* update version parsing and move requirements to nso_* modules
prepare for introduction of nso_show module that has other version
requirements than the existing nso_* modules.
* Add nso_show module for retreiving config from Cisco NSO
New module that supports getting configuration and operational data
from Cisco NSO.
Shell is implemented via the command module. There was a special case
in mod_args to do that. Make shell into an action plugin to handle that
instead.
Also move the special case for the command nanny into a command module
action plugin. This is more appropriate as we then do not have to send
a parameter that is only for the command module to every single module.
* WIP adds network subnetting functions
* adds functions to convert between netmask and masklen
* adds functions to verify netmask and masklen
* adds function to dtermine network and subnet from address / mask pair
* network_common: add a function to get the first 48 bits in a IPv6 address.
ec2_group: only use network bits of a CIDR.
* Add tests for CIDRs with host bits set.
* ec2_group: add warning if CIDR isn't the networking address.
* Fix pep8.
* Improve wording.
* fix import for network utils
* Update tests to use pytest instead of unittest
* add test for to_ipv6_network()
* Fix PEP8
This fix check if DNS4 is None or not before proceeding with
other operations. Also, added unit test for this change.
Signed-off-by: Fedor Sumkin <qosys.net@gmail.com>
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Split the one monolithic test for basic.py into several files
* Split test_basic.py along categories.
This is preliminary to get a handle on things. Eventually we may want
to further split it so each file is only testing a single function.
* Cleanup unused imports from splitting test_basic.py
* Port atomic_move test to pytest.
Working on getting rid of need to maintain procenv
* Split a test of symbolic_mode_to_octal to follow unittest best practices
Each test should only invoke the function under test once
* Port test_argument_spec to pytest.
* Fix suboptions failure
* Fixing aruba's inconsitent indenting.
* Adding config with different children indentation and unit test to confirm the different spacing does not matter.
* Fixing pylint check. Missed an r prefix.
* When inserting a new rule in `insert_after_rule`, check if the old rule is
the last rule, to avoid a list index out of range error when attempting to
access the next rule.
* Add a test for inserting a new rule after the last rule.
Allow CamelCase version of snake_dict_to_camel_dict
(currently only dromedaryCase is supported)
Add reversible option to camel_dict_to_snake_dict
Add tests for both of these options
* TestPlaybookCLI: '--flush-cache' were ignored
Check that using '--flush-cache' does something
* check that '_flush_cache' does something
There isn't any fact by default: the assertion was true even if
'cli._flush_cache()' isn't called.
* Fixing save so it still works. Adding changed as an option for save_when.
* Updating unit tests.
* Updating description to state that changed was added in 2.5.
* Change cast_list_to_dict to more generic rekey_on_member
cast_list_to_dict was taking an arbitrary data format in and returning
an arbitrary data format out. Rework this to be a more generic function
which creates a dict of dicts based on a member of the dict.
Remove cast_dict_to_list since rekey_on_member handles the use cases we
know about and cast_dict_to_list suffers from the same problems as
cast_list_to_dict. If this is still needed we could think about filters
we could add to do this in a short jinja2 pipeline.
* Fix bare excepts (bare excepts even catch sys.exit())
* Fix _clean_result for debug callback with 1 char var names
The check in _clean_results was removing any keys that happened
to be one of the chars in ('invocation') instead of the string
'invocation'. This was meant to be a tuple but there was no comma
so the for iterated the string instead of the tuple.
Introduced in 9dba580204fcc7d95d4ca2ea2ae4ce23fe28c2ed
Update unit test to catch this.
Fixes#33723
* Use .pop() to remove invocation from results dict
In base callback _clean_results, simplify the way the
'invocation' item is removed.
Add some more unit tests.
* Deprecate Entity, EntityCollection and use subspec in network modules
* As per proposal https://github.com/ansible/proposals/issues/76
deprecate use of Entity, EntityCollection, ComplexDict, ComplexList
and use subspec instead.
* Refactor ios modules
* Refactor eos modules
* Refactor vyos modules
* Refactor nxos modules
* Refactor iosxr modules
* Add support for key in suboptions handling
* Fix CI issues
* - Netconf plugin addition for iosxr
- Utilities refactoring to support netconf and cliconf
- iosx_banner refactoring for netconf and cliconf
- Integration testcases changes to accomodate above changes
* Fix sanity failures, shippable errors and review comments
* fix pep8 issue
* changes run_command method to send specific command args
* - Review comment fixes
- iosxr_command changes to remove ComplexDict based command_spec
* - Move namespaces removal method from utils to netconf plugin
* Minor refactoring in utils and change in deprecation message
* rewrite build_xml logic and import changes for new utils dir structure
* - Review comment changes and minor changes to documentation
* * refactor common code and docs updates
In case of workflow delete action, the returned 404 status code
considered as invalid although it's a valid code for not found (deleted)
entity.
Removed verification of the status. Only success should be verified.
Fixes#33524
* Porting tests to pytest
* Achievement Get: No longer need mock/generator.py
* Now done via pytest's parametrization
* Port safe_eval to pytest
* Port text tests to pytest
* Port test_set_mode_if_different to pytest
* Change conftest AnsibleModule fixtures to be more flexible
* Move the AnsibleModules fixtures to module_utils/conftest.py for sharing
* Testing the argspec code requires:
* injecting both the argspec and the arguments.
* Patching the arguments into sys.stdin at a different level
* More porting to obsolete mock/procenv.py
* Port run_command to pytest
* Port known_hosts tests to pytest
* Port safe_eval to pytest
* Port test_distribution_version.py to pytest
* Port test_log to pytest
* Port test__log_invocation to pytest
* Remove unneeded import of procenv in test_postgresql
* Port test_pip to pytest style
* As part of this, create a pytest ansiblemodule fixture in
modules/conftest.py. This is slightly different than the
approach taken in module_utils because here we need to override the
AnsibleModule that the modules will inherit from instead of one that
we're instantiating ourselves.
* Fixup usage of parametrization in test_deprecate_warn
* Check that the pip module failed in our test
* Refactor common network shared and platform specific code into package (part-1)
As per proposal #76 refactor common network shared and platform specific
code into sub-package.
https://github.com/ansible/proposals/issues/76
* ansible.module_utils.network.common - command shared functions
* ansible.module_utils.network.{{ platform }} - where platform is platform specific shared functions
* Fix review comments
* Fix review comments
* Refactors bigip_node
Includes a number of fixes and enhancements in addition to refactoring
the code to be inline with f5 standards
* Fixes upstream errors
* Adds bigip_policy_rule module
This module is the second component of managing LTM policies on
BIG-IP. This module lets you manage the rules of a policy
* Fixing upstream errors
* Correcting YAML errors
* Fixes and features for bigip_provision
Adds support for dedicated modules. Fixes bug in minimum name.
