Shadow input for encrypt_string by default unless asked (fixes #71618) (#73263)

* Shadow input for encrypt_string by default unless asked (fixes #71618)
Joshua Bayfield 2021-01-20 20:50:24 +00:00 committed by GitHub
parent bc60d8ccda
commit 823c72bcb5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 2 deletions


@ -0,0 +1,2 @@
minor_changes:
- "Shadow prompt input to ansible-vault encrypt-string unless the ``--show-input`` flag is set"


@ -99,6 +99,8 @@ class VaultCLI(CLI):
enc_str_parser.add_argument('-p', '--prompt', dest='encrypt_string_prompt', enc_str_parser.add_argument('-p', '--prompt', dest='encrypt_string_prompt',
action='store_true', action='store_true',
help="Prompt for the string to encrypt") help="Prompt for the string to encrypt")
enc_str_parser.add_argument('--show-input', dest='show_string_input', default=False, action='store_true',
help='Do not hide input when prompted for the string to encrypt')
enc_str_parser.add_argument('-n', '--name', dest='encrypt_string_names', enc_str_parser.add_argument('-n', '--name', dest='encrypt_string_names',
action='append', action='append',
help="Specify the variable name") help="Specify the variable name")
@ -300,8 +302,13 @@ class VaultCLI(CLI):
# TODO: could prompt for which vault_id to use for each plaintext string # TODO: could prompt for which vault_id to use for each plaintext string
# currently, it will just be the default # currently, it will just be the default
# could use private=True for shadowed input if useful hide_input = not context.CLIARGS['show_string_input']
prompt_response = display.prompt(msg) if hide_input:
msg = "String to encrypt (hidden): "
else:
msg = "String to encrypt:"
prompt_response = display.prompt(msg, private=hide_input)
if prompt_response == '': if prompt_response == '':
raise AnsibleOptionsError('The plaintext provided from the prompt was empty, not encrypting') raise AnsibleOptionsError('The plaintext provided from the prompt was empty, not encrypting')
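Review bot: With the prompt hidden by default, the secret is read once and rejected only when empty (`if prompt_response == '':`), so a mistyped value is encrypted without the operator ever seeing what was entered. Consider asking for the value a second time when `hide_input` is true and raising `AnsibleOptionsError` if the two entries differ. The non-hidden message `"String to encrypt:"` also drops the trailing space that the hidden variant keeps; `msg = "String to encrypt: "` would make the two consistent. Separately, `--show-input` appears to be accepted without `--prompt`, where it would have no effect; the help text could say it applies only to prompted input. The enclosing method starts and ends outside this hunk, so any earlier assignment to `msg` is not visible here.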


@ -108,9 +108,26 @@ class TestVaultCli(unittest.TestCase):
cli = VaultCLI(args=['ansible-vault', cli = VaultCLI(args=['ansible-vault',
'encrypt_string', 'encrypt_string',
'--prompt', '--prompt',
'--show-input',
'some string to encrypt']) 'some string to encrypt'])
cli.parse() cli.parse()
cli.run() cli.run()
args, kwargs = mock_display.call_args
assert kwargs["private"] is False
@patch('ansible.cli.vault.VaultCLI.setup_vault_secrets')
@patch('ansible.cli.vault.VaultEditor')
@patch('ansible.cli.vault.display.prompt', return_value='a_prompt')
def test_shadowed_encrypt_string_prompt(self, mock_display, mock_vault_editor, mock_setup_vault_secrets):
mock_setup_vault_secrets.return_value = [('default', TextVaultSecret('password'))]
cli = VaultCLI(args=['ansible-vault',
'encrypt_string',
'--prompt',
'some string to encrypt'])
cli.parse()
cli.run()
args, kwargs = mock_display.call_args
assert kwargs["private"]
@patch('ansible.cli.vault.VaultCLI.setup_vault_secrets') @patch('ansible.cli.vault.VaultCLI.setup_vault_secrets')
@patch('ansible.cli.vault.VaultEditor') @patch('ansible.cli.vault.VaultEditor')