 def rekey(self, data, new_password):
     """Re-encrypt ``data`` under ``new_password`` and return a status tuple.

     ``self._handle_ciphertext`` classifies the input first. A
     ``(True, _, payload)`` result is handed to ``self.cipher.rekey`` (the
     "custom method" named in the log lines); a ``(False, True, payload)``
     result is treated as ansible-vault data, passed through
     ``self._ansible_vault_encrpyt`` and then encrypted with a fresh
     ``Using_AES256`` bound to ``self.b_vault_header`` (the "ansible 2.3
     method"); a ``(False, False, msg)`` result is returned as
     ``(False, msg)``.

     Returns:
         A tuple whose first element is the success flag; the remaining
         element(s) come from the underlying cipher call or carry the error
         text produced by the failing step.
     """
     handled = self._handle_ciphertext(data=data)

     if handled[0]:
         # Ciphertext produced by this system's own cipher: rekey directly.
         outcome = self.cipher.rekey(handled[2], new_password)
         if outcome[0]:
             self.logger.info('修改ansible数据的vault密码成功,注:使用本系统自定义方法')
         else:
             self.logger.error('修改ansible数据的vault密码失败,原因:' + outcome[1] +
                               ',注:使用本系统自定义方法')
         return outcome

     if not handled[1]:
         # Neither format was recognised; propagate the handler's reason.
         return (False, handled[2])

     # Data encrypted by ansible-vault: run the ansible-vault routine, then
     # encrypt its payload under the new password.
     outcome = self._ansible_vault_encrpyt(handled[2])
     if not outcome[0]:
         self.logger.error('修改ansible加密数据的vault密码失败,原因:' +
                           outcome[1] + ',注:使用ansible2.3版本方法')
         return outcome

     new_cipher = Using_AES256(new_password, self.b_vault_header)
     self.logger.info('修改ansible加密数据的vault密码成功,注:使用ansible2.3版本方法')
     return new_cipher.encrypt(outcome[1])
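    def encryp_dict(self,
                    username,
                    vault_password,
                    data,
                    vault_list,
                    isverify=True):
        '''
        Encrypt selected fields of a user's data dict.

        Args:
            username: owner of the data; used for password verification and
                in log/error messages.
            vault_password: password handed to ``Using_AES256`` together with
                the module-level ``vault_header``.
            data: mapping of field name to value.
            vault_list: field names to encrypt; a falsy value means every key
                of ``data``.
            isverify: when true, ``self.verify_vaultpassword`` must accept the
                password before anything is encrypted.

        Returns:
            ``(True, new_dict)`` on success, ``(False, message)`` otherwise.
            Fields in ``vault_list`` hold the ciphertext returned by
            ``Using_AES256.encrypt``; other fields are copied, with the
            strings ``'True'``/``'False'`` turned into booleans and strings
            made only of ASCII digits turned into ``int``. Falsy values are
            copied as-is without being encrypted.
        '''
        encryp_api = Using_AES256(vault_password, vault_header)
        if isverify:
            vault_result = self.verify_vaultpassword(username, vault_password)
            if not vault_result[0]:
                self.logger.error('加密用户' + username +
                                  '的指定数据时失败,原因:输入的vault密码与数据库中vault密码不匹配')
                return (False, '输入的vault密码与数据库中vault密码不匹配')

        if not vault_list:
            vault_list = data.keys()

        encryp_dict = {}
        for key, value in data.items():
            if not value:
                # Empty/None/0 values are copied unchanged. The original
                # assignment here was immediately overwritten because the
                # loop fell through; the skip is now explicit.
                encryp_dict[key] = value
                continue

            if key in vault_list:
                result = encryp_api.encrypt(value)
                if not result[0]:
                    self.logger.error('加密用户' + username + '的指定数据时失败,键名' + key +
                                      '的值加密失败,原因:' + result[1])
                    return (False, '加密用户' + username + '的指定数据时失败,键名' + key +
                            '的值加密失败,' + result[1])
                encryp_dict[key] = result[1]
                continue

            # Plaintext field: normalise the string forms of booleans and
            # integers. Only digit-only *strings* are converted, so a value
            # that is already a bool (or was just produced from 'True' /
            # 'False') is no longer flattened to 1/0 by int().
            if value == 'False':
                value = False
            elif value == 'True':
                value = True
            elif isinstance(value, str) and all(c in '0123456789' for c in value):
                value = int(value)
            encryp_dict[key] = value

        return (True, encryp_dict)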
    def __init__(self, password):
        """Bind a password to a per-instance vault header and build the cipher.

        ``vault_header`` (imported lazily from ``library.config.security``) is
        suffixed with ``';date:'`` and the current ``time.time()`` so each
        instance carries its own header string. ``obj2bytes`` is tried first
        to turn that string into bytes; if it reports failure,
        ``string2bytes`` is used instead. The raw password is kept on the
        instance as ``self.password``.
        """
        self.logger = logging.getLogger("ansible")
        self.password = password

        from library.config.security import vault_header
        header_text = vault_header + ';date:' + str(time.time())
        self.vault_header = header_text

        # obj2bytes signals failure through its first element; fall back to
        # the string-specific converter in that case.
        converted = obj2bytes(header_text)
        header_bytes = converted[1] if converted[0] else string2bytes(header_text)
        self.b_vault_header = header_bytes
        self.cipher = Using_AES256(self.password, self.b_vault_header)
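    def decryp_dict(self,
                    username,
                    vault_password,
                    data,
                    vault_list,
                    isverify=True):
        '''
        Decrypt selected fields of a user's data dict.

        Args:
            username: owner of the data; used for password verification and
                in log/error messages.
            vault_password: password handed to ``Using_AES256`` together with
                the module-level ``vault_header``.
            data: mapping of field name to value.
            vault_list: field names to decrypt; a falsy value means every key
                of ``data``.
            isverify: when true, ``self.verify_vaultpassword`` must accept the
                password before anything is decrypted.

        Returns:
            ``(True, new_dict)`` on success, ``(False, message)`` otherwise.
            Fields in ``vault_list`` hold the plaintext returned by
            ``Using_AES256.decrypt``; other fields are copied, with the
            strings ``'True'``/``'False'`` turned into booleans. Falsy values
            are copied as-is without being decrypted.
        '''
        encryp_api = Using_AES256(vault_password, vault_header)
        if isverify:
            vault_result = self.verify_vaultpassword(username, vault_password)
            if not vault_result[0]:
                self.logger.error('解密用户' + username +
                                  '的指定数据时失败,原因:输入的vault密码与数据库中vault密码不匹配')
                return (False, '输入的vault密码与数据库中vault密码不匹配')

        if not vault_list:
            vault_list = data.keys()

        decryp_dict = {}
        for key, value in data.items():
            if not value:
                # Empty/None/0 values are copied unchanged. The original
                # assignment here was immediately overwritten because the
                # loop fell through; the skip is now explicit.
                decryp_dict[key] = value
                continue

            if key in vault_list:
                result = encryp_api.decrypt(value)
                if not result[0]:
                    # The message previously said "加密失败" (encryption
                    # failed) on this decrypt path; corrected to "解密失败".
                    self.logger.error('解密用户' + username + '的指定数据时失败,键名' + key +
                                      '的值解密失败,原因:' + result[1])
                    return (False, '解密用户' + username + '的指定数据时失败,键名' + key +
                            '的值解密失败,' + result[1])
                decryp_dict[key] = result[1]
                continue

            # Plaintext field: normalise the string forms of booleans.
            if value == 'False':
                value = False
            elif value == 'True':
                value = True
            decryp_dict[key] = value

        return (True, decryp_dict)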
    def decryp_string(self, username, vault_password, data, isverify=True):
        '''
        Decrypt a single value belonging to ``username``.

        A ``Using_AES256`` instance is built from ``vault_password`` and the
        module-level ``vault_header``. When ``isverify`` is true the password
        is first checked with ``self.verify_vaultpassword``; on mismatch
        nothing is decrypted and ``(False, message)`` is returned. Otherwise
        the result is ``(True, plaintext)`` or ``(False, reason)`` as reported
        by ``Using_AES256.decrypt``, the failure reason also being logged.
        '''
        decryp_api = Using_AES256(vault_password, vault_header)

        if isverify and not self.verify_vaultpassword(username, vault_password)[0]:
            self.logger.error('解密用户' + username + '数据时失败,原因:输入的vault密码与数据库中vault密码不匹配')
            return (False, '解密用户' + username + '数据时失败,输入的vault密码与数据库中vault密码不匹配')

        outcome = decryp_api.decrypt(data)
        if not outcome[0]:
            self.logger.error('解密用户' + username + '数据失败,原因:' + outcome[1])
            return (False, outcome[1])
        return (True, outcome[1])
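 def __init__(self, username, vault_passwd=None, mongoclient=None):
     """Set up per-user YAML handling state.

     Args:
         username: owner; the Mongo collection name becomes
             ``'<username>.ansible.yaml'``.
         vault_passwd: vault password. When empty or ``None`` no cipher is
             loaded and ``self.this_cipher`` is ``None``; otherwise a
             ``Using_AES256`` bound to the module-level ``vault_header`` is
             created. The raw password is kept as ``self.vault_passwd``.
         mongoclient: existing ``Op_Mongo``-style client to reuse; when
             ``None`` a new ``Op_Mongo()`` is created and a warning logged.
     """
     self.logger = logging.getLogger("ansible")
     self.yaml_mongocollect = username + '.ansible.yaml'
     self.temp_basedir = '/dev/shm/devops/ansible/yaml/'
     self.username = username
     self.vault_passwd = vault_passwd

     # Logger.warn() is deprecated and removed in Python 3.13; warning() is
     # the supported spelling.
     if mongoclient is None:
         self.mongoclient = Op_Mongo()
         self.logger.warning('无法继承,需要初始化mongodb连接')
     else:
         self.mongoclient = mongoclient

     # "is None or not x" is just "not x".
     if not vault_passwd:
         self.this_cipher = None
     else:
         self.logger.warning('提供vault密码,加载加解密模块')
         self.this_cipher = Using_AES256(vault_passwd, vault_header)

     self.vault_header = vault_header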