def callback(self, args):
file_prefix = os.path.splitext(args.private_key_file)[0]
args.vault_password_file = args.vault_password_file or \
"{}.vault_password".format(file_prefix)
if os.path.exists(args.vault_password_file):
with open(args.vault_password_file, "r") as f:
vault_password = f.read().strip()
if vault_password is None:
raise YBOpsRuntimeError("Unable to read {}".format(
args.vault_password_file))
else:
raise YBOpsRuntimeError("Vault password file doesn't exists.")
if args.vault_file is None:
args.vault_file = "{}.vault".format(file_prefix)
vault = Vault(vault_password)
data = vault.load(open(args.vault_file).read())
if args.has_sudo_password:
if not YB_SUDO_PASS:
raise YBOpsRuntimeError("Did not find sudo password.")
data['ansible_become_pass'] = YB_SUDO_PASS
vault.dump(data, open(args.vault_file, 'w'))
print(
json.dumps({
"vault_file": args.vault_file,
"vault_password": args.vault_password_file
}))
def decrypt_file(path, password_file, newpath=None):
'''Decrypts an Ansible Vault YAML file and returns a dict. Set newpath to
write the result somewhere.'''
# log.debug('decrypt_file({}, {}, {})'.format(path, password_file, newpath))
if is_file_secret(path):
# log.debug('file is fully encrypted')
with open(password_file) as f:
vault = Vault(f.read().strip())
# log.debug('vault fetched with password file: {}'.format(password_file))
with open(path) as f:
r = vault.load(f.read())
# log.debug('loaded file: {}'.format(r))
else:
r = parse_yaml(path)
for s in find_yaml_secrets(r):
v = get_dict_value(r, s)
plaintext = v.decrypt(open(password_file).read().strip())
put_dict_value(r, s, plaintext)
if not r:
raise ValueError(
'The Vault library extracted nothing from the file. Is it actually encrypted?'
)
if newpath:
if not os.path.isdir(os.path.dirname(newpath)):
os.makedirs(os.path.dirname(newpath))
with open(newpath, 'w+') as f:
f.write(yaml.dump(r))
return r
def combine_vault_with_playbook(self, data, content):
"""Combines the vault data with the playbook data
Args:
data (dict)
content (dict)
Returns:
dict
"""
vault = Vault(config.settings['common']['vault_enc_key'])
secrets = vault.load(base64.b64decode(data['vault']))
for k, v in content[0]['tasks'][1]['param_pusher'][
'parameters'].iteritems():
if ('VAULT' in v) and (
k in content[0]['tasks'][1]['param_pusher']['parameters']):
if "VAULT_{}".format(k) in secrets:
content[0]['tasks'][1]['param_pusher']['parameters'][
k] = secrets["VAULT_" + k]
else:
print v
print "VAULT_{}".format(k)
print secrets
content[0]['tasks'][1]['param_pusher']['parameters'][
k] = "KEY NAME MISMATCH"
return content[0]['tasks'][1]['param_pusher']['parameters']
def decrypt(vault_string, vault_pass):
"""Decrypt a VaultString object with a specified Vault pass."""
if not isinstance(vault_string, VaultString):
raise TypeError('vault_string must be an instance of VaultString')
vault = Vault(vault_pass)
return vault.load(vault_string.value)
def write_group_vars(settings):
vault_secret = open("ansible/.vault_pass.txt", "r").read().rstrip("\n")
vault = Vault(vault_secret)
secret_keywords = [
"user", "pass", "access_key", "secret_key", "token", "ansible_user",
"ansible_become_pass"
]
for k, v in settings.items():
secrets = dict()
options = dict()
for i in v:
if i in secret_keywords:
secrets[i] = v[i]
else:
if i != "host":
options[i] = v[i]
vault.dump(secrets,
open("ansible/group_vars/{}/vault.yml".format(k), "wb"))
if options:
with open("ansible/group_vars/{}/options.yml".format(k),
"w") as infile:
yaml.dump(options, infile)
def encrypt_file(path, password_file, newpath=None, secrets=None):
'''Encrypts an Ansible Vault YAML file. Returns encrypted data. Set newpath to
write the result somewhere. Set secrets to specify inline secret addresses.'''