Adds wrappers around checking for up-ness so that they will contribute
to the watch loop
* Fixes upstream errors
* Added . and / to rule args regexp
Things like pam_echo.so file=/etc/foo.txt weren't being matched and
causing incorrect change counts. Adding / and . fixed that.
Fixes#33351
* pamd: test argument with value
Relates #33351
* Adding module enos_config and its UT files
* Removing trailing line
* Removing trailing lines
* Editing enos_module.py to fix build errors
* Removing blank lines in end
* Updating enos_config.py based on review comments
* Adding one more blank line
* Removing training white space
* Removing test_enos_config_force method from UT
* Updating documentation
* Comments by John, Remove version_added: "2.5"
* Add netscaler_nitro_request module
* Make changes as requested.
* Fix whitepsace in EXAMPLES block.
* Set module changed status according to operation performed.
* Added support to Datacenter resources in HPE OneView
* Adjusting comments in oneview_datacenter_facts
* Adding no_log on the documentation
* Using Pytest to Oneview DatacenterFactsModule tests
* Warn on tests used as filters
* Update docs, add aliases for tests that fit more gramatically with test syntax
* Fix rst formatting
* Add successful filter, alias of success
* Remove renamed_deprecation, it was overkill
* Make directory alias for is_dir
* Update tests to use proper jinja test syntax
* Update additional documentation, living outside of YAML files, to reflect proper jinja test syntax
* Add conversion script, porting guide updates, and changelog updates
* Update newly added uses of tests as filters
* No underscore variable
* Convert recent tests as filter changes to win_stat
* Fix some changes related to rebasing a few integration tests
* Make tests_as_filters_warning explicitly accept the name of the test, instead of inferring the name
* Add test for tests_as_filters_warning
* Update tests as filters in newly added/modified tests
* Address recent changes to several integration tests
* Address recent changes in cs_vpc
* add type manipulation
* update for py3
* add tests for list to dict
* Add dict to list tests
* Update tests to search for regex in response
* pep8 clean up
* update Exception for py3
* update test to be py2/3 compat
* update for py26 compat
* potential fix for py3 and py26
* potential fix for py3 and py26 take2
* add new line to kick off shippable
* remove cache file created
* fix filter name
* add space for shipable
* Fix junos integration test fixes as per connection refactor (#33050)
Refactor netconf connection plugin to work with netconf plugin
* Fix junos integration test fixes as per connection refactor (#33050)
Refactor netconf connection plugin to work with netconf plugin
Fix CI failure
Fix unit test failure
Fix review comments
* Adding aliases for field attributes and renaming async attribute
As of Python 3.7, the use of async raises an error, whereas before the use
of the reserved word was ignored. This adds an alias field for field attrs
so that both async and async_val (interally) work. This allows us to be
backwards-compatible with 3rd party plugins that may still reference Task.async,
but for the core engine to work on Py3.7+.
* Remove files fixed for 'async' usage from the python 3.7 skip list
* Allow the user to circumvent adding -tt on ssh commands to help aid in
debugging ssh related problems.
* Move config to the plugin
* Set version_added
* Change yaml section to "connection"
* Fix ssh unit tests
* jsonify inventory
* smarter import, dont pass kwargs where not needed
* added datetime
* Eventual plan for json utilities to migrate to common/json_utils when we split
basic.py no need to move jsonify to another file now as we'll do that later.
* json_dict_bytes_to_unicode and json_dict_unicode_to_bytes will also
change names and move to common/text.py at that time (not to json).
Their purpose is to recursively change the elements of a container
(dict, list, set, tuple) into text or bytes, not to json encode or
decode (they could be a generic precursor to that but are not limited
to that.)
* Reimplement the private _SetEncoder which changes sets and datetimes
into objects that are json serializable into a private function
instead. Functions are more flexible, less overhead, and simpler than
an object.
* Remove code that handled simplejson-1.5.x and earlier. Raise an error
if that's the case instead.
* We require python-2.6 or better which has the json module builtin to
the stdlib. So this is only an issue if the stdlib json has been
overridden by a third party module and the simplejson on the system
is 1.5.x or less. (1.5 was released on 2007-01-18)
* Add new filter to parse xml output for network use cases
Fixes#31026
* Add parse_xml filter
* Add documentation for parse_xml filter
* Edited for clarity.
* Fix review comment and add unit tests
* Fix unit test CI failure
* Fix CI issues
* Fix unit test failures
* Fix review comments
* More copy edits.
* Adding RPC attribute arguments to `junos_rpc` network module.
* Specifying module argument version.
* Fixing DOCUMENTATION block.
* First attempt at new test fixture.
* Updated RPC_CLI_MAP.
* Use `result` instead of `reply`.
This module can be used to manage guests on a vCMP provisioned BIG-IP.
vCMP is a hardware-only feature, therefore this module cannot be used
on the VE editions of BIG-IP.
* move set_module_args to units.modules.utils
* unit tests: reuse set_module_args
* unit tests: mock exit/fail_json in module.utils.ModuleTestCase
* unit tests: use module.utils.ModuleTestCase
* unit tests: fix 'import shadowed by loop variable'
* included inventory and callback in new config
allow inventory to be configurable
updated connection options settings
also updated winrm to work with new configs
removed now obsolete set_host_overrides
added notes for future bcoca, current one is just punting, it's future's problem
updated docs per feedback
added remove group/host methods to inv data
moved fact cache from data to constructed
cleaner/better options
fix when vars are added
extended ignore list to config dicts
updated paramiko connection docs
removed options from base that paramiko already handles
left the look option as it is used by other plugin types
resolve delegation
updated cache doc options
fixed test_script
better fragment merge for options
fixed proxy command
restore ini for proxy
normalized options
moved pipelining to class
updates for host_key_checking
restructured mixins
* fix typo
* Fix vault --ask-vault-pass with no tty
2.4.0 added a check for isatty() that would skip setting up interactive
vault password prompts if not running on a tty.
But... getpass.getpass() will fallback to reading from stdin if
it gets that far without a tty. Since 2.4.0 skipped the interactive
prompts / getpass.getpass() in that case, it would never get a chance
to fall back to stdin.
So if 'echo $VAULT_PASSWORD| ansible-playbook --ask-vault-pass site.yml'
was ran without a tty (ie, from a jenkins job or via the vagrant
ansible provisioner) the 2.4 behavior was different than 2.3. 2.4
would never read the password from stdin, resulting in a vault password
error like:
ERROR! Attempting to decrypt but no vault secrets found
Fix is just to always call the interactive password prompts based
on getpass.getpass() on --ask-vault-pass or --vault-id @prompt and
let getpass sort it out.
