diff options
author | Matthew Thode <prometheanfire@gentoo.org> | 2017-06-01 18:55:00 -0500 |
---|---|---|
committer | Matthew Thode <prometheanfire@gentoo.org> | 2017-06-01 18:55:31 -0500 |
commit | eee983b6a6b8cf09256d37f46ab28117f317a3ee (patch) | |
tree | 719b31dc4c7c6b6706123197766e9e48a35aed9e /app-admin/ansible/files | |
parent | sys-block/tgt: bup 1.0.70 (diff) | |
download | gentoo-eee983b6a6b8cf09256d37f46ab28117f317a3ee.tar.gz gentoo-eee983b6a6b8cf09256d37f46ab28117f317a3ee.tar.bz2 gentoo-eee983b6a6b8cf09256d37f46ab28117f317a3ee.zip |
app-admin/ansible: 2.3.1.0 bup
Package-Manager: Portage-2.3.5, Repoman-2.3.2
Diffstat (limited to 'app-admin/ansible/files')
-rw-r--r-- | app-admin/ansible/files/ansible-2.3.1.0-pycryptodome.patch | 905 |
1 files changed, 905 insertions, 0 deletions
diff --git a/app-admin/ansible/files/ansible-2.3.1.0-pycryptodome.patch b/app-admin/ansible/files/ansible-2.3.1.0-pycryptodome.patch new file mode 100644 index 000000000000..71799dec1aba --- /dev/null +++ b/app-admin/ansible/files/ansible-2.3.1.0-pycryptodome.patch @@ -0,0 +1,905 @@ +diff -uNr ansible-2.3.0.0.ORIG/lib/ansible/executor/process/worker.py ansible-2.3.0.0/lib/ansible/executor/process/worker.py +--- ansible-2.3.0.0.ORIG/lib/ansible/executor/process/worker.py 2017-05-23 14:23:12.313595450 +0100 ++++ ansible-2.3.0.0/lib/ansible/executor/process/worker.py 2017-05-23 14:24:22.116598926 +0100 +@@ -26,14 +26,6 @@ + + from jinja2.exceptions import TemplateNotFound + +-# TODO: not needed if we use the cryptography library with its default RNG +-# engine +-HAS_ATFORK=True +-try: +- from Crypto.Random import atfork +-except ImportError: +- HAS_ATFORK=False +- + from ansible.errors import AnsibleConnectionFailure + from ansible.executor.task_executor import TaskExecutor + from ansible.executor.task_result import TaskResult +@@ -95,9 +87,6 @@ + #pr = cProfile.Profile() + #pr.enable() + +- if HAS_ATFORK: +- atfork() +- + try: + # execute the task and build a TaskResult from the result + display.debug("running TaskExecutor() for %s/%s" % (self._host, self._task)) +diff -uNr ansible-2.3.0.0.ORIG/lib/ansible/modules/cloud/amazon/ec2_win_password.py ansible-2.3.0.0/lib/ansible/modules/cloud/amazon/ec2_win_password.py +--- ansible-2.3.0.0.ORIG/lib/ansible/modules/cloud/amazon/ec2_win_password.py 2017-05-23 14:23:12.299595449 +0100 ++++ ansible-2.3.0.0/lib/ansible/modules/cloud/amazon/ec2_win_password.py 2017-05-23 14:29:51.003615305 +0100 +@@ -93,9 +93,10 @@ + ''' + + from base64 import b64decode +-from Crypto.Cipher import PKCS1_v1_5 +-from Crypto.PublicKey import RSA + import datetime ++from cryptography.hazmat.backends import default_backend ++from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15 ++from cryptography.hazmat.primitives.serialization import load_pem_private_key + + try: + import boto.ec2 +@@ -103,6 +104,9 @@ + except ImportError: + HAS_BOTO = False + ++BACKEND = default_backend() ++ ++ + def main(): + argument_spec = ec2_argument_spec() + argument_spec.update(dict( +@@ -151,15 +155,12 @@ + else: + try: + with f: +- key = RSA.importKey(f.read(), key_passphrase) +- except (ValueError, IndexError, TypeError) as e: ++ key = load_pem_private_key(f.read(), key_passphrase, BACKEND) ++ except (ValueError, TypeError) as e: + module.fail_json(msg = "unable to parse key file") + +- cipher = PKCS1_v1_5.new(key) +- sentinel = 'password decryption failed!!!' +- + try: +- decrypted = cipher.decrypt(decoded, sentinel) ++ decrypted = key.decrypt(decoded, PKCS1v15()) + except ValueError as e: + decrypted = None + +diff -uNr ansible-2.3.0.0.ORIG/lib/ansible/parsing/vault/__init__.py ansible-2.3.0.0/lib/ansible/parsing/vault/__init__.py +--- ansible-2.3.0.0.ORIG/lib/ansible/parsing/vault/__init__.py 2017-05-23 14:23:12.311595449 +0100 ++++ ansible-2.3.0.0/lib/ansible/parsing/vault/__init__.py 2017-05-23 14:31:23.267619901 +0100 +@@ -25,7 +25,6 @@ + import sys + import tempfile + import random +-from io import BytesIO + from subprocess import call + from hashlib import sha256 + from binascii import hexlify +@@ -35,32 +34,14 @@ + # Note: Only used for loading obsolete VaultAES files. All files are written + # using the newer VaultAES256 which does not require md5 + +-try: +- from Crypto.Hash import SHA256, HMAC +- HAS_HASH = True +-except ImportError: +- HAS_HASH = False +- +-# Counter import fails for 2.0.1, requires >= 2.6.1 from pip +-try: +- from Crypto.Util import Counter +- HAS_COUNTER = True +-except ImportError: +- HAS_COUNTER = False +- +-# KDF import fails for 2.0.1, requires >= 2.6.1 from pip +-try: +- from Crypto.Protocol.KDF import PBKDF2 +- HAS_PBKDF2 = True +-except ImportError: +- HAS_PBKDF2 = False +- +-# AES IMPORTS +-try: +- from Crypto.Cipher import AES as AES +- HAS_AES = True +-except ImportError: +- HAS_AES = False ++from cryptography.exceptions import InvalidSignature ++from cryptography.hazmat.backends import default_backend ++from cryptography.hazmat.primitives import hashes, padding ++from cryptography.hazmat.primitives.hmac import HMAC ++from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC ++from cryptography.hazmat.primitives.ciphers import ( ++ Cipher as C_Cipher, algorithms, modes ++) + + from ansible.compat.six import PY3, binary_type + from ansible.compat.six.moves import zip +@@ -73,26 +54,8 @@ + from ansible.utils.display import Display + display = Display() + +-# OpenSSL pbkdf2_hmac +-HAS_PBKDF2HMAC = False +-try: +- from cryptography.hazmat.primitives.hashes import SHA256 as c_SHA256 +- from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC +- from cryptography.hazmat.backends import default_backend +- HAS_PBKDF2HMAC = True +-except ImportError: +- pass +-except Exception as e: +- display.vvvv("Optional dependency 'cryptography' raised an exception, falling back to 'Crypto'.") +- import traceback +- display.vvvv("Traceback from import of cryptography was {0}".format(traceback.format_exc())) +- +-HAS_ANY_PBKDF2HMAC = HAS_PBKDF2 or HAS_PBKDF2HMAC +- +- +-CRYPTO_UPGRADE = "ansible-vault requires a newer version of pycrypto than the one installed on your platform." \ +- " You may fix this with OS-specific commands such as: yum install python-devel; rpm -e --nodeps python-crypto; pip install pycrypto" + ++BACKEND = default_backend() + b_HEADER = b'$ANSIBLE_VAULT' + CIPHER_WHITELIST = frozenset((u'AES', u'AES256')) + CIPHER_WRITE_WHITELIST = frozenset((u'AES256',)) +@@ -100,12 +63,6 @@ + # (used in VaultFile header) to a cipher class + + +-def check_prereqs(): +- +- if not HAS_AES or not HAS_COUNTER or not HAS_ANY_PBKDF2HMAC or not HAS_HASH: +- raise AnsibleError(CRYPTO_UPGRADE) +- +- + class AnsibleVaultError(AnsibleError): + pass + +@@ -410,8 +367,6 @@ + + def encrypt_file(self, filename, output_file=None): + +- check_prereqs() +- + # A file to be encrypted into a vaultfile could be any encoding + # so treat the contents as a byte string. + +@@ -424,8 +379,6 @@ + + def decrypt_file(self, filename, output_file=None): + +- check_prereqs() +- + # follow the symlink + filename = os.path.realpath(filename) + +@@ -440,8 +393,6 @@ + def create_file(self, filename): + """ create a new encrypted file """ + +- check_prereqs() +- + # FIXME: If we can raise an error here, we can probably just make it + # behave like edit instead. + if os.path.isfile(filename): +@@ -451,8 +402,6 @@ + + def edit_file(self, filename): + +- check_prereqs() +- + # follow the symlink + filename = os.path.realpath(filename) + +@@ -471,7 +420,6 @@ + + def plaintext(self, filename): + +- check_prereqs() + ciphertext = self.read_data(filename) + + try: +@@ -483,8 +431,6 @@ + + def rekey_file(self, filename, b_new_password): + +- check_prereqs() +- + # follow the symlink + filename = os.path.realpath(filename) + +@@ -581,10 +527,6 @@ + + # Note: strings