log.debug('Reading decrypted data from {}...'.format(path))
data = parse_yaml(path)
if not data:
raise ValueError('The YAML file "{}" could not be parsed'.format(path))
else:
log.debug('Got vars: {}'.format(data))
with open(password_file) as f:
p = f.read().strip()
log.debug('Read pass from {}: {}'.format(password_file, p))
if secrets:
# newdata = data.copy()
secrets = list(secrets)
log.debug('Received {} secrets: {}'.format(len(secrets), secrets))
for address in secrets:
plaintext = get_dict_value(data, address)
log.debug('Re-encrypting "{}" at {} with new password...'.format(
plaintext, address))
put_dict_value(
data, address,
VaultString.encrypt(plaintext=plaintext, password=p))
if newpath:
log.debug('Writing {} to {}...'.format(data, newpath, p))
write_yaml(newpath, data)
return data
else:
vault = Vault(p)
encrypted = vault.dump(data)
with open(newpath, 'w') as f:
f.write(encrypted)
return encrypted
def get_yaml_vault_data():
"""Gets data from vault and prints it."""
vault_pass_file = open(ARGS.vault_password_file, "r")
vault_password = vault_pass_file.read()
vault = Vault(vault_password.rstrip())
vault_data = vault.load(open(ARGS.vaultfile).read())
myoutput = vault_data.get(ARGS.yaml_key)
return myoutput
def _set_secret(self, var, value):
# No effort is made to preserve the original YAML format (comments, etc.),
# and no edge cases are handled (e.g. vault does not exist, etc.)
data = self._get_vault_variables() or {}
data[var] = value
vault = Vault(self._get_ansible_vault_password())
with open(self.vault_file_path, 'wb') as vf:
vault.dump(data, vf)
self._get_vault_variables.reset_cache(self)
def callback(self, args):
file_prefix = os.path.splitext(args.private_key_file)[0]
try:
if args.vault_password_file is None:
vault_password = generate_random_password()
args.vault_password_file = "{}.vault_password".format(
file_prefix)
with open(args.vault_password_file, "w") as f:
f.write(vault_password)
elif os.path.exists(args.vault_password_file):
with open(args.vault_password_file, "r") as f:
vault_password = f.read().strip()
if vault_password is None:
raise YBOpsRuntimeError("Unable to read {}".format(
args.vault_password_file))
else:
raise YBOpsRuntimeError("Vault password file doesn't exist.")
if args.vault_file is None:
args.vault_file = "{}.vault".format(file_prefix)
rsa_key = validated_key_file(args.private_key_file)
except Exception:
self._cleanup_dir(os.path.dirname(args.private_key_file))
raise
# TODO: validate if the file provided is actually a private key file or not.
public_key = format_rsa_key(rsa_key, public_key=True)
private_key = format_rsa_key(rsa_key, public_key=False)
self.cluster_vault.update(id_rsa=private_key,
id_rsa_pub=public_key,
authorized_keys=public_key)
