def backup(path, password_file=None):
"""
Replaces the contents of a file with its decrypted counterpart, storing the
original encrypted version and a hash of the file contents for later
retrieval.
"""
vault = VaultLib(get_vault_password(password_file))
with open(path, 'r') as f:
encrypted_data = f.read()
# Normally we'd just try and catch the exception, but the
# exception raised here is not very specific (just
# `AnsibleError`), so this feels safer to avoid suppressing
# other things that might go wrong.
if vault.is_encrypted(encrypted_data):
decrypted_data = vault.decrypt(encrypted_data)
# Create atk vault files
atk_path = os.path.join(ATK_VAULT, path)
mkdir_p(atk_path)
# ... encrypted
with open(os.path.join(atk_path, 'encrypted'), 'wb') as f:
f.write(encrypted_data)
# ... hash
with open(os.path.join(atk_path, 'hash'), 'wb') as f:
f.write(hashlib.sha1(decrypted_data).hexdigest())
# Replace encrypted file with decrypted one
with open(path, 'wb') as f:
f.write(decrypted_data)
def restore(path, password_file=None):
"""
Retrieves a file from the atk vault and restores it to its original
location, re-encrypting it if it has changed.
:param path: path to original file
"""
vault = VaultLib(get_vault_password(password_file))
atk_path = os.path.join(ATK_VAULT, path)
# Load stored data
with open(os.path.join(atk_path, 'encrypted'), 'rb') as f:
old_data = f.read()
with open(os.path.join(atk_path, 'hash'), 'rb') as f:
old_hash = f.read()
# Load new data
with open(path, 'rb') as f:
new_data = f.read()
new_hash = hashlib.sha1(new_data).hexdigest()
# Determine whether to re-encrypt
if old_hash != new_hash:
new_data = vault.encrypt(new_data)
else:
new_data = old_data
# Update file
with open(path, 'wb') as f:
f.write(new_data)
# Clean atk vault
os.remove(os.path.join(atk_path, 'encrypted'))
os.remove(os.path.join(atk_path, 'hash'))
def decrypt_diff(diff_part, password_file=None):
"""
Diff part is a string in the format:
diff --git a/group_vars/foo b/group_vars/foo
index c09080b..0d803bb 100644
--- a/group_vars/foo
+++ b/group_vars/foo
@@ -1,32 +1,33 @@
$ANSIBLE_VAULT;1.1;AES256
-61316662363730313230626432303662316330323064373866616436623565613033396539366263
-383632656663356364656531653039333965
+30393563383639396563623339383936613866326332383162306532653239636166633162323236
+62376161626137626133
Returns a tuple of decrypted old contents and decrypted new contents.
"""
vault = VaultLib(get_vault_password(password_file))
old_contents, new_contents = get_contents(diff_part)
if vault.is_encrypted(old_contents):
old_contents = vault.decrypt(old_contents)
if vault.is_encrypted(new_contents):
new_contents = vault.decrypt(new_contents)
return old_contents, new_contents
