def execute_decrypt(self):
cipher = getattr(self.options, 'cipher', self.CIPHER)
for f in self.args:
this_editor = VaultEditor(cipher, self.vault_pass, f)
this_editor.decrypt_file()
self.display.display("Decryption successful")
def execute_rekey(self):
__, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)
for f in self.args:
this_editor = VaultEditor(None, self.vault_pass, f)
this_editor.rekey_file(new_password)
self.display.display("Rekey successful")
def test_methods_exist(self):
v = VaultEditor(None, None, None)
slots = [
'create_file', 'decrypt_file', 'edit_file', 'encrypt_file',
'rekey_file', 'read_data', 'write_data', 'shuffle_files'
]
for slot in slots:
self.assertTrue(hasattr(v, slot),
"VaultLib is missing the %s method" % slot)
def execute_create(self):
if len(self.args) > 1:
raise AnsibleOptionsError(
"ansible-vault create can take only one filename argument")
cipher = getattr(self.options, 'cipher', self.CIPHER)
this_editor = VaultEditor(cipher, self.vault_pass, self.args[0])
this_editor.create_file()
def encrypt_value(value, passcode):
secret = VaultSecret(bytes(passcode.encode('ascii')))
editor = VaultEditor()
if not is_encrypted(value):
vaultCode = editor.encrypt_bytes(value, secret).decode('ascii')
else:
vaultCode = value
encrypted_val = '!vault |\n' + (vaultCode)
return encrypted_val
def _saveToVault(path, obj, yaml=None, encoding=None, fd=None):
vaultExt = path.endswith(".vault")
if vaultExt or encoding == "vault":
assert yaml and yaml.representer.vault
vault = VaultEditor(yaml.representer.vault)
f = io.BytesIO()
vpath = path[:-len(".vault")] if vaultExt else path
_dump(obj, f, vpath, yaml, encoding)
b_vaulttext = yaml.representer.vault.encrypt(f.getvalue())
vault.write_data(b_vaulttext, fd or path)
return True
return False
def execute_rekey(self):
for f in self.args:
if not (os.path.isfile(f)):
raise AnsibleError(f + " does not exist")
__, new_password = self.ask_vault_passwords(ask_vault_pass=False,
ask_new_vault_pass=True,
confirm_new=True)
for f in self.args:
this_editor = VaultEditor(None, self.vault_pass, f)
this_editor.rekey_file(new_password)
self.display.display("Rekey successful")
def test_create_file(self, mock_editor_shell_command):
def sc_side_effect(filename):
return ['touch', filename]
mock_editor_shell_command.side_effect = sc_side_effect
tmp_file = tempfile.NamedTemporaryFile()
os.unlink(tmp_file.name)
ve = VaultEditor(None, "ansible", tmp_file.name)
ve.create_file()
self.assertTrue(os.path.exists(tmp_file.name))
def run(self):
super(VaultCLI, self).run()
loader = DataLoader()
# set default restrictive umask
old_umask = os.umask(0o077)
if self.options.vault_password_file:
# read vault_pass from a file
self.b_vault_pass = CLI.read_vault_password_file(
self.options.vault_password_file, loader)
if self.options.new_vault_password_file:
# for rekey only
self.b_new_vault_pass = CLI.read_vault_password_file(
self.options.new_vault_password_file, loader)
if not self.b_vault_pass or self.options.ask_vault_pass:
# the 'read' options dont need to ask for password confirmation.
# 'edit' is read/write, but the decrypt will confirm.
if self.action in ['decrypt', 'edit', 'view', 'rekey']:
self.b_vault_pass = self.ask_vault_passwords()
else:
self.b_vault_pass = self.ask_new_vault_passwords()
if not self.b_vault_pass:
raise AnsibleOptionsError(
"A password is required to use Ansible's Vault")
if self.action == 'rekey':
if not self.b_new_vault_pass:
self.b_new_vault_pass = self.ask_new_vault_passwords()
if not self.b_new_vault_pass:
raise AnsibleOptionsError(
"A password is required to rekey Ansible's Vault")
if self.action == 'encrypt_string':
if self.options.encrypt_string_prompt:
self.encrypt_string_prompt = True
self.editor = VaultEditor(self.b_vault_pass)
self.execute()
# and restore umask
os.umask(old_umask)
def test_rekey_migration(self):
"""
Skip testing rekeying files if we don't have access to AES, KDF or
Counter, or we are running on python3 since VaultAES hasn't been backported.
"""
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or sys.version > '3':
raise SkipTest
v10_file = tempfile.NamedTemporaryFile(delete=False)
with v10_file as f:
f.write(to_bytes(v10_data))
ve = VaultEditor(None, "ansible", v10_file.name)
# make sure the password functions for the cipher
error_hit = False
try:
ve.rekey_file('ansible2')
except errors.AnsibleError:
error_hit = True
# verify decrypted content
f = open(v10_file.name, "rb")
fdata = f.read()
f.close()
self.assertFalse(error_hit, "error rekeying 1.0 file to 1.1")
# ensure filedata can be decrypted, is 1.1 and is AES256
vl = VaultLib("ansible2")
dec_data = None
error_hit = False
try:
dec_data = vl.decrypt(fdata)
except errors.AnsibleError as e:
error_hit = True
os.unlink(v10_file.name)
self.assertEqual(
vl.cipher_name, "AES256",
"wrong cipher name set after rekey: %s" % vl.cipher_name)
self.assertFalse(error_hit, "error decrypting migrated 1.0 file")
self.assertEqual(
dec_data.strip(), "foo",
"incorrect decryption of rekeyed/migrated file: %s" % dec_data)
def run(self):
loader = DataLoader()
vault_ids = self.options.vault_ids
default_vault_ids = C.DEFAULT_VAULT_IDENTITY_LIST
vault_ids = default_vault_ids + vault_ids
encrypt_vault_id = None
vault_secrets = self.setup_vault_secrets(loader,
vault_ids=vault_ids,
vault_password_files=self.options.vault_password_files,
vault_pass=self.options.vault_pass)
encrypt_secret = match_encrypt_secret(vault_secrets,
encrypt_vault_id=encrypt_vault_id)
self.encrypt_vault_id = encrypt_secret[0]
self.encrypt_secret = encrypt_secret[1]
loader.set_vault_secrets(vault_secrets)
vault = VaultLib(vault_secrets)
self.editor = VaultEditor(vault)
def _ansible_vault_encrpyt(self, data):
'''
while True :
vault_tempfile = tempdir + '/vault' + random_str(ranlen=20) + '_' + str(int(time.time()))
result = write_file(vault_tempfile, 'w', data)
if result[0] :
break
'''
result = write_random_file(data)
if not result[0]:
return result
vault_tempfile = result[1]
ansible_vault = VaultEditor(self.password)
ansible_vault.decrypt_file(vault_tempfile)
result = read_file(vault_tempfile)
os.remove(vault_tempfile)
return result
def encrypt_credentials_file(passcode, deployment_name):
yaml.add_constructor(u'!vault', vault_constructor)
if os.path.isfile(deployment_name):
credentials_file = deployment_name
elif os.path.isdir(deployment_name):
credentials_file = os.path.join(deployment_name, 'credentials.yml')
else:
credentials_file = os.path.join(DEPLOYMENT_DIR, deployment_name,
'credentials.yml')
with open(credentials_file, 'r') as file:
credentials = yaml.load(file.read().decode("utf-8"),
Loader=yaml.Loader)
with open('schemas/credentials.json') as credentials_schema:
data = yaml.load(credentials_schema.read().decode("utf-8"),
Loader=yaml.Loader)
props = data['items']['properties']
do_not_encrypt_list = []
for k, v in props.items():
if ('encrypt' in v) and (not v['encrypt']):
do_not_encrypt_list.append(k)
if credentials is not None:
for cred_set in credentials:
for cred in list(cred_set.keys()):
if cred not in do_not_encrypt_list:
secret = VaultSecret(passcode)
editor = VaultEditor()
if not is_encrypted(cred_set[cred]):
vaultCode = editor.encrypt_bytes(
cred_set[cred], secret)
else:
vaultCode = cred_set[cred]
cred_set[cred] = '!vault |\n' + (vaultCode)
gen_example = ExampleFileGenerator(False, True)