# These are saved for itest specific improvements.
aws_access_key = os.environ.get('AWS_ACCESS_KEY_ID', "")
aws_secret = os.environ.get('AWS_SECRET_ACCESS_KEY', "")
if aws_access_key and aws_secret:
self.cluster_vault.update(
AWS_ACCESS_KEY_ID=os.environ['AWS_ACCESS_KEY_ID'],
AWS_SECRET_ACCESS_KEY=os.environ['AWS_SECRET_ACCESS_KEY'])
vault_data = dict(cluster_server_vault=self.cluster_vault)
if args.has_sudo_password:
sudo_password = getpass.getpass("SUDO Password: "******"ansible_become_pass": sudo_password})
vault = Vault(vault_password)
vault.dump(vault_data, open(args.vault_file, 'w'))
print(
json.dumps({
"vault_file": args.vault_file,
"vault_password": args.vault_password_file
}))
def main():
home = expanduser("~")
failed = False
fields = {
"file": {
"required": True,
"type": "str"
},
"region": {
"required": True,
"type": "str"
},
"roles": {
"required": True,
"type": "list"
},
}
module = AnsibleModule(argument_spec=fields)
try:
file = open(home + "/" + module.params['file'], "r")
access_key = file.readline().rstrip('\n')
secret_key = file.readline().rstrip('\n')
file.close()
file = open(home + "/" + "passwd/ansible-passwd", "r")
data = {
"region": module.params['region'],
"access_key": access_key,
"secret_key": secret_key
}
vault = Vault(file.readline().rstrip('\n'))
awsconffile = open(home + "/" + ".aws/credentials", "w")
awsconffile.write('[default]\n')
awsconffile.write('aws_access_key_id = ' + access_key + '\n')
awsconffile.write('aws_secret_access_key= ' + secret_key + '\n')
awsconffile.close()
awsconffile = open(home + "/" + ".aws/config", "w")
awsconffile.write('[default]\n')
awsconffile.write('region = ' + module.params['region'] + '\n')
awsconffile.close()
for role in module.params['roles']:
vault.dump(data, open("./roles/" + role + "/vars/vault.yml", "w"))
response = "Done"
except:
response = "Error"
failed = True
module.exit_json(changed=False, meta=response, failed=failed)
def test_default(host):
vars = host.ansible.get_variables()
vault_pass = open("../../molecule/.vault_pass",
"r").read().replace("\n", "")
vault = Vault(vault_pass)
decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"])
decrypted_user = vault.load(vars["http_user"]["__ansible_vault"])
decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"])
mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass)
settings = mgmt.tm.gtm.global_settings.metrics.load()
assert settings.defaultProbeLimit == 10
def test_default(host):
vars = host.ansible.get_variables()
vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "")
vault = Vault(vault_pass)
decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"])
decrypted_user = vault.load(vars["http_user"]["__ansible_vault"])
decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"])
mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass)
tg = mgmt.tm.cm.traffic_groups.traffic_group.load(name="my_traffic_group")
assert tg.name == "my_traffic_group"
assert tg.description == "My traffic group"
def convert(yaml_file, vault_pass, out_file=None):
if not out_file:
out_file = yaml_file
vault = Vault(vault_pass)
unencrypted_data = vault.load(open(yaml_file).read())
encrypted_data = encrypt_values(unencrypted_data,
vault_pass)
yaml.safe_dump(encrypted_data,
open(out_file, 'w'),
default_style='|',
default_flow_style=False)
def test_default(host):
vars = host.ansible.get_variables()
vault_pass = open("../../molecule/.vault_pass",
"r").read().replace("\n", "")
vault = Vault(vault_pass)
decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"])
decrypted_user = vault.load(vars["http_user"]["__ansible_vault"])
decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"])
mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass)
partition = mgmt.tm.auth.partitions.partition.load(name="my_partition")
assert partition.name == "my_partition"
assert partition.description == "My partition"
def test_default(host):
vars = host.ansible.get_variables()
vault_pass = open("../../molecule/.vault_pass",
"r").read().replace("\n", "")
vault = Vault(vault_pass)
decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"])
decrypted_user = vault.load(vars["http_user"]["__ansible_vault"])
decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"])
mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass)
