Don't ask for password confirm on 'ansible-vault edit'

[alikins]

This is to match the 2.3 behavior on:

    ansible-vault edit encrypted_file.yml

Previously, the above command would consider that a 'new password'
scenario and prompt accordingly, ie:

    $ ansible-vault edit encrypted_file.yml
    New Password:
    Confirm New Password:

The bug was cause by 'create_new_password' being used for
'edit' action. This also causes the previous implicit 'auto prompt'
to get triggered and prompt the user.

Fix is to make auto prompt explicit in the calling code to handle
the 'edit' case where we want to auto prompt but we do not want
to request a password confirm.

Fixes #30491

SUMMARY

ISSUE TYPE

• Bugfix Pull Request

COMPONENT NAME

lib/ansible/cli/

ANSIBLE VERSION

ansible 2.5.0 (vault_edit_30491 c5c5de41b0) last updated 2017/09/18 10:19:40 (GMT -400)
  config file = /home/adrian/src/ansible/ansible.cfg
  configured module search path = [u'/home/adrian/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /home/adrian/src/ansible/lib/ansible
  executable location = /home/adrian/src/ansible/bin/ansible
  python version = 2.7.13 (default, May 10 2017, 20:04:28) [GCC 6.3.1 20161221 (Red Hat 6.3.1-1)]

ADDITIONAL INFORMATION

output of test case in #30491 after fix

[newswoop:F25:ansible (vault_edit_30491 %)]$ echo "this is a test" > foobar.yml
[newswoop:F25:ansible (vault_edit_30491 %)]$ cat foobar.yml 
this is a test
[newswoop:F25:ansible (vault_edit_30491 %)]$ ansible-vault encrypt foobar.yml
New Vault password: 
Confirm New Vault password: 
Encryption successful
[newswoop:F25:ansible (vault_edit_30491 %)]$ cat foobar.yml 
$ANSIBLE_VAULT;1.1;AES256
36613865393032643635646631633830333333373835613361323631613034656235376366643239
3138386136393961303230333139313535316536396134300a316238316266643330656461386238
30303362336630383838323935386436383230333264366136373666316564373335656165626432
6339643738323436370a356534313963623039646132643736316536313239306637376431666335
6661
[newswoop:F25:ansible (vault_edit_30491 %)]$ ansible-vault edit foobar.yml 
Vault password: 
[newswoop:F25:ansible (vault_edit_30491 %)]$ cat foobar.yml 
$ANSIBLE_VAULT;1.1;AES256
33303662343039613166633238613837316232656637306263653237336232383436316662653533
3830366438316565326430663435306438316233636439340a343836633933303164383230313762
35366633316563656435333463633363323439333131323433356637626463373630313538353766
6132623765386266310a316133363665393135643134306233666634396333383130643562353434
34616435643230363866323436623362663137396264343137303132653031643535
[newswoop:F25:ansible (vault_edit_30491 %)]$ ansible-vault view foobar.yml 
Vault password: 
bbthis is a test

[abadger]

For non-existent files, this PR introduces this behaviour:

$ ansible-vault edit new-file.yml                  *[vault_edit_30491]  (07:36:53)
Vault password: 
ERROR! [Errno 2] No such file or directory: u'/srv/ansible/alikins/new-file.yml'

which matches with the 2.3 behaviour. I think because it has precedent, that behaviour is okay. In the future, someone may request the 2.4.0 behaviour is restored, though, wherein ansible-vault edit new-file.yml creates the new file and then opens the editor on it. We probably should have a comment in the code that warns someone that goes to implement that, that they have to be careful not to unfix this case.

Test case would probably also be a good idea. Could be some unittests that check whether the correct prompt function is called the correct number of times.

[alikins]

For non-existent files, this PR introduces this behaviour:

2.4/devel didnt change that behavior, 'ansible-vault edit file-that-doesnt-exist.yml' has always[1] caused an error. The password confirm for 'ansible-vault edit existing-file.yml' was just kind of bogus since it confirms the password by successful decrypt as you mentioned. The extra confirm was not an intentional change and wasnt intended to make 'ansible-vault newfile.yml' work.