in this class should be byte strings by default. + +- def __init__(self): +- if not HAS_AES: +- raise AnsibleError(CRYPTO_UPGRADE) +- + def _aes_derive_key_and_iv(self, b_password, b_salt, key_length, iv_length): + + """ Create a key and an initialization vector """ +@@ -620,41 +562,22 @@ + ' switch to the newer VaultAES256 format', version='2.3') + # http://stackoverflow.com/a/14989032 + +- b_ciphertext = unhexlify(b_vaulttext) +- +- in_file = BytesIO(b_ciphertext) +- in_file.seek(0) +- out_file = BytesIO() ++ b_vaultdata = unhexlify(b_vaulttext) ++ b_tmpsalt = b_vaultdata[:16] ++ b_ciphertext = b_vaultdata[16:] + +- bs = AES.block_size +- b_tmpsalt = in_file.read(bs) ++ bs = algorithms.AES.block_size // 8 + b_salt = b_tmpsalt[len(b'Salted__'):] + b_key, b_iv = self._aes_derive_key_and_iv(b_password, b_salt, key_length, bs) +- cipher = AES.new(b_key, AES.MODE_CBC, b_iv) +- b_next_chunk = b'' +- finished = False +- +- while not finished: +- b_chunk, b_next_chunk = b_next_chunk, cipher.decrypt(in_file.read(1024 * bs)) +- if len(b_next_chunk) == 0: +- if PY3: +- padding_length = b_chunk[-1] +- else: +- padding_length = ord(b_chunk[-1]) ++ cipher = C_Cipher(algorithms.AES(b_key), modes.CBC(b_iv), BACKEND).decryptor() ++ unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder() + +- b_chunk = b_chunk[:-padding_length] +- finished = True +- +- out_file.write(b_chunk) +- out_file.flush() +- +- # reset the stream pointer to the beginning +- out_file.seek(0) +- b_out_data = out_file.read() +- out_file.close() ++ b_plaintext = unpadder.update( ++ cipher.update(b_ciphertext) + cipher.finalize() ++ ) + unpadder.finalize() + + # split out sha and verify decryption +- b_split_data = b_out_data.split(b"\n", 1) ++ b_split_data = b_plaintext.split(b"\n", 1) + b_this_sha = b_split_data[0] + b_plaintext = b_split_data[1] + b_test_sha = to_bytes(sha256(b_plaintext).hexdigest()) +@@ -676,19 +599,16 @@ + + # Note: strings in this class should be byte strings by default. + +- def __init__(self): +- +- check_prereqs() +- + @staticmethod + def _create_key(b_password, b_salt, keylength, ivlength): +- hash_function = SHA256 +- +- # make two keys and one iv +- pbkdf2_prf = lambda p, s: HMAC.new(p, s, hash_function).digest() ++ kdf = PBKDF2HMAC( ++ algorithm=hashes.SHA256(), ++ length=2 * keylength + ivlength, ++ salt=b_salt, ++ iterations=10000, ++ backend=BACKEND) ++ b_derivedkey = kdf.derive(b_password) + +- b_derivedkey = PBKDF2(b_password, b_salt, dkLen=(2 * keylength) + ivlength, +- count=10000, prf=pbkdf2_prf) + return b_derivedkey + + @classmethod +@@ -696,55 +616,31 @@ + # 16 for AES 128, 32 for AES256 + keylength = 32 + +- # match the size used for counter.new to avoid extra work +- ivlength = 16 ++ # AES is a 128-bit block cipher, so IVs and counter nonces are 16 bytes ++ ivlength = algorithms.AES.block_size // 8 + +- if HAS_PBKDF2HMAC: +- backend = default_backend() +- kdf = PBKDF2HMAC( +- algorithm=c_SHA256(), +- length=2 * keylength + ivlength, +- salt=b_salt, +- iterations=10000, +- backend=backend) +- b_derivedkey = kdf.derive(b_password) +- else: +- b_derivedkey = cls._create_key(b_password, b_salt, keylength, ivlength) ++ b_derivedkey = cls._create_key(b_password, b_salt, keylength, ivlength) + + b_key1 = b_derivedkey[:keylength] + b_key2 = b_derivedkey[keylength:(keylength * 2)] + b_iv = b_derivedkey[(keylength * 2):(keylength * 2) + ivlength] + +- return b_key1, b_key2, hexlify(b_iv) ++ return b_key1, b_key2, b_iv + + def encrypt(self, b_plaintext, b_password): + b_salt = os.urandom(32) + b_key1, b_key2, b_iv = self._gen_key_initctr(b_password, b_salt) + +- # PKCS#7 PAD DATA http://tools.ietf.org/html/rfc5652#section-6.3 +- bs = AES.block_size +- padding_length = (bs - len(b_plaintext) % bs) or bs +- b_plaintext += to_bytes(padding_length * chr(padding_length), encoding='ascii', errors='strict') +- +- # COUNTER.new PARAMETERS +- # 1) nbits (integer) - Length of the counter, in bits. +- # 2) initial_value (integer) - initial value of the counter. "iv" from _gen_key_initctr +- +- ctr = Counter.new(128, initial_value=int(b_iv, 16)) +- +- # AES.new PARAMETERS +- # 1) AES key, must be either 16, 24, or 32 bytes long -- "key" from _gen_key_initctr +- # 2) MODE_CTR, is the recommended mode +- # 3) counter=<CounterObject> +- +- cipher = AES.new(b_key1, AES.MODE_CTR, counter=ctr) +- +- # ENCRYPT PADDED DATA +- b_ciphertext = cipher.encrypt(b_plaintext) ++ cipher = C_Cipher(algorithms.AES(b_key1), modes.CTR(b_iv), BACKEND) ++ encryptor = cipher.encryptor() ++ padder = padding.PKCS7(algorithms.AES.block_size).padder() ++ b_ciphertext = encryptor.update(padder.update(b_plaintext) + padder.finalize()) ++ b_ciphertext += encryptor.finalize() + + # COMBINE SALT, DIGEST AND DATA +- hmac = HMAC.new(b_key2, b_ciphertext, SHA256) +- b_vaulttext = b'\n'.join([hexlify(b_salt), to_bytes(hmac.hexdigest()), hexlify(b_ciphertext)]) ++ hmac = HMAC(b_key2, hashes.SHA256(), BACKEND) ++ hmac.update(b_ciphertext) ++ b_vaulttext = b'\n'.join([hexlify(b_salt), hexlify(hmac.finalize()), hexlify(b_ciphertext)]) + b_vaulttext = hexlify(b_vaulttext) + return b_vaulttext + +@@ -757,48 +653,21 @@ + b_key1, b_key2, b_iv = self._gen_key_initctr(b_password, b_salt) + + # EXIT EARLY IF DIGEST DOESN'T MATCH +- hmacDecrypt = HMAC.new(b_key2, b_ciphertext, SHA256) +- if not self._is_equal(b_cryptedHmac, to_bytes(hmacDecrypt.hexdigest())): ++ hmac = HMAC(b_key2, hashes.SHA256(), BACKEND) ++ hmac.update(b_ciphertext) ++ try: ++ hmac.verify(unhexlify(b_cryptedHmac)) ++ except InvalidSignature: + return None +- # SET THE COUNTER AND THE CIPHER +- ctr = Counter.new(128, initial_value=int(b_iv, 16)) +- cipher = AES.new(b_key1, AES.MODE_CTR, counter=ctr) +- +- # DECRYPT PADDED DATA +- b_plaintext = cipher.decrypt(b_ciphertext) +- +- # UNPAD DATA +- if PY3: +- padding_length = b_plaintext[-1] +- else: +- padding_length = ord(b_plaintext[-1]) + +- b_plaintext = b_plaintext[:-padding_length] +- return b_plaintext ++ cipher = C_Cipher(algorithms.AES(b_key1), modes.CTR(b_iv), BACKEND) ++ decryptor = cipher.decryptor() ++ unpadder = padding.PKCS7(128).unpadder() ++ b_plaintext = unpadder.update( ++ decryptor.update(b_ciphertext) + decryptor.finalize() ++ ) + unpadder.finalize() + +- @staticmethod +- def _is_equal(b_a, b_b): +- """ +- Comparing 2 byte arrrays in constant time +- to avoid timing attacks. +- +- It would be nice if there was a library for this but +- hey. +- """ +- if not (isinstance(b_a, binary_type) and isinstance(b_b, binary_type)): +- raise TypeError('_is_equal can only be used to compare two byte strings') +- +- # http://codahale.com/a-lesson-in-timing-attacks/ +- if len(b_a) != len(b_b): +- return False +- +- result = 0 +- for b_x, b_y in zip(b_a, b_b): +- if PY3: +- result |= b_x ^ b_y +- else: +- result |= ord(b_x) ^ ord(b_y) +- return result == 0 ++ return b_plaintext + + + # Keys could be made bytes later if the code that gets the data is more +diff -uNr ansible-2.3.0.0.ORIG/test/runner/requirements/integration.txt ansible-2.3.0.0/test/runner/requirements/integration.txt +--- ansible-2.3.0.0.ORIG/test/runner/requirements/integration.txt 2017-05-23 14:23:12.379595453 +0100 ++++ ansible-2.3.0.0/test/runner/requirements/integration.txt 2017-05-23 14:24:22.118598926 +0100 +@@ -1,8 +1,8 @@ ++cryptography + jinja2 + jmespath + junit-xml + ordereddict ; python_version < '2.7' + paramiko + passlib +-pycrypto + pyyaml +diff -uNr ansible-2.3.0.0.ORIG/test/runner/requirements/network-integration.txt ansible-2.3.0.0/test/runner/requirements/network-integration.txt +--- ansible-2.3.0.0.ORIG/test/runner/requirements/network-integration.txt 2017-05-23 14:23:12.379595453 +0100 ++++ ansible-2.3.0.0/test/runner/requirements/network-integration.txt 2017-05-23 14:24:22.119598926 +0100 +@@ -1,5 +1,5 @@ ++cryptography + jinja2 + junit-xml + paramiko +-pycrypto + pyyaml +diff -uNr ansible-2.3.0.0.ORIG/test/runner/requirements/sanity.txt ansible-2.3.0.0/test/runner/requirements/sanity.txt +--- ansible-2.3.0.0.ORIG/test/runner/requirements/sanity.txt 2017-05-23 14:23:12.379595453 +0100 ++++ ansible-2.3.0.0/test/runner/requirements/sanity.txt 2017-05-23 14:26:01.910603896 +0100 +@@ -1,5 +1,7 @@ ++cryptography + jinja2 + mock ++paramiko + pep8 + pylint + pytest +diff -uNr ansible-2.3.0.0.ORIG/test/runner/requirements/units.txt ansible-2.3.0.0/test/runner/requirements/units.txt +--- ansible-2.3.0.0.ORIG/test/runner/requirements/units.txt 2017-05-23 14:23:12.379595453 +0100 ++++ ansible-2.3.0.0/test/runner/requirements/units.txt 2017-05-23 14:24:22.119598926 +0100 +@@ -1,10 +1,10 @@ + boto + boto3 ++cryptography + jinja2 + mock + nose + passlib +-pycrypto + pytest + pytest-mock + pytest-xdist +diff -uNr ansible-2.3.0.0.ORIG/test/runner/requirements/windows-integration.txt ansible-2.3.0.0/test/runner/requirements/windows-integration.txt +--- ansible-2.3.0.0.ORIG/test/runner/requirements/windows-integration.txt 2017-05-23 14:23:12.379595453 +0100 ++++ ansible-2.3.0.0/test/runner/requirements/windows-integration.txt 2017-05-23 14:24:22.119598926 +0100 +@@ -1,4 +1,6 @@ ++cryptography + jinja2 + junit-xml ++paramiko + pywinrm + pyyaml +diff -uNr ansible-2.3.0.0.ORIG/test/units/parsing/vault/test_vault_editor.py ansible-2.3.0.0/test/units/parsing/vault/test_vault_editor.py +--- ansible-2.3.0.0.ORIG/test/units/parsing/vault/test_vault_editor.py 2017-05-23 14:23:12.324595450 +0100 ++++ ansible-2.3.0.0/test/units/parsing/vault/test_vault_editor.py 2017-05-23 14:24:22.120598926 +0100 +@@ -22,7 +22,6 @@ + + import os + import tempfile +-from nose.plugins.skip import SkipTest + + from ansible.compat.tests import unittest + from ansible.compat.tests.mock import patch +@@ -32,27 +31,6 @@ + from ansible.module_utils._text import to_bytes, to_text + + +-# Counter import fails for 2.0.1, requires >= 2.6.1 from pip +-try: +- from Crypto.Util import Counter +- HAS_COUNTER = True +-except ImportError: +- HAS_COUNTER = False +- +-# KDF import fails for 2.0.1, requires >= 2.6.1 from pip +-try: +- from Crypto.Protocol.KDF import PBKDF2 +- HAS_PBKDF2 = True +-except ImportError: +- HAS_PBKDF2 = False +- +-# AES IMPORTS +-try: +- from Crypto.Cipher import AES as AES +- HAS_AES = True +-except ImportError: +- HAS_AES = False +- + v10_data = """$ANSIBLE_VAULT;1.0;AES + 53616c7465645f5fd0026926a2d415a28a2622116273fbc90e377225c12a347e1daf4456d36a77f9 + 9ad98d59f61d06a4b66718d855f16fb7bdfe54d1ec8aeaa4d06c2dc1fa630ae1846a029877f0eeb1 +@@ -423,9 +401,6 @@ + + def test_decrypt_1_0(self): + # Skip testing decrypting 1.0 files if we don't have access to AES, KDF or Counter. +- if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2: +- raise SkipTest +- + v10_file = tempfile.NamedTemporaryFile(delete=False) + with v10_file as f: + f.write(to_bytes(v10_data)) +@@ -451,9 +426,6 @@ + assert fdata.strip() == "foo", "incorrect decryption of 1.0 file: %s" % fdata.strip() + + def test_decrypt_1_1(self): +- if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2: +- raise SkipTest +- + v11_file = tempfile.NamedTemporaryFile(delete=False) + with v11_file as f: + f.write(to_bytes(v11_data)) +@@ -478,10 +450,6 @@ + assert fdata.strip() == "foo", "incorrect decryption of 1.0 file: %s" % fdata.strip() + + def test_rekey_migration(self): +- # Skip testing rekeying files if we don't have access to AES, KDF or Counter. +- if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2: +- raise SkipTest +- + v10_file = tempfile.NamedTemporaryFile(delete=False) + with v10_file as f: + f.write(to_bytes(v10_data)) +diff -uNr ansible-2.3.0.0.ORIG/test/units/parsing/vault/test_vault.py ansible-2.3.0.0/test/units/parsing/vault/test_vault.py +--- ansible-2.3.0.0.ORIG/test/units/parsing/vault/test_vault.py 