def test_ensure_type_with_vaulted_str(self, value_type):
class MockVault:
def decrypt(self, value):
return value
vault_var = AnsibleVaultEncryptedUnicode(b"vault text")
vault_var.vault = MockVault()
actual_value = ensure_type(vault_var, value_type)
assert actual_value == "vault text"
def test_entry_as_vault_var(self):
class MockVault:
def decrypt(self, value, filename=None, obj=None):
return value
vault_var = AnsibleVaultEncryptedUnicode(b"vault text")
vault_var.vault = MockVault()
actual_value, actual_origin = self.manager._loop_entries({'name': vault_var}, [{'name': 'name'}])
assert actual_value == "vault text"
assert actual_origin == "name"
def _decode_map(self, value):
if value.get('__ansible_unsafe', False):
value = wrap_var(value.get('__ansible_unsafe'))
elif value.get('__ansible_vault', False):
value = AnsibleVaultEncryptedUnicode(value.get('__ansible_vault'))
if self._vaults:
value.vault = self._vaults['default']
else:
for k in value:
if isinstance(value[k], Mapping):
value[k] = self._decode_map(value[k])
return value
def object_hook(self, pairs):
for key in pairs:
value = pairs[key]
if key == '__ansible_vault':
value = AnsibleVaultEncryptedUnicode(value)
if self._vaults:
value.vault = self._vaults['default']
return value
elif key == '__ansible_unsafe':
return wrap_var(value)
return pairs
def construct_vault_encrypted_unicode(self, node):
value = self.construct_scalar(node)
ciphertext_data = to_bytes(value)
if self._vault_password is None:
raise ConstructorError(None, None,
"found vault but no vault password provided", node.start_mark)
# could pass in a key id here to choose the vault to associate with
vault = self._vaults['default']
ret = AnsibleVaultEncryptedUnicode(ciphertext_data)
ret.vault = vault
return ret
def _decode_map(self, value):
if value.get('__ansible_unsafe', False):
value = wrap_var(value.get('__ansible_unsafe'))
elif value.get('__ansible_vault', False):
value = AnsibleVaultEncryptedUnicode(value.get('__ansible_vault'))
if self._vaults:
value.vault = self._vaults['default']
else:
for k in value:
if isinstance(value[k], Mapping):
value[k] = self._decode_map(value[k])
return value
def construct_vault_encrypted_unicode(self, node):
value = self.construct_scalar(node)
b_ciphertext_data = to_bytes(value)
# could pass in a key id here to choose the vault to associate with
# TODO/FIXME: plugin vault selector
vault = self._vaults['default']
if vault.secrets is None:
raise ConstructorError(context=None, context_mark=None,
problem="found !vault but no vault password provided",
problem_mark=node.start_mark,
note=None)
ret = AnsibleVaultEncryptedUnicode(b_ciphertext_data)
ret.vault = vault
return ret
def construct_vault_encrypted_unicode(self, node):
value = self.construct_scalar(node)
b_ciphertext_data = to_bytes(value)
# could pass in a key id here to choose the vault to associate with
# TODO/FIXME: plugin vault selector
vault = self._vaults['default']
if vault.secrets is None:
raise ConstructorError(context=None, context_mark=None,
problem="found !vault but no vault password provided",
problem_mark=node.start_mark,
note=None)
ret = AnsibleVaultEncryptedUnicode(b_ciphertext_data)
ret.vault = vault
return ret
def test_embedded_vault_from_dump(self):
avu = AnsibleVaultEncryptedUnicode.from_plaintext(
'setec astronomy', self.vault, self.vault_secret)
blip = {
'stuff1': [{
'a dict key': 24
}, {
'shhh-ssh-secrets': avu,
'nothing to see here': 'move along'
}],
'another key':
24.1
}
blip = ['some string', 'another string', avu]
stream = NameStringIO()
self._dump_stream(blip, stream, dumper=AnsibleDumper)
stream.seek(0)
stream.seek(0)
loader = self._loader(stream)
data_from_yaml = loader.get_data()
stream2 = NameStringIO(u'')
# verify we can dump the object again
self._dump_stream(data_from_yaml, stream2, dumper=AnsibleDumper)
def do_vault(data,
secret,
salt=None,
vaultid='filter_default',
wrap_object=False):
if not isinstance(secret, (string_types, binary_type, Undefined)):
raise AnsibleFilterTypeError(
"Secret passed is required to be a string, instead we got: %s" %
type(secret))
if not isinstance(data, (string_types, binary_type, Undefined)):
raise AnsibleFilterTypeError(
"Can only vault strings, instead we got: %s" % type(data))
vault = ''
vs = VaultSecret(to_bytes(secret))
vl = VaultLib()
try:
vault = vl.encrypt(to_bytes(data), vs, vaultid, salt)
except UndefinedError:
raise
except Exception as e:
raise AnsibleFilterError("Unable to encrypt: %s" % to_native(e),
orig_exc=e)
if wrap_object:
vault = AnsibleVaultEncryptedUnicode(vault)
else:
vault = to_native(vault)
return vault
def test_embedded_vault_from_dump(self):
avu = AnsibleVaultEncryptedUnicode.from_plaintext('setec astronomy', vault=self.vault)
blip = {'stuff1': [{'a dict key': 24},
{'shhh-ssh-secrets': avu,
'nothing to see here': 'move along'}],
'another key': 24.1}
blip = ['some string', 'another string', avu]
stream = NameStringIO()
self._dump_stream(blip, stream, dumper=AnsibleDumper)
print(stream.getvalue())
stream.seek(0)
stream.seek(0)
loader = self._loader(stream)
data_from_yaml = loader.get_data()
stream2 = NameStringIO(u'')
# verify we can dump the object again
self._dump_stream(data_from_yaml, stream2, dumper=AnsibleDumper)
def test_dump_load_cycle(self):
avu = AnsibleVaultEncryptedUnicode.from_plaintext('The plaintext for test_dump_load_cycle.', self.vault, self.vault_secret)
self._dump_load_cycle(avu)
def test_dump_load_cycle(self):
avu = AnsibleVaultEncryptedUnicode.from_plaintext('The plaintext for test_dump_load_cycle.', vault=self.vault)
self._dump_load_cycle(avu)
@pytest.mark.parametrize('value', ([None], (None,), ['one', None]))
def test_play_none_hosts(value):
with pytest.raises(AnsibleParserError, match="Hosts list cannot contain values of 'None'"):
Play.load({'hosts': value})
@pytest.mark.parametrize(
'value',
(
{'one': None},
{'one': 'two'},
True,
1,
1.75,
AnsibleVaultEncryptedUnicode('secret'),
)
)
def test_play_invalid_hosts_sequence(value):
with pytest.raises(AnsibleParserError, match='Hosts list must be a sequence or string'):
Play.load({'hosts': value})
@pytest.mark.parametrize(
'value',
(
[[1, 'two']],
[{'one': None}],
[set((None, 'one'))],
['one', 'two', {'three': None}],
['one', 'two', {'three': 'four'}],
