def _assert_file_is_encrypted(self, vault_editor, src_file_path, src_contents): new_src_file = open(src_file_path, 'rb') new_src_file_contents = new_src_file.read() # TODO: assert that it is encrypted self.assertTrue(vault.is_encrypted(new_src_file_contents)) src_file_plaintext = vault_editor.vault.decrypt(new_src_file_contents) # the plaintext should not be encrypted self.assertFalse(vault.is_encrypted(src_file_plaintext)) # and the new plaintext should match the original self.assertEqual(src_file_plaintext, src_contents)
def _get_file_contents(self, file_name): ''' Reads the file contents from the given file name, and will decrypt them if they are found to be vault-encrypted. ''' if not file_name or not isinstance(file_name, string_types): raise AnsibleParserError("Invalid filename: '%s'" % str(file_name)) b_file_name = to_bytes(file_name) if not self.path_exists(b_file_name) or not self.is_file(b_file_name): raise AnsibleFileNotFound("the file_name '%s' does not exist, or is not readable" % file_name) show_content = True try: with open(b_file_name, 'rb') as f: data = f.read() if is_encrypted(data): data = self._vault.decrypt(data, filename=b_file_name) show_content = False data = to_text(data, errors='surrogate_or_strict') return (data, show_content) except (IOError, OSError) as e: raise AnsibleParserError("an error occurred while trying to read the file '%s': %s" % (file_name, str(e)))
def _get_file_contents(self, file_name): ''' Reads the file contents from the given file name, and will decrypt them if they are found to be vault-encrypted. ''' if not file_name or not isinstance(file_name, (binary_type, text_type)): raise AnsibleParserError("Invalid filename: '%s'" % str(file_name)) b_file_name = to_bytes(self.path_dwim(file_name)) # This is what we really want but have to fix unittests to make it pass # if not os.path.exists(b_file_name) or not os.path.isfile(b_file_name): if not self.path_exists(b_file_name) or not self.is_file(b_file_name): raise AnsibleFileNotFound("Unable to retrieve file contents", file_name=file_name) show_content = True try: with open(b_file_name, 'rb') as f: data = f.read() if is_encrypted(data): data = b"\n" show_content = False return (data, show_content) except (IOError, OSError) as e: raise AnsibleParserError("an error occurred while trying to read " "the file '%s': %s" % (file_name, str(e)))
def _get_file_contents(self, file_name): ''' Reads the file contents from the given file name, and will decrypt them if they are found to be vault-encrypted. ''' if not file_name or not isinstance(file_name, string_types): raise AnsibleParserError("Invalid filename: '%s'" % str(file_name)) b_file_name = to_bytes(file_name) if not self.path_exists(b_file_name) or not self.is_file(b_file_name): raise AnsibleFileNotFound( "the file_name '%s' does not exist, or is not readable" % file_name) show_content = True try: with open(b_file_name, 'rb') as f: data = f.read() if is_encrypted(data): data = self._vault.decrypt(data, filename=b_file_name) show_content = False return (data, show_content) except (IOError, OSError) as e: raise AnsibleParserError( "an error occurred while trying to read the file '%s': %s" % (file_name, str(e)))
def do_unvault(vault, secret, vaultid='filter_default'): if not isinstance(secret, (string_types, binary_type, Undefined)): raise AnsibleFilterTypeError( "Secret passed is required to be as string, instead we got: %s" % type(secret)) if not isinstance( vault, (string_types, binary_type, AnsibleVaultEncryptedUnicode, Undefined)): raise AnsibleFilterTypeError( "Vault should be in the form of a string, instead we got: %s" % type(vault)) data = '' vs = VaultSecret(to_bytes(secret)) vl = VaultLib([(vaultid, vs)]) if isinstance(vault, AnsibleVaultEncryptedUnicode): vault.vault = vl data = vault.data elif is_encrypted(vault): try: data = vl.decrypt(vault) except UndefinedError: raise except Exception as e: raise AnsibleFilterError("Unable to decrypt: %s" % to_native(e), orig_exc=e) else: data = vault return to_native(data)
def encryptedFile2String(self, fileName): data = file2String(fileName) was_encrypted = False if is_encrypted(data): was_encrypted = True data = self.vaultLib.decrypt(data) return data, was_encrypted
def encrypt_value(value, passcode): secret = VaultSecret(bytes(passcode.encode('ascii'))) editor = VaultEditor() if not is_encrypted(value): vaultCode = editor.encrypt_bytes(value, secret).decode('ascii') else: vaultCode = value encrypted_val = '!vault |\n' + (vaultCode) return encrypted_val
def _decrypt_if_vault_data(self, b_vault_data, b_file_name=None): '''Decrypt b_vault_data if encrypted and return b_data and the show_content flag''' if not is_encrypted(b_vault_data): show_content = True return b_vault_data, show_content b_ciphertext, b_version, cipher_name, vault_id = parse_vaulttext_envelope(b_vault_data) b_data = self._vault.decrypt(b_vault_data, filename=b_file_name) show_content = False return b_data, show_content
def decrypt_diff(diff_part, password_file=None): """ Diff part is a string in the format: diff --git a/group_vars/foo b/group_vars/foo index c09080b..0d803bb 100644 --- a/group_vars/foo +++ b/group_vars/foo @@ -1,32 +1,33 @@ $ANSIBLE_VAULT;1.1;AES256 -61316662363730313230626432303662316330323064373866616436623565613033396539366263 -383632656663356364656531653039333965 +30393563383639396563623339383936613866326332383162306532653239636166633162323236 +62376161626137626133 Returns a tuple of decrypted old contents and decrypted new contents. """ vault = VaultLib(get_vault_password(password_file)) old_contents, new_contents = get_contents(diff_part) if is_encrypted(old_contents): old_contents = vault.decrypt(old_contents) if is_encrypted(new_contents): new_contents = vault.decrypt(new_contents) return old_contents, new_contents
def encrypt_credentials_file(passcode, deployment_name): yaml.add_constructor(u'!vault', vault_constructor) if os.path.isfile(deployment_name): credentials_file = deployment_name elif os.path.isdir(deployment_name): credentials_file = os.path.join(deployment_name, 'credentials.yml') else: credentials_file = os.path.join(DEPLOYMENT_DIR, deployment_name, 'credentials.yml') with open(credentials_file, 'r') as file: credentials = yaml.load(file.read().decode("utf-8"), Loader=yaml.Loader) with open('schemas/credentials.json') as credentials_schema: data = yaml.load(credentials_schema.read().decode("utf-8"), Loader=yaml.Loader) props = data['items']['properties'] do_not_encrypt_list = [] for k, v in props.items(): if ('encrypt' in v) and (not v['encrypt']): do_not_encrypt_list.append(k) if credentials is not None: for cred_set in credentials: for cred in list(cred_set.keys()): if cred not in do_not_encrypt_list: secret = VaultSecret(passcode) editor = VaultEditor() if not is_encrypted(cred_set[cred]): vaultCode = editor.encrypt_bytes( cred_set[cred], secret) else: vaultCode = cred_set[cred] cred_set[cred] = '!vault |\n' + (vaultCode) gen_example = ExampleFileGenerator(False, True) example_lines = gen_example.generate_example_from_schema( 'schemas/credentials.json') template = jinja2.Template(example_lines) credentials = template.render(credentials=credentials) with open(credentials_file, 'w') as file: file.write(credentials.encode("utf-8"))
def _get_file_contents(self, file_name): ''' Reads the file contents from the given file name If the contents are vault-encrypted, it will decrypt them and return the decrypted data :arg file_name: The name of the file to read. If this is a relative path, it will be expanded relative to the basedir :raises AnsibleFileNotFOund: if the file_name does not refer to a file :raises AnsibleParserError: if we were unable to read the file :return: Returns a byte string of the file contents ''' if not file_name or not isinstance(file_name, (binary_type, text_type)): raise AnsibleParserError("Invalid filename: '%s'" % str(file_name)) b_file_name = to_bytes(self.path_dwim(file_name)) # This is what we really want but have to fix unittests to make it pass # if not os.path.exists(b_file_name) or not os.path.isfile(b_file_name): if not self.path_exists(b_file_name) or not self.is_file(b_file_name): raise AnsibleFileNotFound("Unable to retrieve file contents", file_name=file_name) show_content = True try: with open(b_file_name, 'rb') as f: data = f.read() if is_encrypted(data): # FIXME: plugin vault selector b_ciphertext, b_version, cipher_name, vault_id = parse_vaulttext_envelope( data) data = self._vault.decrypt(data, filename=b_file_name) show_content = False return (data, show_content) except (IOError, OSError) as e: raise AnsibleParserError( "an error occurred while trying to read the file '%s': %s" % (file_name, str(e)), orig_exc=e)
def _get_file_contents(self, file_name): ''' Reads the file contents from the given file name If the contents are vault-encrypted, it will decrypt them and return the decrypted data :arg file_name: The name of the file to read. If this is a relative path, it will be expanded relative to the basedir :raises AnsibleFileNotFOund: if the file_name does not refer to a file :raises AnsibleParserError: if we were unable to read the file :return: Returns a byte string of the file contents ''' if not file_name or not isinstance(file_name, (binary_type, text_type)): raise AnsibleParserError("Invalid filename: '%s'" % str(file_name)) b_file_name = to_bytes(self.path_dwim(file_name)) # This is what we really want but have to fix unittests to make it pass # if not os.path.exists(b_file_name) or not os.path.isfile(b_file_name): if not self.path_exists(b_file_name) or not self.is_file(b_file_name): raise AnsibleFileNotFound("Unable to retrieve file contents", file_name=file_name) show_content = True try: with open(b_file_name, 'rb') as f: data = f.read() if is_encrypted(data): # FIXME: plugin vault selector b_ciphertext, b_version, cipher_name, vault_id = parse_vaulttext_envelope(data) data = self._vault.decrypt(data, filename=b_file_name) show_content = False return (data, show_content) except (IOError, OSError) as e: raise AnsibleParserError("an error occurred while trying to read the file '%s': %s" % (file_name, str(e)), orig_exc=e)
def test_text_encrypted(self): b_data = to_text(b"$ANSIBLE_VAULT;9.9;TEST\n%s" % hexlify(b"ansible")) self.assertTrue(vault.is_encrypted(b_data))
def test_invalid_text_not_ascii(self): data = u"$ANSIBLE_VAULT;9.9;TEST\n%s" % u"ァ ア ィ イ ゥ ウ ェ エ ォ オ カ ガ キ ギ ク グ ケ " self.assertFalse(vault.is_encrypted(data))
def test_bytes_not_encrypted(self): b_data = b"foobar" self.assertFalse(vault.is_encrypted(b_data))
def test_text_not_encrypted(self): b_data = to_text(b"foobar") self.assertFalse(vault.is_encrypted(b_data))
def test_unicode_is_encrypted_py2(self): if six.PY3: raise SkipTest() data = u"$ANSIBLE_VAULT;9.9;TEST\n%s" % hexlify(b"ansible") # THis works, but arguably shouldn't... self.assertTrue(vault.is_encrypted(data))
def is_encrypted(data): return is_encrypted(data)
def test_bytes_encrypted(self): b_data = b"$ANSIBLE_VAULT;9.9;TEST\n%s" + hexlify(b"ansible") self.assertTrue(vault.is_encrypted(b_data))
def test_unicode_not_encrypted_py2(self): if six.PY3: raise SkipTest() data = u"ァ ア ィ イ ゥ ウ ェ エ ォ オ カ ガ キ ギ ク グ ケ " # py2 will take a unicode string, but that should always fails self.assertFalse(vault.is_encrypted(data))
def test_utf8_encrypted(self): data = u"$ANSIBLE_VAULT;9.9;TEST\n%s" % hexlify(b"ansible") b_data = data.encode('utf8') self.assertTrue(vault.is_encrypted(b_data))
def test_invalid_bytes_not_ascii(self): data = u"$ANSIBLE_VAULT;9.9;TEST\n%s" % u"ァ ア ィ イ ゥ ウ ェ エ ォ オ カ ガ キ ギ ク グ ケ " b_data = to_bytes(data, encoding='utf-8') self.assertFalse(vault.is_encrypted(b_data))
def is_encrypted_vault(self, filename): return is_encrypted(utils.read_file_contents(filename))
def test_utf8_not_encrypted(self): b_data = "foobar".encode('utf8') self.assertFalse(vault.is_encrypted(b_data))