Pass the filename to the individual VaultEditor methods, not __init__
The CLI no longer has to construct a new VaultEditor for every file it processes. It also paves the way towards specifying separate input and output files later.
This commit is contained in:
parent
a27c5741a1
commit
20fd9224bb
2 changed files with 39 additions and 45 deletions
|
@ -83,6 +83,8 @@ class VaultCLI(CLI):
|
||||||
if not self.vault_pass:
|
if not self.vault_pass:
|
||||||
raise AnsibleOptionsError("A password is required to use Ansible's Vault")
|
raise AnsibleOptionsError("A password is required to use Ansible's Vault")
|
||||||
|
|
||||||
|
self.editor = VaultEditor(self.vault_pass)
|
||||||
|
|
||||||
self.execute()
|
self.execute()
|
||||||
|
|
||||||
def execute_create(self):
|
def execute_create(self):
|
||||||
|
@ -90,36 +92,30 @@ class VaultCLI(CLI):
|
||||||
if len(self.args) > 1:
|
if len(self.args) > 1:
|
||||||
raise AnsibleOptionsError("ansible-vault create can take only one filename argument")
|
raise AnsibleOptionsError("ansible-vault create can take only one filename argument")
|
||||||
|
|
||||||
this_editor = VaultEditor(self.vault_pass, self.args[0])
|
self.editor.create_file(self.args[0])
|
||||||
this_editor.create_file()
|
|
||||||
|
|
||||||
def execute_decrypt(self):
|
def execute_decrypt(self):
|
||||||
|
|
||||||
for f in self.args:
|
for f in self.args:
|
||||||
this_editor = VaultEditor(self.vault_pass, f)
|
self.editor.decrypt_file(f)
|
||||||
this_editor.decrypt_file()
|
|
||||||
|
|
||||||
self.display.display("Decryption successful")
|
self.display.display("Decryption successful", stderr=True)
|
||||||
|
|
||||||
def execute_edit(self):
|
def execute_edit(self):
|
||||||
|
|
||||||
for f in self.args:
|
for f in self.args:
|
||||||
this_editor = VaultEditor(self.vault_pass, f)
|
self.editor.edit_file(f)
|
||||||
this_editor.edit_file()
|
|
||||||
|
|
||||||
def execute_view(self):
|
def execute_view(self):
|
||||||
|
|
||||||
for f in self.args:
|
for f in self.args:
|
||||||
this_editor = VaultEditor(self.vault_pass, f)
|
self.editor.view_file(f)
|
||||||
this_editor.view_file()
|
|
||||||
|
|
||||||
def execute_encrypt(self):
|
def execute_encrypt(self):
|
||||||
|
|
||||||
for f in self.args:
|
for f in self.args:
|
||||||
this_editor = VaultEditor(self.vault_pass, f)
|
self.editor.encrypt_file(f)
|
||||||
this_editor.encrypt_file()
|
|
||||||
|
|
||||||
self.display.display("Encryption successful")
|
self.display.display("Encryption successful", stderr=True)
|
||||||
|
|
||||||
def execute_rekey(self):
|
def execute_rekey(self):
|
||||||
for f in self.args:
|
for f in self.args:
|
||||||
|
@ -132,7 +128,6 @@ class VaultCLI(CLI):
|
||||||
__, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)
|
__, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)
|
||||||
|
|
||||||
for f in self.args:
|
for f in self.args:
|
||||||
this_editor = VaultEditor(self.vault_pass, f)
|
self.editor.rekey_file(new_password, f)
|
||||||
this_editor.rekey_file(new_password)
|
|
||||||
|
|
||||||
self.display.display("Rekey successful")
|
self.display.display("Rekey successful", stderr=True)
|
||||||
|
|
|
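Review bot: execute_create guards only against too many arguments — `if len(self.args) > 1:` — so an empty argument list reaches `self.args[0]` and fails with an IndexError instead of an options error; the condition should be `if len(self.args) != 1:` with a message such as `"ansible-vault create takes exactly one filename argument"`. This may already be caught by an argument-count check in parse(), which is not in this view, in which case the tighter condition is still cheap defence in depth. As a point of style, the new `self.editor.rekey_file(new_password, f)` is the only call where the filename is not the first argument, which will read oddly once separate input and output filenames are added; `self.editor.rekey_file(f, new_password)` would keep the methods parallel.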
@ -226,11 +226,10 @@ class VaultLib:
|
||||||
|
|
||||||
class VaultEditor:
|
class VaultEditor:
|
||||||
|
|
||||||
def __init__(self, password, filename):
|
def __init__(self, password):
|
||||||
self.password = password
|
self.password = password
|
||||||
self.filename = filename
|
|
||||||
|
|
||||||
def _edit_file_helper(self, existing_data=None, force_save=False):
|
def _edit_file_helper(self, filename, existing_data=None, force_save=False):
|
||||||
# make sure the umask is set to a sane value
|
# make sure the umask is set to a sane value
|
||||||
old_umask = os.umask(0o077)
|
old_umask = os.umask(0o077)
|
||||||
|
|
||||||
|
@ -257,62 +256,62 @@ class VaultEditor:
|
||||||
self.write_data(enc_data, tmp_path)
|
self.write_data(enc_data, tmp_path)
|
||||||
|
|
||||||
# shuffle tmp file into place
|
# shuffle tmp file into place
|
||||||
self.shuffle_files(tmp_path, self.filename)
|
self.shuffle_files(tmp_path, filename)
|
||||||
|
|
||||||
# and restore umask
|
# and restore umask
|
||||||
os.umask(old_umask)
|
os.umask(old_umask)
|
||||||
|
|
||||||
def create_file(self):
|
def create_file(self, filename):
|
||||||
""" create a new encrypted file """
|
""" create a new encrypted file """
|
||||||
|
|
||||||
check_prereqs()
|
check_prereqs()
|
||||||
|
|
||||||
if os.path.isfile(self.filename):
|
if os.path.isfile(filename):
|
||||||
raise AnsibleError("%s exists, please use 'edit' instead" % self.filename)
|
raise AnsibleError("%s exists, please use 'edit' instead" % filename)
|
||||||
|
|
||||||
# Let the user specify contents and save file
|
# Let the user specify contents and save file
|
||||||
self._edit_file_helper()
|
self._edit_file_helper(filename)
|
||||||
|
|
||||||
def decrypt_file(self):
|
def decrypt_file(self, filename):
|
||||||
|
|
||||||
check_prereqs()
|
check_prereqs()
|
||||||
|
|
||||||
if not os.path.isfile(self.filename):
|
if not os.path.isfile(filename):
|
||||||
raise AnsibleError("%s does not exist" % self.filename)
|
raise AnsibleError("%s does not exist" % filename)
|
||||||
|
|
||||||
tmpdata = self.read_data(self.filename)
|
tmpdata = self.read_data(filename)
|
||||||
this_vault = VaultLib(self.password)
|
this_vault = VaultLib(self.password)
|
||||||
if this_vault.is_encrypted(tmpdata):
|
if this_vault.is_encrypted(tmpdata):
|
||||||
dec_data = this_vault.decrypt(tmpdata)
|
dec_data = this_vault.decrypt(tmpdata)
|
||||||
if dec_data is None:
|
if dec_data is None:
|
||||||
raise AnsibleError("Decryption failed")
|
raise AnsibleError("Decryption failed")
|
||||||
else:
|
else:
|
||||||
self.write_data(dec_data, self.filename)
|
self.write_data(dec_data, filename)
|
||||||
else:
|
else:
|
||||||
raise AnsibleError("%s is not encrypted" % self.filename)
|
raise AnsibleError("%s is not encrypted" % filename)
|
||||||
|
|
||||||
def edit_file(self):
|
def edit_file(self, filename):
|
||||||
|
|
||||||
check_prereqs()
|
check_prereqs()
|
||||||
|
|
||||||
# decrypt to tmpfile
|
# decrypt to tmpfile
|
||||||
tmpdata = self.read_data(self.filename)
|
tmpdata = self.read_data(filename)
|
||||||
this_vault = VaultLib(self.password)
|
this_vault = VaultLib(self.password)
|
||||||
dec_data = this_vault.decrypt(tmpdata)
|
dec_data = this_vault.decrypt(tmpdata)
|
||||||
|
|
||||||
# let the user edit the data and save
|
# let the user edit the data and save
|
||||||
if this_vault.cipher_name not in CIPHER_WRITE_WHITELIST:
|
if this_vault.cipher_name not in CIPHER_WRITE_WHITELIST:
|
||||||
# we want to get rid of files encrypted with the AES cipher
|
# we want to get rid of files encrypted with the AES cipher
|
||||||
self._edit_file_helper(existing_data=dec_data, force_save=True)
|
self._edit_file_helper(filename, existing_data=dec_data, force_save=True)
|
||||||
else:
|
else:
|
||||||
self._edit_file_helper(existing_data=dec_data, force_save=False)
|
self._edit_file_helper(filename, existing_data=dec_data, force_save=False)
|
||||||
|
|
||||||
def view_file(self):
|
def view_file(self, filename):
|
||||||
|
|
||||||
check_prereqs()
|
check_prereqs()
|
||||||
|
|
||||||
# decrypt to tmpfile
|
# decrypt to tmpfile
|
||||||
tmpdata = self.read_data(self.filename)
|
tmpdata = self.read_data(filename)
|
||||||
this_vault = VaultLib(self.password)
|
this_vault = VaultLib(self.password)
|
||||||
dec_data = this_vault.decrypt(tmpdata)
|
dec_data = this_vault.decrypt(tmpdata)
|
||||||
_, tmp_path = tempfile.mkstemp()
|
_, tmp_path = tempfile.mkstemp()
|
||||||
|
@ -322,27 +321,27 @@ class VaultEditor:
|
||||||
call(self._pager_shell_command(tmp_path))
|
call(self._pager_shell_command(tmp_path))
|
||||||
os.remove(tmp_path)
|
os.remove(tmp_path)
|
||||||
|
|
||||||
def encrypt_file(self):
|
def encrypt_file(self, filename):
|
||||||
|
|
||||||
check_prereqs()
|
check_prereqs()
|
||||||
|
|
||||||
if not os.path.isfile(self.filename):
|
if not os.path.isfile(filename):
|
||||||
raise AnsibleError("%s does not exist" % self.filename)
|
raise AnsibleError("%s does not exist" % filename)
|
||||||
|
|
||||||
tmpdata = self.read_data(self.filename)
|
tmpdata = self.read_data(filename)
|
||||||
this_vault = VaultLib(self.password)
|
this_vault = VaultLib(self.password)
|
||||||
if not this_vault.is_encrypted(tmpdata):
|
if not this_vault.is_encrypted(tmpdata):
|
||||||
enc_data = this_vault.encrypt(tmpdata)
|
enc_data = this_vault.encrypt(tmpdata)
|
||||||
self.write_data(enc_data, self.filename)
|
self.write_data(enc_data, filename)
|
||||||
else:
|
else:
|
||||||
raise AnsibleError("%s is already encrypted" % self.filename)
|
raise AnsibleError("%s is already encrypted" % filename)
|
||||||
|
|
||||||
def rekey_file(self, new_password):
|
def rekey_file(self, new_password, filename):
|
||||||
|
|
||||||
check_prereqs()
|
check_prereqs()
|
||||||
|
|
||||||
# decrypt
|
# decrypt
|
||||||
tmpdata = self.read_data(self.filename)
|
tmpdata = self.read_data(filename)
|
||||||
this_vault = VaultLib(self.password)
|
this_vault = VaultLib(self.password)
|
||||||
dec_data = this_vault.decrypt(tmpdata)
|
dec_data = this_vault.decrypt(tmpdata)
|
||||||
|
|
||||||
|
@ -351,7 +350,7 @@ class VaultEditor:
|
||||||
|
|
||||||
# re-encrypt data and re-write file
|
# re-encrypt data and re-write file
|
||||||
enc_data = new_vault.encrypt(dec_data)
|
enc_data = new_vault.encrypt(dec_data)
|
||||||
self.write_data(enc_data, self.filename)
|
self.write_data(enc_data, filename)
|
||||||
|
|
||||||
def read_data(self, filename):
|
def read_data(self, filename):
|
||||||
f = open(filename, "rb")
|
f = open(filename, "rb")
|
||||||
|
|
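Review bot: view_file removes the plaintext temp file only on the happy path — `os.remove(tmp_path)` follows `call(self._pager_shell_command(tmp_path))` with no try/finally, so if the pager call raises (for example an OSError when the configured pager is not installed) the decrypted secrets stay on disk at the mkstemp path; the descriptor from `_, tmp_path = tempfile.mkstemp()` is also discarded without being closed. The write to tmp_path sits between the two hunks and is not visible here, so the sketch below leaves it in place and only makes the cleanup unconditional. Separately, decrypt_file checks `if dec_data is None:` after decrypt() while edit_file, view_file and rekey_file do not; whether VaultLib.decrypt raises on a bad password instead is outside this view and worth confirming before relying on that check in one place only.
```python
fd, tmp_path = tempfile.mkstemp()
os.close(fd)  # the path is reopened by name below; do not leak the descriptor
try:
    # … unchanged: write dec_data to tmp_path …
    call(self._pager_shell_command(tmp_path))
finally:
    os.remove(tmp_path)  # plaintext must not survive a pager failure
```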