td = mgmt.tm.cm.trust_domains.trust_domain.load(name="Root")
assert td.name == "Root"
assert hasattr(td, "caDevices") is False
def setup_roles(args, tags=None):
'''Used to assign and execute a role on a server'''
vpass = args.get('vault_pass', None)
vault_content = args.get('vault_content', None)
if vpass:
from ansible_vault import Vault
vault = Vault(vpass)
data = vault.load(vault_content)
return runplay(config.get('books', 'setup'),
args['servername'],
args=args,
tags=tags)
def test_default(host):
vars = host.ansible.get_variables()
vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "")
vault = Vault(vault_pass)
decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"])
decrypted_user = vault.load(vars["http_user"]["__ansible_vault"])
decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"])
mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass)
dc = mgmt.tm.gtm.datacenters.datacenter.load(name="my_datacenter")
assert dc.name == "my_datacenter"
assert dc.description == "My datacenter"
assert dc.contact == "admin@localhost"
assert dc.location == "Somewhere"
def test_default(host):
vars = host.ansible.get_variables()
vault_pass = open("../../molecule/.vault_pass",
"r").read().replace("\n", "")
vault = Vault(vault_pass)
decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"])
decrypted_user = vault.load(vars["http_user"]["__ansible_vault"])
decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"])
mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass)
monitor = mgmt.tm.gtm.monitor.tcps.tcp.load(name="my_tcp_monitor",
partition="Common")
assert monitor.name == "my_tcp_monitor"
assert monitor.partition == "Common"
assert monitor.description == "My tcp monitor"
def get_vault_variables(self):
# try unencrypted first for tests
with open(self.paths.vault_yml, 'r') as f:
vault_vars = yaml.load(f)
if isinstance(vault_vars, dict):
return vault_vars
while True:
try:
vault = Vault(self.get_ansible_vault_password())
with open(self.paths.vault_yml, 'r') as vf:
return vault.load(vf.read())
except AnsibleVaultError:
print('incorrect password')
self.get_ansible_vault_password.reset_cache(self)
def test_default(host):
vars = host.ansible.get_variables()
vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "")
vault = Vault(vault_pass)
decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"])
decrypted_user = vault.load(vars["http_user"]["__ansible_vault"])
decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"])
mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass)
listener = mgmt.tm.gtm.listeners.listener.load(
name="my_listener", partition="Common"
)
assert listener.name == "my_listener"
assert listener.partition == "Common"
assert listener.description == "My listener"
assert listener.address == "10.10.1.1"
class AnsibleVaultSearch(object):
def __init__(self, vault_password, vault_path):
try:
self.vault = Vault(vault_password)
self.data = self.vault.load(open(vault_path).read())
except Exception as e:
raise e
def search(self, query, raw_structure):
obj = None
last_attr = None
for attr in query.split("."):
try:
if not obj:
last_attr = attr
obj = self.data[attr]
else:
last_attr = attr
obj = obj[attr]
except (TypeError, KeyError):
# Type not dictionary, so fail as not implemented
obj = getattr(obj, attr)
if raw_structure:
print obj
else:
json_obj = json.dumps({last_attr: obj})
print json_obj
def get_creds_vault(vault_file,vault_password):
try:
vault = Vault(vault_password)
secrets = vault.load(open(vault_file).read())
except:
err=f"can't decode {vault_file}"
print(err)
logging.debug(f"ERROR: {err}")
sys.exit()
#####HACK for ansible version https://github.com/tomoh1r/ansible-vault/pull/34
#vault = VaultLib([(DEFAULT_VAULT_ID_MATCH, VaultSecret(vault_password.encode()))])
#secrets = yaml.safe_load(vault.decrypt(open(vault_file).read()))
#####
# print(secrets)
return secrets
def decrypt_keyfile_data(keyfile_data: bytes, password: str = None) -> bytes:
""" Decrypts passed keyfile data using ansible vault.
Args:
keyfile_data ( bytes, required ):
Bytes to validate
password ( bool, optional ):
It set, uses this password to decrypt data.
Returns:
decrypted_data (bytes):
Decrypted data.
Raises:
KeyFileError:
Raised if the file is corrupted or if the password is incorrect.
