VhzddlmZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl m Z ddl mZddl mZdZdZ e j&5e j(deddlmZddddd lmZdd lmZmZdd lmZdd lm Z dd l!m"Z#m$Z$m%Z%eZdZddl'm(Z(m)Z)ddl*m+Z,ddl-m.Z.ddl/m0Z0m1Z1m2Z2ddl3m4Z4ddl5m6Z6m7Z7e4Z8dZ9e:dZ;e:dZGdde>Z?Gdde(Z@dZAdeBe9fdZCd>d ZDd?d!ZEd?d"ZFd#ZGd$ZHd%ZId>d&ZJGd'd(ZKGd)d*eKZLd+ZMd@d,ZNGd-d.eKZOGd/d0eOZPGd1d2ePZQd3ZRd4ZSd>d5ZTd>d6ZUGd7d8ZVGd9d:ZWGd;d<ZXd=eXiZYy#1swY5xYw#e&$rYwxYw)A) annotationsN)hexlify) unhexlify)ErrorFignore)InvalidSignature)default_backend)hashespadding)HMAC) PBKDF2HMAC)Cipher algorithmsmodesT) AnsibleErrorAnsibleAssertionError) constants) binary_type)to_bytesto_text to_native)Display) makedirs_safe unfrackpaths$ANSIBLE_VAULT)AES256zDansible-vault requires the cryptography library in order to functionc eZdZy)AnsibleVaultErrorN__name__ __module__ __qualname__N/home/dcms/DCMS/lib/python3.12/site-packages/ansible/parsing/vault/__init__.pyrrHr#rc eZdZy)AnsibleVaultPasswordErrorNrr"r#r$r'r'Lr%r#r'c eZdZy)AnsibleVaultFormatErrorNrr"r#r$r)r)Pr%r#r)c tt|ddddd}|j t ryy#ttf$rYywxYw)z Test if this is vault encrypted data blob :arg data: a byte or text string to test whether it is recognized as vault encrypted data :returns: True if it is recognized. Otherwise, False. asciistrict)encodingerrors nonstring)r-r.FT)rr UnicodeError TypeError startswithb_HEADER)datab_datas r$ is_encryptedr6Ts]'$U]^ipzBC"  ) $ s4AAc|j} |j|t|j||j|S#|j|wxYw)aTest if the contents of a file obj are a vault encrypted data blob. :arg file_obj: A file object that will be read from. :kwarg start_pos: A byte offset in the file to start reading the header from. Defaults to 0, the beginning of the file. :kwarg count: Read up to this number of bytes from the file to determine if it looks like encrypted vault data. The default is the size of the the vault header, which is what is needed most times. For some IO classes, or files that don't begin with the vault itself, set to -1 to read to the end of file. :returns: True if the file looks like a vault file. Otherwise, False. )tellseekr6read)file_obj start_poscountcurrent_positions r$is_encrypted_filer?jsO }}( i HMM%01  &' &'s *AA!cP|j}|djjd}|dj}t|dj}|}t |dk\rt|dj}dj |dd}||||fS)Nr;r#) splitlinesstripsplitrlenjoin)b_vaulttext_envelopedefault_vault_id b_tmpdata b_tmpheader b_version cipher_namevault_id b_ciphertexts r$_parse_vaulttext_enveloperSs$//1IA,$$&,,T2KA$$&I+a...01KH ;1;q>//1288IabM*L K 99r#c|xstj} t||S#t$r$}d}|r|d|zz }|d|zz }t |d}~wwxYw)aParse the vaulttext envelope When data is saved, it has a header prepended and is formatted into 80 character lines. This method extracts the information from the header and then removes the header and the inserted newlines. The string returned is suitable for processing by the Cipher classes. :arg b_vaulttext: byte str containing the data from a save file :kwarg default_vault_id: The vault_id name to use if the vaulttext does not provide one. :kwarg filename: The filename that the data came from. This is only used to make better error messages in case the data cannot be decrypted. This is optional. :returns: A tuple of byte str of the vaulttext suitable to pass to parse_vaultext, a byte str of the vault format version, the name of the cipher used, and the vault_id. :raises: AnsibleVaultFormatError: if the vaulttext_envelope format is invalid zVault envelope format error in %s: %sN)CDEFAULT_VAULT_IDENTITYrS Exceptionr))rKrLfilenameexcmsgs r$parse_vaulttext_enveloper]si&(C1+C+C+()=?OPP ++  8x( (C v|%c** +s " AA  Ac|s td|xsd}|r|dk7rd}t|dd}t|dd}t|dd}t||g}|dk(r|r|j|d j |}|g} | t d t |d D cgc] } || | d z c} z } | d gz } d j | } | Scc} w)a Add header and format to 80 columns :arg b_ciphertext: the encrypted and hexlified data as a byte string :arg cipher_name: unicode cipher name (for ex, u'AES256') :arg version: unicode vault version (for ex, '1.2'). Optional ('1.1' is default) :arg vault_id: unicode vault identifier. If provided, the version will be bumped to 1.2. :returns: a byte str that should be dumped into a file. It's formatted to 80 char columns and has the header prepended z-the cipher must be set before adding a headerz1.1defaultz1.2utf-8r,r.1.2rArPr# )rrr3appendrJrangerI) rRrPversionrQrO b_vault_id b_cipher_name header_partsheader b_vaulttextis r$format_vaulttext_enveloperns JKKGH *'(;I(GH=J['(CM!#LFzJ' YY| $F(KE!S=NPR4STqL1r6*TTKC5K**[)K  UsCcd t|S#ttf$r}td|zd}~wwxYw)Nz Vault format unhexlify error: %s)r BinasciiErrorr1r))r5r[s r$ _unhexlifyrqs;P  9 %P%&H3&NOOPs /*/czt|}|jdd\}}}t|}t|}|||fS)NrdrC)rqrH)rlb_saltb_crypted_hmacrRs r$_parse_vaulttextrusF[)K+6+<+   !"&"="=D "0D r#c|jSr~rrs r$rzPromptVaultSecret.bytes*s {{r#c.|j|_yr~)ask_vault_passwordsrrs r$rzPromptVaultSecret.load.s..0 r#c|g}|jD]c}|d|jiz} tj|d}t |t|ddj}|j|e|D]}|j|d||r|dSy#t$rt d|jzwxYw) NrQT)privatez$EOFError (ctrl-d) on prompt for (%s)r, simplerepr)r.r/r) rrQdisplaypromptEOFErrorrrzrrGreconfirm)rb_vault_passwords prompt_formatr vault_pass b_vault_passb_vault_passwords r$rz%PromptVaultSecret.ask_vault_passwords1s!00 3M"j$--%@@F `$^^FD^A  'z 2#Jx<X^^`L  $ $\ 2 3!2 A  LL*1-/? @ A $Q' ' `'(NQUQ^Q^(^__ `s B"B;c$||k7r tdy)NzPasswords do not match)r)rb_vault_pass_1b_vault_pass_2s r$rzPromptVaultSecret.confirmIs ^ +78 8 ,r#NNN) rr r!rrrrrrr __classcell__rs@r$rrs4561109r#rcltjj|\}}|jdryy)zWDetermine if a vault secret script is a client script that can be given --vault-id argsz-clientTF)ospathsplitextendswith)rZ script_namedummys r$script_is_clientrQs3 ))(3KI& r#ct|d}tjj|st d|ztjj |rt d|d|j |rIt|r0tjdt|zt||||St|||St|||S) zI Get secret from file content or execute file and get secret from stdout F)followz(The vault password file %s was not foundz"The vault password file provided 'z' can not be a directoryz.The vault password file %s is a client script.)rZrQr-loaderrZr-r)rrrexistsrisdir is_executablerrvvvvrClientScriptVaultSecretScriptVaultSecretFileVaultSecret)rZrQr-r this_paths r$get_file_vault_secretr_sHU3I 77>>) $E QRR ww}}Y? {JbcddI& H % LLJWU^M__ `*I[clrs s!)hvVV I PPr#cBeZdZdfd ZedZdZdZdZxZ S)rcxtt| ||_||_|xsd|_d|_d|_y)Nutf8)rrrrZrr-r_text)rrZr-rrs r$rzFileVaultSecret.__init__~s: ot-/    *F   r#c|jr |jS|jr%|jj|jSyr~)rrencoder-rs r$rzFileVaultSecret.bytess6 ;;;;  ::::$$T]]3 3r#cD|j|j|_yr~) _read_filerZrrs r$rzFileVaultSecret.loadsoodmm4 r#cV t|d5}|jj}ddd|j j|\}}|jd}t|d|z|S#1swYKxYw#ttf$r}t d|d|d}~wwxYw)z Read a vault password from a file or if executable, execute the script and retrieve password from STDOUT rbNz#Could not read vault password file :  z2Invalid vault password was provided from file (%s)r\) openr:rGOSErrorIOErrorrr_decrypt_if_vault_datarz)rrZfre b_vault_datars r$rzFileVaultSecret._read_files \h% .VVX^^-  . #kk@@XV e!''0 ":'[^f'f h . .! \hXYZ[ [ \s- BA7B7B<BB(B##B(c|jr&|jjd|jdSd|jjzS)N (filename='')%s())rZrrrs r$__repr__zFileVaultSecret.__repr__s7 ==*...*A*A4==Q Q0011r#r) rr r!rrrrrrrrs@r$rr}s+ 5,2r#rc$eZdZdZdZdZdZy)rc|jj|std|z|j}|j |\}}}|j ||||j d}d|z}t|||S)Nz/The vault password script %s was not executablerz4Invalid vault password was provided from script (%s)r)rrr_build_command_run_check_resultsrGrz)rrZcommandstdoutstderrprempty_password_msgs r$rzScriptVaultSecret._read_files{{((2#$UX`$`a a%%' IIg. FFA.\\'* SV^^":3EFr#c tj|tj}|j \}}|||fS#t$r#}d}||j|fz}t |d}~wwxYw)N)rzpProblem running vault password script %s (%s). If this is not a script, remove the executable bit from the file. subprocessPopenPIPErrZr communicaterrrr msg_formatr\rrs r$rzScriptVaultSecret._runss $  AAvq   $UJ q11Cs# #  $s%? A+A&&A+cr|jdk7r(td|jd|jd|y)NrzVault password script  returned non-zero (): ) returncoderrZrrrpopens r$rz ScriptVaultSecret._check_resultss;   q  $ u/?/? IJ J !r#c|jgSr~rZrs r$rz ScriptVaultSecret._build_commands r#N)rr r!rrrrr"r#r$rrs" !J r#rc<eZdZdZdfd ZdZdZdZdZxZ S)rrCctt| |||||_tj dt |dt |y)Nrz(Executing vault password client script: z --vault-id )rrr _vault_idrrr)rrZr-rrQrs r$rz ClientScriptVaultSecret.__init__sI %t5x?G=C 6 E" T[\dTegnowgxyzr#c tj|tjtj}|j \}}|||fS#t$r#}d}||j|fz}t |d}~wwxYw)N)rrzwProblem running vault password client script %s (%s). If this is not a script, remove the executable bit from the file.rrs r$rzClientScriptVaultSecret._runs} $  (2(29Avq   $UJ q11Cs# #  $s4A A:A55A:c |j|jk(r(td|jd|jd||jdk7r5td|jd|jd|jd|y)NzVault password client script z$ did not find a secret for vault-id=rrrz#) when getting secret for vault-id=)rVAULT_ID_UNKNOWN_RCrrZrrs r$rz&ClientScriptVaultSecret._check_resultss|   t77 7 $ t~~v GH H   q  $ u/?/?QW YZ Z !r#cr|jg}|jr|jd|jg|S)Nz --vault-id)rZrextend)rrs r$rz&ClientScriptVaultSecret._build_commands.==/ >> NNL$..9 :r#c|jr3|jjd|jd|jdSd|jjzS)Nrz ', vault_id='rr)rZrrrrs r$rz ClientScriptVaultSecret.__repr__sC ==(($--I I0011r#NNNN) rr r!rrrrrrrrs@r$rrs${ !Z2r#rcP|sgS|Dcgc]\}}||vs ||f}}}|Scc}}w)zVFind all VaultSecret objects that are mapped to any of the target_vault_ids in secretsr")secretstarget_vault_idsrQrymatchess r$ match_secretsr s:  :Ab&6hXQaEa&!bGb Ncs ""c*t||}|r|dSy)zFind the best secret from secrets that matches target_vault_ids Since secrets should be ordered so the early secrets are 'better' than later ones, this just finds all the matches, then returns the first secretrN)r)rrrs r$match_best_secretrs! G%56Gqz r#c tjdt|z| td|g}t ||}|r|St d|d|Dcgc]\}}| c}}cc}}w)Nencrypt_vault_id=%szBmatch_encrypt_vault_id_secret requires a non None encrypt_vault_idz,Did not find a match for --encrypt-vault-id=z in the known vault-ids )rrrrrr)rencrypt_vault_idencrypt_vault_id_matchersencrypt_secret_v_vss r$match_encrypt_vault_id_secretrs LL''2B*CCD_``!1 2&w0IJN jz~EkFryrtvykmkFG HHkFs A&ctjdt|z|r t||S|Dcgc]\}}| }}}t ||}|Scc}}w)z@Find the best/first/only secret in secrets to use for encryptingr)r)rrrrr)rrrr_vault_id_matchers best_secrets r$match_encrypt_secretr 2sj LL''2B*CCD,W>NP P =DD(8 5)DD#G-?@K  Es Ac<eZdZddZedZddZd dZd dZy) VaultLibNc6|xsg|_d|_d|_y)Nrb)rrPrO)rrs r$rzVaultLib.__init__Es}" r#ct|Sr~)r6) vaulttexts r$r6zVaultLib.is_encryptedJs I&&r#c|0|jrt|j\}}n tdt|d}t |r t d|j r|j tvrd|_ t|j }|r.tjdt|dt|n!tjd t|z|j|||}t||j | } | S#t$r%t dj|j wxYw) aVault encrypt a piece of data. :arg plaintext: a text or byte string to encrypt. :returns: a utf-8 encoded byte str of encrypted data. The string contains a header identifying this as vault encrypted data and formatted to newline terminated lines of 80 characters. This is suitable for dumping as is to a vault file. If the string passed in is a text string, it will be encoded to UTF-8 before encryption. z2A vault password must be specified to encrypt datasurrogate_or_strictrazinput is already encryptedr{0} cipher could not be foundzEncrypting with vault_id "" and vault secret z3Encrypting without a vault_id using vault secret %srQ)rr rrr6rrPCIPHER_WRITE_ALLOWLISTCIPHER_MAPPINGKeyErrorformatrvvvvvrencryptrn) r plaintextryrQsaltr b_plaintext this_cipherrRrls r$rzVaultLib.encryptNs+ >|| 4T\\ B v'(\]]y1FG  $;< <4#3#3;Q#Q(D  Z()9)9:EEkRS S ||#$VW W    MMCghFWW X  $ $X .$T\\3DEH ry{CsDFMNVFWXY }AHIQARRS''  $ $%o4EIvYbfnYni%o p' 6GH.=! ) )O\ MMT[\hTikrtClDFMNVFWX Y  GLDY[bcr[stu)11+|L *$3M(4% "I$.$9 MMRYZcRdfmnzf{~EFU~VW+! )<WCx)H"555#C( (  %Cx)H"555s# #M+<<<]&p,+ 79(9::Cw--t4  %o68I1NO s2 K K >BK M+AL$$ M+00M&&M+r~rNN) rr r!r staticmethodr6rr#r!r"r#r$r r Ds, '',\ p=r#r c|eZdZddZdZdZddZdZddZddZ dd Z dd Z d Z d Z dd ZdZddZdZdZy) VaultEditorNc*|xs t|_yr~)r vault)rr8s r$rzVaultEditor.__init__s(hj r#c*tjj|}|dkDrtd|}d}t |d5}t |D]}|j ddtj|dz|}tj|}t d||zD]}|j||j|d||z|j|k7r ttj| dddyy#1swYyxYw)ar"Destroy a file, when shred (core-utils) is not available Unix `shred' destroys files "so that they can be recovered only with great difficulty with specialised hardware, if at all". It is based on the method from the paper "Secure Deletion of Data from Magnetic and Solid-State Memory", Proceedings of the Sixth USENIX Security Symposium (San Jose, California, July 22-25, 1996). We do not go to that length to re-implement shred in Python; instead, overwriting with a block of random data should suffice. See https://github.com/ansible/ansible/pull/13700 . ri rEwbrCN)rrgetsizeminrrfr9randomrandinturandomwriter8rfsync) rtmp_pathfile_len max_chunk_lenpassesfhr chunk_lenr4s r$_shred_file_customzVaultEditor._shred_file_customs77??8, a<:MFh% !"6]!EGGAqM &}/A= QI::i0D!