Make vault encrypt/create/etc confirm pass again.

Make the 'write' modes of vault confirm a new password before using, again. This was unintentionally disabled in 309f54b709 previously. Fixes #22438
2017-03-09 12:08:41 -05:00 · 2017-03-09 12:08:41 -05:00 · ae31634c23
parent 6cf8318468
commit ae31634c23
1 changed files with 6 additions and 1 deletions
--- a/lib/ansible/cli/vault.py
+++ b/lib/ansible/cli/vault.py
@ -133,7 +133,12 @@ class VaultCLI(CLI):
            self.b_new_vault_pass = CLI.read_vault_password_file(self.options.new_vault_password_file, loader)

        if not self.b_vault_pass or self.options.ask_vault_pass:
-            self.b_vault_pass = self.ask_vault_passwords()
+            # the 'read' options dont need to ask for password confirmation.
+            # 'edit' is read/write, but the decrypt will confirm.
+            if self.action in ['decrypt', 'edit', 'view', 'rekey']:
+                self.b_vault_pass = self.ask_vault_passwords()
+            else:
+                self.b_vault_pass = self.ask_new_vault_passwords()

        if not self.b_vault_pass:
            raise AnsibleOptionsError("A password is required to use Ansible's Vault")