Prevent rewriting the encrypted file if decryption fails

b8f627d1 · James Tanner · e71857fb · b8f627d1
Commit b8f627d1 authored Mar 19, 2014 by James Tanner
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

lib/ansible/utils/vault.py
+6 -2

No files found.
--- a/lib/ansible/utils/vault.py
+++ b/lib/ansible/utils/vault.py
@@ -113,7 +113,6 @@ class VaultLib(object):
        # clean out header
        data = self._split_header(data)

-
        # create the cipher object
        if 'Vault' + self.cipher_name in globals() and self.cipher_name in CIPHER_WHITELIST: 
            cipher = globals()['Vault' + self.cipher_name]
@@ -123,6 +122,8 @@ class VaultLib(object):

        # try to unencrypt data
        data = this_cipher.decrypt(data, self.password)
+        if not data:
+            raise errors.AnsibleError("Decryption failed")

        return data            

@@ -209,7 +210,10 @@ class VaultEditor(object):
        this_vault = VaultLib(self.password)
        if this_vault.is_encrypted(tmpdata):
            dec_data = this_vault.decrypt(tmpdata)
-            self.write_data(dec_data, self.filename)
+            if not dec_data:
+                raise errors.AnsibleError("Decryption failed")
+            else:
+                self.write_data(dec_data, self.filename)
        else:
            raise errors.AnsibleError("%s is not encrypted" % self.filename)