diff --git a/lib/ansible/cli/__init__.py b/lib/ansible/cli/__init__.py
index f7d5ed14a17..3faf3450f66 100644
--- a/lib/ansible/cli/__init__.py
+++ b/lib/ansible/cli/__init__.py
@@ -194,7 +194,7 @@ class CLI(with_metaclass(ABCMeta, object)):
 vault_ids.append(id_slug)
 if ask_vault_pass:
- id_slug = u'%s@%s' % (C.DEFAULT_VAULT_IDENTITY, u'prompt')
+ id_slug = u'%s@%s' % (C.DEFAULT_VAULT_IDENTITY, u'prompt_ask_vault_pass')
 vault_ids.append(id_slug)
 return vault_ids
@@ -206,11 +206,17 @@ class CLI(with_metaclass(ABCMeta, object)):
 # list of tuples
 vault_secrets = []
+ # Depending on the vault_id value (including how --ask-vault-pass / --vault-password-file create a vault_id)
+ # we need to show different prompts. This is for compat with older Towers that expect a
+ # certain vault password prompt format, so 'promp_ask_vault_pass' vault_id gets the old format.
+ prompt_formats = {}
 if create_new_password:
- prompt_formats = ['New vault password (%s): ',
- 'Confirm vew vault password (%s): ']
+ prompt_formats['prompt'] = ['New vault password (%(vault_id)s): ',
+ 'Confirm vew vault password (%(vault_id)s): ']
 else:
- prompt_formats = ['Vault password (%s): ']
+ prompt_formats['prompt'] = ['Vault password (%(vault_id)s): ']
+ # The format when we use just --ask-vault-pass needs to match 'Vault password:\s*?$'
+ prompt_formats['prompt_ask_vault_pass'] = ['Vault password: ']
 vault_ids = CLI.build_vault_ids(vault_ids, vault_password_files, 
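Review bot: The `prompt_ask_vault_pass` key has no new-password variant, so `--ask-vault-pass` combined with `create_new_password` loses the New/Confirm pair that the `prompt` key keeps. Indentation is lost on this page, so the added `prompt_formats['prompt_ask_vault_pass'] = ['Vault password: ']` is either inside the `else:` (then the `prompt_formats[vault_id_value]` lookup in the next hunk would raise KeyError on that path) or after it (then a new vault password is presumably accepted from a single prompt with no confirmation, and a typo would encrypt content under an unintended password). I would set the key in both branches, e.g. in the `if create_new_password:` branch `prompt_formats['prompt_ask_vault_pass'] = ['New Vault password: ', 'Confirm New Vault password: ']`, after checking which prompt text Tower expects there. The added comment also misspells the key as `'promp_ask_vault_pass'`, and the function continues past the end of this hunk.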
@@ -218,15 +224,19 @@ class CLI(with_metaclass(ABCMeta, object)):
 for index, vault_id_slug in enumerate(vault_ids):
 vault_id_name, vault_id_value = CLI.split_vault_id(vault_id_slug)
- if vault_id_value == 'prompt':
- # TODO: we could assume --vault-id=prompt implies --ask-vault-pass
- # if not, we need to 'if ask_vault_pass' here
+ if vault_id_value in ['prompt', 'prompt_ask_vault_pass']:
+
+ # --vault-id some_name@prompt_ask_vault_pass --vault-id other_name@prompt_ask_vault_pass will be a little
+ # confusing since it will use the old format without the vault id in the prompt
 if vault_id_name:
- prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats, vault_id=vault_id_name)
+ prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats[vault_id_value],
+ vault_id=vault_id_name)
 prompted_vault_secret.load()
 vault_secrets.append((vault_id_name, prompted_vault_secret))
 else:
- prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats,
+ # ie, we used --ask-vault-pass, so we need to use the old vault password prompt
+ # format since Tower needs to match on that format.
+ prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats[vault_id_value],
 vault_id=C.DEFAULT_VAULT_IDENTITY)
 prompted_vault_secret.load()
 vault_secrets.append((C.DEFAULT_VAULT_IDENTITY, prompted_vault_secret))
diff --git a/lib/ansible/parsing/vault/__init__.py b/lib/ansible/parsing/vault/__init__.py
index c69910f2d78..1d278b883ec 100644
--- a/lib/ansible/parsing/vault/__init__.py
+++ b/lib/ansible/parsing/vault/__init__.py
@@ -259,7 +259,7 @@ class PromptVaultSecret(VaultSecret):
 b_vault_passwords = []
 for prompt_format in self.prompt_formats:
- prompt = prompt_format % self.vault_id
+ prompt = prompt_format % {'vault_id': self.vault_id}
 try:
 vault_pass = display.prompt(prompt, private=True)
 except EOFError:
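Review bot: The comment added in the `else:` branch ("ie, we used --ask-vault-pass") looks inaccurate. The first hunk builds that slug with `C.DEFAULT_VAULT_IDENTITY` as its name part, so `split_vault_id` (not shown) presumably returns a non-empty name and `--ask-vault-pass` goes through the `if vault_id_name:` branch instead. With this change the two branches differ only in the vault id, so they could be one path: `vault_id_name = vault_id_name or C.DEFAULT_VAULT_IDENTITY`, then a single `PromptVaultSecret(prompt_formats=prompt_formats[vault_id_value], vault_id=vault_id_name)` with one `load()` and one `append`. The loop body starts above this hunk and may continue below it.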
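Review bot: Entries in `prompt_formats` now have to use the named placeholder `%(vault_id)s`, and nothing at the changed line documents or checks that. A caller that still passes a positional format such as `'Vault password (%s): '` will not fail, because `%` with a dict as the right operand renders the whole mapping into the prompt text. I would add a comment above the line, `# prompt_formats entries must use %(vault_id)s; a positional %s would print the dict`, and state the same in the class docstring. The method starts and ends outside this hunk.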