vault noe preserves permissions on edit and rekey and sets a restricitve default umask for all other cases

9 years ago · 00bc74404a
parent 35bedd1190
commit 00bc74404a
2 changed files with 20 additions and 5 deletions
--- a/lib/ansible/cli/vault.py
+++ b/lib/ansible/cli/vault.py
@ -86,6 +86,9 @@ class VaultCLI(CLI):
        super(VaultCLI, self).run()
        loader = DataLoader()

+        # set default restrictive umask
+        old_umask = os.umask(0o077)
+
        if self.options.vault_password_file:
            # read vault_pass from a file
            self.vault_pass = CLI.read_vault_password_file(self.options.vault_password_file, loader)
@ -108,6 +111,9 @@ class VaultCLI(CLI):

        self.execute()

+        # and restore umask
+        os.umask(old_umask)
+
    def execute_encrypt(self):

        if len(self.args) == 0 and sys.stdin.isatty():
--- a/lib/ansible/parsing/vault/init.py
+++ b/lib/ansible/parsing/vault/init.py
@ -221,8 +221,6 @@ class VaultEditor:
        self.vault = VaultLib(password)

    def _edit_file_helper(self, filename, existing_data=None, force_save=False):
-        # make sure the umask is set to a sane value
-        old_umask = os.umask(0o077)

        # Create a tempfile
        _, tmp_path = tempfile.mkstemp()
@ -246,9 +244,6 @@ class VaultEditor:
        # shuffle tmp file into place
        self.shuffle_files(tmp_path, filename)

-        # and restore umask
-        os.umask(old_umask)
-
    def encrypt_file(self, filename, output_file=None):

        check_prereqs()
@ -303,13 +298,19 @@ class VaultEditor:

        check_prereqs()

+        prev = os.stat(filename)
        ciphertext = self.read_data(filename)
        plaintext = self.vault.decrypt(ciphertext)

        new_vault = VaultLib(new_password)
        new_ciphertext = new_vault.encrypt(plaintext)
+
        self.write_data(new_ciphertext, filename)

+        # preserve permitions
+        os.chmod(filename, prev.st_mode)
+        os.chown(filename, prev.st_uid, prev.st_gid)
+
    def read_data(self, filename):
        try:
            if filename == '-':
@ -333,11 +334,19 @@ class VaultEditor:
                fh.write(bytes)

    def shuffle_files(self, src, dest):
+        prev = None
        # overwrite dest with src
        if os.path.isfile(dest):
+            prev = os.stat(dest)
            os.remove(dest)
        shutil.move(src, dest)

+        # reset permissions if needed
+        if prev is not None:
+            #TODO: selinux, ACLs, xattr?
+            os.chmod(dest, prev.st_mode)
+            os.chown(dest, prev.st_uid, prev.st_gid)
+
    def _editor_shell_command(self, filename):
        EDITOR = os.environ.get('EDITOR','vim')
        editor = shlex.split(EDITOR)