ansible-vars 1.0.6__tar.gz → 1.0.7__tar.gz

{ansible_vars-1.0.6 → ansible_vars-1.0.7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ansible-vars
-Version: 1.0.6
+Version: 1.0.7
 Summary: Manage vaults and variable files for Ansible
 Project-URL: Homepage, https://github.com/xorwow/ansible-vars
 Project-URL: Issues, https://github.com/xorwow/ansible-vars/issues
@@ -254,21 +254,23 @@ When editing a file or creating a daemon, decrypted vaults are written to disk t
 
 ## Known issues and limitations
 
-- YAML round-trip parser
+- YAML round-trip parser:
     - Trailing comments and Jinja2 blocks may be misaligned and a trailing newline may be inserted/removed when switching between folded (`|`, `>`) and non-foldes values.
     - The `set` and `del` commands may remove trailing comments and Jinja2 blocks.
     - Explicit start/end markers (`---`, `...`) are not preserved.
     - Supports lists, dictionaries, and scalar values.
     - Does not support custom YAML tags (`!tag`).
-- Ansible
+- Ansible:
     - Ansible only directly supports encrypted string values (although you can work around this with the `from_yaml` filter).
     - Ansible-encrypted strings must include a newline between the envelope and the cipher.
     - Ansible vault and variable file roots must be a dictionary.
-- `grep` command
+- `grep` command:
     - Will ignore files which cannot be parsed as an Ansible YAML file.
-- `file-daemon` command
+- `file-daemon` command:
     - Changes to file metadata (permissions, ...) are not mirrored.
-- `ansible-vars` cannot operate on files which are not (Jinja2) YAML dictionaries.
+- `ansible-vars` does not support files which are not (Jinja2) YAML dictionaries, except for limited support in these commands:
+    - `edit`, `view` (without `--json` support), `encrypt`, `decrypt`, `is-encrypted`
+- When a vault is modified, all of its ciphers will change due to new salts, even if only one encrypted variable has been changed.
 
 ## Extension plans
 

{ansible_vars-1.0.6 → ansible_vars-1.0.7}/README.md

@@ -232,21 +232,23 @@ When editing a file or creating a daemon, decrypted vaults are written to disk t
 
 ## Known issues and limitations
 
-- YAML round-trip parser
+- YAML round-trip parser:
     - Trailing comments and Jinja2 blocks may be misaligned and a trailing newline may be inserted/removed when switching between folded (`|`, `>`) and non-foldes values.
     - The `set` and `del` commands may remove trailing comments and Jinja2 blocks.
     - Explicit start/end markers (`---`, `...`) are not preserved.
     - Supports lists, dictionaries, and scalar values.
     - Does not support custom YAML tags (`!tag`).
-- Ansible
+- Ansible:
     - Ansible only directly supports encrypted string values (although you can work around this with the `from_yaml` filter).
     - Ansible-encrypted strings must include a newline between the envelope and the cipher.
     - Ansible vault and variable file roots must be a dictionary.
-- `grep` command
+- `grep` command:
     - Will ignore files which cannot be parsed as an Ansible YAML file.
-- `file-daemon` command
+- `file-daemon` command:
     - Changes to file metadata (permissions, ...) are not mirrored.
-- `ansible-vars` cannot operate on files which are not (Jinja2) YAML dictionaries.
+- `ansible-vars` does not support files which are not (Jinja2) YAML dictionaries, except for limited support in these commands:
+    - `edit`, `view` (without `--json` support), `encrypt`, `decrypt`, `is-encrypted`
+- When a vault is modified, all of its ciphers will change due to new salts, even if only one encrypted variable has been changed.
 