example_lines = gen_example.generate_example_from_schema(
'schemas/credentials.json')
template = jinja2.Template(example_lines)
credentials = template.render(credentials=credentials)
with open(credentials_file, 'w') as file:
file.write(credentials.encode("utf-8"))
def run(self):
super(VaultCLI, self).run()
loader = DataLoader()
# set default restrictive umask
old_umask = os.umask(0o077)
if self.options.vault_password_file:
# read vault_pass from a file
self.vault_pass = CLI.read_vault_password_file(
self.options.vault_password_file, loader)
if self.options.new_vault_password_file:
# for rekey only
self.new_vault_pass = CLI.read_vault_password_file(
self.options.new_vault_password_file, loader)
if not self.vault_pass or self.options.ask_vault_pass:
self.vault_pass = self.ask_vault_passwords()
if not self.vault_pass:
raise AnsibleOptionsError(
"A password is required to use Ansible's Vault")
if self.action == 'rekey':
if not self.new_vault_pass:
self.new_vault_pass = self.ask_new_vault_passwords()
if not self.new_vault_pass:
raise AnsibleOptionsError(
"A password is required to rekey Ansible's Vault")
if self.action == 'encrypt_string':
if self.options.encrypt_string_prompt:
self.encrypt_string_prompt = True
self.editor = VaultEditor(self.vault_pass)
self.execute()
# and restore umask
os.umask(old_umask)
def run(self):
super(VaultCLI, self).run()
loader = DataLoader()
if self.options.vault_password_file:
# read vault_pass from a file
self.vault_pass = CLI.read_vault_password_file(self.options.vault_password_file, loader)
else:
self.vault_pass, _= self.ask_vault_passwords(ask_vault_pass=True, ask_new_vault_pass=False, confirm_new=False)
if self.options.new_vault_password_file:
# for rekey only
self.new_vault_pass = CLI.read_vault_password_file(self.options.new_vault_password_file, loader)
if not self.vault_pass:
raise AnsibleOptionsError("A password is required to use Ansible's Vault")
self.editor = VaultEditor(self.vault_pass)
self.execute()
def library_mode():
from ansible.parsing.vault import VaultEditor
from ansible.parsing.vault import VaultFile
vaultObject = VaultEditor(argv[2])
try:
if argv[3] == "encrypt":
vaultObject.encrypt_file(argv[1], argv[1] + ".tmp")
elif argv[3] == "decrypt":
vaultObject.decrypt_file(argv[1], argv[1] + ".tmp")
else:
print "Nothing to do"
exit(0)
os.rename(argv[1], argv[1] + ".bkp")
os.rename(argv[1] + ".tmp", argv[1])
os.remove(argv[1] + ".bkp")
print argv[3] + " " + argv[1] + ": OK"
except Exception, e:
print >> sys.stderr, "Exception: %s" % str(e)
exit(1)
def _save_to_vault(path: str,
obj: object,
yaml: Optional[ModuleType] = None,
encoding: Optional[str] = None,
fd: Union[str, int] = None) -> bool:
vaultExt = path.endswith(".vault")
if vaultExt or encoding == "vault":
assert yaml and yaml.representer.vault and yaml.representer.vault.secrets
vaultlib = yaml.representer.vault
vault = VaultEditor(vaultlib)
f = io.BytesIO()
vpath = path[:-len(".vault")] if vaultExt else path
dump(obj, f, vpath, yaml, encoding)
# the first vaultid is the most specific to the current project so encrypt with that one
vault_id, secret = vaultlib.secrets[0]
b_vaulttext = vaultlib.encrypt(f.getvalue(),
secret=secret,
vault_id=vault_id)
vault.write_data(b_vaulttext, fd or path)
return True
return False
def test_rekey_migration(self):
# Skip testing rekeying files if we don't have access to AES, KDF or Counter.
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
raise SkipTest
v10_file = tempfile.NamedTemporaryFile(delete=False)
with v10_file as f:
f.write(to_bytes(v10_data))
ve = VaultEditor("ansible")
# make sure the password functions for the cipher
error_hit = False
try:
ve.rekey_file(v10_file.name, 'ansible2')
except errors.AnsibleError:
error_hit = True
# verify decrypted content
f = open(v10_file.name, "rb")
fdata = f.read()
f.close()
assert error_hit is False, "error rekeying 1.0 file to 1.1"
# ensure filedata can be decrypted, is 1.1 and is AES256
vl = VaultLib("ansible2")
dec_data = None
error_hit = False
try:
dec_data = vl.decrypt(fdata)
except errors.AnsibleError:
error_hit = True
os.unlink(v10_file.name)
assert vl.cipher_name == "AES256", "wrong cipher name set after rekey: %s" % vl.cipher_name
assert error_hit is False, "error decrypting migrated 1.0 file"
assert dec_data.strip(
) == b"foo", "incorrect decryption of rekeyed/migrated file: %s" % dec_data
def run(self):
super(VaultCLI, self).run()
loader = DataLoader()
# set default restrictive umask
old_umask = os.umask(0o077)
if self.options.vault_password_file:
# read vault_pass from a file
self.vault_pass = CLI.read_vault_password_file(
self.options.vault_password_file, loader)
else:
newpass = False
rekey = False
if not self.options.new_vault_password_file:
newpass = (self.action in ['create', 'rekey', 'encrypt'])
rekey = (self.action == 'rekey')
self.vault_pass, self.new_vault_pass = self.ask_vault_passwords(
ask_new_vault_pass=newpass, rekey=rekey)
if self.options.new_vault_password_file:
# for rekey only
self.new_vault_pass = CLI.read_vault_password_file(
self.options.new_vault_password_file, loader)
if not self.vault_pass:
raise AnsibleOptionsError(
"A password is required to use Ansible's Vault")
self.editor = VaultEditor(self.vault_pass)
self.execute()
# and restore umask
os.umask(old_umask)
def _vault_editor(self, vault_secrets=None):
if vault_secrets is None:
vault_secrets = self._secrets(self.vault_password)
return VaultEditor(VaultLib(vault_secrets))
def init(self):
self.vault_editor = VaultEditor(self.vault_password)
self.vault_lib = VaultLib(self.vault_password)
def execute_create(self):
cipher = getattr(self.options, 'cipher', self.CIPHER)
this_editor = VaultEditor(cipher, self.vault_pass, self.args[0])
this_editor.create_file()
def execute_view(self):
for f in self.args:
this_editor = VaultEditor(None, self.vault_pass, f)
this_editor.view_file()
def run(self):
super(VaultCLI, self).run()
loader = DataLoader()
# set default restrictive umask
old_umask = os.umask(0o077)
vault_ids = list(context.CLIARGS['vault_ids'])
# there are 3 types of actions, those that just 'read' (decrypt, view) and only
# need to ask for a password once, and those that 'write' (create, encrypt) that
# ask for a new password and confirm it, and 'read/write (rekey) that asks for the
# old password, then asks for a new one and confirms it.
default_vault_ids = C.DEFAULT_VAULT_IDENTITY_LIST
vault_ids = default_vault_ids + vault_ids
action = context.CLIARGS['action']
