Fix vault reading from stdin (avoid realpath() on non-links) (#23583)

* Fix vault reading from stdin (avoid realpath() on non-links)

os.path.realpath() is used to find the target of file paths that
are symlinks so vault operations happen directly on the target.

However, in addition to resolving symlinks, realpath() also returns
a full path. When reading from stdin, the vault cli uses '-' as a special
file path that VaultEditor() will replace with stdin.
realpath() was expanding '-' with the CWD to something like
'/home/user/playbooks/-' causing errors like:

        ERROR! [Errno 2] No such file or directory: u'/home/user/ansible/-'

Fix is to specialcase '-' to not use realpath()

Fixes #23567

* to_text decrypt output when writing to stdout
Adrian Likins 2017-04-18 13:09:02 -04:00 committed by Brian Coca
parent f82d95ae28
commit ae3d7fb29e
3 changed files with 47 additions and 5 deletions


@ -402,6 +402,14 @@ class VaultEditor:
# shuffle tmp file into place
self.shuffle_files(tmp_path, filename)
def _real_path(self, filename):
# '-' is special to VaultEditor, dont expand it.
if filename == '-':
return filename
real_path = os.path.realpath(filename)
return real_path
def encrypt_bytes(self, b_plaintext):
check_prereqs()
@ -417,7 +425,7 @@ class VaultEditor:
# so treat the contents as a byte string.
# follow the symlink
filename = os.path.realpath(filename)
filename = self._real_path(filename)
b_plaintext = self.read_data(filename)
b_ciphertext = self.vault.encrypt(b_plaintext)
@ -428,7 +436,7 @@ class VaultEditor:
check_prereqs()
# follow the symlink
filename = os.path.realpath(filename)
filename = self._real_path(filename)
ciphertext = self.read_data(filename)
@ -455,7 +463,7 @@ class VaultEditor:
check_prereqs()
# follow the symlink
filename = os.path.realpath(filename)
filename = self._real_path(filename)
ciphertext = self.read_data(filename)
@ -487,7 +495,7 @@ class VaultEditor:
check_prereqs()
# follow the symlink
filename = os.path.realpath(filename)
filename = self._real_path(filename)
prev = os.stat(filename)
ciphertext = self.read_data(filename)
@ -536,7 +544,8 @@ class VaultEditor:
b_file_data = to_bytes(data, errors='strict')
if filename == '-':
sys.stdout.write(b_file_data)
file_data = to_text(b_file_data, encoding='utf-8', errors='strict', nonstring='strict')
sys.stdout.write(file_data)
else:
if os.path.isfile(filename):
if shred:
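Review bot: In the last hunk, decoding `b_file_data` with `to_text(..., encoding='utf-8', errors='strict', ...)` before `sys.stdout.write(file_data)` makes decrypting to '-' raise for any vaulted payload that is not valid UTF-8, and vault can hold arbitrary files such as keystores or binary keys. On Python 2 a text write to a piped stdout is presumably also re-encoded with the stream's codec, which can fail on non-ASCII secrets. Writing the bytes to the binary stream avoids both and keeps the output byte-identical to the decrypted content: `output = getattr(sys.stdout, 'buffer', sys.stdout)` followed by `output.write(b_file_data)`. The enclosing method starts and ends outside the hunk, so confirm no other caller relies on text output here.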