From f91ad3dabe5e5eb20f6b6b5ee875b4a8da3db5ea Mon Sep 17 00:00:00 2001
From: Abhijit Menon-Sen
Date: Wed, 26 Aug 2015 18:20:57 +0530
Subject: [PATCH] Don't pass the cipher around so much

It's unused and unnecessary; VaultLib can decide for itself what cipher to use when encrypting. There's no need (and no provision) for the user to override the cipher via options, so there's no need for code to see if that has been done either.
---
 lib/ansible/cli/vault.py | 16 ++++++----------
 lib/ansible/parsing/vault/__init__.py | 18 +++++-------------
 2 files changed, 11 insertions(+), 23 deletions(-)

diff --git a/lib/ansible/cli/vault.py b/lib/ansible/cli/vault.py
index 393bbdd50b0..c68e620a183 100644
--- a/lib/ansible/cli/vault.py
+++ b/lib/ansible/cli/vault.py
@@ -30,7 +30,6 @@ class VaultCLI(CLI):
 """ Vault command line class """
 VALID_ACTIONS = ("create", "decrypt", "edit", "encrypt", "rekey", "view")
- CIPHER = 'AES256'
 def __init__(self, args, display=None):
@@ -91,15 +90,13 @@ class VaultCLI(CLI):
 if len(self.args) > 1:
 raise AnsibleOptionsError("ansible-vault create can take only one filename argument")
- cipher = getattr(self.options, 'cipher', self.CIPHER)
- this_editor = VaultEditor(cipher, self.vault_pass, self.args[0])
+ this_editor = VaultEditor(self.vault_pass, self.args[0])
 this_editor.create_file()
 def execute_decrypt(self):
- cipher = getattr(self.options, 'cipher', self.CIPHER)
 for f in self.args:
- this_editor = VaultEditor(cipher, self.vault_pass, f)
+ this_editor = VaultEditor(self.vault_pass, f)
 this_editor.decrypt_file()
 self.display.display("Decryption successful")
@@ -107,20 +104,19 @@ class VaultCLI(CLI):
 def execute_edit(self):
 for f in self.args:
- this_editor = VaultEditor(None, self.vault_pass, f)
+ this_editor = VaultEditor(self.vault_pass, f)
 this_editor.edit_file()
 def execute_view(self):
 for f in self.args:
- this_editor = VaultEditor(None, self.vault_pass, f)
+ this_editor = VaultEditor(self.vault_pass, f)
 this_editor.view_file()
 def execute_encrypt(self):
- cipher = getattr(self.options, 'cipher', self.CIPHER)
 for f in self.args:
- this_editor = VaultEditor(cipher, self.vault_pass, f)
+ this_editor = VaultEditor(self.vault_pass, f)
 this_editor.encrypt_file()
 self.display.display("Encryption successful")
@@ -136,7 +132,7 @@ class VaultCLI(CLI):
 __, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)
 for f in self.args:
- this_editor = VaultEditor(None, self.vault_pass, f)
+ this_editor = VaultEditor(self.vault_pass, f)
 this_editor.rekey_file(new_password)
 self.display.display("Rekey successful")
diff --git a/lib/ansible/parsing/vault/__init__.py b/lib/ansible/parsing/vault/__init__.py
index b12e11816e2..9e49e134042 100644
--- a/lib/ansible/parsing/vault/__init__.py
+++ b/lib/ansible/parsing/vault/__init__.py
@@ -230,13 +230,11 @@ class VaultEditor:
 # file I/O, ditto read_file(self, filename) and launch_editor(self, filename)
 # ... "Don't Repeat Yourself", etc.
- def __init__(self, cipher_name, password, filename):
- # instantiates a member variable for VaultLib
- self.cipher_name = cipher_name
+ def __init__(self, password, filename):
 self.password = password
 self.filename = filename
- def _edit_file_helper(self, existing_data=None, cipher=None, force_save=False):
+ def _edit_file_helper(self, existing_data=None, force_save=False):
 # make sure the umask is set to a sane value
 old_umask = os.umask(0o077)
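Review bot: `VaultEditor.__init__` in the `@@ -230,13 +230,11 @@` hunk changes its positional signature but still has no docstring saying what the two remaining arguments are, and `password` (the vault secret) now sits in the slot that `cipher_name` used to occupy. A one-line docstring would make the new contract explicit for callers outside this tree, e.g. `"""Operate on the vault file at filename using password; VaultLib chooses the cipher."""`. Callers still using the old three-argument form will get a TypeError rather than silently misbinding the password, so no extra guard is needed. The class body starts before this hunk and `_edit_file_helper` continues past it.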
@@ -257,8 +255,6 @@ class VaultEditor: # create new vault this_vault = VaultLib(self.password) - if cipher: - this_vault.cipher_name = cipher # encrypt new data and write out to tmp enc_data = this_vault.encrypt(tmpdata) @@ -279,7 +275,7 @@ class VaultEditor: raise AnsibleError("%s exists, please use 'edit' instead" % self.filename) # Let the user specify contents and save file - self._edit_file_helper(cipher=self.cipher_name) + self._edit_file_helper() def decrypt_file(self): @@ -311,9 +307,9 @@ class VaultEditor: # let the user edit the data and save if this_vault.cipher_name not in CIPHER_WRITE_WHITELIST: # we want to get rid of files encrypted with the AES cipher - self._edit_file_helper(existing_data=dec_data, cipher=None, force_save=True) + self._edit_file_helper(existing_data=dec_data, force_save=True) else: - self._edit_file_helper(existing_data=dec_data, cipher=this_vault.cipher_name, force_save=False) + self._edit_file_helper(existing_data=dec_data, force_save=False) def view_file(self): @@ -339,7 +335,6 @@ class VaultEditor: tmpdata = self.read_data(self.filename) this_vault = VaultLib(self.password) - this_vault.cipher_name = self.cipher_name if not this_vault.is_encrypted(tmpdata): enc_data = this_vault.encrypt(tmpdata) self.write_data(enc_data, self.filename) @@ -358,9 +353,6 @@ class VaultEditor: # create new vault new_vault = VaultLib(new_password) - # we want to force cipher to the default - #new_vault.cipher_name = this_vault.cipher_name - # re-encrypt data and re-write file enc_data = new_vault.encrypt(dec_data) self.write_data(enc_data, self.filename)
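Review bot: The cipher used by `enc_data = this_vault.encrypt(tmpdata)` in the `@@ -257,8 +255,6 @@` hunk is now entirely implicit, and nothing on the new side records or checks which cipher VaultLib selects. `VaultLib.encrypt()` is not part of this patch, so it should be confirmed that it falls back to a cipher listed in `CIPHER_WRITE_WHITELIST` when `cipher_name` was never assigned, rather than failing or writing with an unexpected one. A comment at the call would document the dependency, e.g. `# cipher is chosen by VaultLib.encrypt(); must be in CIPHER_WRITE_WHITELIST`. The same applies to `encrypt_file` (`@@ -339,7 +335,6 @@`) and `rekey_file` (`@@ -358,9 +353,6 @@`). `_edit_file_helper` starts and ends outside this hunk.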
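Review bot: In the `@@ -311,9 +307,9 @@` hunk the two branches of `if this_vault.cipher_name not in CIPHER_WRITE_WHITELIST:` now differ only in the value of `force_save`, so the conditional can collapse into one call: `self._edit_file_helper(existing_data=dec_data, force_save=this_vault.cipher_name not in CIPHER_WRITE_WHITELIST)`. The else branch also changes behaviour quietly: it used to pass the file's existing cipher through (`cipher=this_vault.cipher_name`), whereas a save now re-encrypts with whatever VaultLib defaults to. The comment about getting rid of files encrypted with the AES cipher therefore holds only if that default is in the whitelist, which this patch does not show and which would be worth stating in the comment. `edit_file` begins outside the hunk.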