ansible-vars 1.0.6__py3-none-any.whl → 1.0.8__py3-none-any.whl

ansible_vars/cli.py

@@ -39,7 +39,7 @@ from .vault import VaultFile, EncryptedVar, ProtoEncryptedVar
 from .vault_crypt import VaultKey, VaultKeyring
 from .util import DiffFileLogger, VaultDaemon
 from .constants import Unset, MatchLocation, SENTINEL_KEY
-from .errors import YAMLFormatError
+from .errors import YAMLFormatError, UnsupportedGenericFileOperation
 
 ## CLI argument parsing
 
@@ -84,6 +84,10 @@ Specify vault keys to load for en-/decryption. Not required for vars files with
 A key is a combination of an identifier (can be a vault ID or anything else, ideally unique) and a passphrase.
 By default, available keys are auto-detected if your current directory contains an Ansible config and appended to the ones you supplied.
 If no explicit encryption key is specified, the first supplied/available key is used.
+
+[!] When editing a hybrid vault file, changing even a single variable will change all variables' ciphers, as salts are generated randomly.
+You can prevent this by passing a fixed salt via `-S <salt>`, which will result in any plaintext always resolving to the same cipher.
+For Ansible's AES-256, a length of at least 32 characters is recommended.
 ''',
     'log_args': '''
 Log a diff of any vault changes performed with this program to an encrypted or plain logfile, creating it if necessary.
@@ -198,6 +202,7 @@ DEFAULT_EDITOR: str = os.environ.get('EDITOR', 'notepad.exe' if os.name == 'nt'
 DEFAULT_COLOR_MODE: str = os.environ.get('AV_COLOR_MODE', '256' if sys.stdout.isatty() else 'none')
 DEFAULT_TEMP_DIR: str = os.environ.get('AV_TEMP_DIR', gettempdir())
 DEFAULT_CREATE_PLAIN: bool = os.environ.get('AV_CREATE_PLAIN', 'no').lower() in [ 'yes', 'y', 'true', 't', '1' ]
+DEFAULT_SALT: str | None = os.environ.get('AV_SALT', None)
 
 args: ArgumentParser = ArgumentParser(
     prog = 'ansible-vars',
@@ -243,6 +248,10 @@ key_args.add_argument(
 )
 key_args.add_argument('--no-detect-keys', '-D', action='store_false', dest='detect_keys', help='disable automatic key detection')
 key_args.add_argument('--encryption-key', '-K', type=str, metavar='<identifier>', help='which of the loaded keys to use for encryption')
+key_args.add_argument(
+    '--fixed-salt', '-S', type=str, metavar='<salt>', default=DEFAULT_SALT,
+    help='a fixed salt to use for encryption (should be 32+ chars!)'
+)
 
 log_args = args.add_argument_group('logging vault changes', description=HELP['log_args'])
 log_mutex = log_args.add_mutually_exclusive_group()
@@ -253,11 +262,17 @@ log_args.add_argument('--logging-key', '-Q', type=str, metavar='<identifier>', h
 # Commands
 commands = args.add_subparsers(dest='command', metavar='<command>', required=True)
 
-cmd_keyring = commands.add_parser('keyring', help='show available vault keys and their passphrases', description=HELP['cmd_keyring'])
+cmd_keyring = commands.add_parser(
+    'keyring', help='show available vault keys and their passphrases', description=HELP['cmd_keyring'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_keyring.add_argument('--json', '-j', action='store_true', dest='as_json', help='print the vault keys as JSON and nothing else')
 cmd_keyring.add_argument('--keys-only', '-o', action='store_false', dest='show_passphrases', help='show only the vault keys, not the passphrases')
 
-cmd_create = commands.add_parser('create', help='create a new vault', description=HELP['cmd_create'])
+cmd_create = commands.add_parser(
+    'create', help=f"create a new vault ({ 'hybrid/plain' if DEFAULT_CREATE_PLAIN else 'fully encrypted' } by default)",
+    description=HELP['cmd_create'], formatter_class=RawDescriptionHelpFormatter
+)
 cmd_create.add_argument('vault_path', type=str, metavar='<vault path>', help='path to create a new vault at') \
     .completer = _prefixed_path_completer # type: ignore
 # Invert flag if the user wants plain mode by default
@@ -266,50 +281,74 @@ if DEFAULT_CREATE_PLAIN:
 else:
     cmd_create.add_argument('--plain', '-p', action='store_false', dest='encrypt_vault', help='create without full file encryption')
 cmd_create.add_argument('--make-parents', '-m', action='store_true', help='create all directories in the given path')
-cmd_mutex = cmd_create.add_mutually_exclusive_group()
-cmd_mutex.add_argument('--no-edit', '-n', action='store_false', dest='open_edit_mode', help='just create the file, don\'t open it for editing')
-cmd_mutex.add_argument(
+create_mutex = cmd_create.add_mutually_exclusive_group()
+create_mutex.add_argument('--no-edit', '-n', action='store_false', dest='open_edit_mode', help='just create the file, don\'t open it for editing')
+create_mutex.add_argument(
     '--edit-command', '-e', type=str, default=DEFAULT_EDITOR, help=f"editor command to use (runs as <command> <some path>) (default: { DEFAULT_EDITOR })"
 )
 
-cmd_edit = commands.add_parser('edit', help='edit a vault', description=HELP['cmd_edit'])
+cmd_edit = commands.add_parser(
+    'edit', help='edit a vault', description=HELP['cmd_edit'], formatter_class=RawDescriptionHelpFormatter
+)
 cmd_edit.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to edit') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_edit.add_argument(
     '--edit-command', '-e', type=str, default=DEFAULT_EDITOR, help=f"editor command to use (runs as <command> <some path>) (default: { DEFAULT_EDITOR })"
 )
 
-cmd_view = commands.add_parser('view', help='show the decrypted contents of a vault')
+cmd_view = commands.add_parser(
+    'view', help='show the decrypted contents of a vault', formatter_class=RawDescriptionHelpFormatter
+)
 cmd_view.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to dump') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_view.add_argument('--json', '-j', action='store_true', dest='as_json', help='print the vault data as JSON and nothing else')
 
-cmd_info = commands.add_parser('info', help='show information about a vault\'s variables', description=HELP['cmd_info'])
+cmd_info = commands.add_parser(
+    'info', help='show information about a vault\'s variables', description=HELP['cmd_info'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_info.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to analyze') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_info.add_argument('--json', '-j', action='store_true', dest='as_json', help='print the information as JSON and nothing else')
 
-cmd_encrypt = commands.add_parser('encrypt', help='encrypt a file in-place or a string with the encryption key', description=HELP['cmd_encrypt'])
+cmd_encrypt = commands.add_parser(
+    'encrypt', help='encrypt a file in-place or a string with the encryption key', description=HELP['cmd_encrypt'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_encrypt.add_argument('target_type', type=str, choices=['file', 'string'], help='select if target is a file path or a string')
 cmd_encrypt.add_argument('target', type=str, metavar='<vault path | string>', help='path of vault or string value to encrypt') \
     .completer = _prefixed_path_completer # type: ignore
+cmd_encrypt.add_argument('--quiet', '-q', action='store_true', help='only output the encrypted value (ignored in file mode)')
 
-cmd_decrypt = commands.add_parser('decrypt', help='decrypt a file in-place or a string', description=HELP['cmd_decrypt'])
+cmd_decrypt = commands.add_parser(
+    'decrypt', help='decrypt a file in-place or a string', description=HELP['cmd_decrypt'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_decrypt.add_argument('target_type', type=str, choices=['file', 'string'], help='select if target is a file path or a string')
 cmd_decrypt.add_argument('target', type=str, metavar='<vault path | string>', help='path of vault or string value to decrypt') \
     .completer = _prefixed_path_completer # type: ignore
+cmd_decrypt.add_argument('--quiet', '-q', action='store_true', help='only output the decrypted value (ignored in file mode)')
 
-cmd_is_enc = commands.add_parser('is-encrypted', help='check if a file or string is vault-encrypted', description=HELP['cmd_is_enc'])
+cmd_is_enc = commands.add_parser(
+    'is-encrypted', help='check if a file or string is vault-encrypted', description=HELP['cmd_is_enc'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_is_enc.add_argument('target_type', type=str, choices=['file', 'string'], help='select if target is a file path or a string')
 cmd_is_enc.add_argument('target', type=str, metavar='<vault path | string>', help='path of vault or string value to check') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_is_enc.add_argument('--quiet', '-q', action='store_true', help='no output, only set the rc to 0 if encrypted or 100 if unencrypted')
 
-cmd_convert = commands.add_parser('convert', help='switch vault between outer (file) and inner (vars) encryption', description=HELP['cmd_convert'])
+cmd_convert = commands.add_parser(
+    'convert', help='switch vault between outer (file) and inner (vars) encryption', description=HELP['cmd_convert'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_convert.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to convert') \
     .completer = _prefixed_path_completer # type: ignore
 
-cmd_grep = commands.add_parser('grep', help='search a file or folder for a pattern', description=HELP['cmd_grep'])
+cmd_grep = commands.add_parser(
+    'grep', help='search a file or folder for a pattern', description=HELP['cmd_grep'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_grep.add_argument('query', type=str, metavar='<pattern>', help='regex query to match with targets')
 cmd_grep.add_argument('targets', type=str, nargs='+', metavar='[<target> ...]', help='file(s) or folder(s) to search recursively') \
     .completer = _prefixed_path_completer # type: ignore
@@ -324,21 +363,30 @@ grep_mutex_type.add_argument('--multiline', '-m', action='store_true', help='mak
 cmd_grep.add_argument('--json', '-j', action='store_true', dest='as_json', help='print the matches as JSON and nothing else')
 cmd_grep.add_argument('--quiet', '-q', action='store_true', help='no output, only set the rc to 0 if any matches found or 100 if none found')
 
-cmd_diff = commands.add_parser('diff', help='show line differences between two vaults', description=HELP['cmd_diff'])
+cmd_diff = commands.add_parser(
+    'diff', help='show line differences between two vaults', description=HELP['cmd_diff'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_diff.add_argument('old_vault', type=str, metavar='<old vault vault path>', help='path of "old"/base vault') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_diff.add_argument('new_vault', type=str, metavar='<new vault vault path>', help='path of "new"/changed vault') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_diff.add_argument('--context-lines', '-c', type=int, metavar='<amount>', default=3, help='show <amount> lines of context around changed lines (default: 3)')
 
-cmd_changes = commands.add_parser('changes', help='show var changes between vaults', description=HELP['cmd_changes'])
+cmd_changes = commands.add_parser(
+    'changes', help='show var changes between vaults', description=HELP['cmd_changes'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_changes.add_argument('old_vault', type=str, metavar='<old vault vault path>', help='path of "old"/base vault') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_changes.add_argument('new_vault', type=str, metavar='<new vault vault path>', help='path of "new"/changed vault') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_changes.add_argument('--json', '-j', action='store_true', dest='as_json', help='print added/changed/removed/decrypted vars as JSON and nothing else')
 
-cmd_daemon = commands.add_parser('file-daemon', help='sync decrypted vault copies into a folder', description=HELP['cmd_daemon'])
+cmd_daemon = commands.add_parser(
+    'file-daemon', help='sync decrypted vault copies into a folder', description=HELP['cmd_daemon'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_daemon.add_argument('target_root', type=str, metavar='<target root path>', help='root folder the decrypted files and folders should be synced into (non-existent or empty)') \
     .completer = _prefixed_path_completer # type: ignore
 # This arg can be repeated (results in [ [source, rel_target], ... ])
@@ -350,7 +398,10 @@ cmd_daemon.add_argument('--no-recurse', '-n', action='store_false', dest='recurs
 cmd_daemon.add_argument('--no-default-dirs', '-N', action='store_false', dest='include_default_dirs', help='don\'t include default sync sources')
 cmd_daemon.add_argument('--force', '-f', action='store_true', help='if the target root already exists and is not empty, delete its contents')
 
-cmd_get = commands.add_parser('get', help='get a key\'s (decrypted) value if it exists', description=HELP['cmd_get'])
+cmd_get = commands.add_parser(
+    'get', help='get a key\'s (decrypted) value if it exists', description=HELP['cmd_get'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_get.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to get value from') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_get.add_argument('key_segments', type=str, nargs='+', metavar='<key segment> [<key segment> ...]', help='segment(s) of the key to look up (`[<num>]` for numbers)')
@@ -359,14 +410,20 @@ get_mutex_format = cmd_get.add_mutually_exclusive_group()
 get_mutex_format.add_argument('--quiet', '-q', action='store_true', help='only output the raw YAML value or set the rc to 100 if the key doesn\'t exist')
 get_mutex_format.add_argument('--json', '-j', action='store_true', dest='as_json', help='print the value as JSON or set the rc to 100 if the key doesn\'t exist')
 
-cmd_set = commands.add_parser('set', help='update a key\'s value or add a new key (experimental!)', description=HELP['cmd_set'])
+cmd_set = commands.add_parser(
+    'set', help='update a key\'s value or add a new key (experimental!)', description=HELP['cmd_set'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_set.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to set value in') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_set.add_argument('value', type=str, metavar='<value>', help='value to set (will be loaded as YAML)')
 cmd_set.add_argument('key_segments', type=str, nargs='+', metavar='<key segment> [<key segment> ...]', help='segment(s) of the key to look up (`[<num>]` for numbers)')
 cmd_set.add_argument('--encrypt', '-e', action='store_true', dest='encrypt_value', help='encrypt the value if it is\'t encrypted yet')
 
-cmd_del = commands.add_parser('del', help='delete a key and its value if they exist (experimental!)', description=HELP['cmd_del'])
+cmd_del = commands.add_parser(
+    'del', help='delete a key and its value if they exist (experimental!)', description=HELP['cmd_del'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_del.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to delete key from') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_del.add_argument('key_segments', type=str, nargs='+', metavar='<key segment> [<key segment> ...]', help='segment(s) of the key to look up (`[<num>]` for numbers)')
@@ -517,7 +574,7 @@ sys.excepthook = _exc_hook
 # Load vault keys
 
 _explicit_keys: list[VaultKey] = [ VaultKey(passphrase, vault_id=id) for id, passphrase in config.keys ]
-keyring = VaultKeyring(_explicit_keys.copy(), detect_available_keys=config.detect_keys)
+keyring = VaultKeyring(_explicit_keys.copy(), detect_available_keys=config.detect_keys, default_salt=config.fixed_salt)
 
 if config.encryption_key:
     keyring.default_encryption_key = keyring.key_by_id(config.encryption_key)
@@ -527,6 +584,8 @@ try:
     debug(f"Encryption key: { keyring.encryption_key.id }")
 except:
     debug('Encryption key: unavailable')
+if config.fixed_salt:
+    debug(f"Using fixed encryption salt: { config.fixed_salt }")
 
