Fix 'New Vault password' on vault 'edit' #35923
Conversation
The test
|
@@ -181,7 +181,7 @@ def run(self): | |||
if not vault_secrets: | |||
raise AnsibleOptionsError("A vault password is required to use Ansible's Vault") | |||
|
|||
if self.action in ['encrypt', 'encrypt_string', 'create', 'edit']: | |||
if self.action in ['encrypt', 'encrypt_string', 'create']: |
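Review bot: with 'edit' dropped from this list, `ansible-vault edit --encrypt-vault-id <id>` is now accepted without any complaint even though, per the description, the option has no effect on 'edit' (the file is always re-encrypted with the secret that decrypted it). Consider rejecting, or at least warning on, `--encrypt-vault-id` when the action is 'edit', so an operator who passes it expecting the file to be re-keyed does not walk away with a file still encrypted under the old secret. A one-line comment above `if self.action in ['encrypt', 'encrypt_string', 'create']:` saying why 'edit' is deliberately excluded would also help, since the reasoning currently lives only in the commit message.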
So, following on from my comment in #35834, I thought you added the edit action in PR #31067 to solve #30491.
I'm not saying either way is right or wrong, simply asking the question, seeing as an issue of the same type introduced a fix, now that code is being removed. Just trying to provide context here.
In #31067 I thought I was going to try to let the encrypt-vault-id be chosen/overridden for 'edit' but have since decided not to allow that and to always use the decrypt vault-id as the encrypt vault-id for 'edit'.
ffe0dde introduced a change on 'ansible-vault edit' that tried to check for --encrypt-vault-id in that mode. But '--encrypt-vault-id' is not intended for 'edit', since 'edit' should always reuse the vault secret that was used to decrypt the text. Change the cli to not check for --encrypt-vault-id on 'edit'.

VaultLib.decrypt_and_get_vault_id() was changed to return the vault secret used to decrypt (in addition to the vault_id and the plaintext). VaultEditor.edit_file() will now use 'vault_secret_used' as returned from decrypt_and_get_vault_id() so that an edited file always gets re-encrypted with the same secret, regardless of any vault id configuration or cli options.

Fixes #35834
Would love for this to be merged!
* Fix 'New Vault password' on vault 'edit' (same commit message as above; Fixes ansible#35834)
* Fix 'New Vault password' on vault 'edit' (same commit message as above; Fixes #35834; cherry picked from commit 6e737c8)
SUMMARY
ffe0dde introduced a change on 'ansible-vault edit' that tried to check for --encrypt-vault-id in that mode. But '--encrypt-vault-id' is not intended for 'edit', since 'edit' should always reuse the vault secret that was used to decrypt the text. Change the cli to not check for --encrypt-vault-id on 'edit'.

VaultLib.decrypt_and_get_vault_id() was changed to return the vault secret used to decrypt (in addition to the vault_id and the plaintext).

VaultEditor.edit_file() will now use 'vault_secret_used' as returned from decrypt_and_get_vault_id() so that an edited file always gets re-encrypted with the same secret, regardless of any vault id configuration or cli options.

Fixes #35834
ISSUE TYPE
COMPONENT NAME
lib/ansible/cli/vault.py
lib/ansible/parsing/vault/__init__.py
ANSIBLE VERSION
ADDITIONAL INFORMATION
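The invariant the description states, that an edit must re-encrypt with the secret that decrypted the file and ignore any encrypt-vault-id setting, is shown below as an added example. It is not Ansible's code or file format: the `TOYVAULT` header, the PBKDF2/HMAC-SHA256 keystream construction, the helper names and the `dev`/`prod` secrets are all constructed for this illustration and merely stand in for the real `$ANSIBLE_VAULT` format. `decrypt_and_get_vault_id()` follows the contract the PR gives it (returns plaintext, vault id and the secret that worked); `edit_file_rekeys_silently()` models the failure mode the fix removes, where 'edit' resolves its encryption secret from a configured encrypt vault id instead of from the decryption.

```python
"""Toy model of 'ansible-vault edit' re-encryption. Added example, not Ansible code."""
import hashlib
import hmac
import os

# Constructed container format for this example (NOT the real $ANSIBLE_VAULT header):
#   TOYVAULT;1;<vault_id>;<salt_hex>;<tag_hex>;<ciphertext_hex>
HEADER = "TOYVAULT"


def _keys(secret: bytes, salt: bytes):
    """Derive a 32-byte encryption key and a 32-byte MAC key from one secret."""
    km = hashlib.pbkdf2_hmac("sha256", secret, salt, 10_000, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, n: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-CTR)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(plaintext: bytes, vault_id: str, secret: bytes) -> str:
    """Encrypt-then-MAC under `secret`, labelling the container with `vault_id`."""
    salt = os.urandom(16)
    enc_key, mac_key = _keys(secret, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).hexdigest()
    return ";".join([HEADER, "1", vault_id, salt.hex(), tag, ct.hex()])


def decrypt_and_get_vault_id(vaulttext: str, vault_secrets):
    """Return (plaintext, vault_id, vault_secret_used), the contract the PR describes.

    `vault_secrets` is a list of (vault_id, secret) pairs. The secret whose id matches
    the header label is tried first, then every other one; the id and secret returned
    are those of the secret that actually verified the MAC, not the header label.
    """
    hdr, _ver, label, salt_hex, tag, ct_hex = vaulttext.split(";")
    if hdr != HEADER:
        raise ValueError("not a TOYVAULT container")
    salt, ct = bytes.fromhex(salt_hex), bytes.fromhex(ct_hex)
    for vault_id, secret in sorted(vault_secrets, key=lambda kv: kv[0] != label):
        enc_key, mac_key = _keys(secret, salt)
        expected = hmac.new(mac_key, salt + ct, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))
            return pt, vault_id, secret
    raise ValueError("no vault secret could decrypt the container")


def edit_file(vaulttext: str, vault_secrets, editor) -> str:
    """Fixed behaviour: re-encrypt with the secret that decrypted, whatever is configured."""
    plaintext, vault_id_used, vault_secret_used = decrypt_and_get_vault_id(vaulttext, vault_secrets)
    return encrypt(editor(plaintext), vault_id_used, vault_secret_used)


def edit_file_rekeys_silently(vaulttext: str, vault_secrets, encrypt_vault_id: str, editor) -> str:
    """Model of the failure mode: encryption secret comes from a configured encrypt
    vault id, so a file can change key as a side effect of an ordinary edit."""
    plaintext, _vid, _secret = decrypt_and_get_vault_id(vaulttext, vault_secrets)
    return encrypt(editor(plaintext), encrypt_vault_id, dict(vault_secrets)[encrypt_vault_id])


def demo():
    """Two vault ids are loaded; a file encrypted under 'dev' is edited both ways."""
    secrets = [("dev", b"dev-password"), ("prod", b"prod-password")]  # constructed secrets
    original = encrypt(b"db_password: hunter2\n", "dev", b"dev-password")
    bump = lambda pt: pt.replace(b"hunter2", b"hunter3")

    fixed = edit_file(original, secrets, bump)
    pt, vid, _ = decrypt_and_get_vault_id(fixed, [("dev", b"dev-password")])  # dev alone still works

    rekeyed = edit_file_rekeys_silently(original, secrets, "prod", bump)
    try:
        decrypt_and_get_vault_id(rekeyed, [("dev", b"dev-password")])
        dev_locked_out = False
    except ValueError:
        dev_locked_out = True  # the edit moved the file to the prod secret
    return {"fixed_vault_id": vid, "fixed_plaintext": pt, "rekeyed_locks_out_dev": dev_locked_out}


if __name__ == "__main__":
    print(demo())
```

The check that matters operationally is the last field of `demo()`: with the fixed `edit_file()` a host that only holds the `dev` secret can still read the file after the edit, whereas the modelled pre-fix path quietly moves the file under `prod` and locks that host out.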