Vault secrets empty password (#28186)

* Better handling of empty/invalid passwords empty password files are global error and cause an exit. A warning is also emitted with more detail. ie, if any of the password/secret sources provide a bogus password (ie, empty) or fail (exception, ctrl-d, EOFError), we stop at the first error and exit. This makes behavior when entering empty password at prompt match 2.3 (ie, an error)
2025-04-30 14:21:26 -07:00 · 2017-08-15 11:01:46 -04:00 · 2017-08-15 11:01:46 -04:00 · e287af1ac8
commit e287af1ac8
parent 271127113f
5 changed files with 111 additions and 20 deletions
--- a/test/units/parsing/vault/test_vault.py
+++ b/test/units/parsing/vault/test_vault.py
@ -77,8 +77,9 @@ class TestPromptVaultSecret(unittest.TestCase):
    @patch('ansible.parsing.vault.display.prompt', side_effect=EOFError)
    def test_prompt_eoferror(self, mock_display_prompt):
        secret = vault.PromptVaultSecret(vault_id='test_id')
-        secret.load()
-        self.assertEqual(secret._bytes, None)
+        self.assertRaisesRegexp(vault.AnsibleVaultError,
+                                'EOFError.*test_id',
+                                secret.load)

    @patch('ansible.parsing.vault.display.prompt', side_effect=['first_password', 'second_password'])
    def test_prompt_passwords_dont_match(self, mock_display_prompt):
@ -129,6 +130,21 @@ class TestFileVaultSecret(unittest.TestCase):

        self.assertEqual(secret.bytes, to_bytes(password))

+    def test_file_empty(self):
+
+        tmp_file = tempfile.NamedTemporaryFile(delete=False)
+        tmp_file.write(to_bytes(''))
+        tmp_file.close()
+
+        fake_loader = DictDataLoader({tmp_file.name: ''})
+
+        secret = vault.FileVaultSecret(loader=fake_loader, filename=tmp_file.name)
+        self.assertRaisesRegexp(vault.AnsibleVaultPasswordError,
+                                'Invalid vault password was provided from file.*%s' % tmp_file.name,
+                                secret.load)
+
+        os.unlink(tmp_file.name)
+
    def test_file_not_a_directory(self):
        filename = '/dev/null/foobar'
        fake_loader = DictDataLoader({filename: 'sdfadf'})
@ -166,12 +182,22 @@ class TestScriptVaultSecret(unittest.TestCase):

    @patch('ansible.parsing.vault.subprocess.Popen')
    def test_read_file(self, mock_popen):
-        self._mock_popen(mock_popen)
+        self._mock_popen(mock_popen, stdout=b'some_password')
        secret = vault.ScriptVaultSecret()
        with patch.object(secret, 'loader') as mock_loader:
            mock_loader.is_executable = MagicMock(return_value=True)
            secret.load()

+    @patch('ansible.parsing.vault.subprocess.Popen')
+    def test_read_file_empty(self, mock_popen):
+        self._mock_popen(mock_popen, stdout=b'')
+        secret = vault.ScriptVaultSecret()
+        with patch.object(secret, 'loader') as mock_loader:
+            mock_loader.is_executable = MagicMock(return_value=True)
+            self.assertRaisesRegexp(vault.AnsibleVaultPasswordError,
+                                    'Invalid vault password was provided from script',
+                                    secret.load)
+
    @patch('ansible.parsing.vault.subprocess.Popen')
    def test_read_file_os_error(self, mock_popen):
        self._mock_popen(mock_popen)