Commit Graph

10 Commits (300d6482d1dd29ef8a2fb5743d38c8035770cb87)

Author SHA1 Message Date
Adrian Likins e396d5d508 Implement vault encrypted yaml variables. (#16274)
Make !vault-encrypted create a AnsibleVaultUnicode
yaml object that can be used as a regular string object.

This allows a playbook to include a encrypted vault
blob for the value of a yaml variable. A 'secret_password'
variable can have it's value encrypted instead of having
to vault encrypt an entire vars file.

Add __ENCRYPTED__ to the vault yaml types so
template.Template can treat it similar
to __UNSAFE__ flags.

vault.VaultLib api changes:
    - Split VaultLib.encrypt to encrypt and encrypt_bytestring

    - VaultLib.encrypt() previously accepted the plaintext data
      as either a byte string or a unicode string.
      Doing the right thing based on the input type would fail
      on py3 if given a arg of type 'bytes'. To simplify the
      API, vaultlib.encrypt() now assumes input plaintext is a
      py2 unicode or py3 str. It will encode to utf-8 then call
      the new encrypt_bytestring(). The new methods are less
      ambiguous.

    - moved VaultLib.is_encrypted logic to vault module scope
      and split to is_encrypted() and is_encrypted_file().

Add a test/unit/mock/yaml_helper.py
It has some helpers for testing parsing/yaml

Integration tests added as roles test_vault and test_vault_embedded
8 years ago
Marius Gedminas ec3ada1cda Fix test on Python 3: vault code expects bytes
(All tests now succeed on Python 3.5)
9 years ago
Marius Gedminas 5c70f932bd Fix test on Python 3: vault code expects bytes
(Third failing test out of four.)
9 years ago
Marius Gedminas a1d95536f9 Fix test on Python 3: vault code expects bytes
(Different test than the last commit.)
9 years ago
Marius Gedminas f58f0c62e1 Fix test on Python 3: vault code expects bytes 9 years ago
Abhijit Menon-Sen 4f3a98eff6 Update Vault tests to make sure AES decryption works
Note that this test was broken in devel because it was really just
duplicating the AES256 test because setting v.cipher_name to 'AES'
no longer selected AES after it was de-write-whitelisted.

Now that we've removed the VaultAES encryption code, we embed static
output from an earlier version and test that we can decrypt it.
9 years ago
Abhijit Menon-Sen b84053019a Make the filename the first argument to rekey_file 9 years ago
Abhijit Menon-Sen c4b2540ecc Update tests for VaultEditor API changes 9 years ago
Toshio Kuratomi a3fd4817ef Unicode and other fixes for vault 9 years ago
James Cammarata ce3ef7f4c1 Making the switch to v2 10 years ago