tomoh1r / ansible-vault
This project aims to R/W an ansible-vault yaml file
License: GNU General Public License v3.0
Seeing the following now happen (maybe ansible changed the api?):
>>> utils.load_secrets("secrets/daddy.eyaml")
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/Users/jxharlow/Dev/els/openstack-deploy/os_deploy/utils.py", line 87, in load_secrets
return munch.munchify(v.load(fh.read()))
File "/Users/jxharlow/.venv/lib/python2.7/site-packages/ansible_vault/api.py", line 18, in load
return yaml.safe_load(self.vault.decrypt(stream))
File "/Users/jxharlow/.venv/lib/python2.7/site-packages/ansible/parsing/vault/__init__.py", line 543, in decrypt
_matches = match_secrets(self.secrets, vault_id_matchers)
File "/Users/jxharlow/.venv/lib/python2.7/site-packages/ansible/parsing/vault/__init__.py", line 399, in match_secrets
matches = [(vault_id, secret) for vault_id, secret in secrets if vault_id in target_vault_ids]
ValueError: need more than 1 value to unpack
draft
from ansible_vault import Vault
vault = Vault('password')
with open(fpath) as fp:
    store = vault.get_store(fp)
some = store['hoge']
store['hoge']['fuga'] = 'aaa'
store.update({'hoge': 'fuga'})
I see another user has support for JSON files but what about just simple text files? We have encrypted configuration files for our deployments and they fail yaml parsing because they are not yaml files.
Traceback (most recent call last):
File "/usr/bin/ansible-vault-rekey", line 11, in <module>
load_entry_point('ansible-vault-rekey==1.0.1', 'console_scripts', 'ansible-vault-rekey')()
File "/usr/lib/python3.8/site-packages/click/core.py", line 829, in call
return self.main(*args, **kwargs)
File "/usr/lib/python3.8/site-packages/click/core.py", line 782, in main
rv = self.invoke(ctx)
File "/usr/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/lib/python3.8/site-packages/click/core.py", line 610, in invoke
return callback(*args, **kwargs)
File "/usr/lib/python3.8/site-packages/ansible_vault_rekey-1.0.1-py3.8.egg/ansible_vault_rekey/cli.py", line 99, in main
rekey.decrypt_file(f['file'], password_file, newpath)
File "/usr/lib/python3.8/site-packages/ansible_vault_rekey-1.0.1-py3.8.egg/ansible_vault_rekey/ansible_vault_rekey.py", line 138, in decrypt_file
r = vault.load(f.read())
File "/usr/lib/python3.8/site-packages/ansible_vault-1.2.0-py3.8.egg/ansible_vault/api.py", line 62, in load
File "/usr/lib/python3.8/site-packages/yaml/__init__.py", line 162, in safe_load
return load(stream, SafeLoader)
File "/usr/lib/python3.8/site-packages/yaml/__init__.py", line 114, in load
return loader.get_single_data()
File "/usr/lib/python3.8/site-packages/yaml/constructor.py", line 49, in get_single_data
node = self.get_single_node()
File "/usr/lib/python3.8/site-packages/yaml/composer.py", line 39, in get_single_node
if not self.check_event(StreamEndEvent):
File "/usr/lib/python3.8/site-packages/yaml/parser.py", line 98, in check_event
self.current_event = self.state()
File "/usr/lib/python3.8/site-packages/yaml/parser.py", line 171, in parse_document_start
raise ParserError(None, None,
yaml.parser.ParserError: expected '', but found ''
in "", line 3, column 1:
$ldap_url = REDACTED
_ANSIBLE_VER = float(".".join(ansible.__version__.split(".")[:2]))

def _make_secrets(self, secret):
    if _ANSIBLE_VER < 2.4:
        return secret
The above code worked correctly up to version 2.9. The current ansible version is 2.10. It's greater than 2.4, but float(2.10) is less than 2.4.
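The report above is a classic version-comparison bug: `float("2.10")` is `2.1`, which sorts before `2.4` even though 2.10 is a later release. The following is an added example, not code from the ansible-vault project, showing the float approach next to a component-wise integer comparison that orders `2.10 > 2.9 > 2.4` correctly and tolerates suffixes such as `rc1` or `.dev0`. The version strings in the `__main__` block are constructed for illustration.

```python
"""Compare Ansible version strings without the float() pitfall.

Added example (not the ansible-vault project's own code).  float("2.10") == 2.1,
so a float comparison against 2.4 misclassifies every 2.10+ release; comparing
tuples of integers keeps the intended ordering.
"""
import re


def version_tuple(version):
    """Turn '2.10.3', '2.16.2' or '2.9' into a comparable tuple of ints.

    Each dotted component is reduced to its leading digits; the first component
    with no numeric prefix ('dev0', 'post1') and everything after it is dropped,
    so '2.10.0rc1' -> (2, 10, 0) and '2.10.0.dev0' -> (2, 10, 0).
    """
    parts = []
    for component in version.split("."):
        m = re.match(r"\d+", component)
        if m is None:
            break
        parts.append(int(m.group(0)))
    if not parts:
        raise ValueError("no numeric version prefix in %r" % version)
    return tuple(parts)


def at_least(version, minimum):
    """True if version >= minimum, component by component.

    Shorter tuples are right-padded with zeros so that '2.4' == '2.4.0' instead
    of Python's default prefix ordering, where (2, 4) < (2, 4, 0).
    """
    a, b = version_tuple(version), version_tuple(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def float_at_least(version, minimum):
    """The approach from the issue above, kept only for contrast."""
    return float(".".join(version.split(".")[:2])) >= minimum


if __name__ == "__main__":
    # Constructed sample versions: the float check flips to False at 2.10.
    for v in ("2.3.1", "2.4", "2.9.27", "2.10", "2.10.0rc1", "2.16.2"):
        print("%-10s float>=2.4: %-5s tuple>=2.4: %s"
              % (v, float_at_least(v, 2.4), at_least(v, "2.4")))
```

Any code that gates behaviour on a minimum version (here, whether `_make_secrets` must wrap the secret for the 2.4+ API) should use the tuple form; the float form silently returns the pre-2.4 code path for 2.10 through 2.19, which is exactly the breakage the issue describes.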
I have the need to occasionally encrypt/decrypt a JSON file that is part of my ansible project. Not sure if this is something that would be a worthwhile addition or be of interest to many users, but I made some changes to add support for JSON files and thought of sharing them.
See #27 for more info.
Since ansible 2.4 you can encrypt strings in a yaml file. We moved our whole encrypted yaml files to encrypted strings and it looks like the module does not support this:
File "/usr/local/lib/python2.7/site-packages/ansible_vault/api.py", line 62, in load
return yaml.safe_load(self.load_raw(stream))
File "/usr/local/lib/python2.7/site-packages/ansible_vault/api.py", line 50, in load_raw
return self.vault.decrypt(stream)
File "/usr/local/lib/python2.7/site-packages/ansible/parsing/vault/__init__.py", line 661, in decrypt
plaintext, vault_id, vault_secret = self.decrypt_and_get_vault_id(vaulttext, filename=filename)
File "/usr/local/lib/python2.7/site-packages/ansible/parsing/vault/__init__.py", line 684, in decrypt_and_get_vault_id
raise AnsibleError(msg)
ansible.errors.AnsibleError: input is not vault encrypted data
Please provide contact/information on reporting security issues for Ansible-vault
Seems like the newest version uploaded but with no code in it :(
$ cd ansible-vault-1.1.0
(.venv) LMDV-JHARLOW:ansible-vault-1.1.0 jxharlow$ tree .
.
├── PKG-INFO
├── README.rst
├── ansible_vault.egg-info
│ ├── PKG-INFO
│ ├── SOURCES.txt
│ ├── dependency_links.txt
│ ├── requires.txt
│ └── top_level.txt
├── setup.cfg
├── setup.py
└── test
└── test_api.py
2 directories, 10 files
All I know is that vault.dump makes the input_data into a string in the yaml_text, and the result of it is also a string, but the pwned.txt you gave can be executed in version 1.0.4.
I wonder how to make a txt just like the pwned.txt.
Thanks very much!
File "test.py", line 4, in <module>
data = vault.load(open('vars.yml').read())
File "/usr/local/lib/python3.8/dist-packages/ansible_vault/api.py", line 62, in load
return yaml.safe_load(self.load_raw(stream))
File "/usr/local/lib/python3.8/dist-packages/ansible_vault/api.py", line 50, in load_raw
return self.vault.decrypt(stream)
File "/usr/local/lib/python3.8/dist-packages/ansible/parsing/vault/__init__.py", line 663, in decrypt
plaintext, vault_id, vault_secret = self.decrypt_and_get_vault_id(vaulttext, filename=filename)
File "/usr/local/lib/python3.8/dist-packages/ansible/parsing/vault/__init__.py", line 720, in decrypt_and_get_vault_id
_matches = match_secrets(self.secrets, vault_id_matchers)
File "/usr/local/lib/python3.8/dist-packages/ansible/parsing/vault/__init__.py", line 542, in match_secrets
matches = [(vault_id, secret) for vault_id, secret in secrets if vault_id in target_vault_ids]
File "/usr/local/lib/python3.8/dist-packages/ansible/parsing/vault/__init__.py", line 542, in <listcomp>
matches = [(vault_id, secret) for vault_id, secret in secrets if vault_id in target_vault_ids]
TypeError: cannot unpack non-iterable int object
I think the merged #12 introduces an incompatible change, so check it and decide what version has to be released.
I have been trying to decrypt ansible-vault encrypted strings with python, but I could not find much documentation when it comes to using vault ids. I tried to create a vault with the latest version of ansible-vault
ansible-vault 2.8.6
config file = None
configured module search path = ['/home/neville/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/neville/.pyenv/versions/3.7.4/lib/python3.7/site-packages/ansible
executable location = /home/neville/.pyenv/versions/3.7.4/bin/ansible-vault
python version = 3.7.4 (default, Sep 8 2019, 10:28:23) [GCC 8.3.0]
but I could not find examples of how to set up the Vault Id when you decode the ansible_vault part, and when I tried to use Vault("password"), I got an error that no secrets were found. Can someone provide some snippets that will help me decrypt the below string?
Note: I used 'password' for the vault password
ansible-vault encrypt_string --vault-id test_vault@prompt
New vault password (test_vault):
Confirm new vault password (test_vault):
Reading plaintext input from stdin. (ctrl-d to end input)
Hello World
!vault |
$ANSIBLE_VAULT;1.2;AES256;test_vault
65336466616237373839383838383633646266656235336665626633626337376334663564353637
6237303233376162656461336537336335616565316535650a613731653162366239623739386234
64663838393235303463363063363761343435343134333739616366376663316337313764346265
3332356164373533610a636261366337643566326362663733393131623661383632373666316166
3135
Encryption successful
When I encrypt a string with this module and try to decrypt it again with ansible-vault I get (...) three dots at the end of my secret value.
vault = Vault("pass123")
with open("test.yaml", "w") as f:
    f.write(vault.dump("super_secret_password"))
And then I try to decrypt it with ansible-vault:
ansible-vault decrypt test.yaml
I get the following output:
super_secret_password
...
or super_secret_password\n...\n
to be more precise.
I was expecting just super_secret_password
to be returned.
I'm using:
ansible-vault [core 2.13.6]
config file = None
python version = 3.9.15 (main, Oct 12 2022, 19:14:37) [GCC 11.2.0]
jinja version = 3.1.2
libyaml = True
and python:
ansible==6.6.0
ansible-core==2.13.6
ansible-vault==2.1.0
Is there something I'm missing, maybe a setting in this module to disable this (...) explicit end functionality?
To test
# generate rsa256 key
ssh-keygen -t rsa -b 4096 -f test.key
# encrypt with ansible
ansible-vault encrypt test.key
When decrypting using ansible-vault, the output text is the original key with all line breaks replaced by whitespace.
Hi.
I bumped into a weird issue.
Trying to decode a vault encrypted yaml file I get this error:
AnsibleVaultError: Decryption failed (no vault secrets were found that could decrypt)
(I know there is a lot of stuff there)
adm_user@srv-admin ~/selenium-test:\) $ pip list
Package Version
------------------------- ----------------
ansible 9.1.0
ansible-base 2.10.8
ansible-compat 4.1.10
ansible-core 2.16.2
ansible-lint 6.22.1
ansible-modules-pm2 0.1.0
ansible-vault 2.1.0
apache-libcloud 3.2.0
apturl 0.5.2
argcomplete 1.8.1
asn1crypto 1.4.0
asttokens 2.4.1
attrs 23.1.0
ayatana-settings 21.1.28
Babel 2.8.0
bcrypt 3.2.0
beautifulsoup4 4.12.2
black 23.12.1
blessed 1.20.0
blinker 1.4
bpython 0.24
bracex 2.4
Brlapi 0.8.3
bs4 0.0.1
cajarename 21.11.24
certifi 2022.6.15
chardet 5.0.0
charset-normalizer 2.1.0
click 8.0.3
colorama 0.4.4
colorlog 6.6.0
configobj 5.0.6
cryptography 3.4.8
cupshelpers 1.0
curtsies 0.4.2
cwcwidth 0.1.9
dbus-python 1.2.18
decorator 5.1.1
defer 1.0.6
defusedxml 0.7.1
deja-dup-caja 0.0.9
distro 1.7.0
distro-info 1.1+ubuntu0.1
dnspython 2.1.0
duplicity 0.8.21
exceptiongroup 1.2.0
executing 2.0.1
fasteners 0.14.1
filelock 3.13.1
folder-color-caja 0.0.86
folder-color-common 0.0.86
future 0.18.2
gpg 1.16.0
greenlet 3.0.3
h11 0.14.0
httplib2 0.20.2
idna 3.3
importlib-metadata 4.6.4
ipython 8.18.1
jedi 0.19.1
jeepney 0.7.1
Jinja2 3.0.3
jmespath 0.10.0
jsonschema 4.20.0
jsonschema-specifications 2023.12.1
keyring 23.5.0
language-selector 0.1
launchpadlib 1.10.16
lazr.restfulclient 0.14.4
lazr.uri 1.0.6
lockfile 0.12.2
louis 3.20.0
Magnus 1.0.3
Mako 1.1.3
markdown-it-py 3.0.0
MarkupSafe 2.0.1
mate-hud 22.4.4
mate-menu 22.4.1
mate-tweak 22.4.8
matplotlib-inline 0.1.6
mdurl 0.1.2
meld 3.20.4
monotonic 1.6
more-itertools 8.10.0
mypy-extensions 1.0.0
netaddr 0.8.0
netifaces 0.11.0
ntlm-auth 1.4.0
oauthlib 3.2.0
olefile 0.46
onboard 1.4.1
outcome 1.3.0.post0
packaging 23.2
paramiko 2.9.3
parso 0.8.3
pathspec 0.12.1
pexpect 4.8.0
Pillow 9.0.1
pip 22.0.2
pip-search 0.0.12
platformdirs 4.1.0
prompt-toolkit 3.0.43
psutil 5.9.0
ptyprocess 0.7.0
pulsemixer 1.5.1
pure-eval 0.2.2
pyasn1 0.4.8
pycairo 1.20.1
pycryptodomex 3.11.0
pycups 2.0.1
Pygments 2.17.2
PyGObject 3.42.1
PyJWT 2.3.0
pymacaroons 0.13.0
PyNaCl 1.5.0
pyparsing 2.4.7
PySocks 1.7.1
python-apt 2.4.0+ubuntu2
python-dateutil 2.8.1
python-debian 0.1.43+ubuntu1.1
python-dotenv 1.0.0
python-xapp 2.2.1
python-xlib 0.29
pytz 2022.1
pyvmomi 6.7.1
pywinrm 0.3.0
pyxattr 0.7.2
pyxdg 0.27
PyYAML 5.4.1
referencing 0.32.0
reportlab 3.6.8
requests 2.31.0
requests-ntlm 1.1.0
requests-toolbelt 0.9.1
resolvelib 1.0.1
rich 13.7.0
rpds-py 0.16.2
ruamel.yaml 0.18.5
ruamel.yaml.clib 0.2.8
SecretStorage 3.3.1
selenium 4.16.0
selinux 3.3
setproctitle 1.2.2
setuptools 59.6.0
simplejson 3.17.6
six 1.16.0
sniffio 1.3.0
sortedcontainers 2.4.0
soupsieve 2.5
stack-data 0.6.3
stormshield.sns.sslclient 1.0.4
subprocess-tee 0.4.1
systemd-python 234
terminator 2.1.1
tomli 2.0.1
traitlets 5.14.0
trio 0.23.2
trio-websocket 0.11.1
typing_extensions 4.9.0
ubuntu-advantage-tools 8001
ubuntu-drivers-common 0.0.0
ufw 0.36.1
unattended-upgrades 0.1
urllib3 1.26.10
wadllib 1.3.6
wcmatch 8.5
wcwidth 0.2.12
webdriver-manager 4.0.1
wheel 0.37.1
wsproto 1.2.0
xdg 5
xkit 0.0.0
xmltodict 0.12.0
yamllint 1.33.0
youtube-dl 2021.12.17
zipp 1.0.0
Python is 3.10.12
adm_user@srv-admin ~/selenium-test:\) $ cat toto.yml
soft:
user: toto
password: rototo
adm_user@srv-admin ~/selenium-test:\) $ echo -n "toto" > password
adm_user@srv-admin ~/selenium-test:\) $ cat password
totoadm_user@srv-admin ~/selenium-test:\) $
adm_user@srv-admin ~/selenium-test:\) $ ansible-vault encrypt toto.yml --vault-password-file password
Encryption successful
adm_user@srv-admin ~/selenium-test:\) $ cat toto.yml
$ANSIBLE_VAULT;1.1;AES256
32353335396261646339343466646261306239633333366365663862353062653632653633656162
6464663731366136633131646531303063366332633734370a653464373830666666343930393564
39393162396564356336336339666666383432323738376566626434393461376334656664396339
6461363530383238340a376333306631383762323134303931393938653837633263386664633830
61383664303562386131306234333238396434316636343230633231386138613264383566363432
6165626266626437653735383835663564313162633265643964
adm_user@srv-admin ~/selenium-test:\) $
Now to python:
adm_user@srv-admin ~/selenium-test:\) $ ipython
Python 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0]
Type 'copyright', 'credits' or 'license' for more information
IPython 8.18.1 -- An enhanced Interactive Python. Type '?' for help.
In [1]: from ansible_vault import Vault
In [2]: vault = Vault(open('password').read())
In [3]: data = vault.load(open('toto.yml').read())
---------------------------------------------------------------------------
AnsibleVaultError Traceback (most recent call last)
Cell In[3], line 1
----> 1 data = vault.load(open('toto.yml').read())
File ~/.local/lib/python3.10/site-packages/ansible_vault/api.py:53, in Vault.load(self, stream)
51 def load(self, stream):
52 """Read vault steam and return python object."""
---> 53 return yaml.safe_load(self.load_raw(stream))
File ~/.local/lib/python3.10/site-packages/ansible_vault/api.py:41, in Vault.load_raw(self, stream)
39 def load_raw(self, stream):
40 """Read vault stream and return raw data."""
---> 41 return self.vault.decrypt(stream)
File ~/.local/lib/python3.10/site-packages/ansible_vault/parsing.py:47, in AnsibleVaultLib.decrypt(self, vaulttext)
46 def decrypt(self, vaulttext):
---> 47 return self.vault.decrypt(vaulttext)
File ~/.local/lib/python3.10/site-packages/ansible/parsing/vault/__init__.py:644, in VaultLib.decrypt(self, vaulttext, filename, obj)
633 def decrypt(self, vaulttext, filename=None, obj=None):
634 '''Decrypt a piece of vault encrypted data.
635
636 :arg vaulttext: a string to decrypt. Since vault encrypted data is an
(...)
642
643 '''
--> 644 plaintext, vault_id, vault_secret = self.decrypt_and_get_vault_id(vaulttext, filename=filename, obj=obj)
645 return plaintext
File ~/.local/lib/python3.10/site-packages/ansible/parsing/vault/__init__.py:751, in VaultLib.decrypt_and_get_vault_id(self, vaulttext, filename, obj)
749 if filename:
750 msg += " on %s" % to_native(filename)
--> 751 raise AnsibleVaultError(msg)
753 if b_plaintext is None:
754 msg = "Decryption failed"
AnsibleVaultError: Decryption failed (no vault secrets were found that could decrypt)
In [4]:
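Both the vault-id question earlier on this page and the "no vault secrets were found that could decrypt" report above come down to the same question: does the password you hold actually authenticate this envelope, or is the failure in the wrapper's handling of secrets? The following is an added example, not code from the ansible-vault wrapper or from Ansible itself. It parses the `$ANSIBLE_VAULT` envelope (header, salt, HMAC, ciphertext) and recomputes the HMAC-SHA256 under a candidate password with the standard library only, which is the check Ansible's `VaultAES256` performs before decrypting. It does not decrypt, because AES-256-CTR is not in the standard library. The two vault texts embedded are the ones posted in the issues above: the `test_vault` string encrypted with the password `password`, and `toto.yml` encrypted with a password file containing `toto`; the format constants (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes split into AES key, HMAC key and IV) are those of Ansible's vault implementation.

```python
"""Parse an ansible-vault envelope and check whether a password authenticates it.

Added example, not code from the ansible-vault wrapper or from Ansible.
Envelope layout (Ansible's VaultAES256): a header '$ANSIBLE_VAULT;<version>;AES256'
optionally followed by ';<vault-id>', then hex text (wrapped at 80 columns) that
decodes to hex(salt) + '\\n' + hex(hmac) + '\\n' + hex(ciphertext).  The 80-byte
PBKDF2-HMAC-SHA256 output (10000 iterations) is split into key1 (32, AES-CTR),
key2 (32, HMAC-SHA256) and iv (16); the HMAC is computed over the ciphertext.
"""
import binascii
import hashlib
import hmac

PBKDF2_ITERATIONS = 10000
KEY_LEN = 32   # bytes, for both the AES key and the HMAC key
IV_LEN = 16    # bytes, AES block size

# Vault text from the issue above: vault-id 'test_vault', password 'password'.
# The leading '!vault |' line is how the string appears inline in a YAML file.
VAULT_12_TEST_VAULT = """\
!vault |
$ANSIBLE_VAULT;1.2;AES256;test_vault
65336466616237373839383838383633646266656235336665626633626337376334663564353637
6237303233376162656461336537336335616565316535650a613731653162366239623739386234
64663838393235303463363063363761343435343134333739616366376663316337313764346265
3332356164373533610a636261366337643566326362663733393131623661383632373666316166
3135
"""

# toto.yml from the issue above, encrypted with a password file containing 'toto'.
VAULT_11_TOTO = """\
$ANSIBLE_VAULT;1.1;AES256
32353335396261646339343466646261306239633333366365663862353062653632653633656162
6464663731366136633131646531303063366332633734370a653464373830666666343930393564
39393162396564356336336339666666383432323738376566626434393461376334656664396339
6461363530383238340a376333306631383762323134303931393938653837633263386664633830
61383664303562386131306234333238396434316636343230633231386138613264383566363432
6165626266626437653735383835663564313162633265643964
"""


def parse_vault_text(text):
    """Return header fields and the raw salt / hmac / ciphertext of a vault envelope."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].startswith("!vault"):   # inline encrypted string in YAML
        lines = lines[1:]
    if not lines:
        raise ValueError("empty input")
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or len(header) not in (3, 4):
        raise ValueError("input is not vault encrypted data")
    version, cipher = header[1], header[2]
    if cipher != "AES256":
        raise ValueError("unsupported cipher %r" % cipher)
    vault_id = header[3] if len(header) == 4 else None
    try:
        inner = binascii.unhexlify("".join(lines[1:]))
        salt_hex, hmac_hex, ct_hex = inner.split(b"\n")
        salt, mac, ciphertext = (binascii.unhexlify(x) for x in (salt_hex, hmac_hex, ct_hex))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("vault format unhexlify error: %s" % exc)
    return {"version": version, "vault_id": vault_id,
            "salt": salt, "hmac": mac, "ciphertext": ciphertext}


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> (aes_key, hmac_key, iv), split as Ansible does."""
    if isinstance(password, str):
        password = password.encode("utf-8")
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS,
                                  dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def password_authenticates(text, password):
    """True if the envelope's HMAC matches the one recomputed under 'password'."""
    env = parse_vault_text(text)
    _aes_key, hmac_key, _iv = derive_keys(password, env["salt"])
    expected = hmac.new(hmac_key, env["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, env["hmac"])


if __name__ == "__main__":
    for label, text, pw in (("test_vault", VAULT_12_TEST_VAULT, "password"),
                            ("toto.yml", VAULT_11_TOTO, "toto")):
        env = parse_vault_text(text)
        print("%s: format %s, vault-id %s, %d ciphertext bytes, password ok: %s"
              % (label, env["version"], env["vault_id"], len(env["ciphertext"]),
                 password_authenticates(text, pw)))
```

If this check passes for your password but `Vault(...).load()` still raises "no vault secrets were found that could decrypt", the password is not the problem; the wrapper is not presenting the secret to Ansible's `VaultLib` in the form that version expects (a list of `(vault_id, VaultSecret)` pairs, as the `match_secrets` tracebacks on this page show). Decryption proper needs AES-256-CTR from a cryptography library, which is what the wrapper delegates to Ansible.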
When I run
data = vault.load(open(test).read())
where test = "/path/to/vault.yml"
I get this
---------------------------------------------------------------------------
AnsibleError Traceback (most recent call last)
<ipython-input-104-4b5e48176f32> in <module>()
2 password = get_ansible_password()
3 vault = ansible_vault.Vault(password)
----> 4 data = vault.load(open(test).read())
~/.pyenv/versions/3.5.1/lib/python3.5/site-packages/ansible_vault/api.py in load(self, stream)
48 def load_raw(self, stream):
49 """Read vault stream and return raw data."""
---> 50 return self.vault.decrypt(stream)
51
52 def dump_raw(self, text, stream=None):
~/.pyenv/versions/3.5.1/lib/python3.5/site-packages/ansible/parsing/vault/__init__.py in decrypt(self, vaulttext, filename)
249 try:
250 return unhexlify(b_data)
--> 251 except (BinasciiError, TypeError) as exc:
252 raise AnsibleVaultFormatError('Vault format unhexlify error: %s' % exc)
253
AnsibleError: Decryption failed
I tested with variable test in Unicode string and byte string format. They both returned the same error.