def backup(path, password_file=None):
"""
Replaces the contents of a file with its decrypted counterpart, storing the
original encrypted version and a hash of the file contents for later
retrieval.
"""
vault = VaultLib(get_vault_password(password_file))
with open(path, 'r') as f:
encrypted_data = f.read()
# Normally we'd just try and catch the exception, but the
# exception raised here is not very specific (just
# `AnsibleError`), so this feels safer to avoid suppressing
# other things that might go wrong.
if vault.is_encrypted(encrypted_data):
decrypted_data = vault.decrypt(encrypted_data)
# Create atk vault files
atk_path = os.path.join(ATK_VAULT, path)
mkdir_p(atk_path)
# ... encrypted
with open(os.path.join(atk_path, 'encrypted'), 'wb') as f:
f.write(encrypted_data)
# ... hash
with open(os.path.join(atk_path, 'hash'), 'wb') as f:
f.write(hashlib.sha1(decrypted_data).hexdigest())
# Replace encrypted file with decrypted one
with open(path, 'wb') as f:
f.write(decrypted_data)
def backup(path, password_file=None):
"""
Replaces the contents of a file with its decrypted counterpart, storing the
original encrypted version and a hash of the file contents for later
retrieval.
"""
vault = VaultLib(get_vault_password(password_file))
with open(path, 'r') as f:
encrypted_data = f.read()
# Normally we'd just try and catch the exception, but the
# exception raised here is not very specific (just
# `AnsibleError`), so this feels safer to avoid suppressing
# other things that might go wrong.
if vault.is_encrypted(encrypted_data):
decrypted_data = vault.decrypt(encrypted_data)
# Create atk vault files
atk_path = os.path.join(ATK_VAULT, path)
mkdir_p(atk_path)
# ... encrypted
with open(os.path.join(atk_path, 'encrypted'), 'wb') as f:
f.write(encrypted_data)
# ... hash
with open(os.path.join(atk_path, 'hash'), 'wb') as f:
f.write(hashlib.sha1(decrypted_data).hexdigest())
# Replace encrypted file with decrypted one
with open(path, 'wb') as f:
f.write(decrypted_data)
def decrypt_diff(diff_part, password_file=None):
"""
Diff part is a string in the format:
diff --git a/group_vars/foo b/group_vars/foo
index c09080b..0d803bb 100644
--- a/group_vars/foo
+++ b/group_vars/foo
@@ -1,32 +1,33 @@
$ANSIBLE_VAULT;1.1;AES256
-61316662363730313230626432303662316330323064373866616436623565613033396539366263
-383632656663356364656531653039333965
+30393563383639396563623339383936613866326332383162306532653239636166633162323236
+62376161626137626133
Returns a tuple of decrypted old contents and decrypted new contents.
"""
vault = VaultLib(get_vault_password(password_file))
old_contents, new_contents = get_contents(diff_part)
if vault.is_encrypted(old_contents):
old_contents = vault.decrypt(old_contents)
if vault.is_encrypted(new_contents):
new_contents = vault.decrypt(new_contents)
return old_contents, new_contents
def test_is_encrypted(self):
v = VaultLib(None)
assert not v.is_encrypted("foobar"), "encryption check on plaintext failed"
data = "$ANSIBLE_VAULT;9.9;TEST\n%s" % hexlify("ansible")
assert v.is_encrypted(data), "encryption check on headered text failed"
def test_is_encrypted(self):
v = VaultLib(None)
assert not v.is_encrypted("foobar"), "encryption check on plaintext failed"
data = "$ANSIBLE_VAULT;9.9;TEST\n%s" % hexlify("ansible")
assert v.is_encrypted(data), "encryption check on headered text failed"
# expand any user home dir specifier
dest = self.runner._remote_expand_user(conn, dest, tmp_path)
vault = VaultLib(password=self.runner.vault_pass)
for source_full, source_rel in source_files:
vault_temp_file = None
data = None
try:
data = open(source_full).read()
except IOError:
raise errors.AnsibleError("file could not read: %s" % source_full)
if vault.is_encrypted(data):
# if the file is encrypted and no password was specified,
# the decrypt call would throw an error, but we check first
# since the decrypt function doesn't know the file name
if self.runner.vault_pass is None:
raise errors.AnsibleError("A vault password must be specified to decrypt %s" % source_full)
data = vault.decrypt(data)
# Make a temp file
vault_temp_file = self._create_content_tempfile(data)
source_full = vault_temp_file;
# Generate a hash of the local file.
local_checksum = utils.checksum(source_full)
# If local_checksum is not defined we can't find the file so we should fail out.