Invoke vault password scripts via original path specified #18320
Conversation
@jmehnle Would you mind rebasing and testing? We believe this has been fixed.
@calfonso, how would this have been fixed? It seems the code still suffers from the same confusion of what my patch calls the "full path" with the "real path". Unless you separate the two out, I don't believe the problem can be fixed.
@jmehnle this PR contains the following merge commits: Please rebase your branch to remove these commits.
Rebase needed.
I just rebased it the other day. What gives??
@jmehnle this PR contains the following merge commits: Please rebase your branch to remove these commits.
@jmehnle The latest rebase was needed because the file changed by this PR had been modified by other PR(s) which were already merged, causing conflicts with your changes.
This issue still exists, but the code has changed quite a lot. I think this would be a good change, as I understand the reasons behind it. The new code is located at: ansible/lib/ansible/parsing/vault/__init__.py Lines 372 to 373 in 9773a1f
I think we just need to change
keeps context of the symlink instead of original file path fixes ansible#18320
@jmehnle can you confirm that PR above resolves your issue?
ISSUE TYPE
COMPONENT NAME
--vault-password-file
ANSIBLE VERSION
(but also occurs in Ansible 2)
DESCRIPTION
When specifying an executable vault password file, Ansible invokes it by its "real" path, not by the path as specified. This matters if what's passed is actually a symlink to an executable, and the executable uses the path by which it is invoked to determine the password to produce.
For example: `secrets.yml` is a dummy variables vault file created by `ansible-vault create` with the password `foo-bar-ansible`. This script produces the password `foo-bar` if invoked directly, but produces a different password when invoked through a symlink that begins with `get-password-`, e.g., `foo-bar-quux` when invoked as `get-password-quux`. This script is a synthetic example, but I actually use this mechanism with a more complicated password retrieval script that installs various symlinks for different applications, Ansible being one of them.
Now let's create a symlink with a suitable name:
Oops. We're invoking `get-password-ansible`, which, as we just saw, produces the correct password, `foo-bar-ansible`. What gives?
Well, now let's try replacing the symlink with a straight-up copy of the real file:
Oh, hey, this time it worked!
And this is consistent with how the `real_vault_password_file` function is defined in https://github.com/ansible/ansible/blob/devel/lib/ansible/cli/__init__.py#L613. It calls `os.path.realpath()` on the file name provided and then invokes the script by that name. It would be more useful if the vault password file's executability was determined by its real path, etc., but then invoked by its original path.