ansible-vault decrypt --output - no longer working in ansible 2.4 #30550

Closed
jleclanche opened this issue Sep 19, 2017 · 10 comments · Fixed by #31066

Comments

jleclanche commented Sep 19, 2017

ANSIBLE VERSION
ansible 2.4.0.0

In ansible 2.3.x, it was possible to do ansible-vault decrypt example.txt --output - to get the decrypted output into stdout. In fact, that is advertised in ansible-vault decrypt --help:

  --output=OUTPUT_FILE  output file name for encrypt or decrypt; use - for stdout

In Ansible 2.4, this is bugged and results in a file named -.

ansibot commented Sep 19, 2017

@jleclanche Greetings! Thanks for taking the time to open this issue. In order for the community to handle your issue effectively, we need a bit more information.

Here are the items we could not find in your description:

  • issue type
  • ansible version
  • component name

Please set the description of this issue with this template:
https://raw.githubusercontent.com/ansible/ansible/devel/.github/ISSUE_TEMPLATE.md


@ansibot ansibot added affects_2.5 This issue/PR affects Ansible v2.5 needs_info This issue requires further information. Please answer any outstanding questions. needs_template This issue/PR has an incomplete description. Please fill in the proposed template correctly. needs_triage Needs a first human triage before being processed. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Sep 19, 2017
jleclanche commented Sep 19, 2017

cc @bcoca because this is a regression due to #29663 (525c318):

 +        # add output if needed
 +        if self.action in self.can_output:
 +            self.parser.add_option('--output', default=None, dest='output_file',
 +                                   help='output file name for encrypt or decrypt; use - for stdout',
 +                                   action="callback", callback=CLI.unfrack_path, type='string')
 +
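
Review bot: Missing special case for `-` on the `--output` option: the help text promises `use - for stdout`, yet `callback=CLI.unfrack_path` is applied to every value with no exemption for that sentinel. Per the report, the callback expands `-` to an absolute path, so the later comparison against `-` fails and the decrypted content lands in a file named `-` in the working directory instead of on stdout. Pass `-` through unchanged in the callback (or drop the callback for this option), and add a test that asserts the decrypted text actually appears on stdout.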

CLI.unfrack_path will always turn - into /path/to/current/directory/- which then fails comparisons to - in parsing/vault/__init__.py.

@bcoca bcoca removed the needs_triage Needs a first human triage before being processed. label Sep 19, 2017
enrh commented Sep 19, 2017

After upgrading PIP package ansible-vault to 1.0.5, this function is no longer working for me. Multiple systems, CentOS and Fedora. Could this be related?

>>> from ansible_vault import Vault
>>> dictpass = Vault("passphrase")
>>> nodedict = dictpass.load(open('nodedict.yml').read())
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/ansible_vault/api.py", line 18, in load
    return yaml.safe_load(self.vault.decrypt(stream))
  File "/usr/lib/python2.7/site-packages/ansible/parsing/vault/__init__.py", line 543, in decrypt
    _matches = match_secrets(self.secrets, vault_id_matchers)
  File "/usr/lib/python2.7/site-packages/ansible/parsing/vault/__init__.py", line 399, in match_secrets
    matches = [(vault_id, secret) for vault_id, secret in secrets if vault_id in target_vault_ids]
ValueError: need more than 1 value to unpack

jleclanche commented Sep 19, 2017

No, that doesn't seem related. You should file a separate issue for that.

@j-cavoizy
@enrh: I have the same issue. I've filed a separate issue there:
#30969

alikins commented Sep 28, 2017

fwiw, 'ansible-vault view example.txt' can be used in lieu of 'ansible-vault decrypt example.txt --output= -' for the time being.

@alikins alikins self-assigned this Sep 28, 2017
alikins commented Sep 28, 2017

I thought I had an intg test case for this, but it was slightly different:

ansible-vault decrypt "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" --output=- < "${TEST_FILE_OUTPUT}"

But the test doesn't actually check the stdout, so it was passing... fixing both.

alikins commented Sep 29, 2017

@jleclanche #31066 should fix this. If you can test out the pr I would appreciate it.

alikins added a commit that referenced this issue Oct 3, 2017
In cli.CLI.unfrack_path callback, special case if the
value of '--output' is '-', and avoid expanding
it to a full path.

vault cli already has special cases for '-', so it
just needs to get the original value to work.

Fixes #30550
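
The regression and the special case described in the commit message above, reproduced as an added example (not Ansible's code). `unfrack_path` and `unfrack_path_keep_dash` are simplified stand-ins for the CLI callback before and after the fix; `parse_output` and `sink_for` are hypothetical helpers.

```python
import os
from optparse import OptionParser


def unfrack_path(option, opt, value, parser):
    """Stand-in for the regressed callback: normalizes every value."""
    full = os.path.abspath(os.path.expanduser(value))
    setattr(parser.values, option.dest, full)


def unfrack_path_keep_dash(option, opt, value, parser):
    """Stand-in for the fixed callback: '-' is a sentinel, not a path."""
    if value != '-':
        value = os.path.abspath(os.path.expanduser(value))
    setattr(parser.values, option.dest, value)


def parse_output(callback, argv):
    """Parse argv with the --output option wired to the given callback."""
    parser = OptionParser()
    parser.add_option('--output', default=None, dest='output_file',
                      help='output file name; use - for stdout',
                      action='callback', callback=callback, type='string')
    opts, _args = parser.parse_args(argv)
    return opts.output_file


def sink_for(output_file):
    """Mimic the downstream check: only a literal '-' means stdout."""
    return 'stdout' if output_file == '-' else 'file:' + output_file


if __name__ == '__main__':
    for cb in (unfrack_path, unfrack_path_keep_dash):
        value = parse_output(cb, ['--output', '-'])
        # Regressed callback: plaintext would go to <cwd>/- on disk.
        # Fixed callback: plaintext goes to stdout as the help promises.
        print(cb.__name__, '->', sink_for(value))
```

With the regressed callback the decrypted content is written to a file named `-` in the working directory, so a directory where the affected version was run is worth checking for that leftover plaintext file.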
@jleclanche
@alikins thanks - sorry I was not able to get back to all this, stuff got in the way :/

alikins commented Oct 3, 2017

cherry-pick'ed to stable-2.4 in commit 576e337

alikins added a commit that referenced this issue Oct 3, 2017
(cherry picked from commit 278ff19)
BondAnthony pushed a commit to BondAnthony/ansible that referenced this issue Oct 5, 2017