def test_ensure_type_with_vaulted_str(self, value_type): class MockVault: def decrypt(self, value): return value vault_var = AnsibleVaultEncryptedUnicode(b"vault text") vault_var.vault = MockVault() actual_value = ensure_type(vault_var, value_type) assert actual_value == "vault text"
def test_entry_as_vault_var(self): class MockVault: def decrypt(self, value, filename=None, obj=None): return value vault_var = AnsibleVaultEncryptedUnicode(b"vault text") vault_var.vault = MockVault() actual_value, actual_origin = self.manager._loop_entries({'name': vault_var}, [{'name': 'name'}]) assert actual_value == "vault text" assert actual_origin == "name"
def _decode_map(self, value): if value.get('__ansible_unsafe', False): value = wrap_var(value.get('__ansible_unsafe')) elif value.get('__ansible_vault', False): value = AnsibleVaultEncryptedUnicode(value.get('__ansible_vault')) if self._vaults: value.vault = self._vaults['default'] else: for k in value: if isinstance(value[k], Mapping): value[k] = self._decode_map(value[k]) return value
def object_hook(self, pairs): for key in pairs: value = pairs[key] if key == '__ansible_vault': value = AnsibleVaultEncryptedUnicode(value) if self._vaults: value.vault = self._vaults['default'] return value elif key == '__ansible_unsafe': return wrap_var(value) return pairs
def construct_vault_encrypted_unicode(self, node): value = self.construct_scalar(node) ciphertext_data = to_bytes(value) if self._vault_password is None: raise ConstructorError(None, None, "found vault but no vault password provided", node.start_mark) # could pass in a key id here to choose the vault to associate with vault = self._vaults['default'] ret = AnsibleVaultEncryptedUnicode(ciphertext_data) ret.vault = vault return ret
def construct_vault_encrypted_unicode(self, node): value = self.construct_scalar(node) b_ciphertext_data = to_bytes(value) # could pass in a key id here to choose the vault to associate with # TODO/FIXME: plugin vault selector vault = self._vaults['default'] if vault.secrets is None: raise ConstructorError(context=None, context_mark=None, problem="found !vault but no vault password provided", problem_mark=node.start_mark, note=None) ret = AnsibleVaultEncryptedUnicode(b_ciphertext_data) ret.vault = vault return ret
def test_embedded_vault_from_dump(self): avu = AnsibleVaultEncryptedUnicode.from_plaintext( 'setec astronomy', self.vault, self.vault_secret) blip = { 'stuff1': [{ 'a dict key': 24 }, { 'shhh-ssh-secrets': avu, 'nothing to see here': 'move along' }], 'another key': 24.1 } blip = ['some string', 'another string', avu] stream = NameStringIO() self._dump_stream(blip, stream, dumper=AnsibleDumper) stream.seek(0) stream.seek(0) loader = self._loader(stream) data_from_yaml = loader.get_data() stream2 = NameStringIO(u'') # verify we can dump the object again self._dump_stream(data_from_yaml, stream2, dumper=AnsibleDumper)
def do_vault(data, secret, salt=None, vaultid='filter_default', wrap_object=False): if not isinstance(secret, (string_types, binary_type, Undefined)): raise AnsibleFilterTypeError( "Secret passed is required to be a string, instead we got: %s" % type(secret)) if not isinstance(data, (string_types, binary_type, Undefined)): raise AnsibleFilterTypeError( "Can only vault strings, instead we got: %s" % type(data)) vault = '' vs = VaultSecret(to_bytes(secret)) vl = VaultLib() try: vault = vl.encrypt(to_bytes(data), vs, vaultid, salt) except UndefinedError: raise except Exception as e: raise AnsibleFilterError("Unable to encrypt: %s" % to_native(e), orig_exc=e) if wrap_object: vault = AnsibleVaultEncryptedUnicode(vault) else: vault = to_native(vault) return vault
def test_embedded_vault_from_dump(self): avu = AnsibleVaultEncryptedUnicode.from_plaintext('setec astronomy', vault=self.vault) blip = {'stuff1': [{'a dict key': 24}, {'shhh-ssh-secrets': avu, 'nothing to see here': 'move along'}], 'another key': 24.1} blip = ['some string', 'another string', avu] stream = NameStringIO() self._dump_stream(blip, stream, dumper=AnsibleDumper) print(stream.getvalue()) stream.seek(0) stream.seek(0) loader = self._loader(stream) data_from_yaml = loader.get_data() stream2 = NameStringIO(u'') # verify we can dump the object again self._dump_stream(data_from_yaml, stream2, dumper=AnsibleDumper)
def test_dump_load_cycle(self): avu = AnsibleVaultEncryptedUnicode.from_plaintext('The plaintext for test_dump_load_cycle.', self.vault, self.vault_secret) self._dump_load_cycle(avu)
def test_dump_load_cycle(self): avu = AnsibleVaultEncryptedUnicode.from_plaintext('The plaintext for test_dump_load_cycle.', vault=self.vault) self._dump_load_cycle(avu)
@pytest.mark.parametrize('value', ([None], (None,), ['one', None])) def test_play_none_hosts(value): with pytest.raises(AnsibleParserError, match="Hosts list cannot contain values of 'None'"): Play.load({'hosts': value}) @pytest.mark.parametrize( 'value', ( {'one': None}, {'one': 'two'}, True, 1, 1.75, AnsibleVaultEncryptedUnicode('secret'), ) ) def test_play_invalid_hosts_sequence(value): with pytest.raises(AnsibleParserError, match='Hosts list must be a sequence or string'): Play.load({'hosts': value}) @pytest.mark.parametrize( 'value', ( [[1, 'two']], [{'one': None}], [set((None, 'one'))], ['one', 'two', {'three': None}], ['one', 'two', {'three': 'four'}],