1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

Fix --ask-vault-pass prompt to match old when poss (#27602)

If we don't use more than one vault-id, and we use
--ask-vault-pass, instead of using the new vault prompt
format ('Vault password (my_vault_id): ') we use the old
one ('Vault password: ').

This avoids confusing Tower when it needs to detect an
interactive vault password prompt.

This also potentially could allow vault password prompts
to be customized per vault_id.
This commit is contained in:
Adrian Likins 2017-08-01 16:39:54 -04:00 committed by GitHub
parent 37392318a6
commit 9f57920eab
2 changed files with 20 additions and 10 deletions

View file

@ -194,7 +194,7 @@ class CLI(with_metaclass(ABCMeta, object)):
vault_ids.append(id_slug)
if ask_vault_pass:
id_slug = u'%s@%s' % (C.DEFAULT_VAULT_IDENTITY, u'prompt')
id_slug = u'%s@%s' % (C.DEFAULT_VAULT_IDENTITY, u'prompt_ask_vault_pass')
vault_ids.append(id_slug)
return vault_ids
@ -206,11 +206,17 @@ class CLI(with_metaclass(ABCMeta, object)):
# list of tuples
vault_secrets = []
# Depending on the vault_id value (including how --ask-vault-pass / --vault-password-file create a vault_id)
# we need to show different prompts. This is for compat with older Towers that expect a
# certain vault password prompt format, so 'promp_ask_vault_pass' vault_id gets the old format.
prompt_formats = {}
if create_new_password:
prompt_formats = ['New vault password (%s): ',
'Confirm vew vault password (%s): ']
prompt_formats['prompt'] = ['New vault password (%(vault_id)s): ',
'Confirm vew vault password (%(vault_id)s): ']
else:
prompt_formats = ['Vault password (%s): ']
prompt_formats['prompt'] = ['Vault password (%(vault_id)s): ']
# The format when we use just --ask-vault-pass needs to match 'Vault password:\s*?$'
prompt_formats['prompt_ask_vault_pass'] = ['Vault password: ']
vault_ids = CLI.build_vault_ids(vault_ids,
vault_password_files,
@ -218,15 +224,19 @@ class CLI(with_metaclass(ABCMeta, object)):
for index, vault_id_slug in enumerate(vault_ids):
vault_id_name, vault_id_value = CLI.split_vault_id(vault_id_slug)
if vault_id_value == 'prompt':
# TODO: we could assume --vault-id=prompt implies --ask-vault-pass
# if not, we need to 'if ask_vault_pass' here
if vault_id_value in ['prompt', 'prompt_ask_vault_pass']:
# --vault-id some_name@prompt_ask_vault_pass --vault-id other_name@prompt_ask_vault_pass will be a little
# confusing since it will use the old format without the vault id in the prompt
if vault_id_name:
prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats, vault_id=vault_id_name)
prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats[vault_id_value],
vault_id=vault_id_name)
prompted_vault_secret.load()
vault_secrets.append((vault_id_name, prompted_vault_secret))
else:
prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats,
# ie, we used --ask-vault-pass, so we need to use the old vault password prompt
# format since Tower needs to match on that format.
prompted_vault_secret = PromptVaultSecret(prompt_formats=prompt_formats[vault_id_value],
vault_id=C.DEFAULT_VAULT_IDENTITY)
prompted_vault_secret.load()
vault_secrets.append((C.DEFAULT_VAULT_IDENTITY, prompted_vault_secret))

View file

@ -259,7 +259,7 @@ class PromptVaultSecret(VaultSecret):
b_vault_passwords = []
for prompt_format in self.prompt_formats:
prompt = prompt_format % self.vault_id
prompt = prompt_format % {'vault_id': self.vault_id}
try:
vault_pass = display.prompt(prompt, private=True)
except EOFError: