diff --git a/lib/ansible/utils/vault.py b/lib/ansible/utils/vault.py index 3b83d2989e9..5ed2ad4559b 100644 --- a/lib/ansible/utils/vault.py +++ b/lib/ansible/utils/vault.py @@ -181,6 +181,35 @@ class VaultEditor(object): self.password = password self.filename = filename + def _edit_file_helper(self, existing_data=None, cipher=None): + # make sure the umask is set to a sane value + old_umask = os.umask(0077) + + # Create a tempfile + _, tmp_path = tempfile.mkstemp() + + if existing_data: + self.write_data(data, tmp_path) + + # drop the user into an editor on the tmp file + call(self._editor_shell_command(tmp_path)) + tmpdata = self.read_data(tmp_path) + + # create new vault + this_vault = VaultLib(self.password) + if cipher: + this_vault.cipher_name = cipher + + # encrypt new data and write out to tmp + enc_data = this_vault.encrypt(tmpdata) + self.write_data(enc_data, tmp_path) + + # shuffle tmp file into place + self.shuffle_files(tmp_path, self.filename) + + # and restore umask + os.umask(old_umask) + def create_file(self): """ create a new encrypted file """ @@ -190,15 +219,8 @@ class VaultEditor(object): if os.path.isfile(self.filename): raise errors.AnsibleError("%s exists, please use 'edit' instead" % self.filename) - # drop the user into vim on file - old_umask = os.umask(0077) - call(self._editor_shell_command(self.filename)) - tmpdata = self.read_data(self.filename) - this_vault = VaultLib(self.password) - this_vault.cipher_name = self.cipher_name - enc_data = this_vault.encrypt(tmpdata) - self.write_data(enc_data, self.filename) - os.umask(old_umask) + # Let the user specify contents and save file + self._edit_file_helper(cipher=self.cipher_name) def decrypt_file(self): @@ -207,7 +229,7 @@ class VaultEditor(object): if not os.path.isfile(self.filename): raise errors.AnsibleError("%s does not exist" % self.filename) - + tmpdata = self.read_data(self.filename) this_vault = VaultLib(self.password) if this_vault.is_encrypted(tmpdata): @@ -224,35 +246,17 @@ class VaultEditor(object): if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH: raise errors.AnsibleError(CRYPTO_UPGRADE) - # make sure the umask is set to a sane value - old_mask = os.umask(0077) - # decrypt to tmpfile tmpdata = self.read_data(self.filename) this_vault = VaultLib(self.password) dec_data = this_vault.decrypt(tmpdata) - _, tmp_path = tempfile.mkstemp() - self.write_data(dec_data, tmp_path) - - # drop the user into vim on the tmp file - call(self._editor_shell_command(tmp_path)) - new_data = self.read_data(tmp_path) - - # create new vault - new_vault = VaultLib(self.password) - # we want the cipher to default to AES256 - #new_vault.cipher_name = this_vault.cipher_name + # let the user edit the data and save + self._edit_file_helper(existing_data=dec_data) + ###we want the cipher to default to AES256 (get rid of files + # encrypted with the AES cipher) + #self._edit_file_helper(existing_data=dec_data, cipher=this_vault.cipher_name) - # encrypt new data a write out to tmp - enc_data = new_vault.encrypt(new_data) - self.write_data(enc_data, tmp_path) - - # shuffle tmp file into place - self.shuffle_files(tmp_path, self.filename) - - # and restore the old umask - os.umask(old_mask) def view_file(self): @@ -277,7 +281,7 @@ class VaultEditor(object): if not os.path.isfile(self.filename): raise errors.AnsibleError("%s does not exist" % self.filename) - + tmpdata = self.read_data(self.filename) this_vault = VaultLib(self.password) this_vault.cipher_name = self.cipher_name