# TODO: instead of prompting for these before, we could let VaultEditor
# call a callback when it needs it.
if action in ['decrypt', 'view', 'rekey', 'edit']:
vault_secrets = self.setup_vault_secrets(loader, vault_ids=vault_ids,
vault_password_files=list(context.CLIARGS['vault_password_files']),
ask_vault_pass=context.CLIARGS['ask_vault_pass'])
if not vault_secrets:
raise AnsibleOptionsError("A vault password is required to use Ansible's Vault")
if action in ['encrypt', 'encrypt_string', 'create']:
encrypt_vault_id = None
# no --encrypt-vault-id context.CLIARGS['encrypt_vault_id'] for 'edit'
if action not in ['edit']:
encrypt_vault_id = context.CLIARGS['encrypt_vault_id'] or C.DEFAULT_VAULT_ENCRYPT_IDENTITY
vault_secrets = None
vault_secrets = \
self.setup_vault_secrets(loader,
vault_ids=vault_ids,
vault_password_files=list(context.CLIARGS['vault_password_files']),
ask_vault_pass=context.CLIARGS['ask_vault_pass'],
create_new_password=True)
if len(vault_secrets) > 1 and not encrypt_vault_id:
raise AnsibleOptionsError("The vault-ids %s are available to encrypt. Specify the vault-id to encrypt with --encrypt-vault-id" %
','.join([x[0] for x in vault_secrets]))
if not vault_secrets:
raise AnsibleOptionsError("A vault password is required to use Ansible's Vault")
encrypt_secret = match_encrypt_secret(vault_secrets,
encrypt_vault_id=encrypt_vault_id)
# only one secret for encrypt for now, use the first vault_id and use its first secret
# TODO: exception if more than one?
self.encrypt_vault_id = encrypt_secret[0]
self.encrypt_secret = encrypt_secret[1]
if action in ['rekey']:
encrypt_vault_id = context.CLIARGS['encrypt_vault_id'] or C.DEFAULT_VAULT_ENCRYPT_IDENTITY
# print('encrypt_vault_id: %s' % encrypt_vault_id)
# print('default_encrypt_vault_id: %s' % default_encrypt_vault_id)
# new_vault_ids should only ever be one item, from
# load the default vault ids if we are using encrypt-vault-id
new_vault_ids = []
if encrypt_vault_id:
new_vault_ids = default_vault_ids
if context.CLIARGS['new_vault_id']:
new_vault_ids.append(context.CLIARGS['new_vault_id'])
new_vault_password_files = []
if context.CLIARGS['new_vault_password_file']:
new_vault_password_files.append(context.CLIARGS['new_vault_password_file'])
new_vault_secrets = \
self.setup_vault_secrets(loader,
vault_ids=new_vault_ids,
vault_password_files=new_vault_password_files,
ask_vault_pass=context.CLIARGS['ask_vault_pass'],
create_new_password=True)
if not new_vault_secrets:
raise AnsibleOptionsError("A new vault password is required to use Ansible's Vault rekey")
# There is only one new_vault_id currently and one new_vault_secret, or we
# use the id specified in --encrypt-vault-id
new_encrypt_secret = match_encrypt_secret(new_vault_secrets,
encrypt_vault_id=encrypt_vault_id)
self.new_encrypt_vault_id = new_encrypt_secret[0]
self.new_encrypt_secret = new_encrypt_secret[1]
loader.set_vault_secrets(vault_secrets)
# FIXME: do we need to create VaultEditor here? its not reused
vault = VaultLib(vault_secrets)
self.editor = VaultEditor(vault)
context.CLIARGS['func']()
# and restore umask
os.umask(old_umask)
def run(self):
super(VaultCLI, self).run()
loader = DataLoader()
# set default restrictive umask
old_umask = os.umask(0o077)
