ansible-vault edit and encrypt output different payload format version #30575
Comments
Is there a 'vault_password_file' or 'vault_identity_list' set up in configuration? Running 'ansible-vault' with a high verbosity level will show some details about which vault-ids are being used.
I can reproduce this:
vault edit without any changes
vault edit, making and saving changes:
vault edit again:
@colinjc Thanks for the great bug report btw! Looking into a fix now.
Looks like the vault_id is getting dropped on the encrypt after edit with change. (vault_id isn't passed to encrypt correctly there, so got a fix for that.) The traceback is from an assumption in edit that if we can decrypt, then we have a matching vault-id in the secrets. Because of the above bug, on the second edit, the vault id from the edited file is unset (or 'default') but the only vault-id in secrets is 'staging'. Then the vault-id match returns an empty secrets list, and the secrets[0][1] reference throws the IndexError.
#30772 should fix this if you want to try it out.
* Use vault_id when encrypted via vault-edit

On the encryption stage of 'ansible-vault edit --vault-id=someid@passfile somefile', the vault id was not being passed to encrypt(), so the files were always saved with the default vault id in the 1.1 version format.

When trying to edit that file a second time, also with a --vault-id, the file would be decrypted with the secret associated with the provided vault-id, but since the encrypted file had no vault id in the envelope there would be no match for 'default' secrets. (Only the --vault-id was included in the potential matches, so the vault id actually used to decrypt was not.) If that list was empty, there would be an IndexError when trying to encrypt the changed file. This would result in the displayed error:

ERROR! Unexpected Exception, this is probably a bug: list index out of range

Fix is two parts:
1) use the vault id when encrypting from edit
2) when matching the secret to use for encrypting after edit, include the vault id that was used for decryption and not just the vault id (or lack of vault id) from the envelope.

Add unit tests for #30575 and intg tests for 'ansible-vault edit'.

Fixes #30575

(cherry picked from commit a14d0f3)
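The failure mode described in the comments and in the commit message above, modelled as an added example. This is constructed code, not Ansible's implementation and not the patch from #30772: the AES256 payload is replaced by an opaque, reversible placeholder so that only the envelope and vault-id matching logic is exercised, and the function names (parse_envelope, match_secrets, edit_file, reproduce), the secret list shape and the password value are assumptions made for the example. The buggy path reproduces both defects the thread names (vault id not passed to encrypt, and only the envelope's vault id considered when picking the secret to re-encrypt with); the fixed path applies the two-part fix from the commit message.

```python
# Constructed model of the vault-id handling bug in 'ansible-vault edit' (added example; not Ansible's code).
# Real encryption is replaced by an opaque placeholder so the envelope/vault-id logic stands alone.
from typing import List, Optional, Tuple

HEADER = "$ANSIBLE_VAULT"
Secret = Tuple[str, bytes]  # (vault_id, password bytes) -- assumed shape for this example


def parse_envelope(vaulttext: str) -> Tuple[str, str, Optional[str]]:
    """Split the first line into (version, cipher, vault_id).
    A 1.1 header has no vault id; a 1.2 header carries it as the fourth field."""
    fields = vaulttext.split("\n", 1)[0].strip().split(";")
    if fields[0] != HEADER or len(fields) < 3:
        raise ValueError("not an ansible-vault envelope")
    version, cipher = fields[1], fields[2]
    vault_id = fields[3] if version == "1.2" and len(fields) > 3 else None
    return version, cipher, vault_id


def format_envelope(cipher: str, vault_id: Optional[str]) -> str:
    """1.2 header when a non-default vault id is given, otherwise the 1.1 header."""
    if vault_id and vault_id != "default":
        return f"{HEADER};1.2;{cipher};{vault_id}"
    return f"{HEADER};1.1;{cipher}"


def match_secrets(secrets: List[Secret], target_ids: List[str]) -> List[Secret]:
    """Keep the configured secrets whose vault id is in target_ids, preserving order."""
    return [(vid, s) for vid, s in secrets if vid in target_ids]


def encrypt(plaintext: str, secret: Secret, vault_id: Optional[str]) -> str:
    """Placeholder 'encryption': header line, then the password tag in front of the text."""
    _, password = secret
    return format_envelope("AES256", vault_id) + "\n" + password.hex() + ":" + plaintext


def decrypt(vaulttext: str, secrets: List[Secret], cli_vault_id: Optional[str]) -> Tuple[str, str]:
    """Return (plaintext, vault_id_used). The id given on the command line is tried first,
    then the envelope id, then any remaining configured secret."""
    _, _, envelope_id = parse_envelope(vaulttext)
    order = [vid for vid in (cli_vault_id, envelope_id) if vid]
    candidates = match_secrets(secrets, order) + [s for s in secrets if s[0] not in order]
    body = vaulttext.split("\n", 1)[1]
    for vid, password in candidates:
        tag = password.hex() + ":"
        if body.startswith(tag):
            return body[len(tag):], vid
    raise ValueError("decryption failed: no matching secret")


def edit_file(vaulttext: str, secrets: List[Secret], cli_vault_id: Optional[str],
              new_plaintext: str, fixed: bool) -> str:
    """Decrypt, replace the content and re-encrypt, as 'ansible-vault edit' does.
    fixed=False reproduces the two defects from the thread; fixed=True applies both parts of the fix."""
    _, _, envelope_id = parse_envelope(vaulttext)
    plaintext, vault_id_used = decrypt(vaulttext, secrets, cli_vault_id)
    if plaintext == new_plaintext:
        return vaulttext  # unchanged edit: nothing is re-encrypted, so no error (as the reporter saw)
    if fixed:
        target_ids = [envelope_id or "default", vault_id_used]  # part 2: include the id used to decrypt
        encrypt_vault_id = vault_id_used                         # part 1: pass the vault id to encrypt
    else:
        target_ids = [envelope_id or "default"]  # only the envelope id (or its absence) is considered
        encrypt_vault_id = None                  # vault id dropped, so the file falls back to 1.1
    candidates = match_secrets(secrets, target_ids)
    secret = candidates[0]  # raises IndexError when the list is empty: the reported crash
    return encrypt(new_plaintext, secret, encrypt_vault_id)


def reproduce(fixed: bool) -> Tuple[List[str], Optional[str]]:
    """Run encrypt, then two edits that change the content, all with --vault-id staging@...
    Returns the header seen after each step and the user-visible error, if any."""
    secrets = [("staging", b"s3cret")]  # constructed: only one vault id is configured
    text = encrypt("a: 1\n", secrets[0], "staging")
    headers = [text.split("\n", 1)[0]]
    try:
        for new_content in ("a: 2\n", "a: 3\n"):
            text = edit_file(text, secrets, "staging", new_content, fixed)
            headers.append(text.split("\n", 1)[0])
    except IndexError:
        return headers, "ERROR! Unexpected Exception, this is probably a bug: list index out of range"
    return headers, None


if __name__ == "__main__":
    for label, flag in (("buggy", False), ("fixed", True)):
        print(label, reproduce(flag))
```

In the buggy run the header drops from 1.2 to 1.1 after the first changed edit and the second changed edit crashes, which is exactly the sequence in the report; in the fixed run every step keeps `$ANSIBLE_VAULT;1.2;AES256;staging`. Running `ansible-vault` at high verbosity, as suggested in the first comment, is the practical way to confirm which vault id a real installation used for a given decrypt.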
ISSUE TYPE
COMPONENT NAME
ansible-vault
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
SUMMARY
When I encrypt a file with
ansible-vault encrypt vault_name --vault-id staging@vault_pass
it creates a file with the header
$ANSIBLE_VAULT;1.2;AES256;staging
When editing a vault file with
ansible-vault edit vault_name --vault-id staging@vault_pass
the vault is output with a header of
$ANSIBLE_VAULT;1.1;AES256
If I have made any changes and try to edit the file again, the following error occurs.
ERROR! Unexpected Exception, this is probably a bug: list index out of range
There is no error if I make no changes.
If I run decrypt it is successful. If I then run
ansible-vault encrypt vault_name --vault_id staging@vault_pass
the vault is output with a header of
$ANSIBLE_VAULT;1.2;AES256;staging
and I can run ansible-deploy edit again successfully.
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS