community.general/lib/ansible
Adrian Likins 9c58827410
Better handling of malformed vault data envelope (#32515)
* Better handling of malformed vault data envelope

If an embedded vaulted variable ('!vault' in yaml)
had an invalid format, it would eventually cause
an error for seemingly unrelated reasons.
"Invalid" meaning not valid hexlify (extra chars,
non-hex chars, etc).

For ex, if a host_vars file had invalid vault format
variables, on py2, it would cause an error like:

  'ansible.vars.hostvars.HostVars object' has no
  attribute u'broken.example.com'

Depending on where the invalid vault is, it could
also cause "VARIABLE IS NOT DEFINED!". The behavior
can also change if ansible-playbook is py2 or py3.

Root cause is errors from binascii.unhexlify() not
being handled consistently.

Fix is to add an AnsibleVaultFormatError exception and
raise it on any unhexlify() errors and to handle it
properly elsewhere.

Add a _unhexlify() that try/excepts around a binascii.unhexlify()
and raises an AnsibleVaultFormatError on invalid vault data.
This is so the same exception type is always raised for this
case. Previously it was different between py2 and py3.

binascii.unhexlify() raises a binascii.Error if the hexlified
blobs in a vault data blob are invalid.

On py2, binascii.Error is a subclass of Exception.
On py3, binascii.Error is a subclass of TypeError.

When decrypting content of vault encrypted variables,
if a binascii.Error is raised it propagates up to
playbook.base.Base.post_validate(). post_validate()
handles exceptions for TypeErrors but not for
base Exception subclasses (like py2 binascii.Error).

* Add a display.warning on vault format errors
* Unit tests for _unhexlify, parse_vaulttext*
* Add intg test cases for invalid vault formats

Fixes #28038
2017-11-10 14:24:56 -05:00
cli Enable autoloading of inventory plugins (#32709) 2017-11-09 19:38:34 -05:00
compat Create a short license for PSF and MIT. (#32212) 2017-11-06 10:25:30 -08:00
config Enable autoloading of inventory plugins (#32709) 2017-11-09 19:38:34 -05:00
errors more info on yaml errors 2017-10-30 12:39:30 -04:00
executor Connection plugins network_cli and netconf (#32521) 2017-11-09 15:04:40 -05:00
galaxy Removes container-enabled warning (#27578) 2017-08-01 12:51:03 -04:00
inventory Enable autoloading of inventory plugins (#32709) 2017-11-09 19:38:34 -05:00
module_utils clean args only if needed 2017-11-09 17:21:26 -05:00
modules Fix documentation for mount state (#32647) 2017-11-10 12:31:40 -05:00
parsing Better handling of malformed vault data envelope (#32515) 2017-11-10 14:24:56 -05:00
playbook Connection plugins network_cli and netconf (#32521) 2017-11-09 15:04:40 -05:00
plugins avoid chroot paths (#32778) 2017-11-10 13:26:49 -05:00
template added debug info when skipping undef 2017-10-27 12:16:16 -04:00
utils Connection plugins network_cli and netconf (#32521) 2017-11-09 15:04:40 -05:00
vars namespace facts 2017-11-09 09:48:14 -05:00
__init__.py Fix ziploader for the cornercase of ansible invoking ansible. 2016-04-29 08:47:49 -07:00
constants.py updated chlog, moved missed comment 2017-11-09 09:59:43 -05:00
release.py Bump the versions now that devel is 2.5 2017-09-06 13:13:57 -07:00