Fix 'vault rekey' with vault secret env var

if ANSIBLE_VAULT_PASSWORD_FILE is set, 'ansible-vault rekey myvault.yml' will fail to prompt for the new vault password file, and will use None. Fix is to split out 'ask_vault_passwords' into 'ask_vault_passwords' and 'ask_new_vault_passwords' to make the logic simpler. And then make sure new_vault_pass is always set for 'rekey', and if not, then call ask_new_vault_passwords() to set it. ask_vault_passwords() would return values for vault_pass and new vault_pass, and vault cli previously would not prompt for new_vault_pass if there was a vault_pass set via a vault password file. Fixes #18247
2025-08-22 22:11:44 -07:00 · 2016-10-31 12:56:18 -04:00 · 2016-10-31 12:56:18 -04:00 · 309f54b709
commit 309f54b709
parent 557f46658c
5 changed files with 32 additions and 22 deletions
--- a/lib/ansible/cli/init.py
+++ b/lib/ansible/cli/init.py
@ -161,33 +161,37 @@ class CLI(with_metaclass(ABCMeta, object)):
                display.display(u"No config file found; using defaults")

    @staticmethod
-    def ask_vault_passwords(ask_new_vault_pass=False, rekey=False):
+    def ask_vault_passwords():
        ''' prompt for vault password and/or password change '''

        vault_pass = None
-        new_vault_pass = None
        try:
-            if rekey or not ask_new_vault_pass:
-                vault_pass = getpass.getpass(prompt="Vault password: ")
+            vault_pass = getpass.getpass(prompt="Vault password: ")

-            if ask_new_vault_pass:
-                new_vault_pass = getpass.getpass(prompt="New Vault password: ")
-                new_vault_pass2 = getpass.getpass(prompt="Confirm New Vault password: ")
-                if new_vault_pass != new_vault_pass2:
-                    raise AnsibleError("Passwords do not match")
        except EOFError:
            pass

        # enforce no newline chars at the end of passwords
        if vault_pass:
            vault_pass = to_bytes(vault_pass, errors='strict', nonstring='simplerepr').strip()
+
+        return vault_pass
+
+    @staticmethod
+    def ask_new_vault_passwords():
+        new_vault_pass = None
+        try:
+            new_vault_pass = getpass.getpass(prompt="New Vault password: ")
+            new_vault_pass2 = getpass.getpass(prompt="Confirm New Vault password: ")
+            if new_vault_pass != new_vault_pass2:
+                raise AnsibleError("Passwords do not match")
+        except EOFError:
+            pass
+
        if new_vault_pass:
            new_vault_pass = to_bytes(new_vault_pass, errors='strict', nonstring='simplerepr').strip()

-        if ask_new_vault_pass and not rekey:
-            vault_pass = new_vault_pass
-
-        return vault_pass, new_vault_pass
+        return new_vault_pass

    def ask_passwords(self):
        ''' prompt for connection and become passwords if needed '''