mirror of
https://github.com/ansible-collections/community.general.git
synced 2026-05-07 13:52:54 +00:00
Use vault_id when encrypted via vault-edit (#30772)
* Use vault_id when encrypted via vault-edit On the encryption stage of 'ansible-vault edit --vault-id=someid@passfile somefile', the vault id was not being passed to encrypt() so the files were always saved with the default vault id in the 1.1 version format. When trying to edit that file a second time, also with a --vault-id, the file would be decrypted with the secret associated with the provided vault-id, but since the encrypted file had no vault id in the envelope there would be no match for 'default' secrets. (Only the --vault-id was included in the potential matches, so the vault id actually used to decrypt was not). If that list was empty, there would be an IndexError when trying to encrypted the changed file. This would result in the displayed error: ERROR! Unexpected Exception, this is probably a bug: list index out of range Fix is two parts: 1) use the vault id when encrypting from edit 2) when matching the secret to use for encrypting after edit, include the vault id that was used for decryption and not just the vault id (or lack of vault id) from the envelope. add unit tests for #30575 and intg tests for 'ansible-vault edit' Fixes #30575
This commit is contained in:
Adrian Likins
GitHub
@@ -309,7 +309,7 @@ class TestVaultEditor(unittest.TestCase):
|
||||
self._assert_file_is_link(src_file_link_path, src_file_path)
|
||||
|
||||
@patch('ansible.parsing.vault.subprocess.call')
|
||||
def test_edit_file(self, mock_sp_call):
|
||||
def test_edit_file_no_vault_id(self, mock_sp_call):
|
||||
self._test_dir = self._create_test_dir()
|
||||
src_contents = to_bytes("some info in a file\nyup.")
|
||||
|
||||
@@ -330,6 +330,36 @@ class TestVaultEditor(unittest.TestCase):
|
||||
new_src_file = open(src_file_path, 'rb')
|
||||
new_src_file_contents = new_src_file.read()
|
||||
|
||||
self.assertTrue(b'$ANSIBLE_VAULT;1.1;AES256' in new_src_file_contents)
|
||||
|
||||
src_file_plaintext = ve.vault.decrypt(new_src_file_contents)
|
||||
self.assertEqual(src_file_plaintext, new_src_contents)
|
||||
|
||||
@patch('ansible.parsing.vault.subprocess.call')
|
||||
def test_edit_file_with_vault_id(self, mock_sp_call):
|
||||
self._test_dir = self._create_test_dir()
|
||||
src_contents = to_bytes("some info in a file\nyup.")
|
||||
|
||||
src_file_path = self._create_file(self._test_dir, 'src_file', content=src_contents)
|
||||
|
||||
new_src_contents = to_bytes("The info is different now.")
|
||||
|
||||
def faux_editor(editor_args):
|
||||
self._faux_editor(editor_args, new_src_contents)
|
||||
|
||||
mock_sp_call.side_effect = faux_editor
|
||||
|
||||
ve = self._vault_editor()
|
||||
|
||||
ve.encrypt_file(src_file_path, self.vault_secret,
|
||||
vault_id='vault_secrets')
|
||||
ve.edit_file(src_file_path)
|
||||
|
||||
new_src_file = open(src_file_path, 'rb')
|
||||
new_src_file_contents = new_src_file.read()
|
||||
|
||||
self.assertTrue(b'$ANSIBLE_VAULT;1.2;AES256;vault_secrets' in new_src_file_contents)
|
||||
|
||||
src_file_plaintext = ve.vault.decrypt(new_src_file_contents)
|
||||
self.assertEqual(src_file_plaintext, new_src_contents)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user