Restore client-side support for working with ansible vaults #177
@jeinwag Thank you for re-adding the vault feature and apologies that it was removed during the refactoring.
For achieving feature parity with the older plugin this PR looks good to me.
However, in the long term, we can explore the possibility of supporting this functionality in the ansible-language-server https://github.com/ansible/ansible-language-server so that other clients can also use it.
@jeinwag one mistake that I observed is that you forgot to run
I tried to encrypt a vars file and I observed an unnamed input box which I expected to be the password but entering something there did not have any effect. A few seconds later I got an error popup reporting: "Command 'Ansible Vault: Encrypt/Decrypt' resulted in an error (Running the contributed command: 'extension.ansible.vault' failed.)"
By looking at the Log (Extension Host) output I saw some weird messaging:
[2021-09-09 12:33:07.598] [exthost] [error] Error: Command failed: ansible-vault encrypt "/var/folders/3q/pc1jcyjj3qqbj6_x7n4kbtqw0000gn/T/tmp-43559-JYoNwmt0OU03" --encrypt-vault-id="default"
/Users/ssbarnea/.pyenv/versions/3.9.6/lib/python3.9/getpass.py:91: GetPassWarning: Can not control echo on the terminal.
passwd = fallback_getpass(prompt, stream)
Warning: Password input may be echoed.
New Vault password: [WARNING]: Error in vault password prompt (default): EOFError (ctrl-d) on
prompt for (default)
ERROR! EOFError (ctrl-d) on prompt for (default)
at checkExecSyncError (child_process.js:625:11)
at Object.execSync (child_process.js:661:15)
at Object.<anonymous> (electron/js2c/asar_bundle.js:5:12288)
at exec (/Users/ssbarnea/c/a/vscode-ansible/out/client/features/vault.js:194:15)
at encryptFile (/Users/ssbarnea/c/a/vscode-ansible/out/client/features/vault.js:176:9)
at encryptInline (/Users/ssbarnea/c/a/vscode-ansible/out/client/features/vault.js:144:5)
at toggleEncrypt (/Users/ssbarnea/c/a/vscode-ansible/out/client/features/vault.js:95:48)
at runMicrotasks (<anonymous>)
at processTicksAndRejections (internal/process/task_queues.js:93:5)
at async _executeContributedCommand (/Applications/Visual Studio Code.app/Contents/Resources/app/out/vs/workbench/services/extensions/node/extensionHostProcess.js:94:110871) extension.ansible.vault
I think that this encountered some interactive ansible output which is something that can easily go wrong. I think we should do our best to avoid any interactive prompts from ansible (run it in non-interactive mode).
@ssbarnea it's not asking for the password, but for the vault identity to use to encrypt the file. I added a fix to display an error message if there are no identities defined.
@webknjaz I'll take a look at your proposed changes tomorrow.
ansible-vault
Co-authored-by: Sviatoslav Sydorenko <webknjaz@redhat.com>
@jeinwag Please rebase and try to run extension again, open the play1.yml playbook from examples folder and try to decrypt the secret or encrypt a new one. Sadly that did not work for me and was the first feature I was expecting to get from the vaulting: ability to encrypt/decrypt. You have probably seen that via https://github.com/ansible/vscode-ansible/pull/270/files I added test files specially for that. If you try to run
@ssbarnea It does not work because there is no identity list configured. The ansible-vault functionality in the extension has, as far as I know, always required that you make use of vault IDs, see https://docs.ansible.com/ansible/latest/user_guide/vault.html#managing-multiple-passwords-with-vault-ids. I will look into making it work without the usage of vault IDs.
I hope you can. The most basic way to use vaulting in Ansible is using the setup I added as example as it does not even require any input, being fully unattended. The second issue was that when it failed for me to encrypt it gave a relatively cryptic error and I did not have any idea on how to make it work, especially as there is no place where user can configure which vault to use for current project. The only configurable setting related to vault is the ansible-vault executable, something that I hope nobody will have to customize. Maybe you could give me some hints on how to test the way it is supposed to work now?, preferably in context of the newly introduced I mention this because I plan to add ui-tests for all features, so we prevent regressions and that folder would be the place where these tests will happen.
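An added example, not part of this thread and not the extension's own code: one way a client could refuse to start `ansible-vault` when the run would end at a password prompt, as in the log above, and report a readable error instead. The function names, the sample `ansible.cfg` and the `chosenId` parameter are assumptions made for illustration; `vault_identity_list`, `vault_password_file`, `--encrypt-vault-id` and `ANSIBLE_NOCOLOR` are existing Ansible settings.

```javascript
"use strict";
const path = require("path");
const { execFileSync } = require("child_process");

// Constructed sample ansible.cfg (not taken from the PR).
const SAMPLE_CFG = `[defaults]
vault_identity_list = dev@~/.vault_dev, prod@~/.vault_prod
`;

// Collect key/value pairs from the [defaults] section of ansible.cfg text.
function readVaultSettings(cfgText) {
  const settings = {};
  let section = "";
  for (const raw of cfgText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) { section = header[1].trim(); continue; }
    const kv = line.match(/^([^=:]+)[=:](.*)$/);
    if (kv && section === "defaults") settings[kv[1].trim()] = kv[2].trim();
  }
  return settings;
}

// Build an argv that cannot reach a password prompt; throw a readable error otherwise.
function buildVaultArgs(action, file, settings, chosenId) {
  if (action !== "encrypt" && action !== "decrypt") throw new Error(`unsupported action: ${action}`);
  const ids = (settings.vault_identity_list || "").split(",").map((s) => s.trim()).filter(Boolean);
  const prompting = ids.filter((id) => /(^|@)prompt$/.test(id));
  if (prompting.length) throw new Error(`vault IDs need interactive input: ${prompting.join(", ")}`);
  if (!ids.length && !settings.vault_password_file) {
    throw new Error("no vault_identity_list or vault_password_file in ansible.cfg");
  }
  const args = [action];
  if (ids.length && action === "encrypt") {
    // An ID without a label falls under Ansible's "default" label.
    const labels = ids.map((id) => (id.includes("@") ? id.split("@")[0] : "default"));
    if (!labels.includes(chosenId)) throw new Error(`unknown vault ID: ${chosenId}`);
    args.push("--encrypt-vault-id", chosenId);
  }
  args.push(path.resolve(file)); // an absolute path can never be parsed as an option
  return args;
}

// Run without a shell and with stdin closed, so a missed prompt fails fast.
function runVault(args, cwd) {
  const env = { ...process.env, ANSIBLE_NOCOLOR: "1" }; // no colour codes in error text
  return execFileSync("ansible-vault", args, { cwd, env, stdio: ["ignore", "pipe", "pipe"], encoding: "utf8" });
}
```

Passing the arguments as an array to `execFileSync` also keeps a file name containing quotes or shell metacharacters from being interpreted, which a command assembled as a single string does not.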
for more information, see https://pre-commit.ci
@ssbarnea I changed the code so the en-/decrypting now works when only
I tested it and it worked round-trip. The indentation was not perfect but that can be sorted in a follow-up. I think that now it is OK to be merged.
ansible-vault
A quick & dirty "backport" of the original ansible vault code which got lost when PR #142 was merged. Fixes #171.