From 24c3a20b5fe0abdedd43781a641a7c96f9b7dc1b Mon Sep 17 00:00:00 2001
From: corubba <corubba@gmx.de>
Date: Tue, 19 Mar 2024 23:14:10 +0100
Subject: [PATCH] cli: Only ignore empty vault filenames

This effectively reverts 98eaa3d0fdf22645d3cbb4c2f8c9bd738c57cace.
---
 changelogs/fragments/82721-vault-empty.yml |  2 +-
 lib/ansible/cli/__init__.py                |  8 ++++----
 test/units/cli/test_cli.py                 | 18 ++++++++++--------
 3 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/changelogs/fragments/82721-vault-empty.yml b/changelogs/fragments/82721-vault-empty.yml
index 89acb3ee5fd..130fa86e225 100644
--- a/changelogs/fragments/82721-vault-empty.yml
+++ b/changelogs/fragments/82721-vault-empty.yml
@@ -1,4 +1,4 @@
 ---
 bugfixes:
   - passing a directory as vault password file now raises a meaningful error (https://github.com/ansible/ansible/pull/82721).
-  - empty vault ids are now silently ignored (https://github.com/ansible/ansible/pull/82721).
+  - empty vault filenames are now silently ignored (https://github.com/ansible/ansible/pull/82721).
diff --git a/lib/ansible/cli/__init__.py b/lib/ansible/cli/__init__.py
index d6b7a0e2877..a125856bd97 100644
--- a/lib/ansible/cli/__init__.py
+++ b/lib/ansible/cli/__init__.py
@@ -254,10 +254,6 @@ class CLI(ABC):
 
         last_exception = found_vault_secret = None
         for vault_id_slug in vault_ids:
-            if not vault_id_slug:
-                # silently ignore empty values
-                continue
-
             vault_id_name, vault_id_value = CLI.split_vault_id(vault_id_slug)
             if vault_id_value in ['prompt', 'prompt_ask_vault_pass']:
 
@@ -288,6 +284,10 @@ class CLI(ABC):
                 loader.set_vault_secrets(vault_secrets)
                 continue
 
+            if not vault_id_value:
+                # silently ignore empty filenames
+                continue
+
             # assuming anything else is a password file
             display.vvvvv('Reading vault password file: %s' % vault_id_value)
             # read vault_pass from a file
diff --git a/test/units/cli/test_cli.py b/test/units/cli/test_cli.py
index 7115159b21e..e9110b7f8b6 100644
--- a/test/units/cli/test_cli.py
+++ b/test/units/cli/test_cli.py
@@ -359,19 +359,21 @@ class TestCliSetupVaultSecrets(unittest.TestCase):
         match = vault.match_secrets(res, ['some_vault_id'])[0][1]
         self.assertEqual(match.bytes, b'prompt1_password')
 
-    def test_empty_id(self):
+    def test_empty_slug(self):
         res = cli.CLI.setup_vault_secrets(loader=self.fake_loader,
                                           vault_ids=[''])
         self.assertIsInstance(res, list)
         self.assertEqual(0, len(res))
 
-    @patch('ansible.cli.get_file_vault_secret')
-    def test_empty_file_part(self, mock_file_secret):
-        mock_file_secret.side_effect = AnsibleError('There is something wrong with your vault file')
-
+    def test_empty_name_part(self):
         self.assertRaisesRegex(AnsibleError,
-                               '.*There is something wrong with your vault file.*',
+                               '.*The vault password file .*/foo was not found.*',
                                cli.CLI.setup_vault_secrets,
                                loader=self.fake_loader,
-                               vault_ids=['foo@'])
-        mock_file_secret.assert_called_once()
+                               vault_ids=['@foo'])
+
+    def test_empty_value_part(self):
+        res = cli.CLI.setup_vault_secrets(loader=self.fake_loader,
+                                          vault_ids=['foo@'])
+        self.assertIsInstance(res, list)
+        self.assertEqual(0, len(res))