Make vault use a mapping of cipher name to classes instead of formatting the name for safety.
This commit is contained in:
parent
14c80b8a04
commit
b23a083776
1 changed files with 13 additions and 5 deletions
@ -80,6 +80,8 @@ CRYPTO_UPGRADE = "ansible-vault requires a newer version of pycrypto than the on
b_HEADER = b'$ANSIBLE_VAULT'
b_HEADER = b'$ANSIBLE_VAULT'
CIPHER_WHITELIST = frozenset((u'AES', u'AES256'))
CIPHER_WHITELIST = frozenset((u'AES', u'AES256'))
CIPHER_WRITE_WHITELIST=frozenset((u'AES256',))
CIPHER_WRITE_WHITELIST=frozenset((u'AES256',))
|
# See also CIPHER_MAPPING at the bottom of the file which maps cipher strings
|
# (used in VaultFile header) to a cipher class
|
|
|
|
def check_prereqs():
def check_prereqs():
|
@ -123,12 +125,11 @@ class VaultLib:
if not self.cipher_name or self.cipher_name not in CIPHER_WRITE_WHITELIST:
if not self.cipher_name or self.cipher_name not in CIPHER_WRITE_WHITELIST:
self.cipher_name = u"AES256"
self.cipher_name = u"AES256"
|
|
cipher_class_name = u'Vault{0}'.format(self.cipher_name)
try:
if cipher_class_name in globals():
Cipher = CIPHER_MAPPING[self.cipher_name]
Cipher = globals()[cipher_class_name]
except KeyError:
this_cipher = Cipher()
|
else:
|
raise AnsibleError(u"{0} cipher could not be found".format(self.cipher_name))
raise AnsibleError(u"{0} cipher could not be found".format(self.cipher_name))
|
this_cipher = Cipher()
|
|
# encrypt data
# encrypt data
b_enc_data = this_cipher.encrypt(b_data, self.b_password)
b_enc_data = this_cipher.encrypt(b_data, self.b_password)
|
@ -613,3 +614,10 @@ class VaultAES256:
result |= ord(x) ^ ord(y)
result |= ord(x) ^ ord(y)
return result == 0
return result == 0
|
|
|
|
|
# Keys could be made bytes later if the code that gets the data is more
|
# naturally byte-oriented
|
CIPHER_MAPPING = {
|
u'AES': VaultAES,
|
u'AES256': VaultAES256,
|
}
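Review bot: The new `CIPHER_MAPPING` at the bottom of the file and the two hand-written whitelists at the top (`CIPHER_WHITELIST`, `CIPHER_WRITE_WHITELIST`) are now three separate lists of cipher names that must agree, and nothing in the patch checks that they do; the `except KeyError` branch added in the `VaultLib` hunk is only reachable when they drift, because the line just above it already forces any name outside `CIPHER_WRITE_WHITELIST` to `u"AES256"`. A name added to a whitelist but not to the mapping would fail only at the first vault operation, while a name added to the mapping but not to a whitelist would silently stay unusable. A one-time consistency check right after the mapping turns either mistake into an import-time error: `if frozenset(CIPHER_MAPPING) != CIPHER_WHITELIST or not CIPHER_WRITE_WHITELIST <= CIPHER_WHITELIST:` followed by `raise AnsibleError(u"vault cipher tables are out of sync")`; a `raise` is preferable to `assert`, which is dropped under `-O`. The mapping deliberately keeps the legacy `u'AES'` entry that the write whitelist excludes, presumably so existing files remain decryptable; whether the decrypt path consults the same mapping is not visible in this commit, and the `VaultLib` method modified by the middle hunk begins outside it.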
|
|