ansible-vars 1.0.8__tar.gz → 1.0.10__tar.gz

{ansible_vars-1.0.8 → ansible_vars-1.0.10}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ansible-vars
-Version: 1.0.8
+Version: 1.0.10
 Summary: Manage vaults and variable files for Ansible
 Project-URL: Homepage, https://github.com/xorwow/ansible-vars
 Project-URL: Issues, https://github.com/xorwow/ansible-vars/issues
@@ -178,6 +178,10 @@ Shows the amounts of encrypted and decrypted variables in a vault file. Supports
 
 En-/Decrypts or checks the encryption status of a file or string value. Note that only full file encryption is considered in file mode, a hybrid vault with individually encrypted variables will be counted as plain.
 
+#### rekey
+
+Re-encrypts a vault file with a different encryption key and/or salt. The key specified in the global `--encryption-key|-K <identifier>` flag is used for encryption, along with an optional fixed salt set via the global `--fixed-salt|-S <salt>` flag.
+
 #### convert
 
 Convenience function to convert between fully encrypted vaults and hybrid vaults. Useful if you wish to convert your "legacy" fully encrypted vaults to plain files with all string values individually encrypted. Works both ways.

{ansible_vars-1.0.8 → ansible_vars-1.0.10}/README.md

@@ -156,6 +156,10 @@ Shows the amounts of encrypted and decrypted variables in a vault file. Supports
 
 En-/Decrypts or checks the encryption status of a file or string value. Note that only full file encryption is considered in file mode, a hybrid vault with individually encrypted variables will be counted as plain.
 
+#### rekey
+
+Re-encrypts a vault file with a different encryption key and/or salt. The key specified in the global `--encryption-key|-K <identifier>` flag is used for encryption, along with an optional fixed salt set via the global `--fixed-salt|-S <salt>` flag.
+
 #### convert
 
 Convenience function to convert between fully encrypted vaults and hybrid vaults. Useful if you wish to convert your "legacy" fully encrypted vaults to plain files with all string values individually encrypted. Works both ways.

{ansible_vars-1.0.8 → ansible_vars-1.0.10}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "ansible-vars"
-version = "1.0.8"
+version = "1.0.10"
 authors = [
   { name="xorwow", email="pip@xorwow.de" },
 ]

{ansible_vars-1.0.8 → ansible_vars-1.0.10}/src/ansible_vars/cli.py

@@ -134,6 +134,10 @@ Decrypt a string and return it or fully decrypt a file in-place. Uses the first
 ''',
     'cmd_is_enc': '''
 Check if a string or file is (fully) vault-encrypted.
+''',
+    'cmd_rekey': '''
+Update a vault's ciphers with a new encryption key and/or salt.
+The key referenced by `--encryption-key|-K <identifier>` and/or the salt set by `--fixed-salt|-S <salt>` are used for re-encryption.
 ''',
     'cmd_convert': '''
 Switch a file between full outer and full inner encryption for convenient migrating between encryption schemes.
@@ -338,6 +342,13 @@ cmd_is_enc.add_argument('target', type=str, metavar='<vault path | string>', hel
     .completer = _prefixed_path_completer # type: ignore
 cmd_is_enc.add_argument('--quiet', '-q', action='store_true', help='no output, only set the rc to 0 if encrypted or 100 if unencrypted')
 
+cmd_rekey = commands.add_parser(
+    'rekey', help='update a vault\'s encryption key (from -K) and/or salt (from -S)', description=HELP['cmd_rekey'],
+    formatter_class=RawDescriptionHelpFormatter
+)
+cmd_rekey.add_argument('vault_path', type=str, metavar='<vault path>', help='path of vault to rekey') \
+    .completer = _prefixed_path_completer # type: ignore
+
 cmd_convert = commands.add_parser(
     'convert', help='switch vault between outer (file) and inner (vars) encryption', description=HELP['cmd_convert'],
     formatter_class=RawDescriptionHelpFormatter
@@ -765,12 +776,12 @@ if config.command == 'info':
         if encrypted_leaves:
             print('\n'.join([ f"- { format_key_path(key) }" for key in encrypted_leaves ]))
         else:
-            print('No encrypted vars')
+            print('None', Color.MEH)
         print('\nPlain leaf values:', Color.GOOD)
-        if encrypted_leaves:
+        if plain_leaves:
             print('\n'.join([ f"- { format_key_path(key) }" for key in plain_leaves ]))
         else:
-            print('No plain vars')
+            print('None', Color.MEH)
 
 # Encrypt & Decrypt & Is-Encrypted commands
 
@@ -832,6 +843,21 @@ if config.command in [ 'encrypt', 'decrypt', 'is-encrypted' ]:
             else:
                 print(f"Value is { 'encrypted' if is_encrypted else 'plain' }.", Color.GOOD if is_encrypted else Color.MEH)
 
+# Rekey command
+
+if config.command == 'rekey':
+    vault_path: str = resolve_vault_path(config.vault_path)
+    if not config.encryption_key:
+        print(f"No explicit encryption key specified, falling back to '{ keyring.encryption_key.id }'", Color.MEH)
+    # Since ciphers are usually not changed from load to save, we force re-encryption by loading from an editable
+    vault = VaultFile(vault_path, keyring=keyring)
+    vault = VaultFile.from_editable(vault, vault.as_editable())
+    vault.save()
+    print(
+        f"Re-encrypted vault with key '{ keyring.encryption_key.id }' and a { 'fixed' if config.fixed_salt else 'random' } salt",
+        Color.GOOD
+    )
+
 # Convert command
 
 if config.command == 'convert':