Fix vault reading from stdin (avoid realpath() on non-links) (#23583)

* Fix vault reading from stdin (avoid realpath() on non-links) os.path.realpath() is used to find the target of file paths that are symlinks so vault operations happen directly on the target. However, in addition to resolving symlinks, realpath() also returns a full path. when reading from stdin, vault cli uses '-' as a special file path so VaultEditor() will replace with stdin. realpath() was expanding '-' with the CWD to something like '/home/user/playbooks/-' causing errors like: ERROR! [Errno 2] No such file or directory: u'/home/user/ansible/-' Fix is to specialcase '-' to not use realpath() Fixes #23567 * to_text decrypt output when writing to stdout
2026-05-06 21:32:49 +00:00 · 2017-04-18 13:09:02 -04:00
parent f82d95ae28
commit ae3d7fb29e
3 changed files with 47 additions and 5 deletions
--- a/lib/ansible/parsing/vault/init.py
+++ b/lib/ansible/parsing/vault/init.py
@@ -402,6 +402,14 @@ class VaultEditor:
        # shuffle tmp file into place
        self.shuffle_files(tmp_path, filename)

+    def _real_path(self, filename):
+        # '-' is special to VaultEditor, dont expand it.
+        if filename == '-':
+            return filename
+
+        real_path = os.path.realpath(filename)
+        return real_path
+
    def encrypt_bytes(self, b_plaintext):
        check_prereqs()

@@ -417,7 +425,7 @@ class VaultEditor:
        # so treat the contents as a byte string.

        # follow the symlink
-        filename = os.path.realpath(filename)
+        filename = self._real_path(filename)

        b_plaintext = self.read_data(filename)
        b_ciphertext = self.vault.encrypt(b_plaintext)
@@ -428,7 +436,7 @@ class VaultEditor:
        check_prereqs()

        # follow the symlink
-        filename = os.path.realpath(filename)
+        filename = self._real_path(filename)

        ciphertext = self.read_data(filename)

@@ -455,7 +463,7 @@ class VaultEditor:
        check_prereqs()

        # follow the symlink
-        filename = os.path.realpath(filename)
+        filename = self._real_path(filename)

        ciphertext = self.read_data(filename)

@@ -487,7 +495,7 @@ class VaultEditor:
        check_prereqs()

        # follow the symlink
-        filename = os.path.realpath(filename)
+        filename = self._real_path(filename)

        prev = os.stat(filename)
        ciphertext = self.read_data(filename)
@@ -536,7 +544,8 @@ class VaultEditor:
        b_file_data = to_bytes(data, errors='strict')

        if filename == '-':
-            sys.stdout.write(b_file_data)
+            file_data = to_text(b_file_data, encoding='utf-8', errors='strict', nonstring='strict')
+            sys.stdout.write(file_data)
        else:
            if os.path.isfile(filename):
                if shred: