Current File : //lib/python3.9/site-packages/ansible/parsing/vault/__pycache__/__init__.cpython-39.pyc

a

�)g0��@s�ddlmZmZmZeZddlZddlZddlZddl	Z	ddl
Z
ddlZddlZddl
Z
ddlZddlZddlmZddlmZddlmZdZdZz�e���(e�de�ddlmZWd�n1s�0Ydd	lmZdd
lmZm Z ddl!m"Z"ddl#m$Z$dd
l%m&Z'm(Z(m)Z)e�ZdZWne*�y>Yn0ddl+m,Z,m-Z-ddl.m/Z0ddl1m2Z2ddl3m4Z4m5Z5m6Z6ddl7m8Z8ddl9m:Z:m;Z;e8�Z<dZ=e>d�Z?e>d�Z@dZAGdd�de,�ZBGdd�deB�ZCGdd�de,�ZDdd�ZEdNd!d"�ZFdOd#d$�ZGdPd%d&�ZHdQd'd(�ZId)d*�ZJd+d,�ZKd-d.�ZLdRd/d0�ZMGd1d2�d2�ZNGd3d4�d4eN�ZOd5d6�ZPdSd7d8�ZQGd9d:�d:eN�ZRGd;d<�d<eR�ZSGd=d>�d>eS�ZTd?d@�ZUdAdB�ZVdTdCdD�ZWdUdEdF�ZXGdGdH�dH�ZYGdIdJ�dJ�ZZGdKdL�dL�Z[dMe[iZ\dS)V�)�absolute_import�division�print_functionN)�hexlify)�	unhexlify)�ErrorF�ignore)�InvalidSignature)�default_backend)�hashes�padding)�HMAC)�
PBKDF2HMAC)�Cipher�
algorithms�modesT)�AnsibleError�AnsibleAssertionError)�	constants)�binary_type)�to_bytes�to_text�	to_native)�Display)�
makedirs_safe�unfrackpaths$ANSIBLE_VAULT)�AES256zDansible-vault requires the cryptography library in order to functionc@seZdZdS)�AnsibleVaultErrorN��__name__�
__module__�__qualname__�r"r"�B/usr/lib/python3.9/site-packages/ansible/parsing/vault/__init__.pyrJsrc@seZdZdS)�AnsibleVaultPasswordErrorNrr"r"r"r#r$Nsr$c@seZdZdS)�AnsibleVaultFormatErrorNrr"r"r"r#r%Rsr%c	CsJztt|dddd�ddd�}Wnttfy6YdS0|�t�rFdSdS)z� Test if this is vault encrypted data blob

    :arg data: a byte or text string to test whether it is recognized as vault
        encrypted data
    :returns: True if it is recognized.  Otherwise, False.
    �ascii�strict)�encoding�errors�	nonstring)r(r)FT)rr�UnicodeError�	TypeError�
startswith�b_HEADER)�data�b_datar"r"r#�is_encryptedVs
r1���c	Cs>|��}z$|�|�t|�|��W|�|�S|�|�0dS)aTest if the contents of a file obj are a vault encrypted data blob.

    :arg file_obj: A file object that will be read from.
    :kwarg start_pos: A byte offset in the file to start reading the header
        from.  Defaults to 0, the beginning of the file.
    :kwarg count: Read up to this number of bytes from the file to determine
        if it looks like encrypted vault data.  The default is -1, read to the
        end of file.
    :returns: True if the file looks like a vault file. Otherwise, False.
    N)�tell�seekr1�read)Zfile_objZ	start_pos�countZcurrent_positionr"r"r#�is_encrypted_filels

�r7cCst|��}|d���d�}|d��}t|d���}|}t|�dkrVt|d���}d�|dd��}||||fS)Nr�;�����)�
splitlines�strip�splitr�len�join)�b_vaulttext_envelope�default_vault_id�	b_tmpdataZb_tmpheader�	b_version�cipher_name�vault_id�b_ciphertextr"r"r#�_parse_vaulttext_envelope�srJc
Csh|ptj}zt||�WStyb}z4d}|r:|d|7}|d|7}t|��WYd}~n
d}~00dS)a�Parse the vaulttext envelope

    When data is saved, it has a header prepended and is formatted into 80
    character lines.  This method extracts the information from the header
    and then removes the header and the inserted newlines.  The string returned
    is suitable for processing by the Cipher classes.

    :arg b_vaulttext: byte str containing the data from a save file
    :kwarg default_vault_id: The vault_id name to use if the vaulttext does not provide one.
    :kwarg filename: The filename that the data came from.  This is only
        used to make better error messages in case the data cannot be
        decrypted. This is optional.
    :returns: A tuple of byte str of the vaulttext suitable to pass to parse_vaultext,
        a byte str of the vault format version,
        the name of the cipher used, and the vault_id.
    :raises: AnsibleVaultFormatError: if the vaulttext_envelope format is invalid
    zVault envelope format error� in %s�: %sN)�CZDEFAULT_VAULT_IDENTITYrJ�	Exceptionr%)rCrD�filename�exc�msgr"r"r#�parse_vaulttext_envelope�s
rRc
s�|std��|pd}|r$|dkr$d}t|ddd�}t|ddd�}t|ddd�}t||g}|dkrn|rn|�|�d	�|�}|g}	|	�fd
d�tdt��d
�D�7}	|	dg7}	d�|	�}	|	S)a� Add header and format to 80 columns

        :arg b_ciphertext: the encrypted and hexlified data as a byte string
        :arg cipher_name: unicode cipher name (for ex, u'AES256')
        :arg version: unicode vault version (for ex, '1.2'). Optional ('1.1' is default)
        :arg vault_id: unicode vault identifier. If provided, the version will be bumped to 1.2.
        :returns: a byte str that should be dumped into a file.  It's
            formatted to 80 char columns and has the header prepended
    z-the cipher must be set before adding a headerz1.1�defaultz1.2�utf-8r'�r)�1.2r8csg|]}�||d��qS)�Pr")�.0�i�rIr"r#�
<listcomp>�r=z-format_vaulttext_envelope.<locals>.<listcomp>rrWr=�
)rrr.�appendrB�rangerA)
rIrG�versionrHrFZ
b_vault_idZ
b_cipher_nameZheader_parts�header�b_vaulttextr"rZr#�format_vaulttext_envelope�s(�

"

rbc
CsDz
t|�WSttfy>}ztd|��WYd}~n
d}~00dS)Nz Vault format unhexlify error: %s)r�
BinasciiErrorr,r%)r0rPr"r"r#�
_unhexlify�s
rdcCs4t|�}|�dd�\}}}t|�}t|�}|||fS)Nr\r:)rdr@)ra�b_salt�b_crypted_hmacrIr"r"r#�_parse_vaulttext�s
rgc
CsVz
t|�WSty�Yn4tyP}zd|}t|��WYd}~n
d}~00dS)awParse the vaulttext

    :arg b_vaulttext: byte str containing the vaulttext (ciphertext, salt, crypted_hmac)
    :returns: A tuple of byte str of the ciphertext suitable for passing to a
        Cipher class's decrypt() function, a byte str of the salt,
        and a byte str of the crypted_hmac
    :raises: AnsibleVaultFormatError: if the vaulttext format is invalid
    z Vault vaulttext format error: %sN)rgr%rN)rarPrQr"r"r#�parse_vaulttext�s

rhcCs|pd}|st|��dS)z�Check the secret against minimal requirements.

    Raises: AnsibleVaultPasswordError if the password does not meet requirements.

    Currently, only requirement is that the password is not None or an empty string.
    z#Invalid vault password was providedN)r$)�secretrQr"r"r#�verify_secret_is_not_empty�srjc@s.eZdZdZd	dd�Zedd��Zdd�ZdS)
�VaultSecretzKOpaque/abstract objects for a single vault secret. ie, a password or a key.NcCs
||_dS�N��_bytes)�selfrnr"r"r#�__init__szVaultSecret.__init__cCs|jS)z�The secret as a bytestring.

        Sub classes that store text types will need to override to encode the text to bytes.
        rm�ror"r"r#�bytesszVaultSecret.bytescCs|jSrlrmrqr"r"r#�loadszVaultSecret.load)N)rr r!�__doc__rp�propertyrrrsr"r"r"r#rks


rkcsHeZdZdgZd
�fdd�	Zedd��Zdd�Zd	d
�Zdd�Z	�Z
S)�PromptVaultSecretzVault password (%s): Ncs4tt|�j|d�||_|dur*|j|_n||_dS)Nrm)�superrvrprH�default_prompt_formats�prompt_formats)rornrHry��	__class__r"r#rp!s

