Fix --ask-vault-pass prompt to match old when poss (#27602)
If we don't use more than one vault-id, and we use
--ask-vault-pass, instead of using the new vault prompt
format ('Vault password (my_vault_id): ') we use the old
one ('Vault password: ').
This avoids confusing Tower when it needs to detect an
interactive vault password prompt.
This also potentially could allow vault password prompts
to be customized per vault_id.
This commit is contained in:
Adrian Likins
GitHub
parent
37392318a6
commit
9f57920eab
2 changed files with 20 additions and 10 deletions
|
|
@ -194,7 +194,7 @@ class CLI(with_metaclass(ABCMeta, object)):
|
|||
vault_ids.append(id_slug)
|
||||
|
||||
if ask_vault_pass:
|
||||
id_slug = u'%s@%s' % (C.DEFAULT_VAULT_IDENTITY, u'prompt')
|
||||
id_slug = u'%s@%s' % (C.DEFAULT_VAULT_IDENTITY, u'prompt_ask_vault_pass')
|
||||
vault_ids.append(id_slug)
|
||||
|
||||
return vault_ids
|
||||
|
|
@ -206,11 +206,17 @@ class CLI(with_metaclass(ABCMeta, object)):
|
|||
# list of tuples
|
||||
vault_secrets = []
|
||||
|
||||
# Depending on the vault_id value (including how --ask-vault-pass / --vault-password-file create a vault_id)
|
||||
# we need to show different prompts. This is for compat with older Towers that expect a
|
||||
# certain vault password prompt format, so 'promp_ask_vault_pass' vault_id gets the old format.
|
||||
prompt_formats = {}
|
||||
if create_new_password:
|
||||
prompt_formats = ['New vault password (%s): ',
|
||||
'Confirm vew vault password (%s): ']
|
||||
prompt_formats['prompt'] = ['New vault password (%(vault_id)s): ',
|
||||
'Confirm vew vault password (%(vault_id)s): ']
|
||||
else:
|
||||
prompt_formats = ['Vault password (%s): ']
|
||||
prompt_formats['prompt'] = ['Vault password (%(vault_id)s): ']
|
||||
# The format when we use just --ask-vault-pass needs to match 'Vault password:\s*?$'
|
||||
prompt_formats['prompt_ask_vault_pass'] = ['Vault password: ']
|
||||
|
||||
vault_ids = CLI.build_vault_ids(vault_ids,
|
||||
vault_password_files,
|
||||
|
|
@ -218,15 +224,19 @@ class CLI(with_metaclass(ABCMeta, object)):
|
|||
|
||||
for index, vault_id_slug in enumerate(vault_ids):
|
||||
vault_id_name, vault_id_value = CLI.split_vault_id(vault_id_slug)
|
||||
if vault_id_value == 'prompt':
|
||||
# TODO: we could assume --vault-id=prompt implies --ask-vault-pass
|
||||
# if not, we need to 'if ask_vault_pass' here
|
||||
if vault_id_value in ['prompt', 'prompt_ask_vault_pass']:
|
||||
|
||||
# --vault-id some_name@prompt_ask_vault_pass --vault-id other_name@prompt_ask_vault_pass will be a little
|
||||
# confusing since it will use the old format without the vault id in the prompt
|
||||
if vault_id_name:
|
||||
prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats, vault_id=vault_id_name)
|
||||
prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats[vault_id_value],
|
||||
vault_id=vault_id_name)
|
||||
prompted_vault_secret.load()
|
||||
vault_secrets.append((vault_id_name, prompted_vault_secret))
|
||||
else:
|
||||
prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats,
|
||||
# ie, we used --ask-vault-pass, so we need to use the old vault password prompt
|
||||
# format since Tower needs to match on that format.
|
||||
prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats[vault_id_value],
|
||||
vault_id=C.DEFAULT_VAULT_IDENTITY)
|
||||
prompted_vault_secret.load()
|
||||
vault_secrets.append((C.DEFAULT_VAULT_IDENTITY, prompted_vault_secret))
|
||||
|
|
|
|||
|
|
@ -259,7 +259,7 @@ class PromptVaultSecret(VaultSecret):
|
|||
b_vault_passwords = []
|
||||
|
||||
for prompt_format in self.prompt_formats:
|
||||
prompt = prompt_format % self.vault_id
|
||||
prompt = prompt_format % {'vault_id': self.vault_id}
|
||||
try:
|
||||
vault_pass = display.prompt(prompt, private=True)
|
||||
except EOFError:
|
||||
|
|
|
|||
Loading…
Reference in a new issue