Integration test: Ansible vault password round-trip #2402

@berendt

Part of #2400. Follow-up to #2368.

What

Exercise the full Ansible-vault-password round-trip through Redis:

  • osism vault set / unset / view (osism/commands/vault.py:46, :57, :210), which set / delete / get the ansible_vault_password Redis key with a Fernet-encrypted value.
  • osism.utils.get_ansible_vault_password() (osism/utils/__init__.py:318), which reads that key, decrypts it with the Fernet key from /share/ansible_vault_password.key, and returns the plaintext.

This is a real crypto + Redis path that cannot be meaningfully unit-tested without a live store.

Scope

  • Store an encrypted password in Redis, read it back via get_ansible_vault_password(), assert the plaintext matches.
  • Missing key → ValueError ("... not set in Redis").
  • Empty / whitespace-only password → ValueError.
  • Round-trip via the actual set → get/view → unset flow where practical.

Notes / Where

New file tests/integration/test_vault.py. The Fernet key file path (/share/ansible_vault_password.key) is not writable in CI — point it at a temp file (monkeypatch the module constant or generate a key into a temp path) so the test is self-contained.
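A sketch of the round-trip and the two error cases from the Scope list, as an added example that is not part of the issue or the osism code base. `FakeRedis`, `write_temp_key`, `vault_set`, `read_vault_password` and `round_trip` are hypothetical names that model the behaviour described above, the in-memory store stands in for the live Redis the real integration test would use, and the error messages are constructed.

```python
import tempfile
from pathlib import Path
from cryptography.fernet import Fernet

REDIS_KEY = "ansible_vault_password"  # key name taken from the issue text

class FakeRedis(dict):
    """Constructed stand-in for the Redis client: get (inherited), set, delete."""
    def set(self, name, value):
        self[name] = value
    def delete(self, name):
        self.pop(name, None)

def write_temp_key(directory):
    """Generate a Fernet key into a temp path instead of /share/ansible_vault_password.key."""
    path = Path(directory) / "ansible_vault_password.key"
    path.write_bytes(Fernet.generate_key())
    return path

def vault_set(store, key_path, password):
    """Hypothetical model of `osism vault set`: encrypt with the file key, then store."""
    token = Fernet(key_path.read_bytes()).encrypt(password.encode("utf-8"))
    store.set(REDIS_KEY, token)

def read_vault_password(store, key_path):
    """Hypothetical model of the reader: fetch, decrypt, reject missing or blank values."""
    token = store.get(REDIS_KEY)
    if token is None:
        raise ValueError("Ansible vault password is not set in Redis")
    password = Fernet(key_path.read_bytes()).decrypt(token).decode("utf-8")
    if not password.strip():
        raise ValueError("Ansible vault password is empty")
    return password

def round_trip(password=None):
    """set -> get -> unset; password=None skips the set so the key is missing."""
    with tempfile.TemporaryDirectory() as tmp:
        store, key_path = FakeRedis(), write_temp_key(tmp)
        if password is not None:
            vault_set(store, key_path, password)
        raw = store.get(REDIS_KEY)            # what an observer of the store sees
        plaintext = read_vault_password(store, key_path)
        store.delete(REDIS_KEY)               # the "unset" step
        return plaintext, raw, store.get(REDIS_KEY)
```

In the real test the store would be the live Redis connection and the reader would be `osism.utils.get_ansible_vault_password()` with its key path pointed at the temp file; asserting that the raw stored value does not contain the plaintext is a cheap check that the encryption step was not skipped.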

Metadata

Labels: enhancement (New feature or request)
Status: Ready