cli: Only ignore empty vault filenames

This effectively reverts 98eaa3d0fd.
pull/82721/head
corubba 8 months ago
parent 20c9015d1f
commit 24c3a20b5f

@ -1,4 +1,4 @@
--- ---
bugfixes: bugfixes:
- passing a directory as vault password file now raises a meaningful error (https://github.com/ansible/ansible/pull/82721). - passing a directory as vault password file now raises a meaningful error (https://github.com/ansible/ansible/pull/82721).
- empty vault ids are now silently ignored (https://github.com/ansible/ansible/pull/82721). - empty vault filenames are now silently ignored (https://github.com/ansible/ansible/pull/82721).

@ -254,10 +254,6 @@ class CLI(ABC):
last_exception = found_vault_secret = None last_exception = found_vault_secret = None
for vault_id_slug in vault_ids: for vault_id_slug in vault_ids:
if not vault_id_slug:
# silently ignore empty values
continue
vault_id_name, vault_id_value = CLI.split_vault_id(vault_id_slug) vault_id_name, vault_id_value = CLI.split_vault_id(vault_id_slug)
if vault_id_value in ['prompt', 'prompt_ask_vault_pass']: if vault_id_value in ['prompt', 'prompt_ask_vault_pass']:
@ -288,6 +284,10 @@ class CLI(ABC):
loader.set_vault_secrets(vault_secrets) loader.set_vault_secrets(vault_secrets)
continue continue
if not vault_id_value:
# silently ignore empty filenames
continue
# assuming anything else is a password file # assuming anything else is a password file
display.vvvvv('Reading vault password file: %s' % vault_id_value) display.vvvvv('Reading vault password file: %s' % vault_id_value)
# read vault_pass from a file # read vault_pass from a file
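Review bot: The new `if not vault_id_value:` guard drops the entry with no trace, so a caller who ends up with an empty filename (for instance `foo@` built from an empty variable in a wrapper script) gets no hint why no secret was loaded for that id. The line after the guard already logs at `vvvvv`, so a matching debug message before the `continue` would keep the behaviour while making the skip diagnosable: `display.vvvvv('Ignoring empty vault password file for vault id: %s' % vault_id_name)`. The guard also treats only the empty string as empty, so a whitespace-only value still reaches the file reader, which may be intended but is worth a comment. The enclosing loop starts and ends outside this hunk.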

@ -359,19 +359,21 @@ class TestCliSetupVaultSecrets(unittest.TestCase):
match = vault.match_secrets(res, ['some_vault_id'])[0][1] match = vault.match_secrets(res, ['some_vault_id'])[0][1]
self.assertEqual(match.bytes, b'prompt1_password') self.assertEqual(match.bytes, b'prompt1_password')
def test_empty_id(self): def test_empty_slug(self):
res = cli.CLI.setup_vault_secrets(loader=self.fake_loader, res = cli.CLI.setup_vault_secrets(loader=self.fake_loader,
vault_ids=['']) vault_ids=[''])
self.assertIsInstance(res, list) self.assertIsInstance(res, list)
self.assertEqual(0, len(res)) self.assertEqual(0, len(res))
@patch('ansible.cli.get_file_vault_secret') def test_empty_name_part(self):
def test_empty_file_part(self, mock_file_secret):
mock_file_secret.side_effect = AnsibleError('There is something wrong with your vault file')
self.assertRaisesRegex(AnsibleError, self.assertRaisesRegex(AnsibleError,
'.*There is something wrong with your vault file.*', '.*The vault password file .*/foo was not found.*',
cli.CLI.setup_vault_secrets, cli.CLI.setup_vault_secrets,
loader=self.fake_loader, loader=self.fake_loader,
vault_ids=['foo@']) vault_ids=['@foo'])
mock_file_secret.assert_called_once()
def test_empty_value_part(self):
res = cli.CLI.setup_vault_secrets(loader=self.fake_loader,
vault_ids=['foo@'])
self.assertIsInstance(res, list)
self.assertEqual(0, len(res))
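Review bot: `test_empty_name_part` no longer patches `ansible.cli.get_file_vault_secret`, so with `vault_ids=['@foo']` it appears to depend on the real filesystem. The expected message `The vault password file .*/foo was not found` only occurs if no file named `foo` exists where the path is resolved, presumably the working directory of the test run. Keeping the mock, or pointing the id at a path inside a temporary directory, would make the test hermetic. `test_empty_value_part` checks only that the result is empty; patching the file reader and adding `mock_file_secret.assert_not_called()` would pin the skip itself.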