"""
password = getpass.getpass(
"Enter password to unlock key: ") if password == None else password
try:
password = getpass.getpass(
"Enter password to unlock key: ") if password == None else password
console = bittensor.__console__
with console.status(":key: Decrypting key..."):
# Ansible decrypt.
if keyfile_data_is_encrypted_ansible(keyfile_data):
vault = Vault(password)
decrypted_keyfile_data = vault.load(keyfile_data)
# Legacy decrypt.
elif keyfile_data_is_encrypted_legacy(keyfile_data):
__SALT = b"Iguesscyborgslikemyselfhaveatendencytobeparanoidaboutourorigins"
kdf = PBKDF2HMAC(algorithm=hashes.SHA256(),
salt=__SALT,
length=32,
iterations=10000000,
backend=default_backend())
key = base64.urlsafe_b64encode(kdf.derive(password.encode()))
cipher_suite = Fernet(key)
decrypted_keyfile_data = cipher_suite.decrypt(keyfile_data)
# Unknown.
else:
raise KeyFileError(
"Keyfile data: {} is corrupt".format(keyfile_data))
except (InvalidSignature, InvalidKey, InvalidToken):
raise KeyFileError('Invalid password')
if not isinstance(decrypted_keyfile_data, bytes):
decrypted_keyfile_data = json.dumps(decrypted_keyfile_data).encode()
return decrypted_keyfile_data
def test_default(host):
vars = host.ansible.get_variables()
vault_pass = open("../../molecule/.vault_pass",
"r").read().replace("\n", "")
vault = Vault(vault_pass)
decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"])
decrypted_user = vault.load(vars["http_user"]["__ansible_vault"])
decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"])
mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass)
dg = mgmt.tm.cm.device_groups.device_group.load(name="my_device_group")
assert dg.name == "my_device_group"
assert dg.description == "My device group"
devices = dg.devices_s.get_collection()
assert len(devices) == 1
decrypted_device_name = vault.load(vars["device_name"]["__ansible_vault"])
assert devices[0].name == decrypted_device_name
def _get_vault_variables(self):
# try unencrypted first for tests
with open(self.paths.vault_yml, 'r') as f:
vault_vars = yaml.safe_load(f)
if isinstance(vault_vars, dict):
return vault_vars
while True:
try:
vault = Vault(self._get_ansible_vault_password())
with open(self.paths.vault_yml, 'r') as vf:
return vault.load(vf.read())
except AnsibleVaultError:
if os.environ.get('ANSIBLE_VAULT_PASSWORD'):
raise
print('incorrect password')
self._get_ansible_vault_password.reset_cache(self)
def create_pool():
pooltype = request.form['pooltype']
poolname = request.form['poolname'].upper()
if pooltype == 'vmware':
vcname = request.form['vcname']
vcuser = request.form['vcuser']
vcpass = request.form['vcpass']
clustername = request.form['clustername']
networkname = request.form.get('networkname', None)
datastorename = request.form.get('datastorename', None)
datacentername = request.form.get('datacentername', None)
dbsession = db.get_session()
dbsession = db.get_session()
pooltable = db.get_pooltbl()
privatepool = db.get_privatepooltbl()
poolid = str(uuid.uuid4())
passwd = passgen()
#from Crypto.Cipher import AES
import base64
## Encryption
#encryption_suite = AES.new('BM^@Y5BENeX2qpw$rRRkfR1LQ5$jQtMf', AES.MODE_CBC, 'This is an IV456')
#passwd = encryption_suite.encrypt(passwd)
hashpass = base64.b64encode(passwd)
from ansible_vault import Vault
vault = Vault(passwd)
vault_content = vault.dump({'poolpass' : str(vcpass)})
hashcontent = base64.b64encode(vault_content)
try:
sys.path.append(ductrix_root)
dbsession.add(pooltable( poolname=poolname, pooltype=pooltype, poolid=poolid))
dbsession.add(privatepool(username=vcuser,password=hashpass, content=hashcontent, targetserver=vcname,
clusternm=clustername, poolid=poolid, networknm=networkname, storagenm=datastorename, datacenternm=datacentername))
dbsession.commit()
dbsession.close()
successmsg = "{0} Pool has been created sucessfully".format(poolname)
job_msg = gen_message("success", successmsg)
except Exception as inst:
error = inst
errormsg = "Error occured while connecting to {0} : {1} ".format(poolname, error)
job_msg = gen_message("danger", errormsg)
return redirect(url_for('pools', message=job_msg))
def _get_vault_variables(self):
# try unencrypted first for tests
with open(self.paths.vault_yml, 'r') as f:
vault_vars = yaml.safe_load(f)
if isinstance(vault_vars, dict):
return vault_vars
while True:
try:
vault = Vault(self._get_ansible_vault_password())
with open(self.paths.vault_yml, 'r') as vf:
return vault.load(vf.read())
except AnsibleVaultError:
if os.environ.get('ANSIBLE_VAULT_PASSWORD'):
raise
print('incorrect password')
self._get_ansible_vault_password.reset_cache(self)
def cli(token, url, login, password, vaultpass):
""" Tool for storing secrets
Client side encryption using ansible vault.
"""
global ts
ts = pillbox.secrets(url, login, password, token)
ts.vault = Vault(vaultpass)
def get_stack_password():
if IS_CW == 0:
vault = Vault(ANSIBLE_VAULT)
#try:
urllib3.contrib.pyopenssl.inject_into_urllib3()
urllib3.disable_warnings()
user_agent = {'user-agent': 'Mozilla/5.0 (Windows NT 6.3; rv:36.0) ..'}
http = urllib3.PoolManager(10, headers=user_agent)
url = 'https://api.github.com/repos/SplunkStorm/stax/contents/wormhole/secure_vars/tag_Stack_'+STACK+'/secure.yml?access_token='+TOKEN
result = http.request("GET",url)
if result.status == 200:
req = json.loads(result.data)
content = base64.decodestring(req['content'])
_pass = vault.load(content)['stack_password']
return _pass
else:
return "ERROR_404" #stack not found
#except:
# return "ERROR"
else:
return "ERROR_CW"
def test_default(host):
vars = host.ansible.get_variables()
vault_pass = open("../../molecule/.vault_pass", "r").read().replace("\n", "")
vault = Vault(vault_pass)
decrypted_host = vault.load(vars["ansible_host"]["__ansible_vault"])
decrypted_user = vault.load(vars["http_user"]["__ansible_vault"])
decrypted_pass = vault.load(vars["http_pass"]["__ansible_vault"])
mgmt = ManagementRoot(decrypted_host, decrypted_user, decrypted_pass)
user = mgmt.tm.auth.users.user.load(name="user1")
assert user.name == "user1"
assert user.description == "User 1"
partition_access = [
{"name": "Common", "role": "guest"},
{"name": "Test", "role": "operator"},
]
assert not DeepDiff(
partition_access,
user.partitionAccess,
exclude_regex_paths={r"root\[\d+\]\['nameReference'\]"},
)
class Vault():
@staticmethod
def to_encrypted_name(name):
return f'{name}.encrypted'
@staticmethod
def to_decrypted_name(name):
return '.'.join(name.split('.')[:-1])
def __init__(self, password):
self.ansible_vault = AnsibleVault(password)
self.fs = FileSystem()
def encrypt(self, src, dest=None):
srcs = self.fs.deserialize_name(src)
assert self.fs.is_file(srcs), 'src should be a file'
if not dest:
dests = srcs.copy()
dests[-1] = Vault.to_encrypted_name(srcs[-1])
dest = self.fs.serialize_name(dests)
with open(src, 'r') as input_file:
raw_data = input_file.read()
with open(dest, 'wb') as output_file:
self.ansible_vault.dump(raw_data, output_file)
def decrypt(self, src, dest=None):
srcs = self.fs.deserialize_name(src)
assert self.fs.is_file(srcs), 'src should be a file'
if not dest:
dests = srcs.copy()
dests[-1] = Vault.to_decrypted_name(srcs[-1])
dest = self.fs.serialize_name(dests)
with open(src, 'r') as input_file:
encrypted_data = input_file.read()
try:
decrypted_data = self.ansible_vault.load(encrypted_data)
except AnsibleVaultError as e:
raise Exception('Decrypt failed')
with open(dest, 'w') as output_file:
output_file.write(decrypted_data)
def openVaultFile(file):
vault = Vault(vaultpwd)
data = vault.load(open(vaultFile).read())
return data
def saveVaultFile(file, data):
vault = Vault(vaultpwd)
vault.dump(data, open(vaultFile, 'w'))
