Plugin for Encrypted Files
I'm working on implementing a plugin to handle files encrypted with Ansible Vault (https://docs.ansible.com/ansible/playbooks_vault.html). This has been asked for by others, for example (https://github.com/vermut/intellij-ansible/issues/33). The underlying files (once decrypted) are plain YAML, and in fact the repository of that GitHub issue is a plugin to handle Ansible/YAML files.
Ideally the behavior I'd like is when you click on an encrypted file it decrypts, and then parses and treats it like a YAML file (for example using the YamlFileType in the plugin mentioned). Similarly whenever the contents are saved the Element tree would convert to a text string, get encrypted, and then the encrypted string be written out.
I have Java code to do (en/de)cryption, and have been playing with creating my own VaultFileType, VaultParserDefinition, VaultParser, etc. My thinking was in the parse() method I would do the decryption, then pass it down to the YamlParser? I'm not sure if that's the right place though and how to make that work. On the write/encryption side I'm also not clear where to inject the right code.
Thanks!
Please sign in to leave a comment.
Hi,
I don't think that the plugin should support transparent encryption/decryption of the file. The IDE may read a file a lot - during indexing, search operations, resolving references etc. Besides possible performance degradation, decrypted parts of the file will leak into indices.
I'd suggest adding an `EditorNotifications.Provider` which would recognize encrypted files and provide corresponding actions.
I use ansible vault. It would be nice if there was a convenient solution to view/edit ansible vault files without compromising performance or security. Did you have any luck with the plugin?
I have not. I also haven't had much time to dive into it, but will let you know when I do if we come up with a solution. Likewise I'd love to hear if come across a way to do this.
I have tried to use Tools -> External Tools to create a vault-edit action.
The tools runs a script that sets the editor to charm, then runs...
> ansible-vault edit $FileDir$/$FileName$
The problem is that when charm is invoked, it forks it's own process, the thread of execution returns to ansible-vault, which thinks that file editing has been completed, sees no changed to the edited file, and exits.
What the user sees, is an editor with the unencrypted data on the screen for less than a second, then the editor disappears. because the process thread for the Tool Task completed.
This is the behaviour of charm on a MAC.
What is needed to make this work, is a flag that causes charm to just execute within the context of the script, rather than forking the editor to a sub process.
Would it be possible to add a no-fork option to the charm command?
The most feasible way I could imagine is adding an editor notification provider which would detect encrypted files and suggest an action that decrypts a file in memory, shows a dialog with an editor, and encrypts the file back on closing the dialog.
For examples of how this could be implemented see AttachSourcesNotificationProvider and EditCustomSettingsAction.
I have this exact same need/desire, but for SOPS encryption/decryption. If anyone knows of any activity in this area, I would appreciate it if you could put that knowledge here. If I can find the time, I will look into implementing a plugin by following Roman's suggestion.
Like this: https://plugins.jetbrains.com/plugin/21317-simple-sops-edit ?