* up test_prompt_no_tty to expect prompt with no tty
We do call the PromptSecret class if there is no tty, but
we are back to expecting it to read from stdin in that case.
* Fix logic for when to auto-prompt vault pass
If --ask-vault-pass is used, then pretty much always
prompt.
If it is not used, then prompt if there are no other
vault ids provided and 'auto_prompt==True'.
Fixes vagrant bug https://github.com/hashicorp/vagrant/issues/9033Fixes#30993
* Adding git_command module and its UT file
* Changing Author Name and removing 2 blank lines
* Removing blank lines
* Adding enos_config and its UT files
* Removing config module as I am allowed to have only module per PR
* Work on Ganesh's Review comments
* John Review Comments on enos_command.py
* Review comments of John
* Add mtu option nxos_interface feature idea
Signed-off-by: Trishna Guha <trishnaguha17@gmail.com>
* Add unit test for mtu feature
Signed-off-by: Trishna Guha <trishnaguha17@gmail.com>
* Better handling of malformed vault data envelope
If an embedded vaulted variable ('!vault' in yaml)
had an invalid format, it would eventually cause
an error for seemingly unrelated reasons.
"Invalid" meaning not valid hexlify (extra chars,
non-hex chars, etc).
For ex, if a host_vars file had invalid vault format
variables, on py2, it would cause an error like:
'ansible.vars.hostvars.HostVars object' has no
attribute u'broken.example.com'
Depending on where the invalid vault is, it could
also cause "VARIABLE IS NOT DEFINED!". The behavior
can also change if ansible-playbook is py2 or py3.
Root cause is errors from binascii.unhexlify() not
being handled consistently.
Fix is to add a AnsibleVaultFormatError exception and
raise it on any unhexlify() errors and to handle it
properly elsewhere.
Add a _unhexlify() that try/excepts around a binascii.unhexlify()
and raises an AnsibleVaultFormatError on invalid vault data.
This is so the same exception type is always raised for this
case. Previous it was different between py2 and py3.
binascii.unhexlify() raises a binascii.Error if the hexlified
blobs in a vault data blob are invalid.
On py2, binascii.Error is a subclass of Exception.
On py3, binascii.Error is a subclass of TypeError
When decrypting content of vault encrypted variables,
if a binascii.Error is raised it propagates up to
playbook.base.Base.post_validate(). post_validate()
handles exceptions for TypeErrors but not for
base Exception subclasses (like py2 binascii.Error).
* Add a display.warning on vault format errors
* Unit tests for _unhexlify, parse_vaulttext*
* Add intg test cases for invalid vault formats
Fixes#28038
* implements jsonrpc message passing for ansible-connection
* implements more generic mechanism for persistent connections
* starts persistent connection in task_executor if enabled and supported
* supports using network_cli as top level connection plugin
* enhances logging for persistent connection to stdout
* Update action plugins
* Fix Python3 RPC
* Fix Junos bytes<-->str issues
* supports using netconf as top level connection plugin
* Error message when running netconf on an unsupported platform
* Update tests
* Fix `authorize: yes` for `connection: local`
* Handle potentially JSON data in terminal
* Add clarifying detail if possible on ConnectionError
* Squashing all commits to one as suggested by John
* Adding Unit test method for the module enos_facts.py
* Pep8 and Ylint issues addressed
* Trying again to remove blank line. Some scripts are required for this.
* Bug Fixing for interfaces
* Editing for over indenting issue
* E203 whitespace before ','
* Update enos.py
Added warnings argument as to check_args method
* Update enos_facts.py
Added warnings to check_args method
* When getting the stack events we need to consider the case where we don't have ClientRequestToken fixes#32396
* Adding tests for the case when the ClientRequestToken is not present in the stack creation.
* Renaming the stack that the test for Client Request Token requires so it won't cause collisions with the basic test.
* Ensure include_role unit tests check something
This is not the case: get_tasks_vars doesn't yield
* Fix include_role unit tests
Since e609618274, include_role are not
static anymore.
* Add some tests for iptables
* Fix remove bug (calls 2 times check to remove a chain)
* Add me as maintainer
* Fix PEP8
* Doc: Give more information on issue #18988
* Fix#18988 and test it
* Fix doc (thanks Pillou)
* enable PEP8 check for iptables
This patch addresses a number of issues, large and small, that were
identified by users in the downstream repo.
* formatting of some code
* specific option combinations leading to errors
* missing includes for unit tests
* ios_logging: Fix typo in documentation
* ios_logging: Fix traceback when setting buffered destination without size
When the size parameter is not configured while configuring the buffered
destination, a traceback occurs due to the fact that validate_size expects the
parameter to be an int. Explicitely converting value to int makes the
check work for every case.
* ios_logging: Update size parameter documentation
Update the documentation of the size paramter to reflect the current behaviour
of setting a default of 4096 for the buffered dest.
* ios_logging: Add unit test
Add unit test for ios_logging testing the behaviour clarified in the previous
commits.
* ios_logging: Fix python 2.6 compliance
This module's purpose is to specifically manage the ssl keys. It
is essentially the key component of the bigip_ssl_certificate module.
The modules were separated and the key portion deprecated from
bigip_ssl_certificate in favor of this module.
* - Adds iosxr_netconf module to configure netcong service on Cisco
IOS-XR devices
* - Adds Integration test for module
- Handles diff return from load_config
* - Adds unit test for iosxr_netconf module
* Start using ClientRequestTokens in event lists
* Include request token in all reqs that support it (basically all but check mode/changeset)
* Update placebo recordings
* Add comments for CRQ popping
Module allows you to wait for a bigip device to be
"ready" for configuration. This module will wait for things like
the device coming online as well as the REST API and MCPD being
ready.
If all of the above is not online and ready, then no configuration
will be able to be made.
* better cleanup on task results display
callbacks get 'clean' copy of result objects
moved cleanup into result object itself
removed now redundant callback cleanup
moved no_log tests
* moved import as per feedback
In this refactor we moved to the most recent coding standards for
both F5 and Ansible. Many bugs were fixed and some features were
also added (such as ipv6 support).
New conventions for ansible warrant fixes to accomodate those
in bigip_partition.
This patch also includes an import fix that can raise an error when
Ansible unit tests run
This adds a new type of vault-password script (a 'client') that takes advantage of and enhances the
multiple vault password support.
If a vault password script basename ends with the name '-client', consider it a vault password script client.
A vault password script 'client' just means that the script will take a '--vault-id' command line arg.
The previous vault password script (as invoked by --vault-password-file pointing to an executable) takes
no args and returns the password on stdout. But it doesnt know anything about --vault-id or multiple vault
passwords.
