diff --git a/lib/ansible/cli/__init__.py b/lib/ansible/cli/__init__.py index fb1eb0f585..4e1bd23aa0 100644 --- a/lib/ansible/cli/__init__.py +++ b/lib/ansible/cli/__init__.py @@ -196,7 +196,8 @@ class CLI(with_metaclass(ABCMeta, object)): @staticmethod def build_vault_ids(vault_ids, vault_password_files=None, - ask_vault_pass=None, create_new_password=None): + ask_vault_pass=None, create_new_password=None, + auto_prompt=True): vault_password_files = vault_password_files or [] vault_ids = vault_ids or [] @@ -211,7 +212,7 @@ class CLI(with_metaclass(ABCMeta, object)): # if an action needs an encrypt password (create_new_password=True) and we dont # have other secrets setup, then automatically add a password prompt as well. - if ask_vault_pass or (create_new_password and not vault_ids): + if ask_vault_pass or (auto_prompt and not vault_ids): id_slug = u'%s@%s' % (C.DEFAULT_VAULT_IDENTITY, u'prompt_ask_vault_pass') vault_ids.append(id_slug) @@ -220,7 +221,8 @@ class CLI(with_metaclass(ABCMeta, object)): # TODO: remove the now unused args @staticmethod def setup_vault_secrets(loader, vault_ids, vault_password_files=None, - ask_vault_pass=None, create_new_password=False): + ask_vault_pass=None, create_new_password=False, + auto_prompt=True): # list of tuples vault_secrets = [] @@ -250,7 +252,8 @@ class CLI(with_metaclass(ABCMeta, object)): vault_ids = CLI.build_vault_ids(vault_ids, vault_password_files, ask_vault_pass, - create_new_password) + create_new_password, + auto_prompt=auto_prompt) for vault_id_slug in vault_ids: vault_id_name, vault_id_value = CLI.split_vault_id(vault_id_slug) @@ -777,7 +780,8 @@ class CLI(with_metaclass(ABCMeta, object)): vault_secrets = CLI.setup_vault_secrets(loader, vault_ids=vault_ids, vault_password_files=options.vault_password_files, - ask_vault_pass=options.ask_vault_pass) + ask_vault_pass=options.ask_vault_pass, + auto_prompt=False) loader.set_vault_secrets(vault_secrets) # create the inventory, and filter it based on the subset specified (if any) diff --git a/lib/ansible/cli/vault.py b/lib/ansible/cli/vault.py index efd7d887e8..762ba82b98 100644 --- a/lib/ansible/cli/vault.py +++ b/lib/ansible/cli/vault.py @@ -165,7 +165,7 @@ class VaultCLI(CLI): # TODO: instead of prompting for these before, we could let VaultEditor # call a callback when it needs it. - if self.action in ['decrypt', 'view', 'rekey']: + if self.action in ['decrypt', 'view', 'rekey', 'edit']: vault_secrets = self.setup_vault_secrets(loader, vault_ids=vault_ids, vault_password_files=self.options.vault_password_files, @@ -173,7 +173,7 @@ class VaultCLI(CLI): if not vault_secrets: raise AnsibleOptionsError("A vault password is required to use Ansible's Vault") - if self.action in ['encrypt', 'encrypt_string', 'create', 'edit']: + if self.action in ['encrypt', 'encrypt_string', 'create']: if len(vault_ids) > 1: raise AnsibleOptionsError("Only one --vault-id can be used for encryption") diff --git a/test/units/cli/test_cli.py b/test/units/cli/test_cli.py index 39ae28c871..c881cf78c2 100644 --- a/test/units/cli/test_cli.py +++ b/test/units/cli/test_cli.py @@ -54,6 +54,32 @@ class TestCliBuildVaultIds(unittest.TestCase): res = cli.CLI.build_vault_ids([], create_new_password=True) self.assertEqual(res, ['default@prompt_ask_vault_pass']) + def test_create_new_password_no_vault_id_no_auto_prompt(self): + res = cli.CLI.build_vault_ids([], auto_prompt=False, create_new_password=True) + self.assertEqual(res, []) + + def test_no_vault_id_no_auto_prompt(self): + # similate 'ansible-playbook site.yml' with out --ask-vault-pass, should not prompt + res = cli.CLI.build_vault_ids([], auto_prompt=False) + self.assertEqual(res, []) + + def test_no_vault_ids_auto_prompt(self): + # create_new_password=False + # simulate 'ansible-vault edit encrypted.yml' + res = cli.CLI.build_vault_ids([], auto_prompt=True) + self.assertEqual(res, ['default@prompt_ask_vault_pass']) + + def test_no_vault_ids_auto_prompt_ask_vault_pass(self): + # create_new_password=False + # simulate 'ansible-vault edit --ask-vault-pass encrypted.yml' + res = cli.CLI.build_vault_ids([], auto_prompt=True, ask_vault_pass=True) + self.assertEqual(res, ['default@prompt_ask_vault_pass']) + + def test_create_new_password_auto_prompt(self): + # simulate 'ansible-vault encrypt somefile.yml' + res = cli.CLI.build_vault_ids([], auto_prompt=True, create_new_password=True) + self.assertEqual(res, ['default@prompt_ask_vault_pass']) + def test_create_new_password_no_vault_id_ask_vault_pass(self): res = cli.CLI.build_vault_ids([], ask_vault_pass=True, create_new_password=True) @@ -74,7 +100,8 @@ class TestCliBuildVaultIds(unittest.TestCase): vault_password_files=['yet-another-password-file', 'one-more-password-file'], ask_vault_pass=True, - create_new_password=True) + create_new_password=True, + auto_prompt=False) self.assertEqual(set(res), set(['blip@prompt', 'baz@prompt_ask_vault_pass', 'default@prompt_ask_vault_pass', 'some-password-file', 'qux@another-password-file', @@ -92,7 +119,7 @@ class TestCliSetupVaultSecrets(unittest.TestCase): self.tty_patcher.stop() def test(self): - res = cli.CLI.setup_vault_secrets(None, None) + res = cli.CLI.setup_vault_secrets(None, None, auto_prompt=False) self.assertIsInstance(res, list) @patch('ansible.cli.get_file_vault_secret') @@ -134,7 +161,6 @@ class TestCliSetupVaultSecrets(unittest.TestCase): vault_ids=['prompt1@prompt'], ask_vault_pass=True) - print('res: %s' % res) self.assertIsInstance(res, list) self.assertEqual(len(res), 0) matches = vault.match_secrets(res, ['prompt1'])