ansible-vars 1.0.10__tar.gz → 1.0.11__tar.gz

{ansible_vars-1.0.10 → ansible_vars-1.0.11}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ansible-vars
-Version: 1.0.10
+Version: 1.0.11
 Summary: Manage vaults and variable files for Ansible
 Project-URL: Homepage, https://github.com/xorwow/ansible-vars
 Project-URL: Issues, https://github.com/xorwow/ansible-vars/issues
@@ -107,7 +107,7 @@ You can disable automatic key detection by flagging `--no-encrypt-keys|-D`. Use
 
 #### Encryption salts
 
-Each time you edit a vault or otherwise encrypt a value, a randomly generated salt is used so even identical plain values will result in unique ciphers. However, this also means that each time a single encrypted variable is edited, all other ciphers in the vault will change as well. You can avoid this by passing a fixed salt via `--fixed-salt|-S <salt>`. Note that it should be at least 32 characters long and sufficiently random for Ansible's AES-256 encryption, and that you won't benefit from unique ciphers for identical plaintexts anymore.
+Each time you edit a vault or otherwise encrypt a value, a randomly generated salt is used so even identical plain values will result in unique ciphers. However, this also means that each time a single encrypted variable is edited, all other ciphers in the vault will change as well. You can avoid this by passing a fixed salt via `--fixed-salt|-S <salt>` or the environment. Note that it should be at least 32 characters long and sufficiently random for Ansible's AES-256 encryption, and that you won't benefit from unique ciphers for identical plaintexts anymore.
 
 ### Diff logging
 
@@ -123,7 +123,7 @@ As you cannot mix different encryption keys and/or plain logging in the same log
 # Create the variable file `./host_vars/my_host/main.yml` without full encryption and open it for editing
 ansible-vars create --make-parents --plain host_vars/my_host/main.yml
 # Short version (see `Tips` section to learn about vault search paths)
-ansible-vars create -mp h:my_host
+ansible-vars create -mp h:my_host/
 
 # Decrypt the vault file `./config/logging.yml` in-place
 ansible-vars decrypt file config/logging.yml
@@ -146,6 +146,7 @@ ansible-vars get --json g:database_hosts 'my_key' '[4]' '133'
 - When a command supports a `--json` flag, the command's help (`ansible-vars <command> -h`) will define the returned structure.
 - The directories `host_vars`, `group_vars`, and `vars` are common vault locations. When in their parent directory, you can use the prefixes `h:`, `g:`, and `v:` in any vault path you specify, followed by a path relative to them. Wherever a directory is not expected as a path, supplying a directory path will also append a `main.yml` to the path automatically. In summary, this lets you type `h:my_host` when you actually mean `./host_vars/my_host/main.yml`. Shell completion for these prefixed paths is provided.
     - These three directories are also default sources for the `file-daemon` command.
+    - For vault creation with the `--make-parents` flag, a path like `h:my_host` would be ambiguous as to the expanded path being `./host_vars/my_host` or `./host_vars/my_host/main.yml`, since the directory does not exist yet. `ansible-vars` will assume the first case, unless you end your search path with a / like `h:my_host/`.
 - When referencing vault traversal keys, you can specify numbers to access lists and number-indexed dictionaries. However, just specifying `2` as a key segment will resolve into the string `'2'`. Instead, you should write `[2]` to mark it as a number index. If you need to specify the string `'[2]'` for some reason, you can escape it by adding another set of brackets (and so on).
 
 ### Commands
@@ -200,15 +201,15 @@ Compares two vaults or variable files and prints a tree structure showing differ
 
 #### file-daemon
 
-Starts a daemon which mirrors the decrypted contents of one or multiple vault or variable file(s)/directories to a target directory. By default, this includes the directories `./host_vars`, `./group_vars`, and `./vars`. Changes to the source files are reflected in the decrypted targets. Changes to the target files are ignored. For added security, consider syncing the files to a mounted ramdisk.
+Starts a daemon which mirrors the decrypted contents of one or multiple vault or variable files/directories to a target directory. By default, this includes the directories `./host_vars`, `./group_vars`, and `./vars`. Changes to the source files are reflected in the decrypted targets. Changes to the target files are ignored. For added security, consider syncing the files to a mounted ramdisk.
 
 #### get
 
-Displays the (decrypted) value of a specified key in a vault or variable file. Supports dictionary and list traversal, and JSON output.
+Displays the (optionally recursively decrypted) value of a specified key in a vault or variable file. Supports dictionary and list traversal, and JSON output.
 
 #### set, del (experimental)
 
-Creates, updates, or deletes a key-value pair from a vault or variable file. When setting a value, you may provide a YAML string which will be parsed into the corresponding objects. Note that these are experimental features, as the current parser has difficulty preserving the metadata for programmatic variable changes. Comments and Jinja2 blocks between the affected key and the next key in the file may be lost.
+Creates, updates, or deletes a key-value pair from a vault or variable file. When setting a value, you may provide a YAML string which will be parsed into the corresponding objects. When the `--encrypt` flag is set, the object's leaf string values will be encrypted. Note that these are experimental features, as the current parser has difficulty preserving the metadata for programmatic variable changes. Comments and Jinja2 blocks between the affected key and the next key in the file may be lost.
 
 ### Environment variables
 
@@ -276,6 +277,7 @@ When editing a file or creating a daemon, decrypted vaults are written to disk t
     - Ansible only directly supports encrypted string values (although you can work around this with the `from_yaml` filter).
     - Ansible-encrypted strings must include a newline between the envelope and the cipher.
     - Ansible vault and variable file roots must be a dictionary.
+        - Due to parsing limitations in `ansible-vars`, a file with explicit JSON style '{}' as the outermost level is currently not supported.
 - `grep` command:
     - Will ignore files which cannot be parsed as an Ansible YAML file.
 - `file-daemon` command:

{ansible_vars-1.0.10 → ansible_vars-1.0.11}/README.md

@@ -85,7 +85,7 @@ You can disable automatic key detection by flagging `--no-encrypt-keys|-D`. Use
 
 #### Encryption salts
 
-Each time you edit a vault or otherwise encrypt a value, a randomly generated salt is used so even identical plain values will result in unique ciphers. However, this also means that each time a single encrypted variable is edited, all other ciphers in the vault will change as well. You can avoid this by passing a fixed salt via `--fixed-salt|-S <salt>`. Note that it should be at least 32 characters long and sufficiently random for Ansible's AES-256 encryption, and that you won't benefit from unique ciphers for identical plaintexts anymore.
+Each time you edit a vault or otherwise encrypt a value, a randomly generated salt is used so even identical plain values will result in unique ciphers. However, this also means that each time a single encrypted variable is edited, all other ciphers in the vault will change as well. You can avoid this by passing a fixed salt via `--fixed-salt|-S <salt>` or the environment. Note that it should be at least 32 characters long and sufficiently random for Ansible's AES-256 encryption, and that you won't benefit from unique ciphers for identical plaintexts anymore.
 
 ### Diff logging
 
@@ -101,7 +101,7 @@ As you cannot mix different encryption keys and/or plain logging in the same log
 # Create the variable file `./host_vars/my_host/main.yml` without full encryption and open it for editing
 ansible-vars create --make-parents --plain host_vars/my_host/main.yml
 # Short version (see `Tips` section to learn about vault search paths)
-ansible-vars create -mp h:my_host
+ansible-vars create -mp h:my_host/
 
 # Decrypt the vault file `./config/logging.yml` in-place
 ansible-vars decrypt file config/logging.yml
@@ -124,6 +124,7 @@ ansible-vars get --json g:database_hosts 'my_key' '[4]' '133'
 - When a command supports a `--json` flag, the command's help (`ansible-vars <command> -h`) will define the returned structure.
 - The directories `host_vars`, `group_vars`, and `vars` are common vault locations. When in their parent directory, you can use the prefixes `h:`, `g:`, and `v:` in any vault path you specify, followed by a path relative to them. Wherever a directory is not expected as a path, supplying a directory path will also append a `main.yml` to the path automatically. In summary, this lets you type `h:my_host` when you actually mean `./host_vars/my_host/main.yml`. Shell completion for these prefixed paths is provided.
     - These three directories are also default sources for the `file-daemon` command.
+    - For vault creation with the `--make-parents` flag, a path like `h:my_host` would be ambiguous as to the expanded path being `./host_vars/my_host` or `./host_vars/my_host/main.yml`, since the directory does not exist yet. `ansible-vars` will assume the first case, unless you end your search path with a / like `h:my_host/`.
 - When referencing vault traversal keys, you can specify numbers to access lists and number-indexed dictionaries. However, just specifying `2` as a key segment will resolve into the string `'2'`. Instead, you should write `[2]` to mark it as a number index. If you need to specify the string `'[2]'` for some reason, you can escape it by adding another set of brackets (and so on).
 
