diff --git a/lib/ansible/cli/__init__.py b/lib/ansible/cli/__init__.py index 233bee21d37..b0ec708e9ab 100644 --- a/lib/ansible/cli/__init__.py +++ b/lib/ansible/cli/__init__.py @@ -107,25 +107,18 @@ class CLI(object): self.display.display("No config file found; using defaults") @staticmethod - def ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=False, confirm_vault=False, confirm_new=False): + def ask_vault_passwords(ask_new_vault_pass=False, rekey=False): ''' prompt for vault password and/or password change ''' vault_pass = None new_vault_pass = None try: - if ask_vault_pass: + if rekey or not ask_new_vault_pass: vault_pass = getpass.getpass(prompt="Vault password: ") - if ask_vault_pass and confirm_vault: - vault_pass2 = getpass.getpass(prompt="Confirm Vault password: ") - if vault_pass != vault_pass2: - raise AnsibleError("Passwords do not match") - if ask_new_vault_pass: new_vault_pass = getpass.getpass(prompt="New Vault password: ") - - if ask_new_vault_pass and confirm_new: new_vault_pass2 = getpass.getpass(prompt="Confirm New Vault password: ") if new_vault_pass != new_vault_pass2: raise AnsibleError("Passwords do not match") @@ -138,6 +131,9 @@ class CLI(object): if new_vault_pass: new_vault_pass = to_bytes(new_vault_pass, errors='strict', nonstring='simplerepr').strip() + if ask_new_vault_pass and not rekey: + vault_pass = new_vault_pass + return vault_pass, new_vault_pass diff --git a/lib/ansible/cli/adhoc.py b/lib/ansible/cli/adhoc.py index 77b34fc3a49..f2d6780c931 100644 --- a/lib/ansible/cli/adhoc.py +++ b/lib/ansible/cli/adhoc.py 
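Review bot: The one-line docstring on `ask_vault_passwords` no longer tells a caller what the two remaining flags mean, and `if rekey or not ask_new_vault_pass:` is hard to read without that. I would expand the docstring to name the three modes: by default only the current password is requested; with `ask_new_vault_pass=True` only a new password is requested, always confirmed, and returned in both tuple positions; with `rekey=True` as well, the current password is requested first and then the new one. The signature also drops `ask_vault_pass`, `confirm_vault` and `confirm_new`, so any caller outside this diff that still passes them by keyword would raise `TypeError`; a search for remaining call sites is worth doing before merging. The function body continues past this hunk.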
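Review bot: An empty new password passes through the added `vault_pass = new_vault_pass` assignment unchecked. The `if new_vault_pass:` guard just above skips the conversion for `''`, and a whitespace-only entry is reduced to empty bytes by `.strip()`, so in create/encrypt mode the function can hand back an empty value as the vault password. Whether the vault code rejects that later is not visible in this hunk, so I would fail early with `if ask_new_vault_pass and not new_vault_pass: raise AnsibleError("New vault password must not be empty")` placed before the assignment. The surrounding function starts and ends outside the hunk.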
@@ -109,7 +109,7 @@ class AdHocCLI(CLI): vault_pass = CLI.read_vault_password_file(self.options.vault_password_file, loader=loader) loader.set_vault_password(vault_pass) elif self.options.ask_vault_pass: - vault_pass = self.ask_vault_passwords(ask_vault_pass=True, ask_new_vault_pass=False, confirm_new=False)[0] + vault_pass = self.ask_vault_passwords()[0] loader.set_vault_password(vault_pass) variable_manager = VariableManager() diff --git a/lib/ansible/cli/playbook.py b/lib/ansible/cli/playbook.py index 417c41c6e93..33414601ed9 100644 --- a/lib/ansible/cli/playbook.py +++ b/lib/ansible/cli/playbook.py @@ -100,7 +100,7 @@ class PlaybookCLI(CLI): vault_pass = CLI.read_vault_password_file(self.options.vault_password_file, loader=loader) loader.set_vault_password(vault_pass) elif self.options.ask_vault_pass: - vault_pass = self.ask_vault_passwords(ask_vault_pass=True, ask_new_vault_pass=False, confirm_new=False)[0] + vault_pass = self.ask_vault_passwords()[0] loader.set_vault_password(vault_pass) # initial error check, to make sure all specified playbooks are accessible diff --git a/lib/ansible/cli/vault.py b/lib/ansible/cli/vault.py index f3367ea28f5..e4909cc255e 100644 --- a/lib/ansible/cli/vault.py +++ b/lib/ansible/cli/vault.py @@ -93,7 +93,12 @@ class VaultCLI(CLI): # read vault_pass from a file self.vault_pass = CLI.read_vault_password_file(self.options.vault_password_file, loader) else: - self.vault_pass, _= self.ask_vault_passwords(ask_vault_pass=True, ask_new_vault_pass=False, confirm_new=False) + newpass = False + rekey = False + if self.options.new_vault_password_file: + newpass = self.action in ['create', 'rekey', 'encrypt'] + rekey = self.action == 'rekey' + self.vault_pass, self.new_vault_pass = self.ask_vault_passwords(ask_new_vault_pass=newpass, rekey=rekey) if self.options.new_vault_password_file: # for rekey only 
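Review bot: The test `if self.options.new_vault_password_file:` in the `VaultCLI` hunk looks inverted. `newpass` and `rekey` are only set when a new-password file was supplied, which is the case where the following `if self.options.new_vault_password_file:` block presumably loads the new password from that file anyway. Without the file, both flags stay `False`, so interactive `create` and `encrypt` would get a single unconfirmed "Vault password:" prompt and interactive `rekey` would come back with `new_vault_pass` as `None`. I would change the line to `if not self.options.new_vault_password_file:` and add a short comment such as `# prompt for the new password only when it is not read from a file`. The enclosing method starts and ends outside the hunk.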
@@ -149,12 +154,7 @@ class VaultCLI(CLI): if not (os.path.isfile(f)): raise AnsibleError(f + " does not exist") - if self.new_vault_pass: - new_password = self.new_vault_pass - else: - __, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True) - for f in self.args: - self.editor.rekey_file(f, new_password) + self.editor.rekey_file(f, self.new_vault_pass) self.display.display("Rekey successful", stderr=True)
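Review bot: `self.editor.rekey_file(f, self.new_vault_pass)` now runs with no check that a new password was actually obtained. The removed fallback prompt was the only place that asked for one when the current password came from `--vault-password-file`, because the earlier hunk calls `ask_vault_passwords` only in the `else` branch. With a vault password file and no new-password file, `self.new_vault_pass` keeps whatever value it was initialised with, which is not visible here. How `rekey_file` treats an unset password is also outside the diff, so I would guard before the loop with `if not self.new_vault_pass: raise AnsibleError("A new vault password is required to rekey")`. That keeps a rekey from silently proceeding with a missing key.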