add a vault --encrypt-vault-to specify vault id to use for encrypt (#31067)

Enforce that there can be only one --new-vault-id or --new-vault-password-file and use this instead of --encrypt-vault-id * Add a config option for default vault encrypt id
2025-08-22 14:01:42 -07:00 · 2018-01-22 17:12:10 -05:00 · 2018-01-22 17:12:10 -05:00 · ffe0ddea96
commit ffe0ddea96
parent 866239e01a
5 changed files with 110 additions and 19 deletions
--- a/lib/ansible/parsing/vault/init.py
+++ b/lib/ansible/parsing/vault/init.py
@ -556,12 +556,40 @@ def match_best_secret(secrets, target_vault_ids):
    return None


-def match_encrypt_secret(secrets):
+def match_encrypt_vault_id_secret(secrets, encrypt_vault_id=None):
+    # See if the --encrypt-vault-id matches a vault-id
+    display.vvvv('encrypt_vault_id=%s' % encrypt_vault_id)
+
+    if encrypt_vault_id is None:
+        raise AnsibleError('match_encrypt_vault_id_secret requires a non None encrypt_vault_id')
+
+    encrypt_vault_id_matchers = [encrypt_vault_id]
+    encrypt_secret = match_best_secret(secrets, encrypt_vault_id_matchers)
+
+    # return the best match for --encrypt-vault-id
+    if encrypt_secret:
+        return encrypt_secret
+
+    # If we specified a encrypt_vault_id and we couldn't find it, dont
+    # fallback to using the first/best secret
+    raise AnsibleVaultError('Did not find a match for --encrypt-vault-id=%s in the known vault-ids %s' % (encrypt_vault_id,
+                                                                                                          [_v for _v, _vs in secrets]))
+
+
+def match_encrypt_secret(secrets, encrypt_vault_id=None):
    '''Find the best/first/only secret in secrets to use for encrypting'''

+    display.vvvv('encrypt_vault_id=%s' % encrypt_vault_id)
+    # See if the --encrypt-vault-id matches a vault-id
+    if encrypt_vault_id:
+        return match_encrypt_vault_id_secret(secrets,
+                                             encrypt_vault_id=encrypt_vault_id)
+
+    # Find the best/first secret from secrets since we didnt specify otherwise
    # ie, consider all of the available secrets as matches
    _vault_id_matchers = [_vault_id for _vault_id, dummy in secrets]
    best_secret = match_best_secret(secrets, _vault_id_matchers)
+
    # can be empty list sans any tuple
    return best_secret

@ -625,7 +653,11 @@ class VaultLib:
            raise AnsibleError(u"{0} cipher could not be found".format(self.cipher_name))

        # encrypt data
-        display.vvvvv('Encrypting with vault secret %s' % secret)
+        if vault_id:
+            display.vvvvv('Encrypting with vault_id "%s" and vault secret %s' % (vault_id, secret))
+        else:
+            display.vvvvv('Encrypting without a vault_id using vault secret %s' % secret)
+
        b_ciphertext = this_cipher.encrypt(b_plaintext, secret)

        # format the data for output to the file
@ -725,7 +757,10 @@ class VaultLib:
                b_plaintext = this_cipher.decrypt(b_vaulttext, vault_secret)
                if b_plaintext is not None:
                    vault_id_used = vault_secret_id
-                    display.vvvvv('decrypt successful with secret=%s and vault_id=%s' % (vault_secret, vault_secret_id))
+                    file_slug = ''
+                    if filename:
+                        file_slug = ' of "%s"' % filename
+                    display.vvvvv('Decrypt%s successful with secret=%s and vault_id=%s' % (file_slug, vault_secret, vault_secret_id))
                    break
            except AnsibleVaultFormatError as exc:
                msg = "There was a vault format error"
@ -963,7 +998,7 @@ class VaultEditor:
        vaulttext = to_text(b_vaulttext)

        try:
-            plaintext = self.vault.decrypt(vaulttext)
+            plaintext = self.vault.decrypt(vaulttext, filename=filename)
            return plaintext
        except AnsibleError as e:
            raise AnsibleVaultError("%s for %s" % (to_bytes(e), to_bytes(filename)))
@ -978,8 +1013,10 @@ class VaultEditor:
        b_vaulttext = self.read_data(filename)
        vaulttext = to_text(b_vaulttext)

+        display.vvvvv('Rekeying file "%s" to with new vault-id "%s" and vault secret %s' %
+                      (filename, new_vault_id, new_vault_secret))
        try:
-            plaintext = self.vault.decrypt(vaulttext)
+            plaintext, vault_id_used = self.vault.decrypt_and_get_vault_id(vaulttext)
        except AnsibleError as e:
            raise AnsibleError("%s for %s" % (to_bytes(e), to_bytes(filename)))

@ -1004,6 +1041,9 @@ class VaultEditor:
        os.chmod(filename, prev.st_mode)
        os.chown(filename, prev.st_uid, prev.st_gid)

+        display.vvvvv('Rekeyed file "%s" (decrypted with vault id "%s") was encrypted with new vault-id "%s" and vault secret %s' %
+                      (filename, vault_id_used, new_vault_id, new_vault_secret))
+
    def read_data(self, filename):

        try: