Add TTY check and argument to disable it (#50603) (#68260)

* Add TTY check and argument to disable it (#50603)

* Fix formatting

* add changelog

* rename flag and updated help description

* add tests for tty check

* replace deprecated uses of assertRaisesRegexp to assertRaisesRegex

* fix yaml syntax

* shorten line 79

* Revert "replace deprecated uses of assertRaisesRegexp to assertRaisesRegex"

This reverts commit cea5fe1655.

* change back to assertRaisesRegexp

changelogs/fragments/50603-tty-check.yaml

@@ -0,0 +1,4 @@
+---
+minor_changes:
+  - "ansible-vault create: Now raises an error when opening the editor without
+    tty. The flag --skip-tty-check restores previous behaviour."

lib/ansible/cli/vault.py

@@ -82,6 +82,8 @@ class VaultCLI(CLI):
         create_parser = subparsers.add_parser('create', help='Create new vault encrypted file', parents=[vault_id, common])
         create_parser.set_defaults(func=self.execute_create)
         create_parser.add_argument('args', help='Filename', metavar='file_name', nargs='*')
+        create_parser.add_argument('--skip-tty-check', default=False, help='allows editor to be opened when no tty attached',
+                                   dest='skip_tty_check', action='store_true')
 
         decrypt_parser = subparsers.add_parser('decrypt', help='Decrypt vault encrypted file', parents=[output, common])
         decrypt_parser.set_defaults(func=self.execute_decrypt)
@@ -447,8 +449,11 @@ class VaultCLI(CLI):
         if len(context.CLIARGS['args']) != 1:
             raise AnsibleOptionsError("ansible-vault create can take only one filename argument")
 
+        if sys.stdout.isatty() or context.CLIARGS['skip_tty_check']:
             self.editor.create_file(context.CLIARGS['args'][0], self.encrypt_secret,
                                     vault_id=self.encrypt_vault_id)
+        else:
+            raise AnsibleOptionsError("not a tty, editor cannot be opened")
 
     def execute_edit(self):
         ''' open and decrypt an existing vaulted file in an editor, that will be encrypted again when closed'''

test/units/cli/test_vault.py

@@ -171,7 +171,28 @@ class TestVaultCli(unittest.TestCase):
         mock_setup_vault_secrets.return_value = [('default', TextVaultSecret('password'))]
         cli = VaultCLI(args=['ansible-vault', 'create', '/dev/null/foo'])
         cli.parse()
+        self.assertRaisesRegexp(errors.AnsibleOptionsError,
+                                "not a tty, editor cannot be opened",
+                                cli.run)
+
+    @patch('ansible.cli.vault.VaultCLI.setup_vault_secrets')
+    @patch('ansible.cli.vault.VaultEditor')
+    def test_create_skip_tty_check(self, mock_vault_editor, mock_setup_vault_secrets):
+        mock_setup_vault_secrets.return_value = [('default', TextVaultSecret('password'))]
+        cli = VaultCLI(args=['ansible-vault', 'create', '--skip-tty-check', '/dev/null/foo'])
+        cli.parse()
+        cli.run()
+
+    @patch('ansible.cli.vault.VaultCLI.setup_vault_secrets')
+    @patch('ansible.cli.vault.VaultEditor')
+    def test_create_with_tty(self, mock_vault_editor, mock_setup_vault_secrets):
+        mock_setup_vault_secrets.return_value = [('default', TextVaultSecret('password'))]
+        self.tty_stdout_patcher = patch('ansible.cli.sys.stdout.isatty', return_value=True)
+        self.tty_stdout_patcher.start()
+        cli = VaultCLI(args=['ansible-vault', 'create', '/dev/null/foo'])
+        cli.parse()
         cli.run()
+        self.tty_stdout_patcher.stop()
 
     @patch('ansible.cli.vault.VaultCLI.setup_vault_secrets')
     @patch('ansible.cli.vault.VaultEditor')