Shadow input for encrypt_string by default unless asked (fixes #71618) (#73263)

* Shadow input for encrypt_string by default unless asked (fixes #71618)
4 years ago · 823c72bcb5
parent bc60d8ccda
commit 823c72bcb5
3 changed files with 28 additions and 2 deletions
--- a/changelogs/fragments/73263-shadow-encrypt-string.yml
+++ b/changelogs/fragments/73263-shadow-encrypt-string.yml
@ -0,0 +1,2 @@
+minor_changes:
+- "Shadow prompt input to ansible-vault encrypt-string unless the ``--show-input`` flag is set"
--- a/lib/ansible/cli/vault.py
+++ b/lib/ansible/cli/vault.py
@ -99,6 +99,8 @@ class VaultCLI(CLI):
        enc_str_parser.add_argument('-p', '--prompt', dest='encrypt_string_prompt',
                                    action='store_true',
                                    help="Prompt for the string to encrypt")
+        enc_str_parser.add_argument('--show-input', dest='show_string_input', default=False, action='store_true',
+                                    help='Do not hide input when prompted for the string to encrypt')
        enc_str_parser.add_argument('-n', '--name', dest='encrypt_string_names',
                                    action='append',
                                    help="Specify the variable name")
@ -300,8 +302,13 @@ class VaultCLI(CLI):

            # TODO: could prompt for which vault_id to use for each plaintext string
            #       currently, it will just be the default
-            # could use private=True for shadowed input if useful
-            prompt_response = display.prompt(msg)
+            hide_input = not context.CLIARGS['show_string_input']
+            if hide_input:
+                msg = "String to encrypt (hidden): "
+            else:
+                msg = "String to encrypt:"
+
+            prompt_response = display.prompt(msg, private=hide_input)

            if prompt_response == '':
                raise AnsibleOptionsError('The plaintext provided from the prompt was empty, not encrypting')
--- a/test/units/cli/test_vault.py
+++ b/test/units/cli/test_vault.py
@ -108,9 +108,26 @@ class TestVaultCli(unittest.TestCase):
        cli = VaultCLI(args=['ansible-vault',
                             'encrypt_string',
                             '--prompt',
+                             '--show-input',
                             'some string to encrypt'])
        cli.parse()
        cli.run()
+        args, kwargs = mock_display.call_args
+        assert kwargs["private"] is False
+
+    @patch('ansible.cli.vault.VaultCLI.setup_vault_secrets')
+    @patch('ansible.cli.vault.VaultEditor')
+    @patch('ansible.cli.vault.display.prompt', return_value='a_prompt')
+    def test_shadowed_encrypt_string_prompt(self, mock_display, mock_vault_editor, mock_setup_vault_secrets):
+        mock_setup_vault_secrets.return_value = [('default', TextVaultSecret('password'))]
+        cli = VaultCLI(args=['ansible-vault',
+                             'encrypt_string',
+                             '--prompt',
+                             'some string to encrypt'])
+        cli.parse()
+        cli.run()
+        args, kwargs = mock_display.call_args
+        assert kwargs["private"]

    @patch('ansible.cli.vault.VaultCLI.setup_vault_secrets')
    @patch('ansible.cli.vault.VaultEditor')