2017-05-23 14:23:12.324595450 +0100 ++++ ansible-2.3.0.0/test/units/parsing/vault/test_vault.py 2017-05-23 14:24:22.120598926 +0100 +@@ -38,28 +38,6 @@ + from ansible.module_utils._text import to_bytes, to_text + + +-# Counter import fails for 2.0.1, requires >= 2.6.1 from pip +-try: +- from Crypto.Util import Counter +- HAS_COUNTER = True +-except ImportError: +- HAS_COUNTER = False +- +-# KDF import fails for 2.0.1, requires >= 2.6.1 from pip +-try: +- from Crypto.Protocol.KDF import PBKDF2 +- HAS_PBKDF2 = True +-except ImportError: +- HAS_PBKDF2 = False +- +-# AES IMPORTS +-try: +- from Crypto.Cipher import AES as AES +- HAS_AES = True +-except ImportError: +- HAS_AES = False +- +- + class TestVaultIsEncrypted(unittest.TestCase): + def test_bytes_not_encrypted(self): + b_data = b"foobar" +@@ -181,38 +159,6 @@ + self.assertIsInstance(b_key, six.binary_type) + self.assertEqual(b_key, b_key_2) + +- def test_is_equal_is_equal(self): +- self.assertTrue(self.vault_cipher._is_equal(b'abcdefghijklmnopqrstuvwxyz', b'abcdefghijklmnopqrstuvwxyz')) +- +- def test_is_equal_unequal_length(self): +- self.assertFalse(self.vault_cipher._is_equal(b'abcdefghijklmnopqrstuvwxyz', b'abcdefghijklmnopqrstuvwx and sometimes y')) +- +- def test_is_equal_not_equal(self): +- self.assertFalse(self.vault_cipher._is_equal(b'abcdefghijklmnopqrstuvwxyz', b'AbcdefghijKlmnopQrstuvwxZ')) +- +- def test_is_equal_empty(self): +- self.assertTrue(self.vault_cipher._is_equal(b'', b'')) +- +- def test_is_equal_non_ascii_equal(self): +- utf8_data = to_bytes(u'私はガラスを食べられます。それは私を傷つけません。') +- self.assertTrue(self.vault_cipher._is_equal(utf8_data, utf8_data)) +- +- def test_is_equal_non_ascii_unequal(self): +- utf8_data = to_bytes(u'私はガラスを食べられます。それは私を傷つけません。') +- utf8_data2 = to_bytes(u'Pot să mănânc sticlă și ea nu mă rănește.') +- +- # Test for the len optimization path +- self.assertFalse(self.vault_cipher._is_equal(utf8_data, utf8_data2)) +- # Test for the slower, char by char comparison path +- self.assertFalse(self.vault_cipher._is_equal(utf8_data, utf8_data[:-1] + b'P')) +- +- def test_is_equal_non_bytes(self): +- """ Anything not a byte string should raise a TypeError """ +- self.assertRaises(TypeError, self.vault_cipher._is_equal, u"One fish", b"two fish") +- self.assertRaises(TypeError, self.vault_cipher._is_equal, b"One fish", u"two fish") +- self.assertRaises(TypeError, self.vault_cipher._is_equal, 1, b"red fish") +- self.assertRaises(TypeError, self.vault_cipher._is_equal, b"blue fish", 2) +- + + class TestVaultLib(unittest.TestCase): + def setUp(self): +@@ -267,8 +213,6 @@ + self.assertEqual(self.v.b_version, b"9.9", msg="version was not properly set") + + def test_encrypt_decrypt_aes(self): +- if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2: +- raise SkipTest + self.v.cipher_name = u'AES' + self.v.b_password = b'ansible' + # AES encryption code has been removed, so this is old output for +@@ -282,8 +226,6 @@ + self.assertEqual(b_plaintext, b"foobar", msg="decryption failed") + + def test_encrypt_decrypt_aes256(self): +- if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2: +- raise SkipTest + self.v.cipher_name = u'AES256' + plaintext = u"foobar" + b_vaulttext = self.v.encrypt(plaintext) +@@ -292,8 +234,6 @@ + self.assertEqual(b_plaintext, b"foobar", msg="decryption failed") + + def test_encrypt_decrypt_aes256_existing_vault(self): +- if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2: +- raise SkipTest + self.v.cipher_name = u'AES256' + b_orig_plaintext = b"Setec Astronomy" + vaulttext = u'''$ANSIBLE_VAULT;1.1;AES256 +@@ -314,8 +254,6 @@ + # FIXME This test isn't working quite yet. + raise SkipTest + +- if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2: +- raise SkipTest + self.v.cipher_name = 'AES256' + # plaintext = "Setec Astronomy" + enc_data = '''$ANSIBLE_VAULT;1.1;AES256 +@@ -350,8 +288,6 @@ + self.v.decrypt(b_invalid_ciphertext) + + def test_encrypt_encrypted(self): +- if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2: +- raise SkipTest + self.v.cipher_name = u'AES' + b_vaulttext = b"$ANSIBLE_VAULT;9.9;TEST\n%s" % hexlify(b"ansible") + vaulttext = to_text(b_vaulttext, errors='strict') +@@ -359,8 +295,6 @@ + self.assertRaises(errors.AnsibleError, self.v.encrypt, vaulttext) + + def test_decrypt_decrypted(self): +- if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2: +- raise SkipTest + plaintext = u"ansible" + self.assertRaises(errors.AnsibleError, self.v.decrypt, plaintext) + +@@ -368,9 +302,6 @@ + self.assertRaises(errors.AnsibleError, self.v.decrypt, b_plaintext) + + def test_cipher_not_set(self): +- # not setting the cipher should default to AES256 +- if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2: +- raise SkipTest + plaintext = u"ansible" + self.v.encrypt(plaintext) + self.assertEquals(self.v.cipher_name, "AES256") +diff -uNr ansible-2.3.0.0.ORIG/test/utils/docker/centos6/Dockerfile ansible-2.3.0.0/test/utils/docker/centos6/Dockerfile +--- ansible-2.3.0.0.ORIG/test/utils/docker/centos6/Dockerfile 2017-05-23 14:23:12.321595450 +0100 ++++ ansible-2.3.0.0/test/utils/docker/centos6/Dockerfile 2017-05-23 14:24:22.121598926 +0100 +@@ -9,6 +9,8 @@ + file \ + gcc \ + git \ ++ libffi \ ++ libffi-devel \ + make \ + mercurial \ + mysql \ +@@ -16,6 +18,7 @@ + mysql-server \ + openssh-clients \ + openssh-server \ ++ openssl-devel \ + python-coverage \ + python-devel \ + python-httplib2 \ +@@ -40,8 +43,6 @@ + && \ + yum clean all + +-RUN rpm -e --nodeps python-crypto && pip install --upgrade pycrypto +- + RUN /bin/sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers + RUN mkdir /etc/ansible/ + RUN /bin/echo -e '[local]\nlocalhost ansible_connection=local' > /etc/ansible/hosts +diff -uNr ansible-2.3.0.0.ORIG/test/utils/docker/centos7/Dockerfile ansible-2.3.0.0/test/utils/docker/centos7/Dockerfile +--- ansible-2.3.0.0.ORIG/test/utils/docker/centos7/Dockerfile 2017-05-23 14:23:12.321595450 +0100 ++++ ansible-2.3.0.0/test/utils/docker/centos7/Dockerfile 2017-05-23 14:24:22.121598926 +0100 +@@ -17,15 +17,20 @@ + bzip2 \ + dbus-python \ + file \ ++ gcc \ + git \ + iproute \ ++ libffi \ ++ libffi-devel \ + make \ + mariadb-server \ + mercurial \ + MySQL-python \ + openssh-clients \ + openssh-server \ ++ openssl-devel \ + python-coverage \ ++ python-devel \ + python-httplib2 \ + python-jinja2 \ + python-keyczar \ +diff -uNr ansible-2.3.0.0.ORIG/test/utils/docker/fedora24/Dockerfile ansible-2.3.0.0/test/utils/docker/fedora24/Dockerfile +--- ansible-2.3.0.0.ORIG/test/utils/docker/fedora24/Dockerfile 2017-05-23 14:23:12.321595450 +0100 ++++ ansible-2.3.0.0/test/utils/docker/fedora24/Dockerfile 2017-05-23 14:24:22.121598926 +0100 +@@ -17,18 +17,23 @@ + dbus-python \ + file \ + findutils \ ++ gcc \ + git \ + glibc-locale-source \ + iproute \ ++ libffi \ ++ libffi-devel \ + make \ + mariadb-server \ + mercurial \ + MySQL-python \ + openssh-clients \ + openssh-server \ ++ openssl-devel \ + procps \ + python2-dnf \ + python-coverage \ ++ python-devel \ + python-httplib2 \ + python-jinja2 \ + python-keyczar \ +diff -uNr ansible-2.3.0.0.ORIG/test/utils/docker/fedora25/Dockerfile ansible-2.3.0.0/test/utils/docker/fedora25/Dockerfile +--- ansible-2.3.0.0.ORIG/test/utils/docker/fedora25/Dockerfile 2017-05-23 14:23:12.321595450 +0100 ++++ ansible-2.3.0.0/test/utils/docker/fedora25/Dockerfile 2017-05-23 14:24:22.121598926 +0100 +@@ -20,12 +20,15 @@ + git \ + glibc-locale-source \ + iproute \ ++ libffi \ ++ libffi-devel \ + make \ + mariadb-server \ + mercurial \ + MySQL-python \ + openssh-clients \ + openssh-server \ ++ openssl-devel \ + procps \ + python2-dnf \ + python-coverage \ +diff -uNr ansible-2.3.0.0.ORIG/test/utils/docker/opensuse42.1/Dockerfile ansible-2.3.0.0/test/utils/docker/opensuse42.1/Dockerfile +--- ansible-2.3.0.0.ORIG/test/utils/docker/opensuse42.1/Dockerfile 2017-05-23 14:23:12.321595450 +0100 ++++ ansible-2.3.0.0/test/utils/docker/opensuse42.1/Dockerfile 2017-05-23 14:24:22.121598926 +0100 +@@ -21,6 +21,8 @@ + openssh \ + postgresql-server \ + python-coverage \ ++ python-cryptography \ ++ python-devel \ + python-httplib2 \ + python-jinja2 \ + python-keyczar \ +diff -uNr ansible-2.3.0.0.ORIG/test/utils/docker/opensuse42.2/Dockerfile ansible-2.3.0.0/test/utils/docker/opensuse42.2/Dockerfile +--- ansible-2.3.0.0.ORIG/test/utils/docker/opensuse42.2/Dockerfile 2017-05-23 14:23:12.321595450 +0100 ++++ ansible-2.3.0.0/test/utils/docker/opensuse42.2/Dockerfile 2017-05-23 14:24:22.122598926 +0100 +@@ -21,6 +21,7 @@ + openssh \ + postgresql-server \ + python-coverage \ ++ python-cryptography \ + python-httplib2 \ + python-jinja2 \ + python-keyczar \ +diff -uNr ansible-2.3.0.0.ORIG/test/utils/docker/ubuntu1204/Dockerfile ansible-2.3.0.0/test/utils/docker/ubuntu1204/Dockerfile +--- ansible-2.3.0.0.ORIG/test/utils/docker/ubuntu1204/Dockerfile 2017-05-23 14:23:12.321595450 +0100 ++++ ansible-2.3.0.0/test/utils/docker/ubuntu1204/Dockerfile 2017-05-23 14:24:22.122598926 +0100 +@@ -17,6 +17,8 @@ + gawk \ + gcc \ + git \ ++ libffi-dev \ ++ libssl-dev \ + libxml2-utils \ + locales \ + make \ +@@ -50,8 +52,6 @@ + && \ + apt-get clean + +-RUN pip install --upgrade pycrypto +- + # helpful things taken from the ubuntu-upstart Dockerfile: + # https://github.com/tianon/dockerfiles/blob/4d24a12b54b75b3e0904d8a285900d88d3326361/sbin-init/ubuntu/upstart/14.04/Dockerfile + ADD init-fake.conf /etc/init/fake-container-events.conf +diff -uNr ansible-2.3.0.0.ORIG/test/utils/docker/ubuntu1404/Dockerfile ansible-2.3.0.0/test/utils/docker/ubuntu1404/Dockerfile +--- ansible-2.3.0.0.ORIG/test/utils/docker/ubuntu1404/Dockerfile 2017-05-23 14:23:12.321595450 +0100 ++++ ansible-2.3.0.0/test/utils/docker/ubuntu1404/Dockerfile 2017-05-23 14:24:22.122598926 +0100 +@@ -16,6 +16,8 @@ + fakeroot \ + gawk \ + git \ ++ libffi-dev \ ++ libssl-dev \ + libxml2-utils \ + locales \ + make \ +diff -uNr ansible-2.3.0.0.ORIG/test/utils/docker/ubuntu1604/Dockerfile ansible-2.3.0.0/test/utils/docker/ubuntu1604/Dockerfile +--- ansible-2.3.0.0.ORIG/test/utils/docker/ubuntu1604/Dockerfile 2017-05-23 14:23:12.321595450 +0100 ++++ ansible-2.3.0.0/test/utils/docker/ubuntu1604/Dockerfile 2017-05-23 14:24:22.122598926 +0100 +@@ -17,6 +17,8 @@ + gawk \ + git \ + iproute2 \ ++ libffi-dev \ ++ libssl-dev \ + libxml2-utils \ + locales \ + lsb-release \ +diff -uNr ansible-2.3.0.0.ORIG/test/utils/docker/ubuntu1604py3/Dockerfile ansible-2.3.0.0/test/utils/docker/ubuntu1604py3/Dockerfile +--- ansible-2.3.0.0.ORIG/test/utils/docker/ubuntu1604py3/Dockerfile 2017-05-23 14:23:12.321595450 +0100 ++++ ansible-2.3.0.0/test/utils/docker/ubuntu1604py3/Dockerfile 2017-05-23 14:24:22.122598926 +0100 +@@ -15,6 +15,8 @@ + gawk \ + git \ + iproute2 \ ++ libffi-dev \ ++ libssl-dev \ + libxml2-utils \ + locales \ + lsb-release \ +diff -uNr ansible-2.3.0.0.ORIG/test/utils/shippable/other.sh ansible-2.3.0.0/test/utils/shippable/other.sh +--- ansible-2.3.0.0.ORIG/test/utils/shippable/other.sh 2017-05-23 14:23:12.320595450 +0100 ++++ ansible-2.3.0.0/test/utils/shippable/other.sh 2017-05-23 14:24:22.123598926 +0100 +@@ -12,6 +12,8 @@ + retry.py apt-get install -qq \ + shellcheck \ + python2.4 \ ++ libssl-dev \ ++ libffi-dev \ + + ln -sf x86_64-linux-gnu-gcc-4.9 /usr/bin/x86_64-linux-gnu-gcc + +diff -uNr ansible-2.3.0.0.ORIG/test/utils/tox/requirements.txt ansible-2.3.0.0/test/utils/tox/requirements.txt +--- ansible-2.3.0.0.ORIG/test/utils/tox/requirements.txt 2017-05-23 14:23:12.321595450 +0100 ++++ ansible-2.3.0.0/test/utils/tox/requirements.txt 2017-05-23 14:24:22.123598926 +0100 +@@ -11,7 +11,7 @@ + redis + python-memcached + python-systemd +-pycrypto ++cryptography + botocore + boto3 + pytest |