mirror of
https://github.com/ansible-collections/community.general.git
synced 2025-05-02 23:31:25 -07:00
Fix 'New Vault password' on vault 'edit' (#35923)
* Fix 'New Vault password' on vault 'edit'
ffe0ddea96 introduce a
change on 'ansible-vault edit' that tried to check
for --encrypt-vault-id in that mode. But '--encrypt-vault-id'
is not intended for 'edit' since the 'edit' should always
reuse the vault secret that was used to decrypt the text.
Change cli to not check for --encrypt-vault-id on 'edit'.
VaultLib.decrypt_and_get_vault_id() was change to return
the vault secret used to decrypt (in addition to vault_id
and the plaintext).
VaultEditor.edit_file() will now use 'vault_secret_used'
as returned from decrypt_and_get_vault_id() so that
an edited file always gets reencrypted with the same
secret, regardless of any vault id configuration or
cli options.
Fixes #35834
This commit is contained in:
Adrian Likins
GitHub
parent
cbe2915ba5
commit
6e737c8cb6
4 changed files with 63 additions and 20 deletions
|
|
@ -26,6 +26,22 @@ echo "This is a test file for edit" > "${TEST_FILE_EDIT}"
|
|||
TEST_FILE_EDIT2="${MYTMPDIR}/test_file_edit2"
|
||||
echo "This is a test file for edit2" > "${TEST_FILE_EDIT2}"
|
||||
|
||||
# test case for https://github.com/ansible/ansible/issues/35834
|
||||
# (being prompted for new password on vault-edit with no configured passwords)
|
||||
|
||||
TEST_FILE_EDIT3="${MYTMPDIR}/test_file_edit3"
|
||||
echo "This is a test file for edit3" > "${TEST_FILE_EDIT3}"
|
||||
|
||||
# ansible-config view
|
||||
ansible-config view
|
||||
|
||||
# ansisle-config
|
||||
ansible-config dump --only-changed
|
||||
ansible-vault encrypt "$@" --vault-id vault-password "${TEST_FILE_EDIT3}"
|
||||
# EDITOR=./faux-editor.py ansible-vault edit "$@" "${TEST_FILE_EDIT3}"
|
||||
EDITOR=./faux-editor.py ansible-vault edit --vault-id vault-password -vvvvv "${TEST_FILE_EDIT3}"
|
||||
echo $?
|
||||
|
||||
# view the vault encrypted password file
|
||||
ansible-vault view "$@" --vault-id vault-password encrypted-vault-password
|
||||
|
||||
|
|
@ -336,11 +352,22 @@ EDITOR=./faux-editor.py ansible-vault edit "$@" --vault-password-file vault-pass
|
|||
head -1 "${TEST_FILE_EDIT}" | grep "${FORMAT_1_1_HEADER}"
|
||||
|
||||
# edit a 1.1 format with vault-id, should stay 1.1
|
||||
cat "${TEST_FILE_EDIT}"
|
||||
EDITOR=./faux-editor.py ansible-vault edit "$@" --vault-id vault_password@vault-password "${TEST_FILE_EDIT}"
|
||||
cat "${TEST_FILE_EDIT}"
|
||||
head -1 "${TEST_FILE_EDIT}" | grep "${FORMAT_1_1_HEADER}"
|
||||
|
||||
ansible-vault encrypt "$@" --vault-id vault_password@vault-password "${TEST_FILE_EDIT2}"
|
||||
|
||||
# verify that we aren't prompted for a new vault password on edit if we are running interactively (ie, with prompts)
|
||||
# have to use setsid nd --ask-vault-pass to force a prompt to simulate.
|
||||
# See https://github.com/ansible/ansible/issues/35834
|
||||
setsid sh -c 'tty; echo password |ansible-vault edit --ask-vault-pass vault_test.yml' < /dev/null > log 2>&1 && :
|
||||
grep 'New Vault password' log && :
|
||||
WRONG_RC=$?
|
||||
echo "The stdout log had 'New Vault password' in it and it is not supposed to. rc of grep was $WRONG_RC (1 is expected)"
|
||||
[ $WRONG_RC -eq 1 ]
|
||||
|
||||
# edit a 1.2 format with vault id, should keep vault id and 1.2 format
|
||||
EDITOR=./faux-editor.py ansible-vault edit "$@" --vault-id vault_password@vault-password "${TEST_FILE_EDIT2}"
|
||||
head -1 "${TEST_FILE_EDIT2}" | grep "${FORMAT_1_2_HEADER};vault_password"
|
||||
|
|
|
|||
|
|
@ -888,6 +888,26 @@ fe3db930508b65e0ff5947e4386b79af8ab094017629590ef6ba486814cf70f8e4ab0ed0c7d2587e
|
|||
# assert we throw an error
|
||||
self.v.decrypt(b_invalid_ciphertext)
|
||||
|
||||
def test_decrypt_and_get_vault_id(self):
|
||||
b_expected_plaintext = to_bytes('foo bar\n')
|
||||
vaulttext = '''$ANSIBLE_VAULT;1.2;AES256;ansible_devel
|
||||
65616435333934613466373335363332373764363365633035303466643439313864663837393234
|
||||
3330656363343637313962633731333237313636633534630a386264363438363362326132363239
|
||||
39363166646664346264383934393935653933316263333838386362633534326664646166663736
|
||||
6462303664383765650a356637643633366663643566353036303162386237336233393065393164
|
||||
6264'''
|
||||
|
||||
vault_secrets = self._vault_secrets_from_password('ansible_devel', 'ansible')
|
||||
v = vault.VaultLib(vault_secrets)
|
||||
|
||||
b_vaulttext = to_bytes(vaulttext)
|
||||
|
||||
b_plaintext, vault_id_used, vault_secret_used = v.decrypt_and_get_vault_id(b_vaulttext)
|
||||
|
||||
self.assertEqual(b_expected_plaintext, b_plaintext)
|
||||
self.assertEqual(vault_id_used, 'ansible_devel')
|
||||
self.assertEqual(vault_secret_used.text, 'ansible')
|
||||
|
||||
def test_decrypt_non_default_1_2(self):
|
||||
b_expected_plaintext = to_bytes('foo bar\n')
|
||||
vaulttext = '''$ANSIBLE_VAULT;1.2;AES256;ansible_devel
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue