When using a vault-encrypted value as argument for a task module, the args rule will throw/raise a TypeError: Object of type AnsibleVaultEncryptedUnicode is not JSON serializable error.
Issue Type
Bug Report
OS / ENVIRONMENT
% ansible-lint --version
ansible-lint 24.6.2.dev2 using ansible-core:2.17.1 ansible-compat:24.6.1 ruamel-yaml:0.18.6 ruamel-yaml-clib:0.2.8
You are using a pre-release version of ansible-lint.
ansible installation method: pip (as dependency when installing ansible-lint as below)
ansible-lint installation method: pip -e the main branch
STEPS TO REPRODUCE
Run ansible-lint using default configuration on the following playbook:
---
- name: My play
  hosts: all
  tasks:
    - name: My error-throwing task
      ansible.builtin.get_url:
        # The required arguments `url` and `dest` are missing
        url_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          00000000
        # Only to satisfy the `risky-file-permissions` rule
        mode: 744
The encrypted or plaintext content does not matter, nor the vault (id) used, because it is never decrypted anyway.
Desired Behavior
ansible-lint should not throw an error, but properly validate the module arguments.
% ansible-lint playbook.yml
WARNING Listing 1 violation(s) that are fatal
args[module]: missing required arguments: dest, url (warning)
playbook.yml:5 Task/Handler: My error-throwing task
Read documentation for instructions on how to ignore specific rule violations.
Rule Violation Summary
count tag profile rule associated tags
1 args[module] syntax, experimental (warning)
Passed: 0 failure(s), 1 warning(s) on 1 files. Last profile that met the validation criteria was 'production'. Rating: 5/5 star
You are using a pre-release version of ansible-lint.
Actual Behavior
ansible-lint prints only a warning that an exception occurred.
% ansible-lint -vvv playbook.yml
[...]
DEBUG Running rule yaml
DEBUG Running rule args
WARNING Ignored exception from ArgsRule.matchtasks while processing playbook.yml (playbook): Object of type AnsibleVaultEncryptedUnicode is not JSON serializable
DEBUG Ignored exception details
Traceback (most recent call last):
  File "/tmp/ansiblelint-vaultencrypt-repro/ansible-lint/src/ansiblelint/_internal/rules.py", line 94, in getmatches
    matches.extend(method(file))
                   ^^^^^^^^^^^^
  File "/tmp/ansiblelint-vaultencrypt-repro/ansible-lint/src/ansiblelint/rules/__init__.py", line 178, in matchtasks
    result = self.matchtask(task, file=file)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/ansiblelint-vaultencrypt-repro/ansible-lint/src/ansiblelint/rules/args.py", line 173, in matchtask
    ["", json.dumps({"ANSIBLE_MODULE_ARGS": clean_json(module_args)})],
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/json/__init__.py", line 231, in dumps
    return _default_encoder.encode(obj)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/json/encoder.py", line 200, in encode
    chunks = self.iterencode(o, _one_shot=True)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/json/encoder.py", line 258, in iterencode
    return _iterencode(o, 0)
           ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/json/encoder.py", line 180, in default
    raise TypeError(f'Object of type {o.__class__.__name__} '
TypeError: Object of type AnsibleVaultEncryptedUnicode is not JSON serializable
DEBUG Running rule avoid-implicit
DEBUG Running rule command-instead-of-module
[...]
Passed: 0 failure(s), 0 warning(s) on 1 files. Last profile that met the validation criteria was 'production'.
You are using a pre-release version of ansible-lint.
% ansible-playbook --syntax-check playbook.yml
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
playbook: playbook.yml
Ideas for a solution
- Implement and use a custom JSONEncoder which handles AnsibleVaultEncryptedUnicode instances, for example by encoding them as a fixed plain string
  - May cause validation errors in the task module if the argument value is further validated (e.g. when expecting a URL string, check it starts with the protocol:// format)
- Extend the clean_json function to replace any AnsibleVaultEncryptedUnicode instances, for example with a fixed plain string
  - Same caveat as above
- Call json.dumps(...) with skipkeys=True
  - Leaving keys out altogether is probably a bad idea; they may be required arguments and then trigger a false positive
I would be happy to create a PR, but require an outline of the desired solution to implement.
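A sketch of the first two ideas above, added here as an example and not taken from ansible-lint's code: a recursive replacement pass and a `JSONEncoder` subclass that both substitute a fixed placeholder without decrypting the value or emitting its ciphertext. `VaultValue` is a stand-in for `AnsibleVaultEncryptedUnicode` so the block runs without ansible-core; `PLACEHOLDER`, `redact_vault`, `VaultSafeEncoder` and `serialize_args` are hypothetical names, and the list of replaced argument paths is an assumption about how a caller could tell placeholder-induced value errors apart from real ones.

```python
import json

PLACEHOLDER = "<vault-encrypted>"  # constructed marker, not an ansible-lint constant


class VaultValue:
    """Stand-in for ansible's AnsibleVaultEncryptedUnicode (hypothetical class)."""

    def __init__(self, ciphertext: bytes) -> None:
        self.ciphertext = ciphertext


def redact_vault(obj, vault_types=(VaultValue,), path=()):
    """Return (copy of obj with vault values replaced, list of replaced paths)."""
    if isinstance(obj, vault_types):
        return PLACEHOLDER, [path]
    if isinstance(obj, dict):
        out, hits = {}, []
        for key, value in obj.items():
            out[key], found = redact_vault(value, vault_types, path + (key,))
            hits += found
        return out, hits
    if isinstance(obj, (list, tuple)):
        out, hits = [], []
        for index, value in enumerate(obj):
            item, found = redact_vault(value, vault_types, path + (index,))
            out.append(item)
            hits += found
        return out, hits
    return obj, []


class VaultSafeEncoder(json.JSONEncoder):
    """Encoder variant: json calls default() only for types it cannot serialize."""

    def default(self, o):
        if isinstance(o, VaultValue):
            return PLACEHOLDER  # neither decrypts nor emits the ciphertext
        return super().default(o)


# Constructed sample mirroring the task arguments in the report above.
MODULE_ARGS = {"url_password": VaultValue(b"$ANSIBLE_VAULT;1.1;AES256\n00000000"), "mode": 744}


def serialize_args(args):
    """Build the ANSIBLE_MODULE_ARGS payload and report which arguments were redacted."""
    cleaned, redacted = redact_vault(args)
    return json.dumps({"ANSIBLE_MODULE_ARGS": cleaned}), redacted
```

Both variants keep the argument key in the payload, so a check for missing required arguments still sees `url_password` as supplied.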