Vault general fixes and security hardening#83697
Open
bcoca wants to merge 39 commits intoansible:develfrom
Open
Vault general fixes and security hardening#83697bcoca wants to merge 39 commits intoansible:develfrom
bcoca wants to merge 39 commits intoansible:develfrom
Conversation
ansibot
added
bug
Naya1217
removed
the
needs_triage
ansibot
added
the
needs_revision
ansibot
removed
the
ci_verified
ansibot
added
the
needs_ci
ansibot
removed
the
needs_ci
webknjaz
added
the
ci_verified
ansibot
removed
the
ci_verified
webknjaz
added
the
ci_verified
ansibot
removed
the
ci_verified
bcoca
force-pushed
the
vault_ciphers
branch
2 times, most recently
from
2caac12 to
84a53e6
Compare
* enable type checking on more public vault API
can remove adding exc test as it would now be dupe ansible.parsing.vault.AnsibleVaultError: Unable to encrypt vault with unsupported method. Invalid value "rotten" for configuration option "setting: VAULT_METHOD ", valid values are: aes256, v2
Also fix docstring.
When config is used to specify the vault method, config reports the error. When the CLI is used, argparse handles the error because choices is set. When the API is used, load_vault_method reports the error. This ensures the error message is appropriate for the context in which the invalid method was specified.
also some fixes
Also fix x2 exception reporting Only caches on decrypt, encrypt won't hit cache due to salt generation note: w/o cache, decrypt takes same time as encrypt
bcoca
force-pushed
the
vault_ciphers
branch
2 times, most recently
from
d3773fe to
3f9dab2
Compare
ansibot
added
the
stale_ci
|
@bcoca how does this affect existing secrets encrypted with an older version of vault (and the old cipher)? Do I now need to specify If so, I wonder if this would also require changes in Ansible Tower to handle existing secrets gracefully. |
Member
Author
|
Decryption takes the info from the vault itself, so as not to impose any additional requirements on the user. The existing vaults will keep working until we fully retire the old encryption method in the 'far off' future, there will be a full deprecation cycle then. The new method becomes the default for encrypting in this PR, so if you want to continue using the old method to encrypt, then you do need to pass that explicitly, either on the CLI or via configuration. There is a documentation update that will go out at the time this PR is merged to ensure all this is explained to users. |
ansibot
added
the
needs_rebase
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Set new default Vault cipher to take the place of the, now deemed week, AES256 cipher, which is still kept for backwards compatibility.
also fixes #51862
ISSUE TYPE