Diffstat (limited to 'lib/ansible/parsing/vault/__init__.py')
-rw-r--r-- | lib/ansible/parsing/vault/__init__.py | 30 |
1 files changed, 9 insertions, 21 deletions
diff --git a/lib/ansible/parsing/vault/__init__.py b/lib/ansible/parsing/vault/__init__.py
index b3b1c5a4..8ac22d4c 100644
--- a/lib/ansible/parsing/vault/__init__.py
+++ b/lib/ansible/parsing/vault/__init__.py
@@ -55,7 +55,7 @@ except ImportError:
 from ansible.errors import AnsibleError, AnsibleAssertionError
 from ansible import constants as C
 from ansible.module_utils.six import binary_type
-from ansible.module_utils.common.text.converters import to_bytes, to_text, to_native
+from ansible.module_utils._text import to_bytes, to_text, to_native
 from ansible.utils.display import Display
 from ansible.utils.path import makedirs_safe, unfrackpath
@@ -658,10 +658,7 @@ class VaultLib:
 b_vaulttext = to_bytes(vaulttext, errors='strict', encoding='utf-8')
 if self.secrets is None:
- msg = "A vault password must be specified to decrypt data"
- if filename:
- msg += " in file %s" % to_native(filename)
- raise AnsibleVaultError(msg)
+ raise AnsibleVaultError("A vault password must be specified to decrypt data")
 if not is_encrypted(b_vaulttext):
 msg = "input is not vault encrypted data. "
@@ -787,13 +784,13 @@ class VaultEditor:
 passes = 3
 with open(tmp_path, "wb") as fh:
- for dummy in range(passes):
+ for _ in range(passes):
 fh.seek(0, 0)
 # get a random chunk of data, each pass with other length
 chunk_len = random.randint(max_chunk_len // 2, max_chunk_len)
 data = os.urandom(chunk_len)
- for dummy in range(0, file_len // chunk_len):
+ for _ in range(0, file_len // chunk_len):
 fh.write(data)
 fh.write(data[:file_len % chunk_len])
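Review bot: The new import line `from ansible.module_utils._text import to_bytes, to_text, to_native` pulls the converters from an underscore-prefixed module, which the project's naming marks as non-public, while the removed `ansible.module_utils.common.text.converters` is the public home of the same three helpers. Unless this is deliberately targeting an Ansible release that predates the public module, I would keep the public path; if the compatibility is intended, a one-line comment such as `# _text kept for compatibility with Ansible < X.Y` would stop the next reader from reverting it. I cannot see from the hunk whether anything else in the file still depends on the public module.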
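Review bot: The replacement `raise AnsibleVaultError("A vault password must be specified to decrypt data")` drops the file name from the message, so when several vault files are loaded in one run the user can no longer tell which one had no matching secret. The `filename` argument appears to still be in scope (the signature of `decrypt` is outside this hunk), so the context costs nothing to keep: build the message with `msg = "A vault password must be specified to decrypt data"` and `if filename: msg += " in file %s" % to_native(filename)` before raising. The rest of `decrypt`, including the later `msg` for non-encrypted input that the context line starts, lies outside the hunk.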
@@ -1044,10 +1041,10 @@ class VaultEditor:
 since in the plaintext case, the original contents can be of any text encoding or arbitrary binary data.
- When used to write the result of vault encryption, the value of the 'data' arg
- should be a utf-8 encoded byte string and not a text type.
+ When used to write the result of vault encryption, the val of the 'data' arg
+ should be a utf-8 encoded byte string and not a text typ and not a text type..
- When used to write the result of vault decryption, the value of the 'data' arg
+ When used to write the result of vault decryption, the val of the 'data' arg
 should be a byte string and not a text type.
 :arg data: the byte string (bytes) data
@@ -1077,8 +1074,6 @@ class VaultEditor:
 output = getattr(sys.stdout, 'buffer', sys.stdout)
 output.write(b_file_data)
 else:
- if not os.access(os.path.dirname(thefile), os.W_OK):
- raise AnsibleError("Destination '%s' not writable" % (os.path.dirname(thefile)))
 # file names are insecure and prone to race conditions, so remove and create securely
 if os.path.isfile(thefile):
 if shred:
@@ -1128,7 +1123,7 @@ class VaultEditor:
 os.chown(dest, prev.st_uid, prev.st_gid)
 def _editor_shell_command(self, filename):
- env_editor = C.config.get_config_value('EDITOR')
+ env_editor = os.environ.get('EDITOR', 'vi')
 editor = shlex.split(env_editor)
 editor.append(filename)
@@ -1201,20 +1196,13 @@ class VaultAES256:
 return to_bytes(hexlify(b_hmac), errors='surrogate_or_strict'), hexlify(b_ciphertext)
 @classmethod
- def _get_salt(cls):
- custom_salt = C.config.get_config_value('VAULT_ENCRYPT_SALT')
- if not custom_salt:
- custom_salt = os.urandom(32)
- return to_bytes(custom_salt)
-
- @classmethod
 def encrypt(cls, b_plaintext, secret, salt=None):
 if secret is None:
 raise AnsibleVaultError('The secret passed to encrypt() was None')
 if salt is None:
- b_salt = cls._get_salt()
+ b_salt = os.urandom(32)
 elif not salt:
 raise AnsibleVaultError('Empty or invalid salt passed to encrypt()')
 else:
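Review bot: The rewritten docstring lines in the first hunk introduce typos: `val` should read `value` in both the encryption and decryption sentences, and `not a text typ and not a text type..` repeats the phrase and ends in a double period. Proposed wording: `When used to write the result of vault encryption, the value of the 'data' arg` followed by `should be a utf-8 encoded byte string and not a text type.`, and `the value of the 'data' arg` in the decryption sentence. The method this docstring belongs to starts and ends outside the hunk.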
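Review bot: Dropping the `os.access(os.path.dirname(thefile), os.W_OK)` guard in the `@@ -1077` hunk means an unwritable destination directory is no longer detected before the existing file is touched; the context lines that follow remove `thefile` (shredding it first when `shred` is set), and the re-create that presumably follows is outside the hunk. Overwriting an existing file needs write permission on the file, while unlinking and creating need it on the directory, so with an unwritable directory the shred can succeed and the removal and re-create then fail, leaving the original contents destroyed with nothing written in their place. The removed check was only a pre-check (the comment on the next context line already calls the name-based sequence race-prone), but it was the one thing turning that case into a clean `AnsibleError` rather than data loss; I would keep it, or write the new content to a temp file in the same directory and rename it over the old one so the original survives any failure. The body of this method continues outside the hunk.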
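Review bot: `env_editor = os.environ.get('EDITOR', 'vi')` in `_editor_shell_command` reads the raw environment and bypasses the config manager, so an `EDITOR` value set in Ansible's own configuration is silently ignored here even though the file still imports `constants as C` (visible in the first hunk's context). The value is passed to `shlex.split` and then, presumably, executed with the decrypted file on its command line (the exec is outside this hunk), so which source wins decides what program sees the plaintext; that is worth a single documented source of truth rather than two that can disagree. I would keep `env_editor = C.config.get_config_value('EDITOR')`, or, if the dependency on the config layer is being removed on purpose, say so in a comment and make sure no other reader of that setting remains.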