Simplify VaultEditor methods

We don't need to keep creating VaultLibs everywhere, and we don't need
to keep checking for errors because VaultLib does it already.

lib/ansible/parsing/vault/__init__.py

@@ -130,7 +130,7 @@ class VaultLib:
         b_data = to_bytes(data, errors='strict', encoding='utf-8')
 
         if self.is_encrypted(b_data):
-            raise AnsibleError("data is already encrypted")
+            raise AnsibleError("input is already encrypted")
 
         if not self.cipher_name or self.cipher_name not in CIPHER_WRITE_WHITELIST:
             self.cipher_name = u"AES256"
@@ -162,7 +162,7 @@ class VaultLib:
             raise AnsibleError("A vault password must be specified to decrypt data")
 
         if not self.is_encrypted(b_data):
-            raise AnsibleError("data is not encrypted")
+            raise AnsibleError("input is not encrypted")
 
         # clean out header
         b_data = self._split_header(b_data)
@@ -258,97 +258,82 @@ class VaultEditor:
         # and restore umask
         os.umask(old_umask)
 
-    def create_file(self, filename):
+    def encrypt_file(self, filename):
-        """ create a new encrypted file """
 
         check_prereqs()
 
-        if os.path.isfile(filename):
+        plaintext = self.read_data(filename)
-            raise AnsibleError("%s exists, please use 'edit' instead" % filename)
+        ciphertext = self.vault.encrypt(plaintext)
-
+        self.write_data(ciphertext, filename)
-        # Let the user specify contents and save file
-        self._edit_file_helper(filename)
 
     def decrypt_file(self, filename):
 
         check_prereqs()
 
-        if not os.path.isfile(filename):
+        ciphertext = self.read_data(filename)
-            raise AnsibleError("%s does not exist" % filename)
+        plaintext = self.vault.decrypt(ciphertext)
+        self.write_data(plaintext, filename)
 
-        tmpdata = self.read_data(filename)
+    def create_file(self, filename):
-        if self.vault.is_encrypted(tmpdata):
+        """ create a new encrypted file """
-            dec_data = self.vault.decrypt(tmpdata)
+
-            if dec_data is None:
+        check_prereqs()
-                raise AnsibleError("Decryption failed")
+
-            else:
+        # FIXME: If we can raise an error here, we can probably just make it
-                self.write_data(dec_data, filename)
+        # behave like edit instead.
-        else:
+        if os.path.isfile(filename):
-            raise AnsibleError("%s is not encrypted" % filename)
+            raise AnsibleError("%s exists, please use 'edit' instead" % filename)
+
+        self._edit_file_helper(filename)
 
     def edit_file(self, filename):
 
         check_prereqs()
 
-        # decrypt to tmpfile
+        ciphertext = self.read_data(filename)
-        tmpdata = self.read_data(filename)
+        plaintext = self.vault.decrypt(ciphertext)
-        dec_data = self.vault.decrypt(tmpdata)
 
-        # let the user edit the data and save
         if self.vault.cipher_name not in CIPHER_WRITE_WHITELIST:
             # we want to get rid of files encrypted with the AES cipher
-            self._edit_file_helper(filename, existing_data=dec_data, force_save=True)
+            self._edit_file_helper(filename, existing_data=plaintext, force_save=True)
         else:
-            self._edit_file_helper(filename, existing_data=dec_data, force_save=False)
+            self._edit_file_helper(filename, existing_data=plaintext, force_save=False)
 
     def view_file(self, filename):
 
         check_prereqs()
 
-        # decrypt to tmpfile
+        # FIXME: Why write this to a temporary file at all? It would be safer
-        tmpdata = self.read_data(filename)
+        # to feed it to the PAGER on stdin.
-        dec_data = self.vault.decrypt(tmpdata)
         _, tmp_path = tempfile.mkstemp()
-        self.write_data(dec_data, tmp_path)
+        ciphertext = self.read_data(filename)
+        plaintext = self.vault.decrypt(ciphertext)
+        self.write_data(plaintext, tmp_path)
 
         # drop the user into pager on the tmp file
         call(self._pager_shell_command(tmp_path))
         os.remove(tmp_path)
 
-    def encrypt_file(self, filename):
-
-        check_prereqs()
-
-        if not os.path.isfile(filename):
-            raise AnsibleError("%s does not exist" % filename)
-
-        tmpdata = self.read_data(filename)
-        if not self.vault.is_encrypted(tmpdata):
-            enc_data = self.vault.encrypt(tmpdata)
-            self.write_data(enc_data, filename)
-        else:
-            raise AnsibleError("%s is already encrypted" % filename)
-
     def rekey_file(self, filename, new_password):
 
         check_prereqs()
 
-        # decrypt
+        ciphertext = self.read_data(filename)
-        tmpdata = self.read_data(filename)
+        plaintext = self.vault.decrypt(ciphertext)
-        dec_data = self.vault.decrypt(tmpdata)
 
-        # create new vault
         new_vault = VaultLib(new_password)
-
+        new_ciphertext = new_vault.encrypt(plaintext)
-        # re-encrypt data and re-write file
+        self.write_data(new_ciphertext, filename)
-        enc_data = new_vault.encrypt(dec_data)
-        self.write_data(enc_data, filename)
 
     def read_data(self, filename):
-        f = open(filename, "rb")
+        try:
-        tmpdata = f.read()
+            f = open(filename, "rb")
-        f.close()
+            data = f.read()
-        return tmpdata
+            f.close()
+        except Exception as e:
+            raise AnsibleError(str(e))
+
+        return data
 
     def write_data(self, data, filename):
         if os.path.isfile(filename):