 ### Commands
@@ -178,15 +179,15 @@ Compares two vaults or variable files and prints a tree structure showing differ
 
 #### file-daemon
 
-Starts a daemon which mirrors the decrypted contents of one or multiple vault or variable file(s)/directories to a target directory. By default, this includes the directories `./host_vars`, `./group_vars`, and `./vars`. Changes to the source files are reflected in the decrypted targets. Changes to the target files are ignored. For added security, consider syncing the files to a mounted ramdisk.
+Starts a daemon which mirrors the decrypted contents of one or multiple vault or variable files/directories to a target directory. By default, this includes the directories `./host_vars`, `./group_vars`, and `./vars`. Changes to the source files are reflected in the decrypted targets. Changes to the target files are ignored. For added security, consider syncing the files to a mounted ramdisk.
 
 #### get
 
-Displays the (decrypted) value of a specified key in a vault or variable file. Supports dictionary and list traversal, and JSON output.
+Displays the (optionally recursively decrypted) value of a specified key in a vault or variable file. Supports dictionary and list traversal, and JSON output.
 
 #### set, del (experimental)
 
-Creates, updates, or deletes a key-value pair from a vault or variable file. When setting a value, you may provide a YAML string which will be parsed into the corresponding objects. Note that these are experimental features, as the current parser has difficulty preserving the metadata for programmatic variable changes. Comments and Jinja2 blocks between the affected key and the next key in the file may be lost.
+Creates, updates, or deletes a key-value pair from a vault or variable file. When setting a value, you may provide a YAML string which will be parsed into the corresponding objects. When the `--encrypt` flag is set, the object's leaf string values will be encrypted. Note that these are experimental features, as the current parser has difficulty preserving the metadata for programmatic variable changes. Comments and Jinja2 blocks between the affected key and the next key in the file may be lost.
 
 ### Environment variables
 
@@ -254,6 +255,7 @@ When editing a file or creating a daemon, decrypted vaults are written to disk t
     - Ansible only directly supports encrypted string values (although you can work around this with the `from_yaml` filter).
     - Ansible-encrypted strings must include a newline between the envelope and the cipher.
     - Ansible vault and variable file roots must be a dictionary.
+        - Due to parsing limitations in `ansible-vars`, a file with explicit JSON style '{}' as the outermost level is currently not supported.
 - `grep` command:
     - Will ignore files which cannot be parsed as an Ansible YAML file.
 - `file-daemon` command:

{ansible_vars-1.0.10 → ansible_vars-1.0.11}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "ansible-vars"
-version = "1.0.10"
+version = "1.0.11"
 authors = [
   { name="xorwow", email="pip@xorwow.de" },
 ]

{ansible_vars-1.0.10 → ansible_vars-1.0.11}/src/ansible_vars/cli.py

@@ -72,8 +72,9 @@ tips:
 - When a command asks for a vault file path it actually accepts multiple kinds of search path:
   - You can specify a full or relative path to a vault file just as usual. This path will always be tried first.
   - If you specify `h:<path>`, `g:<path>`, or `v:<path>`, it looks in `./host_vars`, `./group_vars`, or `./vars`, respectively.
-  - If a resolved path is a directory instead of a file, it looks for a `main.yml` in that directory.
+  - If a resolved path is a directory instead of a file, it looks for or creates a `main.yml` in that directory.
   - For example, to open the file `/ansible/host_vars/my_host/main.yml`, you may run the command in `/ansible` and specify `h:my_host`.
+  - For vault creation with the `--make-parents` flag, `<path>` will create the file `<path>`, while `<path>/` will create `<path>/main.yml`.
 - Data keys are split into segments (e.g. `root['my_key'][0]` would become `'my_key', 0`) for easier parsing.
     - When specifying a key segment which is a number (e.g. a list index), surround it in brackets (`[2]`) to differentiate it from a string.
     - If you need to actually use the string `[2]`, add a set of brackets to escape it (`[[2]]` -> `'[2]'`, `[[[2]]]` -> `'[[2]]'`, ...).
@@ -182,14 +183,14 @@ The sync works as long as the command is running, after which the target root di
 ''',
     'cmd_get': '''
 Looks up the value of a key in a vault and displays it if it exists.
-If the key resolves to a leaf value, the value is decrypted and displayed.
+If the key resolves to a leaf value, the value is recursively decrypted and displayed.
 For a list or dictionary, the full YAML code is printed, but child values are not automatically decrypted.
 
 JSON mode formatting:
 - [ ... ] or { ... } for lists/dictionaries, "<value>" for strings, <value> for numbers
 ''',
     'cmd_set': '''
-Creates or updates a node in a vault with a YAML value, optionally encrypting the value first using the configured encryption key.
+Creates or updates a node in a vault with a YAML value, optionally encrypting the value('s string leaves) first using the configured encryption key.
 For creating a new list entry, the last specified key segment has to equal the largest index of the list plus one (e.g. `[5]` for a list of length 5).
 The value is interpreted as YAML code.
 
@@ -410,7 +411,7 @@ cmd_daemon.add_argument('--no-default-dirs', '-N', action='store_false', dest='i
 cmd_daemon.add_argument('--force', '-f', action='store_true', help='if the target root already exists and is not empty, delete its contents')
 
 cmd_get = commands.add_parser(
-    'get', help='get a key\'s (decrypted) value if it exists', description=HELP['cmd_get'],
+    'get', help='get a key\'s (recursively decrypted) value if it exists', description=HELP['cmd_get'],
     formatter_class=RawDescriptionHelpFormatter
 )
 cmd_get.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to get value from') \
@@ -429,7 +430,7 @@ cmd_set.add_argument('vault_path', type=str, metavar='<vault path>', help='path
     .completer = _prefixed_path_completer # type: ignore
 cmd_set.add_argument('value', type=str, metavar='<value>', help='value to set (will be loaded as YAML)')
 cmd_set.add_argument('key_segments', type=str, nargs='+', metavar='<key segment> [<key segment> ...]', help='segment(s) of the key to look up (`[<num>]` for numbers)')
-cmd_set.add_argument('--encrypt', '-e', action='store_true', dest='encrypt_value', help='encrypt the value if it is\'t encrypted yet')
+cmd_set.add_argument('--encrypt', '-e', action='store_true', dest='encrypt_value', help='recursively encrypt the value(\'s leaves) if it is\'t encrypted yet')
 
 cmd_del = commands.add_parser(
     'del', help='delete a key and its value if they exist (experimental!)', description=HELP['cmd_del'],
@@ -548,7 +549,8 @@ def resolve_vault_path(search_path: str, create_mode: bool = False, allow_dirs:
     - As an absolute path or a relative path from the PWD
     - As a relative path with prefix `h:` / `g:` / `v:` to be treated as a subpath into `./host_vars` / `./group_vars` / `./vars`
     - If the path is expected to be a file and the previous steps found a directory, append a `main.yml` to that path
-    If `create_mode` is set to True (i.e. the searched file doesn't exist yet), we test for option 2 first, then option 1 and option 3.
+    If `create_mode` is set to True (i.e. the searched file doesn't exist yet), we test for case 2 first, then cases 1 and 3.
+    Setting `create_mode` will also treat a path ending in a / as a folder to create a `main.yml` in.
     '''
     # Try the path as-is first
     abspath: str = os.path.abspath(search_path)
@@ -560,7 +562,7 @@ def resolve_vault_path(search_path: str, create_mode: bool = False, allow_dirs:
             if len(search_path) > 2:
                 abspath = os.path.join(abspath, search_path[2:].lstrip(os.path.sep))
     # Check for main.yml in directory
-    if not allow_dirs and os.path.isdir(abspath):
+    if (not allow_dirs and os.path.isdir(abspath)) or (create_mode and search_path.endswith('/')):
         abspath = os.path.join(abspath, 'main.yml')
     # Debug output
     debug(f"Resolved path { search_path } to { abspath }")
@@ -649,6 +651,8 @@ if config.command in [ 'create', 'edit' ]:
     if config.command == 'create':
         if config.make_parents:
             os.makedirs(os.path.dirname(vault_path), mode=0o700, exist_ok=True)
+            if not vault_path.endswith('.yml'):
+                print(f"Treating path as a file, append a / to create a directory containing a main.yml instead", Color.MEH)
         vault = VaultFile.create(vault_path, full_encryption=config.encrypt_vault, permissions=0o600, keyring=keyring)
         print(f"Created { 'encrypted' if vault.full_encryption else 'plain' } vault at { vault_path }", Color.GOOD)
     else:
@@ -1168,6 +1172,8 @@ if config.command in [ 'get', 'set', 'del' ]:
             # Set command
             if config.command == 'set':
                 value: Any = yaml.safe_load(config.value)
+                if type(value) is not str and config.encrypt_value:
+                    print('Only plain string leaves will be encrypted, not the entire object.', Color.MEH)
                 vault.set(key, value, overwrite=True, create_parents=True, encrypt=config.encrypt_value)
                 vault.save()
                 print('Value has been set.\n', Color.GOOD)

{ansible_vars-1.0.10 → ansible_vars-1.0.11}/src/ansible_vars/constants.py

@@ -39,7 +39,7 @@ ENCRYPTED_VAR_TAG: str = u'!enc'
 # Will be searched for and removed on re-parsing
 EDIT_MODE_HEADER: str = f"""
 #~ DO NOT EDIT THIS HEADER
-#~ Variables which should be encrypted are formatted like '{ ENCRYPTED_VAR_TAG } <value>'.
+#~ Variables which should be encrypted are formatted as '{ ENCRYPTED_VAR_TAG } <value>'.
 #~ Do not remove this prefix unless you want to convert them to plain variables.
 #~ Add the prefix to any string variable you want to be encrypted.
 

{ansible_vars-1.0.10 → ansible_vars-1.0.11}/src/ansible_vars/vault.py

@@ -4,8 +4,7 @@
 import os, re, json
 from io import StringIO
 from functools import reduce
-from typing import Type, Hashable, Callable, Any
-from types import MappingProxyType
+from typing import Type, Hashable, Callable, Any, cast
 from difflib import unified_diff
 
 # External library imports
@@ -26,6 +25,7 @@ class EncryptedVar():
     The content should be a str, as Ansible does not directly support other data types in encrypted variables.
     As this class has no `VaultKeyring` access, decryption must be performed externally.
     Note that comparing `EncryptedVar` objects by their `cipher`s usually does not work, as Ansible ciphers contain a random salt.
+    This class should be treated as static. Do not change its values, replace it instead.
     '''
 
     def __init__(self, cipher: str, name: str | None = None) -> None:
@@ -54,7 +54,10 @@ class EncryptedVar():
         return EncryptedVar(cipher, name=node.id)
 
 class ProtoEncryptedVar():
-    '''A variable marked to be encrypted in a `Vault` editable.'''
+    '''
+    A variable marked to be encrypted in a `Vault` editable.
+    This class should be treated as static. Do not change its values, replace it instead.
+    '''
 
     def __init__(self, plaintext: str, name: str) -> None:
         '''Initialize a plaintext value marked for encryption with a name for internal representation.'''
@@ -198,21 +201,9 @@ class Vault():
     DictPath = Hashable | tuple[Hashable, ...]
 
