Don't pass the cipher around so much
It's unused and unnecessary; VaultLib can decide for itself what cipher to use when encrypting. There's no need (and no provision) for the user to override the cipher via options, so there's no need for code to see if that has been done either.
This commit is contained in:
Abhijit Menon-Sen
parent
017566a2d9
commit
f91ad3dabe
|
|
@ -30,7 +30,6 @@ class VaultCLI(CLI):
|
||||||
""" Vault command line class """
|
""" Vault command line class """
|
||||||
|
|
||||||
VALID_ACTIONS = ("create", "decrypt", "edit", "encrypt", "rekey", "view")
|
VALID_ACTIONS = ("create", "decrypt", "edit", "encrypt", "rekey", "view")
|
||||||
CIPHER = 'AES256'
|
|
||||||
|
|
||||||
def __init__(self, args, display=None):
|
def __init__(self, args, display=None):
|
||||||
|
|
||||||
|
|
@ -91,15 +90,13 @@ class VaultCLI(CLI):
|
||||||
if len(self.args) > 1:
|
if len(self.args) > 1:
|
||||||
raise AnsibleOptionsError("ansible-vault create can take only one filename argument")
|
raise AnsibleOptionsError("ansible-vault create can take only one filename argument")
|
||||||
|
|
||||||
cipher = getattr(self.options, 'cipher', self.CIPHER)
|
this_editor = VaultEditor(self.vault_pass, self.args[0])
|
||||||
this_editor = VaultEditor(cipher, self.vault_pass, self.args[0])
|
|
||||||
this_editor.create_file()
|
this_editor.create_file()
|
||||||
|
|
||||||
def execute_decrypt(self):
|
def execute_decrypt(self):
|
||||||
|
|
||||||
cipher = getattr(self.options, 'cipher', self.CIPHER)
|
|
||||||
for f in self.args:
|
for f in self.args:
|
||||||
this_editor = VaultEditor(cipher, self.vault_pass, f)
|
this_editor = VaultEditor(self.vault_pass, f)
|
||||||
this_editor.decrypt_file()
|
this_editor.decrypt_file()
|
||||||
|
|
||||||
self.display.display("Decryption successful")
|
self.display.display("Decryption successful")
|
||||||
|
|
@ -107,20 +104,19 @@ class VaultCLI(CLI):
|
||||||
def execute_edit(self):
|
def execute_edit(self):
|
||||||
|
|
||||||
for f in self.args:
|
for f in self.args:
|
||||||
this_editor = VaultEditor(None, self.vault_pass, f)
|
this_editor = VaultEditor(self.vault_pass, f)
|
||||||
this_editor.edit_file()
|
this_editor.edit_file()
|
||||||
|
|
||||||
def execute_view(self):
|
def execute_view(self):
|
||||||
|
|
||||||
for f in self.args:
|
for f in self.args:
|
||||||
this_editor = VaultEditor(None, self.vault_pass, f)
|
this_editor = VaultEditor(self.vault_pass, f)
|
||||||
this_editor.view_file()
|
this_editor.view_file()
|
||||||
|
|
||||||
def execute_encrypt(self):
|
def execute_encrypt(self):
|
||||||
|
|
||||||
cipher = getattr(self.options, 'cipher', self.CIPHER)
|
|
||||||
for f in self.args:
|
for f in self.args:
|
||||||
this_editor = VaultEditor(cipher, self.vault_pass, f)
|
this_editor = VaultEditor(self.vault_pass, f)
|
||||||
this_editor.encrypt_file()
|
this_editor.encrypt_file()
|
||||||
|
|
||||||
self.display.display("Encryption successful")
|
self.display.display("Encryption successful")
|
||||||
|
|
@ -136,7 +132,7 @@ class VaultCLI(CLI):
|
||||||
__, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)
|
__, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)
|
||||||
|
|
||||||
for f in self.args:
|
for f in self.args:
|
||||||
this_editor = VaultEditor(None, self.vault_pass, f)
|
this_editor = VaultEditor(self.vault_pass, f)
|
||||||
this_editor.rekey_file(new_password)
|
this_editor.rekey_file(new_password)
|
||||||
|
|
||||||
self.display.display("Rekey successful")
|
self.display.display("Rekey successful")
|
||||||
|
|
|
||||||
|
|
@ -230,13 +230,11 @@ class VaultEditor:
|
||||||
# file I/O, ditto read_file(self, filename) and launch_editor(self, filename)
|
# file I/O, ditto read_file(self, filename) and launch_editor(self, filename)
|
||||||
# ... "Don't Repeat Yourself", etc.
|
# ... "Don't Repeat Yourself", etc.
|
||||||
|
|
||||||
def __init__(self, cipher_name, password, filename):
|
def __init__(self, password, filename):
|
||||||
# instantiates a member variable for VaultLib
|
|
||||||
self.cipher_name = cipher_name
|
|
||||||
self.password = password
|
self.password = password
|
||||||
self.filename = filename
|
self.filename = filename
|
||||||
|
|
||||||
def _edit_file_helper(self, existing_data=None, cipher=None, force_save=False):
|
def _edit_file_helper(self, existing_data=None, force_save=False):
|
||||||
# make sure the umask is set to a sane value
|
# make sure the umask is set to a sane value
|
||||||
old_umask = os.umask(0o077)
|
old_umask = os.umask(0o077)
|
||||||
|
|
||||||
|
|
@ -257,8 +255,6 @@ class VaultEditor:
|
||||||
|
|
||||||
# create new vault
|
# create new vault
|
||||||
this_vault = VaultLib(self.password)
|
this_vault = VaultLib(self.password)
|
||||||
if cipher:
|
|
||||||
this_vault.cipher_name = cipher
|
|
||||||
|
|
||||||
# encrypt new data and write out to tmp
|
# encrypt new data and write out to tmp
|
||||||
enc_data = this_vault.encrypt(tmpdata)
|
enc_data = this_vault.encrypt(tmpdata)
|
||||||
|
|
@ -279,7 +275,7 @@ class VaultEditor:
|
||||||
raise AnsibleError("%s exists, please use 'edit' instead" % self.filename)
|
raise AnsibleError("%s exists, please use 'edit' instead" % self.filename)
|
||||||
|
|
||||||
# Let the user specify contents and save file
|
# Let the user specify contents and save file
|
||||||
self._edit_file_helper(cipher=self.cipher_name)
|
self._edit_file_helper()
|
||||||
|
|
||||||
def decrypt_file(self):
|
def decrypt_file(self):
|
||||||
|
|
||||||
|
|
@ -311,9 +307,9 @@ class VaultEditor:
|
||||||
# let the user edit the data and save
|
# let the user edit the data and save
|
||||||
if this_vault.cipher_name not in CIPHER_WRITE_WHITELIST:
|
if this_vault.cipher_name not in CIPHER_WRITE_WHITELIST:
|
||||||
# we want to get rid of files encrypted with the AES cipher
|
# we want to get rid of files encrypted with the AES cipher
|
||||||
self._edit_file_helper(existing_data=dec_data, cipher=None, force_save=True)
|
self._edit_file_helper(existing_data=dec_data, force_save=True)
|
||||||
else:
|
else:
|
||||||
self._edit_file_helper(existing_data=dec_data, cipher=this_vault.cipher_name, force_save=False)
|
self._edit_file_helper(existing_data=dec_data, force_save=False)
|
||||||
|
|
||||||
def view_file(self):
|
def view_file(self):
|
||||||
|
|
||||||
|
|
@ -339,7 +335,6 @@ class VaultEditor:
|
||||||
|
|
||||||
tmpdata = self.read_data(self.filename)
|
tmpdata = self.read_data(self.filename)
|
||||||
this_vault = VaultLib(self.password)
|
this_vault = VaultLib(self.password)
|
||||||
this_vault.cipher_name = self.cipher_name
|
|
||||||
if not this_vault.is_encrypted(tmpdata):
|
if not this_vault.is_encrypted(tmpdata):
|
||||||
enc_data = this_vault.encrypt(tmpdata)
|
enc_data = this_vault.encrypt(tmpdata)
|
||||||
self.write_data(enc_data, self.filename)
|
self.write_data(enc_data, self.filename)
|
||||||
|
|
@ -358,9 +353,6 @@ class VaultEditor:
|
||||||
# create new vault
|
# create new vault
|
||||||
new_vault = VaultLib(new_password)
|
new_vault = VaultLib(new_password)
|
||||||
|
|
||||||
# we want to force cipher to the default
|
|
||||||
#new_vault.cipher_name = this_vault.cipher_name
|
|
||||||
|
|
||||||
# re-encrypt data and re-write file
|
# re-encrypt data and re-write file
|
||||||
enc_data = new_vault.encrypt(dec_data)
|
enc_data = new_vault.encrypt(dec_data)
|
||||||
self.write_data(enc_data, self.filename)
|
self.write_data(enc_data, self.filename)
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue