feat(ansible): credentials — SSH key, become, vault, host-key checking (task 548)
CI / lint (push) Successful in 2s
CI / unit (push) Successful in 7s
CI / integration (push) Successful in 2m24s

Global Ansible credentials, applied to every run (manual + alert-triggered):
- core/settings.py: ansible.ssh_private_key / become_password / vault_password
  (plaintext at rest, masked in UI — encryption tracked in #580) + host_key_checking
  (default off); surfaced via to_ansible_cfg into app.config[ANSIBLE]
- executor.py: pure build_credentials() materializes creds into a 0600 temp dir
  (--private-key, --vault-password-file, become via -e @vars-file so the password
  never hits argv) cleaned up in finally; pure ansible_env() sets
  ANSIBLE_HOST_KEY_CHECKING. build_ansible_command stays param-only
- settings/routes.py + ansible.html: admin-only Credentials section, masked-update
  (blank keeps current, explicit Clear checkbox), reload app config on save
- tests: unit (build_credentials per cred + none; ansible_env toggle); integration
  vault round-trip (ansible-vault encrypt a vars file, run via executor with the
  vault password, assert it decrypted)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-02 18:41:58 -04:00
parent 0a36a57901
commit 0bf007173b
6 changed files with 295 additions and 3 deletions
+37 -1
View File
@@ -170,7 +170,43 @@ async def _ansible_sources_partial(sources: list[dict]):
@require_role(UserRole.admin)
async def ansible():
sources = await _get_ansible_sources()
return await render_template("settings/ansible.html", sources=sources)
async with current_app.db_sessionmaker() as db:
settings = await get_all_settings(db)
return await render_template(
"settings/ansible.html",
sources=sources,
ssh_key_set=bool(settings.get("ansible.ssh_private_key")),
become_set=bool(settings.get("ansible.become_password")),
vault_set=bool(settings.get("ansible.vault_password")),
host_key_checking=settings.get("ansible.host_key_checking", False),
)
@settings_bp.post("/ansible/credentials")
@require_role(UserRole.admin)
async def ansible_save_credentials():
"""Save global Ansible credentials (masked-update: blank keeps the current value)."""
form = await request.form
async with current_app.db_sessionmaker() as db:
async with db.begin():
for field, key in (
("ssh_private_key", "ansible.ssh_private_key"),
("become_password", "ansible.become_password"),
("vault_password", "ansible.vault_password"),
):
if f"clear_{field}" in form:
await set_setting(db, key, "")
continue
raw = form.get(field, "") or ""
# Preserve PEM whitespace for the key; trim passwords.
val = raw.strip("\n") if field == "ssh_private_key" else raw.strip()
if val:
await set_setting(db, key, val)
await set_setting(db, "ansible.host_key_checking", "host_key_checking" in form)
await _reload_app_config()
await log_audit(current_app, session.get("user_id"), session.get("username", ""),
"settings.saved", detail={"section": "ansible.credentials"})
return redirect(url_for("settings.ansible"))
@settings_bp.post("/ansible/sources/add")