* Shadow input for encrypt_string by default unless asked (fixes #71618)
This commit is contained in:
parent
bc60d8ccda
commit
823c72bcb5
3 changed files with 28 additions and 2 deletions
2
changelogs/fragments/73263-shadow-encrypt-string.yml
Normal file
2
changelogs/fragments/73263-shadow-encrypt-string.yml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
minor_changes:
|
||||||
|
- "Shadow prompt input to ansible-vault encrypt-string unless the ``--show-input`` flag is set"
|
|
@ -99,6 +99,8 @@ class VaultCLI(CLI):
|
||||||
enc_str_parser.add_argument('-p', '--prompt', dest='encrypt_string_prompt',
|
enc_str_parser.add_argument('-p', '--prompt', dest='encrypt_string_prompt',
|
||||||
action='store_true',
|
action='store_true',
|
||||||
help="Prompt for the string to encrypt")
|
help="Prompt for the string to encrypt")
|
||||||
|
enc_str_parser.add_argument('--show-input', dest='show_string_input', default=False, action='store_true',
|
||||||
|
help='Do not hide input when prompted for the string to encrypt')
|
||||||
enc_str_parser.add_argument('-n', '--name', dest='encrypt_string_names',
|
enc_str_parser.add_argument('-n', '--name', dest='encrypt_string_names',
|
||||||
action='append',
|
action='append',
|
||||||
help="Specify the variable name")
|
help="Specify the variable name")
|
||||||
|
@ -300,8 +302,13 @@ class VaultCLI(CLI):
|
||||||
|
|
||||||
# TODO: could prompt for which vault_id to use for each plaintext string
|
# TODO: could prompt for which vault_id to use for each plaintext string
|
||||||
# currently, it will just be the default
|
# currently, it will just be the default
|
||||||
# could use private=True for shadowed input if useful
|
hide_input = not context.CLIARGS['show_string_input']
|
||||||
prompt_response = display.prompt(msg)
|
if hide_input:
|
||||||
|
msg = "String to encrypt (hidden): "
|
||||||
|
else:
|
||||||
|
msg = "String to encrypt:"
|
||||||
|
|
||||||
|
prompt_response = display.prompt(msg, private=hide_input)
|
||||||
|
|
||||||
if prompt_response == '':
|
if prompt_response == '':
|
||||||
raise AnsibleOptionsError('The plaintext provided from the prompt was empty, not encrypting')
|
raise AnsibleOptionsError('The plaintext provided from the prompt was empty, not encrypting')
|
||||||
|
|
|
@ -108,9 +108,26 @@ class TestVaultCli(unittest.TestCase):
|
||||||
cli = VaultCLI(args=['ansible-vault',
|
cli = VaultCLI(args=['ansible-vault',
|
||||||
'encrypt_string',
|
'encrypt_string',
|
||||||
'--prompt',
|
'--prompt',
|
||||||
|
'--show-input',
|
||||||
'some string to encrypt'])
|
'some string to encrypt'])
|
||||||
cli.parse()
|
cli.parse()
|
||||||
cli.run()
|
cli.run()
|
||||||
|
args, kwargs = mock_display.call_args
|
||||||
|
assert kwargs["private"] is False
|
||||||
|
|
||||||
|
@patch('ansible.cli.vault.VaultCLI.setup_vault_secrets')
|
||||||
|
@patch('ansible.cli.vault.VaultEditor')
|
||||||
|
@patch('ansible.cli.vault.display.prompt', return_value='a_prompt')
|
||||||
|
def test_shadowed_encrypt_string_prompt(self, mock_display, mock_vault_editor, mock_setup_vault_secrets):
|
||||||
|
mock_setup_vault_secrets.return_value = [('default', TextVaultSecret('password'))]
|
||||||
|
cli = VaultCLI(args=['ansible-vault',
|
||||||
|
'encrypt_string',
|
||||||
|
'--prompt',
|
||||||
|
'some string to encrypt'])
|
||||||
|
cli.parse()
|
||||||
|
cli.run()
|
||||||
|
args, kwargs = mock_display.call_args
|
||||||
|
assert kwargs["private"]
|
||||||
|
|
||||||
@patch('ansible.cli.vault.VaultCLI.setup_vault_secrets')
|
@patch('ansible.cli.vault.VaultCLI.setup_vault_secrets')
|
||||||
@patch('ansible.cli.vault.VaultEditor')
|
@patch('ansible.cli.vault.VaultEditor')
|
||||||
|
|
Loading…
Reference in a new issue