@ -556,12 +556,40 @@ def match_best_secret(secrets, target_vault_ids):
return None
return None
def match_encrypt_secret ( secrets ) :
def match_encrypt_vault_id_secret ( secrets , encrypt_vault_id = None ) :
# See if the --encrypt-vault-id matches a vault-id
display . vvvv ( ' encrypt_vault_id= %s ' % encrypt_vault_id )
if encrypt_vault_id is None :
raise AnsibleError ( ' match_encrypt_vault_id_secret requires a non None encrypt_vault_id ' )
encrypt_vault_id_matchers = [ encrypt_vault_id ]
encrypt_secret = match_best_secret ( secrets , encrypt_vault_id_matchers )
# return the best match for --encrypt-vault-id
if encrypt_secret :
return encrypt_secret
# If we specified a encrypt_vault_id and we couldn't find it, dont
# fallback to using the first/best secret
raise AnsibleVaultError ( ' Did not find a match for --encrypt-vault-id= %s in the known vault-ids %s ' % ( encrypt_vault_id ,
[ _v for _v , _vs in secrets ] ) )
def match_encrypt_secret ( secrets , encrypt_vault_id = None ) :
''' Find the best/first/only secret in secrets to use for encrypting '''
''' Find the best/first/only secret in secrets to use for encrypting '''
display . vvvv ( ' encrypt_vault_id= %s ' % encrypt_vault_id )
# See if the --encrypt-vault-id matches a vault-id
if encrypt_vault_id :
return match_encrypt_vault_id_secret ( secrets ,
encrypt_vault_id = encrypt_vault_id )
# Find the best/first secret from secrets since we didnt specify otherwise
# ie, consider all of the available secrets as matches
# ie, consider all of the available secrets as matches
_vault_id_matchers = [ _vault_id for _vault_id , dummy in secrets ]
_vault_id_matchers = [ _vault_id for _vault_id , dummy in secrets ]
best_secret = match_best_secret ( secrets , _vault_id_matchers )
best_secret = match_best_secret ( secrets , _vault_id_matchers )
# can be empty list sans any tuple
# can be empty list sans any tuple
return best_secret
return best_secret
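Review bot: In match_encrypt_secret the guard `if encrypt_vault_id:` treats an empty-string --encrypt-vault-id as "not given" and falls through to the match_best_secret call over every known secret, whereas match_encrypt_vault_id_secret itself tests `is None`; `if encrypt_vault_id is not None:` keeps the two consistent, so an explicitly passed but unmatched id reaches the "Did not find a match" error instead of silently encrypting with another secret. The helper also raises AnsibleError for a None id but AnsibleVaultError for an unmatched one; one exception type for both would make callers' handling simpler. match_encrypt_vault_id_secret has no docstring; suggest `'''Return the secret whose vault-id equals encrypt_vault_id; raise AnsibleVaultError when none of the known vault-ids match.'''`.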
@ -625,7 +653,11 @@ class VaultLib:
raise AnsibleError ( u " {0} cipher could not be found " . format ( self . cipher_name ) )
raise AnsibleError ( u " {0} cipher could not be found " . format ( self . cipher_name ) )
# encrypt data
# encrypt data
display . vvvvv ( ' Encrypting with vault secret %s ' % secret )
if vault_id :
display . vvvvv ( ' Encrypting with vault_id " %s " and vault secret %s ' % ( vault_id , secret ) )
else :
display . vvvvv ( ' Encrypting without a vault_id using vault secret %s ' % secret )
b_ciphertext = this_cipher . encrypt ( b_plaintext , secret )
b_ciphertext = this_cipher . encrypt ( b_plaintext , secret )
# format the data for output to the file
# format the data for output to the file
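Review bot: The new vvvvv messages on the `if vault_id:` and `else:` branches interpolate the `secret` object itself with `%s`, so what ends up in verbose output depends entirely on VaultSecret's `__str__`/`__repr__`; if any secret class renders its bytes there, key material lands in the log and in whatever captures it (CI output, bug reports). Logging only the identifying parts avoids that dependency: `display.vvvvv('Encrypting with vault_id "%s" and vault secret %s' % (vault_id, type(secret).__name__))`. The same pattern appears in the decrypt-success messages of the next hunk (`vault_secret`) and in both rekey messages (`new_vault_secret`). The enclosing encrypt method starts and ends outside this hunk.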
@ -725,7 +757,10 @@ class VaultLib:
b_plaintext = this_cipher . decrypt ( b_vaulttext , vault_secret )
b_plaintext = this_cipher . decrypt ( b_vaulttext , vault_secret )
if b_plaintext is not None :
if b_plaintext is not None :
vault_id_used = vault_secret_id
vault_id_used = vault_secret_id
display . vvvvv ( ' decrypt successful with secret= %s and vault_id= %s ' % ( vault_secret , vault_secret_id ) )
file_slug = ' '
if filename :
file_slug = ' of " %s " ' % filename
display . vvvvv ( ' Decrypt %s successful with secret= %s and vault_id= %s ' % ( file_slug , vault_secret , vault_secret_id ) )
break
break
except AnsibleVaultFormatError as exc :
except AnsibleVaultFormatError as exc :
msg = " There was a vault format error "
msg = " There was a vault format error "
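Review bot: If `file_slug` keeps the leading space shown in ` of "%s"`, the format string `'Decrypt %s successful ...'` adds a second space before it, so the message prints a double space when a filename is given and `Decrypt  successful` when none is; `'Decrypt%s successful with secret=%s and vault_id=%s'` is tidy in both cases. The three-line if reads better as a conditional expression, `file_slug = ' of "%s"' % filename if filename else ''`. The enclosing decrypt loop starts and ends outside this hunk.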
@ -963,7 +998,7 @@ class VaultEditor:
vaulttext = to_text ( b_vaulttext )
vaulttext = to_text ( b_vaulttext )
try :
try :
plaintext = self . vault . decrypt ( vaulttext )
plaintext = self . vault . decrypt ( vaulttext , filename = filename )
return plaintext
return plaintext
except AnsibleError as e :
except AnsibleError as e :
raise AnsibleVaultError ( " %s for %s " % ( to_bytes ( e ) , to_bytes ( filename ) ) )
raise AnsibleVaultError ( " %s for %s " % ( to_bytes ( e ) , to_bytes ( filename ) ) )
@ -978,8 +1013,10 @@ class VaultEditor:
b_vaulttext = self . read_data ( filename )
b_vaulttext = self . read_data ( filename )
vaulttext = to_text ( b_vaulttext )
vaulttext = to_text ( b_vaulttext )
display . vvvvv ( ' Rekeying file " %s " to with new vault-id " %s " and vault secret %s ' %
( filename , new_vault_id , new_vault_secret ) )
try :
try :
plaintext = self . vault . decrypt ( vaulttext )
plaintext , vault_id_used = self . vault . decrypt _and_get_vault_id ( vaulttext )
except AnsibleError as e :
except AnsibleError as e :
raise AnsibleError ( " %s for %s " % ( to_bytes ( e ) , to_bytes ( filename ) ) )
raise AnsibleError ( " %s for %s " % ( to_bytes ( e ) , to_bytes ( filename ) ) )
@ -1004,6 +1041,9 @@ class VaultEditor:
os . chmod ( filename , prev . st_mode )
os . chmod ( filename , prev . st_mode )
os . chown ( filename , prev . st_uid , prev . st_gid )
os . chown ( filename , prev . st_uid , prev . st_gid )
display . vvvvv ( ' Rekeyed file " %s " (decrypted with vault id " %s " ) was encrypted with new vault-id " %s " and vault secret %s ' %
( filename , vault_id_used , new_vault_id , new_vault_secret ) )
def read_data ( self , filename ) :
def read_data ( self , filename ) :
try :
try :