The new 'protocol' of the vault password script takes a cli arg ('--vault-id') so that it can lookup that specific
vault-id and return it's password.
Since existing vault password scripts don't know the new 'protocol', a way to distinguish password scripts
that do understand the protocol was needed. The convention now is to consider password scripts that are
named like 'something-client.py' (and executable) to be vault password client scripts.
The new client scripts get invoked with the '--vault-id' they were requested for. An example:
ansible-playbook --vault-id my_vault_id@contrib/vault/vault-keyring-client.py some_playbook.yml
That will cause the 'contrib/vault/vault-keyring-client.py' script to be invoked as:
contrib/vault/vault-keyring-client.py --vault-id my_vault_id
The previous vault-keyring.py password script was extended to become vault-keyring-client.py. It uses
the python 'keyring' module to request secrets from various backends. The plain 'vault-keyring.py' script
would determine which key id and keyring name to use based on values that had to be set in ansible.cfg.
So it was also limited to one keyring name.
The new vault-keyring-client.py will request the secret for the vault id provided via the '--vault-id' option.
The script can be used without config and can be used for multiple keyring ids (and keyrings).
On success, a vault password client script will print the password to stdout and exit with a return code of 0.
If the 'client' script can't find a secret for the --vault-id, the script will exit with return code of 2 and print an error to stderr.
* documentation was not inline with other Ansible modules
* Python 3 specific imports were missing
* monitor_type is no longer required when creating a new pool; it is now the default.
* A new monitor_type choice of "single" was added for a more intuitive way to specify "a single monitor". It uses "and_list" underneath, but provides additional checks to ensure that you are specifying only a single monitor.
* host and port arguments have been deprecated for now. Please use bigip_pool_member instead.
* 'partition' field was missing from documentation.
* A note that "python 2.7 or greater is required" has been added for those who were not aware that this applies for ALL F5 modules.
* Unit tests were fixed to support the above module
* Adding a cli transport option for the bigip_command module.
* Fixing keyerror when using other f5 modules. Adding version_added for new option in bigip_command.
* Removing local connection check because the F5 tasks can be delegated to any host that has the libraries for REST.
* Using the network_common load_provider.
* Adding unit test to cover cli transport and updating previous unit test to ensure cli was not called.
* Fix rollback in junos_config
Fixes#30778
* Call `load_configuration` with rollback id in case
the id is given as input
* Pass rollback id to `get_diff()` to fetch diff from device
* Fix unit test
- old functionality is still available direct lookup use, the following are equivalent
with_nested: [[1,2,3], ['a','b','c']]
loop: "{{lookup('nested', [1,2,3], ['a','b','c'])}}"
- avoid squashing with 'loop:'
- fixed test to use new intenal attributes
- removed most of 'lookup docs' as these now reside in the plugins
* Make ansible_selinux facts a consistent type
Rather than returning a bool if the Python library is missing, return a dict with one key containing a message explaining there is no way to tell the status of SELinux on the system becasue the Python library is not present.
* Fix unit test
The /etc/os-release based distro detection doesn't
seem to work for Ubuntu 10.04 (no /etc/os-release?).
So it was testing the next case which was /etc/lsb-release to
see if it is 'Mandriva'. Since the check for existence of
(/etc/lsb-release, Mandrive) was the first non-empty dist
file match, 'ansible_distribution' was being set to 'Mandriva'
expecting to be corrected by the data from the dist file content.
But since the dist file parsing for Mandriva didn't match for
Ubuntu 10.04 /etc/lsb-release _and_ there is no Debian specific
lsb-release check, 'ansible_distribution' stayed at 'Mandriva'
and the dist file checking loop keeps going and eventually off
the end of the list before finding a better match.
Adding a debian/ubuntu specific check for /etc/lsb-release after
the debian os-release sets the info correctly and stops further
checking of dist files.
Fixes#30693
* Added support to retrieving LIG resources in HPE OneView
* Fixing copyright header according to review
* Swapping out config for full credentials in parameter for documentation
* Added support to retrieving Enclosures in HPE OneView
- Added unit tests
* Updated version_added to 2.5
* Changing return type of enclosure_script to string
* Fixing copyright header according to review
* Replaced config for credentials in parameters for documentation
* Fix fact failures cause by ordering of collectors
Some fact collectors need info collected by other facts.
(for ex, service_mgr needs to know 'ansible_system').
This info is passed to the Collector.collect method via
the 'collected_facts' info.
But, the order the fact collectors were running in is
not a set order, so collectors like service_mgr could
run before the PlatformFactCollect ('ansible_system', etc),
so the 'ansible_system' fact would not exist yet.
Depending on the collector and the deps, this can result
in incorrect behavior and wrong or missing facts.
To make the ordering of the collectors more consistent
and predictable, the code that builds that list is now
driven by the order of collectors in default_collectors.py,
and the rest of the code tries to preserve it.
* Flip the loops when building collector names
iterate over the ordered default_collectors list
selecting them for the final list in order instead
of driving it from the unordered collector_names set.
This lets the list returned by select_collector_classes
to stay in the same order as default_collectors.collectors
For collectors that have implicit deps on other fact collectors,
the default collectors can be ordered to include those early.
* default_collectors.py now uses a handful of sub lists of
collectors that can be ordered in default_collectors.collectors.
fixes#30753fixes#30623
* Use vault_id when encrypted via vault-edit
On the encryption stage of
'ansible-vault edit --vault-id=someid@passfile somefile',
the vault id was not being passed to encrypt() so the files were
always saved with the default vault id in the 1.1 version format.
When trying to edit that file a second time, also with a --vault-id,
the file would be decrypted with the secret associated with the
provided vault-id, but since the encrypted file had no vault id
in the envelope there would be no match for 'default' secrets.
(Only the --vault-id was included in the potential matches, so
the vault id actually used to decrypt was not).
If that list was empty, there would be an IndexError when trying
to encrypted the changed file. This would result in the displayed
error:
ERROR! Unexpected Exception, this is probably a bug: list index out of range
Fix is two parts:
1) use the vault id when encrypting from edit
2) when matching the secret to use for encrypting after edit,
include the vault id that was used for decryption and not just
the vault id (or lack of vault id) from the envelope.
add unit tests for #30575 and intg tests for 'ansible-vault edit'
Fixes#30575
* Fix 'distribution' fact for ArchLinux
Allow empty wasn't breaking out of the process_dist_files
loop, so a empty /etc/arch-release would continue searching
and eventually try /etc/os-release. The os-release parsing
works, but the distro name there is 'Arch Linux' which does
not match the 2.3 behavior of 'Archlinux'
Add a OS_RELEASE_ALIAS map for the cases where we need to get
the distro name from os-release but use an alias.
We can't include 'Archlinux' in SEARCH_STRING because a name match on its keys
but without a match on the content causes a fallback to using the first
whitespace seperated item from the file content as the name.
For os-release, that is in form 'NAME=Arch Linux'
With os-release returning the right name, this also supports the
case where there is no /etc/arch-release, but there is a /etc/os-release
Fixes#30600
* pep8 and comment cleanup
* Fix pkg_mgr fact on OpenBSD
Add a OpenBSDPkgMgrFactCollector that hardcodes pkg_mgr
to 'openbsd_pkg'. The ansible collector will choose the
OpenBSD collector if the system is OpenBSD and the 'Generic'
one otherwise.
This removes PkgMgrFactCollectors depenency on the
'system' fact being in collected_facts, which also
avoids ordering issues (if the pkg mgr fact is collected
before the system fact...)
Fixes#30623
* Fix nxos provider transport warning issue
* Add default value of transport arg in provider spec
* Remove default value if transport arg in top level spec
This ensure deprecation warning is seen only in case transport
is given as a top level arg in task
* Refactor nxos modules to reference transport value from provider
spec
* Fix unit test
* Remove transport arg assignment in nxos action plugin
* As assigning transport value is handled in provider spec
top level task arg assignment is no longer required
* Add Routing Engine Facts
- Map routing engine output information to routing_engines facts dict.
- Add fact 'has_2RE', which is a quick way to determine how many REs
the chassis has.
* Fix a typo
* Fix more typos
* Add slot number to routing_engine dict
* Add facts about the installed chassis modules
* Fix typo
* Fixed another typo
* Fix Path
* Change path again.
* More Typos
* Add some deubgging
* Add additional information for hardware components.
- Return information about the Routing Engines.
- Return a fact to easily determine if the device
has two routing engines.
- Return information about the hardware modules.
* Addressed pep8 stardard failures.
* Add unit test fixtures.
* Rename fixture.
* Fix unit test failures.
- Rename the fixture file to what the unit test expects.
- Strip out junos namespace attributes.
Rename file to match what the unit test expects.
* Scrubbed the routing engine serial numbers.
* Add unit test facts for new tests.
- Add unit test for ansible_net_routing_engines fact
- Add unit test for ansible_net_modules fact
- Add unit test for ansible_net_has_2RE
* Fixed spacing.
* Don't ask for password confirm on 'ansible-vault edit'
This is to match the 2.3 behavior on:
ansible-vault edit encrypted_file.yml
Previously, the above command would consider that a 'new password'
scenario and prompt accordingly, ie:
$ ansible-vault edit encrypted_file.yml
New Password:
Confirm New Password:
The bug was cause by 'create_new_password' being used for
'edit' action. This also causes the previous implicit 'auto prompt'
to get triggered and prompt the user.
Fix is to make auto prompt explicit in the calling code to handle
the 'edit' case where we want to auto prompt but we do not want
to request a password confirm.
Fixes#30491
Unittests are sometimes run without network connectivity in build
systems. Make that work correctly by mocking out _get_url_data with the
expected return value.
* This commit includes a unit test to exercise the _is_role
function and make sure it doesn't break in any Python version.
* Import os.path and other minor fixups
* module should fail if eos_user is added without configured_password or nopassword or sshkey
Signed-off-by: Trishna Guha <trishnaguha17@gmail.com>
* fix eos_user unit test
Signed-off-by: Trishna Guha <trishnaguha17@gmail.com>
* fix eos_user integration test
Signed-off-by: Trishna Guha <trishnaguha17@gmail.com>
* Add FcoeNetworkFactsModule for retrieving HPE OneView FCoE Networks
- Allow querying for FCoE Network resources in HPE OneView
- Adds unit tests to new module
* Fix "required: no"
* Add NetworkSetFactsModule for retrieving HPE OneView Network Sets
- Allow querying for Network Set resources in HPE OneView
- Adds unit tests to new module
- Updates oneview_module_loader copyright header to short GPL3 version
* Adding possibility to pass in credentials as parameters
* Removed required false and changed format of filter_by_name declaration
* Updated examples in docs to reflect new way to pass in credentials
- All examples of the oneview_network_set_facts updated to use
credential parameters
- All required=False from oneview base module removed
- Shared docs updated to bring attention to API version being used
* Add the ability to modify shard count to kinesis_stream module
* Fixed an issue in kinesis_stream where update() reports not changed when it is changed
* Remove unreachable message and make the try and catch block shorter
* Tidy mount module for testing
Fix spelling mistakes in comments. I *think* the example for omitting parents
root has the wrong parent ID.
Make mountinfo file a parameter for testing.
* Don't strip leading slash from mounts
The current code does not follow the example, it produces src=tmp/aaa instead
of src=/tmp/aaa. This causes problems with bind mounts under /rootfs.
* Use dictionary to store mounts by ID
Instead of looping over each one to check if the ID matches. This does not
preserve the order of the output on < Python3.6, but that is not necessary.
* Make linux_mounts a dict
Always accessed by 'dst', so avoid looping by just making it a key.
* Add test case for get_linux_mounts
* make groups magic var dependant on inventory
it was overtly restricted by 'host'
minor fixes to test_var_manager.py, need to test other values also
* pepe hates extra blank line
- Fixes to lambda
- reformatting + tests for lambda_facts
- lambda module integration test
- switch lambda and lambda_facts to AnsibleAwsModule
- Get the account ID from STS, GetUser, and finally error message
* Added FcNetworkFactsModule to query FC Network Resources in HPE OneView
- Added unit tests
* Removing unnecessary quotes from example and documentation
* Module for uploading templates into vDirect server
Module for uploading configuration and workflow templates
into Radware vDirect server
* Module for uploading templates into vDirect server
Module for uploading configuration and workflow templates
into Radware vDirect server
* Add VPN module and unittests
* remove unnecessary imports
* fix documentation
* raise custom exception rather than passing module everywhere
* remove recordings
Rerecord tests
Fix docs
Ensure vpn_connection_id is a list of strings when checking if it exists
* fix check mode
* Rerecord tests
* remove superfluous code and comments and make exception handling uniform
fix docs
* Fix ec2_vpc_vpn documentation
* make ec2_vpc_vpn compatible with python 2.6 and make check mode logic more succinct
* fix comparison of list of dicts
* Fix typos and docstrings
make requested changes for imports
make code clearer
* Fix copyright and metadata version.
