ansible-vars 1.0.7__py3-none-any.whl → 1.0.8__py3-none-any.whl

ansible_vars/cli.py

@@ -84,6 +84,10 @@ Specify vault keys to load for en-/decryption. Not required for vars files with
 A key is a combination of an identifier (can be a vault ID or anything else, ideally unique) and a passphrase.
 By default, available keys are auto-detected if your current directory contains an Ansible config and appended to the ones you supplied.
 If no explicit encryption key is specified, the first supplied/available key is used.
+
+[!] When editing a hybrid vault file, changing even a single variable will change all variables' ciphers, as salts are generated randomly.
+You can prevent this by passing a fixed salt via `-S <salt>`, which will result in any plaintext always resolving to the same cipher.
+For Ansible's AES-256, a length of at least 32 characters is recommended.
 ''',
     'log_args': '''
 Log a diff of any vault changes performed with this program to an encrypted or plain logfile, creating it if necessary.
@@ -198,6 +202,7 @@ DEFAULT_EDITOR: str = os.environ.get('EDITOR', 'notepad.exe' if os.name == 'nt'
 DEFAULT_COLOR_MODE: str = os.environ.get('AV_COLOR_MODE', '256' if sys.stdout.isatty() else 'none')
 DEFAULT_TEMP_DIR: str = os.environ.get('AV_TEMP_DIR', gettempdir())
 DEFAULT_CREATE_PLAIN: bool = os.environ.get('AV_CREATE_PLAIN', 'no').lower() in [ 'yes', 'y', 'true', 't', '1' ]
+DEFAULT_SALT: str | None = os.environ.get('AV_SALT', None)
 
 args: ArgumentParser = ArgumentParser(
     prog = 'ansible-vars',
@@ -243,6 +248,10 @@ key_args.add_argument(
 )
 key_args.add_argument('--no-detect-keys', '-D', action='store_false', dest='detect_keys', help='disable automatic key detection')
 key_args.add_argument('--encryption-key', '-K', type=str, metavar='<identifier>', help='which of the loaded keys to use for encryption')
+key_args.add_argument(
+    '--fixed-salt', '-S', type=str, metavar='<salt>', default=DEFAULT_SALT,
+    help='a fixed salt to use for encryption (should be 32+ chars!)'
+)
 
 log_args = args.add_argument_group('logging vault changes', description=HELP['log_args'])
 log_mutex = log_args.add_mutually_exclusive_group()
@@ -565,7 +574,7 @@ sys.excepthook = _exc_hook
 # Load vault keys
 
 _explicit_keys: list[VaultKey] = [ VaultKey(passphrase, vault_id=id) for id, passphrase in config.keys ]
-keyring = VaultKeyring(_explicit_keys.copy(), detect_available_keys=config.detect_keys)
+keyring = VaultKeyring(_explicit_keys.copy(), detect_available_keys=config.detect_keys, default_salt=config.fixed_salt)
 
 if config.encryption_key:
     keyring.default_encryption_key = keyring.key_by_id(config.encryption_key)
@@ -575,6 +584,8 @@ try:
     debug(f"Encryption key: { keyring.encryption_key.id }")
 except:
     debug('Encryption key: unavailable')
+if config.fixed_salt:
+    debug(f"Using fixed encryption salt: { config.fixed_salt }")
 
 # Set up logging
 
@@ -690,7 +701,6 @@ if config.command in [ 'create', 'edit' ]:
                     def _find_new_plain_vars(path: tuple[Hashable, ...], value: Any) -> Any:
                         if path != ( SENTINEL_KEY, ) and type(value) is not EncryptedVar:
                             if (old_value := vault.get(path, default=Unset)) != value:
-                                std_print(path[-1], type(old_value), type(value))
                                 if type(old_value) is EncryptedVar:
                                     decrypted_vars.append(path)
                                 else:

ansible_vars/util.py

@@ -338,7 +338,7 @@ class VaultDaemon(FileSystemEventHandler):
                         content: str = src.read()
                     with open(self.target_file, 'w') as tgt:
                         try:
-                            tgt.write(Vault(content, keyring=self.keyring).as_editable(with_header=False))
+                            tgt.write(Vault(content, keyring=self.keyring).as_plain())
                             self.debug(f"Created/Updated file { self.target_file } from vault contents")
                         except:
                             tgt.write(content)
@@ -373,7 +373,7 @@ class VaultDaemon(FileSystemEventHandler):
                 content: str = src.read()
             with open(target_path, 'w') as tgt:
                 try:
-                    tgt.write(Vault(content, keyring=self.keyring).as_editable(with_header=False))
+                    tgt.write(Vault(content, keyring=self.keyring).as_plain())
                     self.debug(f"Created/Updated file { target_path } from vault contents")
                 except:
                     tgt.write(content)

ansible_vars/vault_crypt.py

@@ -54,12 +54,12 @@ class VaultKey():
         '''
         return VaultLib.is_encrypted(VaultKey._strip_vault_tag(test_me))
 
