def extract_from_vault(args):
vault_file = args.v
password = get_password(args.p)
editor = VaultEditor(args.c, password, vault_file)
vault_data = {}
if os.path.isfile(vault_file):
encrypted = is_encrypted(vault_file)
if encrypted:
editor.decrypt_file()
try:
with open(vault_file, 'r') as v:
vault_data = yaml.load(v)
for item in args.i:
key, file = item.split('=')
try:
if vault_data[key]:
with open(file, 'wb') as unpack:
unpack.write(base64.b64decode(vault_data[key]))
console('Extracted %s to %s' % (key, file))
except Exception, e:
console('Could not extract %s to %s, %s' % (key, file, e))
except:
if encrypted:
editor.encrypt_file()
def test_decrypt_1_0_newline(self):
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
raise SkipTest
dirpath = tempfile.mkdtemp()
filename = os.path.join(dirpath, "foo-ansible-1.0-ansible-newline-ansible.yml")
shutil.rmtree(dirpath)
shutil.copytree("vault_test_data", dirpath)
ve = VaultEditor(None, "ansible\nansible\n", filename)
# make sure the password functions for the cipher
error_hit = False
try:
ve.decrypt_file()
except errors.AnsibleError, e:
error_hit = True
def test_methods_exist(self):
v = VaultEditor(None, None, None)
slots = [
'create_file', 'decrypt_file', 'edit_file', 'encrypt_file',
'rekey_file', 'read_data', 'write_data', 'shuffle_files'
]
for slot in slots:
assert hasattr(v, slot), "VaultLib is missing the %s method" % slot
def test_decrypt_1_0(self):
if self._is_fips():
raise SkipTest('Vault-1.0 will not function on FIPS enabled systems')
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
raise SkipTest
dirpath = tempfile.mkdtemp()
filename = os.path.join(dirpath, "foo-ansible-1.0.yml")
shutil.rmtree(dirpath)
shutil.copytree("vault_test_data", dirpath)
ve = VaultEditor(None, "ansible", filename)
# make sure the password functions for the cipher
error_hit = False
try:
ve.decrypt_file()
except errors.AnsibleError, e:
error_hit = True
def test_decrypt_1_0(self):
if self._is_fips():
raise SkipTest(
'Vault-1.0 will not function on FIPS enabled systems')
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
raise SkipTest
dirpath = tempfile.mkdtemp()
filename = os.path.join(dirpath, "foo-ansible-1.0.yml")
shutil.rmtree(dirpath)
shutil.copytree("vault_test_data", dirpath)
ve = VaultEditor(None, "ansible", filename)
# make sure the password functions for the cipher
error_hit = False
try:
ve.decrypt_file()
except errors.AnsibleError, e:
error_hit = True
def extract_from_vault(args):
vault_file = args.v
password = get_password(args.p)
editor = VaultEditor(args.c, password, vault_file)
vault_data = {}
if os.path.isfile(vault_file):
encrypted = is_encrypted(vault_file)
if encrypted:
editor.decrypt_file()
try:
with open(vault_file, 'r') as v:
vault_data = yaml.load(v)
for item in args.i:
key, file = item.split('=')
try:
if vault_data[key]:
with open(file, 'wb') as unpack:
unpack.write(base64.b64decode(vault_data[key]))
console('Extracted %s to %s' % (key, file))
except Exception, e:
console('Could not extract %s to %s, %s' % (key, file, e))
except:
if encrypted:
editor.encrypt_file()
def create_ansible_vault():
'''
Create ansible vault with random passphrase and set SECRET_KEY.
'''
def generate_passphrase():
import random
import string
chars = string.ascii_uppercase + string.ascii_lowercase + string.digits
return ''.join(random.choice(chars) for _ in range(20))
# write the ansible vault password to disk
passphrase = generate_passphrase()
with open('ansible/.vault_pass.txt', 'w') as vp_file:
vp_file.write('{}\n'.format(passphrase))
# create ansible vault
from ansible.utils.vault import VaultEditor
vault_path = 'ansible/group_vars/all/vault.yml'
vault_editor = VaultEditor('AES256', passphrase, vault_path)
data = '--- \nSECRET_KEY: {}'.format(generate_passphrase())
vault_editor.write_data(data, vault_path)
vault_editor.encrypt_file()
def decrypt_file(self, filename):
'''
Decrypt File
Args:
filename: Pass the filename to encrypt.
Returns:
No return.
'''
if not os.path.exists(filename):
print "Invalid filename %s. Does not exist" % filename
return
if self.vault_password is None:
print "ENV Variable PYANSI_VAULT_PASSWORD not set"
return
if not self.is_file_encrypted(filename):
# No need to do anything.
return
cipher = 'AES256'
vaulteditor = VaultEditor(cipher, self.vault_password, filename)
vaulteditor.decrypt_file()
def add_to_vault(args):
vault_file = args.v
password = get_password(args.p)
editor = VaultEditor(args.c, password, vault_file)
console("Adding entries to %s" % vault_file)
if args.t and os.path.isfile(vault_file):
os.remove(vault_file)
vault_data = {}
if os.path.isfile(vault_file):
if is_encrypted(vault_file):
editor.decrypt_file()
with open(vault_file, 'r') as v:
vault_data = yaml.load(v)
vault_args = parse_vault_args(args.i)
vault_data = dict(vault_data.items() + vault_args.items())
with open(vault_file, 'w') as v:
v.write( yaml.dump(vault_data, default_flow_style=False) )
editor.encrypt_file()
def add_to_vault(args):
vault_file = args.v
password = get_password(args.p)
editor = VaultEditor(args.c, password, vault_file)
console("Adding entries to %s" % vault_file)
if args.t and os.path.isfile(vault_file):
os.remove(vault_file)
vault_data = {}
if os.path.isfile(vault_file):
if is_encrypted(vault_file):
editor.decrypt_file()
with open(vault_file, 'r') as v:
vault_data = yaml.load(v)
vault_args = parse_vault_args(args.i)
vault_data = dict(vault_data.items() + vault_args.items())
with open(vault_file, 'w') as v:
v.write(yaml.dump(vault_data, default_flow_style=False))
editor.encrypt_file()