* Adding module to manage ethernet network on HPE OneView
* Adding unit tests to EthernetNetwork module
* Added OneViewModuleException custom exceptions to module
- Removed exception imports from hpOneView
- Updated unit tests
* Fixing mock import inside ethernet network module unit test
* Fixing issues found in METADATA by CI
* Updated paths to use solution name instead of vendor name
* Fixed documentation, removed redundant if and improved readability
* Updated _bulk_present to use and return `result`, same way as _present
* Changed __ to _ in private methods following ansible style
* Fixed some example inconsistencies and turned states doc into a list
* Added adriane-cardozo to list of maintainers
* New module for AWS Direct Connect connections
Unittests for new module
Added utils that will be used by other Direct Connect modules
* pep8 fixes
* Correct aws_direct_connect_connection EXAMPLES to be valid yaml
* Make requested changes
* remove use of the variable changed
get rid of unnecessary parentheses
* Fix unit test
* Rename variable.
* Fix metadata version
* Add module_utils/aws/direct_connect.py for frequently used functions
* new AWS Direct Connect link aggregation group module with tests and placebo recordings
* remove extra argument
* Remove use of undefined var
* Fix param name for extra exception codes for AWSRetry to use.
* Fix undefined var and line length and metadata version number
* Fix copyright headers
* Added new oneview_fcoe_network module and unit tests
* Fixing metadata issues and importing unittest from ansible.compat.tests
* Fixing shebang and adding correct copyright header
* Renamed remote_management/hpe to remote_management/oneview
* Updated documentation and default state according to review comments
- Added present as the default state
- Added delegate_to: localhost in all examples
- Changed config path from a variable to illustrate a location
- Other documentation fixes
* Added the ability to extend the exception list in CloudRetry
* AWSRetry boto and boto compatible
* Updated tests to reflect boto/boto3
* Added boto to shippable requirements
* Have base_class and added_exceptions default to None in CloudRetry
AWSRetry - only retry on boto3 exceptions and remove boto requirement from tests
* Make requested changes.
* refactors nxos_vrf_af module
fixes#27595
* fix up unit test cases
* add commands to result dict
* add route-target on afi create
* adds deprecation note to safi argument
* Add network value to support_by field.
* New support_by value, certified
* Deprecate curated in favor of certified
* Add conversion from 1.0 to 1.1 to metadata-tool
* Add supported by Red Hat field to ansible-doc output
* Ansible Config part2
- made dump_me nicer, added note this is not prod
- moved internal key removal function to vars
- carry tracebacks in errors we can now show tracebacks for plugins on vvv
- show inventory plugin tracebacks on vvv
- minor fixes to cg groups plugin
- draft config from plugin docs
- made search path warning 'saner' (top level dirs only)
- correctly display config entries and others
- removed unneeded code
- commented out some conn plugin specific from base.yml
- also deprecated sudo/su
- updated ssh conn docs
- shared get option method for connection plugins
- note about needing eval for defaults
- tailored yaml ext
- updated strategy entry
- for connection pliugins, options load on plugin load
- allow for long types in definitions
- better display in ansible-doc
- cleaned up/updated source docs and base.yml
- added many descriptions
- deprecated include toggles as include is
- draft backwards compat get_config
- fixes to ansible-config, added --only-changed
- some code reoorg
- small license headers
- show default in doc type
- pushed module utils details to 5vs
- work w/o config file
- PEPE ATE!
- moved loader to it's own file
- fixed rhn_register test
- fixed boto requirement in make tests
- I ate Pepe
- fixed dynamic eval of defaults
- better doc code
skip ipaddr filter tests when missing netaddr
removed devnull string from config
better becoem resolution
* killed extra space with extreeme prejudice
cause its an affront against all that is holy that 2 spaces touch each other!
shippable timing out on some images, but merging as it passes most
* prompt for new pass on create/encrypt if none specified
Make 'ansible-vault' edit or encrypt prompt for a password
if none or provided elsewhere.
Note: ansible-playbook does not prompt if not vault password
is provided
* dont show vault password prompts if not a tty
* Add config option for a default list of vault-ids
This is the vault-id equilivent of ANSIBLE_DEFAULT_PASSWORD_FILE
except ANSIBLE_DEFAULT_VAULT_IDENTITY_LIST is a list.
* Better handling of empty/invalid passwords
empty password files are global error and cause an
exit. A warning is also emitted with more detail.
ie, if any of the password/secret sources provide
a bogus password (ie, empty) or fail (exception,
ctrl-d, EOFError), we stop at the first error and exit.
This makes behavior when entering empty password at
prompt match 2.3 (ie, an error)
* [password] _random_password -> random_password and moved to util/encrypt.py
* [passwordstore] Use built-in random_password instead of pwgen utility
* [passwordstore] Add integration tests
1fe67f9 introduced retries to the ssh connection put file and fetch
file. Unfortunately, that change broke the smart transport because it
started raising exceptions instead of returning from _run(). This
breakage is documented in #23711.
An attempt to fix it was made at #23717 but the first attempt was
objected to as needing to touch too much code. The second attmept was
objected to as smart was forced to encapsulate retries (thus retrying
a sftp "rety" times before trying scp "retry" times and then finally
moving onto piped). This third attempt has retries encapsulate smart.
So each sub-transport is tried once and if all three fail, another retry
attempt is made which tries each of the three again.
Fixes#23711Fixes#23717
* replace boto with boto3 for the s3 module
make s3 pep8 and remove from legacy files
fix s3 unit tests
* fix indentation
* s3 module - if we can't create an MD5 sum return None and always upload file
* remove Location.DEFAULT which isn't used in boto3 and tidy up the docs
* pep8
* s3: remove default: null, empty aliases, and required: false from documentation
fix incorrectly documented defaults
* Porting s3 to boto3. Simplify some logic and remove unused imports
* Fix s3 module variables
* Fix a typo in s3 module and remove from pep8 legacy files
* s3: add pagination for listing objects.
Fix logic and use head_object instead of get_object for efficiency.
Fix typo in unit test.
* Fix pagination to maintain backwards compatibility.
Fix incorrect conditional.
Remove redundant variable assignment.
Fix s3 list_object pagination to return all pages
* Use the revised List Objects API as recommended.
* Wrap call to paginated_list in a try/except
Also remembered to allow marker/prefix/max_keys to modify what keys are listed
* Simplify argument
The prompt_formats dict didn't get the 'prompt_ask_vault_pass'
item added for interactive --ask-vault-pass, which
caused "KeyError: u'prompt_ask_vault_pass'"
Fixes#27885
* template: fix KeyError: 'undefined variable: 0
For compatibility with the Context.get_all() implementation
in jinja 2.9, make AnsibleJ2Vars implement collections.Mapping.
Also, make AnsibleJ2Template.newcontext() handle dict type
for the 'vars' parameter.