[1] Or at least for a long time:

[newswoop:F25:ansible (vault_edit_30491 %)]$ git checkout stable-2.3
Switched to branch 'stable-2.3'
Your branch is behind 'origin/stable-2.3' by 11 commits, and can be fast-forwarded.
  (use "git pull" to update your local branch)
[newswoop:F25:ansible (stable-2.3 % u-11)]$ ansible-vault edit sdfadfasfsdf.yml
Vault password: 
ERROR! [Errno 2] No such file or directory: u'/home/adrian/src/ansible/sdfadfasfsdf.yml'
[newswoop:F25:ansible (stable-2.3 % u-11)]$ git checkout vault_edit_30491 
Switched to branch 'vault_edit_30491'
[newswoop:F25:ansible (vault_edit_30491 %)]$ ansible-vault edit sdfadfasfsdf.yml
Vault password: 
ERROR! [Errno 2] No such file or directory: u'/home/adrian/src/ansible/sdfadfasfsdf.yml'
[newswoop:F25:ansible (vault_edit_30491 %)]$ git checkout stable-2.3
Switched to branch 'stable-2.3'
Your branch is behind 'origin/stable-2.3' by 11 commits, and can be fast-forwarded.
  (use "git pull" to update your local branch)
[newswoop:F25:ansible (stable-2.3 % u-11)]$ git checkout stable-2.2
Switched to branch 'stable-2.2'
Your branch is up-to-date with 'origin/stable-2.2'.
[newswoop:F25:ansible (stable-2.2 % u=)]$ ansible-vault edit sdfadfasfsdf.yml
Vault password: 
ERROR! [Errno 2] No such file or directory: u'sdfadfasfsdf.yml'
[newswoop:F25:ansible (stable-2.2 % u=)]$ git checkout stable-2.1
Switched to branch 'stable-2.1'
Your branch is up-to-date with 'origin/stable-2.1'.
[newswoop:F25:ansible (stable-2.1 % u=)]$ ansible-vault edit sdfadfasfsdf.yml
Vault password: 
ERROR! [Errno 2] No such file or directory: 'sdfadfasfsdf.yml'
[newswoop:F25:ansible (stable-2.1 % u=)]$ git checkout stable-2.0
Switched to branch 'stable-2.0'
Your branch is up-to-date with 'origin/stable-2.0'.
[newswoop:F25:ansible (stable-2.0 % u=)]$ ansible-vault edit sdfadfasfsdf.yml
Vault password: 
ERROR! [Errno 2] No such file or directory: 'sdfadfasfsdf.yml'
[newswoop:F25:ansible (stable-2.0 % u=)]$ ls sdfadfasfsdf.yml
ls: cannot access 'sdfadfasfsdf.yml': No such file or directory

[bcoca]

We might want to just 'open a new file' w/o errors, just a warning, as a feature enhancement in the future.

[nrwahl2]

Just commented on the issue, pasting here since I hadn't seen this thread yet:

With this pr, if i try to edit an already encrypted file without --ask-vault-pass, I get: [generic help prompt] (comment on #30493)

YES, but the same behavior occurs with decrypt, view, and rekey, which are in the same group. This is due to ask_vault_pass defaulting to None. That behavior can be changed but is not isolated to edit.

A lot of this hinges upon whether we want or expect ansible-vault edit to be able to create or encrypt a new file. This was not the case in 2.3 and is not the case in devel. On both versions, after entering your password (single prompt on 2.3 and double-prompt on devel), it produces ERROR! [Errno 2] No such file or directory: <FILENAME>. As you noted above. This aligns with the man page:

EDIT
$ ansible-vault edit [options] FILE

  The edit sub-command is used to modify a file which was previously encrypted using
  ansible-vault.

  This command will decrypt the file to a temporary file and allow you to edit the file,>
  saving it back when done and removing the temporary file.

That is what create is for. The only thing edit can do is confirm an existing password, but on devel it prompts as though it can and will set a new one. I would not be opposed to seeing a flag for creates where it prompts for a new password if the file does not yet exist.

[nrwahl2]

I like the new auto_prompt defaulting to True. To me, that's intuitive behavior -- to prompt for credentials if they're not provided already. I found a probable bug though:

[reid@laptop ~/git]$ grep vault_password_file /etc/ansible/ansible.cfg 
vault_password_file = /home/reid/.vault_passwords
[reid@laptop ~/git]$ cat ../.vault_passwords 
password
[reid@laptop ~/git]$ ansible-vault create asdf4.txt --ask-vault-pass
New Vault password: [entered 'asdf']
Confirm New Vault password: [entered 'asdf']
[reid@laptop ~/git]$ ansible-vault view asdf4.txt 
test

If the vault_password_file has the incorrect credential, as above, it still decrypts the file and presents it.

On 2.3, it returned a Decryption failed error:

[reid@laptop ~/git]$ ansible-vault create asdf.txt --ask-vault-pass
New Vault password: 
Confirm New Vault password: 
[reid@laptop ~/git]$ ansible-vault view asdf.txt 
ERROR! Decryption failed for asdf.txt

[abadger]

2.4/devel didnt change that behavior, 'ansible-vault edit file-that-doesnt-exist.yml' has always[1] caused an error.

Doh! Somewhere in the middle of my testing I switched from testing ansible-vault edit to testing ansible-vault create.

[alikins]

@nrwahl2 yeah, that is the default being used as the first secret. The code that checks for multiple secrets on encrypt actions only checks for vault ids before creating the secrets and the config based ones are added later in setup_vault_secrets.

So vault cli .run() could check the number of secrets after setup_vault_secrets() instead of before and raise an error there. To choose which of the vault secrets to use may need something like the first parts of https://github.com/ansible/ansible/pull/27668/files vault.py changes.

[nrwahl2]

(duplicate comment)

[nrwahl2]

@alikins: I don't quite understand. In my test case encryption, I'm using --ask-vault-pass to override what's in the secret file. Then the secret file, which has the wrong password, still works to decrypt the file later. That behavior does not exist on 2.3. It fails as it should. Can you clarify for me how a check for the number of secrets would apply in this case? (see that there are more secrets than there are files and infer that the password was set manually???)

[alikins]

@nrwahl2 --ask-vault-pass does not override what is in the config file, it adds to it. So the first secret is from vault_password_file and is used to encrypt the file.

The view works because it also uses vault_password_file per config and for that file, that is the password it was encrypted with.

[nrwahl2]

Nice....

[alikins]

the default decrypt behavoior is to try all the known secrets in order. In your case, the first one is the vault_password_file from config. It succeeds because that is what the file was encrypted with.

The number of secrets/vault ids comes into play on the encrypt, where there should be an error if there are more than one vault ids provided. But that fails because of a bug where the check is too early (before setup_vault_secrets when the configured secret is addded) so it uses the configured ansible_password_file secret to encrypt with because the config is a higher precendence (setup_vault_secrets prepends it to the list)

[alikins]

ie:

[reid@laptop ~/git]$ grep vault_password_file /etc/ansible/ansible.cfg 
vault_password_file = /home/reid/.vault_passwords
[reid@laptop ~/git]$ cat ../.vault_passwords 
password
[reid@laptop ~/git]$ ansible-vault create asdf4.txt --ask-vault-pass
New Vault password: [entered 'asdf']
Confirm New Vault password: [entered 'asdf']

That last line should raise an error but currently does not.

[alikins]

@nrwahl2 devel...alikins:error_on_config_plug_ask_vault_pass is an example patch changing where the number of vault ids is checked would prevent the case you mentioned in #30514 (review)

[nrwahl2]

Thanks for submitting the patch :)

IMO it would make more sense to make --ask-vault-pass usable as an override to what's in the configured password file, rather than making it unavailable when there's a configured vault password file. With this change, you could still override by unsetting vault_password_file in your config, or by passing a different --vault-password-file at the command line, but that's clunkier and may not fit all use cases.

Sincere question: After this change, would it make sense to use --ask-vault-pass at all (other than to continue supporting legacy code)? If ask and file are mutually exclusive, then ask could be the default behavior if there's no existing secret (as auto_prompt=True here).

I haven't dived too deeply into this code so forgive any misunderstandings.

[alikins]

@abadger cherry-pick candidate

commit 307be59
Author: Adrian Likins alikins@redhat.com
Date: Tue Sep 19 17:39:51 2017 -0400

Don't ask for password confirm on 'ansible-vault edit' (#30514)

* Don't ask for password confirm on 'ansible-vault edit'

This is to match the 2.3 behavior on:

        ansible-vault edit encrypted_file.yml

Previously, the above command would consider that a 'new password'
scenario and prompt accordingly, ie:

        $ ansible-vault edit encrypted_file.yml
        New Password:
        Confirm New Password:

The bug was cause by 'create_new_password' being used for
'edit' action. This also causes the previous implicit 'auto prompt'
to get triggered and prompt the user.

Fix is to make auto prompt explicit in the calling code to handle
the 'edit' case where we want to auto prompt but we do not want
to request a password confirm.

Fixes #30491

[vinoakash]

Hi,

Not sure whether this is the right forum, but the issue stated in this forum is similar to what I am currently facing, hence request your help on the same.

Tried to create the Vault password, below are the step performed

vi target.yml

ansible_user: ansible

ansible_ssh_pass:

ansible_become_pass:

touch target.pass

ansible-vault encrypt target.pass

Enter the Vault password : <password>

Confirm New Vault password : <password>

ansible-vault encrypt target.yml --vault-password-file=target.pass

At this point : Error : 

 [WARNING]: Error in vault password file loading (default): A vault password must be specified to decrypt data

ERROR! A vault password must be specified to decrypt data

Even tried the below command, but still no luck.

ansible-vault encrypt /home/ansible/playbooks/target.yml --vault-password-file=/home/ansible/playbooks/target.pass

From,
Vino.B