zPromptVaultSecret.__init__cCs|jSrlrmrqr"r"r#rr*szPromptVaultSecret.bytescCs|��|_dSrl)�ask_vault_passwordsrnrqr"r"r#rs.szPromptVaultSecret.loadc	Cs�g}|jD]j}|d|ji}ztj|dd�}Wn tyNtd|j��Yn0t|�t|ddd���}|�	|�q
|D]}|�
|d|�qz|r�|dSdS)	NrHT)Zprivatez$EOFError (ctrl-d) on prompt for (%s)r'Z
simplerepr)r)r*r)ryrH�display�prompt�EOFErrorrrjrr?r]�confirm)roZb_vault_passwordsZ
prompt_formatr~�
vault_passZb_vault_passZb_vault_passwordr"r"r#r|1s
z%PromptVaultSecret.ask_vault_passwordscCs||krtd��dS)NzPasswords do not match)r)roZb_vault_pass_1Zb_vault_pass_2r"r"r#r�IszPromptVaultSecret.confirm)NNN)rr r!rxrprurrrsr|r��
__classcell__r"r"rzr#rvs	
rvcCs"tj�|�\}}|�d�rdSdS)zWDetermine if a vault secret script is a client script that can be given --vault-id argsz-clientTF)�os�path�splitext�endswith)rO�script_name�dummyr"r"r#�script_is_clientQs
r�cCstt|dd�}tj�|�s$td|��|�|�rft|�rXt�dt	|��t
||||d�St|||d�St|||d�S)zI Get secret from file content or execute file and get secret from stdout F)�followz(The vault password file %s was not foundz.The vault password file %s is a client script.)rOrHr(�loader�rOr(r�)
rr�r��existsr�
is_executabler�r}�vvvvr�ClientScriptVaultSecret�ScriptVaultSecret�FileVaultSecret)rOrHr(r�Z	this_pathr"r"r#�get_file_vault_secret_s
r�csBeZdZd�fdd�	Zedd��Zdd�Zdd	�Zd
d�Z�Z	S)
r�Ncs4tt|���||_||_|p d|_d|_d|_dS)N�utf8)rwr�rprOr�r(rn�_text)rorOr(r�rzr"r#rp{s
zFileVaultSecret.__init__cCs$|jr|jS|jr |j�|j�SdSrl)rnr��encoder(rqr"r"r#rr�s
zFileVaultSecret.bytescCs|�|j�|_dSrl)�
_read_filerOrnrqr"r"r#rs�szFileVaultSecret.loadc
Cs�z:t|d��}|����}Wd�n1s.0YWn8ttfyr}ztd||f��WYd}~n
d}~00|j�||�\}}|�d�}t|d|d�|S)z�
        Read a vault password from a file or if executable, execute the script and
        retrieve password from STDOUT
        �rbNz)Could not read vault password file %s: %s�
z2Invalid vault password was provided from file (%s)�rQ)	�openr5r?�OSError�IOErrorrr�Z_decrypt_if_vault_datarj)rorO�fr��eZb_vault_datar�r"r"r#r��s.&
�zFileVaultSecret._read_filecCs$|jrd|jj|jfSd|jjS)Nz%s(filename='%s')�%s())rOr{rrqr"r"r#�__repr__�szFileVaultSecret.__repr__)NNN)
rr r!rprurrrsr�r�r�r"r"rzr#r�zs
r�c@s,eZdZdd�Zdd�Zdd�Zdd�Zd	S)
r�cCs`|j�|�std|��|��}|�|�\}}}|�|||�|�d�}d|}t||d�|S)Nz/The vault password script %s was not executabler�z4Invalid vault password was provided from script (%s)r�)r�r�r�_build_command�_run�_check_resultsr?rj)rorO�command�stdout�stderr�pr�Zempty_password_msgr"r"r#r��s
zScriptVaultSecret._read_filec
Csjztj|tjd�}Wn>tyR}z&d}||j|f}t|��WYd}~n
d}~00|��\}}|||fS)N)r�zpProblem running vault password script %s (%s). If this is not a script, remove the executable bit from the file.��
subprocess�Popen�PIPEr�rOrZcommunicate�ror�r�r�Z
msg_formatrQr�r�r"r"r#r��szScriptVaultSecret._runcCs$|jdkr td|j|j|f��dS)Nrz3Vault password script %s returned non-zero (%s): %s)�
returncoderrO�ror�r��popenr"r"r#r��s
�z ScriptVaultSecret._check_resultscCs|jgSrl�rOrqr"r"r#r��sz ScriptVaultSecret._build_commandN)rr r!r�r�r�r�r"r"r"r#r��sr�csBeZdZdZd
�fdd�	Zdd�Zdd�Zd	d
�Zdd�Z�Z	S)r�r:Ncs:tt|�j|||d�||_t�dt|�t|�f�dS)Nr�z8Executing vault password client script: %s --vault-id %s)rwr�rp�	_vault_idr}r�r)rorOr(r�rHrzr"r#rp�s�z ClientScriptVaultSecret.__init__c
Csnztj|tjtjd�}Wn>tyV}z&d}||j|f}t|��WYd}~n
d}~00|��\}}|||fS)N)r�r�zwProblem running vault password client script %s (%s). If this is not a script, remove the executable bit from the file.r�r�r"r"r#r��s�
zClientScriptVaultSecret._runcCsJ|j|jkr"td|j|j|f��|jdkrFtd|j|j|j|f��dS)NzIVault password client script %s did not find a secret for vault-id=%s: %srz^Vault password client script %s returned non-zero (%s) when getting secret for vault-id=%s: %s)r��VAULT_ID_UNKNOWN_RCrrOr�r�r"r"r#r��s�
�z&ClientScriptVaultSecret._check_resultscCs"|jg}|jr|�d|jg�|S)Nz
--vault-id)rOr��extend)ror�r"r"r#r��sz&ClientScriptVaultSecret._build_commandcCs(|jrd|jj|j|jfSd|jjS)Nz %s(filename='%s', vault_id='%s')r�)rOr{rr�rqr"r"r#r��s
�z ClientScriptVaultSecret.__repr__)NNNN)
rr r!r�rpr�r�r�r�r�r"r"rzr#r��s	r�cs|sgS�fdd�|D�}|S)zVFind all VaultSecret objects that are mapped to any of the target_vault_ids in secretscs g|]\}}|�vr||f�qSr"r")rXrHri��target_vault_idsr"r#r[r=z!match_secrets.<locals>.<listcomp>r"��secretsr��matchesr"r�r#�
match_secretssr�cCst||�}|r|dSdS)z�Find the best secret from secrets that matches target_vault_ids

