From 0bf007173bffb806f0877f785d4570c4c92e0a90 Mon Sep 17 00:00:00 2001
From: Bryan Van Deusen
Date: Tue, 2 Jun 2026 18:41:58 -0400
Subject: [PATCH] =?UTF-8?q?feat(ansible):=20credentials=20=E2=80=94=20SSH?=
=?UTF-8?q?=20key,=20become,=20vault,=20host-key=20checking=20(task=20548)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Global Ansible credentials, applied to every run (manual + alert-triggered):
- core/settings.py: ansible.ssh_private_key / become_password / vault_password
(plaintext at rest, masked in UI — encryption tracked in #580) + host_key_checking
(default off); surfaced via to_ansible_cfg into app.config[ANSIBLE]
- executor.py: pure build_credentials() materializes creds into a 0600 temp dir
(--private-key, --vault-password-file, become via -e @vars-file so the password
never hits argv) cleaned up in finally; pure ansible_env() sets
ANSIBLE_HOST_KEY_CHECKING. build_ansible_command stays param-only
- settings/routes.py + ansible.html: admin-only Credentials section, masked-update
(blank keeps current, explicit Clear checkbox), reload app config on save
- tests: unit (build_credentials per cred + none; ansible_env toggle); integration
vault round-trip (ansible-vault encrypt a vars file, run via executor with the
vault password, assert it decrypted)
Co-Authored-By: Claude Opus 4.8 (1M context)
---
steward/ansible/executor.py | 59 ++++++++++++-
steward/core/settings.py | 14 +++-
steward/settings/routes.py | 38 ++++++++-
steward/templates/settings/ansible.html | 48 +++++++++++
tests/integration/test_ansible_credentials.py | 82 +++++++++++++++++++
tests/test_ansible_credentials.py | 57 +++++++++++++
6 files changed, 295 insertions(+), 3 deletions(-)
create mode 100644 tests/integration/test_ansible_credentials.py
create mode 100644 tests/test_ansible_credentials.py
diff --git a/steward/ansible/executor.py b/steward/ansible/executor.py
index 92ee4ab..e27eeb5 100644
--- a/steward/ansible/executor.py
+++ b/steward/ansible/executor.py
@@ -1,7 +1,11 @@
# steward/ansible/executor.py
from __future__ import annotations
import asyncio
+import json
import logging
+import os
+import shutil
+import tempfile
import time
from dataclasses import dataclass
from datetime import datetime, timezone
@@ -83,6 +87,46 @@ def build_ansible_command(
return cmd
+def build_credentials(creds: dict | None, tmpdir: str) -> tuple[list[str], list[tuple[str, str]]]:
+ """Given global Ansible creds + a temp dir, return (extra argv, files to write).
+
+ Pure: decides flags + file contents; the caller writes the files (mode 0600).
+ Secrets are always passed via files — never on argv / the process list.
+ creds keys: ssh_private_key, vault_password, become_password.
+ """
+ args: list[str] = []
+ files: list[tuple[str, str]] = []
+ creds = creds or {}
+
+ key = creds.get("ssh_private_key")
+ if key:
+ path = os.path.join(tmpdir, "id_key")
+ files.append((path, key if key.endswith("\n") else key + "\n"))
+ args += ["--private-key", path]
+
+ vault = creds.get("vault_password")
+ if vault:
+ path = os.path.join(tmpdir, "vault_pass")
+ files.append((path, vault + "\n"))
+ args += ["--vault-password-file", path]
+
+ become = creds.get("become_password")
+ if become:
+ path = os.path.join(tmpdir, "become.yml")
+ # A JSON string is valid YAML; keeps the password out of argv.
+ files.append((path, "ansible_become_password: " + json.dumps(become) + "\n"))
+ args += ["-e", "@" + path]
+
+ return args, files
+
+
+def ansible_env(creds: dict | None, base_env) -> dict:
+ """Return a copy of base_env with ANSIBLE_HOST_KEY_CHECKING set from creds."""
+ env = dict(base_env)
+ env["ANSIBLE_HOST_KEY_CHECKING"] = "True" if (creds or {}).get("host_key_checking") else "False"
+ return env
+
+
async def start_run(
app: "Quart",
run_id: str,
@@ -119,13 +163,24 @@ async def start_run(
cmd = build_ansible_command(playbook_path, inventory_path, params)
cwd = source_path if Path(source_path).exists() else None
+ creds = app.config.get("ANSIBLE", {})
+ # Materialize credentials into a private temp dir; removed in finally.
+ tmpdir = tempfile.mkdtemp(prefix="steward-ansible-")
+ os.chmod(tmpdir, 0o700)
try:
+ cred_args, cred_files = build_credentials(creds, tmpdir)
+ for cred_path, content in cred_files:
+ with open(cred_path, "w", encoding="utf-8") as cf:
+ cf.write(content)
+ os.chmod(cred_path, 0o600)
+
proc = await asyncio.create_subprocess_exec(
- *cmd,
+ *cmd, *cred_args,
stdout=asyncio.subprocess.PIPE,
stderr=asyncio.subprocess.STDOUT,
cwd=cwd,
+ env=ansible_env(creds, os.environ),
)
assert proc.stdout is not None
@@ -152,6 +207,8 @@ async def start_run(
except Exception:
logger.exception("Ansible run %s failed with exception", run_id)
final_status = "failed"
+ finally:
+ shutil.rmtree(tmpdir, ignore_errors=True)
await _flush(final_status)
_broadcast(run_id, _Done(status=final_status))
diff --git a/steward/core/settings.py b/steward/core/settings.py
index 5acc0d1..a1e055a 100644
--- a/steward/core/settings.py
+++ b/steward/core/settings.py
@@ -51,6 +51,12 @@ DEFAULTS: dict[str, Any] = {
"webhook.url": "",
"webhook.template": _DEFAULT_WEBHOOK_TEMPLATE,
"ansible.sources": [],
+ # Ansible credentials — global, used by every run (manual + alert-triggered).
+ # Plaintext at rest, masked in the UI (encryption-at-rest tracked separately).
+ "ansible.ssh_private_key": "",
+ "ansible.become_password": "",
+ "ansible.vault_password": "",
+ "ansible.host_key_checking": False,
"ping.threshold.good_ms": 50,
"ping.threshold.warn_ms": 200,
"plugins.index_url": "https://git.fabledsword.com/bvandeusen/Steward-plugins/raw/branch/main/index.yaml",
@@ -152,7 +158,13 @@ def to_webhook_cfg(settings: dict[str, Any]) -> dict:
def to_ansible_cfg(settings: dict[str, Any]) -> dict:
- return {"sources": settings.get("ansible.sources", [])}
+ return {
+ "sources": settings.get("ansible.sources", []),
+ "ssh_private_key": settings.get("ansible.ssh_private_key", ""),
+ "become_password": settings.get("ansible.become_password", ""),
+ "vault_password": settings.get("ansible.vault_password", ""),
+ "host_key_checking": settings.get("ansible.host_key_checking", False),
+ }
def to_oidc_cfg(settings: dict[str, Any]) -> dict:
diff --git a/steward/settings/routes.py b/steward/settings/routes.py
index f2740a4..4414031 100644
--- a/steward/settings/routes.py
+++ b/steward/settings/routes.py
@@ -170,7 +170,43 @@ async def _ansible_sources_partial(sources: list[dict]):
@require_role(UserRole.admin)
async def ansible():
sources = await _get_ansible_sources()
- return await render_template("settings/ansible.html", sources=sources)
+ async with current_app.db_sessionmaker() as db:
+ settings = await get_all_settings(db)
+ return await render_template(
+ "settings/ansible.html",
+ sources=sources,
+ ssh_key_set=bool(settings.get("ansible.ssh_private_key")),
+ become_set=bool(settings.get("ansible.become_password")),
+ vault_set=bool(settings.get("ansible.vault_password")),
+ host_key_checking=settings.get("ansible.host_key_checking", False),
+ )
+
+
+@settings_bp.post("/ansible/credentials")
+@require_role(UserRole.admin)
+async def ansible_save_credentials():
+ """Save global Ansible credentials (masked-update: blank keeps the current value)."""
+ form = await request.form
+ async with current_app.db_sessionmaker() as db:
+ async with db.begin():
+ for field, key in (
+ ("ssh_private_key", "ansible.ssh_private_key"),
+ ("become_password", "ansible.become_password"),
+ ("vault_password", "ansible.vault_password"),
+ ):
+ if f"clear_{field}" in form:
+ await set_setting(db, key, "")
+ continue
+ raw = form.get(field, "") or ""
+ # Preserve PEM whitespace for the key; trim passwords.
+ val = raw.strip("\n") if field == "ssh_private_key" else raw.strip()
+ if val:
+ await set_setting(db, key, val)
+ await set_setting(db, "ansible.host_key_checking", "host_key_checking" in form)
+ await _reload_app_config()
+ await log_audit(current_app, session.get("user_id"), session.get("username", ""),
+ "settings.saved", detail={"section": "ansible.credentials"})
+ return redirect(url_for("settings.ansible"))
@settings_bp.post("/ansible/sources/add")
diff --git a/steward/templates/settings/ansible.html b/steward/templates/settings/ansible.html
index f0b1d4a..64aa5a2 100644
--- a/steward/templates/settings/ansible.html
+++ b/steward/templates/settings/ansible.html
@@ -15,5 +15,53 @@
cloned automatically. Add as many as you need; each can be browsed and run independently.
{% include "settings/_ansible_sources.html" %}
+
+ {# ── Credentials ──────────────────────────────────────────────────────────── #}
+ {% set cfg_badge = '(configured)' %}
+ {% set not_set_badge = '(not set)' %}
+
+
Credentials
+
+ Used by every playbook run (manual and alert-triggered). Stored on the server and
+ never shown again after saving — leave a field blank to keep the current value.
+
+
+
{% endblock %}
diff --git a/tests/integration/test_ansible_credentials.py b/tests/integration/test_ansible_credentials.py
new file mode 100644
index 0000000..c24f2e6
--- /dev/null
+++ b/tests/integration/test_ansible_credentials.py
@@ -0,0 +1,82 @@
+"""Integration: the executor wires a configured vault password into a real run (task 548).
+
+Encrypts a vars file with ansible-vault, then runs a playbook through
+executor.start_run with the matching vault_password in app config, and asserts
+the executor's --vault-password-file decrypted it. (SSH-key/become auth need a
+remote host, so they're covered by the unit-level flag construction.)
+"""
+from __future__ import annotations
+
+import asyncio
+import os
+import subprocess
+import textwrap
+import uuid
+
+import pytest
+
+pytestmark = pytest.mark.integration
+
+_NEEDS_DB = pytest.mark.skipif(
+ not os.environ.get("STEWARD_DATABASE_URL"),
+ reason="integration test needs a live Postgres (STEWARD_DATABASE_URL)",
+)
+
+
+@pytest.fixture
+def app():
+ if not os.environ.get("STEWARD_DATABASE_URL"):
+ pytest.skip("needs Postgres")
+ from steward.app import create_app
+ return create_app(testing=False)
+
+
+@_NEEDS_DB
+def test_vault_password_decrypts_a_run(app, tmp_path):
+ from sqlalchemy import select
+ from steward.ansible import executor
+ from steward.models.ansible import AnsibleRun, AnsibleRunStatus
+
+ vault_pw = "test-vault-pw"
+ pwfile = tmp_path / "pw"
+ pwfile.write_text(vault_pw + "\n")
+
+ secret = tmp_path / "secret.yml"
+ secret.write_text("vaulted_value: hello-from-vault\n")
+ subprocess.run(
+ ["ansible-vault", "encrypt", str(secret), "--vault-password-file", str(pwfile)],
+ check=True, capture_output=True,
+ )
+
+ (tmp_path / "play.yml").write_text(textwrap.dedent("""\
+ - hosts: localhost
+ connection: local
+ gather_facts: false
+ vars_files:
+ - secret.yml
+ tasks:
+ - debug:
+ msg: "VAULT-{{ vaulted_value }}"
+ """))
+ (tmp_path / "inv.ini").write_text("localhost ansible_connection=local\n")
+
+ # Executor reads credentials from app.config["ANSIBLE"].
+ app.config["ANSIBLE"] = {"vault_password": vault_pw, "host_key_checking": False}
+
+ run_id = str(uuid.uuid4())
+
+ async def _go():
+ async with app.db_sessionmaker() as s:
+ async with s.begin():
+ s.add(AnsibleRun(
+ id=run_id, playbook_path="play.yml", inventory_path="inv.ini",
+ source_name="t", triggered_by=None, status=AnsibleRunStatus.running,
+ ))
+ await executor.start_run(app, run_id, "play.yml", "inv.ini", str(tmp_path))
+ async with app.db_sessionmaker() as s:
+ return (await s.execute(
+ select(AnsibleRun).where(AnsibleRun.id == run_id))).scalar_one()
+
+ run = asyncio.run(_go())
+ assert run.status == AnsibleRunStatus.success, run.output
+ assert "VAULT-hello-from-vault" in (run.output or "") # vault password decrypted it
diff --git a/tests/test_ansible_credentials.py b/tests/test_ansible_credentials.py
new file mode 100644
index 0000000..5481f67
--- /dev/null
+++ b/tests/test_ansible_credentials.py
@@ -0,0 +1,57 @@
+"""Unit tests for Ansible credential argv/env construction (task 548)."""
+import json
+
+from steward.ansible.executor import ansible_env, build_credentials
+
+
+def test_no_creds_is_empty():
+ assert build_credentials({}, "/td") == ([], [])
+ assert build_credentials(None, "/td") == ([], [])
+
+
+def test_ssh_key_via_file():
+ args, files = build_credentials({"ssh_private_key": "KEYDATA"}, "/td")
+ assert args == ["--private-key", "/td/id_key"]
+ assert files == [("/td/id_key", "KEYDATA\n")]
+
+
+def test_ssh_key_keeps_existing_trailing_newline():
+ _, files = build_credentials({"ssh_private_key": "KEY\n"}, "/td")
+ assert files == [("/td/id_key", "KEY\n")]
+
+
+def test_vault_password_via_file():
+ args, files = build_credentials({"vault_password": "vpw"}, "/td")
+ assert args == ["--vault-password-file", "/td/vault_pass"]
+ assert files == [("/td/vault_pass", "vpw\n")]
+
+
+def test_become_password_uses_vars_file_not_argv():
+ pw = "p@ss word"
+ args, files = build_credentials({"become_password": pw}, "/td")
+ assert args == ["-e", "@/td/become.yml"]
+ assert files[0][0] == "/td/become.yml"
+ assert files[0][1] == "ansible_become_password: " + json.dumps(pw) + "\n"
+ # The password must never appear on the command line.
+ assert pw not in " ".join(args)
+
+
+def test_all_three_combined():
+ args, files = build_credentials(
+ {"ssh_private_key": "K", "vault_password": "V", "become_password": "B"}, "/td")
+ assert "--private-key" in args
+ assert "--vault-password-file" in args
+ assert "-e" in args
+ assert len(files) == 3
+
+
+def test_ansible_env_host_key_checking_toggle():
+ assert ansible_env({"host_key_checking": True}, {})["ANSIBLE_HOST_KEY_CHECKING"] == "True"
+ assert ansible_env({"host_key_checking": False}, {})["ANSIBLE_HOST_KEY_CHECKING"] == "False"
+ assert ansible_env({}, {})["ANSIBLE_HOST_KEY_CHECKING"] == "False"
+ assert ansible_env(None, {})["ANSIBLE_HOST_KEY_CHECKING"] == "False"
+
+
+def test_ansible_env_preserves_base():
+ env = ansible_env({}, {"FOO": "bar"})
+ assert env["FOO"] == "bar"