diff options
| -rw-r--r-- | lib/ansible/cli/__init__.py | 5 | ||||
| -rw-r--r-- | lib/ansible/config/data/config.yml | 2 | ||||
| -rwxr-xr-x | test/integration/targets/vault/runme.sh | 12 |
3 files changed, 18 insertions, 1 deletions
diff --git a/lib/ansible/cli/__init__.py b/lib/ansible/cli/__init__.py index 3faf3450f6..89f2cd1a02 100644 --- a/lib/ansible/cli/__init__.py +++ b/lib/ansible/cli/__init__.py @@ -210,6 +210,11 @@ class CLI(with_metaclass(ABCMeta, object)): # we need to show different prompts. This is for compat with older Towers that expect a # certain vault password prompt format, so 'promp_ask_vault_pass' vault_id gets the old format. prompt_formats = {} + + vault_password_files = vault_password_files or [] + if C.DEFAULT_VAULT_PASSWORD_FILE: + vault_password_files.append(C.DEFAULT_VAULT_PASSWORD_FILE) + if create_new_password: prompt_formats['prompt'] = ['New vault password (%(vault_id)s): ', 'Confirm vew vault password (%(vault_id)s): '] diff --git a/lib/ansible/config/data/config.yml b/lib/ansible/config/data/config.yml index cc04be2bf2..8c70d7b037 100644 --- a/lib/ansible/config/data/config.yml +++ b/lib/ansible/config/data/config.yml @@ -1089,7 +1089,7 @@ DEFAULT_VAULT_IDENTITY: vars: [] yaml: {key: defaults.vault_identity} DEFAULT_VAULT_PASSWORD_FILE: - default: ~ + default: desc: 'TODO: write it' env: [{name: ANSIBLE_VAULT_PASSWORD_FILE}] ini: diff --git a/test/integration/targets/vault/runme.sh b/test/integration/targets/vault/runme.sh index e0a9984454..c5ce2764ae 100755 --- a/test/integration/targets/vault/runme.sh +++ b/test/integration/targets/vault/runme.sh @@ -87,6 +87,15 @@ echo "rc was $WRONG_RC (1 is expected)" # new 1.2 format, view, using password script with vault-id, ENFORCE_IDENTITY_MATCH=true, 'test_vault_id' provided should work ANSIBLE_VAULT_ID_MATCH=1 ansible-vault view "$@" --vault-id=test_vault_id@password-script.py format_1_2_AES256.yml +# test with a default vault password set via config/env, right password +ANSIBLE_VAULT_PASSWORD_FILE=vault-password ansible-vault view "$@" format_1_1_AES256.yml + +# test with a default vault password set via config/env, wrong password +ANSIBLE_VAULT_PASSWORD_FILE=vault-password-wrong ansible-vault view "$@" format_1_1_AES.yml && : +WRONG_RC=$? +echo "rc was $WRONG_RC (1 is expected)" +[ $WRONG_RC -eq 1 ] + # encrypt it ansible-vault encrypt "$@" --vault-password-file vault-password "${TEST_FILE}" @@ -214,6 +223,9 @@ ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-pass ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password --vault-password-file vault-password-wrong --syntax-check ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password-wrong --vault-password-file vault-password +# test with a default vault password file set in config +ANSIBLE_VAULT_PASSWORD_FILE=vault-password ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password-wrong + # test that we can have a vault encrypted yaml file that includes embedded vault vars # that were encrypted with a different vault secret ansible-playbook test_vault_file_encrypted_embedded.yml -i ../../inventory "$@" --vault-id encrypted_file_encrypted_var_password --vault-id vault-password |