Skip to content

allow user to control vault decrypt is error #81918

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: devel
Choose a base branch
from
Open

allow user to control vault decrypt is error #81918

wants to merge 2 commits into from
+85 −21

Conversation

bcoca
Copy link
Member

@bcoca bcoca commented Oct 5, 2023

new config item avoids requiring vault secret for all encrypted files, user is still responsible for play failing/doing the wrong thing if the data was actually required.

ISSUE TYPE
  • Feature Pull Request

@bcoca bcoca mentioned this pull request Oct 5, 2023
Open
@ansibot ansibot added feature This issue/PR relates to a feature request. needs_triage Needs a first human triage before being processed. labels Oct 5, 2023
@AlanCoding
Copy link
Member

Not working for intended use case at

https://github.com/AlanCoding/Ansible-inventory-file-examples/tree/master/vault/file_vars

ANSIBLE_VAULT_DECRYPT_IS_ERROR=false ansible-inventory -i vault/file_vars/inventory.ini --list --export
[WARNING]: You are running the development version of Ansible. You should only run Ansible from "devel" if you are modifying the Ansible
engine, or trying out features under development. This is a rapidly changing source of code and can become unstable at any point.
ERROR! Attempting to decrypt but no vault secrets found

the encrypted file at issue is https://github.com/AlanCoding/Ansible-inventory-file-examples/blob/master/vault/file_vars/group_vars/raleigh

@bcoca
Copy link
Member Author

bcoca commented Oct 5, 2023

i did decryption errors, which require a secret ,missed the 'no secrets provided' one

@bcoca
Copy link
Member Author

bcoca commented Oct 5, 2023

thinking if i should narrow it down to 'no secrets provided'? and keep decryption errors as hard error?

is there a case to pass secrets, decrypt parts but not other parts?

@AlanCoding
Copy link
Member

I re-tested and got this:

$ ANSIBLE_VAULT_DECRYPT_IS_ERROR=false ansible-inventory -i vault/file_vars/inventory.ini --list --export -vvv
[WARNING]: You are running the development version of Ansible. You should only run Ansible from "devel" if you are modifying the Ansible
engine, or trying out features under development. This is a rapidly changing source of code and can become unstable at any point.
ansible-inventory [core 2.17.0.dev0] (detached HEAD 6578dc67e8) last updated 2023/10/10 10:18:24 (GMT -400)
  config file = None
  configured module search path = ['/home/alancoding/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/alancoding/repos/ansible/lib/ansible
  ansible collection location = /home/alancoding/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/alancoding/repos/awx/env/bin/ansible-inventory
  python version = 3.11.5 (main, Aug 28 2023, 00:00:00) [GCC 12.3.1 20230508 (Red Hat 12.3.1-1)] (/home/alancoding/repos/awx/env/bin/python)
  jinja version = 3.1.2
  libyaml = True
No config file found; using defaults
host_list declined parsing /home/alancoding/repos/Ansible-inventory-file-examples/vault/file_vars/inventory.ini as it did not pass its verify_file() method
script declined parsing /home/alancoding/repos/Ansible-inventory-file-examples/vault/file_vars/inventory.ini as it did not pass its verify_file() method
auto declined parsing /home/alancoding/repos/Ansible-inventory-file-examples/vault/file_vars/inventory.ini as it did not pass its verify_file() method
yaml declined parsing /home/alancoding/repos/Ansible-inventory-file-examples/vault/file_vars/inventory.ini as it did not pass its verify_file() method
Parsed /home/alancoding/repos/Ansible-inventory-file-examples/vault/file_vars/inventory.ini inventory source with ini plugin
[WARNING]: Attempting to decrypt but no vault secrets found
ERROR! failed to combine variables, expected dicts but got a 'dict' and a 'AnsibleUnicode': 
{}
"$ANSIBLE_VAULT;1.1;AES256 35393165633131383065363835633362313035366437646664663733613535333662313837653562 6263623665306663653833303363326364643464623233640a303132393531313037333639313665 64643533623166663033623832333630323462303935343832613434646562383632323534343734 3263353063313433390a376237366230643130333864623263393461613365313962356632643739 32346634623462326164633162646564343365643962336432626531396631636438"

With the -vvv I feel like I should get a traceback here?

@bcoca
Copy link
Member Author

bcoca commented Oct 10, 2023

issues is that while im ignoring the error, im still returning the vaulted text (should be empty dict) .. no clue why no traceback

@bcoca
Copy link
Member Author

bcoca commented Oct 10, 2023

Error:

#$  ANSIBLE_VAULT_DECRYPT_IS_ERROR=true ansible-inventory -i ~/work/inventories/test.ini --list --export -vvv
ansible-inventory [core 2.17.0.dev0] (warn_devault f10ecd529f) last updated 2023/10/10 13:20:55 (GMT -400)
  config file = None
  configured module search path = ['/home/bcoca/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/bcoca/work/ansible/lib/ansible
  ansible collection location = /home/bcoca/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/bcoca/work/ansible/bin/ansible-inventory
  python version = 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True
No config file found; using defaults
host_list declined parsing /home/bcoca/work/inventories/test.ini as it did not pass its verify_file() method
script declined parsing /home/bcoca/work/inventories/test.ini as it did not pass its verify_file() method
auto declined parsing /home/bcoca/work/inventories/test.ini as it did not pass its verify_file() method
yaml declined parsing /home/bcoca/work/inventories/test.ini as it did not pass its verify_file() method
Parsed /home/bcoca/work/inventories/test.ini inventory source with ini plugin
ERROR! Attempted to decrypt (b'/home/bcoca/work/inventories/group_vars/all/fullvault.yml') but no vault secrets found

Warning:

#$  ANSIBLE_VAULT_DECRYPT_IS_ERROR=false ansible-inventory -i ~/work/inventories/test.ini --list --export -vvv
ansible-inventory [core 2.17.0.dev0] (warn_devault f10ecd529f) last updated 2023/10/10 13:20:55 (GMT -400)
  config file = None
  configured module search path = ['/home/bcoca/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/bcoca/work/ansible/lib/ansible
  ansible collection location = /home/bcoca/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/bcoca/work/ansible/bin/ansible-inventory
  python version = 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True
No config file found; using defaults
host_list declined parsing /home/bcoca/work/inventories/test.ini as it did not pass its verify_file() method
script declined parsing /home/bcoca/work/inventories/test.ini as it did not pass its verify_file() method
auto declined parsing /home/bcoca/work/inventories/test.ini as it did not pass its verify_file() method
yaml declined parsing /home/bcoca/work/inventories/test.ini as it did not pass its verify_file() method
Parsed /home/bcoca/work/inventories/test.ini inventory source with ini plugin
[WARNING]: Attempted to decrypt (b'/home/bcoca/work/inventories/group_vars/all/fullvault.yml') but no vault secrets found. Skipped
{
    "_meta": {
        "hostvars": {
 ...

@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Oct 10, 2023
@webknjaz webknjaz added the ci_verified Changes made in this PR are causing tests to fail. label Oct 11, 2023
@AlanCoding
Copy link
Member

With current branch I get this

$ ANSIBLE_VAULT_DECRYPT_IS_ERROR=false ansible-inventory -i vault/file_vars/inventory.ini --list --export -vvv
[WARNING]: You are running the development version of Ansible. You should only run Ansible from "devel" if you are modifying the Ansible
engine, or trying out features under development. This is a rapidly changing source of code and can become unstable at any point.
ansible-inventory [core 2.17.0.dev0] (detached HEAD 17325b189a) last updated 2023/10/13 09:47:11 (GMT -400)
  config file = None
  configured module search path = ['/home/alancoding/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/alancoding/repos/ansible/lib/ansible
  ansible collection location = /home/alancoding/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/alancoding/repos/awx/env/bin/ansible-inventory
  python version = 3.11.5 (main, Aug 28 2023, 00:00:00) [GCC 12.3.1 20230508 (Red Hat 12.3.1-1)] (/home/alancoding/repos/awx/env/bin/python)
  jinja version = 3.1.2
  libyaml = True
No config file found; using defaults
host_list declined parsing /home/alancoding/repos/Ansible-inventory-file-examples/vault/file_vars/inventory.ini as it did not pass its verify_file() method
script declined parsing /home/alancoding/repos/Ansible-inventory-file-examples/vault/file_vars/inventory.ini as it did not pass its verify_file() method
auto declined parsing /home/alancoding/repos/Ansible-inventory-file-examples/vault/file_vars/inventory.ini as it did not pass its verify_file() method
yaml declined parsing /home/alancoding/repos/Ansible-inventory-file-examples/vault/file_vars/inventory.ini as it did not pass its verify_file() method
Parsed /home/alancoding/repos/Ansible-inventory-file-examples/vault/file_vars/inventory.ini inventory source with ini plugin
ERROR! Attempted to decrypt (b'/home/alancoding/repos/Ansible-inventory-file-examples/vault/file_vars/group_vars/raleigh') but no vault secrets found