&q(i*?!@''HHT"78i#789wwyH,355HHRL! ! !  ! !s B?D  Dctjj|sy tjd|g}|dk7r|j|tj|y#t t f$rd}Y?wxYw)ajSecurely destroy a decrypted file Note standard limitations of GNU shred apply (For flash, overwriting would have no effect due to wear leveling; for other storage systems, the async kernel->filesystem->disk calls never guarantee data hits the disk; etc). Furthermore, if your tmp dirs is on tmpfs (ramdisks), it is a non-issue. Nevertheless, some form of overwriting the data (instead of just removing the fs index entry) is a good idea. If shred is not available (e.g. on windows, or no core-utils installed), fall back on a custom shredding method. NshredrBr) rrisfilercallr ValueErrorrHremove)rrBrs r$ _shred_filezVaultEditor._shred_file)soww~~h'  ( 34A 6  # #H - ($  A  sA%%A98A9c tjjtjj|\}}t j |t j\}} |j| } |r|j||dtj| tj| |j%| } |s|| k7r||j&j)| ||} |j| | |j+| |t,j/dt1|d t1|d t1|d |j| y#t$r|j| wxYw#tj|wxYw#t$r?} |j| tddj!| dt#| d} ~ wwxYw) N)suffixdirFrJzUnable to execute the command " z": rzSaved edited file "z" encrypted using z and vault id "")rrrrealpathtempfilemkstemprWDEFAULT_LOCAL_TMP_editor_shell_command write_datarYrPcloserrLrrJr read_datar8r shuffle_filesrrr)rrZry existing_data force_saverQrootextfdrBcmdrrMrRs r$_edit_file_helperzVaultEditor._edit_file_helperJsGG$$RWW%5%5h%?@ c''s8K8KL H((2  r? HHRL i OOC NN8,  )3  ::--i(-SL OOL( 3   x 2 MM]dem]npwx~pBIJRBST U "?    X &   HHRL  i   X &388TW=ZcdeZfgh h is0:E!&F!E==FF G"#:GG"cR|dk(r|Stjj|}|S)N-)rrrW)rrZ real_paths r$ _real_pathzVaultEditor._real_pathus( s?OGG$$X. r#cB|jj|||}|SNr)r8r)rrryrQrRs r$ encrypt_byteszVaultEditor.encrypt_bytes}s#zz))+v)Q r#c|j|}|j|}|jj|||}|j ||xs|yrl)rjr^r8rr\)rrZryrQ output_filerrRs r$ encrypt_filezVaultEditor.encrypt_filesN ??8,nnX. zz))+v)Q   k&=X>r#c|j|}|j|} |jj||}|j ||xs|dy#t$r'}t t |dt |d}~wwxYw)Nr for FrT)rjr^r8r#rrr\)rrZro ciphertextrrs r$ decrypt_filezVaultEditor.decrypt_files??8,^^H-  R **:*II  ;#:(%H RilIh>'2 OO=@PP Q ' " 77>>( #EPQ Q x(Cr#cld}d}|j|}|j|}t|} |jj |\}}}t||\}}} } | tv} |j|||| | y#t $r'}t t |dt |d}~wwxYw)Nrrr)r`rarQ) rjr^rr8r!rrr]rrf) rrZr,r-rlrrrrrPrQras r$ edit_filezVaultEditor.edit_files  ??8,nnX. K(  R;?**:]:]^g:h 7I}&7 /G{]e.f+uk8")??  x):)`ju}~ RilIhF LL %99RWW__W5rww?"