authorAdrian Likins <alikins@redhat.com>2017-08-15 11:01:46 -0400
committerGitHub <noreply@github.com>2017-08-15 11:01:46 -0400
commite287af1ac8fb614a0dd2f6e8cf7475ef721fbce1 (patch)
tree28b295a8728b9e42bf324235ca85fb042e4e2a36 /test/integration/targets/vault/runme.sh
parent271127113f6da2814db33b015568c25ae2ae8568 (diff)
Vault secrets empty password (#28186)
* Better handling of empty/invalid passwords. Empty password files are a global error and cause an exit. A warning is also emitted with more detail. I.e., if any of the password/secret sources provides a bogus password (e.g., empty) or fails (exception, ctrl-d, EOFError), we stop at the first error and exit. This makes the behavior when entering an empty password at the prompt match 2.3 (i.e., an error).
Diffstat (limited to 'test/integration/targets/vault/runme.sh')
-rwxr-xr-xtest/integration/targets/vault/runme.sh26
1 files changed, 26 insertions, 0 deletions
diff --git a/test/integration/targets/vault/runme.sh b/test/integration/targets/vault/runme.sh
index c5ce2764ae..9b81c58ea8 100755
--- a/test/integration/targets/vault/runme.sh
+++ b/test/integration/targets/vault/runme.sh
@@ -14,6 +14,7 @@ echo "This is a test file for format 1.2" > "${TEST_FILE_1_2}"
TEST_FILE_OUTPUT="${MYTMPDIR}/test_file_output"
+
# old format
ansible-vault view "$@" --vault-password-file vault-password-ansible format_1_0_AES.yml
@@ -38,6 +39,7 @@ echo "rc was $WRONG_RC (1 is expected)"
set -eux
+
# new format, view
ansible-vault view "$@" --vault-password-file vault-password format_1_1_AES256.yml
@@ -184,6 +186,24 @@ ansible-vault encrypt "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" --outpu
ansible-vault view "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" - < "${TEST_FILE_OUTPUT}"
ansible-vault decrypt "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" --output=- < "${TEST_FILE_OUTPUT}"
+# test using an empty vault password file
+ansible-vault view "$@" --vault-password-file empty-password format_1_1_AES256.yml && :
+WRONG_RC=$?
+echo "rc was $WRONG_RC (1 is expected)"
+[ $WRONG_RC -eq 1 ]
+
+ansible-vault view "$@" --vault-id=empty@empty-password --vault-password-file empty-password format_1_1_AES256.yml && :
+WRONG_RC=$?
+echo "rc was $WRONG_RC (1 is expected)"
+[ $WRONG_RC -eq 1 ]
+
+echo 'foo' > some_file.txt
+ansible-vault encrypt "$@" --vault-password-file empty-password some_file.txt && :
+WRONG_RC=$?
+echo "rc was $WRONG_RC (1 is expected)"
+[ $WRONG_RC -eq 1 ]
+
+
ansible-vault encrypt_string "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" "a test string"
ansible-vault encrypt_string "$@" --vault-password-file "${NEW_VAULT_PASSWORD}" --name "blippy" "a test string names blippy"
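Review bot: The three new empty-password checks assert only `[ $WRONG_RC -eq 1 ]`, which presumably also holds if the command fails for an unrelated reason such as a missing `empty-password` fixture, so they can pass without the empty-secret rejection ever running. The same applies to the `ansible-playbook ... --vault-id empty@empty-password` check added in the last hunk (@@ -280). Adding `[ -f empty-password ]` before the first `ansible-vault view` would at least pin the fixture, and matching the expected error text on stderr would pin the cause. For the encrypt case, rc alone also does not show that `some_file.txt` was left untouched; a follow-up `grep -q '^foo$' some_file.txt` would confirm the plaintext was not replaced by content encrypted under an empty secret. That file is written to the working directory rather than under `${MYTMPDIR}`, so it is probably left behind after the run.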
@@ -280,3 +300,9 @@ WRONG_RC=$?
echo "rc was $WRONG_RC (1 is expected)"
[ $WRONG_RC -eq 1 ]
+# with empty password file
+ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-id empty@empty-password && :
+WRONG_RC=$?
+echo "rc was $WRONG_RC (1 is expected)"
+[ $WRONG_RC -eq 1 ]
+