Diffstat (limited to 'lib/ansible')
-rw-r--r--lib/ansible/cli/galaxy.py9
-rw-r--r--lib/ansible/modules/system/service.py18
-rw-r--r--lib/ansible/parsing/vault/__init__.py144
-rw-r--r--lib/ansible/playbook/base.py11
-rw-r--r--lib/ansible/playbook/play.py15
-rw-r--r--lib/ansible/playbook/role/definition.py7
-rw-r--r--lib/ansible/playbook/role/include.py2
-rw-r--r--lib/ansible/playbook/role/requirement.py50
-rw-r--r--lib/ansible/plugins/action/__init__.py24
-rw-r--r--lib/ansible/plugins/action/service.py5
10 files changed, 17 insertions, 268 deletions
diff --git a/lib/ansible/cli/galaxy.py b/lib/ansible/cli/galaxy.py
index 5a83c90723..fceb36eb38 100644
--- a/lib/ansible/cli/galaxy.py
+++ b/lib/ansible/cli/galaxy.py
@@ -358,14 +358,7 @@ class GalaxyCLI(CLI):
msg = "Unable to load data from the include requirements file: %s %s"
raise AnsibleError(msg % (role_file, e))
else:
- display.deprecated("going forward only the yaml format will be supported", version="2.6")
- # roles listed in a file, one per line
- for rline in f.readlines():
- if rline.startswith("#") or rline.strip() == '':
- continue
- display.debug('found role %s in text file' % str(rline))
- role = RoleRequirement.role_yaml_parse(rline.strip())
- roles_left.append(GalaxyRole(self.galaxy, **role))
+ raise AnsibleError("Invalid role requirements file")
f.close()
except (IOError, OSError) as e:
raise AnsibleError('Unable to open %s: %s' % (role_file, str(e)))
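Review bot: The new `raise AnsibleError("Invalid role requirements file")` sits before the `f.close()` on the following line, so on this path the handle is never closed explicitly; the raise two lines above it has the same property. The file is opened outside this hunk, presumably with a plain `open()`, and a `with` block around the read would close it on every path. The message also gives the user neither the file name nor the reason, unlike the neighbouring errors that include `role_file`; something like `raise AnsibleError("Invalid role requirements file, only the YAML format is supported: %s" % role_file)` would make the removal of the one-role-per-line format much easier to diagnose.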
diff --git a/lib/ansible/modules/system/service.py b/lib/ansible/modules/system/service.py
index dce8c7f2fd..b388b0aba4 100644
--- a/lib/ansible/modules/system/service.py
+++ b/lib/ansible/modules/system/service.py
@@ -36,7 +36,7 @@ options:
and enabled are required.) Note that reloaded will start the
service if it is not already started, even if your chosen init
system wouldn't normally.
- choices: [ reloaded, restarted, running, started, stopped ]
+ choices: [ reloaded, restarted, started, stopped ]
sleep:
description:
- If the service is being C(restarted) then sleep this many seconds
@@ -49,7 +49,7 @@ options:
- If the service does not respond to the status command, name a
substring to look for as would be found in the output of the I(ps)
command as a stand-in for a status result. If the string is found,
- the service will be assumed to be running.
+ the service will be assumed to be started.
version_added: "0.7"
enabled:
description:
@@ -75,12 +75,12 @@ notes:
'''
EXAMPLES = '''
-- name: Start service httpd, if not running
+- name: Start service httpd, if not started
service:
name: httpd
state: started
-- name: Stop service httpd, if running
+- name: Stop service httpd, if started
service:
name: httpd
state: stopped
@@ -95,7 +95,7 @@ EXAMPLES = '''
name: httpd
state: reloaded
-- name: Enable service httpd, and not touch the running state
+- name: Enable service httpd, and not touch the state
service:
name: httpd
enabled: yes
@@ -316,7 +316,7 @@ class Service(object):
if self.state and self.running is None:
self.module.fail_json(msg="failed determining service state, possible typo of service name?")
# Find out if state has changed
- if not self.running and self.state in ["reloaded", "running", "started"]:
+ if not self.running and self.state in ["reloaded", "started"]:
self.svc_change = True
elif self.running and self.state in ["reloaded", "stopped"]:
self.svc_change = True
@@ -330,7 +330,7 @@ class Service(object):
# Only do something if state will change
if self.svc_change:
# Control service
- if self.state in ['running', 'started']:
+ if self.state in ['started']:
self.action = "start"
elif not self.running and self.state == 'reloaded':
self.action = "start"
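Review bot: The membership test against a one-element list in `if self.state in ['started']:` is left over from deleting `'running'` and reads as if more values were expected. A plain comparison, `if self.state == 'started':`, matches the `self.state == 'reloaded'` test on the next branch. The enclosing method starts and ends outside this hunk.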
@@ -1518,7 +1518,7 @@ def main():
module = AnsibleModule(
argument_spec=dict(
name=dict(type='str', required=True),
- state=dict(type='str', choices=['running', 'started', 'stopped', 'reloaded', 'restarted']),
+ state=dict(type='str', choices=['started', 'stopped', 'reloaded', 'restarted']),
sleep=dict(type='int'),
pattern=dict(type='str'),
enabled=dict(type='bool'),
@@ -1597,7 +1597,7 @@ def main():
else:
# as we may have just bounced the service the service command may not
# report accurate state at this moment so just show what we ran
- if service.module.params['state'] in ['reloaded', 'restarted', 'running', 'started']:
+ if service.module.params['state'] in ['reloaded', 'restarted', 'started']:
result['state'] = 'started'
else:
result['state'] = 'stopped'
diff --git a/lib/ansible/parsing/vault/__init__.py b/lib/ansible/parsing/vault/__init__.py
index 6e71724050..d5ef4fca49 100644
--- a/lib/ansible/parsing/vault/__init__.py
+++ b/lib/ansible/parsing/vault/__init__.py
@@ -30,9 +30,6 @@ import warnings
from binascii import hexlify
from binascii import unhexlify
from binascii import Error as BinasciiError
-from hashlib import md5
-from hashlib import sha256
-from io import BytesIO
HAS_CRYPTOGRAPHY = False
HAS_PYCRYPTO = False
@@ -1107,146 +1104,6 @@ class VaultEditor:
# CIPHERS #
########################################
-class VaultAES:
-
- # this version has been obsoleted by the VaultAES256 class
- # which uses encrypt-then-mac (fixing order) and also improving the KDF used
- # code remains for upgrade purposes only
- # http://stackoverflow.com/a/16761459
-
- # Note: strings in this class should be byte strings by default.
-
- def __init__(self):
- if not HAS_CRYPTOGRAPHY and not HAS_PYCRYPTO:
- raise AnsibleError(NEED_CRYPTO_LIBRARY)
-
- @staticmethod
- def _aes_derive_key_and_iv(b_password, b_salt, key_length, iv_length):
-
- """ Create a key and an initialization vector """
-
- b_d = b_di = b''
- while len(b_d) < key_length + iv_length:
- b_text = b''.join([b_di, b_password, b_salt])
- b_di = to_bytes(md5(b_text).digest(), errors='strict')
- b_d += b_di
-
- b_key = b_d[:key_length]
- b_iv = b_d[key_length:key_length + iv_length]
-
- return b_key, b_iv
-
- @staticmethod
- def encrypt(b_plaintext, b_password, key_length=32):
-
- """ Read plaintext data from in_file and write encrypted to out_file """
-
- raise AnsibleError("Encryption disabled for deprecated VaultAES class")
-
- @staticmethod
- def _parse_plaintext_envelope(b_envelope):
- # split out sha and verify decryption
- b_split_data = b_envelope.split(b"\n", 1)
- b_this_sha = b_split_data[0]
- b_plaintext = b_split_data[1]
- b_test_sha = to_bytes(sha256(b_plaintext).hexdigest())
-
- return b_plaintext, b_this_sha, b_test_sha
-
- @classmethod
- def _decrypt_cryptography(cls, b_salt, b_ciphertext, b_password, key_length):
-
- bs = algorithms.AES.block_size // 8
- b_key, b_iv = cls._aes_derive_key_and_iv(b_password, b_salt, key_length, bs)
- cipher = C_Cipher(algorithms.AES(b_key), modes.CBC(b_iv), CRYPTOGRAPHY_BACKEND).decryptor()
- unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
-
- try:
- b_plaintext_envelope = unpadder.update(
- cipher.update(b_ciphertext) + cipher.finalize()
- ) + unpadder.finalize()
- except ValueError:
- # In VaultAES, ValueError: invalid padding bytes can mean bad
- # password was given
- raise AnsibleError("Decryption failed")
-
- b_plaintext, b_this_sha, b_test_sha = cls._parse_plaintext_envelope(b_plaintext_envelope)
-
- if b_this_sha != b_test_sha:
- raise AnsibleError("Decryption failed")
-
- return b_plaintext
-
- @classmethod
- def _decrypt_pycrypto(cls, b_salt, b_ciphertext, b_password, key_length):
- in_file = BytesIO(b_ciphertext)
- in_file.seek(0)
- out_file = BytesIO()
-
- bs = AES_pycrypto.block_size
-
- b_key, b_iv = cls._aes_derive_key_and_iv(b_password, b_salt, key_length, bs)
- cipher = AES_pycrypto.new(b_key, AES_pycrypto.MODE_CBC, b_iv)
- b_next_chunk = b''
- finished = False
-
- while not finished:
- b_chunk, b_next_chunk = b_next_chunk, cipher.decrypt(in_file.read(1024 * bs))
- if len(b_next_chunk) == 0:
- if PY3:
- padding_length = b_chunk[-1]
- else:
- padding_length = ord(b_chunk[-1])
-
- b_chunk = b_chunk[:-padding_length]
- finished = True
-
- out_file.write(b_chunk)
- out_file.flush()
-
- # reset the stream pointer to the beginning
- out_file.seek(0)
- b_plaintext_envelope = out_file.read()
- out_file.close()
-
- b_plaintext, b_this_sha, b_test_sha = cls._parse_plaintext_envelope(b_plaintext_envelope)
-
- if b_this_sha != b_test_sha:
- raise AnsibleError("Decryption failed")
-
- return b_plaintext
-
- @classmethod
- def decrypt(cls, b_vaulttext, secret, key_length=32):
-
- """ Decrypt the given data and return it
- :arg b_data: A byte string containing the encrypted data
- :arg b_password: A byte string containing the encryption password
- :arg key_length: Length of the key
- :returns: A byte string containing the decrypted data
- """
-
- display.deprecated(u'The VaultAES format is insecure and has been '
- 'deprecated since Ansible-1.5. Use vault rekey FILENAME to '
- 'switch to the newer VaultAES256 format', version='2.3')
- # http://stackoverflow.com/a/14989032
-
- b_vaultdata = _unhexlify(b_vaulttext)
- b_salt = b_vaultdata[len(b'Salted__'):16]
- b_ciphertext = b_vaultdata[16:]
-
- b_password = secret.bytes
-
- if HAS_CRYPTOGRAPHY:
- b_plaintext = cls._decrypt_cryptography(b_salt, b_ciphertext, b_password, key_length)
- elif HAS_PYCRYPTO:
- b_plaintext = cls._decrypt_pycrypto(b_salt, b_ciphertext, b_password, key_length)
- else:
- raise AnsibleError(NEED_CRYPTO_LIBRARY + ' (Late detection)')
-
- return b_plaintext
-
-
class VaultAES256:
"""
@@ -1470,6 +1327,5 @@ class VaultAES256:
# Keys could be made bytes later if the code that gets the data is more
# naturally byte-oriented
CIPHER_MAPPING = {
- u'AES': VaultAES,
u'AES256': VaultAES256,
}
diff --git a/lib/ansible/playbook/base.py b/lib/ansible/playbook/base.py
index daaa7c1065..6ac2c86c47 100644
--- a/lib/ansible/playbook/base.py
+++ b/lib/ansible/playbook/base.py
@@ -382,18 +382,11 @@ class FieldAttributeBase(with_metaclass(BaseMeta, object)):
if isinstance(value, string_types) and '%' in value:
value = value.replace('%', '')
value = float(value)
- elif attribute.isa in ('list', 'barelist'):
+ elif attribute.isa == 'list':
if value is None:
value = []
elif not isinstance(value, list):
- if isinstance(value, string_types) and attribute.isa == 'barelist':
- display.deprecated(
- "Using comma separated values for a list has been deprecated. "
- "You should instead use the correct YAML syntax for lists. "
- )
- value = value.split(',')
- else:
- value = [value]
+ value = [value]
if attribute.listof is not None:
for item in value:
if not isinstance(item, attribute.listof):
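Review bot: With the `barelist` branch gone, a string such as `network,hardware` is no longer split and falls into `value = [value]`, becoming the single item `['network,hardware']` with no warning or error. The other removals in this commit fail loudly with an `AnsibleError` or `AnsibleParserError`, while this one changes meaning silently; the only attribute visibly affected is `_gather_subset` in the play.py hunk below. Whether the fact-gathering code later rejects the unknown subset name is not visible here, so that is worth confirming. I would at least add a comment on the `value = [value]` line, e.g. `# a comma separated string is kept as one item, it is no longer split`, and mention the change in the porting notes. The enclosing method continues outside the hunk.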
diff --git a/lib/ansible/playbook/play.py b/lib/ansible/playbook/play.py
index 0bcb2526b3..3457a2281f 100644
--- a/lib/ansible/playbook/play.py
+++ b/lib/ansible/playbook/play.py
@@ -59,7 +59,7 @@ class Play(Base, Taggable, Become):
# Facts
_fact_path = FieldAttribute(isa='string', default=None)
_gather_facts = FieldAttribute(isa='bool', default=None, always_post_validate=True)
- _gather_subset = FieldAttribute(isa='barelist', default=None, always_post_validate=True)
+ _gather_subset = FieldAttribute(isa='list', default=None, always_post_validate=True)
_gather_timeout = FieldAttribute(isa='int', default=None, always_post_validate=True)
# Variable Attributes
@@ -203,18 +203,7 @@ class Play(Base, Taggable, Become):
if new_ds is not None:
for prompt_data in new_ds:
if 'name' not in prompt_data:
- display.deprecated("Using the 'short form' for vars_prompt has been deprecated", version="2.7")
- for vname, prompt in prompt_data.items():
- vars_prompts.append(dict(
- name=vname,
- prompt=prompt,
- default=None,
- private=None,
- confirm=None,
- encrypt=None,
- salt_size=None,
- salt=None,
- ))
+ raise AnsibleParserError("Invalid vars_prompt data structure", obj=ds)
else:
vars_prompts.append(prompt_data)
return vars_prompts
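Review bot: The new error `"Invalid vars_prompt data structure"` does not say what is invalid, although the only condition that reaches it is an entry without a `name` key. Stating that in the message lets a user of the removed short form fix the playbook without reading the source: `raise AnsibleParserError("Invalid vars_prompt data structure, missing 'name' key", obj=ds)`. I would not interpolate `prompt_data` itself into the message, since a prompt entry can carry `default` or `salt` values that should not end up in logs. The enclosing method starts outside the hunk.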
diff --git a/lib/ansible/playbook/role/definition.py b/lib/ansible/playbook/role/definition.py
index dddda27d80..658749c271 100644
--- a/lib/ansible/playbook/role/definition.py
+++ b/lib/ansible/playbook/role/definition.py
@@ -204,12 +204,7 @@ class RoleDefinition(Base, Become, Conditional, Taggable):
# other mechanism where we exclude certain kinds of field attributes,
# or make this list more automatic in some way so we don't have to
# remember to update it manually.
- if key not in base_attribute_names or key in ('connection', 'port', 'remote_user'):
- if key in ('connection', 'port', 'remote_user'):
- display.deprecated("Using '%s' as a role param has been deprecated. " % key +
- "In the future, these values should be entered in the `vars:` " +
- "section for roles, but for now we'll store it as both a param and an attribute.", version="2.7")
- role_def[key] = value
+ if key not in base_attribute_names:
# this key does not match a field attribute, so it must be a role param
role_params[key] = value
else:
diff --git a/lib/ansible/playbook/role/include.py b/lib/ansible/playbook/role/include.py
index 578e47ec9e..ddcdf80997 100644
--- a/lib/ansible/playbook/role/include.py
+++ b/lib/ansible/playbook/role/include.py
@@ -53,7 +53,7 @@ class RoleInclude(RoleDefinition):
raise AnsibleParserError("Invalid role definition: %s" % to_native(data))
if isinstance(data, string_types) and ',' in data:
- data = RoleRequirement.role_spec_parse(data)
+ raise AnsibleError("Invalid old style role requirement: %s" % data)
ri = RoleInclude(play=play, role_basedir=current_role_path, variable_manager=variable_manager, loader=loader)
return ri.load_data(data, variable_manager=variable_manager, loader=loader)
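Review bot: The added `raise AnsibleError("Invalid old style role requirement: %s" % data)` is inconsistent with the raise directly above it, which uses `AnsibleParserError` and passes the value through `to_native()`. Using the same form here, `raise AnsibleParserError("Invalid old style role requirement: %s" % to_native(data))`, keeps one exception type for parse failures in this method and avoids formatting a raw text value into the message. The import lines are outside the hunk, so it should also be confirmed that `AnsibleError` is in scope in this file. The second hunk of requirement.py adds the same `raise AnsibleError(...)` with `name` and needs the same import check.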
diff --git a/lib/ansible/playbook/role/requirement.py b/lib/ansible/playbook/role/requirement.py
index 0790404b2f..764d0c591f 100644
--- a/lib/ansible/playbook/role/requirement.py
+++ b/lib/ansible/playbook/role/requirement.py
@@ -78,53 +78,6 @@ class RoleRequirement(RoleDefinition):
return trailing_path
@staticmethod
- def role_spec_parse(role_spec):
- # takes a repo and a version like
- # git+http://git.example.com/repos/repo.git,v1.0
- # and returns a list of properties such as:
- # {
- # 'scm': 'git',
- # 'src': 'http://git.example.com/repos/repo.git',
- # 'version': 'v1.0',
- # 'name': 'repo'
- # }
- display.deprecated("The comma separated role spec format, use the yaml/explicit format instead. Line that trigger this: %s" % role_spec,
- version="2.7")
-
- default_role_versions = dict(git='master', hg='tip')
-
- role_spec = role_spec.strip()
- role_version = ''
- if role_spec == "" or role_spec.startswith("#"):
- return (None, None, None, None)
-
- tokens = [s.strip() for s in role_spec.split(',')]
-
- # assume https://github.com URLs are git+https:// URLs and not
- # tarballs unless they end in '.zip'
- if 'github.com/' in tokens[0] and not tokens[0].startswith("git+") and not tokens[0].endswith('.tar.gz'):
- tokens[0] = 'git+' + tokens[0]
-
- if '+' in tokens[0]:
- (scm, role_url) = tokens[0].split('+')
- else:
- scm = None
- role_url = tokens[0]
-
- if len(tokens) >= 2:
- role_version = tokens[1]
-
- if len(tokens) == 3:
- role_name = tokens[2]
- else:
- role_name = RoleRequirement.repo_url_to_role_name(tokens[0])
-
- if scm and not role_version:
- role_version = default_role_versions.get(scm, '')
-
- return dict(scm=scm, src=role_url, version=role_version, name=role_name)
-
- @staticmethod
def role_yaml_parse(role):
if isinstance(role, string_types):
@@ -152,8 +105,7 @@ class RoleRequirement(RoleDefinition):
if 'role' in role:
name = role['role']
if ',' in name:
- # Old style: {role: "galaxy.role,version,name", other_vars: "here" }
- role = RoleRequirement.role_spec_parse(role['role'])
+ raise AnsibleError("Invalid old style role requirement: %s" % name)
else:
del role['role']
role['name'] = name
diff --git a/lib/ansible/plugins/action/__init__.py b/lib/ansible/plugins/action/__init__.py
index 9f55f299aa..4af91a480a 100644
--- a/lib/ansible/plugins/action/__init__.py
+++ b/lib/ansible/plugins/action/__init__.py
@@ -377,30 +377,6 @@ class ActionBase(with_metaclass(ABCMeta, object)):
return remote_path
- def _fixup_perms(self, remote_path, remote_user=None, execute=True, recursive=True):
- """
- We need the files we upload to be readable (and sometimes executable)
- by the user being sudo'd to but we want to limit other people's access
- (because the files could contain passwords or other private
- information.
-
- Deprecated in favor of _fixup_perms2. Ansible code has been updated to
- use _fixup_perms2. This code is maintained to provide partial support
- for custom actions (non-recursive mode only).
-
- """
- if remote_user is None:
- remote_user = self._play_context.remote_user
-
- display.deprecated('_fixup_perms is deprecated. Use _fixup_perms2 instead.', version='2.4', removed=False)
-
- if recursive:
- raise AnsibleError('_fixup_perms with recursive=True (the default) is no longer supported. ' +
- 'Use _fixup_perms2 if support for previous releases is not required. '
- 'Otherwise use fixup_perms with recursive=False.')
-
- return self._fixup_perms2([remote_path], remote_user, execute)
-
def _fixup_perms2(self, remote_paths, remote_user=None, execute=True):
"""
We need the files we upload to be readable (and sometimes executable)
diff --git a/lib/ansible/plugins/action/service.py b/lib/ansible/plugins/action/service.py
index fc084194c1..c07113c06b 100644
--- a/lib/ansible/plugins/action/service.py
+++ b/lib/ansible/plugins/action/service.py
@@ -65,11 +65,6 @@ class ActionModule(ActionBase):
if 'use' in new_module_args:
del new_module_args['use']
- # for backwards compatibility
- if 'state' in new_module_args and new_module_args['state'] == 'running':
- self._display.deprecated(msg="state=running is deprecated. Please use state=started", version="2.7")
- new_module_args['state'] = 'started'
-
if module in self.UNUSED_PARAMS:
for unused in self.UNUSED_PARAMS[module]:
if unused in new_module_args: