def test_format_vaulttext_envelope(self):
    """Verify the header written by format_vaulttext_envelope and round-trip it.

    The envelope is built for a dummy cipher name with vault id 'default',
    its first line is checked field by field, and the result is then fed
    back through parse_vaulttext_envelope to confirm nothing was lost.
    """
    expected_cipher = "TEST"
    expected_payload = b"ansible"
    envelope = vault.format_vaulttext_envelope(
        expected_payload,
        expected_cipher,
        version=self.v.b_version,
        vault_id='default',
    )

    # A header line plus at least one payload line must be present.
    envelope_lines = envelope.split(b'\n')
    self.assertGreater(len(envelope_lines), 1, msg="failed to properly add header")

    # Header fields are ';'-separated: marker, version, cipher name and a
    # fourth field that this test counts but does not inspect.
    # NOTE(review): the message on index 2 says "end" although four fields
    # are expected, so the cipher name is not the last field -- confirm wording.
    header_fields = envelope_lines[0].split(b';')
    self.assertEqual(len(header_fields), 4, msg="header has the wrong number of parts")
    self.assertEqual(header_fields[0], b'$ANSIBLE_VAULT', msg="header does not start with $ANSIBLE_VAULT")
    self.assertEqual(header_fields[1], self.v.b_version, msg="header version is incorrect")
    self.assertEqual(header_fields[2], b'TEST', msg="header does not end with cipher name")

    # Round trip: parsing the envelope must give back every input.
    parsed_payload, parsed_version, parsed_cipher, parsed_vault_id = \
        vault.parse_vaulttext_envelope(envelope)
    round_trip_pairs = (
        (expected_payload, parsed_payload),
        (self.v.b_version, parsed_version),
        (expected_cipher, parsed_cipher),
        ('default', parsed_vault_id),
    )
    for expected, actual in round_trip_pairs:
        self.assertEqual(expected, actual)
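def render_POST(self, request):
    """Encrypt or decrypt an Ansible Vault payload posted as JSON.

    The request body must be a JSON object with a non-empty ``password``
    and an optional ``source`` (default: empty string). When ``source``
    parses as a vault envelope it is decrypted with the password; otherwise
    it is treated as plaintext and encrypted into an AES256 / 1.1 envelope.

    Returns:
        UTF-8 encoded JSON bytes of the form ``{"value": <text>}``. Every
        failure (malformed body, missing password, unknown cipher, vault
        error, non-UTF-8 result) sets response code 400.

    NOTE(review): the body carries the vault password and the response can
    carry decrypted plaintext. Nothing visible here shows transport
    protection, authentication or a request-size limit -- confirm the
    listener enforces them, and keep request bodies out of logs.
    """
    def _reply(value, code=None):
        # Every response is a UTF-8 JSON object with a single "value" key.
        if code is not None:
            request.setResponseCode(code)
        return json.dumps({"value": value}).encode('utf-8')

    def _error_text(exc):
        # Python 3 built-in exceptions have no .message attribute, so fall
        # back to str() instead of raising AttributeError mid-response.
        return getattr(exc, 'message', None) or str(exc)

    request.setHeader("Content-Type", "application/json; charset=utf-8")
    # Defaults used when the source is plaintext and has to be encrypted.
    version, cipher, vault_id = '1.1', 'AES256', ''

    try:
        body = json.loads(request.content.read())
    except (TypeError, ValueError):
        return _reply("bad input object", 400)
    # Valid JSON that is not an object (list, number, string) has no .get().
    if not isinstance(body, dict):
        return _reply("bad input object", 400)

    if not body.get("password"):
        return _reply("password not specified", 400)

    secret = VaultSecret(to_bytes(body["password"], "utf-8", errors='strict'))
    source = to_bytes(body.get("source", ""), "utf-8", errors='strict')

    try:
        # The header of an encrypted source overrides version and cipher.
        # The vault id parsed from it is not used any further.
        payload, version, cipher, _parsed_vault_id = \
            parse_vaulttext_envelope(source)
        is_source_encrypted = True
    except ansible.errors.AnsibleError:
        # No vault envelope: treat the source as plaintext to encrypt.
        is_source_encrypted = False
        payload = source

    try:
        # The cipher name comes from the client-supplied header, so an
        # unknown name has to end in a 400 rather than an unhandled error.
        this_cipher = CIPHER_MAPPING[cipher]()
    except Exception as e:
        return _reply("error in %s" % _error_text(e), 400)

    try:
        if is_source_encrypted:
            result = this_cipher.decrypt(payload, secret=secret)
        else:
            result = format_vaulttext_envelope(
                this_cipher.encrypt(payload, secret=secret),
                cipher, version, vault_id).strip()
    except ansible.errors.AnsibleError as e:
        return _reply(_error_text(e), 400)

    # json.dumps rejects bytes on Python 3, so convert the result to text.
    if isinstance(result, bytes):
        try:
            result = result.decode('utf-8')
        except UnicodeDecodeError:
            return _reply("result is not valid UTF-8", 400)
    return _reply(result)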