ansible-vault 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/README.md +11 -1
- data/lib/ansible/vault.rb +46 -10
- data/lib/ansible/vault/error.rb +1 -0
- data/lib/ansible/vault/file_reader.rb +14 -1
- data/lib/ansible/vault/file_writer.rb +1 -4
- data/lib/ansible/vault/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1561653af6b72805f9ee3b499283f31ebe7707b1
|
|
4
|
+
data.tar.gz: 5825d44806493f47c5d65c5b7861e90a498288cb
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a7b7efd82f58ffd4787e01a0abb89be74b61d5442d7a8a754f0fc4217915dc4b3d00879b5c8658b5e466fedcdec5473275d6e4bb0300dfd6759974a1343b1ae8
|
|
7
|
+
data.tar.gz: 08aab745f2914dcde6eda24c5f713d6c7577512c8758248d93cdd0a95ae89126bfa96aa9e2a47ff25c00cdcb952abd0d4c2559207627734fea9153ed4bccd046
|
data/CHANGELOG.md
ADDED
data/README.md
CHANGED
|
@@ -68,8 +68,18 @@ release a new version, update the version number in `version.rb`, and then run
|
|
|
68
68
|
git commits and tags, and push the `.gem` file to
|
|
69
69
|
[rubygems.org](https://rubygems.org).
|
|
70
70
|
|
|
71
|
+
|
|
71
72
|
## Contributing
|
|
72
73
|
|
|
73
74
|
Bug reports and pull requests are welcome on GitHub at
|
|
74
|
-
https://github.com/tpickett66/ansible-vault-rb.
|
|
75
|
+
https://github.com/tpickett66/ansible-vault-rb. This project is intended to be
|
|
76
|
+
a safe, welcoming space for collaboration, and contributors are expected to
|
|
77
|
+
adhere to the [Contributor Covenant](http://contributor-covenant.org) code of
|
|
78
|
+
conduct.
|
|
79
|
+
|
|
80
|
+
|
|
81
|
+
## License
|
|
82
|
+
|
|
83
|
+
The gem is available as open source under the terms of the
|
|
84
|
+
[MIT License](http://opensource.org/licenses/MIT).
|
|
75
85
|
|
data/lib/ansible/vault.rb
CHANGED
|
@@ -10,34 +10,56 @@ require 'ansible/vault/version'
|
|
|
10
10
|
module Ansible
|
|
11
11
|
# The top level class for interacting with Vault files.
|
|
12
12
|
class Vault
|
|
13
|
-
#
|
|
13
|
+
# The standard header for Ansible's current vault format
|
|
14
|
+
FILE_HEADER = "$ANSIBLE_VAULT;1.1;AES256".freeze
|
|
15
|
+
|
|
16
|
+
# Indicate if the file at the supplied path appeard to be encrypted by
|
|
17
|
+
# Ansible Vault
|
|
18
|
+
#
|
|
19
|
+
# @param path [String, Pathname]
|
|
20
|
+
def self.encrypted?(path)
|
|
21
|
+
FileReader.new(path.to_s).encrypted?
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
# Read and decrypt, if necessary, the contents of a vault
|
|
25
|
+
#
|
|
26
|
+
# If the file does not appear to be encrypted the file is simply read.
|
|
14
27
|
#
|
|
15
|
-
# @param path [String] The path to the file to read
|
|
28
|
+
# @param path [String, Pathname] The path to the file to read
|
|
16
29
|
# @param password [String] The password for the file
|
|
30
|
+
# @param options [Hash] Additional options, see {#initialize} for details
|
|
17
31
|
# @return [String] The plaintext contents of the vault, this is marked for
|
|
18
32
|
# zeroing before the GC reaps the object. Any data extracted/parsed from
|
|
19
33
|
# this string should be similarly wiped from memory when no longer used.
|
|
20
|
-
def self.read(path:, password
|
|
21
|
-
new(path: path, password: password).read
|
|
34
|
+
def self.read(path:, password:, **options)
|
|
35
|
+
new(path: path, password: password, **options).read
|
|
22
36
|
end
|
|
23
37
|
|
|
24
38
|
# Encrypt plaintext using the supplied and write it to the specified location
|
|
25
39
|
#
|
|
26
|
-
# @param path [String] The path to the file to write, truncated
|
|
40
|
+
# @param path [String, Pathname] The path to the file to write, truncated
|
|
41
|
+
# before writing
|
|
27
42
|
# @param password [String] The password for the file
|
|
28
43
|
# @param plaintext [String] The secrets to be protected
|
|
44
|
+
# @param options [Hash] Additional options, see {#initialize} for details
|
|
29
45
|
# @return [File] The closed file handle the vault was written to
|
|
30
|
-
def self.write(path:, password:, plaintext
|
|
31
|
-
new(path: path, password: password, plaintext: plaintext).write
|
|
46
|
+
def self.write(path:, password:, plaintext:, **options)
|
|
47
|
+
new(path: path, password: password, plaintext: plaintext, **options).write
|
|
32
48
|
end
|
|
33
49
|
|
|
34
50
|
# Build a new Vault
|
|
35
51
|
#
|
|
36
|
-
# @param path [String] The path to the file to read
|
|
52
|
+
# @param path [String, Pathname] The path to the file to read
|
|
37
53
|
# @param password [String] The password for the file
|
|
38
|
-
|
|
54
|
+
# @param options [Hash] Additional options
|
|
55
|
+
# @param plaintext [String] The plaintext of the file to be written when
|
|
56
|
+
# encrypting
|
|
57
|
+
# @option options [Boolean] :allow_blank_password Allow nil and empty string
|
|
58
|
+
# passwords, defaults to false.
|
|
59
|
+
def initialize(path:, password:, plaintext: :none, **options)
|
|
60
|
+
@path = path.to_s
|
|
39
61
|
@path = path
|
|
40
|
-
@password = password.shred_later
|
|
62
|
+
@password = validate_password(password, options).shred_later
|
|
41
63
|
@plaintext = plaintext
|
|
42
64
|
@plaintext.shred_later if String === @plaintext
|
|
43
65
|
end
|
|
@@ -64,13 +86,27 @@ module Ansible
|
|
|
64
86
|
|
|
65
87
|
# Extract the plaintext from a previously written vault file
|
|
66
88
|
#
|
|
89
|
+
# If the file does not appear to be encrypted the raw contents will be
|
|
90
|
+
# returned.
|
|
91
|
+
#
|
|
67
92
|
# @return [String] The plaintext contents of the vault, this is marked for
|
|
68
93
|
# zeroing before the GC reaps the object. Any data extracted/parsed from
|
|
69
94
|
# this string should be similarly wiped from memory when no longer used.
|
|
70
95
|
def read
|
|
71
96
|
file = FileReader.new(@path)
|
|
97
|
+
return File.read(@path) unless file.encrypted?
|
|
72
98
|
decryptor = Decryptor.new(password: @password, file: file)
|
|
73
99
|
decryptor.plaintext
|
|
74
100
|
end
|
|
101
|
+
|
|
102
|
+
private
|
|
103
|
+
|
|
104
|
+
def validate_password(password, options)
|
|
105
|
+
if !options[:allow_blank_password] && (password.nil? || password.strip.empty?)
|
|
106
|
+
raise BlankPassword, 'A nil or empty string password was supplied!' \
|
|
107
|
+
'If this is expected set the allow_blank_password option.'
|
|
108
|
+
end
|
|
109
|
+
password or ''
|
|
110
|
+
end
|
|
75
111
|
end
|
|
76
112
|
end
|
data/lib/ansible/vault/error.rb
CHANGED
|
@@ -46,10 +46,23 @@ module Ansible
|
|
|
46
46
|
@salt
|
|
47
47
|
end
|
|
48
48
|
|
|
49
|
+
# Indicates if the file is in the encrypted format or not
|
|
50
|
+
#
|
|
51
|
+
# @return [Boolean]
|
|
52
|
+
def encrypted?
|
|
53
|
+
decode_body unless defined?(@salt)
|
|
54
|
+
# The header not matching is a dead giveaway that the file isn't what
|
|
55
|
+
# we're expecting. That, however, probably isn't enough so we'll check
|
|
56
|
+
# the HMAC for presence and length since it's very unlikely that
|
|
57
|
+
# decoding the file body will result in multiple chunks AND the second
|
|
58
|
+
# one being the correct length for a SHA256 HMAC.
|
|
59
|
+
@header == FILE_HEADER && !@hmac.nil? && @hmac.bytesize == 64
|
|
60
|
+
end
|
|
61
|
+
|
|
49
62
|
private
|
|
50
63
|
|
|
51
64
|
def decode_body
|
|
52
|
-
salt, @hmac, ciphertext = BinASCII.unhexlify(@body).split("\n")
|
|
65
|
+
salt, @hmac, ciphertext = BinASCII.unhexlify(@body).split("\n", 3)
|
|
53
66
|
@ciphertext = BinASCII.unhexlify(ciphertext)
|
|
54
67
|
@salt = BinASCII.unhexlify(salt)
|
|
55
68
|
end
|
|
@@ -16,9 +16,6 @@ module Ansible
|
|
|
16
16
|
attr_reader :path
|
|
17
17
|
attr_accessor :ciphertext, :hmac, :salt
|
|
18
18
|
|
|
19
|
-
# The standard header for Ansible's current vault format
|
|
20
|
-
HEADER = "$ANSIBLE_VAULT;1.1;AES256\n".freeze
|
|
21
|
-
|
|
22
19
|
# Construct a new FileWriter
|
|
23
20
|
#
|
|
24
21
|
# @param [String] path The path to write the file out to.
|
|
@@ -31,7 +28,7 @@ module Ansible
|
|
|
31
28
|
# @return [File] The closed file handle used to write the data out.
|
|
32
29
|
def write
|
|
33
30
|
File.open(path, 'w') { |file|
|
|
34
|
-
file.write(
|
|
31
|
+
file.write(FILE_HEADER + "\n")
|
|
35
32
|
file.write(encoded_body)
|
|
36
33
|
}
|
|
37
34
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ansible-vault
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tyler Pickett
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-04-
|
|
11
|
+
date: 2016-04-21 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: oroku_saki
|
|
@@ -119,6 +119,7 @@ files:
|
|
|
119
119
|
- ".gitignore"
|
|
120
120
|
- ".rspec"
|
|
121
121
|
- ".travis.yml"
|
|
122
|
+
- CHANGELOG.md
|
|
122
123
|
- CODE_OF_CONDUCT.md
|
|
123
124
|
- Gemfile
|
|
124
125
|
- Guardfile
|