-    def encrypt(self, plain: str) -> str:
-        '''Encrypts a string using this `VaultKey`'s secret.'''
+    def encrypt(self, plain: str, salt: str | None = None) -> str:
+        '''Encrypts a string using this `VaultKey`'s secret. You can specify an optional fixed salt (ideally 32+ chars).'''
         # Pass our secret directly to the encrypt call to skip expensive secret matching
         # Beware: the encrypt function takes a `secret`, but means just the VaultSecret and not a tuple of (vault_id, VaultSecret)
         # In other calls, `secret` or `secrets` may refer to the tuple(s)
-        return self._vaultlib.encrypt(plain, secret=self.secret, vault_id=self.id).decode('utf-8').strip()
+        return self._vaultlib.encrypt(plain, secret=self.secret, vault_id=self.id, salt=salt).decode('utf-8').strip()
 
     def decrypt(self, vault_cipher: str) -> str:
         '''
@@ -96,6 +96,7 @@ class VaultKeyring():
             self,
             keys: list[VaultKey] | None = None,
             default_encryption_key: VaultKey | None = None,
+            default_salt: str | None = None,
             detect_available_keys: bool = True
         ) -> None:
         '''
@@ -107,9 +108,13 @@ class VaultKeyring():
         
         When encrypting data, you can specify an explicit `VaultKey` to use. If none is specified, `default_encryption_key` is used.
         If no explicit or default keys are available, the first key of the `keys` parameter is used.
+
+        You can also set a fixed salt to use for encryption tasks, either passing it to the `encrypt` function directly
+        or as a `default_salt` here. A length of at least 32 chars is recommended for Ansible's AES-256.
         '''
         self.keys: list[VaultKey] = keys or []
         self.default_encryption_key: VaultKey | None = default_encryption_key
+        self.default_salt: str | None = default_salt
         if detect_available_keys:
             self.keys.extend(VaultKeyring.load_cli_secrets())
     
@@ -124,16 +129,15 @@ class VaultKeyring():
             raise NoVaultKeysError('No vault keys available for encryption')
         return self.default_encryption_key or self.keys[0]
 
-    def encrypt(self, plain: str, key: VaultKey | None = None) -> str:
+    def encrypt(self, plain: str, key: VaultKey | None = None, salt: str | None = None) -> str:
         '''
         Encrypts the given vault data using the supplied `VaultKey`.
         If no key is supplied, the `VaultKeyring`'s `default_encryption_key` is used.
         If that key is also unset, the first key of the `VaultKeyring`'s `keys` is used.
+        You can specify an optional fixed salt for encrypting (ideally 32+ chars).
         '''
         # If no key is provided, use the default encryption key or first key in `keys`
-        if not key:
-            key = self.encryption_key
-        return key.encrypt(plain)
+        return (key or self.encryption_key).encrypt(plain, salt=(salt or self.default_salt))
 
     def decrypt(self, vault_cipher: str, key: VaultKey | None = None) -> str:
         '''
@@ -143,7 +147,7 @@ class VaultKeyring():
 
         Expects a cipher with optional YAML tag preamble (`!vault | $ANSIBLE_VAULT;<options>\\n<cipher>`).
         '''
-        if not key and not self.keys:
+        if not (key or self.keys):
             raise NoVaultKeysError('No vault keys available for decryption')
         if key:
             return key.decrypt(vault_cipher)

{ansible_vars-1.0.7.dist-info → ansible_vars-1.0.8.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ansible-vars
-Version: 1.0.7
+Version: 1.0.8
 Summary: Manage vaults and variable files for Ansible
 Project-URL: Homepage, https://github.com/xorwow/ansible-vars
 Project-URL: Issues, https://github.com/xorwow/ansible-vars/issues
@@ -105,6 +105,10 @@ By default, the first loaded key is used for all encryption tasks. Note that aut
 
 You can disable automatic key detection by flagging `--no-encrypt-keys|-D`. Use `ansible-vars keyring` to view all available keys.
 
+#### Encryption salts
+
+Each time you edit a vault or otherwise encrypt a value, a randomly generated salt is used so even identical plain values will result in unique ciphers. However, this also means that each time a single encrypted variable is edited, all other ciphers in the vault will change as well. You can avoid this by passing a fixed salt via `--fixed-salt|-S <salt>`. Note that it should be at least 32 characters long and sufficiently random for Ansible's AES-256 encryption, and that you won't benefit from unique ciphers for identical plaintexts anymore.
+
 ### Diff logging
 
 **TL;DR:** You can use `-l <log directory>` to log changes to edited vaults to a vault-encrypted log file.
@@ -220,6 +224,10 @@ Set the tempfile/staging root as you would with `-T <path>`.
 
