diff --git a/changelogs/fragments/67492-fix-decrypting-str-types-for-plugins.yaml b/changelogs/fragments/67492-fix-decrypting-str-types-for-plugins.yaml new file mode 100644 index 00000000000..26c564ded5a --- /dev/null +++ b/changelogs/fragments/67492-fix-decrypting-str-types-for-plugins.yaml @@ -0,0 +1,2 @@ +bugfixes: + - plugins - Allow ensure_type to decrypt the value for string types (and implicit string types) when value is an inline vault. diff --git a/lib/ansible/config/manager.py b/lib/ansible/config/manager.py index 1731906b311..5310c7eb044 100644 --- a/lib/ansible/config/manager.py +++ b/lib/ansible/config/manager.py @@ -145,13 +145,13 @@ def ensure_type(value, value_type, origin=None): errmsg = 'pathlist' elif value_type in ('str', 'string'): - if isinstance(value, string_types): + if isinstance(value, (string_types, AnsibleVaultEncryptedUnicode)): value = unquote(to_text(value, errors='surrogate_or_strict')) else: errmsg = 'string' # defaults to string type - elif isinstance(value, string_types): + elif isinstance(value, (string_types, AnsibleVaultEncryptedUnicode)): value = unquote(to_text(value, errors='surrogate_or_strict')) if errmsg: diff --git a/test/units/config/test_manager.py b/test/units/config/test_manager.py index 0a0a71af97f..d103e5e6618 100644 --- a/test/units/config/test_manager.py +++ b/test/units/config/test_manager.py @@ -131,3 +131,15 @@ class TestConfigManager: actual_value, actual_origin = self.manager._loop_entries({'name': vault_var}, [{'name': 'name'}]) assert actual_value == "vault text" assert actual_origin == "name" + + @pytest.mark.parametrize("value_type", ("str", "string", None)) + def test_ensure_type_with_vaulted_str(self, value_type): + class MockVault: + def decrypt(self, value): + return value + + vault_var = AnsibleVaultEncryptedUnicode(b"vault text") + vault_var.vault = MockVault() + + actual_value = ensure_type(vault_var, value_type) + assert actual_value == "vault text"