 ## Extension plans
 

{ansible_vars-1.0.6 → ansible_vars-1.0.7}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "ansible-vars"
-version = "1.0.6"
+version = "1.0.7"
 authors = [
   { name="xorwow", email="pip@xorwow.de" },
 ]

{ansible_vars-1.0.6 → ansible_vars-1.0.7}/src/ansible_vars/cli.py

@@ -39,7 +39,7 @@ from .vault import VaultFile, EncryptedVar, ProtoEncryptedVar
 from .vault_crypt import VaultKey, VaultKeyring
 from .util import DiffFileLogger, VaultDaemon
 from .constants import Unset, MatchLocation, SENTINEL_KEY
-from .errors import YAMLFormatError
+from .errors import YAMLFormatError, UnsupportedGenericFileOperation
 
 ## CLI argument parsing
 
@@ -253,11 +253,17 @@ log_args.add_argument('--logging-key', '-Q', type=str, metavar='<identifier>', h
 # Commands
 commands = args.add_subparsers(dest='command', metavar='<command>', required=True)
 
-cmd_keyring = commands.add_parser('keyring', help='show available vault keys and their passphrases', description=HELP['cmd_keyring'])
+cmd_keyring = commands.add_parser(
+    'keyring', help='show available vault keys and their passphrases', description=HELP['cmd_keyring'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_keyring.add_argument('--json', '-j', action='store_true', dest='as_json', help='print the vault keys as JSON and nothing else')
 cmd_keyring.add_argument('--keys-only', '-o', action='store_false', dest='show_passphrases', help='show only the vault keys, not the passphrases')
 
-cmd_create = commands.add_parser('create', help='create a new vault', description=HELP['cmd_create'])
+cmd_create = commands.add_parser(
+    'create', help=f"create a new vault ({ 'hybrid/plain' if DEFAULT_CREATE_PLAIN else 'fully encrypted' } by default)",
+    description=HELP['cmd_create'], formatter_class=RawDescriptionHelpFormatter
+)
 cmd_create.add_argument('vault_path', type=str, metavar='<vault path>', help='path to create a new vault at') \
     .completer = _prefixed_path_completer # type: ignore
 # Invert flag if the user wants plain mode by default
@@ -266,50 +272,74 @@ if DEFAULT_CREATE_PLAIN:
 else:
     cmd_create.add_argument('--plain', '-p', action='store_false', dest='encrypt_vault', help='create without full file encryption')
 cmd_create.add_argument('--make-parents', '-m', action='store_true', help='create all directories in the given path')
-cmd_mutex = cmd_create.add_mutually_exclusive_group()
-cmd_mutex.add_argument('--no-edit', '-n', action='store_false', dest='open_edit_mode', help='just create the file, don\'t open it for editing')
-cmd_mutex.add_argument(
+create_mutex = cmd_create.add_mutually_exclusive_group()
+create_mutex.add_argument('--no-edit', '-n', action='store_false', dest='open_edit_mode', help='just create the file, don\'t open it for editing')
+create_mutex.add_argument(
     '--edit-command', '-e', type=str, default=DEFAULT_EDITOR, help=f"editor command to use (runs as <command> <some path>) (default: { DEFAULT_EDITOR })"
 )
 
-cmd_edit = commands.add_parser('edit', help='edit a vault', description=HELP['cmd_edit'])
+cmd_edit = commands.add_parser(
+    'edit', help='edit a vault', description=HELP['cmd_edit'], formatter_class=RawDescriptionHelpFormatter
+)
 cmd_edit.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to edit') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_edit.add_argument(
     '--edit-command', '-e', type=str, default=DEFAULT_EDITOR, help=f"editor command to use (runs as <command> <some path>) (default: { DEFAULT_EDITOR })"
 )
 
-cmd_view = commands.add_parser('view', help='show the decrypted contents of a vault')
+cmd_view = commands.add_parser(
+    'view', help='show the decrypted contents of a vault', formatter_class=RawDescriptionHelpFormatter
+)
 cmd_view.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to dump') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_view.add_argument('--json', '-j', action='store_true', dest='as_json', help='print the vault data as JSON and nothing else')
 
-cmd_info = commands.add_parser('info', help='show information about a vault\'s variables', description=HELP['cmd_info'])
+cmd_info = commands.add_parser(
+    'info', help='show information about a vault\'s variables', description=HELP['cmd_info'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_info.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to analyze') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_info.add_argument('--json', '-j', action='store_true', dest='as_json', help='print the information as JSON and nothing else')
 
