ansible-vault's People

Contributors

ahosking, aioue, justingood, tomoh1r

ansible-vault's Issues

Security issue

Please provide contact/information on reporting security issues for Ansible-vault

Release 1.1.2 or 2.0.0b1

I think the merged #12 introduces an incompatible change, so check it and decide what version has to be released.

  • Decide what version has to release.
  • Check incompatibility.
  • Release it.

1.1.0 uploaded to pypi with no code in it :(

Seems like the newest version uploaded but with no code in it :(

$ cd ansible-vault-1.1.0
(.venv) LMDV-JHARLOW:ansible-vault-1.1.0 jxharlow$ tree .
.
├── PKG-INFO
├── README.rst
├── ansible_vault.egg-info
│   ├── PKG-INFO
│   ├── SOURCES.txt
│   ├── dependency_links.txt
│   ├── requires.txt
│   └── top_level.txt
├── setup.cfg
├── setup.py
└── test
    └── test_api.py

2 directories, 10 files
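An sdist like the one listed above installs cleanly and only fails at import time, so it is worth checking an archive before it goes anywhere near `pip install`. The following is an added example, not the project's release tooling: it builds two constructed tarballs that mirror the listing in this issue (one without an `ansible_vault/` package directory, one with it) and compares each archive's `top_level.txt` against the files it actually contains.

```python
"""Check that a Python sdist ships the packages its egg-info metadata names.

Added example; the fixtures below are constructed to match the tree listing in the
issue and are not the real 1.1.0 upload.
"""
import io
import os
import tarfile
import tempfile
from typing import Dict, List, Tuple


def build_sdist(path: str, root: str, files: Dict[str, bytes]) -> str:
    """Write a minimal .tar.gz with the given files under `root`/ (test fixture only)."""
    with tarfile.open(path, "w:gz") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo(f"{root}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def missing_packages(sdist_path: str) -> List[str]:
    """Return the top-level packages named in top_level.txt that have no code in the archive.

    A package counts as present if `<root>/<pkg>/__init__.py` or `<root>/<pkg>.py` exists.
    """
    with tarfile.open(sdist_path, "r:gz") as tar:
        members = [m for m in tar.getmembers() if m.isfile()]
        names = {m.name for m in members}
        roots = {n.split("/", 1)[0] for n in names}
        if len(roots) != 1:
            raise ValueError(f"sdist should have one top-level directory, got {sorted(roots)}")
        root = roots.pop()
        top_level = None
        for m in members:
            if m.name.endswith(".egg-info/top_level.txt"):
                top_level = tar.extractfile(m).read().decode().split()
                break
        if top_level is None:
            raise ValueError("no top_level.txt in sdist; cannot tell what it should contain")
        return [
            pkg for pkg in top_level
            if f"{root}/{pkg}/__init__.py" not in names and f"{root}/{pkg}.py" not in names
        ]


# Constructed fixture mirroring the issue's listing: metadata and tests, no package code.
BROKEN_1_1_0 = {
    "PKG-INFO": b"Name: ansible-vault\nVersion: 1.1.0\n",
    "README.rst": b"",
    "setup.cfg": b"",
    "setup.py": b"",
    "ansible_vault.egg-info/PKG-INFO": b"Name: ansible-vault\nVersion: 1.1.0\n",
    "ansible_vault.egg-info/SOURCES.txt": b"",
    "ansible_vault.egg-info/dependency_links.txt": b"\n",
    "ansible_vault.egg-info/requires.txt": b"",
    "ansible_vault.egg-info/top_level.txt": b"ansible_vault\n",
    "test/test_api.py": b"",
}
# Same archive with the package directory actually included.
FIXED_1_1_0 = dict(BROKEN_1_1_0, **{
    "ansible_vault/__init__.py": b"from .api import Vault\n",
    "ansible_vault/api.py": b"class Vault: ...\n",
})


def check_fixtures() -> Tuple[List[str], List[str]]:
    """Build both fixtures in a temp dir and return (missing_in_broken, missing_in_fixed)."""
    with tempfile.TemporaryDirectory() as tmp:
        broken = build_sdist(os.path.join(tmp, "broken.tar.gz"), "ansible-vault-1.1.0", BROKEN_1_1_0)
        fixed = build_sdist(os.path.join(tmp, "fixed.tar.gz"), "ansible-vault-1.1.0", FIXED_1_1_0)
        return missing_packages(broken), missing_packages(fixed)


if __name__ == "__main__":
    broken_missing, fixed_missing = check_fixtures()
    print("broken sdist is missing:", broken_missing)
    print("fixed sdist is missing:", fixed_missing)
```

Against a real release, fetch the source archive without installing it (`pip download --no-binary :all: --no-deps ansible-vault==1.1.0`), run `missing_packages()` on the downloaded `.tar.gz`, and install from a hash-pinned requirements file so the artifact you checked is the one that ends up in the environment.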

Release v2.0.0bN as v2.0.0

  • Wait 2 weeks, until 2019/07/29.
  • Release v2.0.0 at the same revision as the latest v2.0.0bN.
  • Adopt black.
  • Adopt isort.
  • Adopt GitHub Actions.

When decrypting with ansible-vault I get three dots (...) at the end of my secret.

When I encrypt a string with this module and try to decrypt it again with ansible-vault, I get three dots (...) at the end of my secret value.

from ansible_vault import Vault

vault = Vault("pass123")
with open("test.yaml", "w") as f:
    f.write(vault.dump("super_secret_password"))

And then I try to decrypt it with ansible-vault:
ansible-vault decrypt test.yaml

I get the following output:

super_secret_password
...

or super_secret_password\n...\n to be more precise.

I was expecting just super_secret_password to be returned.

I'm using:

ansible-vault [core 2.13.6]
  config file = None
  python version = 3.9.15 (main, Oct 12 2022, 19:14:37) [GCC 11.2.0]
  jinja version = 3.1.2
  libyaml = True

and python:

ansible==6.6.0
ansible-core==2.13.6
ansible-vault==2.1.0

Is there something I'm missing, maybe a setting in this module to disable this (...) explicit-end functionality?

How can pwned.txt be made?

All I know is that vault.dump makes the input_data into a string in the yaml_text, and the result of it is also a string, but the pwned.txt you give can be executed in version 1.0.4.
I wonder how to make a txt just like the pwned.txt.
Thanks very much!

AnsibleError: Decryption failed

When I run
data = vault.load(open(test).read()) where test = "/path/to/vault.yml"
I get this

---------------------------------------------------------------------------
AnsibleError                              Traceback (most recent call last)
<ipython-input-104-4b5e48176f32> in <module>()
      2 password = get_ansible_password()
      3 vault = ansible_vault.Vault(password)
----> 4 data = vault.load(open(test).read())

~/.pyenv/versions/3.5.1/lib/python3.5/site-packages/ansible_vault/api.py in load(self, stream)
     48     def load_raw(self, stream):
     49         """Read vault stream and return raw data."""
---> 50         return self.vault.decrypt(stream)
     51 
     52     def dump_raw(self, text, stream=None):

~/.pyenv/versions/3.5.1/lib/python3.5/site-packages/ansible/parsing/vault/__init__.py in decrypt(self, vaulttext, filename)
    249     try:
    250         return unhexlify(b_data)
--> 251     except (BinasciiError, TypeError) as exc:
    252         raise AnsibleVaultFormatError('Vault format unhexlify error: %s' % exc)
    253 

AnsibleError: Decryption failed

I tested with variable test in Unicode string and byte string format. They both returned the same error.

implement get/set/update

draft

from ansible_vault import Vault

vault = Vault('password')
with open(fpath) as fp:
    store = vault.get_store(fp)
    some = store['hoge']
    store['hoge']['fuga'] = 'aaa'
    store.update({'hoge': 'fuga'})

Support for non YAML files

I see another user has support for JSON files but what about just simple text files? We have encrypted configuration files for our deployments and they fail yaml parsing because they are not yaml files.

Traceback (most recent call last):
  File "/usr/bin/ansible-vault-rekey", line 11, in <module>
    load_entry_point('ansible-vault-rekey==1.0.1', 'console_scripts', 'ansible-vault-rekey')()
  File "/usr/lib/python3.8/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3.8/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/ansible_vault_rekey-1.0.1-py3.8.egg/ansible_vault_rekey/cli.py", line 99, in main
    rekey.decrypt_file(f['file'], password_file, newpath)
  File "/usr/lib/python3.8/site-packages/ansible_vault_rekey-1.0.1-py3.8.egg/ansible_vault_rekey/ansible_vault_rekey.py", line 138, in decrypt_file
    r = vault.load(f.read())
  File "/usr/lib/python3.8/site-packages/ansible_vault-1.2.0-py3.8.egg/ansible_vault/api.py", line 62, in load
  File "/usr/lib/python3.8/site-packages/yaml/__init__.py", line 162, in safe_load
    return load(stream, SafeLoader)
  File "/usr/lib/python3.8/site-packages/yaml/__init__.py", line 114, in load
    return loader.get_single_data()
  File "/usr/lib/python3.8/site-packages/yaml/constructor.py", line 49, in get_single_data
    node = self.get_single_node()
  File "/usr/lib/python3.8/site-packages/yaml/composer.py", line 39, in get_single_node
    if not self.check_event(StreamEndEvent):
  File "/usr/lib/python3.8/site-packages/yaml/parser.py", line 98, in check_event
    self.current_event = self.state()
  File "/usr/lib/python3.8/site-packages/yaml/parser.py", line 171, in parse_document_start
    raise ParserError(None, None,
yaml.parser.ParserError: expected '<document start>', but found ''
  in "", line 3, column 1:
    $ldap_url = REDACTED

AnsibleVaultError: Decryption failed (no vault secrets were found that could decrypt)

Hi.
I bumped into a weird issue.

Trying to decode a vault encrypted yaml file I get this error:
AnsibleVaultError: Decryption failed (no vault secrets were found that could decrypt)

Versions of installed packages

(I know there is a lot of stuff there)

adm_user@srv-admin ~/selenium-test:\) $ pip list
Package                   Version
------------------------- ----------------
ansible                   9.1.0
ansible-base              2.10.8
ansible-compat            4.1.10
ansible-core              2.16.2
ansible-lint              6.22.1
ansible-modules-pm2       0.1.0
ansible-vault             2.1.0
apache-libcloud           3.2.0
apturl                    0.5.2
argcomplete               1.8.1
asn1crypto                1.4.0
asttokens                 2.4.1
attrs                     23.1.0
ayatana-settings          21.1.28
Babel                     2.8.0
bcrypt                    3.2.0
beautifulsoup4            4.12.2
black                     23.12.1
blessed                   1.20.0
blinker                   1.4
bpython                   0.24
bracex                    2.4
Brlapi                    0.8.3
bs4                       0.0.1
cajarename                21.11.24
certifi                   2022.6.15
chardet                   5.0.0
charset-normalizer        2.1.0
click                     8.0.3
colorama                  0.4.4
colorlog                  6.6.0
configobj                 5.0.6
cryptography              3.4.8
cupshelpers               1.0
curtsies                  0.4.2
cwcwidth                  0.1.9
dbus-python               1.2.18
decorator                 5.1.1
defer                     1.0.6
defusedxml                0.7.1
deja-dup-caja             0.0.9
distro                    1.7.0
distro-info               1.1+ubuntu0.1
dnspython                 2.1.0
duplicity                 0.8.21
exceptiongroup            1.2.0
executing                 2.0.1
fasteners                 0.14.1
filelock                  3.13.1
folder-color-caja         0.0.86
folder-color-common       0.0.86
future                    0.18.2
gpg                       1.16.0
greenlet                  3.0.3
h11                       0.14.0
httplib2                  0.20.2
idna                      3.3
importlib-metadata        4.6.4
ipython                   8.18.1
jedi                      0.19.1
jeepney                   0.7.1
Jinja2                    3.0.3
jmespath                  0.10.0
jsonschema                4.20.0
jsonschema-specifications 2023.12.1
keyring                   23.5.0
language-selector         0.1
launchpadlib              1.10.16
lazr.restfulclient        0.14.4
lazr.uri                  1.0.6
lockfile                  0.12.2
louis                     3.20.0
Magnus                    1.0.3
Mako                      1.1.3
markdown-it-py            3.0.0
MarkupSafe                2.0.1
mate-hud                  22.4.4
mate-menu                 22.4.1
mate-tweak                22.4.8
matplotlib-inline         0.1.6
mdurl                     0.1.2
meld                      3.20.4
monotonic                 1.6
more-itertools            8.10.0
mypy-extensions           1.0.0
netaddr                   0.8.0
netifaces                 0.11.0
ntlm-auth                 1.4.0
oauthlib                  3.2.0
olefile                   0.46
onboard                   1.4.1
outcome                   1.3.0.post0
packaging                 23.2
paramiko                  2.9.3
parso                     0.8.3
pathspec                  0.12.1
pexpect                   4.8.0
Pillow                    9.0.1
pip                       22.0.2
pip-search                0.0.12
platformdirs              4.1.0
prompt-toolkit            3.0.43
psutil                    5.9.0
ptyprocess                0.7.0
pulsemixer                1.5.1
pure-eval                 0.2.2
pyasn1                    0.4.8
pycairo                   1.20.1
pycryptodomex             3.11.0
pycups                    2.0.1
Pygments                  2.17.2
PyGObject                 3.42.1
PyJWT                     2.3.0
pymacaroons               0.13.0
PyNaCl                    1.5.0
pyparsing                 2.4.7
PySocks                   1.7.1
python-apt                2.4.0+ubuntu2
python-dateutil           2.8.1
python-debian             0.1.43+ubuntu1.1
python-dotenv             1.0.0
python-xapp               2.2.1
python-xlib               0.29
pytz                      2022.1
pyvmomi                   6.7.1
pywinrm                   0.3.0
pyxattr                   0.7.2
pyxdg                     0.27
PyYAML                    5.4.1
referencing               0.32.0
reportlab                 3.6.8
requests                  2.31.0
requests-ntlm             1.1.0
requests-toolbelt         0.9.1
resolvelib                1.0.1
rich                      13.7.0
rpds-py                   0.16.2
ruamel.yaml               0.18.5
ruamel.yaml.clib          0.2.8
SecretStorage             3.3.1
selenium                  4.16.0
selinux                   3.3
setproctitle              1.2.2
setuptools                59.6.0
simplejson                3.17.6
six                       1.16.0
sniffio                   1.3.0
sortedcontainers          2.4.0
soupsieve                 2.5
stack-data                0.6.3
stormshield.sns.sslclient 1.0.4
subprocess-tee            0.4.1
systemd-python            234
terminator                2.1.1
tomli                     2.0.1
traitlets                 5.14.0
trio                      0.23.2
trio-websocket            0.11.1
typing_extensions         4.9.0
ubuntu-advantage-tools    8001
ubuntu-drivers-common     0.0.0
ufw                       0.36.1
unattended-upgrades       0.1
urllib3                   1.26.10
wadllib                   1.3.6
wcmatch                   8.5
wcwidth                   0.2.12
webdriver-manager         4.0.1
wheel                     0.37.1
wsproto                   1.2.0
xdg                       5
xkit                      0.0.0
xmltodict                 0.12.0
yamllint                  1.33.0
youtube-dl                2021.12.17
zipp                      1.0.0

Python is 3.10.12

Steps to reproduce

adm_user@srv-admin ~/selenium-test:\) $ cat toto.yml 
soft:
  user: toto
  password: rototo
adm_user@srv-admin ~/selenium-test:\) $ echo -n "toto" > password
adm_user@srv-admin ~/selenium-test:\) $ cat password 
totoadm_user@srv-admin ~/selenium-test:\) $ 
adm_user@srv-admin ~/selenium-test:\) $ ansible-vault encrypt toto.yml --vault-password-file password
Encryption successful
adm_user@srv-admin ~/selenium-test:\) $ cat toto.yml 
$ANSIBLE_VAULT;1.1;AES256
32353335396261646339343466646261306239633333366365663862353062653632653633656162
6464663731366136633131646531303063366332633734370a653464373830666666343930393564
39393162396564356336336339666666383432323738376566626434393461376334656664396339
6461363530383238340a376333306631383762323134303931393938653837633263386664633830
61383664303562386131306234333238396434316636343230633231386138613264383566363432
6165626266626437653735383835663564313162633265643964
adm_user@srv-admin ~/selenium-test:\) $

Now to python:

adm_user@srv-admin ~/selenium-test:\) $ ipython
Python 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0]
Type 'copyright', 'credits' or 'license' for more information
IPython 8.18.1 -- An enhanced Interactive Python. Type '?' for help.

In [1]: from ansible_vault import Vault

In [2]: vault = Vault(open('password').read())

In [3]: data = vault.load(open('toto.yml').read())
---------------------------------------------------------------------------
AnsibleVaultError                         Traceback (most recent call last)
Cell In[3], line 1
----> 1 data = vault.load(open('toto.yml').read())

File ~/.local/lib/python3.10/site-packages/ansible_vault/api.py:53, in Vault.load(self, stream)
     51 def load(self, stream):
     52     """Read vault steam and return python object."""
---> 53     return yaml.safe_load(self.load_raw(stream))

File ~/.local/lib/python3.10/site-packages/ansible_vault/api.py:41, in Vault.load_raw(self, stream)
     39 def load_raw(self, stream):
     40     """Read vault stream and return raw data."""
---> 41     return self.vault.decrypt(stream)

File ~/.local/lib/python3.10/site-packages/ansible_vault/parsing.py:47, in AnsibleVaultLib.decrypt(self, vaulttext)
     46 def decrypt(self, vaulttext):
---> 47     return self.vault.decrypt(vaulttext)

File ~/.local/lib/python3.10/site-packages/ansible/parsing/vault/__init__.py:644, in VaultLib.decrypt(self, vaulttext, filename, obj)
    633 def decrypt(self, vaulttext, filename=None, obj=None):
    634     '''Decrypt a piece of vault encrypted data.
    635 
    636     :arg vaulttext: a string to decrypt.  Since vault encrypted data is an
   (...)
    642 
    643     '''
--> 644     plaintext, vault_id, vault_secret = self.decrypt_and_get_vault_id(vaulttext, filename=filename, obj=obj)
    645     return plaintext

File ~/.local/lib/python3.10/site-packages/ansible/parsing/vault/__init__.py:751, in VaultLib.decrypt_and_get_vault_id(self, vaulttext, filename, obj)
    749     if filename:
    750         msg += " on %s" % to_native(filename)
--> 751     raise AnsibleVaultError(msg)
    753 if b_plaintext is None:
    754     msg = "Decryption failed"

AnsibleVaultError: Decryption failed (no vault secrets were found that could decrypt)

In [4]: 

vault string not supported

Since ansible 2.4 you can encrypt strings in a yaml file. We moved from encrypting whole yaml files to encrypted strings, and it looks like the module does not support this:

https://docs.ansible.com/ansible/2.4/vault.html#use-encrypt-string-to-create-encrypted-variables-to-embed-in-yaml

File "/usr/local/lib/python2.7/site-packages/ansible_vault/api.py", line 62, in load
    return yaml.safe_load(self.load_raw(stream))
  File "/usr/local/lib/python2.7/site-packages/ansible_vault/api.py", line 50, in load_raw
    return self.vault.decrypt(stream)
  File "/usr/local/lib/python2.7/site-packages/ansible/parsing/vault/__init__.py", line 661, in decrypt
    plaintext, vault_id, vault_secret = self.decrypt_and_get_vault_id(vaulttext, filename=filename)
  File "/usr/local/lib/python2.7/site-packages/ansible/parsing/vault/__init__.py", line 684, in decrypt_and_get_vault_id
    raise AnsibleError(msg)
ansible.errors.AnsibleError: input is not vault encrypted data

Add support for JSON files

I have the need to occasionally encrypt/decrypt a JSON file that is part of my ansible project. Not sure if this is something that would be a worthwhile addition or be of interest to many users, but I made some changes to add support for JSON files and thought of sharing them.

See #27 for more info.

I get this error when I try to decrypt a file using this package

  File "test.py", line 4, in <module>
    data = vault.load(open('vars.yml').read())
  File "/usr/local/lib/python3.8/dist-packages/ansible_vault/api.py", line 62, in load
    return yaml.safe_load(self.load_raw(stream))
  File "/usr/local/lib/python3.8/dist-packages/ansible_vault/api.py", line 50, in load_raw
    return self.vault.decrypt(stream)
  File "/usr/local/lib/python3.8/dist-packages/ansible/parsing/vault/__init__.py", line 663, in decrypt
    plaintext, vault_id, vault_secret = self.decrypt_and_get_vault_id(vaulttext, filename=filename)
  File "/usr/local/lib/python3.8/dist-packages/ansible/parsing/vault/__init__.py", line 720, in decrypt_and_get_vault_id
    _matches = match_secrets(self.secrets, vault_id_matchers)
  File "/usr/local/lib/python3.8/dist-packages/ansible/parsing/vault/__init__.py", line 542, in match_secrets
    matches = [(vault_id, secret) for vault_id, secret in secrets if vault_id in target_vault_ids]
  File "/usr/local/lib/python3.8/dist-packages/ansible/parsing/vault/__init__.py", line 542, in <listcomp>
    matches = [(vault_id, secret) for vault_id, secret in secrets if vault_id in target_vault_ids]
TypeError: cannot unpack non-iterable int object

Incorrect version comparison logic

_ANSIBLE_VER = float(".".join(ansible.__version__.split(".")[:2]))


    def _make_secrets(self, secret):
        if _ANSIBLE_VER < 2.4:
            return secret

The above code worked correctly up to version 2.9. The current ansible version is 2.10. It's greater than 2.4, but float(2.10) is less than 2.4.
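The float comparison is worth seeing next to a component-wise one. The following is an added example, not code from the ansible-vault package: it reimplements the check the issue quotes beside a fixed version that compares integer tuples, so "2.10" sorts after "2.4" and a pre-release string such as "2.0.0b1" (the versions discussed earlier on this page) still parses.

```python
import re
from typing import Tuple

# Added example, not the ansible-vault package's code: the buggy comparison the issue
# quotes, next to a component-wise comparison that handles "2.10" and "2.0.0b1".


def version_tuple(version: str) -> Tuple[int, int, int]:
    """Turn "2.10.8", "2.4" or "2.0.0b1" into (major, minor, patch) integers.

    Only the leading digits of each of the first three dotted segments count, so a
    pre-release suffix such as "b1" or "rc1" is ignored for this API-level check.
    """
    parts = []
    for segment in version.strip().split(".")[:3]:
        digits = re.match(r"\d+", segment)
        if digits is None:
            raise ValueError(f"unrecognised version segment {segment!r} in {version!r}")
        parts.append(int(digits.group()))
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def buggy_is_pre_24(version: str) -> bool:
    """The check from the issue: float("2.10") == 2.1, so 2.10 is misread as older than 2.4."""
    return float(".".join(version.split(".")[:2])) < 2.4


def is_pre_24(version: str) -> bool:
    """Correct check: tuples compare element by element, so (2, 10, 8) > (2, 4, 0)."""
    return version_tuple(version) < (2, 4, 0)


if __name__ == "__main__":
    for v in ("2.3.3", "2.9.27", "2.10.8", "2.0.0b1"):
        print(f"{v:8} buggy={buggy_is_pre_24(v)!s:5} fixed={is_pre_24(v)}")
```

In a real code base `packaging.version.Version` is the usual way to get this right, including pre-release ordering; the hand-rolled tuple above is only there to show why the float trick breaks on the first two-digit minor version.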

Seeing new issue with newer ansible

Seeing the following now happen (maybe ansible changed the api?):

>>> utils.load_secrets("secrets/daddy.eyaml")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/jxharlow/Dev/els/openstack-deploy/os_deploy/utils.py", line 87, in load_secrets
    return munch.munchify(v.load(fh.read()))
  File "/Users/jxharlow/.venv/lib/python2.7/site-packages/ansible_vault/api.py", line 18, in load
    return yaml.safe_load(self.vault.decrypt(stream))
  File "/Users/jxharlow/.venv/lib/python2.7/site-packages/ansible/parsing/vault/__init__.py", line 543, in decrypt
    _matches = match_secrets(self.secrets, vault_id_matchers)
  File "/Users/jxharlow/.venv/lib/python2.7/site-packages/ansible/parsing/vault/__init__.py", line 399, in match_secrets
    matches = [(vault_id, secret) for vault_id, secret in secrets if vault_id in target_vault_ids]
ValueError: need more than 1 value to unpack

Vault ID Support

I have been trying to decrypt ansible-vault encrypted strings with python, but I could not find much documentation when it comes to using vault ids. I tried to create a vault with the latest version of ansible-vault

ansible-vault 2.8.6
  config file = None
  configured module search path = ['/home/neville/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/neville/.pyenv/versions/3.7.4/lib/python3.7/site-packages/ansible
  executable location = /home/neville/.pyenv/versions/3.7.4/bin/ansible-vault
  python version = 3.7.4 (default, Sep  8 2019, 10:28:23) [GCC 8.3.0]

but I could not find examples of how to set up the Vault Id when you decode the ansible_vault part, and when I tried to use Vault("password"), I got an error that no secrets were found. Can someone provide some snippets that will help me decrypt the below string?

Note: I used 'password' for the vault password
ansible-vault encrypt_string --vault-id test_vault@prompt
New vault password (test_vault): 
Confirm new vault password (test_vault): 
Reading plaintext input from stdin. (ctrl-d to end input)
Hello World
!vault |
          $ANSIBLE_VAULT;1.2;AES256;test_vault
          65336466616237373839383838383633646266656235336665626633626337376334663564353637
          6237303233376162656461336537336335616565316535650a613731653162366239623739386234
          64663838393235303463363063363761343435343134333739616366376663316337313764346265
          3332356164373533610a636261366337643566326362663733393131623661383632373666316166
          3135
Encryption successful
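Both this issue and the earlier "Decryption failed (no vault secrets were found that could decrypt)" report come down to the same question: what is actually inside the `$ANSIBLE_VAULT` blob, which vault id is it tagged with, and is the password even right? The following is an added example using only the standard library; it is not code from the ansible-vault package or from Ansible. It parses the 1.1 and 1.2 envelope formats, including the hex-decoding step that produces the "Vault format unhexlify error" seen in an earlier traceback, and verifies a candidate password against the envelope's HMAC using Ansible's key schedule, without decrypting. The two sample envelopes are the ones pasted in the issues above: the `toto.yml` one was encrypted with a password file containing `toto`, and the reporter of this issue states the password for the `encrypt_string` output was `password`.

```python
"""Parse an ansible-vault envelope and check a password against its HMAC (stdlib only).

Added example; not code from the ansible-vault package or from Ansible. It follows the
on-disk format and the VaultAES256 key schedule Ansible uses: the body is hex of
"salt_hex\nhmac_hex\nciphertext_hex", PBKDF2-HMAC-SHA256 (10000 iterations) stretches
the password into AES key | HMAC key | IV, and HMAC-SHA256 covers the ciphertext.
Decryption itself (AES-256-CTR) is left out because the standard library has no AES.
"""
import hashlib
import hmac
from binascii import Error as BinasciiError, unhexlify
from dataclasses import dataclass
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 10000
KEY_LEN = 32  # AES-256 key, and the HMAC-SHA256 key
IV_LEN = 16   # AES block size


@dataclass
class VaultEnvelope:
    version: str             # "1.1" (no vault id) or "1.2" (vault id in the header)
    cipher: str              # "AES256"
    vault_id: Optional[str]  # only carried by 1.2 headers
    salt: bytes
    mac: bytes
    ciphertext: bytes


def parse_vaulttext(vaulttext: str) -> VaultEnvelope:
    """Split a $ANSIBLE_VAULT blob into header fields and its three binary parts."""
    lines = [ln.strip() for ln in vaulttext.splitlines() if ln.strip()]
    if lines and lines[0].startswith("!vault"):  # YAML tag line from encrypt_string output
        lines = lines[1:]
    if not lines or not lines[0].startswith("$ANSIBLE_VAULT"):
        raise ValueError("input is not vault encrypted data")
    fields = lines[0].split(";")
    if len(fields) < 3:
        raise ValueError(f"malformed vault header: {lines[0]!r}")
    version, cipher, vault_id = fields[1], fields[2], None
    if version == "1.2" and len(fields) == 4:
        vault_id = fields[3]
    elif version != "1.1" or len(fields) != 3:
        raise ValueError(f"unsupported vault header: {lines[0]!r}")
    try:
        inner = unhexlify("".join(lines[1:]))
        salt_hex, mac_hex, ct_hex = inner.split(b"\n", 2)
        salt, mac, ciphertext = unhexlify(salt_hex), unhexlify(mac_hex), unhexlify(ct_hex)
    except (BinasciiError, ValueError) as exc:  # odd/invalid hex, or fewer than three parts
        raise ValueError(f"Vault format unhexlify error: {exc}") from exc
    if len(mac) != hashlib.sha256().digest_size or not ciphertext or len(ciphertext) % 16:
        raise ValueError("malformed vault body")
    return VaultEnvelope(version, cipher, vault_id, salt, mac, ciphertext)


def derive_keys(password: bytes, salt: bytes) -> Tuple[bytes, bytes, bytes]:
    """Ansible's key schedule: one PBKDF2 output split into (aes_key, hmac_key, iv)."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS,
                                  dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def password_matches(env: VaultEnvelope, password: bytes) -> bool:
    """True when the HMAC verifies under the key derived from `password`.

    False means a wrong password or a tampered body. The "no vault secrets were found
    that could decrypt" error in the issues above is raised earlier than this, while
    vault ids are matched against registered secrets, before any key derivation runs.
    """
    _, hmac_key, _ = derive_keys(password, env.salt)
    expected = hmac.new(hmac_key, env.ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, env.mac)


# Envelopes pasted in the issues above (toto.yml, password "toto"; encrypt_string output,
# reported password "password").
SAMPLE_1_1_TOTO = """\
$ANSIBLE_VAULT;1.1;AES256
32353335396261646339343466646261306239633333366365663862353062653632653633656162
6464663731366136633131646531303063366332633734370a653464373830666666343930393564
39393162396564356336336339666666383432323738376566626434393461376334656664396339
6461363530383238340a376333306631383762323134303931393938653837633263386664633830
61383664303562386131306234333238396434316636343230633231386138613264383566363432
6165626266626437653735383835663564313162633265643964
"""
SAMPLE_1_2_TEST_VAULT = """\
!vault |
          $ANSIBLE_VAULT;1.2;AES256;test_vault
          65336466616237373839383838383633646266656235336665626633626337376334663564353637
          6237303233376162656461336537336335616565316535650a613731653162366239623739386234
          64663838393235303463363063363761343435343134333739616366376663316337313764346265
          3332356164373533610a636261366337643566326362663733393131623661383632373666316166
          3135
"""

if __name__ == "__main__":
    for label, blob, pw in (("toto.yml", SAMPLE_1_1_TOTO, b"toto"),
                            ("encrypt_string", SAMPLE_1_2_TEST_VAULT, b"password")):
        env = parse_vaulttext(blob)
        print(label, env.version, env.cipher, env.vault_id, len(env.ciphertext), "ciphertext bytes,",
              "password ok" if password_matches(env, pw) else "password rejected")
```

The practical use is triage: a 1.2 header tells you which vault id the secret must be registered under (here `test_vault`, while a bare `Vault("password")` has no id to offer), and `password_matches()` separates a genuinely wrong password from the secret-plumbing failures in the tracebacks above, where Ansible never got as far as deriving a key.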
