Vault secrets empty password (#28186)
* Better handling of empty/invalid passwords. Empty password files are a global error and cause an exit. A warning is also emitted with more detail. I.e., if any of the password/secret sources provides a bogus password (i.e., empty) or fails (exception, ctrl-d, EOFError), we stop at the first error and exit. This makes the behavior when entering an empty password at the prompt match 2.3 (i.e., an error).
0
test/integration/targets/vault/empty-password
Normal file
0
test/integration/targets/vault/empty-password
Normal file
@@ -14,6 +14,7 @@ echo "This is a test file for format 1.2" > "${TEST_FILE_1_2}"
|
||||
|
||||
TEST_FILE_OUTPUT="${MYTMPDIR}/test_file_output"
|
||||
|
||||
|
||||
# old format
|
||||
ansible-vault view "$@" --vault-password-file vault-password-ansible format_1_0_AES.yml
|
||||
|
||||
@@ -38,6 +39,7 @@ echo "rc was $WRONG_RC (1 is expected)"
|
||||
|
||||
set -eux
|
||||
|
||||
|
||||
# new format, view
|
||||
ansible-vault view "$@" --vault-password-file vault-password format_1_1_AES256.yml
|
||||
|
||||
@@ -184,6 +186,24 @@ ansible-vault encrypt "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" --outpu
|
||||
ansible-vault view "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" - < "${TEST_FILE_OUTPUT}"
|
||||
ansible-vault decrypt "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" --output=- < "${TEST_FILE_OUTPUT}"
|
||||
|
||||
# test using an empty vault password file
|
||||
ansible-vault view "$@" --vault-password-file empty-password format_1_1_AES256.yml && :
|
||||
WRONG_RC=$?
|
||||
echo "rc was $WRONG_RC (1 is expected)"
|
||||
[ $WRONG_RC -eq 1 ]
|
||||
|
||||
ansible-vault view "$@" --vault-id=empty@empty-password --vault-password-file empty-password format_1_1_AES256.yml && :
|
||||
WRONG_RC=$?
|
||||
echo "rc was $WRONG_RC (1 is expected)"
|
||||
[ $WRONG_RC -eq 1 ]
|
||||
|
||||
echo 'foo' > some_file.txt
|
||||
ansible-vault encrypt "$@" --vault-password-file empty-password some_file.txt && :
|
||||
WRONG_RC=$?
|
||||
echo "rc was $WRONG_RC (1 is expected)"
|
||||
[ $WRONG_RC -eq 1 ]
|
||||
|
||||
|
||||
ansible-vault encrypt_string "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" "a test string"
|
||||
|
||||
ansible-vault encrypt_string "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" --name "blippy" "a test string names blippy"
|
||||
@@ -280,3 +300,9 @@ WRONG_RC=$?
|
||||
echo "rc was $WRONG_RC (1 is expected)"
|
||||
[ $WRONG_RC -eq 1 ]
|
||||
|
||||
# with empty password file
|
||||
ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-id empty@empty-password && :
|
||||
WRONG_RC=$?
|
||||
echo "rc was $WRONG_RC (1 is expected)"
|
||||
[ $WRONG_RC -eq 1 ]
|
||||
|
||||
|
||||
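Review bot: The new empty-password checks assert only `[ $WRONG_RC -eq 1 ]`, and the context lines show the script already expects rc 1 for other failures, so for the two `ansible-vault view` calls and the `ansible-playbook` call a regression that accepted the empty password and then merely failed to decrypt would presumably still pass. The `encrypt` case is the one that matters most, since accepting an empty password there would yield a vault file with no real protection; after it, also confirm the file was left as plaintext, e.g. `grep -qx 'foo' some_file.txt`. For the other cases, capturing stderr and matching the 'Invalid vault password was provided' text that the unit tests on this page expect would tie the exit code to the intended rejection, though whether that exact text reaches the CLI output is not visible here. `some_file.txt` is also written to the working directory rather than under `${MYTMPDIR}` and is never removed.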
@@ -77,8 +77,9 @@ class TestPromptVaultSecret(unittest.TestCase):
|
||||
@patch('ansible.parsing.vault.display.prompt', side_effect=EOFError)
|
||||
def test_prompt_eoferror(self, mock_display_prompt):
|
||||
secret = vault.PromptVaultSecret(vault_id='test_id')
|
||||
secret.load()
|
||||
self.assertEqual(secret._bytes, None)
|
||||
self.assertRaisesRegexp(vault.AnsibleVaultError,
|
||||
'EOFError.*test_id',
|
||||
secret.load)
|
||||
|
||||
@patch('ansible.parsing.vault.display.prompt', side_effect=['first_password', 'second_password'])
|
||||
def test_prompt_passwords_dont_match(self, mock_display_prompt):
|
||||
@@ -129,6 +130,21 @@ class TestFileVaultSecret(unittest.TestCase):
|
||||
|
||||
self.assertEqual(secret.bytes, to_bytes(password))
|
||||
|
||||
def test_file_empty(self):
|
||||
|
||||
tmp_file = tempfile.NamedTemporaryFile(delete=False)
|
||||
tmp_file.write(to_bytes(''))
|
||||
tmp_file.close()
|
||||
|
||||
fake_loader = DictDataLoader({tmp_file.name: ''})
|
||||
|
||||
secret = vault.FileVaultSecret(loader=fake_loader, filename=tmp_file.name)
|
||||
self.assertRaisesRegexp(vault.AnsibleVaultPasswordError,
|
||||
'Invalid vault password was provided from file.*%s' % tmp_file.name,
|
||||
secret.load)
|
||||
|
||||
os.unlink(tmp_file.name)
|
||||
|
||||
def test_file_not_a_directory(self):
|
||||
filename = '/dev/null/foobar'
|
||||
fake_loader = DictDataLoader({filename: 'sdfadf'})
|
||||
@@ -166,12 +182,22 @@ class TestScriptVaultSecret(unittest.TestCase):
|
||||
|
||||
@patch('ansible.parsing.vault.subprocess.Popen')
|
||||
def test_read_file(self, mock_popen):
|
||||
self._mock_popen(mock_popen)
|
||||
self._mock_popen(mock_popen, stdout=b'some_password')
|
||||
secret = vault.ScriptVaultSecret()
|
||||
with patch.object(secret, 'loader') as mock_loader:
|
||||
mock_loader.is_executable = MagicMock(return_value=True)
|
||||
secret.load()
|
||||
|
||||
@patch('ansible.parsing.vault.subprocess.Popen')
|
||||
def test_read_file_empty(self, mock_popen):
|
||||
self._mock_popen(mock_popen, stdout=b'')
|
||||
secret = vault.ScriptVaultSecret()
|
||||
with patch.object(secret, 'loader') as mock_loader:
|
||||
mock_loader.is_executable = MagicMock(return_value=True)
|
||||
self.assertRaisesRegexp(vault.AnsibleVaultPasswordError,
|
||||
'Invalid vault password was provided from script',
|
||||
secret.load)
|
||||
|
||||
@patch('ansible.parsing.vault.subprocess.Popen')
|
||||
def test_read_file_os_error(self, mock_popen):
|
||||
self._mock_popen(mock_popen)
|
||||
|
||||
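Review bot: In `test_file_empty` the temporary file is created with `delete=False` and removed by `os.unlink(tmp_file.name)` only after `assertRaisesRegexp`, so a failing assertion leaves the file behind; registering `self.addCleanup(os.unlink, tmp_file.name)` right after `tmp_file.close()` removes it on every path. The expected-message pattern interpolates `tmp_file.name` unescaped into a regex, so `re.escape(tmp_file.name)` would be safer (this needs `re` imported, which is not visible in the hunk). Both the file and script cases pin only zero-length input; a password source containing just a newline or whitespace is the more likely accident, and whether `load` rejects it cannot be told from the tests shown, so a companion case such as `stdout=b'\n'` alongside `test_read_file_empty` would document the intended behaviour.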