Remove deprecated and unused VaultAES encryption code

Now that VaultLib always decides to use AES256 to encrypt, we don't need this broken code any more. We need to be able to decrypt this format for a while longer, but encryption support can be safely dropped.
9 years ago · 159887a6c9
parent 5ba3452b7e
commit 159887a6c9
1 changed files with 1 additions and 33 deletions
--- a/lib/ansible/parsing/vault/init.py
+++ b/lib/ansible/parsing/vault/init.py
@ -465,39 +465,7 @@ class VaultAES:

        """ Read plaintext data from in_file and write encrypted to out_file """

-        # combine sha + data
-        this_sha = to_bytes(sha256(data).hexdigest())
-        tmp_data = this_sha + b"\n" + data
-
-        in_file = BytesIO(tmp_data)
-        in_file.seek(0)
-        out_file = BytesIO()
-
-        bs = AES.block_size
-
-        # Get a block of random data. EL does not have Crypto.Random.new()
-        # so os.urandom is used for cross platform purposes
-        salt = os.urandom(bs - len(b'Salted__'))
-
-        key, iv = self.aes_derive_key_and_iv(password, salt, key_length, bs)
-        cipher = AES.new(key, AES.MODE_CBC, iv)
-        full = to_bytes(b'Salted__' + salt)
-        out_file.write(full)
-        finished = False
-        while not finished:
-            chunk = in_file.read(1024 * bs)
-            if len(chunk) == 0 or len(chunk) % bs != 0:
-                padding_length = (bs - len(chunk) % bs) or bs
-                chunk += to_bytes(padding_length * chr(padding_length), errors='strict', encoding='ascii')
-                finished = True
-            out_file.write(cipher.encrypt(chunk))
-
-        out_file.seek(0)
-        enc_data = out_file.read()
-        tmp_data = hexlify(enc_data)
-
-        return tmp_data
-
+        raise AnsibleError("Encryption disabled for deprecated VaultAES class")

    def decrypt(self, data, password, key_length=32):