
Make vault use a mapping of cipher name to classes instead of formatting the name for safety.

This commit is contained in:
Toshio Kuratomi 2015-10-16 10:04:37 -07:00
parent 14c80b8a04
commit b23a083776


@ -80,6 +80,8 @@ CRYPTO_UPGRADE = "ansible-vault requires a newer version of pycrypto than the on
b_HEADER = b'$ANSIBLE_VAULT' b_HEADER = b'$ANSIBLE_VAULT'
CIPHER_WHITELIST = frozenset((u'AES', u'AES256')) CIPHER_WHITELIST = frozenset((u'AES', u'AES256'))
CIPHER_WRITE_WHITELIST=frozenset((u'AES256',)) CIPHER_WRITE_WHITELIST=frozenset((u'AES256',))
# See also CIPHER_MAPPING at the bottom of the file which maps cipher strings
# (used in VaultFile header) to a cipher class
def check_prereqs(): def check_prereqs():
@ -123,12 +125,11 @@ class VaultLib:
if not self.cipher_name or self.cipher_name not in CIPHER_WRITE_WHITELIST: if not self.cipher_name or self.cipher_name not in CIPHER_WRITE_WHITELIST:
self.cipher_name = u"AES256" self.cipher_name = u"AES256"
cipher_class_name = u'Vault{0}'.format(self.cipher_name) try:
if cipher_class_name in globals(): Cipher = CIPHER_MAPPING[self.cipher_name]
Cipher = globals()[cipher_class_name] except KeyError:
this_cipher = Cipher()
else:
raise AnsibleError(u"{0} cipher could not be found".format(self.cipher_name)) raise AnsibleError(u"{0} cipher could not be found".format(self.cipher_name))
this_cipher = Cipher()
# encrypt data # encrypt data
b_enc_data = this_cipher.encrypt(b_data, self.b_password) b_enc_data = this_cipher.encrypt(b_data, self.b_password)
@ -613,3 +614,10 @@ class VaultAES256:
result |= ord(x) ^ ord(y) result |= ord(x) ^ ord(y)
return result == 0 return result == 0
# Keys could be made bytes later if the code that gets the data is more
# naturally byte-oriented
CIPHER_MAPPING = {
u'AES': VaultAES,
u'AES256': VaultAES256,
}
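Review bot: The `except KeyError` branch in the second hunk is unreachable while the `CIPHER_WRITE_WHITELIST` check just above it forces `self.cipher_name` to `u"AES256"`, so after this commit the whitelists and `CIPHER_MAPPING` are two hand-maintained lists that can drift without any failure until the first encrypt; a module-level guard next to the mapping, e.g. `if not CIPHER_WHITELIST <= frozenset(CIPHER_MAPPING): raise AnsibleError(u"CIPHER_MAPPING does not cover CIPHER_WHITELIST")`, would surface the drift at import time. The enclosing encrypt method starts outside the hunk; if the decrypt path (not visible here) still builds the class name with `u'Vault{0}'.format(...)` and looks it up in `globals()`, it should be switched to `CIPHER_MAPPING` as well, since that is the path where the cipher name comes from the file header rather than from configuration. A one-line comment on the mapping, `# Every name in CIPHER_WHITELIST must have an entry here; nothing else is ever instantiated from a header string`, would document the invariant the third hunk relies on.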