[stable-2.7] Support nested JSON decoding in AnsibleJSONDecoder (#45924)

* Support nested JSON decoding in AnsibleJSONDecoder

* Add tests for vault portion of AnsibleJSONDecoder
(cherry picked from commit c0915e2)

Co-authored-by: Matt Martz <matt@sivel.net>
This commit is contained in:
Matt Martz 2018-09-24 14:33:19 -05:00 committed by Toshio Kuratomi
parent f360df4e10
commit 8da4113ec0
4 changed files with 58 additions and 21 deletions

View file

@ -0,0 +1,2 @@
bugfixes:
- Ansible JSON Decoder - Switch from decode to object_hook to support nested use of __ansible_vault and __ansible_unsafe (https://github.com/ansible/ansible/pull/45514)

View file

@ -20,33 +20,27 @@ class AnsibleJSONDecoder(json.JSONDecoder):
_vaults = {}
def __init__(self, *args, **kwargs):
kwargs['object_hook'] = self.object_hook
super(AnsibleJSONDecoder, self).__init__(*args, **kwargs)
@classmethod
def set_secrets(cls, secrets):
cls._vaults['default'] = VaultLib(secrets=secrets)
def _decode_map(self, value):
def object_hook(self, pairs):
for key in pairs:
value = pairs[key]
if value.get('__ansible_unsafe', False):
value = wrap_var(value.get('__ansible_unsafe'))
elif value.get('__ansible_vault', False):
value = AnsibleVaultEncryptedUnicode(value.get('__ansible_vault'))
if self._vaults:
value.vault = self._vaults['default']
else:
for k in value:
if isinstance(value[k], Mapping):
value[k] = self._decode_map(value[k])
return value
if key == '__ansible_vault':
value = AnsibleVaultEncryptedUnicode(value)
if self._vaults:
value.vault = self._vaults['default']
return value
elif key == '__ansible_unsafe':
return wrap_var(value.get('__ansible_unsafe'))
def decode(self, obj):
''' use basic json decoding except for specific ansible objects unsafe and vault '''
value = super(AnsibleJSONDecoder, self).decode(obj)
if isinstance(value, Mapping):
value = self._decode_map(value)
return value
return pairs
# TODO: find way to integrate with the encoding modules do in module_utils

View file

@ -0,0 +1,19 @@
{
"password": {
"__ansible_vault": "$ANSIBLE_VAULT;1.1;AES256\n34646264306632313333393636316562356435376162633631326264383934326565333633366238\n3863373264326461623132613931346165636465346337310a326434313830316337393263616439\n64653937313463396366633861363266633465663730303633323534363331316164623237363831\n3536333561393238370a313330316263373938326162386433313336613532653538376662306435\n3339\n"
},
"bar": {
"baz": [
{
"password": {
"__ansible_vault": "$ANSIBLE_VAULT;1.1;AES256\n34646264306632313333393636316562356435376162633631326264383934326565333633366238\n3863373264326461623132613931346165636465346337310a326434313830316337393263616439\n64653937313463396366633861363266633465663730303633323534363331316164623237363831\n3536333561393238370a313330316263373938326162386433313336613532653538376662306435\n3339\n"
}
}
]
},
"foo": {
"password": {
"__ansible_vault": "$ANSIBLE_VAULT;1.1;AES256\n34646264306632313333393636316562356435376162633631326264383934326565333633366238\n3863373264326461623132613931346165636465346337310a326434313830316337393263616439\n64653937313463396366633861363266633465663730303633323534363331316164623237363831\n3536333561393238370a313330316263373938326162386433313336613532653538376662306435\n3339\n"
}
}
}

View file

@ -0,0 +1,22 @@
# Copyright 2018, Matt Martz <matt@sivel.net>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
import os
import json
import pytest
from ansible.parsing.ajson import AnsibleJSONDecoder
from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode
def test_AnsibleJSONDecoder_vault():
with open(os.path.join(os.path.dirname(__file__), 'fixtures/ajson.json')) as f:
data = json.load(f, cls=AnsibleJSONDecoder)
assert isinstance(data['password'], AnsibleVaultEncryptedUnicode)
assert isinstance(data['bar']['baz'][0]['password'], AnsibleVaultEncryptedUnicode)
assert isinstance(data['foo']['password'], AnsibleVaultEncryptedUnicode)