Commit graph

10 commits

Author SHA1 Message Date
Adrian Likins
e396d5d508 Implement vault encrypted yaml variables. (#16274)
Make !vault-encrypted create a AnsibleVaultUnicode
yaml object that can be used as a regular string object.

This allows a playbook to include a encrypted vault
blob for the value of a yaml variable. A 'secret_password'
variable can have it's value encrypted instead of having
to vault encrypt an entire vars file.

Add __ENCRYPTED__ to the vault yaml types so
template.Template can treat it similar
to __UNSAFE__ flags.

vault.VaultLib api changes:
    - Split VaultLib.encrypt to encrypt and encrypt_bytestring

    - VaultLib.encrypt() previously accepted the plaintext data
      as either a byte string or a unicode string.
      Doing the right thing based on the input type would fail
      on py3 if given a arg of type 'bytes'. To simplify the
      API, vaultlib.encrypt() now assumes input plaintext is a
      py2 unicode or py3 str. It will encode to utf-8 then call
      the new encrypt_bytestring(). The new methods are less
      ambiguous.

    - moved VaultLib.is_encrypted logic to vault module scope
      and split to is_encrypted() and is_encrypted_file().

Add a test/unit/mock/yaml_helper.py
It has some helpers for testing parsing/yaml

Integration tests added as roles test_vault and test_vault_embedded
2016-08-23 20:03:11 -04:00
Marius Gedminas
ec3ada1cda Fix test on Python 3: vault code expects bytes
(All tests now succeed on Python 3.5)
2015-10-16 09:13:46 +03:00
Marius Gedminas
5c70f932bd Fix test on Python 3: vault code expects bytes
(Third failing test out of four.)
2015-10-16 09:12:49 +03:00
Marius Gedminas
a1d95536f9 Fix test on Python 3: vault code expects bytes
(Different test than the last commit.)
2015-10-16 09:11:34 +03:00
Marius Gedminas
f58f0c62e1 Fix test on Python 3: vault code expects bytes 2015-10-16 09:10:25 +03:00
Abhijit Menon-Sen
4f3a98eff6 Update Vault tests to make sure AES decryption works
Note that this test was broken in devel because it was really just
duplicating the AES256 test because setting v.cipher_name to 'AES'
no longer selected AES after it was de-write-whitelisted.

Now that we've removed the VaultAES encryption code, we embed static
output from an earlier version and test that we can decrypt it.
2015-08-27 18:36:05 +05:30
Abhijit Menon-Sen
b84053019a Make the filename the first argument to rekey_file 2015-08-26 19:54:59 +05:30
Abhijit Menon-Sen
c4b2540ecc Update tests for VaultEditor API changes 2015-08-26 19:52:20 +05:30
Toshio Kuratomi
a3fd4817ef Unicode and other fixes for vault 2015-08-25 12:43:09 -07:00
James Cammarata
ce3ef7f4c1 Making the switch to v2 2015-05-03 21:47:26 -05:00