Support using vault password files that are themselves vault encrypted (#27668)
Extract vault related bits of DataLoader._get_file_contents to DataLoader._decrypt_if_vault_data When loading vault password files, detect if they are vault encrypted, and if so, try to decrypt with any already known vault secrets. This implements the 'Allow vault password files to be vault encrypted' (#31002) feature card from the 2.5.0 project at https://github.com/ansible/ansible/projects/9 Fixes #31002
This commit is contained in:
parent
ca8982f96c
commit
fc180a378a
5 changed files with 112 additions and 13 deletions
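--- /dev/null
+++ b/test/integration/targets/vault/encrypted-vault-password
@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+34353166613539646338666531633061646161663836373965663032313466613135313130383133
+3634383331386336333436323832356264343033323166370a323737396234376132353731643863
+62386335616635363062613562666561643931626332623464306666636131356134386531363533
+3831323230353333620a616633376363373830346332663733316634663937336663633631326361
+62343638656532393932643530633133326233316134383036316333373962626164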
@ -1,6 +1,6 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
set -eux
|
||||
set -euvx
|
||||
|
||||
MYTMPDIR=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
|
||||
trap 'rm -rf "${MYTMPDIR}"' EXIT
|
||||
|
@ -12,6 +12,12 @@ echo "This is a test file" > "${TEST_FILE}"
|
|||
TEST_FILE_1_2="${MYTMPDIR}/test_file_1_2"
|
||||
echo "This is a test file for format 1.2" > "${TEST_FILE_1_2}"
|
||||
|
||||
TEST_FILE_ENC_PASSWORD="${MYTMPDIR}/test_file_enc_password"
|
||||
echo "This is a test file for encrypted with a vault password that is itself vault encrypted" > "${TEST_FILE_ENC_PASSWORD}"
|
||||
|
||||
TEST_FILE_ENC_PASSWORD_DEFAULT="${MYTMPDIR}/test_file_enc_password_default"
|
||||
echo "This is a test file for encrypted with a vault password that is itself vault encrypted using --encrypted-vault-id default" > "${TEST_FILE_ENC_PASSWORD_DEFAULT}"
|
||||
|
||||
TEST_FILE_OUTPUT="${MYTMPDIR}/test_file_output"
|
||||
|
||||
TEST_FILE_EDIT="${MYTMPDIR}/test_file_edit"
|
||||
|
@ -20,6 +26,20 @@ echo "This is a test file for edit" > "${TEST_FILE_EDIT}"
|
|||
TEST_FILE_EDIT2="${MYTMPDIR}/test_file_edit2"
|
||||
echo "This is a test file for edit2" > "${TEST_FILE_EDIT2}"
|
||||
|
||||
# view the vault encrypted password file
|
||||
ansible-vault view "$@" --vault-id vault-password encrypted-vault-password
|
||||
|
||||
# encrypt with a password from a vault encrypted password file and multiple vault-ids
|
||||
# should fail because we dont know which vault id to use to encrypt with
|
||||
ansible-vault encrypt "$@" --vault-id vault-password --vault-id encrypted-vault-password "${TEST_FILE_ENC_PASSWORD}" && :
|
||||
WRONG_RC=$?
|
||||
echo "rc was $WRONG_RC (5 is expected)"
|
||||
[ $WRONG_RC -eq 5 ]
|
||||
|
||||
# try to view the file encrypted with the vault-password we didnt specify
|
||||
# to verify we didnt choose the wrong vault-id
|
||||
ansible-vault view "$@" --vault-id vault-password encrypted-vault-password
|
||||
|
||||
FORMAT_1_1_HEADER="\$ANSIBLE_VAULT;1.1;AES256"
|
||||
FORMAT_1_2_HEADER="\$ANSIBLE_VAULT;1.2;AES256"
|
||||
|
||||
|
@ -30,9 +50,6 @@ ansible-vault view "$@" --vault-id vault-password@test-vault-client.py format_1_
|
|||
|
||||
# view, using password client script, unknown vault/keyname
|
||||
ansible-vault view "$@" --vault-id some_unknown_vault_id@test-vault-client.py format_1_1_AES256.yml && :
|
||||
WRONG_RC=$?
|
||||
echo "rc was $WRONG_RC (1 is expected)"
|
||||
[ $WRONG_RC -eq 1 ]
|
||||
|
||||
# Use linux setsid to test without a tty. No setsid if osx/bsd though...
|
||||
if [ -x "$(command -v setsid)" ]; then
|
||||
|
@ -319,6 +336,37 @@ head -1 "${TEST_FILE_EDIT2}" | grep "${FORMAT_1_2_HEADER};vault_password"
|
|||
EDITOR=./faux-editor.py ansible-vault edit "$@" --vault-password-file vault-password "${TEST_FILE_EDIT2}"
|
||||
head -1 "${TEST_FILE_EDIT2}" | grep "${FORMAT_1_2_HEADER};vault_password"
|
||||
|
||||
# encrypt with a password from a vault encrypted password file and multiple vault-ids
|
||||
# should fail because we dont know which vault id to use to encrypt with
|
||||
ansible-vault encrypt "$@" --vault-id vault-password --vault-id encrypted-vault-password "${TEST_FILE_ENC_PASSWORD}" && :
|
||||
WRONG_RC=$?
|
||||
echo "rc was $WRONG_RC (5 is expected)"
|
||||
[ $WRONG_RC -eq 5 ]
|
||||
|
||||
|
||||
# encrypt with a password from a vault encrypted password file and multiple vault-ids
|
||||
# but this time specify with --encrypt-vault-id, but specifying vault-id names (instead of default)
|
||||
# ansible-vault encrypt "$@" --vault-id from_vault_password@vault-password --vault-id from_encrypted_vault_password@encrypted-vault-password --encrypt-vault-id from_encrypted_vault_password "${TEST_FILE_ENC_PASSWORD}"
|
||||
|
||||
# try to view the file encrypted with the vault-password we didnt specify
|
||||
# to verify we didnt choose the wrong vault-id
|
||||
# ansible-vault view "$@" --vault-id vault-password "${TEST_FILE_ENC_PASSWORD}" && :
|
||||
# WRONG_RC=$?
|
||||
# echo "rc was $WRONG_RC (1 is expected)"
|
||||
# [ $WRONG_RC -eq 1 ]
|
||||
|
||||
ansible-vault encrypt "$@" --vault-id vault-password "${TEST_FILE_ENC_PASSWORD}"
|
||||
|
||||
# view the file encrypted with a password from a vault encrypted password file
|
||||
ansible-vault view "$@" --vault-id vault-password --vault-id encrypted-vault-password "${TEST_FILE_ENC_PASSWORD}"
|
||||
|
||||
# try to view the file encrypted with a password from a vault encrypted password file but without the password to the password file.
|
||||
# This should fail with an
|
||||
ansible-vault view "$@" --vault-id encrypted-vault-password "${TEST_FILE_ENC_PASSWORD}" && :
|
||||
WRONG_RC=$?
|
||||
echo "rc was $WRONG_RC (1 is expected)"
|
||||
[ $WRONG_RC -eq 1 ]
|
||||
|
||||
|
||||
# test playbooks using vaulted files
|
||||
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-password-file vault-password --list-tasks
|
||||
|
|
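Review bot: The file produced by `ansible-vault encrypt "$@" --vault-id vault-password "${TEST_FILE_ENC_PASSWORD}"` in the last hunk is encrypted with the plain vault-password, so the following view with both `--vault-id`s succeeds whether or not the secret inside encrypted-vault-password was ever decrypted, and the final negative check returns non-zero only because the password file itself cannot be opened, not because the wrong key was tried; the round trip through the nested secret is never asserted. The lines that would prove it are the commented-out ones just above — the encrypt with named ids, `ansible-vault encrypt "$@" --vault-id from_vault_password@vault-password --vault-id from_encrypted_vault_password@encrypted-vault-password --encrypt-vault-id from_encrypted_vault_password "${TEST_FILE_ENC_PASSWORD}"`, followed by the view with only `--vault-id vault-password` expected to exit 1 — and they should either be enabled or carry a comment stating why they are disabled (presumably a limitation at the time; confirm). In the first hunk the comment `# try to view the file encrypted with the vault-password we didnt specify` sits over a command identical to the earlier view of encrypted-vault-password, and the rc-5 encrypt check appears verbatim in both hunks, so one copy and that comment should go. The truncated `# This should fail with an` should read `# This should fail: no secret was supplied that can decrypt encrypted-vault-password itself`, and `TEST_FILE_ENC_PASSWORD_DEFAULT` is created but not referenced in any visible hunk (the script continues between and after the hunks, so it may be used elsewhere).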