Allow single vault encrypted values to be used directly as module parameters. Fixes #68275 (#70607)

This commit is contained in:
Matt Martz 2020-07-14 10:56:26 -05:00 committed by GitHub
parent 375c6b4ae4
commit a77dbf0866
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 26 additions and 4 deletions

View file

@ -0,0 +1,3 @@
bugfixes:
- Vault - Allow single vault encrypted values to be used directly as module
parameters. (https://github.com/ansible/ansible/issues/68275)

View file

@ -37,6 +37,7 @@ from ansible import constants as C
from ansible.errors import AnsibleError
from ansible.executor.interpreter_discovery import InterpreterDiscoveryRequiredError
from ansible.executor.powershell import module_manifest as ps_manifest
from ansible.module_utils.common.json import AnsibleJSONEncoder
from ansible.module_utils.common.text.converters import to_bytes, to_text, to_native
from ansible.plugins.loader import module_utils_loader
from ansible.utils.collection_loader._collection_finder import _get_collection_metadata, AnsibleCollectionRef
@ -1075,7 +1076,7 @@ def _find_module_utils(module_name, b_module_data, module_path, module_args, tas
if module_substyle == 'python':
params = dict(ANSIBLE_MODULE_ARGS=module_args,)
try:
python_repred_params = repr(json.dumps(params))
python_repred_params = repr(json.dumps(params, cls=AnsibleJSONEncoder, vault_to_text=True))
except TypeError as e:
raise AnsibleError("Unable to pass options to module, they must be JSON serializable: %s" % to_native(e))
@ -1256,7 +1257,7 @@ def _find_module_utils(module_name, b_module_data, module_path, module_args, tas
)
elif module_substyle == 'jsonargs':
module_args_json = to_bytes(json.dumps(module_args))
module_args_json = to_bytes(json.dumps(module_args, cls=AnsibleJSONEncoder, vault_to_text=True))
# these strings could be included in a third-party module but
# officially they were included in the 'basic' snippet for new-style

View file

@ -36,15 +36,19 @@ class AnsibleJSONEncoder(json.JSONEncoder):
Simple encoder class to deal with JSON encoding of Ansible internal types
'''
def __init__(self, preprocess_unsafe=False, **kwargs):
def __init__(self, preprocess_unsafe=False, vault_to_text=False, **kwargs):
self._preprocess_unsafe = preprocess_unsafe
self._vault_to_text = vault_to_text
super(AnsibleJSONEncoder, self).__init__(**kwargs)
# NOTE: ALWAYS inform AWS/Tower when new items get added as they consume them downstream via a callback
def default(self, o):
if getattr(o, '__ENCRYPTED__', False):
# vault object
value = {'__ansible_vault': to_text(o._ciphertext, errors='surrogate_or_strict', nonstring='strict')}
if self._vault_to_text:
value = to_text(o, errors='surrogate_or_strict')
else:
value = {'__ansible_vault': to_text(o._ciphertext, errors='surrogate_or_strict', nonstring='strict')}
elif getattr(o, '__UNSAFE__', False):
# unsafe object, this will never be triggered, see ``AnsibleJSONEncoder.iterencode``
value = {'__ansible_unsafe': to_text(o, errors='surrogate_or_strict', nonstring='strict')}

View file

@ -107,3 +107,17 @@
that:
- vaulted_value|wordcount == 2
when: lookup('pipe', ansible_python.executable ~ ' -c "import jinja2; print(jinja2.__version__)"') is version('2.11.2', '>=')
- ping:
data: !vault |
$ANSIBLE_VAULT;1.1;AES256
35323961353038346165643738646465376139363061353835303739663538343266303232326635
3365353662646236356665323135633630656238316530640a663362363763633436373439663031
33663433383037396438656464636433653837376361313638366362333037323961316364363363
3835616438623261650a636164376534376661393134326662326362323131373964313961623365
3833
register: ping_result
- assert:
that:
- ping_result.ping == 'foo bar'