See: d67f0fd4cc
Fixes: https://github.com/ansible/ansible/issues/20494
* add units/template/test_vars
* intg tests for jinja-2.9 issues like 20494
test cases here are based on
https://github.com/ansible/ansible/issues/20494#issue-202108318
* nxos_bgp_neighbor_af does not want required_together
* fixup tests
* Fix max_prefix_* issues
* Require address-family
* Fix idempotency for next_hop_third_party
* Fix idempotency for allowas_in*
* Fix idempotency for *_in and *_out
* Reorder command generation again
`default` is first, then `max-prefix`, then booleans
* rm unneeded parens following assert
* rm unused parse_vaulttext_envelope from yaml.constructor
* No longer need index/enumerate over vault_ids
* rm unnecessary else
* rm unused VaultCli.secrets
* rm unused vault_id arg on VaultAES.decrypt()
pylint: Unused argument 'vault_id'
pylint: Unused parse_vaulttext_envelope imported from ansible.parsing.vault
pylint: Unused variable 'index'
pylint: Unnecessary parens after 'assert' keyword
pylint: Unnecessary "else" after "return" (no-else-return)
pylint: Attribute 'editor' defined outside __init__
* use 'dummy' for unused variables instead of _
Based on pylint unused variable warnings.
Existing code use '_' for this, but that is old
and busted. The hot new thing is 'dummy'. It
is so fetch.
Except for where we get warnings for reusing
the 'dummy' var name inside of a list comprehension.
* Add super().__init__ call to PromptVaultSecret.__init__
pylint: __init__ method from base class 'VaultSecret' is not called (super-init-not-called)
* Make FileVaultSecret.read_file reg method again
The base class read_file() doesnt need self but
the sub classes do.
Rm now unneeded loader arg to read_file()
* Fix err msg string literal that had no effect
pylint: String statement has no effect
The indent on the continuation of the msg_format was wrong
so the second half was dropped.
There was also no need to join() filename (copy/paste from
original with a command list I assume...)
* Use local cipher_name in VaultEditor.edit_file not instance
pylint: Unused variable 'cipher_name'
pylint: Unused variable 'b_ciphertext'
Use the local cipher_name returned from parse_vaulttext_envelope()
instead of the instance self.cipher_name var.
Since there is only one valid cipher_name either way, it was
equilivent, but it will not be with more valid cipher_names
* Rm unused b_salt arg on VaultAES256._encrypt*
pylint: Unused argument 'b_salt'
Previously the methods computed the keys and iv themselves
so needed to be passed in the salt, but now the key/iv
are built before and passed in so b_salt arg is not used
anymore.
* rm redundant import of call from subprocess
pylint: Imports from package subprocess are not grouped
use via subprocess module now instead of direct
import.
* self._bytes is set in super init now, rm dup
* Make FileVaultSecret.read_file() -> _read_file()
_read_file() is details of the implementation of
load(), so now 'private'.
Fix 'module' object is not callable
* rhn_register: fix Python 3 compatibility
* rhn_register: update requirements
* rhn_register: add unit tests
* Add missing method name
* use a dedicated line for XML related requirements
* rhn_register: drop support for Python 2.4
* rhn_register unit tests: fix Python 3 compatibility
* refactor in order to check order of the requests
* Fix for issue ansible/ansible#27715
* Also fixing mutually exclusive check
* Updating subspec checks
These changes take into account a spec with all features enabled and do
the following tests for subspecs:
1. Test proper specs
2. Test Alias
3. Test missing required param
4. Test mutually exclusive params
5. Test required if params
6. Test required one of params
7. Test required together params
8. Test required if params with a default value
9. Test basis subspec params
10. Test invalid subsec params
* adds new filter plugins for network use cases
* adds parse_cli filter
* adds parse_cli_textfsm filter
* adds Template class to network_common
* adds conditional function to network_common
* fix up PEP8 issues
* s3_bucket: fix policy sorting for python3 so strings are evaluated as less than tuples.
Add tests to ensure this behavior is maintained.
* Fix s3_bucket comparison function to work on both Python 3.5 and 3.6
* s3_bucket: document that cmp_to_key is used for python 2.7.
Add another test for s3_bucket to compare policies of different sizes.
* fix pep8
* Work around code-smell grepping by not using the word 'cmp'.
* New module for managing AWS Datapipelines
* Supports create/activate/deactivate and deletion
* Handles idempotent creation by embeding the version in the
uniqueId field
* Waits for requested state to be reached, as Botocore doesn't
have waiters yet for datapipelines
* rename module, fix imports, add tags option, improve exit_json results, fix a couple bugs, add a TODO so I don't forget
fix pep8
allow timeout to be used for pipeline creation
make .format syntax uniform
fix pep8
fix exception handling
allow pipeline to be modified, refactor, add some comments, remove unnecessary imports
pipeline activation may not be in the activated state long
remove datapipeline version option
change a loop to a list comprehension
create idempotence by hashing the options given to the module minus the objects (which can be modified)
small bugfix
* data_pipeline unittests
make unittests pep8
fix bug in unittests
* remove exception handling that serves no purpose
* Fix python3 incompatibilities in datapipeline tests and add placebo fixture maybe_sleep for faster tests
Fix python3 incompatibilities in data_pipeline build_unique_id()
Don't delete a pipeline in diff_pipeline() because it's unexpected
Don't use time.time() because it causes an issue with placebo testing
re-recorded tests
fix pep8 in data_pipeline
Remove disable_rollback from tests
Make sure unique identifier is a string
re-record tests
* improve documentation and add another example
* use a placebo fixture instead of redundant code in tests
fix tests for PLACEBO_RECORD=false
* Fix data_pipeline docs
use isinstance instead of type()
fix documentation
* fix documentation
* Remove use of undefined variable from data_pipeline module and fix license
* fix copyright header
* Initial commit for integration of HPE OneView resources with Ansible Core. Adding FC Network and FC Network Fact modules and unit tests, and OneView base class for all OV resources.
previously gather_subset=['!all'] would still gather the
min set of facts, and there was no way to collect no facts.
The 'min' specifier in gather_subset is equilivent to
exclude the minimal_gather_subset facts as well.
gather_subset=['!all', '!min'] will collect no facts
This also lets explicitly added gather_subsets override excludes.
gather_subset=['pkg_mgr', '!all', '!min'] will collect only the pkg_mgr
fact.
* Add module cv_server_provision for integration with Arista CloudVision Portal.
* Doc update.
* Remove shebang from test file. Update short description with company and product name.
* Update exception syntax to Python3 style.
* Remove blank line between imports.
* Remove newlines from RETURN documentation.
* Add cvprac to unittest requirements.
* Update unittest format. Add a few additional tests.
* Mock exceptions from cvprac so the library is not needed for unittests.
* Mock cvprac imports.