    Since secrets should be ordered so the early secrets are 'better' than later ones, this
    just finds all the matches, then returns the first secretrN)r�r�r"r"r#�match_best_secrets
r�cCsXt�dt|��|dur"td��|g}t||�}|r:|Std|dd�|D�f��dS)N�encrypt_vault_id=%szBmatch_encrypt_vault_id_secret requires a non None encrypt_vault_idzHDid not find a match for --encrypt-vault-id=%s in the known vault-ids %scSsg|]\}}|�qSr"r")rXZ_vZ_vsr"r"r#r[,r=z1match_encrypt_vault_id_secret.<locals>.<listcomp>)r}r�rrr�r)r��encrypt_vault_idZencrypt_vault_id_matchersZencrypt_secretr"r"r#�match_encrypt_vault_id_secrets
�r�cCs>t�dt|��|r"t||d�Sdd�|D�}t||�}|S)z@Find the best/first/only secret in secrets to use for encryptingr�)r�cSsg|]\}}|�qSr"r")rXr�r�r"r"r#r[:r=z(match_encrypt_secret.<locals>.<listcomp>)r}r�rr�r�)r�r�Z_vault_id_matchersZbest_secretr"r"r#�match_encrypt_secret/s�
r�c@s@eZdZddd�Zedd��Zd
dd�Zddd	�Zdd
d�ZdS)�VaultLibNcCs|pg|_d|_d|_dS)NrV)r�rGrF)ror�r"r"r#rpBs
zVaultLib.__init__cCst|�Srl)r1)�	vaulttextr"r"r#r1GszVaultLib.is_encryptedc
Cs�|dur&|jrt|j�\}}ntd��t|dd�}t|�rBtd��|jrR|jtvrXd|_zt|j�}Wn"t	y�td�
|j���Yn0|r�t�dt
|�t
|�f�nt�d	t
|��|�|||�}t||j|d
�}	|	S)a�Vault encrypt a piece of data.

        :arg plaintext: a text or byte string to encrypt.
        :returns: a utf-8 encoded byte str of encrypted data.  The string
            contains a header identifying this as vault encrypted data and
            formatted to newline terminated lines of 80 characters.  This is
            suitable for dumping as is to a vault file.

        If the string passed in is a text string, it will be encoded to UTF-8
        before encryption.
        Nz2A vault password must be specified to encrypt data�surrogate_or_strictrUzinput is already encryptedr�{0} cipher could not be foundz1Encrypting with vault_id "%s" and vault secret %sz3Encrypting without a vault_id using vault secret %s�rH)r�r�rrr1rrG�CIPHER_WRITE_WHITELIST�CIPHER_MAPPING�KeyError�formatr}�vvvvvr�encryptrb)
ro�	plaintextrirH�saltr��b_plaintext�this_cipherrIrar"r"r#r�Ks,
�zVaultLib.encryptcCs|j|||d�\}}}|S)a�Decrypt a piece of vault encrypted data.

        :arg vaulttext: a string to decrypt.  Since vault encrypted data is an
            ascii text format this can be either a byte str or unicode string.
        :kwarg filename: a filename that the data came from.  This is only
            used to make better error messages in case the data cannot be
            decrypted.
        :returns: a byte string containing the decrypted data and the vault-id that was used

        )rO�obj)�decrypt_and_get_vault_id)ror�rOr�r�rH�vault_secretr"r"r#�decryptyszVaultLib.decryptcs�t|ddd�}|jdur td��t|�sHd}|r@|dt|�7}t|��t||d�\}}}�|tvrpt|�}ntd	�	|���d}	|js�td
��g}
d}d}�r�t
�dt���|
�
��t|j|
�}
|
r�t
�dt��t|�f�nt
�d
t���tj�s|
��fdd�|jD��t|j|
�}|D�]V\}}t
�dt|�t|�t|�f�zvt
�dt|�t|�f�|�||�}	|	du�r�|}|}d}|�r�d|}t
�dt|�t|�t|�f�W�q�Wn�t�y2}zL||_d}|�r�|dt|�7}|dt|�7}t
j|dd��WYd}~nXd}~0t�y�}z6t
�dt|�t|�|f�WYd}~�q,WYd}~n
d}~00�q,d}|�r�|dt|�7}t|��|	du�r�d}|�r�|dt|�7}t|��|	||fS)a�Decrypt a piece of vault encrypted data.

        :arg vaulttext: a string to decrypt.  Since vault encrypted data is an
            ascii text format this can be either a byte str or unicode string.
        :kwarg filename: a filename that the data came from.  This is only
            used to make better error messages in case the data cannot be
            decrypted.
        :returns: a byte string containing the decrypted data and the vault-id vault-secret that was used

        r'rT)r)r(Nz2A vault password must be specified to decrypt dataz#input is not vault encrypted data. z %s is not a vault encrypted filer�r�z0Attempting to decrypt but no vault secrets foundz&Found a vault_id (%s) in the vaulttextzMWe have a secret associated with vault id (%s), will try to use to decrypt %sz\Found a vault_id (%s) in the vault text, but we do not have a associated secret (--vault-id)csg|]\}}|�kr|�qSr"r")rXr��_dummyr�r"r#r[�r=z5VaultLib.decrypt_and_get_vault_id.<locals>.<listcomp>z3Trying to use vault secret=(%s) id=%s to decrypt %sz Trying secret %s for vault_id=%s�z of "%s"z3Decrypt%s successful with secret=%s and vault_id=%szThere was a vault format errorrKrLT)�	formattedzKTried to use the vault secret (%s) to decrypt (%s) but it failed. Error: %szBDecryption failed (no vault secrets were found that could decrypt)z on %szDecryption failed)rr�rr1rrrR�CIPHER_WHITELISTr�r�r}r�rr]r�rMZDEFAULT_VAULT_ID_MATCHr�r�r�r%r��warning)ror�rOr�rarQr�rGr�r�Zvault_id_matchers�
vault_id_used�vault_secret_usedZ_matchesZmatched_secretsZvault_secret_idr�Z	file_slugrPr�r"r�r#r��s�

 
��(
z!VaultLib.decrypt_and_get_vault_id)N)NNN)NN)NN)	rr r!rp�staticmethodr1r�r�r�r"r"r"r#r�As


.
r�c@s�eZdZd%dd�Zdd�Zdd�Zd&d	d
�Zdd�Zd'd
d�Zd(dd�Z	d)dd�Z
d*dd�Zdd�Zdd�Z
d+dd�Zdd�Zd,dd �Zd!d"�Zd#d$�ZdS)-�VaultEditorNcCs|pt�|_dSrl)r��vault)ror�r"r"r#rp�szVaultEditor.__init__c	Cs�tj�|�}|dkr�td|�}d}t|d���}t|�D]z}|�dd�t�|d|�}t�	|�}td||�D]}|�
|�qn|�
|d||��|��|kr�t��t�
|�q6Wd�n1s�0YdS)ar"Destroy a file, when shred (core-utils) is not available

        Unix `shred' destroys files "so that they can be recovered only with great difficulty with
        specialised hardware, if at all". It is based on the method from the paper
        "Secure Deletion of Data from Magnetic and Solid-State Memory",
        Proceedings of the Sixth USENIX Security Symposium (San Jose, California, July 22-25, 1996).

        We do not go to that length to re-implement shred in Python; instead, overwriting with a block
        of random data should suffice.

        See https://github.com/ansible/ansible/pull/13700 .
        ri r<�wbr:N)r�r��getsize�minr�r^r4�randomZrandint�urandom�writer3r�fsync)	ro�tmp_pathZfile_lenZ
max_chunk_lenZpasses�fh�_Z	chunk_lenr/r"r"r#�_shred_file_custom�s

zVaultEditor._shred_file_customc	Cs^tj�|�sdSzt�d|g�}Wnttfy<d}Yn0|dkrP|�|�t�|�dS)ajSecurely destroy a decrypted file

        Note standard limitations of GNU shred apply (For flash, overwriting would have no effect
        due to wear leveling; for other storage systems, the async kernel->filesystem->disk calls never
        guarantee data hits the disk; etc). Furthermore, if your tmp dirs is on tmpfs (ramdisks),
        it is a non-issue.

        Nevertheless, some form of overwriting the data (instead of just removing the fs index entry) is
        a good idea. If shred is not available (e.g. on windows, or no core-utils installed), fall back on
        a custom shredding method.
        N�shredr9r)	r�r��isfiler��callr��
ValueErrorr��remove)ror��rr"r"r#�_shred_file#s


zVaultEditor._shred_fileFc
CsRtj�tj�|��\}}tj|tjd�\}}	|�|	�}
zFz|rN|j	||dd�Wnt
yn|�|	��Yn0Wt�|�nt�|�0zt
�|
�WnHt
y�}z0|�|	�tdd�|
�t|�f��WYd}~n
d}~00|�|	�}|s�||k�rD|jj|||d�}
|�	|
|	�|�|	|�t�dt|�t|�t|�f�|�|	�dS)N)�suffix�dirF�r�z&Unable to execute the command "%s": %s� r�z<Saved edited file "%s" encrypted using %s and  vault id "%s")r�r�r��realpath�tempfileZmkstemprMZDEFAULT_LOCAL_TMP�_editor_shell_command�
write_datarNr��closer�r�rrBr�	read_datar�r��
shuffle_filesr}r�r)rorOri�
existing_data�
force_saverH�root�ext�fdr��cmdr�rErIr"r"r#�_edit_file_helperDs,



0
 zVaultEditor._edit_file_helpercCs|dkr|Stj�|�}|S)N�-)r�r�r�)rorOZ	real_pathr"r"r#�
_real_pathoszVaultEditor._real_pathcCs|jj|||d�}|S�Nr�)r�r�)ror�rirHrIr"r"r#�
encrypt_byteswszVaultEditor.encrypt_bytescCs:|�|�}|�|�}|jj|||d�}|�||p2|�dSr)rr�r�r�r�)rorOrirH�output_filer�rIr"r"r#�encrypt_file}s

zVaultEditor.encrypt_filec
Cs~|�|�}|�|�}z|jj||d�}Wn<tyd}z$tdt|�t|�f��WYd}~n
d}~00|j||pr|dd�dS)Nr��	%s for %sFr�)rr�r�r�rrr�)rorOrZ
ciphertextr�r�r"r"r#�decrypt_file�s

.zVaultEditor.decrypt_filecCsbtj�|�}|r6tj�|�s6t�dt|��t|�tj�|�rNt	d|��|j
|||d�dS)z create a new encrypted file z%s does not exist, creating...z$%s exists, please use 'edit' insteadr�N)r�r��dirnamer�r}r�rrr�rr)rorOrirHr	r"r"r#�create_file�szVaultEditor.create_filec
Cs�d}d}|�|�}|�|�}t|�}z|j�|�\}}}Wn<tyv}z$tdt|�t|�f��WYd}~n
d}~00t||d�\}}}	}
|	tv}|j	|||||
d�dS)Nrr�)r�r�rH)
rr�rr�r�rrrRr�r)rorOr�r�rar�r�r�r�rGrHr�r"r"r#�	edit_file�s

