From 75a8be9a5d29b574638f3f6e4176882f1f324781 Mon Sep 17 00:00:00 2001
From: Adrian Likins
Date: Tue, 1 Aug 2017 18:07:33 -0400
Subject: [PATCH] Add back support for vault_password_file config var (#27597)

Got removed in arg parsing updates. Now added back in setup_vault_secrets(). The default value for DEFAULT_VAULT_PASSWORD_FILE was also set to '~' for some reason, change to to no default. Add integration tests.
---
 lib/ansible/cli/__init__.py | 5 +++++
 lib/ansible/config/data/config.yml | 2 +-
 test/integration/targets/vault/runme.sh | 12 ++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/lib/ansible/cli/__init__.py b/lib/ansible/cli/__init__.py
index 3faf3450f66..89f2cd1a025 100644
--- a/lib/ansible/cli/__init__.py
+++ b/lib/ansible/cli/__init__.py
@@ -210,6 +210,11 @@ class CLI(with_metaclass(ABCMeta, object)):
 # we need to show different prompts. This is for compat with older Towers that expect a
 # certain vault password prompt format, so 'promp_ask_vault_pass' vault_id gets the old format.
 prompt_formats = {}
+
+ vault_password_files = vault_password_files or []
+ if C.DEFAULT_VAULT_PASSWORD_FILE:
+ vault_password_files.append(C.DEFAULT_VAULT_PASSWORD_FILE)
+
 if create_new_password:
 prompt_formats['prompt'] = ['New vault password (%(vault_id)s): ',
 'Confirm vew vault password (%(vault_id)s): ']
diff --git a/lib/ansible/config/data/config.yml b/lib/ansible/config/data/config.yml
index cc04be2bf23..8c70d7b037e 100644
--- a/lib/ansible/config/data/config.yml
+++ b/lib/ansible/config/data/config.yml
@@ -1089,7 +1089,7 @@ DEFAULT_VAULT_IDENTITY:
 vars: []
 yaml: {key: defaults.vault_identity}
 DEFAULT_VAULT_PASSWORD_FILE:
- default: ~
+ default:
 desc: 'TODO: write it'
 env: [{name: ANSIBLE_VAULT_PASSWORD_FILE}]
 ini:
diff --git a/test/integration/targets/vault/runme.sh b/test/integration/targets/vault/runme.sh
index e0a99844548..c5ce2764ae9 100755
--- a/test/integration/targets/vault/runme.sh
+++ b/test/integration/targets/vault/runme.sh
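Review bot: `vault_password_files = vault_password_files or []` keeps a reference to the caller's list whenever one is passed, so the following `.append(C.DEFAULT_VAULT_PASSWORD_FILE)` mutates the caller's option list in place, and any later use of that list (or a second call with the same options) could see the configured file appended again; copy first, `vault_password_files = list(vault_password_files or [])`. The configured file lands last in the list, so if the secrets are tried in list order the explicit `--vault-password-file` entries win; that precedence deserves a line such as `# the configured default file is appended after any files given on the command line`. The block is also inserted between the prompt_formats comment and the `if create_new_password:` code that comment describes; moving it above the comment keeps the prompt-format setup contiguous. The enclosing method starts and ends outside the hunk.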
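Review bot: `default:` with no value parses to null in YAML exactly as `default: ~` did, so the changed line alters nothing at runtime; the commit message reads `~` as a home-directory path, but it is YAML's null literal. The documentation gap in this entry is `desc: 'TODO: write it'`, which the hunk leaves as is even though the setting is now honoured again; suggest `desc: 'Path to a file containing the vault password. It is used in addition to any --vault-password-file given on the command line.'` The `ini:` entry continues outside the hunk.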
@@ -87,6 +87,15 @@ echo "rc was $WRONG_RC (1 is expected)"
 # new 1.2 format, view, using password script with vault-id, ENFORCE_IDENTITY_MATCH=true, 'test_vault_id' provided should work
 ANSIBLE_VAULT_ID_MATCH=1 ansible-vault view "$@" --vault-id=test_vault_id@password-script.py format_1_2_AES256.yml
+# test with a default vault password set via config/env, right password
+ANSIBLE_VAULT_PASSWORD_FILE=vault-password ansible-vault view "$@" format_1_1_AES256.yml
+
+# test with a default vault password set via config/env, wrong password
+ANSIBLE_VAULT_PASSWORD_FILE=vault-password-wrong ansible-vault view "$@" format_1_1_AES.yml && :
+WRONG_RC=$?
+echo "rc was $WRONG_RC (1 is expected)"
+[ $WRONG_RC -eq 1 ]
+
 # encrypt it
 ansible-vault encrypt "$@" --vault-password-file vault-password "${TEST_FILE}"
@@ -214,6 +223,9 @@ ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-pass
 ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password --vault-password-file vault-password-wrong --syntax-check
 ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password-wrong --vault-password-file vault-password
+# test with a default vault password file set in config
+ANSIBLE_VAULT_PASSWORD_FILE=vault-password ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password-wrong
+
 # test that we can have a vault encrypted yaml file that includes embedded vault vars
 # that were encrypted with a different vault secret
 ansible-playbook test_vault_file_encrypted_embedded.yml -i ../../inventory "$@" --vault-id encrypted_file_encrypted_var_password --vault-id vault-password
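Review bot: The wrong-password check views `format_1_1_AES.yml` while the right-password check just above it views `format_1_1_AES256.yml`, so a non-zero rc in the second case can come from the file's cipher format rather than from the wrong password, and the pair does not isolate what the comments claim; point both at the same file, `ANSIBLE_VAULT_PASSWORD_FILE=vault-password-wrong ansible-vault view "$@" format_1_1_AES256.yml && :`. Both comments say "via config/env" but only the environment variable is exercised; either add a case that sets `vault_password_file` in an ansible.cfg, which is the path the commit title names, or reword the comments to "via ANSIBLE_VAULT_PASSWORD_FILE".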
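Review bot: The comment `# test with a default vault password file set in config` does not describe the line below it, which supplies the file through the `ANSIBLE_VAULT_PASSWORD_FILE` environment variable and combines it with a wrong `--vault-password-file`; suggest `# test that a default vault password file from ANSIBLE_VAULT_PASSWORD_FILE is tried alongside a wrong --vault-password-file`. The mirror case, a wrong file in the environment and the right one on the command line, is not covered in this hunk and would confirm that the two sources are tried independently rather than the configured file shadowing the explicit one.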