[stable-2.10] Allow single vault encrypted values to be used directly as module parameters. Fixes #68275 (#70607) (#70641)

(cherry picked from commit a77dbf0) Co-authored-by: Matt Martz <matt@sivel.net>
2020-07-17 14:54:32 -05:00 · 2020-07-17 14:54:32 -05:00 · 255dfca7f6
commit 255dfca7f6
parent 86b24498b7
4 changed files with 26 additions and 4 deletions
--- a/changelogs/fragments/68275-vault-module-args.yml
+++ b/changelogs/fragments/68275-vault-module-args.yml
@ -0,0 +1,3 @@
+bugfixes:
+- Vault - Allow single vault encrypted values to be used directly as module
+  parameters. (https://github.com/ansible/ansible/issues/68275)
--- a/lib/ansible/executor/module_common.py
+++ b/lib/ansible/executor/module_common.py
@ -36,6 +36,7 @@ from ansible import constants as C
 from ansible.errors import AnsibleError, AnsiblePluginRemovedError
 from ansible.executor.interpreter_discovery import InterpreterDiscoveryRequiredError
 from ansible.executor.powershell import module_manifest as ps_manifest
+from ansible.module_utils.common.json import AnsibleJSONEncoder
 from ansible.module_utils.common.text.converters import to_bytes, to_text, to_native
 from ansible.plugins.loader import module_utils_loader
 from ansible.utils.collection_loader._collection_finder import _get_collection_metadata, _nested_dict_get
@ -1092,7 +1093,7 @@ def _find_module_utils(module_name, b_module_data, module_path, module_args, tas
    if module_substyle == 'python':
        params = dict(ANSIBLE_MODULE_ARGS=module_args,)
        try:
-            python_repred_params = repr(json.dumps(params))
+            python_repred_params = repr(json.dumps(params, cls=AnsibleJSONEncoder, vault_to_text=True))
        except TypeError as e:
            raise AnsibleError("Unable to pass options to module, they must be JSON serializable: %s" % to_native(e))

@ -1244,7 +1245,7 @@ def _find_module_utils(module_name, b_module_data, module_path, module_args, tas
        )

    elif module_substyle == 'jsonargs':
-        module_args_json = to_bytes(json.dumps(module_args))
+        module_args_json = to_bytes(json.dumps(module_args, cls=AnsibleJSONEncoder, vault_to_text=True))

        # these strings could be included in a third-party module but
        # officially they were included in the 'basic' snippet for new-style
--- a/lib/ansible/module_utils/common/json.py
+++ b/lib/ansible/module_utils/common/json.py
@ -36,15 +36,19 @@ class AnsibleJSONEncoder(json.JSONEncoder):
    Simple encoder class to deal with JSON encoding of Ansible internal types
    '''

-    def __init__(self, preprocess_unsafe=False, **kwargs):
+    def __init__(self, preprocess_unsafe=False, vault_to_text=False, **kwargs):
        self._preprocess_unsafe = preprocess_unsafe
+        self._vault_to_text = vault_to_text
        super(AnsibleJSONEncoder, self).__init__(**kwargs)

    # NOTE: ALWAYS inform AWS/Tower when new items get added as they consume them downstream via a callback
    def default(self, o):
        if getattr(o, '__ENCRYPTED__', False):
            # vault object
-            value = {'__ansible_vault': to_text(o._ciphertext, errors='surrogate_or_strict', nonstring='strict')}
+            if self._vault_to_text:
+                value = to_text(o, errors='surrogate_or_strict')
+            else:
+                value = {'__ansible_vault': to_text(o._ciphertext, errors='surrogate_or_strict', nonstring='strict')}
        elif getattr(o, '__UNSAFE__', False):
            # unsafe object, this will never be triggered, see ``AnsibleJSONEncoder.iterencode``
            value = {'__ansible_unsafe': to_text(o, errors='surrogate_or_strict', nonstring='strict')}
--- a/test/integration/targets/vault/single_vault_as_string.yml
+++ b/test/integration/targets/vault/single_vault_as_string.yml
@ -107,3 +107,17 @@
        that:
          - vaulted_value|wordcount == 2
      when: lookup('pipe', ansible_python.executable ~ ' -c "import jinja2; print(jinja2.__version__)"') is version('2.11.2', '>=')
+
+    - ping:
+        data: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          35323961353038346165643738646465376139363061353835303739663538343266303232326635
+          3365353662646236356665323135633630656238316530640a663362363763633436373439663031
+          33663433383037396438656464636433653837376361313638366362333037323961316364363363
+          3835616438623261650a636164376534376661393134326662326362323131373964313961623365
+          3833
+      register: ping_result
+
+    - assert:
+        that:
+          - ping_result.ping == 'foo bar'