Allow pass renderer to work with complex yaml structures

Before, pass could only handle a 1 level dict with a value as the pass path (string). Greatly influenced by the GPG renderer, once again.
2024-11-08 01:18:58 +00:00 · 2016-10-24 16:25:33 -07:00 · 2016-10-24 16:25:33 -07:00 · 899a7642e5
commit 899a7642e5
parent cf0c14997c
1 changed files with 16 additions and 7 deletions
--- a/salt/renderers/pass.py
+++ b/salt/renderers/pass.py
@ -83,10 +83,24 @@ def _fetch_secret(pass_path):
        msg = 'Could not fetch secret: {0} {1}'.format(pass_data, pass_error)
        log.warn(msg)
        pass_data = pass_path
-
    return pass_data


+def _decrypt_object(obj):
+    """
+    Recursively try to find a pass path (string) that can be handed off to pass
+    """
+    if isinstance(obj, six.string_types):
+        return _fetch_secret(obj)
+    elif isinstance(obj, dict):
+        for pass_key, pass_path in six.iteritems(obj):
+            obj[pass_key] = _decrypt_object(pass_path)
+    elif isinstance(obj, list):
+        for pass_key, pass_path in enumerate(obj):
+            obj[pass_key] = _decrypt_object(pass_path)
+    return obj
+
+
 def render(pass_info, saltenv='base', sls='', argline='', **kwargs):
    """
    Fetch secret from pass based on pass_path
@ -99,9 +113,4 @@ def render(pass_info, saltenv='base', sls='', argline='', **kwargs):
    # Make sure environment variable HOME is set, since Pass looks for the
    # password-store under ~/.password-store.
    os.environ['HOME'] = expanduser('~')
-
-    for pass_key, pass_path in six.iteritems(pass_info):
-        secret = _fetch_secret(pass_path)
-        pass_info[pass_key] = secret
-
-    return pass_info
+    return _decrypt_object(pass_info)