let user control "auto-de-vault" (#22739)

* added option to toggle off autodevaulting * fixes per feedbazck
2025-04-23 19:01:26 -07:00 · 2017-03-24 15:39:25 -04:00 · 2017-03-24 15:39:25 -04:00 · 7b197d823e
commit 7b197d823e
parent 29f623571e
10 changed files with 73 additions and 26 deletions
--- a/lib/ansible/parsing/dataloader.py
+++ b/lib/ansible/parsing/dataloader.py
@ -372,7 +372,7 @@ class DataLoader:
            f.close()
        return content_tempfile

-    def get_real_file(self, file_path):
+    def get_real_file(self, file_path, decrypt=True):
        """
        If the file is vault encrypted return a path to a temporary decrypted file
        If the file is not encrypted then the path is returned
@ -392,22 +392,23 @@ class DataLoader:
        real_path = self.path_dwim(file_path)

        try:
-            with open(to_bytes(real_path), 'rb') as f:
-                # Limit how much of the file is read since we do not know
-                # whether this is a vault file and therefore it could be very
-                # large.
-                if is_encrypted_file(f, count=len(b_HEADER)):
-                    # if the file is encrypted and no password was specified,
-                    # the decrypt call would throw an error, but we check first
-                    # since the decrypt function doesn't know the file name
-                    data = f.read()
-                    if not self._b_vault_password:
-                        raise AnsibleParserError("A vault password must be specified to decrypt %s" % file_path)
+            if decrypt:
+                with open(to_bytes(real_path), 'rb') as f:
+                    # Limit how much of the file is read since we do not know
+                    # whether this is a vault file and therefore it could be very
+                    # large.
+                    if is_encrypted_file(f, count=len(b_HEADER)):
+                        # if the file is encrypted and no password was specified,
+                        # the decrypt call would throw an error, but we check first
+                        # since the decrypt function doesn't know the file name
+                        data = f.read()
+                        if not self._b_vault_password:
+                            raise AnsibleParserError("A vault password must be specified to decrypt %s" % file_path)

-                    data = self._vault.decrypt(data, filename=real_path)
-                    # Make a temp file
-                    real_path = self._create_content_tempfile(data)
-                    self._tempfiles.add(real_path)
+                        data = self._vault.decrypt(data, filename=real_path)
+                        # Make a temp file
+                        real_path = self._create_content_tempfile(data)
+                        self._tempfiles.add(real_path)

            return real_path