Don't pass the cipher around so much

It's unused and unnecessary; VaultLib can decide for itself what cipher to use when encrypting. There's no need (and no provision) for the user to override the cipher via options, so there's no need for code to see if that has been done either.
2015-08-26 18:20:57 +05:30 · 2015-08-26 18:20:57 +05:30 · f91ad3dabe
commit f91ad3dabe
parent 017566a2d9
2 changed files with 11 additions and 23 deletions
--- a/lib/ansible/cli/vault.py
+++ b/lib/ansible/cli/vault.py
@ -30,7 +30,6 @@ class VaultCLI(CLI):
    """ Vault command line class """

    VALID_ACTIONS = ("create", "decrypt", "edit", "encrypt", "rekey", "view")
-    CIPHER = 'AES256'

    def __init__(self, args, display=None):

@ -91,15 +90,13 @@ class VaultCLI(CLI):
        if len(self.args) > 1:
            raise AnsibleOptionsError("ansible-vault create can take only one filename argument")

-        cipher = getattr(self.options, 'cipher', self.CIPHER)
-        this_editor = VaultEditor(cipher, self.vault_pass, self.args[0])
+        this_editor = VaultEditor(self.vault_pass, self.args[0])
        this_editor.create_file()

    def execute_decrypt(self):

-        cipher = getattr(self.options, 'cipher', self.CIPHER)
        for f in self.args:
-            this_editor = VaultEditor(cipher, self.vault_pass, f)
+            this_editor = VaultEditor(self.vault_pass, f)
            this_editor.decrypt_file()

        self.display.display("Decryption successful")
@ -107,20 +104,19 @@ class VaultCLI(CLI):
    def execute_edit(self):

        for f in self.args:
-            this_editor = VaultEditor(None, self.vault_pass, f)
+            this_editor = VaultEditor(self.vault_pass, f)
            this_editor.edit_file()

    def execute_view(self):

        for f in self.args:
-            this_editor = VaultEditor(None, self.vault_pass, f)
+            this_editor = VaultEditor(self.vault_pass, f)
            this_editor.view_file()

    def execute_encrypt(self):

-        cipher = getattr(self.options, 'cipher', self.CIPHER)
        for f in self.args:
-            this_editor = VaultEditor(cipher, self.vault_pass, f)
+            this_editor = VaultEditor(self.vault_pass, f)
            this_editor.encrypt_file()

        self.display.display("Encryption successful")
@ -136,7 +132,7 @@ class VaultCLI(CLI):
            __, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)

        for f in self.args:
-            this_editor = VaultEditor(None, self.vault_pass, f)
+            this_editor = VaultEditor(self.vault_pass, f)
            this_editor.rekey_file(new_password)

        self.display.display("Rekey successful")
--- a/lib/ansible/parsing/vault/init.py
+++ b/lib/ansible/parsing/vault/init.py
@ -230,13 +230,11 @@ class VaultEditor:
    # file I/O, ditto read_file(self, filename) and launch_editor(self, filename)
    # ... "Don't Repeat Yourself", etc.

-    def __init__(self, cipher_name, password, filename):
-        # instantiates a member variable for VaultLib
-        self.cipher_name = cipher_name
+    def __init__(self, password, filename):
        self.password = password
        self.filename = filename

-    def _edit_file_helper(self, existing_data=None, cipher=None, force_save=False):
+    def _edit_file_helper(self, existing_data=None, force_save=False):
        # make sure the umask is set to a sane value
        old_umask = os.umask(0o077)

@ -257,8 +255,6 @@ class VaultEditor:

        # create new vault
        this_vault = VaultLib(self.password)
-        if cipher:
-            this_vault.cipher_name = cipher

        # encrypt new data and write out to tmp
        enc_data = this_vault.encrypt(tmpdata)
@ -279,7 +275,7 @@ class VaultEditor:
            raise AnsibleError("%s exists, please use 'edit' instead" % self.filename)

        # Let the user specify contents and save file
-        self._edit_file_helper(cipher=self.cipher_name)
+        self._edit_file_helper()

    def decrypt_file(self):

@ -311,9 +307,9 @@ class VaultEditor:
        # let the user edit the data and save
        if this_vault.cipher_name not in CIPHER_WRITE_WHITELIST:
            # we want to get rid of files encrypted with the AES cipher
-            self._edit_file_helper(existing_data=dec_data, cipher=None, force_save=True)
+            self._edit_file_helper(existing_data=dec_data, force_save=True)
        else:
-            self._edit_file_helper(existing_data=dec_data, cipher=this_vault.cipher_name, force_save=False)
+            self._edit_file_helper(existing_data=dec_data, force_save=False)

    def view_file(self):

@ -339,7 +335,6 @@ class VaultEditor:

        tmpdata = self.read_data(self.filename)
        this_vault = VaultLib(self.password)
-        this_vault.cipher_name = self.cipher_name
        if not this_vault.is_encrypted(tmpdata):
            enc_data = this_vault.encrypt(tmpdata)
            self.write_data(enc_data, self.filename)
@ -358,9 +353,6 @@ class VaultEditor:
        # create new vault
        new_vault = VaultLib(new_password)

-        # we want to force cipher to the default
-        #new_vault.cipher_name = this_vault.cipher_name
-
        # re-encrypt data and re-write file
        enc_data = new_vault.encrypt(dec_data)
        self.write_data(enc_data, self.filename)