Vault secrets default vault ids list (#28190)

* Add config option for a default list of vault-ids This is the vault-id equilivent of ANSIBLE_DEFAULT_PASSWORD_FILE except ANSIBLE_DEFAULT_VAULT_IDENTITY_LIST is a list.
2025-04-30 14:21:26 -07:00 · 2017-08-15 11:56:17 -04:00 · 2017-08-15 11:56:17 -04:00 · 5739bb075f
commit 5739bb075f
parent 1b8fe94e5a
6 changed files with 59 additions and 4 deletions
--- a/test/units/cli/test_cli.py
+++ b/test/units/cli/test_cli.py
@ -121,7 +121,7 @@ class TestCliSetupVaultSecrets(unittest.TestCase):
        vault_id_names = ['prompt1', 'prompt2', 'prompt3', 'default']
        self._assert_ids(vault_id_names, res)

-    @patch('ansible.cli.C', name='MockConfig')
+    @patch('ansible.cli.C')
    @patch('ansible.cli.get_file_vault_secret')
    @patch('ansible.cli.PromptVaultSecret')
    def test_default_file_vault(self, mock_prompt_secret,
@ -146,6 +146,35 @@ class TestCliSetupVaultSecrets(unittest.TestCase):
        self.assertEqual(matches[0][1].bytes, b'file1_password')
        self.assertEqual(matches[1][1].bytes, b'prompt1_password')

+    @patch('ansible.cli.get_file_vault_secret')
+    @patch('ansible.cli.PromptVaultSecret')
+    def test_default_file_vault_identity_list(self, mock_prompt_secret,
+                                              mock_file_secret):
+        default_vault_ids = ['some_prompt@prompt',
+                             'some_file@/dev/null/secret']
+
+        mock_prompt_secret.return_value = MagicMock(bytes=b'some_prompt_password',
+                                                    vault_id='some_prompt')
+
+        filename = '/dev/null/secret'
+        mock_file_secret.return_value = MagicMock(bytes=b'some_file_password',
+                                                  vault_id='some_file',
+                                                  filename=filename)
+
+        vault_ids = default_vault_ids
+        res = cli.CLI.setup_vault_secrets(loader=self.fake_loader,
+                                          vault_ids=vault_ids,
+                                          create_new_password=False,
+                                          ask_vault_pass=True)
+
+        self.assertIsInstance(res, list)
+        matches = vault.match_secrets(res, ['some_file'])
+        # --vault-password-file/DEFAULT_VAULT_PASSWORD_FILE is higher precendce than prompts
+        # if the same vault-id ('default') regardless of cli order since it didn't matter in 2.3
+        self.assertEqual(matches[0][1].bytes, b'some_file_password')
+        matches = vault.match_secrets(res, ['some_prompt'])
+        self.assertEqual(matches[0][1].bytes, b'some_prompt_password')
+
    @patch('ansible.cli.PromptVaultSecret')
    def test_prompt_just_ask_vault_pass(self, mock_prompt_secret):
        mock_prompt_secret.return_value = MagicMock(bytes=b'prompt1_password',