Vault secrets empty password (#28186)

* Better handling of empty/invalid passwords empty password files are global error and cause an exit. A warning is also emitted with more detail. ie, if any of the password/secret sources provide a bogus password (ie, empty) or fail (exception, ctrl-d, EOFError), we stop at the first error and exit. This makes behavior when entering empty password at prompt match 2.3 (ie, an error)
2026-05-07 05:42:50 +00:00 · 2017-08-15 11:01:46 -04:00
parent 271127113f
commit e287af1ac8
5 changed files with 111 additions and 20 deletions
--- a/lib/ansible/cli/init.py
+++ b/lib/ansible/cli/init.py
@@ -34,7 +34,7 @@ from abc import ABCMeta, abstractmethod

 import ansible
 from ansible import constants as C
-from ansible.errors import AnsibleOptionsError
+from ansible.errors import AnsibleOptionsError, AnsibleError
 from ansible.inventory.manager import InventoryManager
 from ansible.module_utils.six import with_metaclass, string_types
 from ansible.module_utils._text import to_bytes, to_text
@@ -180,7 +180,8 @@ class CLI(with_metaclass(ABCMeta, object)):
        return ret

    @staticmethod
-    def build_vault_ids(vault_ids, vault_password_files=None, ask_vault_pass=None):
+    def build_vault_ids(vault_ids, vault_password_files=None,
+                        ask_vault_pass=None, create_new_password=None):
        vault_password_files = vault_password_files or []
        vault_ids = vault_ids or []

@@ -193,7 +194,9 @@ class CLI(with_metaclass(ABCMeta, object)):
            # used by --vault-id and --vault-password-file
            vault_ids.append(id_slug)

-        if ask_vault_pass:
+        # if an action needs an encrypt password (create_new_password=True) and we dont
+        # have other secrets setup, then automatically add a password prompt as well.
+        if ask_vault_pass or (create_new_password and not vault_ids):
            id_slug = u'%s@%s' % (C.DEFAULT_VAULT_IDENTITY, u'prompt_ask_vault_pass')
            vault_ids.append(id_slug)

@@ -233,21 +236,26 @@ class CLI(with_metaclass(ABCMeta, object)):
        for vault_id_slug in vault_ids:
            vault_id_name, vault_id_value = CLI.split_vault_id(vault_id_slug)
            if vault_id_value in ['prompt', 'prompt_ask_vault_pass']:
-
                # --vault-id some_name@prompt_ask_vault_pass --vault-id other_name@prompt_ask_vault_pass will be a little
                # confusing since it will use the old format without the vault id in the prompt
-                if vault_id_name:
-                    prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats[vault_id_value],
-                                                              vault_id=vault_id_name)
+                built_vault_id = vault_id_name or C.DEFAULT_VAULT_IDENTITY
+
+                # choose the prompt based on --vault-id=prompt or --ask-vault-pass. --ask-vault-pass
+                # always gets the old format for Tower compatibility.
+                # ie, we used --ask-vault-pass, so we need to use the old vault password prompt
+                # format since Tower needs to match on that format.
+                prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats[vault_id_value],
+                                                          vault_id=built_vault_id)
+
+                # a empty or invalid password from the prompt will warn and continue to the next
+                # without erroring globablly
+                try:
                    prompted_vault_secret.load()
-                    vault_secrets.append((vault_id_name, prompted_vault_secret))
-                else:
-                    # ie, we used --ask-vault-pass, so we need to use the old vault password prompt
-                    # format since Tower needs to match on that format.
-                    prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats[vault_id_value],
-                                                              vault_id=C.DEFAULT_VAULT_IDENTITY)
-                    prompted_vault_secret.load()
-                    vault_secrets.append((C.DEFAULT_VAULT_IDENTITY, prompted_vault_secret))
+                except AnsibleError as exc:
+                    display.warning('Error in vault password prompt (%s): %s' % (vault_id_name, exc))
+                    raise
+
+                vault_secrets.append((built_vault_id, prompted_vault_secret))

                # update loader with new secrets incrementally, so we can load a vault password
                # that is encrypted with a vault secret provided earlier
@@ -260,7 +268,14 @@ class CLI(with_metaclass(ABCMeta, object)):
            file_vault_secret = get_file_vault_secret(filename=vault_id_value,
                                                      vault_id_name=vault_id_name,
                                                      loader=loader)
-            file_vault_secret.load()
+
+            # an invalid password file will error globally
+            try:
+                file_vault_secret.load()
+            except AnsibleError as exc:
+                display.warning('Error in vault password file loading (%s): %s' % (vault_id_name, exc))
+                raise
+
            if vault_id_name:
                vault_secrets.append((vault_id_name, file_vault_secret))
            else: