Add support for using a vault password script

[technowhizz]

No description provided.

[gemini-code-assist]

Summary of Changes

Hello @technowhizz, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the flexibility and security of Ansible Vault password management by introducing support for vault password scripts. Users can now provide an executable script that dynamically generates the vault password, which is then used to set the KAYOBE_VAULT_PASSWORD environment variable. This change is integrated into both the command-line argument parsing and the environment setup script generation, offering a robust alternative to static password files.

Highlights

• New Feature: Vault Password Script Support: Introduced a new command-line option, --vault-password-script, allowing users to specify an executable script that prints the Ansible Vault password to stdout. This provides a more dynamic and secure way to manage vault passwords.
• Mutually Exclusive Arguments: The --vault-password-script option has been made mutually exclusive with the existing --vault-password-file option for both the create and run subcommands, ensuring that only one method of providing the vault password is used at a time.
• Dynamic Password Retrieval: The set_vault_password function now includes logic to execute the provided vault password script and capture its output, setting it as the KAYOBE_VAULT_PASSWORD environment variable.
• Environment Script Generation Update: The create_env_vars_script function has been updated to correctly incorporate the vault password from either a file or a script into the generated env-vars.sh script, ensuring seamless integration with the Kayobe environment.
• Developer Experience Improvement: Added .vscode to the .gitignore file, preventing VS Code specific configuration and temporary files from being committed to the repository.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request adds support for using a script to provide the Ansible Vault password, in addition to a password file. The changes correctly use argparse to make the two options mutually exclusive. However, I've found two critical issues. One is a command injection vulnerability in the execution of the password script due to the use of shell=True. The other is in the generation of the env-vars.sh helper script, which contains both a syntax error and a command injection vulnerability from not escaping user-provided script paths. I've provided suggestions to fix these critical issues.