From 1f962bd937ddc687562648bdc88d79ee882e6aaf Mon Sep 17 00:00:00 2001
From: Adrian Likins
Date: Mon, 28 Aug 2017 10:13:14 -0400
Subject: [PATCH] Fix config value type for VAULT_IDENTITY_LIST (#28678)

Was using the 'value_type' key, but didn't get updated to the new 'type' key in merge.
Fix playbooks cli so it uses VAULT_IDENTITY_LIST as well.
---
 lib/ansible/cli/__init__.py | 6 +++++-
 lib/ansible/config/base.yml | 2 +-
 test/integration/targets/vault/runme.sh | 7 +++++++
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/lib/ansible/cli/__init__.py b/lib/ansible/cli/__init__.py
index 61076032b4..07bf7a6911 100644
--- a/lib/ansible/cli/__init__.py
+++ b/lib/ansible/cli/__init__.py
@@ -756,8 +756,12 @@ class CLI(with_metaclass(ABCMeta, object)):
# all needs loader
loader = DataLoader()
+ vault_ids = options.vault_ids
+ default_vault_ids = C.DEFAULT_VAULT_IDENTITY_LIST
+ vault_ids = default_vault_ids + vault_ids
+
vault_secrets = CLI.setup_vault_secrets(loader,
- vault_ids=options.vault_ids,
+ vault_ids=vault_ids,
vault_password_files=options.vault_password_files,
ask_vault_pass=options.ask_vault_pass)
loader.set_vault_secrets(vault_secrets)
diff --git a/lib/ansible/config/base.yml b/lib/ansible/config/base.yml
index 4db0e1c256..a1c2d8f925 100644
--- a/lib/ansible/config/base.yml
+++ b/lib/ansible/config/base.yml
@@ -1067,7 +1067,7 @@ DEFAULT_VAULT_IDENTITY_LIST:
env: [{name: ANSIBLE_VAULT_IDENTITY_LIST}]
ini:
- {key: vault_identity_list, section: defaults}
- value_type: list
+ type: list
vars: []
yaml: {key: defaults.vault_identity_list}
DEFAULT_VAULT_PASSWORD_FILE:
diff --git a/test/integration/targets/vault/runme.sh b/test/integration/targets/vault/runme.sh
index 24a98936e8..2d4db75267 100755
--- a/test/integration/targets/vault/runme.sh
+++ b/test/integration/targets/vault/runme.sh
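Review bot: `vault_ids = default_vault_ids + vault_ids` assumes both operands are lists; if `C.DEFAULT_VAULT_IDENTITY_LIST` resolves to None when the setting is unset (the base.yml hunk declares `type: list`, and no `default:` is visible inside that hunk), or `options.vault_ids` is None when no `--vault-id` was passed, this raises TypeError on every CLI run that reaches this path. A defensive single statement covers both, `vault_ids = list(default_vault_ids or []) + list(options.vault_ids or [])`, and replaces the three-line reassignment dance. The ordering also deserves a comment, since identities from ansible.cfg or ANSIBLE_VAULT_IDENTITY_LIST are consulted before the ones given explicitly on the command line: `# config/env-provided vault ids are tried first; --vault-id entries are appended after them`. Those entries go through the same setup_vault_secrets path as `--vault-id`, and the runme.sh hunk shows a vault-id source can be an executable password script (password-script.py), so the setting's description in base.yml should say that a list from config or the environment can name a script that will be run. The enclosing method of CLI starts and ends outside the hunk.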
@@ -15,6 +15,7 @@ echo "This is a test file for format 1.2" > "${TEST_FILE_1_2}"
TEST_FILE_OUTPUT="${MYTMPDIR}/test_file_output"
+
# old format
ansible-vault view "$@" --vault-password-file vault-password-ansible format_1_0_AES.yml
@@ -64,6 +65,9 @@ ansible-vault view "$@" --vault-password-file password-script.py format_1_2_AES2
# new 1.2 format, view, using password script with vault-id
ansible-vault view "$@" --vault-id password-script.py format_1_2_AES256.yml
+# newish 1.1 format, view, using a vault-id list from config env var
+ANSIBLE_VAULT_IDENTITY_LIST='wrong-password@vault-password-wrong,default@vault-password' ansible-vault view "$@" --vault-id password-script.py format_1_1_AES256.yml
+
# new 1.2 format, view, ENFORCE_IDENTITY_MATCH=true, should fail, no 'test_vault_id' vault_id
ANSIBLE_VAULT_ID_MATCH=1 ansible-vault view "$@" --vault-password-file vault-password format_1_2_AES256.yml && :
WRONG_RC=$?
@@ -255,6 +259,9 @@ ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-pass
# test with a default vault password file set in config
ANSIBLE_VAULT_PASSWORD_FILE=vault-password ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password-wrong
+# test using vault_identity_list config
+ANSIBLE_VAULT_IDENTITY_LIST='wrong-password@vault-password-wrong,default@vault-password' ansible-playbook test_vault.yml -i ../../inventory -v "$@"
+
# test that we can have a vault encrypted yaml file that includes embedded vault vars
# that were encrypted with a different vault secret
ansible-playbook test_vault_file_encrypted_embedded.yml -i ../../inventory "$@" --vault-id encrypted_file_encrypted_var_password --vault-id vault-password
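Review bot: The new `ansible-vault view` case in the second hunk still passes `--vault-id password-script.py`, and the surrounding lines use that script as a sufficient secret for the other format_1_* files, so this run would presumably succeed even if ANSIBLE_VAULT_IDENTITY_LIST were ignored entirely; it does not prove the config list is consulted. Drop the explicit id so the env list is the only source: `ANSIBLE_VAULT_IDENTITY_LIST='wrong-password@vault-password-wrong,default@vault-password' ansible-vault view "$@" format_1_1_AES256.yml`. A negative case in the style of the ENFORCE_IDENTITY_MATCH check just below it, `ANSIBLE_VAULT_IDENTITY_LIST='wrong-password@vault-password-wrong' ansible-vault view "$@" format_1_1_AES256.yml && :` followed by `WRONG_RC=$?` and the rc check this script uses, would show that the list is really the source of the secret rather than some other default. The ansible-playbook case in the third hunk passes no `--vault-id`, so it already isolates the setting.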