def restore(path, password_file=None):
    """
    Retrieve a file from the atk vault and put it back at its original
    location, re-encrypting it only when its contents have changed.

    :param path: path to the original file; the same value is used as the
        key into ATK_VAULT, so it must match what was given when the file
        was checked out
    :param password_file: handed to get_vault_password() to obtain the
        vault password
    """
    vault = VaultLib(get_vault_password(password_file))
    atk_path = os.path.join(ATK_VAULT, path)
    encrypted_file = os.path.join(atk_path, 'encrypted')
    hash_file = os.path.join(atk_path, 'hash')

    def read_bytes(filename):
        with open(filename, 'rb') as handle:
            return handle.read()

    # Stored ciphertext and the digest of the plaintext taken at check-out.
    old_data = read_bytes(encrypted_file)
    old_hash = read_bytes(hash_file)

    # Current plaintext sitting at the original location.
    new_data = read_bytes(path)
    # SHA-1 is used purely for change detection against our own stored
    # digest, not as a tamper-evidence mechanism; the vault password is
    # what protects the data.
    new_hash = hashlib.sha1(new_data).hexdigest()

    # An unchanged file gets the stored ciphertext back so the result is
    # byte-identical to the original; otherwise the new plaintext is
    # encrypted afresh.
    # NOTE(review): old_hash comes from a binary read while hexdigest()
    # yields text; under Python 3 the two never compare equal and every
    # restore would re-encrypt. Confirm the interpreter this runs under.
    if old_hash == new_hash:
        payload = old_data
    else:
        payload = vault.encrypt(new_data)

    with open(path, 'wb') as handle:
        handle.write(payload)

    # Drop the checked-out copies only after the original has been rewritten.
    os.remove(encrypted_file)
    os.remove(hash_file)
def test_encrypt_decrypt_aes256(self):
    """Round-trip a short plaintext through the AES256 cipher.

    Skipped unless the AES, Counter and PBKDF2 primitives are all
    available. The ciphertext must differ from the plaintext, and
    decrypting it must give the plaintext back unchanged.
    """
    crypto_available = HAS_AES and HAS_COUNTER and HAS_PBKDF2
    if not crypto_available:
        raise SkipTest
    plaintext = "foobar"
    vault = VaultLib('ansible')
    vault.cipher_name = 'AES256'
    ciphertext = vault.encrypt(plaintext)
    recovered = vault.decrypt(ciphertext)
    assert ciphertext != plaintext, "encryption failed"
    assert recovered == plaintext, "decryption failed"
def test_encyrpt_decrypt(self):
    """Round-trip a short plaintext through the 'AES' cipher.

    Only the AES primitive is required for this cipher. The method name
    keeps its original spelling ("encyrpt") because runners and skip
    lists may refer to the test by name.
    """
    if not HAS_AES:
        raise SkipTest
    plaintext = "foobar"
    vault = VaultLib('ansible')
    vault.cipher_name = 'AES'
    ciphertext = vault.encrypt(plaintext)
    recovered = vault.decrypt(ciphertext)
    assert ciphertext != plaintext, "encryption failed"
    assert recovered == plaintext, "decryption failed"
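def test_cipher_not_set(self):
    """Encrypt without setting cipher_name and record whether it raised.

    NOTE(review): ``error_hit`` is computed but never asserted on in this
    block, so the test passes whichever way VaultLib behaves when no
    cipher is set. The intended outcome is not visible here; add an
    assertion on ``error_hit`` once it is confirmed.
    """
    if not HAS_AES:
        raise SkipTest
    vault = VaultLib('ansible')
    data = "ansible"
    error_hit = False
    try:
        # Return value deliberately discarded: only the raise/no-raise
        # outcome is of interest here.
        vault.encrypt(data)
    except errors.AnsibleError:
        error_hit = True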
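def test_encrypt_encrypted(self):
    """Feed already-vault-formatted data to encrypt() and record whether it raised.

    The input mimics existing vault output: a ``$ANSIBLE_VAULT;...``
    header line (presumably version and cipher fields) followed by a
    hex-encoded body.

    NOTE(review): ``error_hit`` is never asserted on in this block, so the
    test cannot fail regardless of whether double-encryption is rejected.
    Add an assertion on ``error_hit`` once the intended outcome is
    confirmed.
    """
    if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
        raise SkipTest
    vault = VaultLib('ansible')
    vault.cipher_name = 'AES'
    data = "$ANSIBLE_VAULT;9.9;TEST\n%s" % hexlify("ansible")
    error_hit = False
    try:
        # Return value deliberately discarded: only the raise/no-raise
        # outcome is of interest here.
        vault.encrypt(data)
    except errors.AnsibleError:
        error_hit = True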
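def test_cipher_not_set(self):
    """Encrypting without setting cipher_name must not raise.

    Per the original author's comment, leaving the cipher unset should
    default to AES256; this block now asserts the no-error half of that
    expectation. Checking ``vault.cipher_name`` afterwards would pin the
    default itself, but whether the attribute is populated on encrypt is
    not visible here.
    """
    # not setting the cipher should default to AES256
    if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
        raise SkipTest
    vault = VaultLib('ansible')
    data = "ansible"
    error_hit = False
    try:
        # Return value deliberately discarded: only the raise/no-raise
        # outcome is of interest here.
        vault.encrypt(data)
    except errors.AnsibleError:
        error_hit = True
    assert not error_hit, "encrypting with no cipher set should default rather than raise"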
def test_encrypt_decrypt_aes(self):
    """Round-trip a short plaintext through the 'AES' cipher.

    Skipped on FIPS-enabled hosts (the skip message records that this
    cipher depends on MD5, which FIPS mode disables) and whenever the
    AES, Counter or PBKDF2 primitives are missing.
    """
    if self._is_fips():
        raise SkipTest('MD5 not available on FIPS enabled systems')
    if not (HAS_AES and HAS_COUNTER and HAS_PBKDF2):
        raise SkipTest
    plaintext = "foobar"
    vault = VaultLib('ansible')
    vault.cipher_name = 'AES'
    ciphertext = vault.encrypt(plaintext)
    recovered = vault.decrypt(ciphertext)
    assert ciphertext != plaintext, "encryption failed"
    assert recovered == plaintext, "decryption failed"
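class Vault(object):
    '''Read and write an ansible-vault encrypted YAML file.

    Wraps a VaultLib built from ``password``: ``load`` decrypts and parses
    a stream, ``dump`` serialises an object and encrypts the result.
    '''

    def __init__(self, password):
        # The password is kept on the instance as well as handed to VaultLib.
        self.password = password
        self.vault = VaultLib(password)

    def load(self, stream):
        '''Decrypt a vault stream and return the parsed YAML as a Python object.'''
        # SECURITY: yaml.load with no explicit Loader can construct arbitrary
        # Python objects from tags such as !!python/object, so the decrypted
        # YAML is trusted exactly as far as the vault password is. Prefer
        # yaml.safe_load unless tagged objects are genuinely required.
        # NOTE(review): recent PyYAML releases also require the Loader
        # argument here — confirm the pinned version before relying on this.
        return yaml.load(self.vault.decrypt(stream))

    def dump(self, data, stream=None):
        '''Serialise *data* to YAML, encrypt it and emit the ciphertext.

        If *stream* is given the ciphertext is written to it and nothing is
        returned; otherwise the ciphertext is returned. Nothing is printed.
        '''
        yaml_text = yaml.dump(data, default_flow_style=False, allow_unicode=True)
        encrypted = self.vault.encrypt(yaml_text)
        # Compare against None rather than truthiness so a valid but
        # "empty" file-like object is still written to.
        if stream is not None:
            stream.write(encrypted)
        else:
            return encrypted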
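class Vault(object):
    '''R/W an ansible-vault encrypted YAML file.

    ``load`` turns an encrypted stream back into a Python object; ``dump``
    turns a Python object into encrypted YAML text.
    '''

    def __init__(self, password):
        self.password = password
        self.vault = VaultLib(password)

    def load(self, stream):
        '''Decrypt the vault stream and parse it as YAML.'''
        # SECURITY: a Loader-less yaml.load can instantiate arbitrary Python
        # objects from YAML tags; the only thing standing between that and
        # an attacker is the vault password. yaml.safe_load is the safer
        # default unless tagged objects are really needed.
        # NOTE(review): newer PyYAML versions reject yaml.load without a
        # Loader argument — confirm the version in use.
        return yaml.load(self.vault.decrypt(stream))

    def dump(self, data, stream=None):
        '''Encrypt *data* as YAML and write it to *stream* or return it.

        With a stream the ciphertext is written and None is returned;
        without one the ciphertext is returned. Nothing goes to stdout.
        '''
        yaml_text = yaml.dump(
            data, default_flow_style=False, allow_unicode=True)
        encrypted = self.vault.encrypt(yaml_text)
        # An explicit None check keeps a valid but falsy file-like object
        # from being silently skipped.
        if stream is not None:
            stream.write(encrypted)
        else:
            return encrypted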