#BbggooV]F^#_``ww~~g&$$W-IIg&HHUOM ( e"**ryy*@299*Lrzz*Y[_`B!LLQ'HHR- HHRL'a   <eyyELL0*+gjstwjx+xyy&'RU^_bUc'cdd ee&'TW`abWc'cddeHHRL'sg9H6AI,J" K$6 II JA JJK$" K+KKK K!!K$$K;cbd}tjj|r*tj|}tj|t j |||Ltj||jtj||j|jyyr~) rrrKr|rNshutilmover}r~rrr)rsrcdestrs r$r_zVaultEditor.shuffle_files^st 77>>$ 774=D IIdO C   HHT4<< ( HHT4;; 4 r#ctjjd}tj|}|j ||S)NEDITOR)rWconfigget_config_valueshlexrHre)rrZ env_editoreditors r$r[z!VaultEditor._editor_shell_commandms5XX..x8 Z( h r#r~)NFNr3)Ti)rr r!rrHrPrfrjrmrprtrwryrrr^r\r_r[r"r#r$r6r6s^) #!JB)#V ? I D@ W&uP M(^ 5r#r6ceZdZdZdZedZedZedZ edZ ed dZ ed Z ed Z ed Zy) VaultAES256zw Vault implementation using AES-CTR with an HMAC-SHA256 authentication code. Keys are derived using PBKDF2 c.tsttyr~)HAS_CRYPTOGRAPHYrNEED_CRYPTO_LIBRARYrs r$rzVaultAES256.__init__s23 3 r#cttjd|z|z|dt}|j |}|S)NrCi') algorithmlengthr iterationsbackend)r r SHA256CRYPTOGRAPHY_BACKENDderive) b_passwordrs key_length iv_lengthkdf b_derivedkeys r$_create_key_cryptographyz$VaultAES256._create_key_cryptographys@mmoz>I-( * zz*- r#cd}tr@tjjdz}|j ||||}||dz|dz|z}nt t dz|d|}|||dz}|||fS)N rCz(Detected in initctr))rrAES block_sizerrr) clsrrsrrrb_ivb_key1b_key2s r$_gen_key_initctrzVaultAES256._gen_key_initctrs "11Q6I77 FJXabLa*q.I1MND25LLM Mkz*j*q.:vt##r#cXttj|tj|t }|j }tjtjjj}|j|j||jz}||jz }t|tjt }|j||j} t!t#| dt#|fS)Nrra)C_CipherrrrCTRr encryptorr PKCS7rpadderupdatefinalizer r rrr) rrrrcipherrrrRhmacb_hmacs r$_encrypt_cryptographyz!VaultAES256._encrypt_cryptographys*..0%))D/CWX$$& z~~889@@B '' k(BV__EV(VW  **,, FFMMO-AB L!0EFP\H]]]r#ctjjd}|stjd}t |S)NVAULT_ENCRYPT_SALTr)rWrrrr?r)r custom_salts r$ _get_saltzVaultAES256._get_salts2hh//0DE **R.K $$r#Ncj| td||j}n|s tdt|}|j}|j ||\}}}t r|j ||||\} } nttdzdjt|| | g} t| } | S)Nz'The secret passed to encrypt() was Nonez)Empty or invalid salt passed to encrypt()z(Detected in encrypt)rd) rrrrrrrrrrJr) rrryrrsrrrrrrRrls r$rzVaultAES256.encrypts >#$MN N <]]_F#$OP Pd^F\\ "33JG #&#<#<[&RXZ^#_ FL25LLM Mjj'&/62 3*..0%))D/CWX$$& ==%..0oo   \ *Y-?-?-A A       H#$BQ$FG G HsC>> DDDct|trt|ts tdt|t|k7ryd}t ||D] \}}|||z z}|dk(S)z Comparing 2 byte arrays in constant time to avoid timing attacks. It would be nice if there were a library for this but hey. z6_is_equal can only be used to compare two byte stringsFr)rrr1rIzip)b_ab_bresultb_xb_ys r$ _is_equalzVaultAES256._is_equalsn3 ,C1MTU U s8s3x C  HC cCi F {r#ct|\}}}|j}|j||\}}} tr|j ||||| } | St t dz)Nz(Detected in decrypt))rwrrrrrr) rrlryrRrsrtrrrrrs r$r#zVaultAES256.decryptss0?{/K, fn \\ "33JG 33L.RXZ`bfgK25LLM Mr#r~)rr r!rrr4r classmethodrrrrrrr#r"r#r$rrys4  $$$ ^ ^%% 4&$r#rrr~r3r)Z __future__rrrrr=rrrrrXwarningsbinasciirrrrprrcatch_warnings simplefilterDeprecationWarningcryptography.exceptionsrcryptography.hazmat.backendsr cryptography.hazmat.primitivesr r #cryptography.hazmat.primitives.hmacr )cryptography.hazmat.primitives.kdf.pbkdf2r &cryptography.hazmat.primitives.ciphersrrrr ImportErroransible.errorsrransiblerrWansible.module_utils.sixr+ansible.module_utils.common.text.convertersrrransible.utils.displayransible.utils.pathrrrr3 frozensetr(rrrr'r)r6rIr?rSr]rnrqrurwrzr|rrrrrrrrrr r r6rrr"r#r$rs$#  +  "=h(:;<==>8D+,?"0TT)9 ) \*"<0]   1  l ,+,3x=(.:&+>&RP0+& -&09 09f Q<02k02f&&R-2/-2` H($v=v=ruux XX|{a'==  s*F1F$15F1$F.)F11F:9F: