示例#1
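def restore(path, password_file=None):
    """
    Retrieves a file from the atk vault and restores it to its original
    location, re-encrypting it if it has changed.

    The contents currently at ``path`` are hashed and compared with the
    hash stored in the vault entry. If they differ, the current contents
    are encrypted and written back to ``path``; otherwise the stored
    ciphertext is written back unchanged. The vault entry (``encrypted``
    and ``hash``) is deleted once the write has succeeded.

    :param path: path to original file
    :param password_file: passed through to get_vault_password
    """
    vault = VaultLib(get_vault_password(password_file))
    # NOTE(review): os.path.join discards ATK_VAULT when ``path`` is
    # absolute, so the entry would be looked up outside the vault
    # directory. Confirm callers pass a path relative to the vault root.
    atk_path = os.path.join(ATK_VAULT, path)
    encrypted_path = os.path.join(atk_path, 'encrypted')
    hash_path = os.path.join(atk_path, 'hash')

    # Load stored data
    with open(encrypted_path, 'rb') as f:
        old_data = f.read()
    with open(hash_path, 'rb') as f:
        old_hash = f.read()

    # Load new data
    with open(path, 'rb') as f:
        new_data = f.read()
    # The stored hash is read as bytes, so the hex digest is encoded before
    # comparing. On Python 3 a str never equals bytes, which made every
    # restore re-encrypt the file even when it was unchanged.
    # SHA-1 is used here only to notice local edits; it is not an
    # integrity or authenticity check on the vault entry.
    new_hash = hashlib.sha1(new_data).hexdigest().encode('ascii')

    # Determine whether to re-encrypt
    if old_hash != new_hash:
        new_data = vault.encrypt(new_data)
    else:
        new_data = old_data

    # Update file
    # NOTE(review): opening with 'wb' truncates ``path`` before writing, so
    # an interrupted write leaves a partial file. The vault entry is still
    # present at that point because it is only removed below.
    with open(path, 'wb') as f:
        f.write(new_data)

    # Clean atk vault
    os.remove(encrypted_path)
    os.remove(hash_path)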
示例#2
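def restore(path, password_file=None):
    """
    Retrieves a file from the atk vault and restores it to its original
    location, re-encrypting it if it has changed.

    Reads the ``encrypted`` and ``hash`` files of the vault entry for
    ``path``, hashes what is currently stored at ``path``, and writes back
    either freshly encrypted contents (hash differs) or the stored
    ciphertext (hash matches). Both vault files are removed at the end.

    :param path: path to original file
    :param password_file: passed through to get_vault_password
    """
    vault = VaultLib(get_vault_password(password_file))
    # NOTE(review): with an absolute ``path`` os.path.join returns ``path``
    # itself and ATK_VAULT is ignored. Verify that callers only pass
    # paths relative to the vault root.
    atk_path = os.path.join(ATK_VAULT, path)

    # Load stored data
    with open(os.path.join(atk_path, 'encrypted'), 'rb') as f:
        old_data = f.read()
    with open(os.path.join(atk_path, 'hash'), 'rb') as f:
        old_hash = f.read()

    # Load new data
    with open(path, 'rb') as f:
        new_data = f.read()
        # Compare like with like: old_hash is bytes (file opened 'rb'),
        # while hexdigest() returns str. Without the encode the two are
        # never equal on Python 3 and the file is always re-encrypted.
        # SHA-1 serves as a change detector only, not as a security check.
        new_hash = hashlib.sha1(new_data).hexdigest().encode('ascii')

    # Determine whether to re-encrypt
    if old_hash != new_hash:
        new_data = vault.encrypt(new_data)
    else:
        new_data = old_data

    # Update file
    # NOTE(review): this write is not atomic ('wb' truncates first). The
    # vault copy is only deleted after the write returns.
    with open(path, 'wb') as f:
        f.write(new_data)

    # Clean atk vault
    os.remove(os.path.join(atk_path, 'encrypted'))
    os.remove(os.path.join(atk_path, 'hash'))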
示例#3
 def test_encrypt_decrypt_aes256(self):
     """Round-trip a short string through VaultLib with cipher_name 'AES256'."""
     # Skip unless every crypto feature flag checked here is set.
     if not (HAS_AES and HAS_COUNTER and HAS_PBKDF2):
         raise SkipTest
     vault = VaultLib('ansible')
     vault.cipher_name = 'AES256'
     ciphertext = vault.encrypt("foobar")
     recovered = vault.decrypt(ciphertext)
     # The output must differ from the input and must decrypt back to it.
     assert ciphertext != "foobar", "encryption failed"
     assert recovered == "foobar", "decryption failed"
示例#4
 def test_encyrpt_decrypt(self):
     """Round-trip a short string through VaultLib with cipher_name 'AES'."""
     if not HAS_AES:
         raise SkipTest
     plaintext = "foobar"
     vault = VaultLib('ansible')
     vault.cipher_name = 'AES'
     ciphertext = vault.encrypt(plaintext)
     recovered = vault.decrypt(ciphertext)
     # Only checks that the output changed and that it decrypts back.
     assert ciphertext != plaintext, "encryption failed"
     assert recovered == plaintext, "decryption failed"
示例#5
 def test_encrypt_decrypt_aes256(self):
     """Encrypt then decrypt "foobar" with the 'AES256' cipher selected."""
     features_present = HAS_AES and HAS_COUNTER and HAS_PBKDF2
     if not features_present:
         raise SkipTest
     plaintext = "foobar"
     lib = VaultLib('ansible')
     lib.cipher_name = 'AES256'
     sealed = lib.encrypt(plaintext)
     opened = lib.decrypt(sealed)
     # Encryption must change the data; decryption must restore it.
     assert sealed != plaintext, "encryption failed"
     assert opened == plaintext, "decryption failed"
示例#6
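 def test_cipher_not_set(self):
     """Call VaultLib.encrypt without assigning cipher_name first.

     ``error_hit`` records whether errors.AnsibleError was raised.
     """
     if not HAS_AES:
         raise SkipTest
     v = VaultLib('ansible')
     data = "ansible"
     error_hit = False
     try:
         v.encrypt(data)
     # ``except X, e`` is Python 2-only syntax and ``e`` was never used;
     # this form parses on both Python 2 and Python 3.
     except errors.AnsibleError:
         error_hit = True
     # NOTE(review): nothing visible here asserts on error_hit, so the test
     # passes whether or not encrypt() raises. Confirm the intended outcome
     # for an unset cipher and assert it.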
示例#7
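 def test_encrypt_encrypted(self):
     """Call VaultLib.encrypt on input that already starts with a vault header.

     ``error_hit`` records whether errors.AnsibleError was raised.
     """
     if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
         raise SkipTest
     v = VaultLib('ansible')
     v.cipher_name = 'AES'
     # Header line followed by a hex-encoded body, built by hand.
     data = "$ANSIBLE_VAULT;9.9;TEST\n%s" % hexlify("ansible")
     error_hit = False
     try:
         v.encrypt(data)
     # ``except X, e`` is Python 2-only syntax and ``e`` was never used;
     # this form parses on both Python 2 and Python 3.
     except errors.AnsibleError:
         error_hit = True
     # NOTE(review): error_hit is never asserted in this excerpt, so the
     # test passes either way. Presumably encrypt() should reject input
     # that already carries a vault header; confirm, then assert it.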
示例#8
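 def test_cipher_not_set(self):
     """Encrypt without assigning cipher_name and require that it succeeds."""
     # not setting the cipher should default to AES256
     if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
         raise SkipTest
     v = VaultLib('ansible')
     data = "ansible"
     error_hit = False
     try:
         v.encrypt(data)
     # ``except X, e`` is Python 2-only syntax and ``e`` was never used;
     # this form parses on both Python 2 and Python 3.
     except errors.AnsibleError:
         error_hit = True
     # Without this check the test passed even when encrypt() raised,
     # which hid the failure it is meant to detect.
     assert not error_hit, "encrypt raised AnsibleError with no cipher set"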
示例#9
 def test_encrypt_decrypt_aes(self):
     """Round-trip a short string through VaultLib with cipher_name 'AES'."""
     # The skip message ties this cipher path to MD5, which FIPS-enabled
     # systems do not provide.
     if self._is_fips():
         raise SkipTest('MD5 not available on FIPS enabled systems')
     if not (HAS_AES and HAS_COUNTER and HAS_PBKDF2):
         raise SkipTest
     vault = VaultLib('ansible')
     vault.cipher_name = 'AES'
     ciphertext = vault.encrypt("foobar")
     recovered = vault.decrypt(ciphertext)
     # The output must differ from the input and must decrypt back to it.
     assert ciphertext != "foobar", "encryption failed"
     assert recovered == "foobar", "decryption failed"
示例#10
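 def test_cipher_not_set(self):
     """Check that encrypting with no cipher_name assigned does not fail."""
     # not setting the cipher should default to AES256
     if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
         raise SkipTest
     v = VaultLib('ansible')
     data = "ansible"
     error_hit = False
     try:
         v.encrypt(data)
     # The Python 2-only ``except X, e`` form is replaced by one that
     # parses on Python 2 and 3; the bound exception was unused.
     except errors.AnsibleError:
         error_hit = True
     # The flag was previously set but never checked, so a raised
     # AnsibleError went unnoticed.
     assert not error_hit, "encrypt raised AnsibleError with no cipher set"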
示例#11
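 def test_encrypt_encrypted(self):
     """Feed VaultLib.encrypt a payload that already begins with a vault header.

     ``error_hit`` records whether errors.AnsibleError was raised.
     """
     if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
         raise SkipTest
     v = VaultLib('ansible')
     v.cipher_name = 'AES'
     # Hand-built input: a header line, then a hex-encoded body.
     data = "$ANSIBLE_VAULT;9.9;TEST\n%s" % hexlify("ansible")
     error_hit = False
     try:
         v.encrypt(data)
     # The Python 2-only ``except X, e`` form is replaced by one that
     # parses on Python 2 and 3; the bound exception was unused.
     except errors.AnsibleError:
         error_hit = True
     # NOTE(review): error_hit is not asserted anywhere in this excerpt.
     # Presumably input that already has a header should be rejected;
     # confirm the expected behaviour and assert it.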
示例#12
 def test_encrypt_decrypt_aes(self):
     """Encrypt then decrypt "foobar" with the 'AES' cipher selected."""
     # Skipped on FIPS systems: per the message, MD5 is unavailable there.
     if self._is_fips():
         raise SkipTest('MD5 not available on FIPS enabled systems')
     features_present = HAS_AES and HAS_COUNTER and HAS_PBKDF2
     if not features_present:
         raise SkipTest
     plaintext = "foobar"
     lib = VaultLib('ansible')
     lib.cipher_name = 'AES'
     sealed = lib.encrypt(plaintext)
     opened = lib.decrypt(sealed)
     # Encryption must change the data; decryption must restore it.
     assert sealed != plaintext, "encryption failed"
     assert opened == plaintext, "decryption failed"
示例#13
class Vault(object):
    """Read and write an ansible-vault encrypted YAML document."""

    def __init__(self, password):
        """Build the VaultLib used for all encrypt/decrypt calls.

        The password is also kept on the instance as ``self.password``.
        """
        self.password = password
        self.vault = VaultLib(password)

    def load(self, stream):
        """Decrypt ``stream`` and parse the plaintext as YAML.

        ``stream`` is handed to VaultLib.decrypt as-is; the return value
        is whatever yaml.load builds from the decrypted text.
        """
        plaintext = self.vault.decrypt(stream)
        # NOTE(review): yaml.load is called without an explicit Loader.
        # With PyYAML's full loader, tagged nodes can construct arbitrary
        # Python objects, so the decrypted document is treated as fully
        # trusted. Consider yaml.safe_load, after confirming that dump()
        # never emits Python-specific tags that safe_load would reject.
        return yaml.load(plaintext)

    def dump(self, data, stream=None):
        """Serialize ``data`` to YAML and encrypt it.

        Writes the ciphertext to ``stream`` when a truthy one is given and
        returns None; otherwise returns the ciphertext.
        """
        serialized = yaml.dump(data, default_flow_style=False, allow_unicode=True)
        ciphertext = self.vault.encrypt(serialized)
        if not stream:
            return ciphertext
        stream.write(ciphertext)
示例#14
class Vault(object):
    """Wrapper that reads and writes YAML protected by ansible-vault."""

    def __init__(self, password):
        """Store ``password`` and create a VaultLib from it."""
        # The password stays on the instance for the object's lifetime.
        self.password = password
        self.vault = VaultLib(password)

    def load(self, stream):
        """Return the Python object parsed from the decrypted ``stream``."""
        decrypted = self.vault.decrypt(stream)
        # NOTE(review): no Loader is passed to yaml.load. PyYAML's full
        # loader can instantiate arbitrary Python objects from tagged
        # nodes, so anyone able to produce a valid vault file controls what
        # gets constructed here. Evaluate yaml.safe_load, checking first
        # that documents written by dump() still load under it.
        return yaml.load(decrypted)

    def dump(self, data, stream=None):
        """Encrypt the YAML form of ``data``.

        The ciphertext is written to ``stream`` if one is supplied (the
        method then returns None) and returned to the caller otherwise.
        """
        dump_options = {'default_flow_style': False, 'allow_unicode': True}
        document = yaml.dump(data, **dump_options)
        sealed = self.vault.encrypt(document)
        if not stream:
            return sealed
        stream.write(sealed)