|
|
@ -51,18 +51,18 @@ class TestUnhexlify(unittest.TestCase):
|
|
|
|
def test_odd_length(self):
|
|
|
|
def test_odd_length(self):
|
|
|
|
b_data = b'123456789abcdefghijklmnopqrstuvwxyz'
|
|
|
|
b_data = b'123456789abcdefghijklmnopqrstuvwxyz'
|
|
|
|
|
|
|
|
|
|
|
|
self.assertRaisesRegexp(vault.AnsibleVaultFormatError,
|
|
|
|
self.assertRaisesRegex(vault.AnsibleVaultFormatError,
|
|
|
|
'.*Vault format unhexlify error.*',
|
|
|
|
'.*Vault format unhexlify error.*',
|
|
|
|
vault._unhexlify,
|
|
|
|
vault._unhexlify,
|
|
|
|
b_data)
|
|
|
|
b_data)
|
|
|
|
|
|
|
|
|
|
|
|
def test_nonhex(self):
|
|
|
|
def test_nonhex(self):
|
|
|
|
b_data = b'6z36316566653264333665333637623064303639353237620a636366633565663263336335656532'
|
|
|
|
b_data = b'6z36316566653264333665333637623064303639353237620a636366633565663263336335656532'
|
|
|
|
|
|
|
|
|
|
|
|
self.assertRaisesRegexp(vault.AnsibleVaultFormatError,
|
|
|
|
self.assertRaisesRegex(vault.AnsibleVaultFormatError,
|
|
|
|
'.*Vault format unhexlify error.*Non-hexadecimal digit found',
|
|
|
|
'.*Vault format unhexlify error.*Non-hexadecimal digit found',
|
|
|
|
vault._unhexlify,
|
|
|
|
vault._unhexlify,
|
|
|
|
b_data)
|
|
|
|
b_data)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class TestParseVaulttext(unittest.TestCase):
|
|
|
|
class TestParseVaulttext(unittest.TestCase):
|
|
|
@ -91,10 +91,10 @@ class TestParseVaulttext(unittest.TestCase):
|
|
|
|
|
|
|
|
|
|
|
|
b_vaulttext_envelope = to_bytes(vaulttext_envelope, errors='strict', encoding='utf-8')
|
|
|
|
b_vaulttext_envelope = to_bytes(vaulttext_envelope, errors='strict', encoding='utf-8')
|
|
|
|
b_vaulttext, b_version, cipher_name, vault_id = vault.parse_vaulttext_envelope(b_vaulttext_envelope)
|
|
|
|
b_vaulttext, b_version, cipher_name, vault_id = vault.parse_vaulttext_envelope(b_vaulttext_envelope)
|
|
|
|
self.assertRaisesRegexp(vault.AnsibleVaultFormatError,
|
|
|
|
self.assertRaisesRegex(vault.AnsibleVaultFormatError,
|
|
|
|
'.*Vault format unhexlify error.*Non-hexadecimal digit found',
|
|
|
|
'.*Vault format unhexlify error.*Non-hexadecimal digit found',
|
|
|
|
vault.parse_vaulttext,
|
|
|
|
vault.parse_vaulttext,
|
|
|
|
b_vaulttext_envelope)
|
|
|
|
b_vaulttext_envelope)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class TestVaultSecret(unittest.TestCase):
|
|
|
|
class TestVaultSecret(unittest.TestCase):
|
|
|
@ -133,18 +133,18 @@ class TestPromptVaultSecret(unittest.TestCase):
|
|
|
|
@patch('ansible.parsing.vault.display.prompt', side_effect=EOFError)
|
|
|
|
@patch('ansible.parsing.vault.display.prompt', side_effect=EOFError)
|
|
|
|
def test_prompt_eoferror(self, mock_display_prompt):
|
|
|
|
def test_prompt_eoferror(self, mock_display_prompt):
|
|
|
|
secret = vault.PromptVaultSecret(vault_id='test_id')
|
|
|
|
secret = vault.PromptVaultSecret(vault_id='test_id')
|
|
|
|
self.assertRaisesRegexp(vault.AnsibleVaultError,
|
|
|
|
self.assertRaisesRegex(vault.AnsibleVaultError,
|
|
|
|
'EOFError.*test_id',
|
|
|
|
'EOFError.*test_id',
|
|
|
|
secret.load)
|
|
|
|
secret.load)
|
|
|
|
|
|
|
|
|
|
|
|
@patch('ansible.parsing.vault.display.prompt', side_effect=['first_password', 'second_password'])
|
|
|
|
@patch('ansible.parsing.vault.display.prompt', side_effect=['first_password', 'second_password'])
|
|
|
|
def test_prompt_passwords_dont_match(self, mock_display_prompt):
|
|
|
|
def test_prompt_passwords_dont_match(self, mock_display_prompt):
|
|
|
|
secret = vault.PromptVaultSecret(vault_id='test_id',
|
|
|
|
secret = vault.PromptVaultSecret(vault_id='test_id',
|
|
|
|
prompt_formats=['Vault password: ',
|
|
|
|
prompt_formats=['Vault password: ',
|
|
|
|
'Confirm Vault password: '])
|
|
|
|
'Confirm Vault password: '])
|
|
|
|
self.assertRaisesRegexp(errors.AnsibleError,
|
|
|
|
self.assertRaisesRegex(errors.AnsibleError,
|
|
|
|
'Passwords do not match',
|
|
|
|
'Passwords do not match',
|
|
|
|
secret.load)
|
|
|
|
secret.load)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class TestFileVaultSecret(unittest.TestCase):
|
|
|
|
class TestFileVaultSecret(unittest.TestCase):
|
|
|
@ -200,9 +200,9 @@ class TestFileVaultSecret(unittest.TestCase):
|
|
|
|
fake_loader = DictDataLoader({tmp_file.name: ''})
|
|
|
|
fake_loader = DictDataLoader({tmp_file.name: ''})
|
|
|
|
|
|
|
|
|
|
|
|
secret = vault.FileVaultSecret(loader=fake_loader, filename=tmp_file.name)
|
|
|
|
secret = vault.FileVaultSecret(loader=fake_loader, filename=tmp_file.name)
|
|
|
|
self.assertRaisesRegexp(vault.AnsibleVaultPasswordError,
|
|
|
|
self.assertRaisesRegex(vault.AnsibleVaultPasswordError,
|
|
|
|
'Invalid vault password was provided from file.*%s' % tmp_file.name,
|
|
|
|
'Invalid vault password was provided from file.*%s' % tmp_file.name,
|
|
|
|
secret.load)
|
|
|
|
secret.load)
|
|
|
|
|
|
|
|
|
|
|
|
os.unlink(tmp_file.name)
|
|
|
|
os.unlink(tmp_file.name)
|
|
|
|
|
|
|
|
|
|
|
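Review bot: The expected-message pattern in this call is built as `'Invalid vault password was provided from file.*%s' % tmp_file.name`, so the temp file path is interpreted as a regular expression instead of being matched literally. A temp directory containing `.`, `+` or parentheses would make the assertion either looser than intended or fail for reasons unrelated to the vault code. I would escape the interpolated value, `'Invalid vault password was provided from file.*%s' % re.escape(tmp_file.name),`, which needs `import re` if the module does not already have it (the imports are not visible here). The same unescaped interpolation appears in the hunks at -253, -382 and -395 (`% filename`) and at -319 (`% (rc, stderr)`). The enclosing test method starts outside this hunk, so `tmp_file` is assumed to be the `NamedTemporaryFile` created earlier in it.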
@ -241,9 +241,9 @@ class TestFileVaultSecret(unittest.TestCase):
|
|
|
|
fake_loader = DictDataLoader({filename: 'sdfadf'})
|
|
|
|
fake_loader = DictDataLoader({filename: 'sdfadf'})
|
|
|
|
|
|
|
|
|
|
|
|
secret = vault.FileVaultSecret(loader=fake_loader, filename=filename)
|
|
|
|
secret = vault.FileVaultSecret(loader=fake_loader, filename=filename)
|
|
|
|
self.assertRaisesRegexp(errors.AnsibleError,
|
|
|
|
self.assertRaisesRegex(errors.AnsibleError,
|
|
|
|
'.*Could not read vault password file.*/dev/null/foobar.*Not a directory',
|
|
|
|
'.*Could not read vault password file.*/dev/null/foobar.*Not a directory',
|
|
|
|
secret.load)
|
|
|
|
secret.load)
|
|
|
|
|
|
|
|
|
|
|
|
def test_file_not_found(self):
|
|
|
|
def test_file_not_found(self):
|
|
|
|
tmp_file = tempfile.NamedTemporaryFile()
|
|
|
|
tmp_file = tempfile.NamedTemporaryFile()
|
|
|
@ -253,9 +253,9 @@ class TestFileVaultSecret(unittest.TestCase):
|
|
|
|
fake_loader = DictDataLoader({filename: 'sdfadf'})
|
|
|
|
fake_loader = DictDataLoader({filename: 'sdfadf'})
|
|
|
|
|
|
|
|
|
|
|
|
secret = vault.FileVaultSecret(loader=fake_loader, filename=filename)
|
|
|
|
secret = vault.FileVaultSecret(loader=fake_loader, filename=filename)
|
|
|
|
self.assertRaisesRegexp(errors.AnsibleError,
|
|
|
|
self.assertRaisesRegex(errors.AnsibleError,
|
|
|
|
'.*Could not read vault password file.*%s.*' % filename,
|
|
|
|
'.*Could not read vault password file.*%s.*' % filename,
|
|
|
|
secret.load)
|
|
|
|
secret.load)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class TestScriptVaultSecret(unittest.TestCase):
|
|
|
|
class TestScriptVaultSecret(unittest.TestCase):
|
|
|
@ -285,9 +285,9 @@ class TestScriptVaultSecret(unittest.TestCase):
|
|
|
|
secret = vault.ScriptVaultSecret()
|
|
|
|
secret = vault.ScriptVaultSecret()
|
|
|
|
with patch.object(secret, 'loader') as mock_loader:
|
|
|
|
with patch.object(secret, 'loader') as mock_loader:
|
|
|
|
mock_loader.is_executable = MagicMock(return_value=True)
|
|
|
|
mock_loader.is_executable = MagicMock(return_value=True)
|
|
|
|
self.assertRaisesRegexp(vault.AnsibleVaultPasswordError,
|
|
|
|
self.assertRaisesRegex(vault.AnsibleVaultPasswordError,
|
|
|
|
'Invalid vault password was provided from script',
|
|
|
|
'Invalid vault password was provided from script',
|
|
|
|
secret.load)
|
|
|
|
secret.load)
|
|
|
|
|
|
|
|
|
|
|
|
@patch('ansible.parsing.vault.subprocess.Popen')
|
|
|
|
@patch('ansible.parsing.vault.subprocess.Popen')
|
|
|
|
def test_read_file_os_error(self, mock_popen):
|
|
|
|
def test_read_file_os_error(self, mock_popen):
|
|
|
@ -296,9 +296,9 @@ class TestScriptVaultSecret(unittest.TestCase):
|
|
|
|
secret = vault.ScriptVaultSecret()
|
|
|
|
secret = vault.ScriptVaultSecret()
|
|
|
|
with patch.object(secret, 'loader') as mock_loader:
|
|
|
|
with patch.object(secret, 'loader') as mock_loader:
|
|
|
|
mock_loader.is_executable = MagicMock(return_value=True)
|
|
|
|
mock_loader.is_executable = MagicMock(return_value=True)
|
|
|
|
self.assertRaisesRegexp(errors.AnsibleError,
|
|
|
|
self.assertRaisesRegex(errors.AnsibleError,
|
|
|
|
'Problem running vault password script.*',
|
|
|
|
'Problem running vault password script.*',
|
|
|
|
secret.load)
|
|
|
|
secret.load)
|
|
|
|
|
|
|
|
|
|
|
|
@patch('ansible.parsing.vault.subprocess.Popen')
|
|
|
|
@patch('ansible.parsing.vault.subprocess.Popen')
|
|
|
|
def test_read_file_not_executable(self, mock_popen):
|
|
|
|
def test_read_file_not_executable(self, mock_popen):
|
|
|
@ -306,9 +306,9 @@ class TestScriptVaultSecret(unittest.TestCase):
|
|
|
|
secret = vault.ScriptVaultSecret()
|
|
|
|
secret = vault.ScriptVaultSecret()
|
|
|
|
with patch.object(secret, 'loader') as mock_loader:
|
|
|
|
with patch.object(secret, 'loader') as mock_loader:
|
|
|
|
mock_loader.is_executable = MagicMock(return_value=False)
|
|
|
|
mock_loader.is_executable = MagicMock(return_value=False)
|
|
|
|
self.assertRaisesRegexp(vault.AnsibleVaultError,
|
|
|
|
self.assertRaisesRegex(vault.AnsibleVaultError,
|
|
|
|
'The vault password script .* was not executable',
|
|
|
|
'The vault password script .* was not executable',
|
|
|
|
secret.load)
|
|
|
|
secret.load)
|
|
|
|
|
|
|
|
|
|
|
|
@patch('ansible.parsing.vault.subprocess.Popen')
|
|
|
|
@patch('ansible.parsing.vault.subprocess.Popen')
|
|
|
|
def test_read_file_non_zero_return_code(self, mock_popen):
|
|
|
|
def test_read_file_non_zero_return_code(self, mock_popen):
|
|
|
@ -319,9 +319,9 @@ class TestScriptVaultSecret(unittest.TestCase):
|
|
|
|
secret = vault.ScriptVaultSecret(filename='/dev/null/some_vault_secret')
|
|
|
|
secret = vault.ScriptVaultSecret(filename='/dev/null/some_vault_secret')
|
|
|
|
with patch.object(secret, 'loader') as mock_loader:
|
|
|
|
with patch.object(secret, 'loader') as mock_loader:
|
|
|
|
mock_loader.is_executable = MagicMock(return_value=True)
|
|
|
|
mock_loader.is_executable = MagicMock(return_value=True)
|
|
|
|
self.assertRaisesRegexp(errors.AnsibleError,
|
|
|
|
self.assertRaisesRegex(errors.AnsibleError,
|
|
|
|
r'Vault password script.*returned non-zero \(%s\): %s' % (rc, stderr),
|
|
|
|
r'Vault password script.*returned non-zero \(%s\): %s' % (rc, stderr),
|
|
|
|
secret.load)
|
|
|
|
secret.load)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class TestScriptIsClient(unittest.TestCase):
|
|
|
|
class TestScriptIsClient(unittest.TestCase):
|
|
|
@ -382,11 +382,11 @@ class TestGetFileVaultSecret(unittest.TestCase):
|
|
|
|
filename = '/dev/null/foobar'
|
|
|
|
filename = '/dev/null/foobar'
|
|
|
|
fake_loader = DictDataLoader({filename: 'sdfadf'})
|
|
|
|
fake_loader = DictDataLoader({filename: 'sdfadf'})
|
|
|
|
|
|
|
|
|
|
|
|
self.assertRaisesRegexp(errors.AnsibleError,
|
|
|
|
self.assertRaisesRegex(errors.AnsibleError,
|
|
|
|
'.*The vault password file %s was not found.*' % filename,
|
|
|
|
'.*The vault password file %s was not found.*' % filename,
|
|
|
|
vault.get_file_vault_secret,
|
|
|
|
vault.get_file_vault_secret,
|
|
|
|
filename=filename,
|
|
|
|
filename=filename,
|
|
|
|
loader=fake_loader)
|
|
|
|
loader=fake_loader)
|
|
|
|
|
|
|
|
|
|
|
|
def test_file_not_found(self):
|
|
|
|
def test_file_not_found(self):
|
|
|
|
tmp_file = tempfile.NamedTemporaryFile()
|
|
|
|
tmp_file = tempfile.NamedTemporaryFile()
|
|
|
@ -395,11 +395,11 @@ class TestGetFileVaultSecret(unittest.TestCase):
|
|
|
|
|
|
|
|
|
|
|
|
fake_loader = DictDataLoader({filename: 'sdfadf'})
|
|
|
|
fake_loader = DictDataLoader({filename: 'sdfadf'})
|
|
|
|
|
|
|
|
|
|
|
|
self.assertRaisesRegexp(errors.AnsibleError,
|
|
|
|
self.assertRaisesRegex(errors.AnsibleError,
|
|
|
|
'.*The vault password file %s was not found.*' % filename,
|
|
|
|
'.*The vault password file %s was not found.*' % filename,
|
|
|
|
vault.get_file_vault_secret,
|
|
|
|
vault.get_file_vault_secret,
|
|
|
|
filename=filename,
|
|
|
|
filename=filename,
|
|
|
|
loader=fake_loader)
|
|
|
|
loader=fake_loader)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class TestVaultIsEncrypted(unittest.TestCase):
|
|
|
|
class TestVaultIsEncrypted(unittest.TestCase):
|
|
|
@ -645,10 +645,10 @@ class TestVaultLib(unittest.TestCase):
|
|
|
|
v = vault.VaultLib(vault_secrets)
|
|
|
|
v = vault.VaultLib(vault_secrets)
|
|
|
|
|
|
|
|
|
|
|
|
plaintext = u'Some text to encrypt in a café'
|
|
|
|
plaintext = u'Some text to encrypt in a café'
|
|
|
|
self.assertRaisesRegexp(vault.AnsibleVaultError,
|
|
|
|
self.assertRaisesRegex(vault.AnsibleVaultError,
|
|
|
|
'.*A vault password must be specified to encrypt data.*',
|
|
|
|
'.*A vault password must be specified to encrypt data.*',
|
|
|
|
v.encrypt,
|
|
|
|
v.encrypt,
|
|
|
|
plaintext)
|
|
|
|
plaintext)
|
|
|
|
|
|
|
|
|
|
|
|
def test_format_vaulttext_envelope(self):
|
|
|
|
def test_format_vaulttext_envelope(self):
|
|
|
|
cipher_name = "TEST"
|
|
|
|
cipher_name = "TEST"
|
|
|
@ -712,10 +712,10 @@ class TestVaultLib(unittest.TestCase):
|
|
|
|
v_none = vault.VaultLib(None)
|
|
|
|
v_none = vault.VaultLib(None)
|
|
|
|
# so set secrets None explicitly
|
|
|
|
# so set secrets None explicitly
|
|
|
|
v_none.secrets = None
|
|
|
|
v_none.secrets = None
|
|
|
|
self.assertRaisesRegexp(vault.AnsibleVaultError,
|
|
|
|
self.assertRaisesRegex(vault.AnsibleVaultError,
|
|
|
|
'.*A vault password must be specified to decrypt data.*',
|
|
|
|
'.*A vault password must be specified to decrypt data.*',
|
|
|
|
v_none.decrypt,
|
|
|
|
v_none.decrypt,
|
|
|
|
b_vaulttext)
|
|
|
|
b_vaulttext)
|
|
|
|
|
|
|
|
|
|
|
|
def test_encrypt_decrypt_aes256_empty_secrets(self):
|
|
|
|
def test_encrypt_decrypt_aes256_empty_secrets(self):
|
|
|
|
vault_secrets = self._vault_secrets_from_password('default', 'ansible')
|
|
|
|
vault_secrets = self._vault_secrets_from_password('default', 'ansible')
|
|
|
@ -727,10 +727,10 @@ class TestVaultLib(unittest.TestCase):
|
|
|
|
vault_secrets_empty = []
|
|
|
|
vault_secrets_empty = []
|
|
|
|
v_none = vault.VaultLib(vault_secrets_empty)
|
|
|
|
v_none = vault.VaultLib(vault_secrets_empty)
|
|
|
|
|
|
|
|
|
|
|
|
self.assertRaisesRegexp(vault.AnsibleVaultError,
|
|
|
|
self.assertRaisesRegex(vault.AnsibleVaultError,
|
|
|
|
'.*Attempting to decrypt but no vault secrets found.*',
|
|
|
|
'.*Attempting to decrypt but no vault secrets found.*',
|
|
|
|
v_none.decrypt,
|
|
|
|
v_none.decrypt,
|
|
|
|
b_vaulttext)
|
|
|
|
b_vaulttext)
|
|
|
|
|
|
|
|
|
|
|
|
def test_encrypt_decrypt_aes256_multiple_secrets_all_wrong(self):
|
|
|
|
def test_encrypt_decrypt_aes256_multiple_secrets_all_wrong(self):
|
|
|
|
plaintext = u'Some text to encrypt in a café'
|
|
|
|
plaintext = u'Some text to encrypt in a café'
|
|
|
@ -740,11 +740,11 @@ class TestVaultLib(unittest.TestCase):
|
|
|
|
('wrong-password', TextVaultSecret('wrong-password'))]
|
|
|
|
('wrong-password', TextVaultSecret('wrong-password'))]
|
|
|
|
|
|
|
|
|
|
|
|
v_multi = vault.VaultLib(vault_secrets)
|
|
|
|
v_multi = vault.VaultLib(vault_secrets)
|
|
|
|
self.assertRaisesRegexp(errors.AnsibleError,
|
|
|
|
self.assertRaisesRegex(errors.AnsibleError,
|
|
|
|
'.*Decryption failed.*',
|
|
|
|
'.*Decryption failed.*',
|
|
|
|
v_multi.decrypt,
|
|
|
|
v_multi.decrypt,
|
|
|
|
b_vaulttext,
|
|
|
|
b_vaulttext,
|
|
|
|
filename='/dev/null/fake/filename')
|
|
|
|
filename='/dev/null/fake/filename')
|
|
|
|
|
|
|
|
|
|
|
|
def test_encrypt_decrypt_aes256_multiple_secrets_one_valid(self):
|
|
|
|
def test_encrypt_decrypt_aes256_multiple_secrets_one_valid(self):
|
|
|
|
plaintext = u'Some text to encrypt in a café'
|
|
|
|
plaintext = u'Some text to encrypt in a café'
|
|
|
|