vault_ids = self.options.vault_ids
# there are 3 types of actions, those that just 'read' (decrypt, view) and only
# need to ask for a password once, and those that 'write' (create, encrypt) that
# ask for a new password and confirm it, and 'read/write (rekey) that asks for the
# old password, then asks for a new one and confirms it.
default_vault_ids = C.DEFAULT_VAULT_IDENTITY_LIST
vault_ids = default_vault_ids + vault_ids
# TODO: instead of prompting for these before, we could let VaultEditor
# call a callback when it needs it.
if self.action in ['decrypt', 'view', 'rekey', 'edit']:
vault_secrets = self.setup_vault_secrets(loader,
vault_ids=vault_ids,
vault_password_files=self.options.vault_password_files,
ask_vault_pass=self.options.ask_vault_pass)
if not vault_secrets:
raise AnsibleOptionsError("A vault password is required to use Ansible's Vault")
if self.action in ['encrypt', 'encrypt_string', 'create']:
if len(vault_ids) > 1:
raise AnsibleOptionsError("Only one --vault-id can be used for encryption")
vault_secrets = None
vault_secrets = \
self.setup_vault_secrets(loader,
vault_ids=vault_ids,
vault_password_files=self.options.vault_password_files,
ask_vault_pass=self.options.ask_vault_pass,
create_new_password=True)
if not vault_secrets:
raise AnsibleOptionsError("A vault password is required to use Ansible's Vault")
encrypt_secret = match_encrypt_secret(vault_secrets)
# only one secret for encrypt for now, use the first vault_id and use its first secret
# self.encrypt_vault_id = list(vault_secrets.keys())[0]
# self.encrypt_secret = vault_secrets[self.encrypt_vault_id][0]
self.encrypt_vault_id = encrypt_secret[0]
self.encrypt_secret = encrypt_secret[1]
if self.action in ['rekey']:
new_vault_ids = []
if self.options.new_vault_id:
new_vault_ids.append(self.options.new_vault_id)
new_vault_secrets = \
self.setup_vault_secrets(loader,
vault_ids=new_vault_ids,
vault_password_files=self.options.new_vault_password_files,
ask_vault_pass=self.options.ask_vault_pass,
create_new_password=True)
if not new_vault_secrets:
raise AnsibleOptionsError("A new vault password is required to use Ansible's Vault rekey")
# There is only one new_vault_id currently and one new_vault_secret
new_encrypt_secret = match_encrypt_secret(new_vault_secrets)
self.new_encrypt_vault_id = new_encrypt_secret[0]
self.new_encrypt_secret = new_encrypt_secret[1]
loader.set_vault_secrets(vault_secrets)
# FIXME: do we need to create VaultEditor here? its not reused
vault = VaultLib(vault_secrets)
self.editor = VaultEditor(vault)
self.execute()
# and restore umask
os.umask(old_umask)
def get_editor(secret):
return VaultEditor(VaultLib([(DEFAULT_VAULT_ID_MATCH, secret)]))
def init(self):
self.vault_editor = VaultEditor(self.vault_password)
decryptor = cipher.decryptor()
unpadder = padding.PKCS7(128).unpadder()
plaintext = decryptor.update(cipher_text) #+ decryptor.finalize()
print(default_backend())
print("Without padding")
print(plaintext)
print plaintext
plaintext = aes._decrypt_cryptography(cipher_text, crypted_hmac, key1, key2,
iv)
print plaintext
b_hmac, b_cipher_text = VaultAES256._encrypt_cryptography(
plaintext, key1, key2, iv)
print b_hmac
print b_cipher_text
cipher = C_Cipher(algorithms.AES(key1), modes.CTR(iv), default_backend())
encryptor = cipher.encryptor()
cipher_text = encryptor.update(plaintext)
cipher_text += encryptor.finalize()
print hexlify(cipher_text)
#aes.
padder = padding.PKCS7(algorithms.AES.block_size).padder()
padded_text = padder.update(plaintext) + padder.finalize()
print "'" + padded_text + "'"
editor = VaultEditor(lib)
#editor.decrypt_file(filename)
