cli: ignore empty vault ids

An empty string is not really a useful use case here, because it will
resolve to the cwd and thus is never a valid vault file. Just silently
ignoring these makes it possible to reset the DEFAULT_VAULT_IDENTITY_LIST
option from a config file by setting the matching env var to an empty
value.
pull/82721/head
corubba 9 months ago
parent d30a1d2f34
commit 98eaa3d0fd

@ -1,3 +1,4 @@
--- ---
bugfixes: bugfixes:
- passing a directory as vault password file now raises a meaningful error (https://github.com/ansible/ansible/pull/xxxxx). - passing a directory as vault password file now raises a meaningful error (https://github.com/ansible/ansible/pull/xxxxx).
- empty vault ids are now silently ignored (https://github.com/ansible/ansible/pull/xxxxx).

@ -254,6 +254,10 @@ class CLI(ABC):
last_exception = found_vault_secret = None last_exception = found_vault_secret = None
for vault_id_slug in vault_ids: for vault_id_slug in vault_ids:
if not vault_id_slug:
# silently ignore empty values
continue
vault_id_name, vault_id_value = CLI.split_vault_id(vault_id_slug) vault_id_name, vault_id_value = CLI.split_vault_id(vault_id_slug)
if vault_id_value in ['prompt', 'prompt_ask_vault_pass']: if vault_id_value in ['prompt', 'prompt_ask_vault_pass']:
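Review bot: The new `if not vault_id_slug: continue` drops the entry without any trace, so an empty id that arrives by accident (for example an unset shell variable expanded into the vault id list) cannot be told apart from a deliberate reset. The run then continues with fewer secrets than the operator expected, and any failure surfaces later, far from the cause. A message at high verbosity keeps normal output quiet while leaving something to troubleshoot with, e.g. `display.vvvvv('Ignoring empty vault id')`, assuming the module-level `display` object is in scope here. The comment could also record the reason: `# an empty id would resolve to the cwd, never a valid vault file; skipping lets an empty env var reset the configured list`. The enclosing method starts and ends outside the hunk.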

@ -22,6 +22,7 @@ from unittest.mock import patch, MagicMock
from units.mock.loader import DictDataLoader from units.mock.loader import DictDataLoader
from ansible.errors import AnsibleError
from ansible.release import __version__ from ansible.release import __version__
from ansible.parsing import vault from ansible.parsing import vault
from ansible import cli from ansible import cli
@ -357,3 +358,20 @@ class TestCliSetupVaultSecrets(unittest.TestCase):
self.assertIsInstance(res, list) self.assertIsInstance(res, list)
match = vault.match_secrets(res, ['some_vault_id'])[0][1] match = vault.match_secrets(res, ['some_vault_id'])[0][1]
self.assertEqual(match.bytes, b'prompt1_password') self.assertEqual(match.bytes, b'prompt1_password')
def test_empty_id(self):
res = cli.CLI.setup_vault_secrets(loader=self.fake_loader,
vault_ids=[''])
self.assertIsInstance(res, list)
self.assertEqual(0, len(res))
@patch('ansible.cli.get_file_vault_secret')
def test_empty_file_part(self, mock_file_secret):
mock_file_secret.side_effect = AnsibleError('There is something wrong with your vault file')
self.assertRaisesRegex(AnsibleError,
'.*There is something wrong with your vault file.*',
cli.CLI.setup_vault_secrets,
loader=self.fake_loader,
vault_ids=['foo@'])
mock_file_secret.assert_called_once()
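Review bot: `test_empty_id` passes a list holding only a single empty string, so it would still pass if the skip were written as `break` or an early return instead of `continue`. A case where an empty entry precedes a real one would pin the intended behaviour, e.g. reuse the `get_file_vault_secret` patch from `test_empty_file_part` with `vault_ids=['', 'foo@']` and keep `mock_file_secret.assert_called_once()`. In `test_empty_file_part` the mock raises unconditionally, so the test shows the loader is reached but not what it was given. Asserting on `mock_file_secret.call_args` would tie the test to the empty file part its name refers to.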
