class Ansible::Vault::Decryptor

The class that handles decrypting an existing vault file

Public Instance Methods

hmac_matches?()

Indicates if the HMAC present in the file matches the calculated one

@return [Boolean]

# File lib/ansible/vault/decryptor.rb, line 27
def hmac_matches?
  OrokuSaki.secure_compare(calculated_hmac, file.hmac)
end

plaintext()

Decrypts the ciphertext from the file and strips any padding found.

@return [String] The plaintext contents of the file. This string is marked for zeroing before the GC reaps the object. Any data extracted or parsed from this string should be similarly wiped from memory when no longer used.

# File lib/ansible/vault/decryptor.rb, line 13
def plaintext
  return @plaintext if defined?(@plaintext)
  unless hmac_matches?
    raise HMACMismatch, 'HMAC encoded in the file does not match calculated one!'
  end
  @plaintext = cipher(mode: :decrypt).update(file.ciphertext)
  padding_length = @plaintext[-1].codepoints.first
  @plaintext.sub!(/#{padding_length.chr}{#{padding_length}}\z/, '')
  @plaintext.shred_later
end
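
The verify-then-decrypt order and padding strip used by `plaintext`, as an added stand-alone example (not the gem's own code). The AES-256-CTR cipher, the PBKDF2 key layout, the HMAC-SHA256 over the ciphertext, the `demo_*` helpers and all sample values are assumptions made for illustration, and `constant_time_eq?` stands in for `OrokuSaki.secure_compare`.

```ruby
require 'openssl'

# Constructed demo inputs; key layout and cipher are assumptions, not from the page.
DEMO_PASSWORD = 'constructed-demo-password'
DEMO_SALT = ("\x01" * 32).b
class HMACMismatch < StandardError; end # stand-in for the error raised above

# Assumed KDF: PBKDF2-HMAC-SHA256 -> 32-byte cipher key, 32-byte HMAC key, 16-byte IV.
def derive_keys(password, salt)
  raw = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 10_000, 80, OpenSSL::Digest.new('SHA256'))
  [raw[0, 32], raw[32, 32], raw[64, 16]]
end

def ctr_cipher(mode, key, iv)
  c = OpenSSL::Cipher.new('aes-256-ctr')
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = key
  c.iv = iv
  c
end

# Stand-in for OrokuSaki.secure_compare: no early exit on the first differing byte.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def demo_encrypt(plaintext, password, salt)
  key, hmac_key, iv = derive_keys(password, salt)
  pad = 16 - (plaintext.bytesize % 16) # always 1..16 bytes of padding
  c = ctr_cipher(:encrypt, key, iv)
  ct = c.update(plaintext.b + (pad.chr * pad).b) + c.final
  [ct, OpenSSL::HMAC.digest('SHA256', hmac_key, ct)]
end

def demo_decrypt(ciphertext, hmac, password, salt)
  key, hmac_key, iv = derive_keys(password, salt)
  expected = OpenSSL::HMAC.digest('SHA256', hmac_key, ciphertext)
  # Authenticate before decrypting, so tampered input never reaches the padding logic.
  raise HMACMismatch, 'HMAC does not match' unless constant_time_eq?(expected, hmac)
  c = ctr_cipher(:decrypt, key, iv)
  padded = c.update(ciphertext) + c.final
  pad = padded.getbyte(-1)
  # Validate the whole padding run instead of trusting the last byte alone.
  unless pad&.between?(1, 16) && padded.end_with?((pad.chr * pad).b)
    raise ArgumentError, 'invalid padding'
  end
  padded.byteslice(0, padded.bytesize - pad)
end
```

A wrong password and a modified ciphertext both surface as `HMACMismatch`, so callers cannot tell the two cases apart from the error alone.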

Private Instance Methods

salt()

# File lib/ansible/vault/decryptor.rb, line 33
def salt
  file.salt
end