-cmd_encrypt = commands.add_parser('encrypt', help='encrypt a file in-place or a string with the encryption key', description=HELP['cmd_encrypt'])
+cmd_encrypt = commands.add_parser(
+    'encrypt', help='encrypt a file in-place or a string with the encryption key', description=HELP['cmd_encrypt'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_encrypt.add_argument('target_type', type=str, choices=['file', 'string'], help='select if target is a file path or a string')
 cmd_encrypt.add_argument('target', type=str, metavar='<vault path | string>', help='path of vault or string value to encrypt') \
     .completer = _prefixed_path_completer # type: ignore
+cmd_encrypt.add_argument('--quiet', '-q', action='store_true', help='only output the encrypted value (ignored in file mode)')
 
-cmd_decrypt = commands.add_parser('decrypt', help='decrypt a file in-place or a string', description=HELP['cmd_decrypt'])
+cmd_decrypt = commands.add_parser(
+    'decrypt', help='decrypt a file in-place or a string', description=HELP['cmd_decrypt'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_decrypt.add_argument('target_type', type=str, choices=['file', 'string'], help='select if target is a file path or a string')
 cmd_decrypt.add_argument('target', type=str, metavar='<vault path | string>', help='path of vault or string value to decrypt') \
     .completer = _prefixed_path_completer # type: ignore
+cmd_decrypt.add_argument('--quiet', '-q', action='store_true', help='only output the decrypted value (ignored in file mode)')
 
-cmd_is_enc = commands.add_parser('is-encrypted', help='check if a file or string is vault-encrypted', description=HELP['cmd_is_enc'])
+cmd_is_enc = commands.add_parser(
+    'is-encrypted', help='check if a file or string is vault-encrypted', description=HELP['cmd_is_enc'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_is_enc.add_argument('target_type', type=str, choices=['file', 'string'], help='select if target is a file path or a string')
 cmd_is_enc.add_argument('target', type=str, metavar='<vault path | string>', help='path of vault or string value to check') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_is_enc.add_argument('--quiet', '-q', action='store_true', help='no output, only set the rc to 0 if encrypted or 100 if unencrypted')
 
-cmd_convert = commands.add_parser('convert', help='switch vault between outer (file) and inner (vars) encryption', description=HELP['cmd_convert'])
+cmd_convert = commands.add_parser(
+    'convert', help='switch vault between outer (file) and inner (vars) encryption', description=HELP['cmd_convert'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_convert.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to convert') \
     .completer = _prefixed_path_completer # type: ignore
 
-cmd_grep = commands.add_parser('grep', help='search a file or folder for a pattern', description=HELP['cmd_grep'])
+cmd_grep = commands.add_parser(
+    'grep', help='search a file or folder for a pattern', description=HELP['cmd_grep'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_grep.add_argument('query', type=str, metavar='<pattern>', help='regex query to match with targets')
 cmd_grep.add_argument('targets', type=str, nargs='+', metavar='[<target> ...]', help='file(s) or folder(s) to search recursively') \
     .completer = _prefixed_path_completer # type: ignore
@@ -324,21 +354,30 @@ grep_mutex_type.add_argument('--multiline', '-m', action='store_true', help='mak
 cmd_grep.add_argument('--json', '-j', action='store_true', dest='as_json', help='print the matches as JSON and nothing else')
 cmd_grep.add_argument('--quiet', '-q', action='store_true', help='no output, only set the rc to 0 if any matches found or 100 if none found')
 
-cmd_diff = commands.add_parser('diff', help='show line differences between two vaults', description=HELP['cmd_diff'])
+cmd_diff = commands.add_parser(
+    'diff', help='show line differences between two vaults', description=HELP['cmd_diff'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_diff.add_argument('old_vault', type=str, metavar='<old vault vault path>', help='path of "old"/base vault') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_diff.add_argument('new_vault', type=str, metavar='<new vault vault path>', help='path of "new"/changed vault') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_diff.add_argument('--context-lines', '-c', type=int, metavar='<amount>', default=3, help='show <amount> lines of context around changed lines (default: 3)')
 
-cmd_changes = commands.add_parser('changes', help='show var changes between vaults', description=HELP['cmd_changes'])
+cmd_changes = commands.add_parser(
+    'changes', help='show var changes between vaults', description=HELP['cmd_changes'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_changes.add_argument('old_vault', type=str, metavar='<old vault vault path>', help='path of "old"/base vault') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_changes.add_argument('new_vault', type=str, metavar='<new vault vault path>', help='path of "new"/changed vault') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_changes.add_argument('--json', '-j', action='store_true', dest='as_json', help='print added/changed/removed/decrypted vars as JSON and nothing else')
 
-cmd_daemon = commands.add_parser('file-daemon', help='sync decrypted vault copies into a folder', description=HELP['cmd_daemon'])
+cmd_daemon = commands.add_parser(
+    'file-daemon', help='sync decrypted vault copies into a folder', description=HELP['cmd_daemon'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_daemon.add_argument('target_root', type=str, metavar='<target root path>', help='root folder the decrypted files and folders should be synced into (non-existent or empty)') \
     .completer = _prefixed_path_completer # type: ignore
 # This arg can be repeated (results in [ [source, rel_target], ... ])
@@ -350,7 +389,10 @@ cmd_daemon.add_argument('--no-recurse', '-n', action='store_false', dest='recurs
 cmd_daemon.add_argument('--no-default-dirs', '-N', action='store_false', dest='include_default_dirs', help='don\'t include default sync sources')
 cmd_daemon.add_argument('--force', '-f', action='store_true', help='if the target root already exists and is not empty, delete its contents')
 
-cmd_get = commands.add_parser('get', help='get a key\'s (decrypted) value if it exists', description=HELP['cmd_get'])
+cmd_get = commands.add_parser(
+    'get', help='get a key\'s (decrypted) value if it exists', description=HELP['cmd_get'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_get.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to get value from') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_get.add_argument('key_segments', type=str, nargs='+', metavar='<key segment> [<key segment> ...]', help='segment(s) of the key to look up (`[<num>]` for numbers)')
@@ -359,14 +401,20 @@ get_mutex_format = cmd_get.add_mutually_exclusive_group()
 get_mutex_format.add_argument('--quiet', '-q', action='store_true', help='only output the raw YAML value or set the rc to 100 if the key doesn\'t exist')
 get_mutex_format.add_argument('--json', '-j', action='store_true', dest='as_json', help='print the value as JSON or set the rc to 100 if the key doesn\'t exist')
 
-cmd_set = commands.add_parser('set', help='update a key\'s value or add a new key (experimental!)', description=HELP['cmd_set'])
+cmd_set = commands.add_parser(
+    'set', help='update a key\'s value or add a new key (experimental!)', description=HELP['cmd_set'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_set.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to set value in') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_set.add_argument('value', type=str, metavar='<value>', help='value to set (will be loaded as YAML)')
 cmd_set.add_argument('key_segments', type=str, nargs='+', metavar='<key segment> [<key segment> ...]', help='segment(s) of the key to look up (`[<num>]` for numbers)')
 cmd_set.add_argument('--encrypt', '-e', action='store_true', dest='encrypt_value', help='encrypt the value if it is\'t encrypted yet')
 