     @property
-    def decrypted_vars(self) -> MappingProxyType:
-        '''
-        A read-only dictionary of the vault's variables, with any EncryptedVars already decrypted.
-        Note that the state is frozen whenever you access this property, and not updated when the vault changes.
-        '''
-        copy: dict = Vault._copy_data(self._data)
-        copy.pop(SENTINEL_KEY, None)
-        def _traverse_and_decrypt(root: Any) -> Any:
-            if isinstance(root, dict):
-                return { k: _traverse_and_decrypt(v) for k, v in root.items() }
-            elif isinstance(root, list):
-                return [ _traverse_and_decrypt(v) for v in root ]
-            else:
-                return self.keyring.decrypt(root.cipher) if type(root) is EncryptedVar else root
-        return MappingProxyType(_traverse_and_decrypt(copy))
+    def decrypted_vars(self) -> dict:
+        '''A copy of the vault's variables, with any EncryptedVars already decrypted.'''
+        return self._decrypted_copy(remove_sentinel=True) # might not have correct YAML metadata, but the values are okay
 
     def has(self, path: DictPath) -> bool:
         '''Checks if the given key path is present in the vault's data.'''
@@ -222,23 +213,24 @@ class Vault():
 
     def get(
             self, path: DictPath, default: Any | Type[ThrowError] = ThrowError,
-            decrypt: bool = False, with_index: bool = False
+            decrypt: bool = False, with_index: bool = False, copy: bool = False
         ) -> Any | tuple[int, Any]:
         '''
-        Retrieves a value from the vault's variables by its key path, optionally decrypting it (but not its children).
+        Retrieves a value from the vault's variables by its key path, optionally decrypting it recursively.
         When `default` is set to `ThrowError`, a `KeyError` will be raised if the path does not exist.
         Else, the default value is returned if the path does not exist.
-        When `with_index` is set to True, a tuple `(index_in_parent, value)` is returned (-1 if defaulted).
+        When `with_index` is set to True, a tuple `(index_in_parent, value)` is returned (index is -1 if defaulted).
+        When `copy` or `decrypt` is set to True, a deep copy of the value will be returned.
         '''
         path = Vault._to_path(path)
         try:
-            value: Any = self._traverse(path, decrypt=decrypt)
+            value: Any = self._traverse(path, decrypt=decrypt, copy=copy)
             if with_index:
-                parent: Indexable = self._traverse(path[:-1], decrypt=False)
+                parent: Indexable = self._data if not path else self._traverse(path[:-1], decrypt=False)
                 if isinstance(parent, dict):
                     key_index: int = next(index for index, key in enumerate(parent) if key == path[-1])
                 else:
-                    key_index: int = path[-1] # type: ignore
+                    key_index = cast(int, path[-1])
                 return (key_index, value)
             return value
         except:
@@ -267,19 +259,22 @@ class Vault():
           - `True`: Create any nested dictionaries needed to traverse to the last key
           - `False`: Abort silently if any but the last key in the path do not exist, returning False
           - `ThrowError`: Raise a KeyError if any but the last key in the path do not exist
-        - `encrypt`: Controls if the value should be encrypted before storing it (value has to be a str)
-          - `True`: Attempt to convert the value into an `EncryptedVar` before storing it
+        - `encrypt`: Controls if the value should be recursively encrypted before storing it (only plain `str`s get encrypted)
+          - `True`: Attempt to copy and convert the value('s leaf values) into an `EncryptedVar` before storing it
           - `False`: Store the value as-is
         '''
         path = Vault._to_path(path)
-        # Convert value to EncryptedVar if neccessary
-        if encrypt and type(value) is not EncryptedVar:
-            if type(value) is not str:
-                raise TypeError(f"Ansible only supports encrypted str values, got { type(value) } for { '.'.join(map(str, path)) }")
-            if VaultKey.is_encrypted(value):
-                value = EncryptedVar(value, name=str(path[-1]))
-            else:
-                value = EncryptedVar(self.keyring.encrypt(value), name=str(path[-1]))
+        # Encrypt value if necessary
+        if encrypt:
+            value = Vault._copy_data(value)
+            def _encrypt_leaf(_: tuple[Hashable, ...], _value: Any) -> Any:
+                '''Transforms strings into `EncryptedVar`s.'''
+                if type(_value) is not str:
+                    return _value
+                if VaultKey.is_encrypted(_value):
+                    return EncryptedVar(_value, name=str(path[-1]))
+                return EncryptedVar(self.keyring.encrypt(_value), name=str(path[-1]))
+            Vault._transform_leaves(value, _encrypt_leaf, tuple()) if isinstance(value, dict | list) else _encrypt_leaf(tuple(), value)
         # Resolve chain and create parents if necessary, then set value for last item
         parent: Any = self._data
         par_path: str = ''
@@ -292,7 +287,7 @@ class Vault():
             if isinstance(parent, list) and type(segment) is not int:
                 raise TypeError(f"Type of list index has to be int, got { type(segment) } ({ par_path }[{ segment }])")
             # Check if the current segment has to be created in the parent
-            if (isinstance(parent, dict) and segment not in parent) or (isinstance(parent, list) and segment >= len(parent)): # type: ignore
+            if (isinstance(parent, dict) and segment not in parent) or (isinstance(parent, list) and cast(int, segment) >= len(parent)):
                 if not is_last:
                     if create_parents is ThrowError:
                         raise KeyError(f"Parents of { '.'.join(map(str, path)) } could not be resolved ({ segment } not in { par_path })")
@@ -467,18 +462,32 @@ class Vault():
             new_parent.ca.items[new_path[-1]] = old_parent.ca.items.pop(old_path[-1])
     """
 
