@ -853,16 +853,17 @@ class VaultEditor:
fd , tmp_path = tempfile . mkstemp ( suffix = ext )
fd , tmp_path = tempfile . mkstemp ( suffix = ext )
os . close ( fd )
os . close ( fd )
cmd = self . _editor_shell_command ( tmp_path )
try :
try :
if existing_data :
if existing_data :
self . write_data ( existing_data , tmp_path , shred = False )
self . write_data ( existing_data , tmp_path , shred = False )
# drop the user into an editor on the tmp file
# drop the user into an editor on the tmp file
subprocess . call ( self . _editor_shell_ com man d( tmp_path ) )
subprocess . call ( cmd)
except :
except Exception as e :
# whatever happens, destroy the decrypted file
# whatever happens, destroy the decrypted file
self . _shred_file ( tmp_path )
self . _shred_file ( tmp_path )
raise
raise AnsibleError ( ' Unable to execute the command " %s " : %s ' % ( ' ' . join ( cmd ) , to_native ( e ) ) )
b_tmpdata = self . read_data ( tmp_path )
b_tmpdata = self . read_data ( tmp_path )
@ -917,7 +918,7 @@ class VaultEditor:
try :
try :
plaintext = self . vault . decrypt ( ciphertext , filename = filename )
plaintext = self . vault . decrypt ( ciphertext , filename = filename )
except AnsibleError as e :
except AnsibleError as e :
raise AnsibleError ( " %s for %s " % ( to_ bytes( e ) , to_bytes ( filename ) ) )
raise AnsibleError ( " %s for %s " % ( to_ native( e ) , to_native ( filename ) ) )
self . write_data ( plaintext , output_file or filename , shred = False )
self . write_data ( plaintext , output_file or filename , shred = False )
def create_file ( self , filename , secret , vault_id = None ) :
def create_file ( self , filename , secret , vault_id = None ) :
@ -951,7 +952,7 @@ class VaultEditor:
# TODO: return the vault_id that worked?
# TODO: return the vault_id that worked?
plaintext , vault_id_used , vault_secret_used = self . vault . decrypt_and_get_vault_id ( vaulttext )
plaintext , vault_id_used , vault_secret_used = self . vault . decrypt_and_get_vault_id ( vaulttext )
except AnsibleError as e :
except AnsibleError as e :
raise AnsibleError ( " %s for %s " % ( to_ bytes( e ) , to_bytes ( filename ) ) )
raise AnsibleError ( " %s for %s " % ( to_ native( e ) , to_native ( filename ) ) )
# Figure out the vault id from the file, to select the right secret to re-encrypt it
# Figure out the vault id from the file, to select the right secret to re-encrypt it
# (duplicates parts of decrypt, but alas...)
# (duplicates parts of decrypt, but alas...)
@ -980,7 +981,7 @@ class VaultEditor:
plaintext = self . vault . decrypt ( vaulttext , filename = filename )
plaintext = self . vault . decrypt ( vaulttext , filename = filename )
return plaintext
return plaintext
except AnsibleError as e :
except AnsibleError as e :
raise AnsibleVaultError ( " %s for %s " % ( to_ bytes( e ) , to_bytes ( filename ) ) )
raise AnsibleVaultError ( " %s for %s " % ( to_ native( e ) , to_native ( filename ) ) )
# FIXME/TODO: make this use VaultSecret
# FIXME/TODO: make this use VaultSecret
def rekey_file ( self , filename , new_vault_secret , new_vault_id = None ) :
def rekey_file ( self , filename , new_vault_secret , new_vault_id = None ) :
@ -997,7 +998,7 @@ class VaultEditor:
try :
try :
plaintext , vault_id_used , _dummy = self . vault . decrypt_and_get_vault_id ( vaulttext )
plaintext , vault_id_used , _dummy = self . vault . decrypt_and_get_vault_id ( vaulttext )
except AnsibleError as e :
except AnsibleError as e :
raise AnsibleError ( " %s for %s " % ( to_ bytes( e ) , to_bytes ( filename ) ) )
raise AnsibleError ( " %s for %s " % ( to_ native( e ) , to_native ( filename ) ) )
# This is more or less an assert, see #18247
# This is more or less an assert, see #18247
if new_vault_secret is None :
if new_vault_secret is None :
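Review bot: In the first hunk (@ -853), narrowing the bare `except:` to `except Exception as e:` means KeyboardInterrupt and SystemExit no longer reach `self._shred_file(tmp_path)`, so an interrupt while the editor is open can leave the decrypted vault content in the temp file, contrary to the comment "whatever happens, destroy the decrypted file". Keeping the new AnsibleError for ordinary failures and adding a second handler, `except BaseException:` followed by `self._shred_file(tmp_path)` and a bare `raise`, would restore that cleanup. The same handler also wraps failures from `self.write_data(...)`, which the message 'Unable to execute the command' would mislabel; giving `subprocess.call(cmd)` its own try block would keep the message accurate. The enclosing method starts and ends outside the hunk, so any later shredding of tmp_path is not visible here.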