From 660f46be13b3e3332b812b78a1bce45b5601fa99 Mon Sep 17 00:00:00 2001 From: Martin Krizek Date: Tue, 27 Nov 2018 22:44:22 +0100 Subject: [PATCH] Fix using vault encrypted data with jinja2_native (#49025) Fixes #48950 (cherry picked from commit d4568d97d4482c383a8814bcf794ac61e43acace) --- .../48950-vault-encrypted-data-native-jinja.yaml | 2 ++ lib/ansible/template/native_helpers.py | 9 ++++++++- .../targets/jinja2_native_types/runme.sh | 1 + .../targets/jinja2_native_types/test_vault.yml | 16 ++++++++++++++++ .../targets/jinja2_native_types/test_vault_pass | 1 + 5 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 changelogs/fragments/48950-vault-encrypted-data-native-jinja.yaml create mode 100644 test/integration/targets/jinja2_native_types/test_vault.yml create mode 100644 test/integration/targets/jinja2_native_types/test_vault_pass diff --git a/changelogs/fragments/48950-vault-encrypted-data-native-jinja.yaml b/changelogs/fragments/48950-vault-encrypted-data-native-jinja.yaml new file mode 100644 index 0000000000..4b28caa78e --- /dev/null +++ b/changelogs/fragments/48950-vault-encrypted-data-native-jinja.yaml @@ -0,0 +1,2 @@ +bugfixes: + - Fix using vault encrypted data with jinja2_native (https://github.com/ansible/ansible/issues/48950) diff --git a/lib/ansible/template/native_helpers.py b/lib/ansible/template/native_helpers.py index d68f849ee7..f9d2537d9f 100644 --- a/lib/ansible/template/native_helpers.py +++ b/lib/ansible/template/native_helpers.py @@ -12,6 +12,8 @@ import types from jinja2._compat import text_type +from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode + def ansible_native_concat(nodes): """Return a native Python type from the list of compiled nodes. If the 
@@ -30,8 +32,13 @@ def ansible_native_concat(nodes): if len(head) == 1: out = head[0] + + # TODO send unvaulted data to literal_eval? + if isinstance(out, AnsibleVaultEncryptedUnicode): + return out.data + # short circuit literal_eval when possible - if not isinstance(out, list): # FIXME is this needed? + if not isinstance(out, list): return out else: if isinstance(nodes, types.GeneratorType): diff --git a/test/integration/targets/jinja2_native_types/runme.sh b/test/integration/targets/jinja2_native_types/runme.sh index 84d7c299f1..bd05bd5f1f 100755 --- a/test/integration/targets/jinja2_native_types/runme.sh +++ b/test/integration/targets/jinja2_native_types/runme.sh @@ -3,3 +3,4 @@ set -eux ANSIBLE_JINJA2_NATIVE=1 ansible-playbook -i inventory.jinja2_native_types runtests.yml -v "$@" +ANSIBLE_JINJA2_NATIVE=1 ansible-playbook -i inventory.jinja2_native_types --vault-password-file test_vault_pass test_vault.yml -v "$@" diff --git a/test/integration/targets/jinja2_native_types/test_vault.yml b/test/integration/targets/jinja2_native_types/test_vault.yml new file mode 100644 index 0000000000..2daa3c5bd4 --- /dev/null +++ b/test/integration/targets/jinja2_native_types/test_vault.yml @@ -0,0 +1,16 @@ +- hosts: localhost + gather_facts: no + vars: + # ansible-vault encrypt_string root + # vault_password_file = test_vault_pass + vaulted_root_string: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 39333565666430306232343266346635373235626564396332323838613063646132653436303239 + 3133363232306334393863343563366131373565616338380a666339383162333838653631663131 + 36633637303862353435643930393664386365323164643831363332666435303436373365393162 + 6535383134323539380a613663366631626534313837313565666665336164353362373431666366 + 3464 + tasks: + - name: make sure group root exists + group: + name: "{{ vaulted_root_string }}" 
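Review bot: The `# TODO send unvaulted data to literal_eval?` comment above `return out.data` leaves the handling of decrypted secrets as an open question in the code, and the decision should be written down instead. Returning the plaintext unevaluated looks like the safer choice: a secret that happens to look like a Python literal (an all-digit password, say) would otherwise change type depending on its content, and it matches the non-list short circuit just below. I would replace the TODO with a statement of intent such as `# vaulted value: return the decrypted text unchanged, never feed it to literal_eval`. The same comment is a good place to record that the returned value is an ordinary string with nothing marking it as vault-derived. ansible_native_concat starts before this hunk and its `else` branch continues past it.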
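Review bot: The only task templates `"{{ vaulted_root_string }}"` on its own, so the test covers the single-node path the fix touches but not a vaulted value embedded in a longer string, which goes through the `else` branch of ansible_native_concat. It also never checks the decrypted value; the play passes as long as the `group` module does not fail. Adding an `assert` task with `that: vaulted_root_string == 'root'` and a second case such as `"prefix-{{ vaulted_root_string }}"` would pin both. Whether the comparison needs a `| string` filter under native mode is something to confirm when writing it.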
diff --git a/test/integration/targets/jinja2_native_types/test_vault_pass b/test/integration/targets/jinja2_native_types/test_vault_pass
new file mode 100644
index 0000000000..9daeafb986
--- /dev/null
+++ b/test/integration/targets/jinja2_native_types/test_vault_pass
@@ -0,0 +1 @@
+test