1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
Commit graph

83 commits

Author SHA1 Message Date
Eric Feliksik
946b82bef7 shred ansible-vault tmp_file. Also when editor is interruped. 2015-12-30 18:21:34 +01:00
Abhijit Menon-Sen
7caefa5cd9 Fix typo 2015-11-03 10:57:48 +05:30
Brian Coca
00bc74404a vault noe preserves permissions on edit and rekey and sets a restricitve default umask for all other cases 2015-10-31 14:13:03 -04:00
James Cammarata
86de1429e5 Cleaning up FIXMEs 2015-10-22 16:03:50 -04:00
Toshio Kuratomi
b23a083776 Make vault use a mapping of cipher name to classes instead of formatting the name for safety. 2015-10-16 10:05:27 -07:00
Toshio Kuratomi
baa309309d Bundle a new version of python-six for compatibility along with some code to make it easy for distributions to override the bunndled copy if they have a new enough version. 2015-10-16 08:21:28 -07:00
Marius Gedminas
98958ec990 Simplify join expression 2015-10-16 17:39:27 +03:00
Marius Gedminas
56184a3d8c Python 3: avoid %-formatting of byte strings
This is needed for Python 3.4 compatibility; Python 3.5 can use
`b'%s\n' bytestring` again.
2015-10-16 17:18:35 +03:00
Abhijit Menon-Sen
0bb34fd076 Make «ansible-vault view» not write plaintext to a tempfile
CLI already provides a pager() method that feeds $PAGER on stdin, so we
just feed that the plaintext from the vault file. We can also eliminate
the redundant and now-unused shell_pager_command method in VaultEditor.
2015-09-30 22:13:36 +05:30
Toshio Kuratomi
86b2982005 Merge pull request #12112 from amenonsen/vault-stdio
Implement cat-like filtering behaviour for encrypt/decrypt
2015-08-27 11:26:48 -07:00
Abhijit Menon-Sen
090cfc9e03 More helpful prompts from ansible-vault encrypt/decrypt
Now we issue a "Reading … from stdin" prompt if our input isatty(), as
gpg does. We also suppress the "x successful" confirmation message at
the end if we're part of a pipeline.

(The latter requires that we not close sys.stdout in VaultEditor, and
for symmetry we do the same for sys.stdin, though it doesn't matter in
that case.)
2015-08-27 22:04:18 +05:30
Abhijit Menon-Sen
e7eebb6954 Implement cat-like filtering behaviour for encrypt/decrypt
This allows the following invocations:

    # Interactive use, like gpg
    ansible-vault encrypt --output x

    # Non-interactive, for scripting
    echo plaintext|ansible-vault encrypt --output x

    # Separate input and output files
    ansible-vault encrypt input.yml --output output.yml

    # Existing usage (in-place encryption) unchanged
    ansible-vault encrypt inout.yml

…and the analogous cases for ansible-vault decrypt as well.

In all cases, the input and output files can be '-' to read from stdin
or write to stdout. This permits sensitive data to be encrypted and
decrypted without ever hitting disk.
2015-08-27 22:04:18 +05:30
Abhijit Menon-Sen
8fc8bf9439 Simplify VaultEditor methods
We don't need to keep creating VaultLibs everywhere, and we don't need
to keep checking for errors because VaultLib does it already.
2015-08-27 22:04:18 +05:30
Abhijit Menon-Sen
e99395f0c0 Don't create a VaultLib in each method; do it in __init__ instead 2015-08-27 22:04:18 +05:30
Abhijit Menon-Sen
159887a6c9 Remove deprecated and unused VaultAES encryption code
Now that VaultLib always decides to use AES256 to encrypt, we don't need
this broken code any more. We need to be able to decrypt this format for
a while longer, but encryption support can be safely dropped.
2015-08-27 16:54:39 +05:30
Abhijit Menon-Sen
b84053019a Make the filename the first argument to rekey_file 2015-08-26 19:54:59 +05:30
Abhijit Menon-Sen
20fd9224bb Pass the filename to the individual VaultEditor methods, not __init__
Now we don't have to recreate VaultEditor objects for each file, and so
on. It also paves the way towards specifying separate input and output
files later.
2015-08-26 19:17:37 +05:30
Abhijit Menon-Sen
a27c5741a1 Remove inaccurate outdated comment 2015-08-26 18:31:45 +05:30
Abhijit Menon-Sen
f91ad3dabe Don't pass the cipher around so much
It's unused and unnecessary; VaultLib can decide for itself what cipher
to use when encrypting. There's no need (and no provision) for the user
to override the cipher via options, so there's no need for code to see
if that has been done either.
2015-08-26 18:31:45 +05:30
Abhijit Menon-Sen
017566a2d9 Use AES256 if the cipher is not write-whitelisted 2015-08-26 18:09:21 +05:30
Abhijit Menon-Sen
47bcdf5952 Remove incorrect copy-pasted comment 2015-08-26 18:09:21 +05:30
Toshio Kuratomi
d2c948dd6a Remove decrypted vault temp_file mistakenly left from patch making vault edit idempotent
This bug was introduced in commit f8bf2ba on July 27.  Hasn't gone out
in a release yet.
2015-08-25 14:51:32 -07:00
Toshio Kuratomi
a3fd4817ef Unicode and other fixes for vault 2015-08-25 12:43:09 -07:00
Vilmos Nebehaj
58cccce384 Use PBKDF2HMAC() from cryptography for vault keys.
When stretching the key for vault files, use PBKDF2HMAC() from the
cryptography package instead of pycrypto. This will speed up the opening
of vault files by ~10x.

The problem is here in lib/ansible/utils/vault.py:

    hash_function = SHA256

    # make two keys and one iv
    pbkdf2_prf = lambda p, s: HMAC.new(p, s, hash_function).digest()

    derivedkey = PBKDF2(password, salt, dkLen=(2 * keylength) + ivlength,
                        count=10000, prf=pbkdf2_prf)

`PBKDF2()` calls a Python callback function (`pbkdf2_pr()`) 10000 times.
If one has several vault files, this will cause excessive start times
with `ansible` or `ansible-playbook` (we experience ~15 second startup
times).

Testing the original implementation in 1.9.2 with a vault file:

In [2]: %timeit v.decrypt(encrypted_data)
1 loops, best of 3: 265 ms per loop

Having a recent OpenSSL version and using the vault.py changes in this commit:

In [2]: %timeit v.decrypt(encrypted_data)
10 loops, best of 3: 23.2 ms per loop
2015-07-28 14:51:36 +02:00
Pablo Figue
f8bf2ba1bd Encrypt the vault file after editing only if the contents changed 2015-07-26 14:41:34 +05:30
Brian Coca
e4097ed279 simplified ansible errors, moved md5 hash import with notes to be more prominent 2015-07-11 14:24:00 -04:00
Toshio Kuratomi
ddac6fa9f3 Update exception handling to be python3 compat 2015-07-08 08:59:42 -07:00
Toshio Kuratomi
49e17b8ff6 Get rid of an unused import so that we don't have circular imports 2015-07-06 14:19:13 -07:00
Brian Coca
b76dbb01cc generalized prereqs check
added vaultfile class for action and lookup plugin usage
2015-06-16 09:20:15 -04:00
Toshio Kuratomi
c3caff5eeb Fix for six version 1.1.0 (rhel6). 2015-06-03 10:25:07 -07:00
Toshio Kuratomi
d8c8ca11cf Add compatibility for old version of six (present on rhel7) 2015-06-03 08:45:36 -07:00
Toshio Kuratomi
3a87b2727d Fix format strings for python2.6 2015-05-08 13:11:04 -07:00
James Cammarata
ce3ef7f4c1 Making the switch to v2 2015-05-03 21:47:26 -05:00