Add first stab at decrypt command

CHANGELOG.rst

@@ -1,3 +1,12 @@
+Autonomic 0.0.5 (2020-04-13)
+============================
+
+Features
+--------
+
+- Add CoopHost decrypt command. (#5)
+
+
 Autonomic 0.0.4 (2020-04-12)
 ============================
 

autonomic/command/coophost.py

@@ -3,6 +3,7 @@
 from os import chdir, mkdir
 from os.path import basename, exists
 from pathlib import Path
+from socket import gethostname
 
 import click
 
@@ -12,6 +13,7 @@ from autonomic.settings import add, get
 from autonomic.utils import (
     ensure_config_dir,
     ensure_deploy_d_dir,
+    exit,
     input_ask,
     pass_ask,
     question_ask,
@@ -20,40 +22,86 @@ from autonomic.utils import (
     yaml_load,
 )
 
+hostname = gethostname()
+
 
 @click.command()
 @click.pass_context
 def coophost(ctx):
     """Manage CoopHost resources."""
     ensure_config_dir()
-
-    choices = ["encrypt"]
-    operation = question_ask("operation", "Which operation?", choices)
-
-    if operation == "encrypt":
-        encrypt()
-
-
-def encrypt():
-    """Encrypt a secret for a CoopHost package."""
     ensure_deploy_d_dir()
 
     app_dir = Path(".").absolute()
-
+    app = basename(app_dir)
-    app = basename(Path(".").absolute())
     log.info("Auto-detected the {} application".format(app))
 
+    choices = ["encrypt", "decrypt"]
+    operation = question_ask("operation", "Which operation?", choices)
+
+    if operation == "encrypt":
+        encrypt(app, app_dir)
+    elif operation == "decrypt":
+        decrypt(app, app_dir)
+
+
+def get_vault_pass(app):
+    """Retrieve or set the app vault password."""
     app_settings = get(app)
+
     if app_settings is not None and "vault-password" in app_settings:
         log.info("Using app vault password stored in {}".format(CONFIG_YAML))
-        vault_password = app_settings["vault-password"]
+        return app_settings["vault-password"]
-    else:
-        log.info("No app vault password configured")
-        vault_password = pass_ask("Vault password?")
 
-        log.info("App vault password stored in {}".format(CONFIG_YAML))
+    log.info("No app vault password configured")
-        add({app: {"vault-password": vault_password}})
+    vault_password = pass_ask("Vault password?")
 
+    log.info("App vault password stored in {}".format(CONFIG_YAML))
+    add({app: {"vault-password": vault_password}})
+
+    return vault_password
+
+
+def decrypt(app, app_dir):
+    """Decrypt a secret."""
+    vault_password = get_vault_pass(app)
+    name = input_ask("Which variable do you want to decrypt?")
+
+    vault_path = (Path(".") / "deploy.d" / "vault").absolute()
+    var_path = (vault_path / "{}.yml".format(name)).absolute()
+
+    if not exists(var_path):
+        exit("{}.yml is missing?".format(name))
+
+    cmd = [
+        ".venv/bin/ansible",
+        hostname,
+        "--inventory",
+        "{},".format(hostname),
+        "-m",
+        "debug",
+        "-a",
+        "var='{}'".format(name),
+        "-e @{}".format(var_path),
+        "--ask-vault-pass",
+        "-e",
+        "ansible_user={}".format(get("username")),
+    ]
+
+    decrypted = run(
+        cmd,
+        cwd=INFRA_DIR,
+        output=True,
+        pexpect=True,
+        pexpected={"(?i)vault password:": vault_password},
+    )
+
+    log.info(decrypted)
+
+
+def encrypt(app, app_dir):
+    """Encrypt a secret for a CoopHost package."""
+    vault_password = get_vault_pass(app)
     name = input_ask("Which variable do you want to encrypt?")
     value = pass_ask("Variable value to encrypt?")
 
@@ -74,7 +122,7 @@ def encrypt():
     )
 
     chdir(app_dir)
-    log.info("Changed directory back to to {}".format(app_dir))
+    log.info("Changed directory back to {}".format(app_dir))
 
     vault_path = (Path(".") / "deploy.d" / "vault").absolute()
     if not exists(vault_path):