From 617372f8c0103c0f508f640bbb2f9f4a1fc85957 Mon Sep 17 00:00:00 2001 From: Matt Martz Date: Mon, 20 Aug 2018 16:26:10 -0500 Subject: [PATCH] Mass nuke deprecated items that are easily removed. ci_complete (#44320) --- .../fragments/mass-remove-deprecated.yaml | 8 + lib/ansible/cli/galaxy.py | 9 +- lib/ansible/modules/system/service.py | 18 +-- lib/ansible/parsing/vault/__init__.py | 144 ------------------ lib/ansible/playbook/base.py | 11 +- lib/ansible/playbook/play.py | 15 +- lib/ansible/playbook/role/definition.py | 7 +- lib/ansible/playbook/role/include.py | 2 +- lib/ansible/playbook/role/requirement.py | 50 +----- lib/ansible/plugins/action/__init__.py | 24 --- lib/ansible/plugins/action/service.py | 5 - .../gathering_facts/test_gathering_facts.yml | 14 +- .../targets/vault/format_1_0_AES.yml | 4 - .../targets/vault/format_1_1_AES.yml | 4 - test/integration/targets/vault/runme.sh | 17 --- test/units/parsing/vault/test_vault.py | 21 --- test/units/parsing/vault/test_vault_editor.py | 69 --------- test/units/playbook/test_base.py | 6 - 18 files changed, 32 insertions(+), 396 deletions(-) create mode 100644 changelogs/fragments/mass-remove-deprecated.yaml delete mode 100644 test/integration/targets/vault/format_1_0_AES.yml delete mode 100644 test/integration/targets/vault/format_1_1_AES.yml diff --git a/changelogs/fragments/mass-remove-deprecated.yaml b/changelogs/fragments/mass-remove-deprecated.yaml new file mode 100644 index 0000000000..ad29911264 --- /dev/null +++ b/changelogs/fragments/mass-remove-deprecated.yaml 
@@ -0,0 +1,8 @@ +minor_changes: +- roles - removed deprecated functionality for non YAML role specs (https://github.com/ansible/ansible/pull/44320) +- vault - removed deprecated functionality for insecure VaultAES class (https://github.com/ansible/ansible/pull/44320) +- gather_subset - removed deprecated functionality for using comma separated list with gather_subset (https://github.com/ansible/ansible/pull/44320) +- vars_prompt - removed deprecated functionality supporting 'short form' for vars_prompt (https://github.com/ansible/ansible/pull/44320) +- roles - removed deprecated special casing functionality of connection, port, and remote_user for role params (https://github.com/ansible/ansible/pull/44320) +- ActionBase - removed deprecated _fixup_perms method (https://github.com/ansible/ansible/pull/44320) +- service - removed deprecated state=running (https://github.com/ansible/ansible/pull/44320) diff --git a/lib/ansible/cli/galaxy.py b/lib/ansible/cli/galaxy.py index 5a83c90723..fceb36eb38 100644 --- a/lib/ansible/cli/galaxy.py +++ b/lib/ansible/cli/galaxy.py @@ -358,14 +358,7 @@ class GalaxyCLI(CLI): msg = "Unable to load data from the include requirements file: %s %s" raise AnsibleError(msg % (role_file, e)) else: - display.deprecated("going forward only the yaml format will be supported", version="2.6") - # roles listed in a file, one per line - for rline in f.readlines(): - if rline.startswith("#") or rline.strip() == '': - continue - display.debug('found role %s in text file' % str(rline)) - role = RoleRequirement.role_yaml_parse(rline.strip()) - roles_left.append(GalaxyRole(self.galaxy, **role)) + raise AnsibleError("Invalid role requirements file") f.close() except (IOError, OSError) as e: raise AnsibleError('Unable to open %s: %s' % (role_file, str(e))) diff --git a/lib/ansible/modules/system/service.py b/lib/ansible/modules/system/service.py index dce8c7f2fd..b388b0aba4 100644 --- a/lib/ansible/modules/system/service.py 
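Review bot: The new `raise AnsibleError("Invalid role requirements file")` in the `else:` branch of the galaxy.py hunk tells the user neither which file was rejected nor why. `role_file` is already interpolated by the neighbouring messages, so `raise AnsibleError("Invalid role requirements file %s: expected a YAML requirements file" % role_file)` would be clearer. The raise also appears to fire before the `f.close()` on the following context line, leaving the handle open on this path. Opening the file with a `with` block would cover that, but the `open` call and the start of the `try` are outside the hunk, so the layout needs confirming.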
+++ b/lib/ansible/modules/system/service.py @@ -36,7 +36,7 @@ options: and enabled are required.) Note that reloaded will start the service if it is not already started, even if your chosen init system wouldn't normally. - choices: [ reloaded, restarted, running, started, stopped ] + choices: [ reloaded, restarted, started, stopped ] sleep: description: - If the service is being C(restarted) then sleep this many seconds @@ -49,7 +49,7 @@ options: - If the service does not respond to the status command, name a substring to look for as would be found in the output of the I(ps) command as a stand-in for a status result. If the string is found, - the service will be assumed to be running. + the service will be assumed to be started. version_added: "0.7" enabled: description: @@ -75,12 +75,12 @@ notes: ''' EXAMPLES = ''' -- name: Start service httpd, if not running +- name: Start service httpd, if not started service: name: httpd state: started -- name: Stop service httpd, if running +- name: Stop service httpd, if started service: name: httpd state: stopped @@ -95,7 +95,7 @@ EXAMPLES = ''' name: httpd state: reloaded -- name: Enable service httpd, and not touch the running state +- name: Enable service httpd, and not touch the state service: name: httpd enabled: yes @@ -316,7 +316,7 @@ class Service(object): if self.state and self.running is None: self.module.fail_json(msg="failed determining service state, possible typo of service name?") # Find out if state has changed - if not self.running and self.state in ["reloaded", "running", "started"]: + if not self.running and self.state in ["reloaded", "started"]: self.svc_change = True elif self.running and self.state in ["reloaded", "stopped"]: self.svc_change = True 
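Review bot: The documentation hunks replace the word "running" everywhere, including prose that describes the observed process state rather than the removed `state=running` value. In the `pattern` description, "the service will be assumed to be started" reads worse than the original, as do the example names "Start service httpd, if not started", "Stop service httpd, if started" and "and not touch the state". The code in the `@@ -316` hunk still tracks that state as `self.running`. I would keep "running" in those four sentences and change only the `choices:` line.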
@@ -330,7 +330,7 @@ class Service(object): # Only do something if state will change if self.svc_change: # Control service - if self.state in ['running', 'started']: + if self.state in ['started']: self.action = "start" elif not self.running and self.state == 'reloaded': self.action = "start" @@ -1518,7 +1518,7 @@ def main(): module = AnsibleModule( argument_spec=dict( name=dict(type='str', required=True), - state=dict(type='str', choices=['running', 'started', 'stopped', 'reloaded', 'restarted']), + state=dict(type='str', choices=['started', 'stopped', 'reloaded', 'restarted']), sleep=dict(type='int'), pattern=dict(type='str'), enabled=dict(type='bool'), @@ -1597,7 +1597,7 @@ def main(): else: # as we may have just bounced the service the service command may not # report accurate state at this moment so just show what we ran - if service.module.params['state'] in ['reloaded', 'restarted', 'running', 'started']: + if service.module.params['state'] in ['reloaded', 'restarted', 'started']: result['state'] = 'started' else: result['state'] = 'stopped' diff --git a/lib/ansible/parsing/vault/__init__.py b/lib/ansible/parsing/vault/__init__.py index 6e71724050..d5ef4fca49 100644 --- a/lib/ansible/parsing/vault/__init__.py +++ b/lib/ansible/parsing/vault/__init__.py @@ -30,9 +30,6 @@ import warnings from binascii import hexlify from binascii import unhexlify from binascii import Error as BinasciiError -from hashlib import md5 -from hashlib import sha256 -from io import BytesIO HAS_CRYPTOGRAPHY = False HAS_PYCRYPTO = False 
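Review bot: In the `@@ -330` hunk, `if self.state in ['started']:` is a membership test against a one-element list, left over from dropping `'running'`. `if self.state == 'started':` says the same thing and matches the `self.state == 'reloaded'` comparison on the next line. The enclosing method starts and ends outside the hunk.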
@@ -1107,146 +1104,6 @@ class VaultEditor: # CIPHERS # ######################################## -class VaultAES: - - # this version has been obsoleted by the VaultAES256 class - # which uses encrypt-then-mac (fixing order) and also improving the KDF used - # code remains for upgrade purposes only - # http://stackoverflow.com/a/16761459 - - # Note: strings in this class should be byte strings by default. - - def __init__(self): - if not HAS_CRYPTOGRAPHY and not HAS_PYCRYPTO: - raise AnsibleError(NEED_CRYPTO_LIBRARY) - - @staticmethod - def _aes_derive_key_and_iv(b_password, b_salt, key_length, iv_length): - - """ Create a key and an initialization vector """ - - b_d = b_di = b'' - while len(b_d) < key_length + iv_length: - b_text = b''.join([b_di, b_password, b_salt]) - b_di = to_bytes(md5(b_text).digest(), errors='strict') - b_d += b_di - - b_key = b_d[:key_length] - b_iv = b_d[key_length:key_length + iv_length] - - return b_key, b_iv - - @staticmethod - def encrypt(b_plaintext, b_password, key_length=32): - - """ Read plaintext data from in_file and write encrypted to out_file """ - - raise AnsibleError("Encryption disabled for deprecated VaultAES class") - - @staticmethod - def _parse_plaintext_envelope(b_envelope): - # split out sha and verify decryption - b_split_data = b_envelope.split(b"\n", 1) - b_this_sha = b_split_data[0] - b_plaintext = b_split_data[1] - b_test_sha = to_bytes(sha256(b_plaintext).hexdigest()) - - return b_plaintext, b_this_sha, b_test_sha - - @classmethod - def _decrypt_cryptography(cls, b_salt, b_ciphertext, b_password, key_length): - - bs = algorithms.AES.block_size // 8 - b_key, b_iv = cls._aes_derive_key_and_iv(b_password, b_salt, key_length, bs) - cipher = C_Cipher(algorithms.AES(b_key), modes.CBC(b_iv), CRYPTOGRAPHY_BACKEND).decryptor() - unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder() - - try: - b_plaintext_envelope = unpadder.update( - cipher.update(b_ciphertext) + cipher.finalize() - ) + unpadder.finalize() - except 
ValueError: - # In VaultAES, ValueError: invalid padding bytes can mean bad - # password was given - raise AnsibleError("Decryption failed") - - b_plaintext, b_this_sha, b_test_sha = cls._parse_plaintext_envelope(b_plaintext_envelope) - - if b_this_sha != b_test_sha: - raise AnsibleError("Decryption failed") - - return b_plaintext - - @classmethod - def _decrypt_pycrypto(cls, b_salt, b_ciphertext, b_password, key_length): - in_file = BytesIO(b_ciphertext) - in_file.seek(0) - out_file = BytesIO() - - bs = AES_pycrypto.block_size - - b_key, b_iv = cls._aes_derive_key_and_iv(b_password, b_salt, key_length, bs) - cipher = AES_pycrypto.new(b_key, AES_pycrypto.MODE_CBC, b_iv) - b_next_chunk = b'' - finished = False - - while not finished: - b_chunk, b_next_chunk = b_next_chunk, cipher.decrypt(in_file.read(1024 * bs)) - if len(b_next_chunk) == 0: - if PY3: - padding_length = b_chunk[-1] - else: - padding_length = ord(b_chunk[-1]) - - b_chunk = b_chunk[:-padding_length] - finished = True - - out_file.write(b_chunk) - out_file.flush() - - # reset the stream pointer to the beginning - out_file.seek(0) - b_plaintext_envelope = out_file.read() - out_file.close() - - b_plaintext, b_this_sha, b_test_sha = cls._parse_plaintext_envelope(b_plaintext_envelope) - - if b_this_sha != b_test_sha: - raise AnsibleError("Decryption failed") - - return b_plaintext - - @classmethod - def decrypt(cls, b_vaulttext, secret, key_length=32): - - """ Decrypt the given data and return it - :arg b_data: A byte string containing the encrypted data - :arg b_password: A byte string containing the encryption password - :arg key_length: Length of the key - :returns: A byte string containing the decrypted data - """ - - display.deprecated(u'The VaultAES format is insecure and has been ' - 'deprecated since Ansible-1.5. 
Use vault rekey FILENAME to ' - 'switch to the newer VaultAES256 format', version='2.3') - # http://stackoverflow.com/a/14989032 - - b_vaultdata = _unhexlify(b_vaulttext) - b_salt = b_vaultdata[len(b'Salted__'):16] - b_ciphertext = b_vaultdata[16:] - - b_password = secret.bytes - - if HAS_CRYPTOGRAPHY: - b_plaintext = cls._decrypt_cryptography(b_salt, b_ciphertext, b_password, key_length) - elif HAS_PYCRYPTO: - b_plaintext = cls._decrypt_pycrypto(b_salt, b_ciphertext, b_password, key_length) - else: - raise AnsibleError(NEED_CRYPTO_LIBRARY + ' (Late detection)') - - return b_plaintext - - class VaultAES256: """ @@ -1470,6 +1327,5 @@ class VaultAES256: # Keys could be made bytes later if the code that gets the data is more # naturally byte-oriented CIPHER_MAPPING = { - u'AES': VaultAES, u'AES256': VaultAES256, } diff --git a/lib/ansible/playbook/base.py b/lib/ansible/playbook/base.py index daaa7c1065..6ac2c86c47 100644 --- a/lib/ansible/playbook/base.py +++ b/lib/ansible/playbook/base.py @@ -382,18 +382,11 @@ class FieldAttributeBase(with_metaclass(BaseMeta, object)): if isinstance(value, string_types) and '%' in value: value = value.replace('%', '') value = float(value) - elif attribute.isa in ('list', 'barelist'): + elif attribute.isa == 'list': if value is None: value = [] elif not isinstance(value, list): - if isinstance(value, string_types) and attribute.isa == 'barelist': - display.deprecated( - "Using comma separated values for a list has been deprecated. " - "You should instead use the correct YAML syntax for lists. " - ) - value = value.split(',') - else: - value = [value] + value = [value] if attribute.listof is not None: for item in value: if not isinstance(item, attribute.listof): diff --git a/lib/ansible/playbook/play.py b/lib/ansible/playbook/play.py index 0bcb2526b3..3457a2281f 100644 --- a/lib/ansible/playbook/play.py +++ b/lib/ansible/playbook/play.py 
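Review bot: With the `barelist` branch gone in the base.py hunk, a string value for a `list` attribute falls through to `value = [value]`, so an existing `gather_subset: "!all,network"` becomes the one-element list `['!all,network']` instead of being rejected. The other syntax removals in this commit raise an explicit error for the old form, whereas this one changes meaning silently and leaves any failure to whatever consumes the subset names, which is outside this diff. Consider rejecting a string containing `,` for `gather_subset` at load time in play.py, or at least adding a test that pins what a comma string now produces. The enclosing method continues outside the hunk.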
@@ -59,7 +59,7 @@ class Play(Base, Taggable, Become): # Facts _fact_path = FieldAttribute(isa='string', default=None) _gather_facts = FieldAttribute(isa='bool', default=None, always_post_validate=True) - _gather_subset = FieldAttribute(isa='barelist', default=None, always_post_validate=True) + _gather_subset = FieldAttribute(isa='list', default=None, always_post_validate=True) _gather_timeout = FieldAttribute(isa='int', default=None, always_post_validate=True) # Variable Attributes @@ -203,18 +203,7 @@ class Play(Base, Taggable, Become): if new_ds is not None: for prompt_data in new_ds: if 'name' not in prompt_data: - display.deprecated("Using the 'short form' for vars_prompt has been deprecated", version="2.7") - for vname, prompt in prompt_data.items(): - vars_prompts.append(dict( - name=vname, - prompt=prompt, - default=None, - private=None, - confirm=None, - encrypt=None, - salt_size=None, - salt=None, - )) + raise AnsibleParserError("Invalid vars_prompt data structure", obj=ds) else: vars_prompts.append(prompt_data) return vars_prompts diff --git a/lib/ansible/playbook/role/definition.py b/lib/ansible/playbook/role/definition.py index dddda27d80..658749c271 100644 --- a/lib/ansible/playbook/role/definition.py +++ b/lib/ansible/playbook/role/definition.py 
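Review bot: `raise AnsibleParserError("Invalid vars_prompt data structure", obj=ds)` in the `@@ -203` hunk does not say what is wrong with the entry. The only condition that reaches it is `'name' not in prompt_data`, so the message can state that: `raise AnsibleParserError("Invalid vars_prompt data structure, missing 'name' key", obj=ds)`. Playbooks still written in the removed short form will land here, and naming the key points their authors at the fix. The method's signature is outside the hunk.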
@@ -204,12 +204,7 @@ class RoleDefinition(Base, Become, Conditional, Taggable): # other mechanism where we exclude certain kinds of field attributes, # or make this list more automatic in some way so we don't have to # remember to update it manually. - if key not in base_attribute_names or key in ('connection', 'port', 'remote_user'): - if key in ('connection', 'port', 'remote_user'): - display.deprecated("Using '%s' as a role param has been deprecated. " % key + - "In the future, these values should be entered in the `vars:` " + - "section for roles, but for now we'll store it as both a param and an attribute.", version="2.7") - role_def[key] = value + if key not in base_attribute_names: # this key does not match a field attribute, so it must be a role param role_params[key] = value else: diff --git a/lib/ansible/playbook/role/include.py b/lib/ansible/playbook/role/include.py index 578e47ec9e..ddcdf80997 100644 --- a/lib/ansible/playbook/role/include.py +++ b/lib/ansible/playbook/role/include.py @@ -53,7 +53,7 @@ class RoleInclude(RoleDefinition): raise AnsibleParserError("Invalid role definition: %s" % to_native(data)) if isinstance(data, string_types) and ',' in data: - data = RoleRequirement.role_spec_parse(data) + raise AnsibleError("Invalid old style role requirement: %s" % data) ri = RoleInclude(play=play, role_basedir=current_role_path, variable_manager=variable_manager, loader=loader) return ri.load_data(data, variable_manager=variable_manager, loader=loader) diff --git a/lib/ansible/playbook/role/requirement.py b/lib/ansible/playbook/role/requirement.py index 0790404b2f..764d0c591f 100644 --- a/lib/ansible/playbook/role/requirement.py +++ b/lib/ansible/playbook/role/requirement.py 
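Review bot: In the include.py hunk, the added `raise AnsibleError("Invalid old style role requirement: %s" % data)` is written differently from the raise a few lines above it, which uses `AnsibleParserError` and `to_native(data)`. Using the same form, `raise AnsibleParserError("Invalid old style role requirement: %s" % to_native(data))`, keeps the two rejections of a bad role definition consistent. The import block is not in the hunk, so confirm that `AnsibleError` is imported in this file and whether `RoleRequirement` is still used here now that the call is gone. The same message is added in requirement.py (`@@ -152`), where it interpolates `name` directly.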
@@ -77,53 +77,6 @@ class RoleRequirement(RoleDefinition): trailing_path = trailing_path.split(',')[0] return trailing_path - @staticmethod - def role_spec_parse(role_spec): - # takes a repo and a version like - # git+http://git.example.com/repos/repo.git,v1.0 - # and returns a list of properties such as: - # { - # 'scm': 'git', - # 'src': 'http://git.example.com/repos/repo.git', - # 'version': 'v1.0', - # 'name': 'repo' - # } - display.deprecated("The comma separated role spec format, use the yaml/explicit format instead. Line that trigger this: %s" % role_spec, - version="2.7") - - default_role_versions = dict(git='master', hg='tip') - - role_spec = role_spec.strip() - role_version = '' - if role_spec == "" or role_spec.startswith("#"): - return (None, None, None, None) - - tokens = [s.strip() for s in role_spec.split(',')] - - # assume https://github.com URLs are git+https:// URLs and not - # tarballs unless they end in '.zip' - if 'github.com/' in tokens[0] and not tokens[0].startswith("git+") and not tokens[0].endswith('.tar.gz'): - tokens[0] = 'git+' + tokens[0] - - if '+' in tokens[0]: - (scm, role_url) = tokens[0].split('+') - else: - scm = None - role_url = tokens[0] - - if len(tokens) >= 2: - role_version = tokens[1] - - if len(tokens) == 3: - role_name = tokens[2] - else: - role_name = RoleRequirement.repo_url_to_role_name(tokens[0]) - - if scm and not role_version: - role_version = default_role_versions.get(scm, '') - - return dict(scm=scm, src=role_url, version=role_version, name=role_name) - @staticmethod def role_yaml_parse(role): @@ -152,8 +105,7 @@ class RoleRequirement(RoleDefinition): if 'role' in role: name = role['role'] if ',' in name: - # Old style: {role: "galaxy.role,version,name", other_vars: "here" } - role = RoleRequirement.role_spec_parse(role['role']) + raise AnsibleError("Invalid old style role requirement: %s" % name) else: del role['role'] role['name'] = name 
diff --git a/lib/ansible/plugins/action/__init__.py b/lib/ansible/plugins/action/__init__.py index 9f55f299aa..4af91a480a 100644 --- a/lib/ansible/plugins/action/__init__.py +++ b/lib/ansible/plugins/action/__init__.py @@ -377,30 +377,6 @@ class ActionBase(with_metaclass(ABCMeta, object)): return remote_path - def _fixup_perms(self, remote_path, remote_user=None, execute=True, recursive=True): - """ - We need the files we upload to be readable (and sometimes executable) - by the user being sudo'd to but we want to limit other people's access - (because the files could contain passwords or other private - information. - - Deprecated in favor of _fixup_perms2. Ansible code has been updated to - use _fixup_perms2. This code is maintained to provide partial support - for custom actions (non-recursive mode only). - - """ - if remote_user is None: - remote_user = self._play_context.remote_user - - display.deprecated('_fixup_perms is deprecated. Use _fixup_perms2 instead.', version='2.4', removed=False) - - if recursive: - raise AnsibleError('_fixup_perms with recursive=True (the default) is no longer supported. ' + - 'Use _fixup_perms2 if support for previous releases is not required. ' - 'Otherwise use fixup_perms with recursive=False.') - - return self._fixup_perms2([remote_path], remote_user, execute) - def _fixup_perms2(self, remote_paths, remote_user=None, execute=True): """ We need the files we upload to be readable (and sometimes executable) diff --git a/lib/ansible/plugins/action/service.py b/lib/ansible/plugins/action/service.py index fc084194c1..c07113c06b 100644 --- a/lib/ansible/plugins/action/service.py +++ b/lib/ansible/plugins/action/service.py 
@@ -65,11 +65,6 @@ class ActionModule(ActionBase): if 'use' in new_module_args: del new_module_args['use'] - # for backwards compatibility - if 'state' in new_module_args and new_module_args['state'] == 'running': - self._display.deprecated(msg="state=running is deprecated. Please use state=started", version="2.7") - new_module_args['state'] = 'started' - if module in self.UNUSED_PARAMS: for unused in self.UNUSED_PARAMS[module]: if unused in new_module_args: diff --git a/test/integration/targets/gathering_facts/test_gathering_facts.yml b/test/integration/targets/gathering_facts/test_gathering_facts.yml index 9dd0960dba..5924a15649 100644 --- a/test/integration/targets/gathering_facts/test_gathering_facts.yml +++ b/test/integration/targets/gathering_facts/test_gathering_facts.yml @@ -15,7 +15,7 @@ hosts: facthost21 tags: [ 'fact_network' ] connection: local - gather_subset: "!all,network" + gather_subset: ["!all", "network"] gather_facts: yes tasks: - name: Test that retrieving network facts works and gets prereqs from platform and distribution @@ -69,7 +69,7 @@ hosts: facthost23 tags: [ 'fact_service_mgr' ] connection: local - gather_subset: "!all,service_mgr" + gather_subset: ["!all", "service_mgr"] gather_facts: yes tasks: - name: Test that retrieving service_mgr facts works and gets prereqs from platform and distribution @@ -195,7 +195,7 @@ - hosts: facthost2 tags: [ 'fact_network' ] connection: local - gather_subset: "!all,!min,network" + gather_subset: ["!all", "!min", "network"] gather_facts: yes tasks: - name: Test that retrieving network facts work @@ -237,7 +237,7 @@ - hosts: facthost5 tags: [ 'fact_comma_string' ] connection: local - gather_subset: "virtual,network" + gather_subset: ["virtual", "network"] gather_facts: yes tasks: - name: Test that retrieving virtualization and network as a string works 
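Review bot: The play in the `@@ -237` hunk of test_gathering_facts.yml is still tagged `fact_comma_string` and its task is still named "Test that retrieving virtualization and network as a string works", but it now passes a YAML list. The name and tag therefore describe a case that is no longer exercised. Rename them to describe the list form, after checking whether the tag is referenced by the target's runner script, which is not shown. Consider also adding a play that feeds the old comma string, so that the new behaviour for that input is pinned by a test.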
@@ -288,7 +288,7 @@ - hosts: facthost8 tags: [ 'fact_mixed_negation_addition' ] connection: local - gather_subset: "!hardware,network" + gather_subset: ["!hardware", "network"] gather_facts: yes tasks: - name: Test that negation and additional subsets work together @@ -302,7 +302,7 @@ - hosts: facthost14 tags: [ 'fact_mixed_negation_addition_min' ] connection: local - gather_subset: "!all,!min,network" + gather_subset: ["!all", "!min", "network"] gather_facts: yes tasks: - name: Test that negation and additional subsets work together for min subset @@ -319,7 +319,7 @@ - hosts: facthost15 tags: [ 'fact_negate_all_min_add_pkg_mgr' ] connection: local - gather_subset: "!all,!min,pkg_mgr" + gather_subset: ["!all", "!min", "pkg_mgr"] gather_facts: yes tasks: - name: Test that negation and additional subsets work together for min subset diff --git a/test/integration/targets/vault/format_1_0_AES.yml b/test/integration/targets/vault/format_1_0_AES.yml deleted file mode 100644 index f71ddf10ce..0000000000 --- a/test/integration/targets/vault/format_1_0_AES.yml +++ /dev/null @@ -1,4 +0,0 @@ -$ANSIBLE_VAULT;1.0;AES -53616c7465645f5fd0026926a2d415a28a2622116273fbc90e377225c12a347e1daf4456d36a77f9 -9ad98d59f61d06a4b66718d855f16fb7bdfe54d1ec8aeaa4d06c2dc1fa630ae1846a029877f0eeb1 -83c62ffb04c2512995e815de4b4d29ed diff --git a/test/integration/targets/vault/format_1_1_AES.yml b/test/integration/targets/vault/format_1_1_AES.yml deleted file mode 100644 index 488eceb3d0..0000000000 --- a/test/integration/targets/vault/format_1_1_AES.yml +++ /dev/null @@ -1,4 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES -53616c7465645f5fc107ce1ef4d7b455e038a13b053225776458052f8f8f332d554809d3f150bfa3 -fe3db930508b65e0ff5947e4386b79af8ab094017629590ef6ba486814cf70f8e4ab0ed0c7d2587e -786a5a15efeb787e1958cbdd480d076c diff --git a/test/integration/targets/vault/runme.sh b/test/integration/targets/vault/runme.sh index 0de80d63bc..1dee54a9e5 100755 --- a/test/integration/targets/vault/runme.sh 
+++ b/test/integration/targets/vault/runme.sh @@ -106,23 +106,6 @@ if [ -x "$(command -v setsid)" ]; then cat log fi -# old format -ansible-vault view "$@" --vault-password-file vault-password-ansible format_1_0_AES.yml - -ansible-vault view "$@" --vault-password-file vault-password-ansible format_1_1_AES.yml - -# old format, wrong password -echo "The wrong password tests are expected to return 1" -ansible-vault view "$@" --vault-password-file vault-password-wrong format_1_0_AES.yml && : -WRONG_RC=$? -echo "rc was $WRONG_RC (1 is expected)" -[ $WRONG_RC -eq 1 ] - -ansible-vault view "$@" --vault-password-file vault-password-wrong format_1_1_AES.yml && : -WRONG_RC=$? -echo "rc was $WRONG_RC (1 is expected)" -[ $WRONG_RC -eq 1 ] - ansible-vault view "$@" --vault-password-file vault-password-wrong format_1_1_AES256.yml && : WRONG_RC=$? echo "rc was $WRONG_RC (1 is expected)" diff --git a/test/units/parsing/vault/test_vault.py b/test/units/parsing/vault/test_vault.py index 7035a225fb..20c64a9b20 100644 --- a/test/units/parsing/vault/test_vault.py +++ b/test/units/parsing/vault/test_vault.py 
@@ -751,20 +751,6 @@ class TestVaultLib(unittest.TestCase): self.assertEqual(cipher_name, u'TEST', msg="cipher name was not properly set") self.assertEqual(b_version, b"9.9", msg="version was not properly set") - def test_encrypt_decrypt_aes(self): - self.v.cipher_name = u'AES' - vault_secrets = self._vault_secrets_from_password('default', 'ansible') - self.v.secrets = vault_secrets - # AES encryption code has been removed, so this is old output for - # AES-encrypted 'foobar' with password 'ansible'. - b_vaulttext = b'''$ANSIBLE_VAULT;1.1;AES -53616c7465645f5fc107ce1ef4d7b455e038a13b053225776458052f8f8f332d554809d3f150bfa3 -fe3db930508b65e0ff5947e4386b79af8ab094017629590ef6ba486814cf70f8e4ab0ed0c7d2587e -786a5a15efeb787e1958cbdd480d076c -''' - b_plaintext = self.v.decrypt(b_vaulttext) - self.assertEqual(b_plaintext, b"foobar", msg="decryption failed") - def test_encrypt_decrypt_aes256(self): self.v.cipher_name = u'AES256' plaintext = u"foobar" @@ -929,13 +915,6 @@ fe3db930508b65e0ff5947e4386b79af8ab094017629590ef6ba486814cf70f8e4ab0ed0c7d2587e self.assertEqual('ansible_devel', vault_id) self.assertEqual(b'1.2', b_version) - def test_encrypt_encrypted(self): - self.v.cipher_name = u'AES' - b_vaulttext = b"$ANSIBLE_VAULT;9.9;TEST\n%s" % hexlify(b"ansible") - vaulttext = to_text(b_vaulttext, errors='strict') - self.assertRaises(errors.AnsibleError, self.v.encrypt, b_vaulttext) - self.assertRaises(errors.AnsibleError, self.v.encrypt, vaulttext) - def test_decrypt_decrypted(self): plaintext = u"ansible" self.assertRaises(errors.AnsibleError, self.v.decrypt, plaintext) diff --git a/test/units/parsing/vault/test_vault_editor.py b/test/units/parsing/vault/test_vault_editor.py index b416bb2c84..b9166a334b 100644 --- a/test/units/parsing/vault/test_vault_editor.py +++ b/test/units/parsing/vault/test_vault_editor.py 
@@ -36,11 +36,6 @@ from ansible.module_utils._text import to_bytes, to_text from units.mock.vault_helper import TextVaultSecret -v10_data = """$ANSIBLE_VAULT;1.0;AES -53616c7465645f5fd0026926a2d415a28a2622116273fbc90e377225c12a347e1daf4456d36a77f9 -9ad98d59f61d06a4b66718d855f16fb7bdfe54d1ec8aeaa4d06c2dc1fa630ae1846a029877f0eeb1 -83c62ffb04c2512995e815de4b4d29ed""" - v11_data = """$ANSIBLE_VAULT;1.1;AES256 62303130653266653331306264616235333735323636616539316433666463323964623162386137 3961616263373033353631316333623566303532663065310a393036623466376263393961326530 @@ -458,33 +453,6 @@ class TestVaultEditor(unittest.TestCase): self.assertTrue(os.path.exists(tmp_file.name)) - def test_decrypt_1_0(self): - # Skip testing decrypting 1.0 files if we don't have access to AES, KDF or Counter. - v10_file = tempfile.NamedTemporaryFile(delete=False) - with v10_file as f: - f.write(to_bytes(v10_data)) - - ve = self._vault_editor(self._secrets("ansible")) - - # make sure the password functions for the cipher - error_hit = False - try: - ve.decrypt_file(v10_file.name) - except errors.AnsibleError: - error_hit = True - raise - - # verify decrypted content - f = open(v10_file.name, "rb") - fdata = to_text(f.read()) - f.close() - - os.unlink(v10_file.name) - - assert error_hit is False, "error decrypting 1.0 file" - self.assertEqual(fdata.strip(), "foo") - assert fdata.strip() == "foo", "incorrect decryption of 1.0 file: %s" % fdata.strip() - def test_decrypt_1_1(self): v11_file = tempfile.NamedTemporaryFile(delete=False) with v11_file as f: 
@@ -509,43 +477,6 @@ class TestVaultEditor(unittest.TestCase): assert error_hit is False, "error decrypting 1.1 file" assert fdata.strip() == "foo", "incorrect decryption of 1.1 file: %s" % fdata.strip() - def test_rekey_migration(self): - v10_file = tempfile.NamedTemporaryFile(delete=False) - with v10_file as f: - f.write(to_bytes(v10_data)) - - ve = self._vault_editor(self._secrets("ansible")) - - # make sure the password functions for the cipher - error_hit = False - new_secrets = self._secrets("ansible2") - try: - ve.rekey_file(v10_file.name, vault.match_encrypt_secret(new_secrets)[1]) - except errors.AnsibleError: - error_hit = True - - # verify decrypted content - f = open(v10_file.name, "rb") - fdata = f.read() - f.close() - - assert error_hit is False, "error rekeying 1.0 file to 1.1" - - # ensure filedata can be decrypted, is 1.1 and is AES256 - vl = VaultLib(new_secrets) - dec_data = None - error_hit = False - try: - dec_data = vl.decrypt(fdata) - except errors.AnsibleError: - error_hit = True - - os.unlink(v10_file.name) - - self.assertIn(b'AES256', fdata, 'AES256 was not found in vault file %s' % to_text(fdata)) - assert error_hit is False, "error decrypting migrated 1.0 file" - assert dec_data.strip() == b"foo", "incorrect decryption of rekeyed/migrated file: %s" % dec_data - def test_real_path_dash(self): filename = '-' ve = self._vault_editor() diff --git a/test/units/playbook/test_base.py b/test/units/playbook/test_base.py index b4723cd83a..6562af9997 100644 --- a/test/units/playbook/test_base.py +++ b/test/units/playbook/test_base.py 
@@ -348,7 +348,6 @@ class BaseSubClass(base.Base): _test_attr_list_no_listof = FieldAttribute(isa='list', always_post_validate=True) _test_attr_list_required = FieldAttribute(isa='list', listof=string_types, required=True, default=[], always_post_validate=True) - _test_attr_barelist = FieldAttribute(isa='barelist', always_post_validate=True) _test_attr_string = FieldAttribute(isa='string', default='the_test_attr_string_default_value') _test_attr_string_required = FieldAttribute(isa='string', required=True, default='the_test_attr_string_default_value') @@ -610,11 +609,6 @@ class TestBaseSubClass(TestBase): self.assertRaisesRegexp(AnsibleParserError, 'cannot have empty values', bsc.post_validate, templar) - def test_attr_barelist(self): - ds = {'test_attr_barelist': 'comma,separated,values'} - bsc = self._base_validate(ds) - self.assertEquals(['comma', 'separated', 'values'], bsc._attributes['test_attr_barelist']) - def test_attr_unknown(self): a_list = ['some string'] ds = {'test_attr_unknown_isa': a_list}