
vault now preserves permissions on edit and rekey and sets a restrictive default umask for all other cases

This commit is contained in:
Brian Coca 2015-10-31 13:56:14 -04:00
parent 35bedd1190
commit 00bc74404a
2 changed files with 20 additions and 5 deletions


@ -86,6 +86,9 @@ class VaultCLI(CLI):
super(VaultCLI, self).run() super(VaultCLI, self).run()
loader = DataLoader() loader = DataLoader()
# set default restrictive umask
old_umask = os.umask(0o077)
if self.options.vault_password_file: if self.options.vault_password_file:
# read vault_pass from a file # read vault_pass from a file
self.vault_pass = CLI.read_vault_password_file(self.options.vault_password_file, loader) self.vault_pass = CLI.read_vault_password_file(self.options.vault_password_file, loader)
@ -108,6 +111,9 @@ class VaultCLI(CLI):
self.execute() self.execute()
# and restore umask
os.umask(old_umask)
def execute_encrypt(self): def execute_encrypt(self):
if len(self.args) == 0 and sys.stdin.isatty(): if len(self.args) == 0 and sys.stdin.isatty():
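Review bot: The umask restore after `self.execute()` in the second hunk only runs on the success path; any exception raised by execute() leaves the process at 0o077, so the `old_umask = os.umask(0o077)` / `os.umask(old_umask)` pair should be a `try:` `self.execute()` `finally: os.umask(old_umask)` block rather than two bare statements. That is harmless when the CLI exits right afterwards, but run() starts before the first hunk and everything between the two hunks (the password-file handling onward) is outside the view, so whether a caller continues in-process after a failure cannot be checked here. Note also that the umask is process-wide and inherited by children, so the editor launched for `edit` (see `_editor_shell_command` in the other file) will create its own swap or backup files owner-only, which is the intended effect and worth a one-line comment next to the `os.umask(0o077)` call, e.g. `# inherited by child processes (e.g. the external editor) as well`.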


@ -221,8 +221,6 @@ class VaultEditor:
self.vault = VaultLib(password) self.vault = VaultLib(password)
def _edit_file_helper(self, filename, existing_data=None, force_save=False): def _edit_file_helper(self, filename, existing_data=None, force_save=False):
# make sure the umask is set to a sane value
old_umask = os.umask(0o077)
# Create a tempfile # Create a tempfile
_, tmp_path = tempfile.mkstemp() _, tmp_path = tempfile.mkstemp()
@ -246,9 +244,6 @@ class VaultEditor:
# shuffle tmp file into place # shuffle tmp file into place
self.shuffle_files(tmp_path, filename) self.shuffle_files(tmp_path, filename)
# and restore umask
os.umask(old_umask)
def encrypt_file(self, filename, output_file=None): def encrypt_file(self, filename, output_file=None):
check_prereqs() check_prereqs()
@ -303,13 +298,19 @@ class VaultEditor:
check_prereqs() check_prereqs()
prev = os.stat(filename)
ciphertext = self.read_data(filename) ciphertext = self.read_data(filename)
plaintext = self.vault.decrypt(ciphertext) plaintext = self.vault.decrypt(ciphertext)
new_vault = VaultLib(new_password) new_vault = VaultLib(new_password)
new_ciphertext = new_vault.encrypt(plaintext) new_ciphertext = new_vault.encrypt(plaintext)
self.write_data(new_ciphertext, filename) self.write_data(new_ciphertext, filename)
# preserve permitions
os.chmod(filename, prev.st_mode)
os.chown(filename, prev.st_uid, prev.st_gid)
def read_data(self, filename): def read_data(self, filename):
try: try:
if filename == '-': if filename == '-':
@ -333,11 +334,19 @@ class VaultEditor:
fh.write(bytes) fh.write(bytes)
def shuffle_files(self, src, dest): def shuffle_files(self, src, dest):
prev = None
# overwrite dest with src # overwrite dest with src
if os.path.isfile(dest): if os.path.isfile(dest):
prev = os.stat(dest)
os.remove(dest) os.remove(dest)
shutil.move(src, dest) shutil.move(src, dest)
# reset permissions if needed
if prev is not None:
#TODO: selinux, ACLs, xattr?
os.chmod(dest, prev.st_mode)
os.chown(dest, prev.st_uid, prev.st_gid)
def _editor_shell_command(self, filename): def _editor_shell_command(self, filename):
EDITOR = os.environ.get('EDITOR','vim') EDITOR = os.environ.get('EDITOR','vim')
editor = shlex.split(EDITOR) editor = shlex.split(EDITOR)
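Review bot: In shuffle_files the new `os.chown(dest, prev.st_uid, prev.st_gid)` will raise PermissionError for a non-root caller whenever the replaced file belonged to another user or to a group the caller is not in (e.g. a root-owned vault in a group-writable directory), and it fires after `shutil.move(src, dest)` has already put the new content in place, so the edit lands on disk but the command reports failure; the same unconditional chown is added to rekey_file in the previous hunk. The new file from mkstemp is already owned by the current uid/gid, so the chown is only needed when that differs from `prev`, which also keeps the common case free of the call. `os.chmod(dest, prev.st_mode)` passes the full st_mode including the file-type bits; Linux masks those off, but the portable form is `stat.S_IMODE(prev.st_mode)` (needs `import stat` at the top of the file, which is outside this view). Separately, removing the umask handling from `_edit_file_helper` means VaultEditor used as a library no longer sets a restrictive umask itself; mkstemp() still creates the tempfile 0600, but any path that writes a new output file now follows the caller's umask, which may be worth noting in the class docstring.

```python
    # reset permissions if needed
    if prev is not None:
        #TODO: selinux, ACLs, xattr?
        os.chmod(dest, stat.S_IMODE(prev.st_mode))  # permission bits only, not file-type bits
        cur = os.stat(dest)
        # a non-root caller cannot give the file to another uid/gid, so only
        # attempt the chown when ownership actually changed across the replace
        if (cur.st_uid, cur.st_gid) != (prev.st_uid, prev.st_gid):
            os.chown(dest, prev.st_uid, prev.st_gid)
```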