Class VaultEncryptionHelper

java.lang.Object
org.kiwiproject.ansible.vault.VaultEncryptionHelper

public class VaultEncryptionHelper extends Object
The main class in this package for executing ansible-vault commands.

While it is possible to use the various command classes directly to build the operating system command, create a ProcessBuilder and finally a Process, this class wraps all that and makes it relatively easy to make ansible-vault calls in the operating system.

  • Constructor Details

    • VaultEncryptionHelper

      public VaultEncryptionHelper(VaultConfiguration configuration)
      Create an instance with the given vault configuration. Makes a copy of the given configuration, such that changes to the supplied object are not seen by this instance.

      If the configuration needs to change, for example after a re-key operation, then simply construct a new instance passing in the new VaultConfiguration object.

      Parameters:
      configuration - the vault configuration
      Implementation Note:
      While the configuration is validated at construction time, it could become invalid if the files in the operating system change, for example if the vault password file is deleted or renamed. Since these are unlikely scenarios, we don't bother re-checking on every call.
  • Method Details

    • whichAnsibleVault

      public static Optional<String> whichAnsibleVault()
      Locate the ansible-vault program in the user's path.
      Returns:
      an Optional containing the full path to ansible-vault, or an empty Optional if not found
    • whichAnsibleVaultAsPath

      public static Optional<Path> whichAnsibleVaultAsPath()
      Locate the ansible-vault program in the user's path, returning the result as a Path.
      Returns:
      an Optional containing the full Path to ansible-vault, or an empty Optional if not found
      Implementation Note:
      This is a convenience wrapper around Processes.whichAsPath(String) specifically for the ansible-vault program
    • encryptFile

      public Path encryptFile(Path plainTextFilePath)
      Wraps the ansible-vault encrypt command. Encrypts file in place.
      Parameters:
      plainTextFilePath - the path to the file to encrypt in place
      Returns:
      the Path to the encrypted file, which will be the same as the argument
    • encryptFile

      public Path encryptFile(String plainTextFilePath)
      Wraps the ansible-vault encrypt command. Encrypts file in place.
      Parameters:
      plainTextFilePath - the path to the file to encrypt in place
      Returns:
      the Path to the encrypted file
    • encryptFile

      public Path encryptFile(Path plainTextFilePath, String vaultIdLabel)
      Wraps the ansible-vault encrypt command using a vault ID label. Encrypts file in place.
      Parameters:
      plainTextFilePath - the path to the file to encrypt in place
      vaultIdLabel - the label for the --vault-id
      Returns:
      the Path to the encrypted file, which will be the same as the argument
    • encryptFile

      public Path encryptFile(String plainTextFilePath, String vaultIdLabel)
      Wraps the ansible-vault encrypt command using a vault ID label. Encrypts file in place.
      Parameters:
      plainTextFilePath - the path to the file to encrypt in place
      vaultIdLabel - the label for the --vault-id
      Returns:
      the Path to the encrypted file
    • decryptFile

      public Path decryptFile(Path encryptedFilePath)
      Wraps ansible-vault decrypt command. Decrypts file in place.
      Parameters:
      encryptedFilePath - the path to the file to decrypt in place
      Returns:
      the Path to the decrypted file, which will be the same as the argument
    • decryptFile

      public Path decryptFile(String encryptedFilePath)
      Wraps ansible-vault decrypt command. Decrypts file in place.
      Parameters:
      encryptedFilePath - the path to the file to decrypt in place
      Returns:
      the Path to the decrypted file
    • decryptFile

      public Path decryptFile(Path encryptedFilePath, Path outputFilePath)
      Wraps ansible-vault decrypt command. Decrypts file to a new specified output path. The original encrypted file is not modified.
      Parameters:
      encryptedFilePath - the path to the encrypted file to decrypt
      outputFilePath - the path to the new output file where decrypted content will be written
      Returns:
      the Path to the decrypted file
    • decryptFile

      public Path decryptFile(String encryptedFilePath, String outputFilePath)
      Wraps ansible-vault decrypt command. Decrypts file to a new specified output path. The original encrypted file is not modified.
      Parameters:
      encryptedFilePath - the path to the encrypted file to decrypt
      outputFilePath - the path to the new output file where decrypted content will be written
      Returns:
      the Path to the decrypted file
    • viewFile

      public String viewFile(Path encryptedFilePath)
      Wraps ansible-vault view command. Returns the decrypted contents of the file. The original encrypted file is not modified.
      Parameters:
      encryptedFilePath - the path to the file to view
      Returns:
      the decrypted contents of the given file
    • viewFile

      public String viewFile(String encryptedFilePath)
      Wraps ansible-vault view command. Returns the decrypted contents of the file. The original encrypted file is not modified.
      Parameters:
      encryptedFilePath - the path to the file to view
      Returns:
      the decrypted contents of the given file
    • rekeyFile

      public Path rekeyFile(Path encryptedFilePath, Path newVaultPasswordFilePath)
      Wraps ansible-vault rekey command. Returns the path of the re-keyed file.
      Parameters:
      encryptedFilePath - the path to the encrypted file to re-key
      newVaultPasswordFilePath - path to the file containing the new password
      Returns:
      the Path to the re-keyed file
    • rekeyFile

      public Path rekeyFile(String encryptedFilePath, String newVaultPasswordFilePath)
      Wraps ansible-vault rekey command. Returns the path of the re-keyed file.
      Parameters:
      encryptedFilePath - the path to the encrypted file to re-key
      newVaultPasswordFilePath - path to the file containing the new password
      Returns:
      the Path to the re-keyed file
    • encryptString

      public String encryptString(String plainText, String variableName)
      Wraps the ansible-vault encrypt_string command.
      Parameters:
      plainText - the plain text to encrypt
      variableName - the name of the variable
      Returns:
      the encrypted variable
    • encryptString

      public String encryptString(String vaultIdLabel, String plainText, String variableName)
      Wraps the ansible-vault encrypt_string command using an optional vault ID label.
      Parameters:
      vaultIdLabel - the label of the vault (for use with the --vault-id argument)
      plainText - the plain text to encrypt
      variableName - the name of the variable
      Returns:
      the encrypted variable
    • decryptString

      public String decryptString(String encryptedString)
      Decrypts an encrypted string variable formatted using encrypt_string with a --name option.
      Parameters:
      encryptedString - the encrypted variable
      Returns:
      the decrypted content of the encrypted variable
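
Added example, not part of the library's own documentation: rotating a vault password with rekeyFile and then, as the constructor notes describe, building a new helper from the new configuration to confirm the file is still a vault file and decrypts to the same content. The class VaultRekeyExample, the method rotate and its parameters are hypothetical; both VaultConfiguration objects are assumed to be built and validated by the caller, and VaultConfiguration is assumed to live in the same package as the helper.

```java
import org.kiwiproject.ansible.vault.VaultConfiguration; // assumed package
import org.kiwiproject.ansible.vault.VaultEncryptionHelper;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;

/** Hypothetical example class; not part of the library. */
public class VaultRekeyExample {

    /**
     * Re-keys encryptedFile and verifies the result with a second helper.
     * oldConfig and newConfig are assumed to differ only in the vault
     * password file they reference; newPasswordFile is that new file.
     */
    public static void rotate(VaultConfiguration oldConfig, VaultConfiguration newConfig,
                              Path encryptedFile, Path newPasswordFile) throws IOException {
        if (VaultEncryptionHelper.whichAnsibleVault().isEmpty()) {
            throw new IllegalStateException("ansible-vault not found in the user's path");
        }

        var oldHelper = new VaultEncryptionHelper(oldConfig);
        // viewFile returns the decrypted contents; the encrypted file is not modified.
        byte[] before = oldHelper.viewFile(encryptedFile).getBytes(StandardCharsets.UTF_8);

        Path rekeyed = oldHelper.rekeyFile(encryptedFile, newPasswordFile);

        // The file on disk must still carry the vault header, never plaintext.
        if (!Files.readString(rekeyed, StandardCharsets.UTF_8).startsWith("$ANSIBLE_VAULT;")) {
            throw new IllegalStateException("not a vault file after rekey: " + rekeyed);
        }

        // oldHelper holds a copy of oldConfig, so it still points at the old
        // password file. A new instance is required to read the re-keyed file.
        var newHelper = new VaultEncryptionHelper(newConfig);
        byte[] after = newHelper.viewFile(rekeyed).getBytes(StandardCharsets.UTF_8);

        // Compare the two plaintexts without logging either of them.
        if (!MessageDigest.isEqual(before, after)) {
            throw new IllegalStateException("content changed during rekey: " + rekeyed);
        }
    }
}
```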