@ -226,11 +226,10 @@ class VaultLib:
class VaultEditor :
class VaultEditor :
def __init__ ( self , password , filename ):
def __init__ ( self , password ):
self . password = password
self . password = password
self . filename = filename
def _edit_file_helper ( self , existing_data= None , force_save = False ) :
def _edit_file_helper ( self , filename, existing_data= None , force_save = False ) :
# make sure the umask is set to a sane value
# make sure the umask is set to a sane value
old_umask = os . umask ( 0o077 )
old_umask = os . umask ( 0o077 )
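Review bot: `_edit_file_helper` now takes a positional `filename` ahead of `existing_data` and `force_save`, but neither it nor the reshaped `__init__` gets a docstring recording the new contract; a one-liner such as `"""Let the user edit the data, then write it encrypted to *filename*."""` on the helper and `"""Hold the vault password; the target file is passed per call."""` on `__init__` would do. Any caller that passed `existing_data` positionally in the first slot would now be passing it as `filename` without error; the two callers updated in this commit use keywords, so this is a caution rather than a defect. The body of `_edit_file_helper` continues outside this hunk.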
@ -257,62 +256,62 @@ class VaultEditor:
self . write_data ( enc_data , tmp_path )
self . write_data ( enc_data , tmp_path )
# shuffle tmp file into place
# shuffle tmp file into place
self . shuffle_files ( tmp_path , self . filename )
self . shuffle_files ( tmp_path , filename )
# and restore umask
# and restore umask
os . umask ( old_umask )
os . umask ( old_umask )
def create_file ( self ):
def create_file ( self , filename ):
""" create a new encrypted file """
""" create a new encrypted file """
check_prereqs ( )
check_prereqs ( )
if os . path . isfile ( self . filename ) :
if os . path . isfile ( filename ) :
raise AnsibleError ( " %s exists, please use ' edit ' instead " % self . filename )
raise AnsibleError ( " %s exists, please use ' edit ' instead " % filename )
# Let the user specify contents and save file
# Let the user specify contents and save file
self . _edit_file_helper ( )
self . _edit_file_helper ( filename )
def decrypt_file ( self ):
def decrypt_file ( self , filename ):
check_prereqs ( )
check_prereqs ( )
if not os . path . isfile ( self . filename ) :
if not os . path . isfile ( filename ) :
raise AnsibleError ( " %s does not exist " % self . filename )
raise AnsibleError ( " %s does not exist " % filename )
tmpdata = self . read_data ( self . filename )
tmpdata = self . read_data ( filename )
this_vault = VaultLib ( self . password )
this_vault = VaultLib ( self . password )
if this_vault . is_encrypted ( tmpdata ) :
if this_vault . is_encrypted ( tmpdata ) :
dec_data = this_vault . decrypt ( tmpdata )
dec_data = this_vault . decrypt ( tmpdata )
if dec_data is None :
if dec_data is None :
raise AnsibleError ( " Decryption failed " )
raise AnsibleError ( " Decryption failed " )
else :
else :
self . write_data ( dec_data , self . filename )
self . write_data ( dec_data , filename )
else :
else :
raise AnsibleError ( " %s is not encrypted " % self . filename )
raise AnsibleError ( " %s is not encrypted " % filename )
def edit_file ( self ):
def edit_file ( self , filename ):
check_prereqs ( )
check_prereqs ( )
# decrypt to tmpfile
# decrypt to tmpfile
tmpdata = self . read_data ( self . filename )
tmpdata = self . read_data ( filename )
this_vault = VaultLib ( self . password )
this_vault = VaultLib ( self . password )
dec_data = this_vault . decrypt ( tmpdata )
dec_data = this_vault . decrypt ( tmpdata )
# let the user edit the data and save
# let the user edit the data and save
if this_vault . cipher_name not in CIPHER_WRITE_WHITELIST :
if this_vault . cipher_name not in CIPHER_WRITE_WHITELIST :
# we want to get rid of files encrypted with the AES cipher
# we want to get rid of files encrypted with the AES cipher
self . _edit_file_helper ( existing_data= dec_data , force_save = True )
self . _edit_file_helper ( filename, existing_data= dec_data , force_save = True )
else :
else :
self . _edit_file_helper ( existing_data= dec_data , force_save = False )
self . _edit_file_helper ( filename, existing_data= dec_data , force_save = False )
def view_file ( self ):
def view_file ( self , filename ):
check_prereqs ( )
check_prereqs ( )
# decrypt to tmpfile
# decrypt to tmpfile
tmpdata = self . read_data ( self . filename )
tmpdata = self . read_data ( filename )
this_vault = VaultLib ( self . password )
this_vault = VaultLib ( self . password )
dec_data = this_vault . decrypt ( tmpdata )
dec_data = this_vault . decrypt ( tmpdata )
_ , tmp_path = tempfile . mkstemp ( )
_ , tmp_path = tempfile . mkstemp ( )
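Review bot: `os.umask(old_umask)` at the tail of `_edit_file_helper` runs only on the success path, so an exception from `self.write_data(enc_data, tmp_path)` or `self.shuffle_files(tmp_path, filename)` leaves the process umask at 0o077 for the rest of the run; the paired `os.umask(0o077)` is in the previous hunk and the function's start lies outside this one. Wrapping the body between the two calls in `try:` with `finally: os.umask(old_umask)` restores it regardless of outcome. Separately, `view_file` discards the descriptor from `tempfile.mkstemp()` as `_`, so it is never closed; binding it as `fd` and calling `os.close(fd)` once the file is written avoids the leak. `view_file` continues past the end of this hunk.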
@ -322,27 +321,27 @@ class VaultEditor:
call ( self . _pager_shell_command ( tmp_path ) )
call ( self . _pager_shell_command ( tmp_path ) )
os . remove ( tmp_path )
os . remove ( tmp_path )
def encrypt_file ( self ):
def encrypt_file ( self , filename ):
check_prereqs ( )
check_prereqs ( )
if not os . path . isfile ( self . filename ) :
if not os . path . isfile ( filename ) :
raise AnsibleError ( " %s does not exist " % self . filename )
raise AnsibleError ( " %s does not exist " % filename )
tmpdata = self . read_data ( self . filename )
tmpdata = self . read_data ( filename )
this_vault = VaultLib ( self . password )
this_vault = VaultLib ( self . password )
if not this_vault . is_encrypted ( tmpdata ) :
if not this_vault . is_encrypted ( tmpdata ) :
enc_data = this_vault . encrypt ( tmpdata )
enc_data = this_vault . encrypt ( tmpdata )
self . write_data ( enc_data , self . filename )
self . write_data ( enc_data , filename )
else :
else :
raise AnsibleError ( " %s is already encrypted " % self . filename )
raise AnsibleError ( " %s is already encrypted " % filename )
def rekey_file ( self , new_password ):
def rekey_file ( self , new_password , filename ):
check_prereqs ( )
check_prereqs ( )
# decrypt
# decrypt
tmpdata = self . read_data ( self . filename )
tmpdata = self . read_data ( filename )
this_vault = VaultLib ( self . password )
this_vault = VaultLib ( self . password )
dec_data = this_vault . decrypt ( tmpdata )
dec_data = this_vault . decrypt ( tmpdata )
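Review bot: `os.remove(tmp_path)` in `view_file` is skipped if `call(self._pager_shell_command(tmp_path))` raises (for example an `OSError` when the pager cannot be started), which would leave the decrypted vault contents on disk in the temporary file; the function begins in the previous hunk and the write to `tmp_path` sits between the two hunks, so that the file holds `dec_data` is inferred rather than visible here. Placing the removal in a `finally:` clause, `try: call(self._pager_shell_command(tmp_path))` / `finally: os.remove(tmp_path)`, guarantees cleanup on every path. The return code of `call` is also discarded, so a pager that exits non-zero is indistinguishable from success; checking it is optional but worth a comment. `rekey_file` at the bottom of this hunk continues outside it.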
@ -351,7 +350,7 @@ class VaultEditor:
# re-encrypt data and re-write file
# re-encrypt data and re-write file
enc_data = new_vault . encrypt ( dec_data )
enc_data = new_vault . encrypt ( dec_data )
self . write_data ( enc_data , self . filename )
self . write_data ( enc_data , filename )
def read_data ( self , filename ) :
def read_data ( self , filename ) :
f = open ( filename , " rb " )
f = open ( filename , " rb " )