Don't ask for password confirm on 'ansible-vault edit' (#30514)

* Don't ask for password confirm on 'ansible-vault edit'

This is to match the 2.3 behavior on:

        ansible-vault edit encrypted_file.yml

Previously, the above command would consider that a 'new password'
scenario and prompt accordingly, ie:

        $ ansible-vault edit encrypted_file.yml
        New Password:
        Confirm New Password:

The bug was cause by 'create_new_password' being used for
'edit' action. This also causes the previous implicit 'auto prompt'
to get triggered and prompt the user.

Fix is to make auto prompt explicit in the calling code to handle
the 'edit' case where we want to auto prompt but we do not want
to request a password confirm.

Fixes #30491
This commit is contained in:
Adrian Likins 2017-09-19 17:39:51 -04:00 committed by GitHub
parent 71cc906ec8
commit 307be59092
3 changed files with 40 additions and 10 deletions

View file

@ -196,7 +196,8 @@ class CLI(with_metaclass(ABCMeta, object)):
@staticmethod
def build_vault_ids(vault_ids, vault_password_files=None,
ask_vault_pass=None, create_new_password=None):
ask_vault_pass=None, create_new_password=None,
auto_prompt=True):
vault_password_files = vault_password_files or []
vault_ids = vault_ids or []
@ -211,7 +212,7 @@ class CLI(with_metaclass(ABCMeta, object)):
# if an action needs an encrypt password (create_new_password=True) and we dont
# have other secrets setup, then automatically add a password prompt as well.
if ask_vault_pass or (create_new_password and not vault_ids):
if ask_vault_pass or (auto_prompt and not vault_ids):
id_slug = u'%s@%s' % (C.DEFAULT_VAULT_IDENTITY, u'prompt_ask_vault_pass')
vault_ids.append(id_slug)
@ -220,7 +221,8 @@ class CLI(with_metaclass(ABCMeta, object)):
# TODO: remove the now unused args
@staticmethod
def setup_vault_secrets(loader, vault_ids, vault_password_files=None,
ask_vault_pass=None, create_new_password=False):
ask_vault_pass=None, create_new_password=False,
auto_prompt=True):
# list of tuples
vault_secrets = []
@ -250,7 +252,8 @@ class CLI(with_metaclass(ABCMeta, object)):
vault_ids = CLI.build_vault_ids(vault_ids,
vault_password_files,
ask_vault_pass,
create_new_password)
create_new_password,
auto_prompt=auto_prompt)
for vault_id_slug in vault_ids:
vault_id_name, vault_id_value = CLI.split_vault_id(vault_id_slug)
@ -777,7 +780,8 @@ class CLI(with_metaclass(ABCMeta, object)):
vault_secrets = CLI.setup_vault_secrets(loader,
vault_ids=vault_ids,
vault_password_files=options.vault_password_files,
ask_vault_pass=options.ask_vault_pass)
ask_vault_pass=options.ask_vault_pass,
auto_prompt=False)
loader.set_vault_secrets(vault_secrets)
# create the inventory, and filter it based on the subset specified (if any)

View file

@ -165,7 +165,7 @@ class VaultCLI(CLI):
# TODO: instead of prompting for these before, we could let VaultEditor
# call a callback when it needs it.
if self.action in ['decrypt', 'view', 'rekey']:
if self.action in ['decrypt', 'view', 'rekey', 'edit']:
vault_secrets = self.setup_vault_secrets(loader,
vault_ids=vault_ids,
vault_password_files=self.options.vault_password_files,
@ -173,7 +173,7 @@ class VaultCLI(CLI):
if not vault_secrets:
raise AnsibleOptionsError("A vault password is required to use Ansible's Vault")
if self.action in ['encrypt', 'encrypt_string', 'create', 'edit']:
if self.action in ['encrypt', 'encrypt_string', 'create']:
if len(vault_ids) > 1:
raise AnsibleOptionsError("Only one --vault-id can be used for encryption")

View file

@ -54,6 +54,32 @@ class TestCliBuildVaultIds(unittest.TestCase):
res = cli.CLI.build_vault_ids([], create_new_password=True)
self.assertEqual(res, ['default@prompt_ask_vault_pass'])
def test_create_new_password_no_vault_id_no_auto_prompt(self):
res = cli.CLI.build_vault_ids([], auto_prompt=False, create_new_password=True)
self.assertEqual(res, [])
def test_no_vault_id_no_auto_prompt(self):
# similate 'ansible-playbook site.yml' with out --ask-vault-pass, should not prompt
res = cli.CLI.build_vault_ids([], auto_prompt=False)
self.assertEqual(res, [])
def test_no_vault_ids_auto_prompt(self):
# create_new_password=False
# simulate 'ansible-vault edit encrypted.yml'
res = cli.CLI.build_vault_ids([], auto_prompt=True)
self.assertEqual(res, ['default@prompt_ask_vault_pass'])
def test_no_vault_ids_auto_prompt_ask_vault_pass(self):
# create_new_password=False
# simulate 'ansible-vault edit --ask-vault-pass encrypted.yml'
res = cli.CLI.build_vault_ids([], auto_prompt=True, ask_vault_pass=True)
self.assertEqual(res, ['default@prompt_ask_vault_pass'])
def test_create_new_password_auto_prompt(self):
# simulate 'ansible-vault encrypt somefile.yml'
res = cli.CLI.build_vault_ids([], auto_prompt=True, create_new_password=True)
self.assertEqual(res, ['default@prompt_ask_vault_pass'])
def test_create_new_password_no_vault_id_ask_vault_pass(self):
res = cli.CLI.build_vault_ids([], ask_vault_pass=True,
create_new_password=True)
@ -74,7 +100,8 @@ class TestCliBuildVaultIds(unittest.TestCase):
vault_password_files=['yet-another-password-file',
'one-more-password-file'],
ask_vault_pass=True,
create_new_password=True)
create_new_password=True,
auto_prompt=False)
self.assertEqual(set(res), set(['blip@prompt', 'baz@prompt_ask_vault_pass',
'default@prompt_ask_vault_pass',
'some-password-file', 'qux@another-password-file',
@ -92,7 +119,7 @@ class TestCliSetupVaultSecrets(unittest.TestCase):
self.tty_patcher.stop()
def test(self):
res = cli.CLI.setup_vault_secrets(None, None)
res = cli.CLI.setup_vault_secrets(None, None, auto_prompt=False)
self.assertIsInstance(res, list)
@patch('ansible.cli.get_file_vault_secret')
@ -134,7 +161,6 @@ class TestCliSetupVaultSecrets(unittest.TestCase):
vault_ids=['prompt1@prompt'],
ask_vault_pass=True)
print('res: %s' % res)
self.assertIsInstance(res, list)
self.assertEqual(len(res), 0)
matches = vault.match_secrets(res, ['prompt1'])