 Invert the default creation mode for files: If unset or `no`, files are created with full encryption unless specified otherwise via the `--plain|-p` flag. This behavior mirrors that of `ansible-vault`. When set to `yes`, the behavior and flag are inverted as files are created without encryption by default unless specified otherwise via the `--no-plain|-P` flag.
 
+#### AV_SALT
+
+Set a fixed salt as you would with `-S <salt>`.
+
 ### Python library
 
 When using `ansible-vars` as a library, import any of these modules from the `ansible_vars` module.
@@ -270,7 +278,6 @@ When editing a file or creating a daemon, decrypted vaults are written to disk t
     - Changes to file metadata (permissions, ...) are not mirrored.
 - `ansible-vars` does not support files which are not (Jinja2) YAML dictionaries, except for limited support in these commands:
     - `edit`, `view` (without `--json` support), `encrypt`, `decrypt`, `is-encrypted`
-- When a vault is modified, all of its ciphers will change due to new salts, even if only one encrypted variable has been changed.
 
 ## Extension plans
 

ansible_vars-1.0.8.dist-info/RECORD

@@ -0,0 +1,12 @@
+ansible_vars/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+ansible_vars/cli.py,sha256=TFPSuUmOTWjX6FF5aAd2PnJkyftSur9DfccYwzjQe6A,63959
+ansible_vars/constants.py,sha256=Nd3sIuSoOvyfUfHfnsnJBDGMW7eNzbMm1NAvEQio9hE,1624
+ansible_vars/errors.py,sha256=6dzyksPKWira9O2-Ir3MIOwr4XjN9MSBiRp5e6siY6Q,1256
+ansible_vars/util.py,sha256=UwGPBT19pee7lBpWuBzLPAvcrHUBAn6i1MrJvzM9OQ4,21265
+ansible_vars/vault.py,sha256=cMvFdtc3bw6yf-aChUEP34k2yafWS2UuubFO84De_rA,46383
+ansible_vars/vault_crypt.py,sha256=nh2k686nTI3yERIp-qzx5iDE1kZKg10YG019QeZDnLM,10019
+ansible_vars-1.0.8.dist-info/METADATA,sha256=KSO8y8E4DZeGzYjXKrnuj-aW8ni3TEAh1upcwGPdlL0,17967
+ansible_vars-1.0.8.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+ansible_vars-1.0.8.dist-info/entry_points.txt,sha256=RrhkEH0MbfRzflguVrfYfthsFC5V2fkFnizUG3uHMtQ,55
+ansible_vars-1.0.8.dist-info/licenses/LICENSE,sha256=ocyJHLG5wD12qB4uam2pqWTHIJmzloiyNyTex6Q2DKo,1062
+ansible_vars-1.0.8.dist-info/RECORD,,

ansible_vars-1.0.7.dist-info/RECORD

@@ -1,12 +0,0 @@
-ansible_vars/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-ansible_vars/cli.py,sha256=OAIXPLMTinS48e9Wn9YEhdHt6eaBHuU9Px1qZ5peCKY,63345
-ansible_vars/constants.py,sha256=Nd3sIuSoOvyfUfHfnsnJBDGMW7eNzbMm1NAvEQio9hE,1624
-ansible_vars/errors.py,sha256=6dzyksPKWira9O2-Ir3MIOwr4XjN9MSBiRp5e6siY6Q,1256
-ansible_vars/util.py,sha256=j6Ay_TXEyCm2OUBV7VRXlGjipKSAuklIHXSXIxbrzj0,21305
-ansible_vars/vault.py,sha256=cMvFdtc3bw6yf-aChUEP34k2yafWS2UuubFO84De_rA,46383
-ansible_vars/vault_crypt.py,sha256=Eotf1JVJcvrdae2gv2KMVor-x1D1IMREkONKgKdtT2A,9493
-ansible_vars-1.0.7.dist-info/METADATA,sha256=otjXXgLP1_XT-Xykt9_V8nyIi65aoRAKM2ukGxdu5pU,17464
-ansible_vars-1.0.7.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-ansible_vars-1.0.7.dist-info/entry_points.txt,sha256=RrhkEH0MbfRzflguVrfYfthsFC5V2fkFnizUG3uHMtQ,55
-ansible_vars-1.0.7.dist-info/licenses/LICENSE,sha256=ocyJHLG5wD12qB4uam2pqWTHIJmzloiyNyTex6Q2DKo,1062
-ansible_vars-1.0.7.dist-info/RECORD,,