-    def _traverse(self, path: DictPath, decrypt: bool = False) -> Any:
-        '''Gets the value of the specified key path from the `Vault`'s `_data`, optionally decrypting it.'''
-        path = Vault._to_path(path)
+    def _traverse(self, path: DictPath, decrypt: bool = False, copy: bool = False) -> Any:
+        '''
+        Gets the value of the specified key path from the `Vault`'s `_data`, optionally decrypting it.
+        When `copy` or `decrypt` is set to True, a deep copy of the value will be returned.
+        '''
+        path = cast(tuple[Hashable, ...], Vault._to_path(path))
+        data: dict = self._decrypted_copy() if decrypt else (Vault._copy_data(self._data) if copy else self._data)
         def _get_child(parent: Indexable, index: Hashable) -> Any:
             if not isinstance(parent, dict | list):
                 raise TypeError(f"Can only index into dict-like and list-like types, got { type(parent) } for index { index }")
             is_dict: bool = isinstance(parent, dict)
-            if (is_dict and index not in parent) or (not is_dict and index > len(parent)): # type: ignore
+            if (is_dict and index not in parent) or (not is_dict and cast(int, index) > len(parent)):
                 raise KeyError(f"Key '{ index }' of path '{ '.'.join(map(str, path)) }' could not be resolved")
             return parent[index] # type: ignore
-        leaf: Any = reduce(_get_child, path, self._data)
-        return self.keyring.decrypt(leaf.cipher) if (decrypt and type(leaf) is EncryptedVar) else leaf
+        return reduce(_get_child, path, data)
+
+    def _decrypted_copy(self, remove_sentinel: bool = False) -> dict:
+        '''Returns a recursively decrypted deep copy of the vault data. Removing the sentinel may break comments/Jinja2.'''
+        copy: CommentedMap = Vault._copy_data(self._data)
+        if remove_sentinel:
+            copy.pop(SENTINEL_KEY, None)
+        def _decrypt_leaf(_: tuple[Hashable, ...], value: Any) -> Any:
+            '''Transforms EncryptedVar leaves into decrypted strings.'''
+            return self.keyring.decrypt(value.cipher) if type(value) is EncryptedVar else value
+        Vault._transform_leaves(copy, _decrypt_leaf, tuple())
+        return copy
 
     @staticmethod
     def _to_path(path: DictPath) -> tuple[Hashable, ...]:
@@ -493,12 +502,7 @@ class Vault():
 
