Merge pull request #3 from tchlr/bugfix/eof

fix: rekey of encrypted values at the end of the file

Author: janritter

ansible_vault_rotate/match/__testdata__/single_vaulted_eof.yml

@@ -0,0 +1,7 @@
+test: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  34636530313034373261383234633232653732316262383339653836323862306263613432623935
+  6536646366356261386539343166333065356432663264650a313566316439356364663032346639
+  64396563353261333239643163303933343265666433666632333535336565313331613863383936
+  6662356434666238370a346334643536653462333164643464383233623830393766333561316538
+  3333

ansible_vault_rotate/match/find.py

@@ -1,7 +1,7 @@
 import re
 import typing
 
-ANSIBLE_VAULT_REGEX = re.compile(r'(^(\s*)\$ANSIBLE_VAULT;(\S*)\n(\s*\w+\n)*)', re.MULTILINE)
+ANSIBLE_VAULT_REGEX = re.compile(r'(^(\s*)\$ANSIBLE_VAULT;(\S*)\n(\s*\w+$)*)', re.MULTILINE)
 
 
 class FindVaultStringResult(typing.TypedDict):

ansible_vault_rotate/match/test_find.py

@@ -17,6 +17,14 @@ def test_find_single(self):
         result = results[0]
         self.assertIsNone(result['label'])
         self.assertEqual(result['indent'], '  ')
+    
+    def test_find_single_eof(self):
+        results = self.load_results("single_vaulted_eof")
+        self.assertEqual(len(results), 1)
+
+        result = results[0]
+        self.assertIsNone(result['label'])
+        self.assertEqual(result['indent'], '  ')
 
     def test_find_labeled(self):
         results = self.load_results("label_vaulted")

ansible_vault_rotate/vault/__testdata__/single-secret-eof.yml

@@ -0,0 +1,7 @@
+test: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  31663031633532633662666465396235383461646561373762303432373866313466376637303764
+  3734363362623037613935326332623039636434373562300a336639313131326135323833346634
+  39343737336437333161656434613064376633366435383663643836316135393336393932386530
+  3965643937663235320a353463623430373333373337636339313238633931343932313166363663
+  6161

ansible_vault_rotate/vault/file_test.py

@@ -29,6 +29,16 @@ def test_single_secret(self):
             self.assertEqual(doc['regular_key'], "goes here")
             self.assertEqual(doc['test'], 'test')
 
+    def test_single_secret_eof(self):
+        with NamedTemporaryFile("r", delete=False) as f:
+            rekey_file(self.fixture_name("single-secret-eof.yml"), "test", "test123", f.name)
+
+            self.assertLineCount(f, 7)
+
+            os.chdir("/tmp") # work around for ansible path resolve issues
+            doc = load_with_vault(f.name, "default", "test123")
+            self.assertEqual(doc['test'], 'test')
+
     def test_multiple_secret(self):
         with NamedTemporaryFile("r", delete=False) as f:
             rekey_file(self.fixture_name("multiple-secret.yml"), "test", "test123", f.name)

ansible_vault_rotate/vault/string.py

@@ -35,7 +35,7 @@ def vault_string(vault_string_search_result: FindVaultStringResult, old_passphra
 
     # read content and add indentation again
     with open(f.name, "r") as f:
-        new_vault = indent + indent.join(f.readlines())
+        new_vault = indent + indent.join(f.readlines()).rstrip()
         content = vaulted_string.replace(vaulted_string, new_vault)
 
     # delete temp file and return ready to use string

ansible_vault_rotate/vault/string_test.py

@@ -10,7 +10,7 @@ def verify_indent(self, result, indent):
             if line == "":
                 continue
             self.assertTrue(line.startswith(indent), "line '%s' is not indented" % line)
-        self.assertEqual(len(lines), 7)
+        self.assertEqual(len(lines), 6)
 
     def test_rekey_unlabeled(self):
         search_result = FindVaultStringResult(