From a9550b835e195db79a86d97d2e455672e8d121f1 Mon Sep 17 00:00:00 2001
From: Brian Coca <bcoca@users.noreply.github.com>
Date: Mon, 20 Jan 2025 15:19:38 -0500
Subject: [PATCH] fix incongruent ansible-vault cli options (#84494) (#84553)

prompt now only errors if stdin is specifically triggered and not due to lack of other args

fixes #84489
---------

Co-authored-by: Sloane Hertel <19572925+s-hertel@users.noreply.github.com>
(cherry picked from commit a046ef5a95b3011bff097c0c709680324ab27c2c)
---
 changelogs/fragments/vault_cli_fix.yml |  2 ++
 lib/ansible/cli/vault.py               |  5 +++--
 test/units/cli/test_vault.py           | 17 +++++++++++++++--
 3 files changed, 20 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/fragments/vault_cli_fix.yml

diff --git a/changelogs/fragments/vault_cli_fix.yml b/changelogs/fragments/vault_cli_fix.yml
new file mode 100644
index 00000000000..424204f4e50
--- /dev/null
+++ b/changelogs/fragments/vault_cli_fix.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-vault will now correctly handle `--prompt`, previously it would issue an error about stdin if no 2nd argument was passed
diff --git a/lib/ansible/cli/vault.py b/lib/ansible/cli/vault.py
index 86902a695fd..3800783a579 100755
--- a/lib/ansible/cli/vault.py
+++ b/lib/ansible/cli/vault.py
@@ -138,11 +138,12 @@ class VaultCLI(CLI):
             raise AnsibleOptionsError("At most one input file may be used with the --output option")
 
         if options.action == 'encrypt_string':
-            if '-' in options.args or not options.args or options.encrypt_string_stdin_name:
+            if '-' in options.args or options.encrypt_string_stdin_name or (not options.args and not options.encrypt_string_prompt):
+                # prompting from stdin and reading from stdin are mutually exclusive, if stdin is still provided, it is ignored
                 self.encrypt_string_read_stdin = True
 
-            # TODO: prompting from stdin and reading from stdin seem mutually exclusive, but verify that.
             if options.encrypt_string_prompt and self.encrypt_string_read_stdin:
+                # should only trigger if prompt + either - or encrypt string stdin name were provided
                 raise AnsibleOptionsError('The --prompt option is not supported if also reading input from stdin')
 
         return options
diff --git a/test/units/cli/test_vault.py b/test/units/cli/test_vault.py
index a049610f2f6..744b632c025 100644
--- a/test/units/cli/test_vault.py
+++ b/test/units/cli/test_vault.py
@@ -120,8 +120,21 @@ class TestVaultCli(unittest.TestCase):
         mock_setup_vault_secrets.return_value = [('default', TextVaultSecret('password'))]
         cli = VaultCLI(args=['ansible-vault',
                              'encrypt_string',
-                             '--prompt',
-                             'some string to encrypt'])
+                             '--prompt'])
+        cli.parse()
+        cli.run()
+        args, kwargs = mock_display.call_args
+        assert kwargs["private"]
+
+    @patch('ansible.cli.vault.VaultCLI.setup_vault_secrets')
+    @patch('ansible.cli.vault.VaultEditor')
+    @patch('ansible.cli.vault.display.prompt', return_value='a_prompt')
+    def test_shadowed_encrypt_string_prompt_plus(self, mock_display, mock_vault_editor, mock_setup_vault_secrets):
+        mock_setup_vault_secrets.return_value = [('default', TextVaultSecret('password'))]
+        cli = VaultCLI(args=['ansible-vault',
+                             'encrypt_string',
+                             'some string to encrypt',
+                             '--prompt'])
         cli.parse()
         cli.run()
         args, kwargs = mock_display.call_args