ansible-role-luks/library/luks_decrypt.py


#!/usr/bin/python3
from ansible.module_utils.basic import *
import subprocess
import os
class LuksDecrypt:
    """Wrapper around the ``cryptsetup`` CLI for opening a single LUKS device.

    ``device`` is the path passed to ``cryptsetup``; ``name`` is the
    device-mapper name the opened volume receives.
    """

    def __init__(self, name, device):
        self.device = device
        self.name = name

    def is_luks(self):
        """Return True when ``cryptsetup isLuks`` exits with status 0."""
        exit_status = subprocess.call(['cryptsetup', 'isLuks', self.device])
        return exit_status == 0

    def is_decrypted(self):
        """Return True when the ``/dev/mapper/<name>`` node already exists."""
        mapper_node = '/dev/mapper/{}'.format(self.name)
        return os.path.exists(mapper_node)

    def decrypt(self, key):
        """Open the device under ``name``, feeding ``key`` to cryptsetup on stdin.

        Raises:
            ValueError: if ``cryptsetup`` exits with a non-zero status. The
                message names the device only, never the key.
        """
        # '-d -' tells cryptsetup to read the key from stdin, so the secret
        # never appears in the process argument list.
        argv = ['cryptsetup', '-q', 'open', '-d', '-', self.device, self.name]
        proc = subprocess.Popen(argv, stdin=subprocess.PIPE)
        proc.stdin.write(key.encode())
        # communicate() flushes and closes stdin, then waits for the exit status.
        proc.communicate()
        proc.stdin.close()
        if proc.returncode == 0:
            return
        raise ValueError('Error during the decrypt of device {}'.format(self.device))
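def main():
    """Ansible module entry point: open a LUKS device unless it is already open.

    Module parameters:
        name: device-mapper name to open the volume as.
        device: path of the LUKS device.
        key: passphrase, passed to ``cryptsetup`` on stdin.

    Reports ``changed=True`` only when the device was opened by this run.
    Failures are reported through ``module.fail_json`` so Ansible receives a
    structured error instead of an uncaught traceback.
    """
    fields = {
        'name': {'type': 'str', 'required': True},
        'device': {'type': 'str', 'required': True},
        # no_log keeps the passphrase out of Ansible's logged parameters.
        'key': {'type': 'str', 'required': True, 'no_log': True},
    }
    module = AnsibleModule(argument_spec=fields)
    changed = False
    luks = LuksDecrypt(module.params['name'], module.params['device'])
    if not luks.is_luks():
        # fail_json emits the error as module output and exits the process.
        module.fail_json(
            msg='Error the device {} is not a LUKS device'.format(module.params['device'])
        )
    elif not luks.is_decrypted():
        try:
            luks.decrypt(module.params['key'])
        except ValueError as err:
            # The message from decrypt() names the device only, so it is
            # safe to return to the controller.
            module.fail_json(msg=str(err))
        changed = True
    module.exit_json(changed=changed)


if __name__ == '__main__':
    main()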