-cmd_del = commands.add_parser('del', help='delete a key and its value if they exist (experimental!)', description=HELP['cmd_del'])
+cmd_del = commands.add_parser(
+    'del', help='delete a key and its value if they exist (experimental!)', description=HELP['cmd_del'],
+    formatter_class=RawDescriptionHelpFormatter
+)
 cmd_del.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to delete key from') \
     .completer = _prefixed_path_completer # type: ignore
 cmd_del.add_argument('key_segments', type=str, nargs='+', metavar='<key segment> [<key segment> ...]', help='segment(s) of the key to look up (`[<num>]` for numbers)')
@@ -582,7 +630,30 @@ if config.command in [ 'create', 'edit' ]:
         vault = VaultFile.create(vault_path, full_encryption=config.encrypt_vault, permissions=0o600, keyring=keyring)
         print(f"Created { 'encrypted' if vault.full_encryption else 'plain' } vault at { vault_path }", Color.GOOD)
     else:
-        vault = VaultFile(vault_path, keyring=keyring)
+        try:
+            vault = VaultFile(vault_path, keyring=keyring)
+        except YAMLFormatError:
+            print('Invalid vault format, will be treated as a generic file', Color.MEH)
+            with NamedTemporaryFile(mode='w+', dir=config.temp_dir, prefix='vaultlike_') as edit_file:
+                with open(vault_path, 'r+') as file:
+                    # Load and decrypt file
+                    content: str = file.read()
+                    if (is_enc := VaultKey.is_encrypted(content)):
+                        content = keyring.decrypt(content)
+                    # Let user edit the content in a temporary file
+                    edit_file.write(content)
+                    edit_file.flush()
+                    sys_command(f"{ config.edit_command } { edit_file.name }", shell=True)
+                    edit_file.seek(0)
+                    # Encrypt the new content and write it back
+                    new_content: str = edit_file.read()
+                    if is_enc:
+                        new_content = keyring.encrypt(new_content)
+                    file.seek(0)
+                    file.truncate()
+                    file.write(new_content)
+                    print(f"Saved changes!", Color.GOOD)
+            exit()
     # Open vault for edit mode
     if getattr(config, 'open_edit_mode', True):
         print(f"Editing vault at { vault_path }")
@@ -591,6 +662,7 @@ if config.command in [ 'create', 'edit' ]:
             # Write vault contents to temp file
             editable: str = vault.as_editable()
             edit_file.write(editable)
+            edit_file.flush()
             while True:
                 # Open editor and wait for it to close
                 edit_file.seek(0)
@@ -613,18 +685,23 @@ if config.command in [ 'create', 'edit' ]:
                             break
                     new_vault.save()
                     print(f"Saved changes!", Color.GOOD)
-                    # Warn about decrypted variables
-                    if (changes := new_vault.changes(vault))[0]:
-                        print(f"\n[!] The following vars have been decrypted in this edit:", Color.MEH)
-                        print('\n'.join([ f"- { format_key_path(path) }" for path in changes[0] ]))
-                    # Inform about new plain leaf variables
+                    decrypted_vars:   list[tuple[Hashable, ...]] = []
                     new_plain_leaves: list[tuple[Hashable, ...]] = []
                     def _find_new_plain_vars(path: tuple[Hashable, ...], value: Any) -> Any:
                         if path != ( SENTINEL_KEY, ) and type(value) is not EncryptedVar:
-                            if vault.get(path, default=Unset) != value:
-                                new_plain_leaves.append(path)
+                            if (old_value := vault.get(path, default=Unset)) != value:
+                                std_print(path[-1], type(old_value), type(value))
+                                if type(old_value) is EncryptedVar:
+                                    decrypted_vars.append(path)
+                                else:
+                                    new_plain_leaves.append(path)
                         return value
                     vault._transform_leaves(new_vault._data, _find_new_plain_vars, tuple())
+                    # Warn about decrypted variables
+                    if decrypted_vars:
+                        print(f"\n[!] The following vars have been decrypted in this edit:", Color.MEH)
+                        print('\n'.join([ f"- { format_key_path(path) }" for path in decrypted_vars ]))
+                    # Warn about new plain leaf variables
                     if not new_vault.full_encryption and new_plain_leaves:
                         print(f"\n[!] The following plain vars have been added in this edit:", Color.MEH)
                         print('\n'.join([ f"- { format_key_path(path) }" for path in new_plain_leaves ]))
@@ -639,11 +716,18 @@ if config.command in [ 'create', 'edit' ]:
 
 if config.command == 'view':
     vault_path: str = resolve_vault_path(config.vault_path)
-    vault = VaultFile(vault_path, keyring=keyring)
-    if config.as_json:
-        print_json(vault.as_json())
-    else:
-        print_yaml(vault.as_plain())
+    try:
+        vault = VaultFile(vault_path, keyring=keyring)
+        if config.as_json:
+            print_json(vault.as_json())
+        else:
+            print_yaml(vault.as_plain())
+    except YAMLFormatError:
+        if config.as_json:
+            raise UnsupportedGenericFileOperation(operation='--json')
+        with open(vault_path) as file:
+            content: str = file.read()
+            print(keyring.decrypt(content) if VaultKey.is_encrypted(content) else content)
 