.zVaultEditor.edit_filec
Csj|�|�}t|�}z|jj||d�}|WStyd}z$tdt|�t|�f��WYd}~n
d}~00dS)Nr�r)r�rr�r�rrr)rorOrar�r�r�r"r"r#r��s
zVaultEditor.plaintextc

Cs|�|�}t�|�}|�|�}t|�}t�dt|�t|�t|�f�z|j�|�\}}}	Wn<t	y�}
z$t	dt
|
�t
|�f��WYd}
~
n
d}
~
00|dur�t	d|��tid�}|j|||d�}|�
||�t�||j�t�||j|j�t�dt|�t|�t|�t|�f�dS)Nz@Rekeying file "%s" to with new vault-id "%s" and vault secret %srz<The value for the new_password to rekey %s with is not valid)r�r�ziRekeyed file "%s" (decrypted with vault id "%s") was encrypted with new vault-id "%s" and vault secret %s)rr��statr�rr}r�r�r�rrr�r�r��chmod�st_mode�chown�st_uid�st_gid)
rorOZnew_vault_secretZnew_vault_id�prevrar�r�r�r�r�Z	new_vaultZb_new_vaulttextr"r"r#�
rekey_file�s*


�.

�zVaultEditor.rekey_filec
Cs�zL|dkrtjj��}n2t|d��}|��}Wd�n1s@0YWnLty�}z4t|�}|spt|�}tdt|�|f��WYd}~n
d}~00|S)Nrr�z#Unable to read source file (%s): %s)	�sys�stdin�bufferr5r�rNr�reprr)rorOr/r�r�rQr"r"r#r��s**zVaultEditor.read_dataT�c
Cs�t|dd�}d}z t|t�o,t�|tj�dk}WntyBYn0|rdt�|d�t�||��n^|dkr�t	t
jdt
j�}|�|��n8tj�
|�r�|r�|�|�n
t�|�t�d�}z�z&t�|tjtjBtjBtjB|�}	WnTt�y6}
z:|
jtjk�rtd	t|
���td
t|
���WYd}
~
n
d}
~
00zbzt�|	d�t�|	|�Wn6t�y�}ztdt|���WYd}~n
d}~00Wt�|	�nt�|	�0Wt�|�nt�|�0dS)
a)Write the data bytes to given path

        This is used to write a byte string to a file or stdout. It is used for
        writing the results of vault encryption or decryption. It is used for
        saving the ciphertext after encryption and it is also used for saving the
        plaintext after decrypting a vault. The type of the 'data' arg should be bytes,
        since in the plaintext case, the original contents can be of any text encoding
        or arbitrary binary data.

        When used to write the result of vault encryption, the val of the 'data' arg
        should be a utf-8 encoded byte string and not a text typ and not a text type..

        When used to write the result of vault decryption, the val of the 'data' arg
        should be a byte string and not a text type.

        :arg data: the byte string (bytes) data
        :arg thefile: file descriptor or filename to save 'data' to.
        :arg shred: if shred==True, make sure that the original data is first shredded so that is cannot be recovered.
        :returns: None
        r'rUFr2rrr�?z:Vault file got recreated while we were operating on it: %sz)Problem creating temporary vault file: %sNz+Unable to write to temporary vault file: %s)r�
isinstance�int�fcntlZF_GETFDrNr��	ftruncater��getattrrr�r�r�r�r��umaskr��O_CREAT�O_EXCL�O_RDWR�O_TRUNCr��errnoZEEXISTrrr�)ror/�thefiler��modeZb_file_dataZis_fd�outputZ
current_umaskr�Zoser�r"r"r#r�	s> 

&&(zVaultEditor.write_datacCs\d}tj�|�r$t�|�}t�|�t�||�|durXt�||j�t�	||j
|j�dSrl)r�r�r�rr��shutil�mover
rrrr)ro�src�destrr"r"r#r�Vs

zVaultEditor.shuffle_filescCs&tj�dd�}t�|�}|�|�|S)NZEDITOR�vi)r��environ�get�shlexr@r])rorOZ
env_editorZeditorr"r"r#r�es

z!VaultEditor._editor_shell_command)N)NFN)N)NN)N)N)N)Tr)rr r!rpr�r�rrrrrr
rr�rr�r�r�r�r"r"r"r#r��s 
%!
+



