feat(ansible): credentials — SSH key, become, vault, host-key checking (task 548)
Global Ansible credentials, applied to every run (manual + alert-triggered): - core/settings.py: ansible.ssh_private_key / become_password / vault_password (plaintext at rest, masked in UI — encryption tracked in #580) + host_key_checking (default off); surfaced via to_ansible_cfg into app.config[ANSIBLE] - executor.py: pure build_credentials() materializes creds into a 0600 temp dir (--private-key, --vault-password-file, become via -e @vars-file so the password never hits argv) cleaned up in finally; pure ansible_env() sets ANSIBLE_HOST_KEY_CHECKING. build_ansible_command stays param-only - settings/routes.py + ansible.html: admin-only Credentials section, masked-update (blank keeps current, explicit Clear checkbox), reload app config on save - tests: unit (build_credentials per cred + none; ansible_env toggle); integration vault round-trip (ansible-vault encrypt a vars file, run via executor with the vault password, assert it decrypted) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -170,7 +170,43 @@ async def _ansible_sources_partial(sources: list[dict]):
|
||||
@require_role(UserRole.admin)
|
||||
async def ansible():
|
||||
sources = await _get_ansible_sources()
|
||||
return await render_template("settings/ansible.html", sources=sources)
|
||||
async with current_app.db_sessionmaker() as db:
|
||||
settings = await get_all_settings(db)
|
||||
return await render_template(
|
||||
"settings/ansible.html",
|
||||
sources=sources,
|
||||
ssh_key_set=bool(settings.get("ansible.ssh_private_key")),
|
||||
become_set=bool(settings.get("ansible.become_password")),
|
||||
vault_set=bool(settings.get("ansible.vault_password")),
|
||||
host_key_checking=settings.get("ansible.host_key_checking", False),
|
||||
)
|
||||
|
||||
|
||||
@settings_bp.post("/ansible/credentials")
|
||||
@require_role(UserRole.admin)
|
||||
async def ansible_save_credentials():
|
||||
"""Save global Ansible credentials (masked-update: blank keeps the current value)."""
|
||||
form = await request.form
|
||||
async with current_app.db_sessionmaker() as db:
|
||||
async with db.begin():
|
||||
for field, key in (
|
||||
("ssh_private_key", "ansible.ssh_private_key"),
|
||||
("become_password", "ansible.become_password"),
|
||||
("vault_password", "ansible.vault_password"),
|
||||
):
|
||||
if f"clear_{field}" in form:
|
||||
await set_setting(db, key, "")
|
||||
continue
|
||||
raw = form.get(field, "") or ""
|
||||
# Preserve PEM whitespace for the key; trim passwords.
|
||||
val = raw.strip("\n") if field == "ssh_private_key" else raw.strip()
|
||||
if val:
|
||||
await set_setting(db, key, val)
|
||||
await set_setting(db, "ansible.host_key_checking", "host_key_checking" in form)
|
||||
await _reload_app_config()
|
||||
await log_audit(current_app, session.get("user_id"), session.get("username", ""),
|
||||
"settings.saved", detail={"section": "ansible.credentials"})
|
||||
return redirect(url_for("settings.ansible"))
|
||||
|
||||
|
||||
@settings_bp.post("/ansible/sources/add")
|
||||
|
||||
Reference in New Issue
Block a user