Class VaultEncryptionHelper


  • public class VaultEncryptionHelper
    extends Object
    The main class in this package for executing ansible-vault commands.

    While it is possible to use the various command classes directly to build the operating system command, create a ProcessBuilder and finally a Process, this class wraps all that and makes it relatively easy to make ansible-vault calls in the operating system.

    • Constructor Detail

      • VaultEncryptionHelper

        public VaultEncryptionHelper(VaultConfiguration configuration)
        Create an instance with the given vault configuration. Makes a copy of the given configuration, such that changes to the supplied object are not seen by this instance.

        If the configuration needs to change, for example after a rekey operation, then simply construct a new instance passing in the new VaultConfiguration object.

        Parameters:
        configuration - the vault configuration
        Implementation Note:
        While the configuration is validated at construction time, it could become invalid if the files in the operating system change, for example if the vault password file was deleted or renamed. Since these are unlikely scenarios, we don't bother re-checking on every call.
    • Method Detail

      • encryptFile

        public Path encryptFile(Path plainTextFilePath)
        Wraps the ansible-vault encrypt command. Encrypts file in place.
        Parameters:
        plainTextFilePath - the path to the file to encrypt in place
        Returns:
        the Path to the encrypted file, which will be the same as the argument
      • encryptFile

        public Path encryptFile(String plainTextFilePath)
        Wraps the ansible-vault encrypt command. Encrypts file in place.
        Parameters:
        plainTextFilePath - the path to the file to encrypt in place
        Returns:
        the Path to the encrypted file
      • encryptFile

        public Path encryptFile(Path plainTextFilePath,
                                String vaultIdLabel)
        Wraps the ansible-vault encrypt command using a vault ID label. Encrypts file in place.
        Parameters:
        plainTextFilePath - the path to the file to encrypt in place
        vaultIdLabel - the label for the --vault-id
        Returns:
        the Path to the encrypted file, which will be the same as the argument
      • encryptFile

        public Path encryptFile(String plainTextFilePath,
                                String vaultIdLabel)
        Wraps the ansible-vault encrypt command using a vault ID label. Encrypts file in place.
        Parameters:
        plainTextFilePath - the path to the file to encrypt in place
        vaultIdLabel - the label for the --vault-id
        Returns:
        the Path to the encrypted file
      • decryptFile

        public Path decryptFile(Path encryptedFilePath)
        Wraps ansible-vault decrypt command. Decrypts file in place.
        Parameters:
        encryptedFilePath - the path to the file to decrypt in place
        Returns:
        the Path to the decrypted file, which will be the same as the argument
      • decryptFile

        public Path decryptFile(String encryptedFilePath)
        Wraps ansible-vault decrypt command. Decrypts file in place.
        Parameters:
        encryptedFilePath - the path to the file to decrypt in place
        Returns:
        the Path to the decrypted file
      • decryptFile

        public Path decryptFile(Path encryptedFilePath,
                                Path outputFilePath)
        Wraps ansible-vault decrypt command. Decrypts file to a new specified output path. The original encrypted file is not modified.
        Parameters:
        encryptedFilePath - the path to the encrypted file to decrypt
        outputFilePath - the path to the new output file where decrypted content will be written
        Returns:
        the Path to the decrypted file
      • decryptFile

        public Path decryptFile(String encryptedFilePath,
                                String outputFilePath)
        Wraps ansible-vault decrypt command. Decrypts file to a new specified output path. The original encrypted file is not modified.
        Parameters:
        encryptedFilePath - the path to the encrypted file to decrypt
        outputFilePath - the path to the new output file where decrypted content will be written
        Returns:
        the Path to the decrypted file
      • viewFile

        public String viewFile(Path encryptedFilePath)
        Wraps ansible-vault view command. Returns the decrypted contents of the file. The original encrypted file is not modified.
        Parameters:
        encryptedFilePath - the path to the file to view
        Returns:
        the decrypted contents of the given file
      • viewFile

        public String viewFile(String encryptedFilePath)
        Wraps ansible-vault view command. Returns the decrypted contents of the file. The original encrypted file is not modified.
        Parameters:
        encryptedFilePath - the path to the file to view
        Returns:
        the decrypted contents of the given file
      • rekeyFile

        public Path rekeyFile(Path encryptedFilePath,
                              Path newVaultPasswordFilePath)
        Wraps ansible-vault rekey command. Returns the path of the rekeyed file.
        Parameters:
        encryptedFilePath - the path to the file to rekey
        newVaultPasswordFilePath - path to the file containing the new password
        Returns:
        the Path to the rekeyed file
      • rekeyFile

        public Path rekeyFile(String encryptedFilePath,
                              String newVaultPasswordFilePath)
        Wraps ansible-vault rekey command. Returns the path of the rekeyed file.
        Parameters:
        encryptedFilePath - the path to the file to rekey
        newVaultPasswordFilePath - path to the file containing the new password
        Returns:
        the Path to the rekeyed file
      • encryptString

        public String encryptString(String plainText,
                                    String variableName)
        Wraps the ansible-vault encrypt_string command.
        Parameters:
        plainText - the plain text to encrypt
        variableName - the name of the variable
        Returns:
        the encrypted variable
      • encryptString

        public String encryptString(String vaultIdLabel,
                                    String plainText,
                                    String variableName)
        Wraps the ansible-vault encrypt_string command using an optional vault ID label.
        Parameters:
        vaultIdLabel - the label of the vault (for use with the --vault-id argument)
        plainText - the plain text to encrypt
        variableName - the name of the variable
        Returns:
        the encrypted variable
      • decryptString

        public String decryptString(String encryptedString)
        Decrypts an encrypted string variable formatted using encrypt_string with a --name option.
        Parameters:
        encryptedString - the encrypted variable
        Returns:
        the decrypted content of the encrypted variable
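
The constructor notes say to build a new instance after a rekey operation; the sketch below rekeys a set of files with rekeyFile and then uses viewFile through a fresh instance to confirm each file is readable under the new password and unchanged. This is an added example, not code from the library. Assumptions: the import package name, the class and method names VaultRekeyExample and rekeyAll, and a newConfiguration argument that already points at the new password file.

```java
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

// Assumption: package name of the documented classes; adjust if yours differs.
import org.kiwiproject.ansible.vault.VaultConfiguration;
import org.kiwiproject.ansible.vault.VaultEncryptionHelper;

public class VaultRekeyExample {

    /**
     * Rekeys each file with the current helper, then confirms that a helper built
     * from the new configuration can read it and that the plaintext is unchanged.
     *
     * @param newConfiguration hypothetical parameter: a configuration that already
     *                         points at newVaultPasswordFilePath
     * @return a helper bound to the new configuration, for all further calls
     */
    public static VaultEncryptionHelper rekeyAll(VaultEncryptionHelper currentHelper,
                                                 VaultConfiguration newConfiguration,
                                                 Path newVaultPasswordFilePath,
                                                 List<Path> encryptedFiles) {
        // The old helper keeps its own copy of the old configuration, so a new
        // instance is required to read anything after the rekey.
        VaultEncryptionHelper newHelper = new VaultEncryptionHelper(newConfiguration);
        List<Path> failed = new ArrayList<>();

        for (Path file : encryptedFiles) {
            // viewFile leaves the encrypted file untouched; plaintext stays in memory.
            String before = currentHelper.viewFile(file);
            Path rekeyed = currentHelper.rekeyFile(file, newVaultPasswordFilePath);
            String after = newHelper.viewFile(rekeyed);

            if (!before.equals(after)) {
                failed.add(file); // record the path only, never the plaintext
            }
        }

        if (!failed.isEmpty()) {
            throw new IllegalStateException("Plaintext changed after rekey for: " + failed);
        }
        return newHelper;
    }
}
```

Using viewFile for the before/after comparison avoids decryptFile, which would leave plaintext on disk either in place or at the output path.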