 # Set up logging
 
@@ -582,7 +641,30 @@ if config.command in [ 'create', 'edit' ]:
         vault = VaultFile.create(vault_path, full_encryption=config.encrypt_vault, permissions=0o600, keyring=keyring)
         print(f"Created { 'encrypted' if vault.full_encryption else 'plain' } vault at { vault_path }", Color.GOOD)
     else:
-        vault = VaultFile(vault_path, keyring=keyring)
+        try:
+            vault = VaultFile(vault_path, keyring=keyring)
+        except YAMLFormatError:
+            print('Invalid vault format, will be treated as a generic file', Color.MEH)
+            with NamedTemporaryFile(mode='w+', dir=config.temp_dir, prefix='vaultlike_') as edit_file:
+                with open(vault_path, 'r+') as file:
+                    # Load and decrypt file
+                    content: str = file.read()
+                    if (is_enc := VaultKey.is_encrypted(content)):
+                        content = keyring.decrypt(content)
+                    # Let user edit the content in a temporary file
+                    edit_file.write(content)
+                    edit_file.flush()
+                    sys_command(f"{ config.edit_command } { edit_file.name }", shell=True)
+                    edit_file.seek(0)
+                    # Encrypt the new content and write it back
+                    new_content: str = edit_file.read()
+                    if is_enc:
+                        new_content = keyring.encrypt(new_content)
+                    file.seek(0)
+                    file.truncate()
+                    file.write(new_content)
+                    print(f"Saved changes!", Color.GOOD)
+            exit()
     # Open vault for edit mode
     if getattr(config, 'open_edit_mode', True):
         print(f"Editing vault at { vault_path }")
@@ -591,6 +673,7 @@ if config.command in [ 'create', 'edit' ]:
             # Write vault contents to temp file
             editable: str = vault.as_editable()
             edit_file.write(editable)
+            edit_file.flush()
             while True:
                 # Open editor and wait for it to close
                 edit_file.seek(0)
@@ -613,18 +696,22 @@ if config.command in [ 'create', 'edit' ]:
                             break
                     new_vault.save()
                     print(f"Saved changes!", Color.GOOD)
-                    # Warn about decrypted variables
-                    if (changes := new_vault.changes(vault))[0]:
-                        print(f"\n[!] The following vars have been decrypted in this edit:", Color.MEH)
-                        print('\n'.join([ f"- { format_key_path(path) }" for path in changes[0] ]))
-                    # Inform about new plain leaf variables
+                    decrypted_vars:   list[tuple[Hashable, ...]] = []
                     new_plain_leaves: list[tuple[Hashable, ...]] = []
                     def _find_new_plain_vars(path: tuple[Hashable, ...], value: Any) -> Any:
                         if path != ( SENTINEL_KEY, ) and type(value) is not EncryptedVar:
-                            if vault.get(path, default=Unset) != value:
-                                new_plain_leaves.append(path)
+                            if (old_value := vault.get(path, default=Unset)) != value:
+                                if type(old_value) is EncryptedVar:
+                                    decrypted_vars.append(path)
+                                else:
+                                    new_plain_leaves.append(path)
                         return value
                     vault._transform_leaves(new_vault._data, _find_new_plain_vars, tuple())
+                    # Warn about decrypted variables
+                    if decrypted_vars:
+                        print(f"\n[!] The following vars have been decrypted in this edit:", Color.MEH)
+                        print('\n'.join([ f"- { format_key_path(path) }" for path in decrypted_vars ]))
+                    # Warn about new plain leaf variables
                     if not new_vault.full_encryption and new_plain_leaves:
                         print(f"\n[!] The following plain vars have been added in this edit:", Color.MEH)
                         print('\n'.join([ f"- { format_key_path(path) }" for path in new_plain_leaves ]))
@@ -639,11 +726,18 @@ if config.command in [ 'create', 'edit' ]:
 
 if config.command == 'view':
     vault_path: str = resolve_vault_path(config.vault_path)
-    vault = VaultFile(vault_path, keyring=keyring)
-    if config.as_json:
-        print_json(vault.as_json())
-    else:
-        print_yaml(vault.as_plain())
+    try:
+        vault = VaultFile(vault_path, keyring=keyring)
+        if config.as_json:
+            print_json(vault.as_json())
+        else:
+            print_yaml(vault.as_plain())
+    except YAMLFormatError:
+        if config.as_json:
+            raise UnsupportedGenericFileOperation(operation='--json')
+        with open(vault_path) as file:
+            content: str = file.read()
+            print(keyring.decrypt(content) if VaultKey.is_encrypted(content) else content)
 
 # Info command
 
@@ -684,27 +778,53 @@ if config.command in [ 'encrypt', 'decrypt', 'is-encrypted' ]:
     # File target
     if config.target_type == 'file':
         vault_path: str = resolve_vault_path(config.target)
-        vault = VaultFile(vault_path, keyring=keyring)
+        is_generic: bool = False
+        try:
+            vault = VaultFile(vault_path, keyring=keyring)
+            is_enc: bool = vault.full_encryption
+        except YAMLFormatError as e:
+            print('Invalid vault format, will be treated as a generic file', Color.MEH)
+            with open(vault_path) as file:
+                is_enc = VaultKey.is_encrypted(file.read())
+            is_generic = True
         if config.command in [ 'encrypt', 'decrypt' ]:
-            if vault.full_encryption == (config.command == 'encrypt'):
-                print(f"Vault is already { 'en' if vault.full_encryption else 'de' }crypted.")
+            if is_enc == (config.command == 'encrypt'):
+                print(f"Vault is already { 'en' if is_enc else 'de' }crypted.", Color.GOOD)
             else:
-                vault.full_encryption = (config.command == 'encrypt')
-                vault.save()
-                print(f"Vault { 'en' if vault.full_encryption else 'de' }crypted.", Color.GOOD)
+                is_enc = (config.command == 'encrypt')
+                # Generic file
+                if is_generic:
+                    with open(vault_path, 'r+') as file:
+                        content: str = file.read()
+                        file.seek(0)
+                        file.truncate()
+                        file.write(keyring.encrypt(content) if is_enc else keyring.decrypt(content))
+                # Vault file
+                else:
+                    vault.full_encryption = is_enc # type: ignore
+                    vault.save() # type: ignore
+                print(f"Vault { 'en' if is_enc else 'de' }crypted.", Color.GOOD)
         else:
             if config.quiet:
-                exit(0 if vault.full_encryption else 100)
+                exit(0 if is_enc else 100)
             else:
-                print(f"Vault is { 'encrypted' if vault.full_encryption else 'plain or hybrid' }.", Color.GOOD if vault.full_encryption else Color.MEH)
+                print(f"Vault is { 'fully encrypted' if is_enc else 'plain or hybrid' }.", Color.GOOD if is_enc else Color.MEH)
     # String target
     else:
         is_encrypted: bool = VaultKey.is_encrypted(config.target)
+        # The key may not be passed properly, in which case we auto-convert literal '\n' to newlines
+        # We can assume an encrypted value should not contain any literal backslashes
+        if is_encrypted:
+            config.target = config.target.replace('\\n', '\n')
         if config.command in [ 'encrypt', 'decrypt' ]:
             if is_encrypted == (config.command == 'encrypt'):
-                print(f"Value is already { 'en' if is_encrypted else 'de' }crypted.")
+                if not config.quiet:
+                    print(f"Value is already { 'en' if is_encrypted else 'de' }crypted.", Color.GOOD)
+                else:
+                    print(config.target)
             else:
-                print(f"{ 'En' if not is_encrypted else 'De' }crypted value:", Color.GOOD)
+                if not config.quiet:
+                    print(f"{ 'En' if not is_encrypted else 'De' }crypted value:", Color.GOOD)
                 print(keyring.encrypt(config.target) if (config.command == 'encrypt') else keyring.decrypt(config.target))
         else:
             if config.quiet:
@@ -732,7 +852,7 @@ if config.command == 'convert':
         vault.save()
         print(f"Vault converted to { 'outer' if vault.full_encryption else 'inner' } encryption.", Color.GOOD)
         if not vault.full_encryption:
-            print('Please check the vault to make sure all secrets have been encrypted', Color.MEH)
+            print('Please check the vault to make sure all secrets have been encrypted!', Color.MEH)
     _convert()
 
 # Grep command

ansible_vars/errors.py

@@ -2,6 +2,14 @@
 
 # YAML parsing
 
+class UnsupportedGenericFileOperation(Exception):
+    '''The requested operation or flag is not available for generic (i.e. non-YAML-dictionary) files.'''
+
+    def __init__(self, *args: object, operation: str | None = None) -> None:
+        super().__init__(
+            f"The requested operation or flag is not available for generic files{ f': { operation }' * bool(operation) }", *args
+        )
+
 class YAMLFormatError(Exception):
     '''The supplied content is not a valid Ansible YAML file. Supports passing the triggering parent exception.'''
     

ansible_vars/util.py

@@ -282,7 +282,7 @@ class VaultDaemon(FileSystemEventHandler):
                     content: str = src.read()
                 with open(target_path, 'w') as tgt:
                     try:
-                        tgt.write(Vault(content, keyring=self.keyring).as_editable(with_header=False))
+                        tgt.write(Vault(content, keyring=self.keyring).as_plain())
                         self.debug(f"Created/Updated file { target_path } from vault contents")
                     except:
                         tgt.write(content)
@@ -338,7 +338,7 @@ class VaultDaemon(FileSystemEventHandler):
                         content: str = src.read()
                     with open(self.target_file, 'w') as tgt:
                         try:
-                            tgt.write(Vault(content, keyring=self.keyring).as_editable(with_header=False))
+                            tgt.write(Vault(content, keyring=self.keyring).as_plain())
                             self.debug(f"Created/Updated file { self.target_file } from vault contents")
                         except:
                             tgt.write(content)
@@ -373,7 +373,7 @@ class VaultDaemon(FileSystemEventHandler):
                 content: str = src.read()
             with open(target_path, 'w') as tgt:
                 try:
-                    tgt.write(Vault(content, keyring=self.keyring).as_editable(with_header=False))
+                    tgt.write(Vault(content, keyring=self.keyring).as_plain())
                     self.debug(f"Created/Updated file { target_path } from vault contents")
                 except:
                     tgt.write(content)

ansible_vars/vault.py

@@ -6,16 +6,14 @@ from io import StringIO
 from functools import reduce
 from typing import Type, Hashable, Callable, Any
 from types import MappingProxyType
-from collections import OrderedDict
 from difflib import unified_diff
 
 # External library imports
 from ruamel.yaml import YAML
 from ruamel.yaml.nodes import ScalarNode
-from ruamel.yaml.parser import CommentToken
 from ruamel.yaml.representer import Representer
 from ruamel.yaml.constructor import Constructor
-from ruamel.yaml.comments import CommentedMap, CommentedSeq
+from ruamel.yaml.comments import CommentedMap
 
 # Internal module imports
 from .constants import ThrowError, octal, Indexable, ChangeList, MatchLocation, SENTINEL_KEY, EDIT_MODE_HEADER, ENCRYPTED_VAR_TAG
@@ -53,7 +51,7 @@ class EncryptedVar():
         cipher: Any = constructor.construct_scalar(node)
         if not isinstance(cipher, str):
             raise TypeError(f"Expected encrypted value to be a str, but got { type(cipher) }")
-        return EncryptedVar(str(cipher), name=node.id)
+        return EncryptedVar(cipher, name=node.id)
 
 class ProtoEncryptedVar():
     '''A variable marked to be encrypted in a `Vault` editable.'''
@@ -77,14 +75,14 @@ class ProtoEncryptedVar():
 
