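def rekey(self, data, new_password):
    """Re-encrypt vault ``data`` under ``new_password``.

    ``self._handle_ciphertext`` classifies the input first. Its result tuple is
    read here as ``(is_native, is_ansible_vault, payload)`` — those names are
    inferred from how the branches below use the fields; confirm against the
    helper's definition.

    Args:
        data: ciphertext to re-key.
        new_password: vault password the returned ciphertext is bound to.

    Returns:
        ``(success, payload)``: on success ``payload`` is the new ciphertext,
        otherwise the error description produced by the helper that failed.
    """
    classified = self._handle_ciphertext(data=data)
    if classified[0]:
        # Ciphertext produced by this system: the instance cipher re-keys it.
        outcome = self.cipher.rekey(classified[2], new_password)
        if outcome[0]:
            self.logger.info('修改ansible数据的vault密码成功,注:使用本系统自定义方法')
        else:
            # %s formatting: a non-str reason must not raise TypeError inside
            # the error path (the former '+' concatenation did).
            self.logger.error('修改ansible数据的vault密码失败,原因:%s,注:使用本系统自定义方法', outcome[1])
        return outcome
    if not classified[1]:
        # Neither format recognised; pass the helper's reason straight through.
        return (False, classified[2])
    # ansible-vault formatted data: recover the content with the ansible 2.3
    # style helper, then encrypt it under the new password.
    # NOTE(review): `_ansible_vault_encrpyt` is used as a decrypt step here
    # (its result[1] is fed to encrypt()) — confirm against its definition.
    recovered = self._ansible_vault_encrpyt(classified[2])
    if not recovered[0]:
        self.logger.error('修改ansible加密数据的vault密码失败,原因:%s,注:使用ansible2.3版本方法', recovered[1])
        return recovered
    new_cipher = Using_AES256(new_password, self.b_vault_header)
    self.logger.info('修改ansible加密数据的vault密码成功,注:使用ansible2.3版本方法')
    return new_cipher.encrypt(recovered[1])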
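def encryp_dict(self, username, vault_password, data, vault_list, isverify=True):
    '''
    Encrypt the selected fields of a user's data dict.

    Args:
        username: owner of the data; used for password verification and log text.
        vault_password: vault password the encrypted fields are bound to.
        data: dict of field name -> value.
        vault_list: field names to encrypt; an empty/None value selects every key.
        isverify: when True, ``vault_password`` is first checked against the
            stored one via ``self.verify_vaultpassword``.

    Returns:
        ``(True, new_dict)`` on success, where ``new_dict`` is a fresh dict
        (``data`` is never modified). ``(False, reason)`` if verification or the
        encryption of any selected field fails.

    Fields that are not selected are coerced: the strings ``'True'``/``'False'``
    become bools and all-ASCII-digit strings become ints; every other value is
    passed through unchanged. (Previously bools and other non-str values were
    also run through ``int()``, so ``'True'`` ended up stored as ``1``.)
    '''
    encryp_api = Using_AES256(vault_password, vault_header)
    if isverify:
        vault_result = self.verify_vaultpassword(username, vault_password)
        if not vault_result[0]:
            self.logger.error('加密用户%s的指定数据时失败,原因:输入的vault密码与数据库中vault密码不匹配', username)
            return (False, '输入的vault密码与数据库中vault密码不匹配')
    if not vault_list:
        vault_list = data.keys()
    encrypted = {}
    for key, value in data.items():
        if key in vault_list:
            # NOTE(review): empty values are still handed to encrypt(); the
            # original's `if not value` assignment was always overwritten, so
            # that behaviour is kept. Confirm whether empty fields should be
            # skipped instead.
            result = encryp_api.encrypt(value)
            if not result[0]:
                self.logger.error('加密用户%s的指定数据时失败,键名%s的值加密失败,原因:%s', username, key, result[1])
                return (False, '加密用户' + username + '的指定数据时失败,键名' + key + '的值加密失败,' + result[1])
            encrypted[key] = result[1]
        else:
            if value == 'False':
                value = False
            elif value == 'True':
                value = True
            elif isinstance(value, str) and value and all(ch in '0123456789' for ch in value):
                # Only ASCII-digit strings are converted; int() is never applied
                # to bools/floats, which used to turn True into 1 and 3.7 into 3.
                value = int(value)
            encrypted[key] = value
    return (True, encrypted)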
def __init__(self, password):
    """Bind an AES-256 cipher to ``password`` with a timestamped vault header.

    The configured ``vault_header`` is extended with ``;date:<time.time()>`` so
    every instance carries its own header. The header is kept as text in
    ``self.vault_header`` and as bytes in ``self.b_vault_header``; the bytes
    form is what ``Using_AES256`` receives.

    Args:
        password: vault password; kept on the instance as ``self.password``.
    """
    from library.config.security import vault_header

    self.logger = logging.getLogger("ansible")
    self.password = password
    header_text = ''.join((vault_header, ';date:', str(time.time())))
    self.vault_header = header_text
    # Fall back to string2bytes() only when obj2bytes() reports failure.
    converted = obj2bytes(header_text)
    header_bytes = converted[1] if converted[0] else string2bytes(header_text)
    self.b_vault_header = header_bytes
    self.cipher = Using_AES256(self.password, self.b_vault_header)
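def decryp_dict(self, username, vault_password, data, vault_list, isverify=True):
    '''
    Decrypt the selected fields of a user's data dict.

    Args:
        username: owner of the data; used for password verification and log text.
        vault_password: vault password to decrypt with.
        data: dict of field name -> value.
        vault_list: field names to decrypt; an empty/None value selects every key.
        isverify: when True, ``vault_password`` is first checked against the
            stored one via ``self.verify_vaultpassword``.

    Returns:
        ``(True, new_dict)`` on success, where ``new_dict`` is a fresh dict
        (``data`` is never modified). ``(False, reason)`` if verification or the
        decryption of any selected field fails.

    Fields that are not selected are passed through, except that the strings
    ``'True'``/``'False'`` are turned into bools.
    '''
    decryp_api = Using_AES256(vault_password, vault_header)
    if isverify:
        vault_result = self.verify_vaultpassword(username, vault_password)
        if not vault_result[0]:
            self.logger.error('解密用户%s的指定数据时失败,原因:输入的vault密码与数据库中vault密码不匹配', username)
            return (False, '输入的vault密码与数据库中vault密码不匹配')
    if not vault_list:
        vault_list = data.keys()
    decrypted = {}
    for key, value in data.items():
        if key in vault_list:
            # NOTE(review): empty values still go through decrypt(); the
            # original's `if not value` assignment was always overwritten, so
            # that behaviour is kept. Confirm whether an empty field should be
            # skipped rather than failing the whole dict.
            result = decryp_api.decrypt(value)
            if not result[0]:
                # The message now says 解密 (decrypt); it used to say 加密
                # (encrypt), copied from the encrypt path.
                self.logger.error('解密用户%s的指定数据时失败,键名%s的值解密失败,原因:%s', username, key, result[1])
                return (False, '解密用户' + username + '的指定数据时失败,键名' + key + '的值解密失败,' + result[1])
            decrypted[key] = result[1]
        else:
            if value == 'False':
                value = False
            elif value == 'True':
                value = True
            decrypted[key] = value
    return (True, decrypted)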
def decryp_string(self, username, vault_password, data, isverify=True):
    '''
    Decrypt a single piece of user data.

    Args:
        username: owner of the data; used for password verification and log text.
        vault_password: vault password to decrypt with.
        data: ciphertext to decrypt.
        isverify: when True, ``vault_password`` is first checked against the
            stored one via ``self.verify_vaultpassword``.

    Returns:
        ``(True, plaintext)`` on success; ``(False, reason)`` when verification
        fails or ``Using_AES256.decrypt`` reports an error.
    '''
    cipher = Using_AES256(vault_password, vault_header)
    if isverify:
        verified = self.verify_vaultpassword(username, vault_password)
        if not verified[0]:
            self.logger.error('解密用户' + username + '数据时失败,原因:输入的vault密码与数据库中vault密码不匹配')
            return (False, '解密用户' + username + '数据时失败,输入的vault密码与数据库中vault密码不匹配')
    outcome = cipher.decrypt(data)
    if not outcome[0]:
        self.logger.error('解密用户' + username + '数据失败,原因:' + outcome[1])
        return (False, outcome[1])
    return (True, outcome[1])
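def __init__(self, username, vault_passwd=None, mongoclient=None):
    """Set up per-user yaml storage and an optional vault cipher.

    Args:
        username: owner of the yaml documents; names the mongo collection
            ``<username>.ansible.yaml``.
        vault_passwd: vault password. When empty or None no cipher is loaded
            and ``self.this_cipher`` is None.
        mongoclient: an existing ``Op_Mongo`` connection to reuse; when None a
            new one is opened here.
    """
    self.logger = logging.getLogger("ansible")
    self.yaml_mongocollect = username + '.ansible.yaml'
    # NOTE(review): /dev/shm is a tmpfs shared by all local users — confirm
    # the directory is created with permissions that keep others out.
    self.temp_basedir = '/dev/shm/devops/ansible/yaml/'
    self.username = username
    self.vault_passwd = vault_passwd
    if mongoclient is None:
        self.mongoclient = Op_Mongo()
        # logger.warning(): .warn() is a deprecated alias of the same level.
        self.logger.warning('无法继承,需要初始化mongodb连接')
    else:
        self.mongoclient = mongoclient
    # `not vault_passwd` already covers None, so the explicit None test is gone.
    if not vault_passwd:
        self.this_cipher = None
    else:
        self.logger.warning('提供vault密码,加载加解密模块')
        self.this_cipher = Using_AES256(vault_passwd, vault_header)
    self.vault_header = vault_header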