From ae31634c236f2c6d5ff94b09ad8ce132c6f46dce Mon Sep 17 00:00:00 2001
From: Adrian Likins
Date: Thu, 9 Mar 2017 12:08:41 -0500
Subject: [PATCH] Make vault encrypt/create/etc confirm pass again.

Make the 'write' modes of vault confirm a new password before using, again. This was unintentionally disabled in 309f54b709d489114841530663642b7f3ad262ec previously. Fixes #22438
---
 lib/ansible/cli/vault.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/ansible/cli/vault.py b/lib/ansible/cli/vault.py
index 31579707c61..4326ff9c788 100644
--- a/lib/ansible/cli/vault.py
+++ b/lib/ansible/cli/vault.py
@@ -133,7 +133,12 @@ class VaultCLI(CLI):
 self.b_new_vault_pass = CLI.read_vault_password_file(self.options.new_vault_password_file, loader)
 if not self.b_vault_pass or self.options.ask_vault_pass:
- self.b_vault_pass = self.ask_vault_passwords()
+ # the 'read' options dont need to ask for password confirmation.
+ # 'edit' is read/write, but the decrypt will confirm.
+ if self.action in ['decrypt', 'edit', 'view', 'rekey']:
+ self.b_vault_pass = self.ask_vault_passwords()
+ else:
+ self.b_vault_pass = self.ask_new_vault_passwords()
 if not self.b_vault_pass:
 raise AnsibleOptionsError("A password is required to use Ansible's Vault")
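Review bot: The read/write split rests on an inline literal, `if self.action in ['decrypt', 'edit', 'view', 'rekey']:`, and the patch touches only one file, so no test pins the behaviour even though the commit message says the confirmation was already lost once by accident. I would hoist the list to a named class constant, e.g. `READ_ONLY_PROMPT_ACTIONS = ('decrypt', 'edit', 'view', 'rekey')`, and add the comment `# any action not listed here falls through to ask_new_vault_passwords(), so new actions confirm by default`. That fail-safe default is what keeps a file from being encrypted under a mistyped password, and a small unit test asserting which prompt each action reaches would guard it. `rekey` sits in the no-confirmation list, and the hunk does not show where its new password is prompted, so it is worth confirming that path still asks twice. The enclosing method starts and ends outside the hunk.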