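def load_yaml(yaml_file, vault_secret=None):
    """
    Load a YAML file into a python dictionary.

    The YAML file can be fully encrypted by Ansible-Vault or can contain
    multiple inline Ansible-Vault encrypted values. Ansible Vault
    encryption is ideal to store passwords or encrypt the entire file
    with sensitive data if required.

    The file text is first rendered as a template with ``env_var`` bound
    to ``os.environ`` and is then parsed with ``yaml.Loader``. Both steps
    act on whatever the file contains, so only point this function at
    configuration files whose author is as trusted as the code itself.

    NOTE(review): the plaintext branch no longer goes through
    AnsibleLoader, so inline ``!vault`` values are presumably not
    decrypted by this version -- confirm against a sample config.

    Args:
        yaml_file: Path of the YAML file to read.
        vault_secret: Optional path of the file holding the vault secret
            (passed as ``filename=`` to ``get_file_vault_secret``).

    Returns:
        The parsed document, or ``None`` when ``yaml_file`` is not an
        existing file.

    Raises:
        Exception: If PyYAML raises ``yaml.YAMLError`` while parsing.
            Other errors (template rendering, vault decryption) are not
            caught here and propagate unchanged.
    """
    vault = VaultLib()
    if vault_secret:
        secret_file = get_file_vault_secret(filename=vault_secret,
                                            loader=DataLoader())
        secret_file.load()
        vault.secrets = [('default', secret_file)]

    # YAML ENV VAR
    # name: !ENV env_var('FOO')/bar
    # Both calls register on PyYAML's shared loader classes, so the !ENV
    # handling stays in effect for later yaml.load() calls in the process.
    yaml.add_implicit_resolver("!ENV", ENV_VAR_PATTERN)
    yaml.add_constructor('!ENV', env_var_constructor)

    data = None
    if os.path.isfile(yaml_file):
        with open(yaml_file, 'r') as stream:
            contents = stream.read()

        # Render environment variables using jinja templates
        # NOTE(review): Template is presumably jinja2.Template, i.e. not
        # sandboxed. Expressions in the file are evaluated and every
        # environment variable is reachable through env_var, so secrets
        # held in the environment can end up in the parsed config.
        template = Template(contents)
        stream = StringIO(template.render(env_var=os.environ))

        try:
            if is_encrypted_file(stream):
                file_data = vault.decrypt(stream.read(), None)
            else:
                file_data = stream.read()
            # The Loader is passed explicitly in both cases: PyYAML 6 made
            # it a required argument, and the encrypted branch previously
            # omitted it. Using one call keeps both file states on the
            # same code path.
            # NOTE(review): yaml.Loader can construct arbitrary Python
            # objects from tagged nodes. If the file can be written by
            # anyone less trusted than this process, register the !ENV
            # resolver and constructor on yaml.SafeLoader (both add_*
            # calls accept Loader=) and load with that instead.
            data = yaml.load(file_data, Loader=yaml.Loader)

            # Commenting code below for posterity. We are not using
            # ansible functionality but yaml load should follow the same
            # code path regardless of the file encryption state.
            #loader = AnsibleLoader(stream, None, vault.secrets)
            #try:
            #    data = loader.get_single_data()
            #except Exception as exc:
            #    raise Exception(f'Error when loading YAML config at {yaml_file} {exc}') from exc
            #finally:
            #    loader.dispose()
        except yaml.YAMLError as exc:
            raise Exception(
                f'Error when loading YAML config at {yaml_file} {exc}'
            ) from exc
    else:
        LOGGER.debug('No file at %s', yaml_file)

    return data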
def vault_encrypt(plaintext, secret):
    """
    Encrypt ``plaintext`` with Ansible Vault.

    Args:
        plaintext: The data handed to ``VaultLib.encrypt``.
        secret: Path of the vault secret file; it is passed as
            ``filename=`` to ``get_file_vault_secret``.

    Returns:
        Whatever ``VaultLib.encrypt`` returns for ``plaintext``.

    On ``AnsibleError`` the failure is logged at CRITICAL level and the
    process exits with status 1, so callers never see that exception.
    """
    try:
        encryptor = VaultLib()
        key_source = get_file_vault_secret(filename=secret,
                                           loader=DataLoader())
        key_source.load()
        # Single secret, registered under the 'default' vault id.
        encryptor.secrets = [('default', key_source)]
        ciphertext = encryptor.encrypt(plaintext)
    except AnsibleError as exc:
        LOGGER.critical('Cannot encrypt string: %s', exc)
        sys.exit(1)
    else:
        return ciphertext
def vault_encrypt(plaintext, secret):
    '''
    Return ``plaintext`` encrypted with Ansible Vault.

    ``secret`` is the path of the vault secret file (it is passed as
    ``filename=`` to ``get_file_vault_secret``). If any step raises
    ``AnsibleError`` the error is logged at CRITICAL level and the
    process exits with status 1 instead of raising to the caller.
    '''
    try:
        vault_lib = VaultLib()
        loaded_secret = get_file_vault_secret(
            filename=secret,
            loader=DataLoader(),
        )
        loaded_secret.load()
        # One secret only, stored under the 'default' vault id.
        vault_lib.secrets = [('default', loaded_secret)]
        encrypted = vault_lib.encrypt(plaintext)
    except AnsibleError as e:
        logger.critical(f"Cannot encrypt string: {e}")
        sys.exit(1)
    return encrypted
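def load_yaml(yaml_file, vault_secret=None):
    """
    Load a YAML file into a python dictionary.

    The YAML file can be fully encrypted by Ansible-Vault or can contain
    multiple inline Ansible-Vault encrypted values. Ansible Vault
    encryption is ideal to store passwords or encrypt the entire file
    with sensitive data if required.

    The file text is rendered as a template with ``env_var`` bound to
    ``os.environ`` before parsing, so the file must come from an author
    who is as trusted as the code itself.

    Args:
        yaml_file: Path of the YAML file to read (opened as UTF-8).
        vault_secret: Optional path of the file holding the vault secret
            (passed as ``filename=`` to ``get_file_vault_secret``).

    Returns:
        The parsed document, with a top-level ``AnsibleMapping``
        converted to a plain ``dict``, or ``None`` when ``yaml_file`` is
        not an existing file.

    Raises:
        Exception: If the AnsibleLoader branch fails for any reason, or
            if PyYAML raises ``yaml.YAMLError`` in the decrypted branch.
    """
    vault = VaultLib()
    if vault_secret:
        secret_file = get_file_vault_secret(filename=vault_secret,
                                            loader=DataLoader())
        secret_file.load()
        vault.secrets = [('default', secret_file)]

    data = None
    if os.path.isfile(yaml_file):
        with open(yaml_file, 'r', encoding='utf-8') as stream:
            contents = stream.read()

        # Render environment variables using jinja templates
        # NOTE(review): Template is presumably jinja2.Template, i.e. not
        # sandboxed. Expressions in the file are evaluated and every
        # environment variable is reachable through env_var. Rendering
        # runs before decryption, so template expressions inside a fully
        # encrypted file are not expanded.
        template = Template(contents)
        stream = StringIO(template.render(env_var=os.environ))

        try:
            if is_encrypted_file(stream):
                file_data = stream.read()
                # The Loader is now explicit: PyYAML 6 requires the
                # argument and the call used to omit it. SafeLoader builds
                # only plain YAML types; a document carrying
                # Python-specific tags now fails with yaml.YAMLError and
                # is reported through the handler below.
                # NOTE(review): AnsibleLoader in the other branch is
                # presumably safe-constructor based as well -- confirm
                # for the ansible version in use.
                data = yaml.load(vault.decrypt(file_data, None),
                                 Loader=yaml.SafeLoader)
            else:
                loader = AnsibleLoader(stream, None, vault.secrets)
                try:
                    data = loader.get_single_data()
                except Exception as exc:
                    raise Exception(
                        f'Error when loading YAML config at {yaml_file} {exc}'
                    ) from exc
                finally:
                    # Always release the loader, even when parsing failed.
                    loader.dispose()
        except yaml.YAMLError as exc:
            raise Exception(
                f'Error when loading YAML config at {yaml_file} {exc}'
            ) from exc
    else:
        LOGGER.debug('No file at %s', yaml_file)

    # Hand callers a plain dict rather than ansible's mapping type.
    if isinstance(data, AnsibleMapping):
        data = dict(data)
    return data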
def vault_encrypt(plaintext, secret):
    """
    Vault-encrypt ``plaintext`` using the secret stored in a file.

    Args:
        plaintext: The data handed to ``VaultLib.encrypt``.
        secret: Path of the vault secret file (passed as ``filename=``
            to ``get_file_vault_secret``).

    Returns:
        The value returned by ``VaultLib.encrypt``.

    An ``AnsibleError`` raised along the way is logged at CRITICAL level
    and ends the process with exit status 1.
    """
    try:
        vault_handle = VaultLib()
        file_secret = get_file_vault_secret(filename=secret, loader=DataLoader())
        file_secret.load()
        # The only configured secret goes under the "default" vault id.
        configured_secrets = [("default", file_secret)]
        vault_handle.secrets = configured_secrets
        return vault_handle.encrypt(plaintext)
    except AnsibleError as e:
        message = "Cannot encrypt string: {}".format(e)
        logger.critical(message)
        sys.exit(1)
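def load_yaml(yaml_file, vault_secret=None):
    '''
    Load a YAML file into a python dictionary.

    The YAML file can be fully encrypted by Ansible-Vault or can contain
    multiple inline Ansible-Vault encrypted values. Ansible Vault
    encryption is ideal to store passwords or encrypt the entire file
    with sensitive data if required.

    Args:
        yaml_file: Path of the YAML file to read.
        vault_secret: Optional path of the file holding the vault secret
            (passed as ``filename=`` to ``get_file_vault_secret``).

    Returns:
        The parsed document, or ``None`` when ``yaml_file`` is not an
        existing file.

    Raises:
        Exception: If the AnsibleLoader branch fails for any reason, or
            if PyYAML raises ``yaml.YAMLError`` in the decrypted branch.
    '''
    vault = VaultLib()
    if vault_secret:
        secret_file = get_file_vault_secret(filename=vault_secret,
                                            loader=DataLoader())
        secret_file.load()
        vault.secrets = [('default', secret_file)]

    data = None
    if os.path.isfile(yaml_file):
        with open(yaml_file, 'r') as stream:
            try:
                if is_encrypted_file(stream):
                    file_data = stream.read()
                    # The Loader is now explicit: PyYAML 6 requires the
                    # argument and the call used to omit it. SafeLoader
                    # builds only plain YAML types; a document carrying
                    # Python-specific tags now fails with yaml.YAMLError
                    # and is reported through the handler below.
                    data = yaml.load(vault.decrypt(file_data, None),
                                     Loader=yaml.SafeLoader)
                else:
                    loader = AnsibleLoader(stream, None, vault.secrets)
                    try:
                        data = loader.get_single_data()
                    except Exception as exc:
                        # Chain explicitly so the original traceback is
                        # kept as the cause.
                        raise Exception(
                            "Error when loading YAML config at {} {}".format(
                                yaml_file, exc)) from exc
                    finally:
                        # Always release the loader, even on failure.
                        loader.dispose()
            except yaml.YAMLError as exc:
                raise Exception(
                    "Error when loading YAML config at {} {}".format(
                        yaml_file, exc)) from exc
    else:
        # Lazy %-args: the message is only built when DEBUG is enabled.
        logger.debug("No file at %s", yaml_file)

    return data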