* Update unit tests to support python 3.5.
* Mock full cvprac library for unittests.
* Update Jinja2 import to pass updated CI checks.
* Update cvprac imports format for new CI tests.
* Add __metaclass__ and __future__.
When parsing a vaulttext blob, use .splitlines()
instead of split(b'\n') to handle \n newlines and
windows style \r\n (CRLF) new lines.
The vaulttext enevelope at this point is just the header line
and a hexlify()'ed blob, so CRLF is a valid newline here.
Fixes#22914
* Added new module interfaces_file
* interfaces_file: added unit tests
* interfaces_file: added golden files for unit tests
* interfaces_file: moved to system modules
* interfaces_file: fixed code formatting and convention issues
* Add 2.0-2.3 facts api compat (ansible_facts(), get_all_facts())
These are intended to provide compatibilty for modules that
use 'ansible.module_utils.facts.ansible_facts' and
'ansible.module_utils.facts.get_all_facts' from 2.0-2.3 facts
API.
Fixes#25686
Some related changes/fixes needed to provide the compat api:
* rm ansible.constants import from module_utils.facts.compat
Just use a hard coded default for gather_subset/gather_timeout
instead of trying to load it from non existent config if the
module params dont include it.
* include 'external' collectors in compat ansible_facts()
* Add facter/ohai back to the valid collector classes
facter/ohai had gotten removed from the default_collectors
class used as the default list for all_collector_classes by
setup.py and compat.py
That made gather_subset['facter'] fail.
* Add aggregate parameter validation
aggregate parameter validation will support checking each individual dict
to resolve conditions for aliases, no_log, mutually_exclusive,
required, type check, values, required_together, required_one_of
and required_if conditions in argspec. It will also set default values.
eg:
tasks:
- name: Configure interface attribute with aggregate
net_interface:
aggregate:
- {name: ge-0/0/1, description: test-interface-1, duplex: full, state: present}
- {name: ge-0/0/2, description: test-interface-2, active: False}
register: response
purge: Yes
Usage:
```
from ansible.module_utils.network_common import AggregateCollection
transform = AggregateCollection(module)
param = transform(module.params.get('aggregate'))
```
Aggregate allows supports for `purge` parameter, it will instruct the module
to remove resources from remote device that hasn’t been explicitly
defined in aggregate. This is not supported by with_* iterators
Also, it improves performace as compared to with_* iterator for network device
that has seperate candidate and running datastore.
For with_* iteration the sequence of operartion is
load-config-1 (candidate db) -> commit (running db) -> load_config-2
(candidate db) -> commit (running db) ...
With aggregate the sequence of operation is
load-config-1 (candidate db) -> load-config-2 (candidate db) -> commit
(running db)
As commit is executed only once per task for aggregate it has
huge perfomance benefit for large configurations.
* Fix CI issues
* Fix review comments
* Add support for options validation for aliases, no_log,
mutually_exclusive, required, type check, value check,
required_together, required_one_of and required_if
conditions in sub-argspec.
* Add unit test for options in argspec.
* Reverted aggregate implementaion.
* Minor change
* Add multi-level argspec support
* Multi-level argspec support with module's top most
conditionals options.
* Fix unit test failure
* Add parent context in errors for sub options
* Resolve merge conflict
* Fix CI issue
* Make camel_to_snake work on capitalized plurals
`TargetGroupARNs` should become `target_group_arns`, not
`target_group_ar_ns`
Promote `camel_to_snake` to top layer function but prefix
it with an underscore.
Add tests for improved `_camel_to_snake` function.
Reduce use of `re.compile` as it makes no sense when the
compilation result is not reused.
* Remove unused LooseVersion check
* Fix PLURALs case for camel_to_snake
Also renamed EXPECTED_CAMELIZATION to EXPECTED_SNAKIFICATION
* ACI module_utils library for ACI modules
This PR includes:
- the ACI argument_spec
- an aci_login function
- an experimental aci_request function
- an aci_response function
- included the ACI team
* New prototype using ACIModule
This PR includes:
- A new ACIModule object with various useful methods
Fixes#13243
** Add --vault-id to name/identify multiple vault passwords
Use --vault-id to indicate id and path/type
--vault-id=prompt # prompt for default vault id password
--vault-id=myorg@prompt # prompt for a vault_id named 'myorg'
--vault-id=a_password_file # load ./a_password_file for default id
--vault-id=myorg@a_password_file # load file for 'myorg' vault id
vault_id's are created implicitly for existing --vault-password-file
and --ask-vault-pass options.
Vault ids are just for UX purposes and bookkeeping. Only the vault
payload and the password bytestring is needed to decrypt a
vault blob.
Replace passing password around everywhere with
a VaultSecrets object.
If we specify a vault_id, mention that in password prompts
Specifying multiple -vault-password-files will
now try each until one works
** Rev vault format in a backwards compatible way
The 1.2 vault format adds the vault_id to the header line
of the vault text. This is backwards compatible with older
versions of ansible. Old versions will just ignore it and
treat it as the default (and only) vault id.
Note: only 2.4+ supports multiple vault passwords, so while
earlier ansible versions can read the vault-1.2 format, it
does not make them magically support multiple vault passwords.
use 1.1 format for 'default' vault_id
Vaulted items that need to include a vault_id will be
written in 1.2 format.
If we set a new DEFAULT_VAULT_IDENTITY, then the default will
use version 1.2
vault will only use a vault_id if one is specified. So if none
is specified and C.DEFAULT_VAULT_IDENTITY is 'default'
we use the old format.
** Changes/refactors needed to implement multiple vault passwords
raise exceptions on decrypt fail, check vault id early
split out parsing the vault plaintext envelope (with the
sha/original plaintext) to _split_plaintext_envelope()
some cli fixups for specifying multiple paths in
the unfrack_paths optparse callback
fix py3 dict.keys() 'dict_keys object is not indexable' error
pluralize cli.options.vault_password_file -> vault_password_files
pluralize cli.options.new_vault_password_file -> new_vault_password_files
pluralize cli.options.vault_id -> cli.options.vault_ids
** Add a config option (vault_id_match) to force vault id matching.
With 'vault_id_match=True' and an ansible
vault that provides a vault_id, then decryption will require
that a matching vault_id is required. (via
--vault-id=my_vault_id@password_file, for ex).
In other words, if the config option is true, then only
the vault secrets with matching vault ids are candidates for
decrypting a vault. If option is false (the default), then
all of the provided vault secrets will be selected.
If a user doesn't want all vault secrets to be tried to
decrypt any vault content, they can enable this option.
Note: The vault id used for the match is not encrypted or
cryptographically signed. It is just a label/id/nickname used
for referencing a specific vault secret.