 # Info command
 
@@ -684,27 +768,53 @@ if config.command in [ 'encrypt', 'decrypt', 'is-encrypted' ]:
     # File target
     if config.target_type == 'file':
         vault_path: str = resolve_vault_path(config.target)
-        vault = VaultFile(vault_path, keyring=keyring)
+        is_generic: bool = False
+        try:
+            vault = VaultFile(vault_path, keyring=keyring)
+            is_enc: bool = vault.full_encryption
+        except YAMLFormatError as e:
+            print('Invalid vault format, will be treated as a generic file', Color.MEH)
+            with open(vault_path) as file:
+                is_enc = VaultKey.is_encrypted(file.read())
+            is_generic = True
         if config.command in [ 'encrypt', 'decrypt' ]:
-            if vault.full_encryption == (config.command == 'encrypt'):
-                print(f"Vault is already { 'en' if vault.full_encryption else 'de' }crypted.")
+            if is_enc == (config.command == 'encrypt'):
+                print(f"Vault is already { 'en' if is_enc else 'de' }crypted.", Color.GOOD)
             else:
-                vault.full_encryption = (config.command == 'encrypt')
-                vault.save()
-                print(f"Vault { 'en' if vault.full_encryption else 'de' }crypted.", Color.GOOD)
+                is_enc = (config.command == 'encrypt')
+                # Generic file
+                if is_generic:
+                    with open(vault_path, 'r+') as file:
+                        content: str = file.read()
+                        file.seek(0)
+                        file.truncate()
+                        file.write(keyring.encrypt(content) if is_enc else keyring.decrypt(content))
+                # Vault file
+                else:
+                    vault.full_encryption = is_enc # type: ignore
+                    vault.save() # type: ignore
+                print(f"Vault { 'en' if is_enc else 'de' }crypted.", Color.GOOD)
         else:
             if config.quiet:
-                exit(0 if vault.full_encryption else 100)
+                exit(0 if is_enc else 100)
             else:
-                print(f"Vault is { 'encrypted' if vault.full_encryption else 'plain or hybrid' }.", Color.GOOD if vault.full_encryption else Color.MEH)
+                print(f"Vault is { 'fully encrypted' if is_enc else 'plain or hybrid' }.", Color.GOOD if is_enc else Color.MEH)
     # String target
     else:
         is_encrypted: bool = VaultKey.is_encrypted(config.target)
+        # The key may not be passed properly, in which case we auto-convert literal '\n' to newlines
+        # We can assume an encrypted value should not contain any literal backslashes
+        if is_encrypted:
+            config.target = config.target.replace('\\n', '\n')
         if config.command in [ 'encrypt', 'decrypt' ]:
             if is_encrypted == (config.command == 'encrypt'):
-                print(f"Value is already { 'en' if is_encrypted else 'de' }crypted.")
+                if not config.quiet:
+                    print(f"Value is already { 'en' if is_encrypted else 'de' }crypted.", Color.GOOD)
+                else:
+                    print(config.target)
             else:
-                print(f"{ 'En' if not is_encrypted else 'De' }crypted value:", Color.GOOD)
+                if not config.quiet:
+                    print(f"{ 'En' if not is_encrypted else 'De' }crypted value:", Color.GOOD)
                 print(keyring.encrypt(config.target) if (config.command == 'encrypt') else keyring.decrypt(config.target))
         else:
             if config.quiet:
@@ -732,7 +842,7 @@ if config.command == 'convert':
         vault.save()
         print(f"Vault converted to { 'outer' if vault.full_encryption else 'inner' } encryption.", Color.GOOD)
         if not vault.full_encryption:
-            print('Please check the vault to make sure all secrets have been encrypted', Color.MEH)
+            print('Please check the vault to make sure all secrets have been encrypted!', Color.MEH)
     _convert()
 
 # Grep command

{ansible_vars-1.0.6 → ansible_vars-1.0.7}/src/ansible_vars/errors.py

@@ -2,6 +2,14 @@
 
 # YAML parsing
 
+class UnsupportedGenericFileOperation(Exception):
+    '''The requested operation or flag is not available for generic (i.e. non-YAML-dictionary) files.'''
+
+    def __init__(self, *args: object, operation: str | None = None) -> None:
+        super().__init__(
+            f"The requested operation or flag is not available for generic files{ f': { operation }' * bool(operation) }", *args
+        )
+
 class YAMLFormatError(Exception):
     '''The supplied content is not a valid Ansible YAML file. Supports passing the triggering parent exception.'''
     

{ansible_vars-1.0.6 → ansible_vars-1.0.7}/src/ansible_vars/util.py

@@ -282,7 +282,7 @@ class VaultDaemon(FileSystemEventHandler):
                     content: str = src.read()
                 with open(target_path, 'w') as tgt:
                     try:
-                        tgt.write(Vault(content, keyring=self.keyring).as_editable(with_header=False))
+                        tgt.write(Vault(content, keyring=self.keyring).as_plain())
                         self.debug(f"Created/Updated file { target_path } from vault contents")
                     except:
                         tgt.write(content)

{ansible_vars-1.0.6 → ansible_vars-1.0.7}/src/ansible_vars/vault.py

@@ -6,16 +6,14 @@ from io import StringIO
 from functools import reduce
 from typing import Type, Hashable, Callable, Any
 from types import MappingProxyType
-from collections import OrderedDict
 from difflib import unified_diff
 
 # External library imports
 from ruamel.yaml import YAML
 from ruamel.yaml.nodes import ScalarNode
-from ruamel.yaml.parser import CommentToken
 from ruamel.yaml.representer import Representer
 from ruamel.yaml.constructor import Constructor
-from ruamel.yaml.comments import CommentedMap, CommentedSeq
+from ruamel.yaml.comments import CommentedMap
 
 # Internal module imports
 from .constants import ThrowError, octal, Indexable, ChangeList, MatchLocation, SENTINEL_KEY, EDIT_MODE_HEADER, ENCRYPTED_VAR_TAG
@@ -53,7 +51,7 @@ class EncryptedVar():
         cipher: Any = constructor.construct_scalar(node)
         if not isinstance(cipher, str):
             raise TypeError(f"Expected encrypted value to be a str, but got { type(cipher) }")
-        return EncryptedVar(str(cipher), name=node.id)
+        return EncryptedVar(cipher, name=node.id)
 
 class ProtoEncryptedVar():
     '''A variable marked to be encrypted in a `Vault` editable.'''
@@ -77,14 +75,14 @@ class ProtoEncryptedVar():
 
     @classmethod
     def to_yaml(ProtoEncryptedVar: Type['ProtoEncryptedVar'], representer: Representer, var: 'ProtoEncryptedVar') -> Any:
-        return representer.represent_scalar(ENCRYPTED_VAR_TAG, var.plaintext, style='\'')
+        return representer.represent_scalar(ENCRYPTED_VAR_TAG, var.plaintext, style=('|' if '\n' in var.plaintext else ''))
 
     @classmethod
     def from_yaml(ProtoEncryptedVar: Type['ProtoEncryptedVar'], constructor: Constructor, node: ScalarNode) -> 'ProtoEncryptedVar':
         plaintext: Any = constructor.construct_scalar(node)
         if not isinstance(plaintext, str):
             raise TypeError(f"Expected decrypted value to be a str, but got { type(plaintext) }")
-        return ProtoEncryptedVar(str(plaintext).rstrip('\n'), name=node.id)
+        return ProtoEncryptedVar(plaintext.rstrip('\n'), name=node.id)
 
 class Vault():
     '''
@@ -205,7 +203,7 @@ class Vault():
         A read-only dictionary of the vault's variables, with any EncryptedVars already decrypted.
         Note that the state is frozen whenever you access this property, and not updated when the vault changes.
         '''
-        copy: dict = self._data.copy()
+        copy: dict = Vault._copy_data(self._data)
         copy.pop(SENTINEL_KEY, None)
         def _traverse_and_decrypt(root: Any) -> Any:
             if isinstance(root, dict):
@@ -495,7 +493,7 @@ class Vault():
 
     def as_plain(self) -> str:
         '''Returns the vault in fully decrypted form as Jinja2 YAML code with the original metadata.'''
-        copy: CommentedMap = self._data.copy()
+        copy: CommentedMap = Vault._copy_data(self._data)
         #copy.pop(SENTINEL_KEY, None) # <-- would break a file containing only metadata and the sentinel key
         def _decrypt_leaf(_: tuple[Hashable, ...], value: Any) -> Any:
             '''Transforms EncryptedVar leaves into decrypted strings.'''
@@ -510,7 +508,7 @@ class Vault():
         Returns the vault as Jinja2 YAML code with the original metadata.
         It is prepared for editing and later re-encryption with YAML tags and a static explanatory header.
         '''
-        copy: CommentedMap = self._data.copy()
+        copy: CommentedMap = Vault._copy_data(self._data)
         def _convert_to_proto(path: tuple[Hashable, ...], value: Any) -> Any:
             '''Marks encrypted leaves for encryption after editing.'''
             if type(value) is not EncryptedVar:
@@ -526,7 +524,7 @@ class Vault():
 
     def as_encrypted(self) -> str:
         '''Returns the vault as Jinja2 YAML code with the original metadata, with encrypted variables and full encryption if enabled.'''
-        copy: CommentedMap = self._data.copy()
+        copy: CommentedMap = Vault._copy_data(self._data)
         yaml_content: str = self._dump_to_str(copy)
         yaml_content = Vault._remove_sentinel(yaml_content)
         if self.full_encryption:
@@ -567,6 +565,23 @@ class Vault():
         self._parser.dump(data, builder)
         return builder.getvalue().strip('\n') + '\n'
 
+    @staticmethod
+    def _copy_data(data: Any) -> Any:
+        '''
+        Create a deep copy of any data, using the object's `copy()` method for dicts and lists.
+        Parser dicts and lists contain special data, and their copy function will preserve that.
+        The built-in `copy.deepcopy()` would require a `__deepcopy__` method for this to work.
+        Copying works for dicts and lists. Everything else is referenced normally.
+        Not thread-safe.
+        '''
+        if (is_dict := isinstance(data, dict)) or isinstance(data, list):
+            copy = data.copy()
+            keys = copy.keys() if is_dict else range(len(copy)) # type: ignore
+            for key in keys:
+                copy[key] = Vault._copy_data(copy[key])
+            return copy
+        return data
+
     # Comparing to older versions of this vault
 
     def diff(self, prev_vault: 'Vault', context_lines: int = 3, show_filenames: bool = True) -> str:
@@ -653,7 +668,7 @@ class Vault():
     def copy(self) -> 'Vault':
         '''Create a copy of this `Vault` instance.'''
         copy = Vault('', self.keyring)
-        copy._data = self._data.copy()
+        copy._data = Vault._copy_data(self._data)
         copy.full_encryption = self.full_encryption
         copy.keyring = self.keyring
         copy._parser = self._parser
@@ -804,7 +819,7 @@ class VaultFile(Vault):
     def copy(self) -> 'VaultFile':
         '''Create a copy of this `VaultFile` instance.'''
         copy: VaultFile = self.from_editable(self, '')
-        copy._data = self._data.copy()
+        copy._data = VaultFile._copy_data(self._data)
         copy.full_encryption = self.full_encryption
         copy.keyring = self.keyring
         copy._parser = self._parser

{ansible_vars-1.0.6 → ansible_vars-1.0.7}/src/ansible_vars/vault_crypt.py

@@ -70,7 +70,7 @@ class VaultKey():
         vault_cipher = VaultKey._strip_vault_tag(vault_cipher)
         try:
             decrypted: bytes = self._vaultlib.decrypt(vault_cipher)
-            return decrypted.decode('utf-8').strip()
+            return decrypted.decode('utf-8')
         except AnsibleVaultError as e:
             if e.message.startswith('Decryption failed (no vault secrets were found that could decrypt)'):
                 raise VaultKeyMatchError(f"Could not match cipher with { self }")