ansible/test/integration/targets/vault
Adrian Likins 9c58827410
Better handling of malformed vault data envelope (#32515)
* Better handling of malformed vault data envelope

If an embedded vaulted variable ('!vault' in yaml)
had an invalid format, it would eventually cause
an error for seemingly unrelated reasons.
"Invalid" meaning not valid hexlify (extra chars,
non-hex chars, etc).

For ex, if a host_vars file had invalid vault format
variables, on py2, it would cause an error like:

  'ansible.vars.hostvars.HostVars object' has no
  attribute u'broken.example.com'

Depending on where the invalid vault is, it could
also cause "VARIABLE IS NOT DEFINED!". The behavior
can also change if ansible-playbook is py2 or py3.

Root cause is errors from binascii.unhexlify() not
being handled consistently.

Fix is to add a AnsibleVaultFormatError exception and
raise it on any unhexlify() errors and to handle it
properly elsewhere.

Add a _unhexlify() that try/excepts around a binascii.unhexlify()
and raises an AnsibleVaultFormatError on invalid vault data.
This is so the same exception type is always raised for this
case. Previous it was different between py2 and py3.

binascii.unhexlify() raises a binascii.Error if the hexlified
blobs in a vault data blob are invalid.

On py2, binascii.Error is a subclass of Exception.
On py3, binascii.Error is a subclass of TypeError

When decrypting content of vault encrypted variables,
if a binascii.Error is raised it propagates up to
playbook.base.Base.post_validate(). post_validate()
handles exceptions for TypeErrors but not for
base Exception subclasses (like py2 binascii.Error).

* Add a display.warning on vault format errors
* Unit tests for _unhexlify, parse_vaulttext*
* Add intg test cases for invalid vault formats

Fixes #28038
2017-11-10 14:24:56 -05:00
..
invalid_format Better handling of malformed vault data envelope (#32515) 2017-11-10 14:24:56 -05:00
roles
aliases
empty-password Vault secrets empty password (#28186) 2017-08-15 11:01:46 -04:00
encrypted_file_encrypted_var_password
example1_password
example2_password
example3_password
faux-editor.py Use vault_id when encrypted via vault-edit (#30772) 2017-09-26 12:28:31 -04:00
format_1_0_AES.yml
format_1_1_AES.yml
format_1_1_AES256.yml
format_1_2_AES256.yml
password-script.py
runme.sh Better handling of malformed vault data envelope (#32515) 2017-11-10 14:24:56 -05:00
runme_change_pip_installed.sh
test-vault-client.py Vault secrets script client inc new 'keyring' client (#27669) 2017-10-13 15:23:08 -04:00
test_vault.yml
test_vault_embedded.yml
test_vault_embedded_ids.yml
test_vault_file_encrypted_embedded.yml
test_vaulted_inventory.yml
test_vaulted_template.yml
vault-password
vault-password-ansible
vault-password-wrong
vault-secret.txt
vaulted.inventory