     def as_plain(self) -> str:
         '''Returns the vault in fully decrypted form as Jinja2 YAML code with the original metadata.'''
-        copy: CommentedMap = Vault._copy_data(self._data)
-        #copy.pop(SENTINEL_KEY, None) # <-- would break a file containing only metadata and the sentinel key
-        def _decrypt_leaf(_: tuple[Hashable, ...], value: Any) -> Any:
-            '''Transforms EncryptedVar leaves into decrypted strings.'''
-            return self.keyring.decrypt(value.cipher) if type(value) is EncryptedVar else value
-        Vault._transform_leaves(copy, _decrypt_leaf, tuple())
+        copy: dict = self._decrypted_copy()
         yaml_content: str = self._dump_to_str(copy)
         yaml_content = Vault._remove_sentinel(yaml_content)
         return yaml_content
@@ -537,12 +541,11 @@ class Vault():
         Runs the transform_fn on all leaves of the indexable object recursively, passing the current path and the leaf object as a tuple.
         The leaves are replaced by the result of the function call.
         '''
-        if isinstance(indexable, dict):
-            keys: list[Hashable] = list(indexable.keys())
-        else:
-            keys: list[Hashable] = list(range(len(indexable)))
+        if not isinstance(indexable, dict | list):
+            raise Exception(f"Calling _transform_leaves on a non-indexable object is not allowed, got { type(indexable) }")
+        keys: list[Hashable] = list(indexable.keys()) if isinstance(indexable, dict) else list(range(len(indexable)))
         for key in keys:
-            _curr_path = curr_path + ( key, ) # type: ignore
+            _curr_path: tuple[Hashable, ...] = curr_path + ( key, )
             if isinstance(indexable[key], dict | list): # type: ignore
                 Vault._transform_leaves(indexable[key], transform_fn, _curr_path) # type: ignore
             else:
@@ -575,8 +578,8 @@ class Vault():
         Not thread-safe.
         '''
         if (is_dict := isinstance(data, dict)) or isinstance(data, list):
-            copy = data.copy()
-            keys = copy.keys() if is_dict else range(len(copy)) # type: ignore
+            copy: Any = data.copy()
+            keys = cast(dict, copy).keys() if is_dict else range(len(copy))
             for key in keys:
                 copy[key] = Vault._copy_data(copy[key])
             return copy
@@ -653,11 +656,11 @@ class Vault():
                 _path: tuple[Hashable, ...] = path + ( key, )
                 # Check if a key has been added or removed
                 if (is_dict and key in old_node and key not in new_node) or \
-                   (not is_dict and key < len(old_node) and key >= len(new_node)): # type: ignore
+                   (not is_dict and cast(int, key) < len(old_node) and cast(int, key) >= len(new_node)):
                     removed_paths.append(_path)
                     continue
                 if (is_dict and key in new_node and key not in old_node) or \
-                   (not is_dict and key < len(new_node) and key >= len(old_node)): # type: ignore
+                   (not is_dict and cast(int, key) < len(new_node) and cast(int, key) >= len(old_node)):
                     added_paths.append(_path)
                     continue
                 # Traverse subtree of node
@@ -796,7 +799,7 @@ class VaultFile(Vault):
         if full_encryption and not keyring:
             raise NoVaultKeysError(f"No vault keys available to write encrypted content to { path }")
         with open(path, 'w') as file:
-            file.write(keyring.encrypt(content) if full_encryption else content) # type: ignore
+            file.write(cast(VaultKeyring, keyring).encrypt(content) if full_encryption else content)
         # Create VaultFile and write content to disk
         vaultfile = VaultFile(path, keyring=keyring)
         vaultfile.full_encryption = full_encryption
@@ -807,10 +810,10 @@ class VaultFile(Vault):
     def from_editable(VaultFile: Type['VaultFile'], prev_vault_file: 'VaultFile', edited_content: str) -> 'VaultFile':
         '''Converts a YAML vault edited from a `VaultFile.as_editable` template into a new `VaultFile`. Does not update the file on disk.'''
         # Create vault from editable, then wrap with our class and copy relevant attributes over
-        vault: Vault = Vault.from_editable(prev_vault_file, edited_content)
+        vault: VaultFile = cast(VaultFile, Vault.from_editable(prev_vault_file, edited_content))
         vault.__class__ = VaultFile
-        vault.vault_path = prev_vault_file.vault_path # type: ignore
-        return vault # type: ignore
+        vault.vault_path = prev_vault_file.vault_path
+        return vault
 
     def save(self) -> None:
         '''Saves the current `Vault` contents to the vault file attached to this `VaultFile`. '''