      context "without a password" do
+        it "does nothing" do
+          auth.update!(:password => nil)
+          cred.write_config_files
+
+          expect(File.exist?(vault_filename)).to be_falsey
+        end
+      end
+    end
+  end
+end