exhaust list of vault ids before failing (#75540)

* Try to find any valid vault id before raising an exception
* Apply the same logic during vault password file loading
* Also improve the warning message and tests
pull/76194/head
Sloane Hertel 3 years ago committed by GitHub
parent 47ee282227
commit 8bbecc7cac
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1,2 @@
bugfixes:
- vault - Warn instead of fail for missing vault IDs if at least one valid vault secret is found.

@ -202,6 +202,7 @@ class CLI(ABC):
create_new_password,
auto_prompt=auto_prompt)
last_exception = found_vault_secret = None
for vault_id_slug in vault_ids:
vault_id_name, vault_id_value = CLI.split_vault_id(vault_id_slug)
if vault_id_value in ['prompt', 'prompt_ask_vault_pass']:
@ -225,6 +226,7 @@ class CLI(ABC):
display.warning('Error in vault password prompt (%s): %s' % (vault_id_name, exc))
raise
found_vault_secret = True
vault_secrets.append((built_vault_id, prompted_vault_secret))
# update loader with new secrets incrementally, so we can load a vault password
@ -235,17 +237,23 @@ class CLI(ABC):
# assuming anything else is a password file
display.vvvvv('Reading vault password file: %s' % vault_id_value)
# read vault_pass from a file
try:
file_vault_secret = get_file_vault_secret(filename=vault_id_value,
vault_id=vault_id_name,
loader=loader)
except AnsibleError as exc:
display.warning('Error getting vault password file (%s): %s' % (vault_id_name, to_text(exc)))
last_exception = exc
continue
# an invalid password file will error globally
try:
file_vault_secret.load()
except AnsibleError as exc:
display.warning('Error in vault password file loading (%s): %s' % (vault_id_name, to_text(exc)))
raise
last_exception = exc
continue
found_vault_secret = True
if vault_id_name:
vault_secrets.append((vault_id_name, file_vault_secret))
else:
@ -254,6 +262,11 @@ class CLI(ABC):
# update loader with as-yet-known vault secrets
loader.set_vault_secrets(vault_secrets)
# An invalid or missing password file will error globally
# if no valid vault secret was found.
if last_exception and not found_vault_secret:
raise last_exception
return vault_secrets
@staticmethod
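Review bot: In the third hunk (`@ -235,17 +237,23`) the comment `# an invalid password file will error globally` above the `file_vault_secret.load()` try block is now stale: the except branch warns, stores `last_exception` and continues, and the failure only becomes fatal after the loop when no other secret loaded. Suggest replacing it with `# a bad password file is only a warning here; it becomes fatal below if no vault secret loads at all`. Both new except branches overwrite `last_exception`, so when every vault id fails the exception raised after the loop describes only the last id tried and earlier failures survive only as warnings; the comment at the `raise last_exception` site in the last hunk should say so, since an operator triaging a failed run will otherwise look for a single root cause. The enclosing setup_vault_secrets method starts before the first hunk of this section.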

@ -522,3 +522,28 @@ ansible-playbook -i ../../inventory -v "$@" --vault-password-file vault-password
ansible-playbook -v "$@" --vault-password-file vault-password test_dangling_temp.yml
ansible-playbook "$@" --vault-password-file vault-password single_vault_as_string.yml
# Test that only one accessible vault password is required
export ANSIBLE_VAULT_IDENTITY_LIST="id1@./nonexistent, id2@${MYTMPDIR}/unreadable, id3@./vault-password"
touch "${MYTMPDIR}/unreadable"
sudo chmod 000 "${MYTMPDIR}/unreadable"
ansible-vault encrypt_string content
ansible-vault encrypt_string content --encrypt-vault-id id3
set +e
# Try to use a missing vault password file
ansible-vault encrypt_string content --encrypt-vault-id id1 2>&1 | tee out.txt
test $? -ne 0
grep out.txt -e '[WARNING]: Error getting vault password file (id1)'
grep out.txt -e "ERROR! Did not find a match for --encrypt-vault-id=id2 in the known vault-ids ['id3']"
# Try to use an inaccessible vault password file
ansible-vault encrypt_string content --encrypt-vault-id id2 2>&1 | tee out.txt
test $? -ne 0
grep out.txt -e "[WARNING]: Error in vault password file loading (id2)"
grep out.txt -e "ERROR! Did not find a match for --encrypt-vault-id=id2 in the known vault-ids ['id3']"
set -e
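Review bot: The new checks between `set +e` and `set -e` cannot fail the script: with errexit disabled neither `test $? -ne 0` nor the `grep` calls abort on failure, and `$?` after `... | tee out.txt` is tee's exit status rather than ansible-vault's unless pipefail is enabled earlier in the file. This is probably why the first expected-error grep passes review while looking for `--encrypt-vault-id=id2` after an `--encrypt-vault-id id1` run, which appears to be a copy-paste from the id2 block and would fail once the assertions are enforced. `[WARNING]` in a default grep pattern is also a bracket expression matching one character, so these patterns should be matched literally with `grep -F`. Assuming the file runs under `set -e` (the re-enable on the last line suggests so), capturing the exit status with `|| rc=$?` keeps every check fatal and removes the need for the `set +e`/`set -e` pair.
```shell
# Try to use a missing vault password file
rc=0
ansible-vault encrypt_string content --encrypt-vault-id id1 > out.txt 2>&1 || rc=$?
cat out.txt
test "$rc" -ne 0
grep -F -e '[WARNING]: Error getting vault password file (id1)' out.txt
grep -F -e "ERROR! Did not find a match for --encrypt-vault-id=id1 in the known vault-ids ['id3']" out.txt

# Try to use an inaccessible vault password file
rc=0
ansible-vault encrypt_string content --encrypt-vault-id id2 > out.txt 2>&1 || rc=$?
cat out.txt
test "$rc" -ne 0
grep -F -e '[WARNING]: Error in vault password file loading (id2)' out.txt
grep -F -e "ERROR! Did not find a match for --encrypt-vault-id=id2 in the known vault-ids ['id3']" out.txt
```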