 
(
Mr�c@sneZdZdZdd�Zedd��Zedd��Zedd	��Z	eddd��Z
ed
d��Zedd��Zedd��Z
d
S)�VaultAES256zw
    Vault implementation using AES-CTR with an HMAC-SHA256 authentication code.
    Keys are derived using PBKDF2
    cCststt��dSrl)�HAS_CRYPTOGRAPHYr�NEED_CRYPTO_LIBRARYrqr"r"r#rp|szVaultAES256.__init__cCs,tt��d|||dtd�}|�|�}|S)Nr:i')�	algorithm�lengthr�Z
iterationsZbackend)rr�SHA256�CRYPTOGRAPHY_BACKENDZderive)�
b_passwordre�
key_length�	iv_lengthZkdf�b_derivedkeyr"r"r#�_create_key_cryptography�s
�
z$VaultAES256._create_key_cryptographyc	Cspd}tr>tjjd}|�||||�}||d|d|�}nttd��|d|�}|||d�}|||fS)N� �r:z(Detected in initctr))r1r�AES�
block_sizer;rr2)	�clsr7rer8r9r:�b_iv�b_key1�b_key2r"r"r#�_gen_key_initctr�szVaultAES256._gen_key_initctrc
Cs�tt�|�t�|�t�}|��}t�tjj	��
�}|�|�|�|���}||��7}t
|t��t�}|�|�|��}	tt|	�dd�t|�fS)Nr�rU)�C_Cipherrr>r�CTRr6�	encryptorr�PKCS7r?�padder�update�finalizer
rr5rr)
r�rBrCrA�cipherrGrIrI�hmac�b_hmacr"r"r#�_encrypt_cryptography�s
z!VaultAES256._encrypt_cryptographyNcCs�|durtd��|dur$t�d�}n|s2td��nt|�}|j}|�||�\}}}trl|�||||�\}	}
ntt	d��d�
t|�|	|
g�}t|�}|S)Nz'The secret passed to encrypt() was Noner<z)Empty or invalid salt passed to encrypt()z(Detected in encrypt)r\)rr�r�rrrrDr1rOrr2rBr)r@r�rir�rer7rBrCrArNrIrar"r"r#r��s
zVaultAES256.encryptc
Cs�t|t��t�}|�|�z|�t|��Wn0ty\}ztd|��WYd}~n
d}~00t	t
�|�t�
|�t�}|��}	t�d���}
|
�|	�|�|	���|
��}|S)NzHMAC verification failed: %s�)r
rr5r6rJZverifyrdr	rrErr>rrF�	decryptorrrH�unpadderrK)r@rIrfrBrCrArMr�rLrQrRr�r"r"r#�_decrypt_cryptography�s
"��z!VaultAES256._decrypt_cryptographycCs\t|t�rt|t�std��t|�t|�kr0dSd}t||�D]\}}|||AO}q>|dkS)z�
        Comparing 2 byte arrays in constant time to avoid timing attacks.

        It would be nice if there were a library for this but hey.
        z6_is_equal can only be used to compare two byte stringsFr)rrr,rA�zip)Zb_aZb_b�result�b_xZb_yr"r"r#�	_is_equal�szVaultAES256._is_equalcCsNt|�\}}}|j}|�||�\}}}	tr>|�|||||	�}
nttd��|
S)Nz(Detected in decrypt))rhrrrDr1rSrr2)r@rarirIrerfr7rBrCrAr�r"r"r#r��szVaultAES256.decrypt)N)rr r!rtrpr�r;�classmethodrDrOr�rSrWr�r"r"r"r#r0qs 	




r0r)rr2)N)NN)NN)N)NNNN)N)N)]Z
__future__rrr�typeZ
__metaclass__r$rr�r�r/r(r�rr��warningsZbinasciirrrrcr1r6�catch_warnings�simplefilter�DeprecationWarningZcryptography.exceptionsr	Zcryptography.hazmat.backendsr
Zcryptography.hazmat.primitivesrrZ#cryptography.hazmat.primitives.hmacr
Z)cryptography.hazmat.primitives.kdf.pbkdf2rZ&cryptography.hazmat.primitives.ciphersrrErr�ImportErrorZansible.errorsrrZansiblerrMZansible.module_utils.sixrZansible.module_utils._textrrrZansible.utils.displayrZansible.utils.pathrrr}r.�	frozensetr�r�r2rr$r%r1r7rJrRrbrdrgrhrjrkrvr�r�r�r�r�r�r�r�r�r�r�r0r�r"r"r"r#�<module>s�
*



)	
3
3)0	

7|�
