ansible

Commit Graph

Author	SHA1	Message	Date
Matt Clay	82b5544b09	Improve code coverage of unit tests (#81119 ) - Remove unused code - Remove unnecessary code - Ignore coverage for unreachable code - Use previously unused code to increase coverage	1 year ago
Matt Clay	2cd1744be3	Use ansible.module_utils.common.text.converters (#80704 ) Replace use of old `ansible.module_utils._text` and add a unit test to maintain backwards compatibility.	1 year ago
Matt Clay	97104f1221	Avoid deprecated TestCase functions in unit tests. (#76678 ) * Avoid deprecated TestCase functions in unit tests. * Add assertRaisesRegex for Python 2.7. * Fix indentation.	3 years ago
Sloane Hertel	826f224f02	Handle vaulted non-ascii characters for Python2 (#58503 ) * Handle vaulted non-ascii characters for Python2 * Add a test to ensure str() no longer raises UnicodeEncodeError	5 years ago
Matt Clay	3033fd96b0	Move unit test compat code out of `lib/ansible/`. (#46996 ) * Move ansible.compat.tests to test/units/compat/. * Fix unit test references to ansible.compat.tests. * Move builtins compat to separate file. * Fix classification of test/units/compat/ dir.	6 years ago
Adrian Likins	1613a739ad	fix decrypted vault utf8 values (#37539 ) * Fix errors decrypted non-ascii vault vars AnsibleVaultEncryptedUnicode was just using b"".decode() instead of to_text() on the bytestrings returned from vault.decrypt() and could cause errors on python2 if non-ascii since decode() defaults to ascii. Use to_text() to default to decoding utf-8. add intg and unit tests for value of vaulted vars being non-ascii utf8 based on https://github.com/ansible/ansible/issues/37258 Fixes #37258 * yamllint fixups	6 years ago
Adrian Likins	934b645191	Support multiple vault passwords (#22756 ) Fixes #13243 Add --vault-id to name/identify multiple vault passwords Use --vault-id to indicate id and path/type --vault-id=prompt # prompt for default vault id password --vault-id=myorg@prompt # prompt for a vault_id named 'myorg' --vault-id=a_password_file # load ./a_password_file for default id --vault-id=myorg@a_password_file # load file for 'myorg' vault id vault_id's are created implicitly for existing --vault-password-file and --ask-vault-pass options. Vault ids are just for UX purposes and bookkeeping. Only the vault payload and the password bytestring is needed to decrypt a vault blob. Replace passing password around everywhere with a VaultSecrets object. If we specify a vault_id, mention that in password prompts Specifying multiple -vault-password-files will now try each until one works Rev vault format in a backwards compatible way The 1.2 vault format adds the vault_id to the header line of the vault text. This is backwards compatible with older versions of ansible. Old versions will just ignore it and treat it as the default (and only) vault id. Note: only 2.4+ supports multiple vault passwords, so while earlier ansible versions can read the vault-1.2 format, it does not make them magically support multiple vault passwords. use 1.1 format for 'default' vault_id Vaulted items that need to include a vault_id will be written in 1.2 format. If we set a new DEFAULT_VAULT_IDENTITY, then the default will use version 1.2 vault will only use a vault_id if one is specified. So if none is specified and C.DEFAULT_VAULT_IDENTITY is 'default' we use the old format. Changes/refactors needed to implement multiple vault passwords raise exceptions on decrypt fail, check vault id early split out parsing the vault plaintext envelope (with the sha/original plaintext) to _split_plaintext_envelope() some cli fixups for specifying multiple paths in the unfrack_paths optparse callback fix py3 dict.keys() 'dict_keys object is not indexable' error pluralize cli.options.vault_password_file -> vault_password_files pluralize cli.options.new_vault_password_file -> new_vault_password_files pluralize cli.options.vault_id -> cli.options.vault_ids Add a config option (vault_id_match) to force vault id matching. With 'vault_id_match=True' and an ansible vault that provides a vault_id, then decryption will require that a matching vault_id is required. (via --vault-id=my_vault_id@password_file, for ex). In other words, if the config option is true, then only the vault secrets with matching vault ids are candidates for decrypting a vault. If option is false (the default), then all of the provided vault secrets will be selected. If a user doesn't want all vault secrets to be tried to decrypt any vault content, they can enable this option. Note: The vault id used for the match is not encrypted or cryptographically signed. It is just a label/id/nickname used for referencing a specific vault secret.	7 years ago
Dag Wieers	4efec414e7	test/: PEP8 compliancy (#24803 ) * test/: PEP8 compliancy - Make PEP8 compliant * Python3 chokes on casting int to bytes (#24952) But if we tell the formatter that the var is a number, it works	7 years ago
Adrian Likins	c771ab34c7	Add a encode() to AnsibleVaultEncryptedUnicode (#19840 ) * Add a encode() to AnsibleVaultEncryptedUnicode Without it, calling encode() on it results in a bytestring of the encrypted !vault-encrypted string. ssh connection plugin triggers this if ansible_password is from a var using !vault-encrypted. That path ends up calling .encode() instead of using the __str__. Fixes #19795 * Fix str.encode() errors on py2.6 py2.6 str.encode() does not take keyword arguments.	8 years ago
Adrian Likins	e396d5d508	Implement vault encrypted yaml variables. (#16274 ) Make !vault-encrypted create a AnsibleVaultUnicode yaml object that can be used as a regular string object. This allows a playbook to include a encrypted vault blob for the value of a yaml variable. A 'secret_password' variable can have it's value encrypted instead of having to vault encrypt an entire vars file. Add __ENCRYPTED__ to the vault yaml types so template.Template can treat it similar to __UNSAFE__ flags. vault.VaultLib api changes: - Split VaultLib.encrypt to encrypt and encrypt_bytestring - VaultLib.encrypt() previously accepted the plaintext data as either a byte string or a unicode string. Doing the right thing based on the input type would fail on py3 if given a arg of type 'bytes'. To simplify the API, vaultlib.encrypt() now assumes input plaintext is a py2 unicode or py3 str. It will encode to utf-8 then call the new encrypt_bytestring(). The new methods are less ambiguous. - moved VaultLib.is_encrypted logic to vault module scope and split to is_encrypted() and is_encrypted_file(). Add a test/unit/mock/yaml_helper.py It has some helpers for testing parsing/yaml Integration tests added as roles test_vault and test_vault_embedded	8 years ago

10 Commits (11e261b54fc0a4801543c48bb6782f69376f9662)