From 98eaa3d0fdf22645d3cbb4c2f8c9bd738c57cace Mon Sep 17 00:00:00 2001 From: corubba Date: Wed, 21 Feb 2024 02:14:10 +0100 Subject: [PATCH] cli: ignore empty vault ids An empty string is not really a useful usecase here, because it will resolve to the cwd and thus never a valid vault file. Just silently ignoring these makes it possible to reset the DEFAULT_VAULT_IDENTITY_LIST option from a config file by setting the matching env var to an empty value. --- changelogs/fragments/xxxxx-vault-empty.yml | 1 + lib/ansible/cli/__init__.py | 4 ++++ test/units/cli/test_cli.py | 18 ++++++++++++++++++ 3 files changed, 23 insertions(+) diff --git a/changelogs/fragments/xxxxx-vault-empty.yml b/changelogs/fragments/xxxxx-vault-empty.yml index c43251284e8..e96fd115cf2 100644 --- a/changelogs/fragments/xxxxx-vault-empty.yml +++ b/changelogs/fragments/xxxxx-vault-empty.yml @@ -1,3 +1,4 @@ --- bugfixes: - passing a directory as vault password file now raises a meaningful error (https://github.com/ansible/ansible/pull/xxxxx). + - empty vault ids are now silently ignored (https://github.com/ansible/ansible/pull/xxxxx). diff --git a/lib/ansible/cli/__init__.py b/lib/ansible/cli/__init__.py index 64ab78fb0ab..d6b7a0e2877 100644 --- a/lib/ansible/cli/__init__.py +++ b/lib/ansible/cli/__init__.py @@ -254,6 +254,10 @@ class CLI(ABC): last_exception = found_vault_secret = None for vault_id_slug in vault_ids: + if not vault_id_slug: + # silently ignore empty values + continue + vault_id_name, vault_id_value = CLI.split_vault_id(vault_id_slug) if vault_id_value in ['prompt', 'prompt_ask_vault_pass']: diff --git a/test/units/cli/test_cli.py b/test/units/cli/test_cli.py index 510f5c351b2..7115159b21e 100644 --- a/test/units/cli/test_cli.py +++ b/test/units/cli/test_cli.py 
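Review bot: The skip added at the top of the `for vault_id_slug in vault_ids:` loop leaves no trace at all, so a vault id that is empty by mistake (for example an unset variable expanded into the option) is dropped and, as `test_empty_id` shows, the call can return an empty secrets list without any hint why. A message at high verbosity would keep the reset-by-empty-env-var case quiet while leaving something to find when decryption fails later, e.g. `display.vvvv('Ignoring empty vault id')` before the `continue`, assuming the module-level `display` object is in scope at this point. The comment should also give the reason from the commit message, e.g. `# an empty id would resolve to the cwd, never a vault file; skipping it lets an empty env var reset DEFAULT_VAULT_IDENTITY_LIST`. Note that `not vault_id_slug` does not catch whitespace-only values, which still reach `CLI.split_vault_id`. The enclosing method starts and ends outside the hunk.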
@@ -22,6 +22,7 @@ from unittest.mock import patch, MagicMock from units.mock.loader import DictDataLoader +from ansible.errors import AnsibleError from ansible.release import __version__ from ansible.parsing import vault from ansible import cli @@ -357,3 +358,20 @@ class TestCliSetupVaultSecrets(unittest.TestCase): self.assertIsInstance(res, list) match = vault.match_secrets(res, ['some_vault_id'])[0][1] self.assertEqual(match.bytes, b'prompt1_password') + + def test_empty_id(self): + res = cli.CLI.setup_vault_secrets(loader=self.fake_loader, + vault_ids=['']) + self.assertIsInstance(res, list) + self.assertEqual(0, len(res)) + + @patch('ansible.cli.get_file_vault_secret') + def test_empty_file_part(self, mock_file_secret): + mock_file_secret.side_effect = AnsibleError('There is something wrong with your vault file') + + self.assertRaisesRegex(AnsibleError, + '.*There is something wrong with your vault file.*', + cli.CLI.setup_vault_secrets, + loader=self.fake_loader, + vault_ids=['foo@']) + mock_file_secret.assert_called_once()
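Review bot: The new tests never mix an empty id with a usable one: `test_empty_id` passes only `['']`, so it would pass just the same if the loop stopped at the first empty value instead of skipping it. A case with an empty entry ahead of a valid one pins the `continue` behaviour and matches the use case in the commit message, where an empty value may sit next to real ids. In `test_empty_file_part`, `mock_file_secret.assert_called_once()` does not check what was passed, so the test does not show how `'foo@'` was split. The sketch below uses constructed sample values and the same mock target as the hunk.

```python
    # … unchanged: test_empty_id, test_empty_file_part …

    @patch('ansible.cli.get_file_vault_secret')
    def test_empty_id_is_skipped_not_fatal(self, mock_file_secret):
        # constructed sample id and password, mirroring the style of the existing tests
        mock_file_secret.return_value = MagicMock(bytes=b'file1_password',
                                                  vault_id='file1')

        res = cli.CLI.setup_vault_secrets(loader=self.fake_loader,
                                          vault_ids=['', 'file1@some_file'])

        self.assertIsInstance(res, list)
        match = vault.match_secrets(res, ['file1'])[0][1]
        self.assertEqual(match.bytes, b'file1_password')
        mock_file_secret.assert_called_once()
```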