Pass the filename to the individual VaultEditor methods, not __init__

Now we don't have to recreate VaultEditor objects for each file, and so
on. It also paves the way towards specifying separate input and output
files later.
pull/12106/head
Abhijit Menon-Sen 9 years ago
parent a27c5741a1
commit 20fd9224bb

@ -83,6 +83,8 @@ class VaultCLI(CLI):
if not self.vault_pass: if not self.vault_pass:
raise AnsibleOptionsError("A password is required to use Ansible's Vault") raise AnsibleOptionsError("A password is required to use Ansible's Vault")
self.editor = VaultEditor(self.vault_pass)
self.execute() self.execute()
def execute_create(self): def execute_create(self):
@ -90,36 +92,30 @@ class VaultCLI(CLI):
if len(self.args) > 1: if len(self.args) > 1:
raise AnsibleOptionsError("ansible-vault create can take only one filename argument") raise AnsibleOptionsError("ansible-vault create can take only one filename argument")
this_editor = VaultEditor(self.vault_pass, self.args[0]) self.editor.create_file(self.args[0])
this_editor.create_file()
def execute_decrypt(self): def execute_decrypt(self):
for f in self.args: for f in self.args:
this_editor = VaultEditor(self.vault_pass, f) self.editor.decrypt_file(f)
this_editor.decrypt_file()
self.display.display("Decryption successful") self.display.display("Decryption successful", stderr=True)
def execute_edit(self): def execute_edit(self):
for f in self.args: for f in self.args:
this_editor = VaultEditor(self.vault_pass, f) self.editor.edit_file(f)
this_editor.edit_file()
def execute_view(self): def execute_view(self):
for f in self.args: for f in self.args:
this_editor = VaultEditor(self.vault_pass, f) self.editor.view_file(f)
this_editor.view_file()
def execute_encrypt(self): def execute_encrypt(self):
for f in self.args: for f in self.args:
this_editor = VaultEditor(self.vault_pass, f) self.editor.encrypt_file(f)
this_editor.encrypt_file()
self.display.display("Encryption successful") self.display.display("Encryption successful", stderr=True)
def execute_rekey(self): def execute_rekey(self):
for f in self.args: for f in self.args:
@ -132,7 +128,6 @@ class VaultCLI(CLI):
__, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True) __, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)
for f in self.args: for f in self.args:
this_editor = VaultEditor(self.vault_pass, f) self.editor.rekey_file(new_password, f)
this_editor.rekey_file(new_password)
self.display.display("Rekey successful") self.display.display("Rekey successful", stderr=True)
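Review bot: The success messages in execute_decrypt, execute_encrypt and execute_rekey now pass `stderr=True`, a user-visible change that the commit description does not mention and the code does not explain. Any caller that captured these strings from stdout will stop seeing them. If the intent is to keep stdout free for file contents once separate output files arrive (my reading of the description, not something these hunks show), say so next to the first call, e.g. `# status messages go to stderr so stdout stays clean for vault output`, and note it in the commit message.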

@ -226,11 +226,10 @@ class VaultLib:
class VaultEditor: class VaultEditor:
def __init__(self, password, filename): def __init__(self, password):
self.password = password self.password = password
self.filename = filename
def _edit_file_helper(self, existing_data=None, force_save=False): def _edit_file_helper(self, filename, existing_data=None, force_save=False):
# make sure the umask is set to a sane value # make sure the umask is set to a sane value
old_umask = os.umask(0o077) old_umask = os.umask(0o077)
@ -257,62 +256,62 @@ class VaultEditor:
self.write_data(enc_data, tmp_path) self.write_data(enc_data, tmp_path)
# shuffle tmp file into place # shuffle tmp file into place
self.shuffle_files(tmp_path, self.filename) self.shuffle_files(tmp_path, filename)
# and restore umask # and restore umask
os.umask(old_umask) os.umask(old_umask)
def create_file(self): def create_file(self, filename):
""" create a new encrypted file """ """ create a new encrypted file """
check_prereqs() check_prereqs()
if os.path.isfile(self.filename): if os.path.isfile(filename):
raise AnsibleError("%s exists, please use 'edit' instead" % self.filename) raise AnsibleError("%s exists, please use 'edit' instead" % filename)
# Let the user specify contents and save file # Let the user specify contents and save file
self._edit_file_helper() self._edit_file_helper(filename)
def decrypt_file(self): def decrypt_file(self, filename):
check_prereqs() check_prereqs()
if not os.path.isfile(self.filename): if not os.path.isfile(filename):
raise AnsibleError("%s does not exist" % self.filename) raise AnsibleError("%s does not exist" % filename)
tmpdata = self.read_data(self.filename) tmpdata = self.read_data(filename)
this_vault = VaultLib(self.password) this_vault = VaultLib(self.password)
if this_vault.is_encrypted(tmpdata): if this_vault.is_encrypted(tmpdata):
dec_data = this_vault.decrypt(tmpdata) dec_data = this_vault.decrypt(tmpdata)
if dec_data is None: if dec_data is None:
raise AnsibleError("Decryption failed") raise AnsibleError("Decryption failed")
else: else:
self.write_data(dec_data, self.filename) self.write_data(dec_data, filename)
else: else:
raise AnsibleError("%s is not encrypted" % self.filename) raise AnsibleError("%s is not encrypted" % filename)
def edit_file(self): def edit_file(self, filename):
check_prereqs() check_prereqs()
# decrypt to tmpfile # decrypt to tmpfile
tmpdata = self.read_data(self.filename) tmpdata = self.read_data(filename)
this_vault = VaultLib(self.password) this_vault = VaultLib(self.password)
dec_data = this_vault.decrypt(tmpdata) dec_data = this_vault.decrypt(tmpdata)
# let the user edit the data and save # let the user edit the data and save
if this_vault.cipher_name not in CIPHER_WRITE_WHITELIST: if this_vault.cipher_name not in CIPHER_WRITE_WHITELIST:
# we want to get rid of files encrypted with the AES cipher # we want to get rid of files encrypted with the AES cipher
self._edit_file_helper(existing_data=dec_data, force_save=True) self._edit_file_helper(filename, existing_data=dec_data, force_save=True)
else: else:
self._edit_file_helper(existing_data=dec_data, force_save=False) self._edit_file_helper(filename, existing_data=dec_data, force_save=False)
def view_file(self): def view_file(self, filename):
check_prereqs() check_prereqs()
# decrypt to tmpfile # decrypt to tmpfile
tmpdata = self.read_data(self.filename) tmpdata = self.read_data(filename)
this_vault = VaultLib(self.password) this_vault = VaultLib(self.password)
dec_data = this_vault.decrypt(tmpdata) dec_data = this_vault.decrypt(tmpdata)
_, tmp_path = tempfile.mkstemp() _, tmp_path = tempfile.mkstemp()
@ -322,27 +321,27 @@ class VaultEditor:
call(self._pager_shell_command(tmp_path)) call(self._pager_shell_command(tmp_path))
os.remove(tmp_path) os.remove(tmp_path)
def encrypt_file(self): def encrypt_file(self, filename):
check_prereqs() check_prereqs()
if not os.path.isfile(self.filename): if not os.path.isfile(filename):
raise AnsibleError("%s does not exist" % self.filename) raise AnsibleError("%s does not exist" % filename)
tmpdata = self.read_data(self.filename) tmpdata = self.read_data(filename)
this_vault = VaultLib(self.password) this_vault = VaultLib(self.password)
if not this_vault.is_encrypted(tmpdata): if not this_vault.is_encrypted(tmpdata):
enc_data = this_vault.encrypt(tmpdata) enc_data = this_vault.encrypt(tmpdata)
self.write_data(enc_data, self.filename) self.write_data(enc_data, filename)
else: else:
raise AnsibleError("%s is already encrypted" % self.filename) raise AnsibleError("%s is already encrypted" % filename)
def rekey_file(self, new_password): def rekey_file(self, new_password, filename):
check_prereqs() check_prereqs()
# decrypt # decrypt
tmpdata = self.read_data(self.filename) tmpdata = self.read_data(filename)
this_vault = VaultLib(self.password) this_vault = VaultLib(self.password)
dec_data = this_vault.decrypt(tmpdata) dec_data = this_vault.decrypt(tmpdata)
@ -351,7 +350,7 @@ class VaultEditor:
# re-encrypt data and re-write file # re-encrypt data and re-write file
enc_data = new_vault.encrypt(dec_data) enc_data = new_vault.encrypt(dec_data)
self.write_data(enc_data, self.filename) self.write_data(enc_data, filename)
def read_data(self, filename): def read_data(self, filename):
f = open(filename, "rb") f = open(filename, "rb")
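Review bot: edit_file passes the result of `this_vault.decrypt(tmpdata)` straight to `_edit_file_helper` without the `dec_data is None` check that decrypt_file performs just above it. If decrypt() can return None on a wrong password, as decrypt_file's guard implies, the editor would open without the existing contents. The save path (`shuffle_files(tmp_path, filename)`) could then replace the original vault file, most directly on the `force_save=True` branch. Add `if dec_data is None: raise AnsibleError("Decryption failed")` after the decrypt call in edit_file. view_file has the same unguarded call, though its body continues past the hunk boundary, so a check may exist outside what is shown.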
