mirror of https://github.com/ansible/ansible.git
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
609 lines
29 KiB
Bash
609 lines
29 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
set -euvx
|
|
source virtualenv.sh
|
|
|
|
|
|
MYTMPDIR=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
|
|
trap 'rm -rf "${MYTMPDIR}"' EXIT
|
|
|
|
# create a test file
|
|
TEST_FILE="${MYTMPDIR}/test_file"
|
|
echo "This is a test file" > "${TEST_FILE}"
|
|
|
|
TEST_FILE_1_2="${MYTMPDIR}/test_file_1_2"
|
|
echo "This is a test file for format 1.2" > "${TEST_FILE_1_2}"
|
|
|
|
TEST_FILE_ENC_PASSWORD="${MYTMPDIR}/test_file_enc_password"
|
|
echo "This is a test file for encrypted with a vault password that is itself vault encrypted" > "${TEST_FILE_ENC_PASSWORD}"
|
|
|
|
TEST_FILE_ENC_PASSWORD_DEFAULT="${MYTMPDIR}/test_file_enc_password_default"
|
|
echo "This is a test file for encrypted with a vault password that is itself vault encrypted using --encrypted-vault-id default" > "${TEST_FILE_ENC_PASSWORD_DEFAULT}"
|
|
|
|
TEST_FILE_OUTPUT="${MYTMPDIR}/test_file_output"
|
|
|
|
TEST_FILE_EDIT="${MYTMPDIR}/test_file_edit"
|
|
echo "This is a test file for edit" > "${TEST_FILE_EDIT}"
|
|
|
|
TEST_FILE_EDIT2="${MYTMPDIR}/test_file_edit2"
|
|
echo "This is a test file for edit2" > "${TEST_FILE_EDIT2}"
|
|
|
|
# test case for https://github.com/ansible/ansible/issues/35834
|
|
# (being prompted for new password on vault-edit with no configured passwords)
|
|
|
|
TEST_FILE_EDIT3="${MYTMPDIR}/test_file_edit3"
|
|
echo "This is a test file for edit3" > "${TEST_FILE_EDIT3}"
|
|
|
|
# ansible-config view
|
|
ansible-config view
|
|
|
|
# ansible-config
|
|
ansible-config dump --only-changed
|
|
ansible-vault encrypt "$@" --vault-id vault-password "${TEST_FILE_EDIT3}"
|
|
# EDITOR=./faux-editor.py ansible-vault edit "$@" "${TEST_FILE_EDIT3}"
|
|
EDITOR=./faux-editor.py ansible-vault edit --vault-id vault-password -vvvvv "${TEST_FILE_EDIT3}"
|
|
echo $?
|
|
|
|
# view the vault encrypted password file
|
|
ansible-vault view "$@" --vault-id vault-password encrypted-vault-password
|
|
|
|
# check if ansible-vault fails when destination is not writable
|
|
NOT_WRITABLE_DIR="${MYTMPDIR}/not_writable"
|
|
TEST_FILE_EDIT4="${NOT_WRITABLE_DIR}/testfile"
|
|
mkdir "${NOT_WRITABLE_DIR}"
|
|
touch "${TEST_FILE_EDIT4}"
|
|
chmod ugo-w "${NOT_WRITABLE_DIR}"
|
|
ansible-vault encrypt "$@" --vault-password-file vault-password "${TEST_FILE_EDIT4}" < /dev/null > log 2>&1 && :
|
|
grep "not writable" log && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
# encrypt with a password from a vault encrypted password file and multiple vault-ids
|
|
# should fail because we dont know which vault id to use to encrypt with
|
|
ansible-vault encrypt "$@" --vault-id vault-password --vault-id encrypted-vault-password "${TEST_FILE_ENC_PASSWORD}" && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (5 is expected)"
|
|
[ $WRONG_RC -eq 5 ]
|
|
|
|
# try to view the file encrypted with the vault-password we didnt specify
|
|
# to verify we didnt choose the wrong vault-id
|
|
ansible-vault view "$@" --vault-id vault-password encrypted-vault-password
|
|
|
|
FORMAT_1_1_HEADER="\$ANSIBLE_VAULT;1.1;AES256"
|
|
FORMAT_1_2_HEADER="\$ANSIBLE_VAULT;1.2;AES256"
|
|
|
|
|
|
VAULT_PASSWORD_FILE=vault-password
|
|
# new format, view, using password client script
|
|
ansible-vault view "$@" --vault-id vault-password@test-vault-client.py format_1_1_AES256.yml
|
|
|
|
# view, using password client script, unknown vault/keyname
|
|
ansible-vault view "$@" --vault-id some_unknown_vault_id@test-vault-client.py format_1_1_AES256.yml && :
|
|
|
|
# Use linux setsid to test without a tty. No setsid if osx/bsd though...
|
|
if [ -x "$(command -v setsid)" ]; then
|
|
# tests related to https://github.com/ansible/ansible/issues/30993
|
|
CMD='ansible-playbook -i ../../inventory -vvvvv --ask-vault-pass test_vault.yml'
|
|
setsid sh -c "echo test-vault-password|${CMD}" < /dev/null > log 2>&1 && :
|
|
WRONG_RC=$?
|
|
cat log
|
|
echo "rc was $WRONG_RC (0 is expected)"
|
|
[ $WRONG_RC -eq 0 ]
|
|
|
|
setsid sh -c 'tty; ansible-vault view --ask-vault-pass -vvvvv test_vault.yml' < /dev/null > log 2>&1 && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
cat log
|
|
|
|
setsid sh -c 'tty; echo passbhkjhword|ansible-playbook -i ../../inventory -vvvvv --ask-vault-pass test_vault.yml' < /dev/null > log 2>&1 && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
cat log
|
|
|
|
setsid sh -c 'tty; echo test-vault-password |ansible-playbook -i ../../inventory -vvvvv --ask-vault-pass test_vault.yml' < /dev/null > log 2>&1
|
|
echo $?
|
|
cat log
|
|
|
|
setsid sh -c 'tty; echo test-vault-password|ansible-playbook -i ../../inventory -vvvvv --ask-vault-pass test_vault.yml' < /dev/null > log 2>&1
|
|
echo $?
|
|
cat log
|
|
|
|
setsid sh -c 'tty; echo test-vault-password |ansible-playbook -i ../../inventory -vvvvv --ask-vault-pass test_vault.yml' < /dev/null > log 2>&1
|
|
echo $?
|
|
cat log
|
|
|
|
setsid sh -c 'tty; echo test-vault-password|ansible-vault view --ask-vault-pass -vvvvv vaulted.inventory' < /dev/null > log 2>&1
|
|
echo $?
|
|
cat log
|
|
|
|
# test using --ask-vault-password option
|
|
CMD='ansible-playbook -i ../../inventory -vvvvv --ask-vault-password test_vault.yml'
|
|
setsid sh -c "echo test-vault-password|${CMD}" < /dev/null > log 2>&1 && :
|
|
WRONG_RC=$?
|
|
cat log
|
|
echo "rc was $WRONG_RC (0 is expected)"
|
|
[ $WRONG_RC -eq 0 ]
|
|
fi
|
|
|
|
ansible-vault view "$@" --vault-password-file vault-password-wrong format_1_1_AES256.yml && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
set -eux
|
|
|
|
|
|
# new format, view
|
|
ansible-vault view "$@" --vault-password-file vault-password format_1_1_AES256.yml
|
|
|
|
# new format, view with vault-id
|
|
ansible-vault view "$@" --vault-id=vault-password format_1_1_AES256.yml
|
|
|
|
# new format, view, using password script
|
|
ansible-vault view "$@" --vault-password-file password-script.py format_1_1_AES256.yml
|
|
|
|
# new format, view, using password script with vault-id
|
|
ansible-vault view "$@" --vault-id password-script.py format_1_1_AES256.yml
|
|
|
|
# new 1.2 format, view
|
|
ansible-vault view "$@" --vault-password-file vault-password format_1_2_AES256.yml
|
|
|
|
# new 1.2 format, view with vault-id
|
|
ansible-vault view "$@" --vault-id=test_vault_id@vault-password format_1_2_AES256.yml
|
|
|
|
# new 1,2 format, view, using password script
|
|
ansible-vault view "$@" --vault-password-file password-script.py format_1_2_AES256.yml
|
|
|
|
# new 1.2 format, view, using password script with vault-id
|
|
ansible-vault view "$@" --vault-id password-script.py format_1_2_AES256.yml
|
|
|
|
# newish 1.1 format, view, using a vault-id list from config env var
|
|
ANSIBLE_VAULT_IDENTITY_LIST='wrong-password@vault-password-wrong,default@vault-password' ansible-vault view "$@" --vault-id password-script.py format_1_1_AES256.yml
|
|
|
|
# new 1.2 format, view, ENFORCE_IDENTITY_MATCH=true, should fail, no 'test_vault_id' vault_id
|
|
ANSIBLE_VAULT_ID_MATCH=1 ansible-vault view "$@" --vault-password-file vault-password format_1_2_AES256.yml && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