     @classmethod
     def to_yaml(ProtoEncryptedVar: Type['ProtoEncryptedVar'], representer: Representer, var: 'ProtoEncryptedVar') -> Any:
-        return representer.represent_scalar(ENCRYPTED_VAR_TAG, var.plaintext, style='\'')
+        return representer.represent_scalar(ENCRYPTED_VAR_TAG, var.plaintext, style=('|' if '\n' in var.plaintext else ''))
 
     @classmethod
     def from_yaml(ProtoEncryptedVar: Type['ProtoEncryptedVar'], constructor: Constructor, node: ScalarNode) -> 'ProtoEncryptedVar':
         plaintext: Any = constructor.construct_scalar(node)
         if not isinstance(plaintext, str):
             raise TypeError(f"Expected decrypted value to be a str, but got { type(plaintext) }")
-        return ProtoEncryptedVar(str(plaintext).rstrip('\n'), name=node.id)
+        return ProtoEncryptedVar(plaintext.rstrip('\n'), name=node.id)
 
 class Vault():
     '''
@@ -205,7 +203,7 @@ class Vault():
         A read-only dictionary of the vault's variables, with any EncryptedVars already decrypted.
         Note that the state is frozen whenever you access this property, and not updated when the vault changes.
         '''
-        copy: dict = self._data.copy()
+        copy: dict = Vault._copy_data(self._data)
         copy.pop(SENTINEL_KEY, None)
         def _traverse_and_decrypt(root: Any) -> Any:
             if isinstance(root, dict):
@@ -495,7 +493,7 @@ class Vault():
 
     def as_plain(self) -> str:
         '''Returns the vault in fully decrypted form as Jinja2 YAML code with the original metadata.'''
-        copy: CommentedMap = self._data.copy()
+        copy: CommentedMap = Vault._copy_data(self._data)
         #copy.pop(SENTINEL_KEY, None) # <-- would break a file containing only metadata and the sentinel key
         def _decrypt_leaf(_: tuple[Hashable, ...], value: Any) -> Any:
             '''Transforms EncryptedVar leaves into decrypted strings.'''
@@ -510,7 +508,7 @@ class Vault():
         Returns the vault as Jinja2 YAML code with the original metadata.
         It is prepared for editing and later re-encryption with YAML tags and a static explanatory header.
         '''
-        copy: CommentedMap = self._data.copy()
+        copy: CommentedMap = Vault._copy_data(self._data)
         def _convert_to_proto(path: tuple[Hashable, ...], value: Any) -> Any:
             '''Marks encrypted leaves for encryption after editing.'''
             if type(value) is not EncryptedVar:
@@ -526,7 +524,7 @@ class Vault():
 
     def as_encrypted(self) -> str:
         '''Returns the vault as Jinja2 YAML code with the original metadata, with encrypted variables and full encryption if enabled.'''
-        copy: CommentedMap = self._data.copy()
+        copy: CommentedMap = Vault._copy_data(self._data)
         yaml_content: str = self._dump_to_str(copy)
         yaml_content = Vault._remove_sentinel(yaml_content)
         if self.full_encryption:
@@ -567,6 +565,23 @@ class Vault():
         self._parser.dump(data, builder)
         return builder.getvalue().strip('\n') + '\n'
 
+    @staticmethod
+    def _copy_data(data: Any) -> Any:
+        '''
+        Create a deep copy of any data, using the object's `copy()` method for dicts and lists.
+        Parser dicts and lists contain special data, and their copy function will preserve that.
+        The built-in `copy.deepcopy()` would require a `__deepcopy__` method for this to work.
+        Copying works for dicts and lists. Everything else is referenced normally.
+        Not thread-safe.
+        '''
+        if (is_dict := isinstance(data, dict)) or isinstance(data, list):
+            copy = data.copy()
+            keys = copy.keys() if is_dict else range(len(copy)) # type: ignore
+            for key in keys:
+                copy[key] = Vault._copy_data(copy[key])
+            return copy
+        return data
+
     # Comparing to older versions of this vault
 
     def diff(self, prev_vault: 'Vault', context_lines: int = 3, show_filenames: bool = True) -> str:
@@ -653,7 +668,7 @@ class Vault():
     def copy(self) -> 'Vault':
         '''Create a copy of this `Vault` instance.'''
         copy = Vault('', self.keyring)
-        copy._data = self._data.copy()
+        copy._data = Vault._copy_data(self._data)
         copy.full_encryption = self.full_encryption
         copy.keyring = self.keyring
         copy._parser = self._parser
@@ -804,7 +819,7 @@ class VaultFile(Vault):
     def copy(self) -> 'VaultFile':
         '''Create a copy of this `VaultFile` instance.'''
         copy: VaultFile = self.from_editable(self, '')
-        copy._data = self._data.copy()
+        copy._data = VaultFile._copy_data(self._data)
         copy.full_encryption = self.full_encryption
         copy.keyring = self.keyring
         copy._parser = self._parser

ansible_vars/vault_crypt.py

@@ -54,12 +54,12 @@ class VaultKey():
         '''
         return VaultLib.is_encrypted(VaultKey._strip_vault_tag(test_me))
 
-    def encrypt(self, plain: str) -> str:
-        '''Encrypts a string using this `VaultKey`'s secret.'''
+    def encrypt(self, plain: str, salt: str | None = None) -> str:
+        '''Encrypts a string using this `VaultKey`'s secret. You can specify an optional fixed salt (ideally 32+ chars).'''
         # Pass our secret directly to the encrypt call to skip expensive secret matching
         # Beware: the encrypt function takes a `secret`, but means just the VaultSecret and not a tuple of (vault_id, VaultSecret)
         # In other calls, `secret` or `secrets` may refer to the tuple(s)
-        return self._vaultlib.encrypt(plain, secret=self.secret, vault_id=self.id).decode('utf-8').strip()
+        return self._vaultlib.encrypt(plain, secret=self.secret, vault_id=self.id, salt=salt).decode('utf-8').strip()
 
     def decrypt(self, vault_cipher: str) -> str:
         '''
@@ -70,7 +70,7 @@ class VaultKey():
         vault_cipher = VaultKey._strip_vault_tag(vault_cipher)
         try:
             decrypted: bytes = self._vaultlib.decrypt(vault_cipher)
-            return decrypted.decode('utf-8').strip()
+            return decrypted.decode('utf-8')
         except AnsibleVaultError as e:
             if e.message.startswith('Decryption failed (no vault secrets were found that could decrypt)'):
                 raise VaultKeyMatchError(f"Could not match cipher with { self }")
@@ -96,6 +96,7 @@ class VaultKeyring():
             self,
             keys: list[VaultKey] | None = None,
             default_encryption_key: VaultKey | None = None,
+            default_salt: str | None = None,
             detect_available_keys: bool = True
         ) -> None:
         '''
@@ -107,9 +108,13 @@ class VaultKeyring():
         
         When encrypting data, you can specify an explicit `VaultKey` to use. If none is specified, `default_encryption_key` is used.
         If no explicit or default keys are available, the first key of the `keys` parameter is used.
+
+        You can also set a fixed salt to use for encryption tasks, either passing it to the `encrypt` function directly
+        or as a `default_salt` here. A length of at least 32 chars is recommended for Ansible's AES-256.
         '''
         self.keys: list[VaultKey] = keys or []
         self.default_encryption_key: VaultKey | None = default_encryption_key
+        self.default_salt: str | None = default_salt
         if detect_available_keys:
             self.keys.extend(VaultKeyring.load_cli_secrets())
     
@@ -124,16 +129,15 @@ class VaultKeyring():
             raise NoVaultKeysError('No vault keys available for encryption')
         return self.default_encryption_key or self.keys[0]
 
-    def encrypt(self, plain: str, key: VaultKey | None = None) -> str:
+    def encrypt(self, plain: str, key: VaultKey | None = None, salt: str | None = None) -> str:
         '''
         Encrypts the given vault data using the supplied `VaultKey`.
         If no key is supplied, the `VaultKeyring`'s `default_encryption_key` is used.
         If that key is also unset, the first key of the `VaultKeyring`'s `keys` is used.
+        You can specify an optional fixed salt for encrypting (ideally 32+ chars).
         '''
         # If no key is provided, use the default encryption key or first key in `keys`
-        if not key:
-            key = self.encryption_key
-        return key.encrypt(plain)
+        return (key or self.encryption_key).encrypt(plain, salt=(salt or self.default_salt))
 
     def decrypt(self, vault_cipher: str, key: VaultKey | None = None) -> str:
         '''
@@ -143,7 +147,7 @@ class VaultKeyring():
 
         Expects a cipher with optional YAML tag preamble (`!vault | $ANSIBLE_VAULT;<options>\\n<cipher>`).
         '''
-        if not key and not self.keys:
+        if not (key or self.keys):
             raise NoVaultKeysError('No vault keys available for decryption')
         if key:
             return key.decrypt(vault_cipher)

{ansible_vars-1.0.6.dist-info → ansible_vars-1.0.8.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ansible-vars
-Version: 1.0.6
+Version: 1.0.8
 Summary: Manage vaults and variable files for Ansible
 Project-URL: Homepage, https://github.com/xorwow/ansible-vars
 Project-URL: Issues, https://github.com/xorwow/ansible-vars/issues
@@ -105,6 +105,10 @@ By default, the first loaded key is used for all encryption tasks. Note that aut
 
 You can disable automatic key detection by flagging `--no-encrypt-keys|-D`. Use `ansible-vars keyring` to view all available keys.
 
+#### Encryption salts
+
+Each time you edit a vault or otherwise encrypt a value, a randomly generated salt is used so even identical plain values will result in unique ciphers. However, this also means that each time a single encrypted variable is edited, all other ciphers in the vault will change as well. You can avoid this by passing a fixed salt via `--fixed-salt|-S <salt>`. Note that it should be at least 32 characters long and sufficiently random for Ansible's AES-256 encryption, and that you won't benefit from unique ciphers for identical plaintexts anymore.
+
 ### Diff logging
 
 **TL;DR:** You can use `-l <log directory>` to log changes to edited vaults to a vault-encrypted log file.
@@ -220,6 +224,10 @@ Set the tempfile/staging root as you would with `-T <path>`.
 
 Invert the default creation mode for files: If unset or `no`, files are created with full encryption unless specified otherwise via the `--plain|-p` flag. This behavior mirrors that of `ansible-vault`. When set to `yes`, the behavior and flag are inverted as files are created without encryption by default unless specified otherwise via the `--no-plain|-P` flag.
 
+#### AV_SALT
+
+Set a fixed salt as you would with `-S <salt>`.
+
 ### Python library
 
 When using `ansible-vars` as a library, import any of these modules from the `ansible_vars` module.
@@ -254,21 +262,22 @@ When editing a file or creating a daemon, decrypted vaults are written to disk t
 
 ## Known issues and limitations
 
-- YAML round-trip parser
+- YAML round-trip parser:
     - Trailing comments and Jinja2 blocks may be misaligned and a trailing newline may be inserted/removed when switching between folded (`|`, `>`) and non-foldes values.
     - The `set` and `del` commands may remove trailing comments and Jinja2 blocks.
     - Explicit start/end markers (`---`, `...`) are not preserved.
     - Supports lists, dictionaries, and scalar values.
     - Does not support custom YAML tags (`!tag`).
-- Ansible
+- Ansible:
     - Ansible only directly supports encrypted string values (although you can work around this with the `from_yaml` filter).
     - Ansible-encrypted strings must include a newline between the envelope and the cipher.
     - Ansible vault and variable file roots must be a dictionary.
-- `grep` command
+- `grep` command:
     - Will ignore files which cannot be parsed as an Ansible YAML file.
-- `file-daemon` command
+- `file-daemon` command:
     - Changes to file metadata (permissions, ...) are not mirrored.
-- `ansible-vars` cannot operate on files which are not (Jinja2) YAML dictionaries.
+- `ansible-vars` does not support files which are not (Jinja2) YAML dictionaries, except for limited support in these commands:
+    - `edit`, `view` (without `--json` support), `encrypt`, `decrypt`, `is-encrypted`
 
 ## Extension plans
 

ansible_vars-1.0.8.dist-info/RECORD

@@ -0,0 +1,12 @@
+ansible_vars/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+ansible_vars/cli.py,sha256=TFPSuUmOTWjX6FF5aAd2PnJkyftSur9DfccYwzjQe6A,63959
+ansible_vars/constants.py,sha256=Nd3sIuSoOvyfUfHfnsnJBDGMW7eNzbMm1NAvEQio9hE,1624
+ansible_vars/errors.py,sha256=6dzyksPKWira9O2-Ir3MIOwr4XjN9MSBiRp5e6siY6Q,1256
+ansible_vars/util.py,sha256=UwGPBT19pee7lBpWuBzLPAvcrHUBAn6i1MrJvzM9OQ4,21265
+ansible_vars/vault.py,sha256=cMvFdtc3bw6yf-aChUEP34k2yafWS2UuubFO84De_rA,46383
+ansible_vars/vault_crypt.py,sha256=nh2k686nTI3yERIp-qzx5iDE1kZKg10YG019QeZDnLM,10019
+ansible_vars-1.0.8.dist-info/METADATA,sha256=KSO8y8E4DZeGzYjXKrnuj-aW8ni3TEAh1upcwGPdlL0,17967
+ansible_vars-1.0.8.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+ansible_vars-1.0.8.dist-info/entry_points.txt,sha256=RrhkEH0MbfRzflguVrfYfthsFC5V2fkFnizUG3uHMtQ,55
+ansible_vars-1.0.8.dist-info/licenses/LICENSE,sha256=ocyJHLG5wD12qB4uam2pqWTHIJmzloiyNyTex6Q2DKo,1062
+ansible_vars-1.0.8.dist-info/RECORD,,

ansible_vars-1.0.6.dist-info/RECORD

@@ -1,12 +0,0 @@
-ansible_vars/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-ansible_vars/cli.py,sha256=Mp-J_1Tz6vz2uPhTQ_OWdWeZp_Zfc5qDHk2SnIjOo2U,59045
-ansible_vars/constants.py,sha256=Nd3sIuSoOvyfUfHfnsnJBDGMW7eNzbMm1NAvEQio9hE,1624
-ansible_vars/errors.py,sha256=VnViEBMR3rIeioMj460DgdBA5S5FYiDObaDDhG2FMBs,857
-ansible_vars/util.py,sha256=BzS7n3UzaKqVZ3W78HVkJtdVCYofprqQDtU8wYH1d0Q,21325
-ansible_vars/vault.py,sha256=_dp1K5_UAFGgcg6iO4on4-L_BaJO2cHP6My3EU6enA4,45593
-ansible_vars/vault_crypt.py,sha256=JcFc6dTZ6EqhKXv_C5ofggTpBK8hWG3ZwrBrDNYcEIg,9501
-ansible_vars-1.0.6.dist-info/METADATA,sha256=G4q4OqsOTJ6R9cUyoh9odAn5ZmWR59i5knWHPalQROs,17198
-ansible_vars-1.0.6.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-ansible_vars-1.0.6.dist-info/entry_points.txt,sha256=RrhkEH0MbfRzflguVrfYfthsFC5V2fkFnizUG3uHMtQ,55
-ansible_vars-1.0.6.dist-info/licenses/LICENSE,sha256=ocyJHLG5wD12qB4uam2pqWTHIJmzloiyNyTex6Q2DKo,1062
-ansible_vars-1.0.6.dist-info/RECORD,,