Just to show it here quickly, we have:

$ cat vault/file_vars/group_vars/raleigh
$ANSIBLE_VAULT;1.1;AES256
35393165633131383065363835633362313035366437646664663733613535333662313837653562
6263623665306663653833303363326364643464623233640a303132393531313037333639313665
64643533623166663033623832333630323462303935343832613434646562383632323534343734
3263353063313433390a376237366230643130333864623263393461613365313962356632643739
32346634623462326164633162646564343365643962336432626531396631636438

This is the issue that I'm interested in - ignoring an encrypted file that can't be decrypted. Since it's a vars file, it should contain a key-value mapping when decrypted. The request is to ignore the file, so that any group variables that would have been included if secrets were available are simply not included.

@bcoca
Copy link
Member Author

bcoca commented Oct 13, 2023

@AlanCoding you might have not noticed, I changed the setting and config option names as we changed the scope of what it affects, use ANSIBLE_VAULT_DECRYPT_VARSFILE_FAIL now.

@ansibot ansibot removed the ci_verified Changes made in this PR are causing tests to fail. label Oct 13, 2023
@AlanCoding
Copy link
Member

Thanks, that does seem to be working, and also manages to not interfere with other types of encrypted variables.

$ ANSIBLE_VAULT_DECRYPT_VARSFILE_FAIL=false ansible-inventory -i vault/file_vars/inventory.ini --list --export
[WARNING]: You are running the development version of Ansible. You should only run Ansible from "devel" if you are modifying the Ansible
engine, or trying out features under development. This is a rapidly changing source of code and can become unstable at any point.
[WARNING]: Attempted to decrypt (b'/home/alancoding/repos/Ansible-inventory-file-examples/vault/file_vars/group_vars/raleigh') but no
vault secrets found. Skipped
{
    "_meta": {
        "hostvars": {}
    },
    "all": {
        "children": [

@ansibot ansibot removed the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label Oct 13, 2023
@bcoca bcoca removed the needs_triage Needs a first human triage before being processed. label Oct 17, 2023
@bcoca bcoca requested a review from nitzmahone October 17, 2023 15:23
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Oct 24, 2023
@bcoca bcoca force-pushed the warn_devault branch 2 times, most recently from 91492b3 to d1e9d67 Compare November 17, 2023 21:01
@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. labels Nov 17, 2023
@ansibot ansibot removed the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label Nov 27, 2023
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Dec 5, 2023
@ansibot ansibot removed the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Dec 14, 2023
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Jan 2, 2024
@ansibot ansibot added the needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html label Oct 10, 2024
@bcoca bcoca mentioned this pull request Dec 9, 2024
Open
1 task
@ansibot ansibot removed needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. labels Dec 9, 2024
@ansibot ansibot added the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label Dec 9, 2024
@ansibot ansibot removed the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label Dec 17, 2024
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Dec 31, 2024
@bcoca
allow user to control vault decrypt is error
4d03529 
  move vault error/warning handling just for dl
  fix test to new text
@ansibot ansibot removed the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Feb 4, 2025
@ansibot ansibot added the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label Feb 4, 2025
@ansibot
Copy link
Contributor

ansibot commented Feb 4, 2025

The test ansible-test sanity --test pep8 [explain] failed with 1 error:

lib/ansible/utils/display.py:573:5: E303: too many blank lines (2)

click here for bot help

@webknjaz webknjaz added the ci_verified Changes made in this PR are causing tests to fail. label Feb 5, 2025
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Feb 19, 2025
@ansibot ansibot added the needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html label Apr 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nitzmahone nitzmahone Awaiting requested review from nitzmahone

Assignees
No one assigned
Labels
ci_verified Changes made in this PR are causing tests to fail. data_tagging feature This issue/PR relates to a feature request. needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@bcoca @AlanCoding @ansibot @webknjaz