# new 1.2 format, view with vault-id, ENFORCE_IDENTITY_MATCH=true, should work, 'test_vault_id' is provided
|
|
ANSIBLE_VAULT_ID_MATCH=1 ansible-vault view "$@" --vault-id=test_vault_id@vault-password format_1_2_AES256.yml
|
|
|
|
# new 1,2 format, view, using password script, ENFORCE_IDENTITY_MATCH=true, should fail, no 'test_vault_id'
|
|
ANSIBLE_VAULT_ID_MATCH=1 ansible-vault view "$@" --vault-password-file password-script.py format_1_2_AES256.yml && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
|
|
# new 1.2 format, view, using password script with vault-id, ENFORCE_IDENTITY_MATCH=true, should fail
|
|
ANSIBLE_VAULT_ID_MATCH=1 ansible-vault view "$@" --vault-id password-script.py format_1_2_AES256.yml && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
# new 1.2 format, view, using password script with vault-id, ENFORCE_IDENTITY_MATCH=true, 'test_vault_id' provided should work
|
|
ANSIBLE_VAULT_ID_MATCH=1 ansible-vault view "$@" --vault-id=test_vault_id@password-script.py format_1_2_AES256.yml
|
|
|
|
# test with a default vault password set via config/env, right password
|
|
ANSIBLE_VAULT_PASSWORD_FILE=vault-password ansible-vault view "$@" format_1_1_AES256.yml
|
|
|
|
# test with a default vault password set via config/env, wrong password
|
|
ANSIBLE_VAULT_PASSWORD_FILE=vault-password-wrong ansible-vault view "$@" format_1_1_AES.yml && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
# test with a default vault-id list set via config/env, right password
|
|
ANSIBLE_VAULT_PASSWORD_FILE=wrong@vault-password-wrong,correct@vault-password ansible-vault view "$@" format_1_1_AES.yml && :
|
|
|
|
# test with a default vault-id list set via config/env,wrong passwords
|
|
ANSIBLE_VAULT_PASSWORD_FILE=wrong@vault-password-wrong,alsowrong@vault-password-wrong ansible-vault view "$@" format_1_1_AES.yml && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
# try specifying a --encrypt-vault-id that doesnt exist, should exit with an error indicating
|
|
# that --encrypt-vault-id and the known vault-ids
|
|
ansible-vault encrypt "$@" --vault-password-file vault-password --encrypt-vault-id doesnt_exist "${TEST_FILE}" && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
# encrypt it
|
|
ansible-vault encrypt "$@" --vault-password-file vault-password "${TEST_FILE}"
|
|
|
|
ansible-vault view "$@" --vault-password-file vault-password "${TEST_FILE}"
|
|
|
|
# view with multiple vault-password files, including a wrong one
|
|
ansible-vault view "$@" --vault-password-file vault-password --vault-password-file vault-password-wrong "${TEST_FILE}"
|
|
|
|
# view with multiple vault-password files, including a wrong one, using vault-id
|
|
ansible-vault view "$@" --vault-id vault-password --vault-id vault-password-wrong "${TEST_FILE}"
|
|
|
|
# And with the password files specified in a different order
|
|
ansible-vault view "$@" --vault-password-file vault-password-wrong --vault-password-file vault-password "${TEST_FILE}"
|
|
|
|
# And with the password files specified in a different order, using vault-id
|
|
ansible-vault view "$@" --vault-id vault-password-wrong --vault-id vault-password "${TEST_FILE}"
|
|
|
|
# And with the password files specified in a different order, using --vault-id and non default vault_ids
|
|
ansible-vault view "$@" --vault-id test_vault_id@vault-password-wrong --vault-id test_vault_id@vault-password "${TEST_FILE}"
|
|
|
|
ansible-vault decrypt "$@" --vault-password-file vault-password "${TEST_FILE}"
|
|
|
|
# encrypt it, using a vault_id so we write a 1.2 format file
|
|
ansible-vault encrypt "$@" --vault-id test_vault_1_2@vault-password "${TEST_FILE_1_2}"
|
|
|
|
ansible-vault view "$@" --vault-id vault-password "${TEST_FILE_1_2}"
|
|
ansible-vault view "$@" --vault-id test_vault_1_2@vault-password "${TEST_FILE_1_2}"
|
|
|
|
# view with multiple vault-password files, including a wrong one
|
|
ansible-vault view "$@" --vault-id vault-password --vault-id wrong_password@vault-password-wrong "${TEST_FILE_1_2}"
|
|
|
|
# And with the password files specified in a different order, using vault-id
|
|
ansible-vault view "$@" --vault-id vault-password-wrong --vault-id vault-password "${TEST_FILE_1_2}"
|
|
|
|
# And with the password files specified in a different order, using --vault-id and non default vault_ids
|
|
ansible-vault view "$@" --vault-id test_vault_id@vault-password-wrong --vault-id test_vault_id@vault-password "${TEST_FILE_1_2}"
|
|
|
|
ansible-vault decrypt "$@" --vault-id test_vault_1_2@vault-password "${TEST_FILE_1_2}"
|
|
|
|
# multiple vault passwords
|
|
ansible-vault view "$@" --vault-password-file vault-password --vault-password-file vault-password-wrong format_1_1_AES256.yml
|
|
|
|
# multiple vault passwords, --vault-id
|
|
ansible-vault view "$@" --vault-id test_vault_id@vault-password --vault-id test_vault_id@vault-password-wrong format_1_1_AES256.yml
|
|
|
|
# encrypt it, with password from password script
|
|
ansible-vault encrypt "$@" --vault-password-file password-script.py "${TEST_FILE}"
|
|
|
|
ansible-vault view "$@" --vault-password-file password-script.py "${TEST_FILE}"
|
|
|
|
ansible-vault decrypt "$@" --vault-password-file password-script.py "${TEST_FILE}"
|
|
|
|
# encrypt it, with password from password script
|
|
ansible-vault encrypt "$@" --vault-id test_vault_id@password-script.py "${TEST_FILE}"
|
|
|
|
ansible-vault view "$@" --vault-id test_vault_id@password-script.py "${TEST_FILE}"
|
|
|
|
ansible-vault decrypt "$@" --vault-id test_vault_id@password-script.py "${TEST_FILE}"
|
|
|
|
# new password file for rekeyed file
|
|
NEW_VAULT_PASSWORD="${MYTMPDIR}/new-vault-password"
|
|
echo "newpassword" > "${NEW_VAULT_PASSWORD}"
|
|
|
|
ansible-vault encrypt "$@" --vault-password-file vault-password "${TEST_FILE}"
|
|
|
|
ansible-vault rekey "$@" --vault-password-file vault-password --new-vault-password-file "${NEW_VAULT_PASSWORD}" "${TEST_FILE}"
|
|
|
|
# --new-vault-password-file and --new-vault-id should cause options error
|
|
ansible-vault rekey "$@" --vault-password-file vault-password --new-vault-id=foobar --new-vault-password-file "${NEW_VAULT_PASSWORD}" "${TEST_FILE}" && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (2 is expected)"
|
|
[ $WRONG_RC -eq 2 ]
|
|
|
|
ansible-vault view "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" "${TEST_FILE}"
|
|
|
|
# view file with unicode in filename
|
|
ansible-vault view "$@" --vault-password-file vault-password vault-café.yml
|
|
|
|
# view with old password file and new password file
|
|
ansible-vault view "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" --vault-password-file vault-password "${TEST_FILE}"
|
|
|
|
# view with old password file and new password file, different order
|
|
ansible-vault view "$@" --vault-password-file vault-password --vault-password-file "${NEW_VAULT_PASSWORD}" "${TEST_FILE}"
|
|
|
|
# view with old password file and new password file and another wrong
|
|
ansible-vault view "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" --vault-password-file vault-password-wrong --vault-password-file vault-password "${TEST_FILE}"
|
|
|
|
# view with old password file and new password file and another wrong, using --vault-id
|
|
ansible-vault view "$@" --vault-id "tmp_new_password@${NEW_VAULT_PASSWORD}" --vault-id wrong_password@vault-password-wrong --vault-id myorg@vault-password "${TEST_FILE}"
|
|
|
|
ansible-vault decrypt "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" "${TEST_FILE}"
|
|
|
|
# reading/writing to/from stdin/stdin (See https://github.com/ansible/ansible/issues/23567)
|
|
ansible-vault encrypt "$@" --vault-password-file "${VAULT_PASSWORD_FILE}" --output="${TEST_FILE_OUTPUT}" < "${TEST_FILE}"
|
|
OUTPUT=$(ansible-vault decrypt "$@" --vault-password-file "${VAULT_PASSWORD_FILE}" --output=- < "${TEST_FILE_OUTPUT}")
|
|
echo "${OUTPUT}" | grep 'This is a test file'
|
|
|
|
OUTPUT_DASH=$(ansible-vault decrypt "$@" --vault-password-file "${VAULT_PASSWORD_FILE}" --output=- "${TEST_FILE_OUTPUT}")
|
|
echo "${OUTPUT_DASH}" | grep 'This is a test file'
|
|
|
|
OUTPUT_DASH_SPACE=$(ansible-vault decrypt "$@" --vault-password-file "${VAULT_PASSWORD_FILE}" --output - "${TEST_FILE_OUTPUT}")
|
|
echo "${OUTPUT_DASH_SPACE}" | grep 'This is a test file'
|
|
|
|
|
|
# test using an empty vault password file
|
|
ansible-vault view "$@" --vault-password-file empty-password format_1_1_AES256.yml && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
ansible-vault view "$@" --vault-id=empty@empty-password --vault-password-file empty-password format_1_1_AES256.yml && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
echo 'foo' > some_file.txt
|
|
ansible-vault encrypt "$@" --vault-password-file empty-password some_file.txt && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
|
|
ansible-vault encrypt_string "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" "a test string"
|
|
|
|
# Test with multiple vault password files
|
|
# https://github.com/ansible/ansible/issues/57172
|
|
env ANSIBLE_VAULT_PASSWORD_FILE=vault-password ansible-vault encrypt_string "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" --encrypt-vault-id default "a test string"
|
|
|
|
ansible-vault encrypt_string "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" --name "blippy" "a test string names blippy"
|
|
|
|
ansible-vault encrypt_string "$@" --vault-id "${NEW_VAULT_PASSWORD}" "a test string"
|
|
|
|
ansible-vault encrypt_string "$@" --vault-id "${NEW_VAULT_PASSWORD}" --name "blippy" "a test string names blippy"
|
|
|
|
|
|
# from stdin
|
|
ansible-vault encrypt_string "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" < "${TEST_FILE}"
|
|
|
|
ansible-vault encrypt_string "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" --stdin-name "the_var_from_stdin" < "${TEST_FILE}"
|
|
|
|
# write to file
|
|
ansible-vault encrypt_string "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" --name "blippy" "a test string names blippy" --output "${MYTMPDIR}/enc_string_test_file"
|
|
|
|
[ -f "${MYTMPDIR}/enc_string_test_file" ];
|
|
|
|
# test ansible-vault edit with a faux editor
|
|
ansible-vault encrypt "$@" --vault-password-file vault-password "${TEST_FILE_EDIT}"
|
|
|
|
# edit a 1.1 format with no vault-id, should stay 1.1
|
|
EDITOR=./faux-editor.py ansible-vault edit "$@" --vault-password-file vault-password "${TEST_FILE_EDIT}"
|
|
head -1 "${TEST_FILE_EDIT}" | grep "${FORMAT_1_1_HEADER}"
|
|
|
|
# edit a 1.1 format with vault-id, should stay 1.1
|
|
cat "${TEST_FILE_EDIT}"
|
|
EDITOR=./faux-editor.py ansible-vault edit "$@" --vault-id vault_password@vault-password "${TEST_FILE_EDIT}"
|
|
cat "${TEST_FILE_EDIT}"
|
|
head -1 "${TEST_FILE_EDIT}" | grep "${FORMAT_1_1_HEADER}"
|
|
|
|
ansible-vault encrypt "$@" --vault-id vault_password@vault-password "${TEST_FILE_EDIT2}"
|
|
|
|
# verify that we aren't prompted for a new vault password on edit if we are running interactively (ie, with prompts)
|
|
# have to use setsid nd --ask-vault-pass to force a prompt to simulate.
|
|
# See https://github.com/ansible/ansible/issues/35834
|
|
setsid sh -c 'tty; echo password |ansible-vault edit --ask-vault-pass vault_test.yml' < /dev/null > log 2>&1 && :
|
|
grep 'New Vault password' log && :
|
|
WRONG_RC=$?
|
|
echo "The stdout log had 'New Vault password' in it and it is not supposed to. rc of grep was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
# edit a 1.2 format with vault id, should keep vault id and 1.2 format
|
|
EDITOR=./faux-editor.py ansible-vault edit "$@" --vault-id vault_password@vault-password "${TEST_FILE_EDIT2}"
|
|
head -1 "${TEST_FILE_EDIT2}" | grep "${FORMAT_1_2_HEADER};vault_password"
|
|
|
|
# edit a 1.2 file with no vault-id, should keep vault id and 1.2 format
|
|
EDITOR=./faux-editor.py ansible-vault edit "$@" --vault-password-file vault-password "${TEST_FILE_EDIT2}"
|
|
head -1 "${TEST_FILE_EDIT2}" | grep "${FORMAT_1_2_HEADER};vault_password"
|
|
|
|
# encrypt with a password from a vault encrypted password file and multiple vault-ids
|
|
# should fail because we dont know which vault id to use to encrypt with
|
|
ansible-vault encrypt "$@" --vault-id vault-password --vault-id encrypted-vault-password "${TEST_FILE_ENC_PASSWORD}" && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (5 is expected)"
|
|
[ $WRONG_RC -eq 5 ]
|
|
|
|
|
|
# encrypt with a password from a vault encrypted password file and multiple vault-ids
|
|
# but this time specify with --encrypt-vault-id, but specifying vault-id names (instead of default)
|
|
# ansible-vault encrypt "$@" --vault-id from_vault_password@vault-password --vault-id from_encrypted_vault_password@encrypted-vault-password --encrypt-vault-id from_encrypted_vault_password "${TEST_FILE(_ENC_PASSWORD}"
|
|
|
|
# try to view the file encrypted with the vault-password we didnt specify
|
|
# to verify we didnt choose the wrong vault-id
|
|
# ansible-vault view "$@" --vault-id vault-password "${TEST_FILE_ENC_PASSWORD}" && :
|
|
# WRONG_RC=$?
|
|
# echo "rc was $WRONG_RC (1 is expected)"
|
|
# [ $WRONG_RC -eq 1 ]
|
|
|
|
ansible-vault encrypt "$@" --vault-id vault-password "${TEST_FILE_ENC_PASSWORD}"
|
|
|
|
# view the file encrypted with a password from a vault encrypted password file
|
|
ansible-vault view "$@" --vault-id vault-password --vault-id encrypted-vault-password "${TEST_FILE_ENC_PASSWORD}"
|
|
|
|
# try to view the file encrypted with a password from a vault encrypted password file but without the password to the password file.
|
|
# This should fail with an
|
|
ansible-vault view "$@" --vault-id encrypted-vault-password "${TEST_FILE_ENC_PASSWORD}" && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
|
|
# test playbooks using vaulted files
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-password-file vault-password --list-tasks
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-password-file vault-password --list-hosts
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-password-file vault-password --syntax-check
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-password-file vault-password
|
|
ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password --syntax-check
|
|
ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password
|
|
ansible-playbook test_vaulted_inventory.yml -i vaulted.inventory -v "$@" --vault-password-file vault-password
|
|
ansible-playbook test_vaulted_template.yml -i ../../inventory -v "$@" --vault-password-file vault-password
|
|
|
|
# test using --vault-pass-file option
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-pass-file vault-password
|
|
|
|
# install TOML for parse toml inventory
|
|
# test playbooks using vaulted files(toml)
|
|
pip install toml
|
|
ansible-vault encrypt ./inventory.toml -v "$@" --vault-password-file=./vault-password
|
|
ansible-playbook test_vaulted_inventory_toml.yml -i ./inventory.toml -v "$@" --vault-password-file vault-password
|
|
ansible-vault decrypt ./inventory.toml -v "$@" --vault-password-file=./vault-password
|
|
|
|
# test a playbook with a host_var whose value is non-ascii utf8 (see https://github.com/ansible/ansible/issues/37258)
|
|
ansible-playbook -i ../../inventory -v "$@" --vault-id vault-password test_vaulted_utf8_value.yml
|
|
|
|
# test with password from password script
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-password-file password-script.py
|
|
ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file password-script.py
|
|
|
|
# with multiple password files
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-password-file vault-password --vault-password-file vault-password-wrong
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-password-file vault-password-wrong --vault-password-file vault-password
|
|
|
|
ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password --vault-password-file vault-password-wrong --syntax-check
|
|
ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password-wrong --vault-password-file vault-password
|
|
|
|
# test with a default vault password file set in config
|
|
ANSIBLE_VAULT_PASSWORD_FILE=vault-password ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password-wrong
|
|
|
|
# test using vault_identity_list config
|
|
ANSIBLE_VAULT_IDENTITY_LIST='wrong-password@vault-password-wrong,default@vault-password' ansible-playbook test_vault.yml -i ../../inventory -v "$@"
|
|
|
|
# test that we can have a vault encrypted yaml file that includes embedded vault vars
|
|
# that were encrypted with a different vault secret
|
|
ansible-playbook test_vault_file_encrypted_embedded.yml -i ../../inventory "$@" --vault-id encrypted_file_encrypted_var_password --vault-id vault-password
|
|
|
|
# with multiple password files, --vault-id, ordering
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-id vault-password --vault-id vault-password-wrong
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-id vault-password-wrong --vault-id vault-password
|
|
|
|
ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-id vault-password --vault-id vault-password-wrong --syntax-check
|
|
ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-id vault-password-wrong --vault-id vault-password
|
|
|
|
# test with multiple password files, including a script, and a wrong password
|
|
ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password-wrong --vault-password-file password-script.py --vault-password-file vault-password
|
|
|
|
# test with multiple password files, including a script, and a wrong password, and a mix of --vault-id and --vault-password-file
|
|
ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password-wrong --vault-id password-script.py --vault-id vault-password
|
|
|
|
# test with multiple password files, including a script, and a wrong password, and a mix of --vault-id and --vault-password-file
|
|
ansible-playbook test_vault_embedded_ids.yml -i ../../inventory -v "$@" \
|
|
--vault-password-file vault-password-wrong \
|
|
--vault-id password-script.py --vault-id example1@example1_password \
|
|
--vault-id example2@example2_password --vault-password-file example3_password \
|
|
--vault-id vault-password
|
|
|
|
# with wrong password
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-password-file vault-password-wrong && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
# with multiple wrong passwords
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-password-file vault-password-wrong --vault-password-file vault-password-wrong && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
# with wrong password, --vault-id
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-id vault-password-wrong && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
# with multiple wrong passwords with --vault-id
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-id vault-password-wrong --vault-id vault-password-wrong && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
# with multiple wrong passwords with --vault-id
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-id wrong1@vault-password-wrong --vault-id wrong2@vault-password-wrong && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
# with empty password file
|
|
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-id empty@empty-password && :
|
|
WRONG_RC=$?
|
|
echo "rc was $WRONG_RC (1 is expected)"
|
|
[ $WRONG_RC -eq 1 ]
|
|
|
|
# test invalid format ala https://github.com/ansible/ansible/issues/28038
|
|
EXPECTED_ERROR='Vault format unhexlify error: Non-hexadecimal digit found'
|
|
ansible-playbook "$@" -i invalid_format/inventory --vault-id invalid_format/vault-secret invalid_format/broken-host-vars-tasks.yml 2>&1 | grep "${EXPECTED_ERROR}"
|
|
|
|
EXPECTED_ERROR='Vault format unhexlify error: Odd-length string'
|
|
ansible-playbook "$@" -i invalid_format/inventory --vault-id invalid_format/vault-secret invalid_format/broken-group-vars-tasks.yml 2>&1 | grep "${EXPECTED_ERROR}"
|
|
|
|
# Run playbook with vault file with unicode in filename (https://github.com/ansible/ansible/issues/50316)
|
|
ansible-playbook -i ../../inventory -v "$@" --vault-password-file vault-password test_utf8_value_in_filename.yml
|
|
|
|
# Ensure we don't leave unencrypted temp files dangling
|
|
ansible-playbook -v "$@" --vault-password-file vault-password test_dangling_temp.yml
|
|
|
|
ansible-playbook "$@" --vault-password-file vault-password single_vault_as_string.yml
|
|
|
|
# Test that only one accessible vault password is required
|
|
export ANSIBLE_VAULT_IDENTITY_LIST="id1@./nonexistent, id2@${MYTMPDIR}/unreadable, id3@./vault-password"
|
|
|
|
touch "${MYTMPDIR}/unreadable"
|
|
sudo chmod 000 "${MYTMPDIR}/unreadable"
|
|
|
|
ansible-vault encrypt_string content
|
|
ansible-vault encrypt_string content --encrypt-vault-id id3
|
|
|
|
set +e
|
|
|
|
# Try to use a missing vault password file
|
|
ansible-vault encrypt_string content --encrypt-vault-id id1 2>&1 | tee out.txt
|
|
test $? -ne 0
|
|
grep out.txt -e '[WARNING]: Error getting vault password file (id1)'
|
|
grep out.txt -e "ERROR! Did not find a match for --encrypt-vault-id=id2 in the known vault-ids ['id3']"
|
|
|
|
# Try to use an inaccessible vault password file
|
|
ansible-vault encrypt_string content --encrypt-vault-id id2 2>&1 | tee out.txt
|
|
test $? -ne 0
|
|
grep out.txt -e "[WARNING]: Error in vault password file loading (id2)"
|
|
grep out.txt -e "ERROR! Did not find a match for --encrypt-vault-id=id2 in the known vault-ids ['id3']"
|
|
|
|
set -e
|
|
unset ANSIBLE_VAULT_IDENTITY_LIST
|
|
|
|
# 'real script'
|
|
ansible-playbook realpath.yml "$@" --vault-password-file script/vault-secret.sh
|
|
|
|
# using symlink
|
|
ansible-playbook symlink.yml "$@" --vault-password-file symlink/get-password-symlink
|
|
|
|
### NEGATIVE TESTS
|
|
|
|
ER='Attempting to decrypt'
|
|
#### no secrets
|
|
# 'real script'
|
|
ansible-playbook realpath.yml "$@" 2>&1 |grep "${ER}"
|
|
|
|
# using symlink
|
|
ansible-playbook symlink.yml "$@" 2>&1 |grep "${ER}"
|
|
|
|
ER='Decryption failed'
|
|
### wrong secrets
|
|
# 'real script'
|
|
ansible-playbook realpath.yml "$@" --vault-password-file symlink/get-password-symlink 2>&1 |grep "${ER}"
|
|
|
|
# using symlink
|
|
ansible-playbook symlink.yml "$@" --vault-password-file script/vault-secret.sh 2>&1 |grep "${ER}"
|
|
|
|
### SALT TESTING ###
|
|
# prep files for encryption
|
|
for salted in test1 test2 test3
|
|
do
|
|
echo 'this is salty' > "salted_${salted}"
|
|
done
|
|
|
|
# encrypt files
|
|
ANSIBLE_VAULT_ENCRYPT_SALT=salty ansible-vault encrypt salted_test1 --vault-password-file example1_password "$@"
|
|
ANSIBLE_VAULT_ENCRYPT_SALT=salty ansible-vault encrypt salted_test2 --vault-password-file example1_password "$@"
|
|
ansible-vault encrypt salted_test3 --vault-password-file example1_password "$@"
|
|
|
|
# should be the same
|
|
out=$(diff salted_test1 salted_test2)
|
|
[ "${out}" == "" ]
|
|
|
|
# should be diff
|
|
out=$(diff salted_test1 salted_test3 || true)
|
|
[ "${out}" != "" ]
|