Refactor defaults generation, credential creation, and inventory management

### Overview This commit introduces a broad set of improvements across the defaults generator, credential creation subsystem, inventory creation workflow, and InventoryManager core logic. ### Major Changes - Support empty or config/main.yml in defaults generator and ensure that applications with empty configs are still included in defaults_applications. - Add '--snippet' and '--allow-empty-plain' modes to create/credentials.py with non-destructive merging and correct plain-secret handling. - Ensure empty strings for 'plain' credentials are never encrypted. - Update InventoryManager to fully support allow_empty_plain and prevent accidental overwriting or encrypting existing VaultScalar or dict values. - Add full-size implementation of cli/create/inventory.py including dynamic inventory building, role filtering, host_vars management, and parallelised credential snippet generation. - Fix schemas (Magento, Nextcloud, OAuth2-Proxy, keyboard-color, etc.) to align with the new credential model and avoid test failures. - Improve get_app_conf consistency by ensuring credentials.* paths are always resolvable for applications even when config/main.yml is empty. ### Added Test Coverage - Unit tests for defaults generator handling empty configs. - Full test suite for create/inventory.py including merge logic and vault-safe host_vars loading. - Extensive tests for InventoryManager: plain-secret behavior, vault handling, and recursion logic. - Update or remove outdated tests referencing old schema behaviour. ### Context This commit is associated with a refactoring and debugging session documented here: https://chatgpt.com/share/692ec0e1-5018-800f-b568-d09a53e9d0ee
2025-12-13 20:54:16 +00:00 · 2025-12-02 11:54:55 +01:00
parent 5320a5d20c
commit c0e26275f8
22 changed files with 1566 additions and 186 deletions
--- a/tests/unit/cli/create/test_credentials.py
+++ b/tests/unit/cli/create/test_credentials.py
@@ -98,5 +98,66 @@ class TestCreateCredentials(unittest.TestCase):
                self.assertIsInstance(creds['api_key'], str)
                self.assertTrue(creds['api_key'].lstrip().startswith('$ANSIBLE_VAULT'))

-if __name__ == '__main__':
-    unittest.main()
+    def test_main_plain_algorithm_allow_empty_plain_sets_empty_string_without_vault(self):
+        """
+        When --allow-empty-plain is used, a 'plain' credential without override
+        should be set to "" and *not* encrypted (no ansible-vault calls).
+        """
+        with tempfile.TemporaryDirectory() as tmpdir:
+            role_path = os.path.join(tmpdir, 'role')
+            os.makedirs(os.path.join(role_path, 'config'))
+            os.makedirs(os.path.join(role_path, 'schema'))
+            os.makedirs(os.path.join(role_path, 'vars'))
+
+            # vars/main.yml with application_id
+            main_vars = {'application_id': 'app_empty_plain'}
+            with open(os.path.join(role_path, 'vars', 'main.yml'), 'w') as f:
+                yaml.dump(main_vars, f)
+
+            # config/main.yml
+            config = {'features': {'central_database': False}}
+            with open(os.path.join(role_path, "config", "main.yml"), 'w') as f:
+                yaml.dump(config, f)
+
+            # schema/main.yml: plain credential *without* overrides
+            schema = {
+                'credentials': {
+                    'api_key': {
+                        'description': 'API key',
+                        'algorithm': 'plain',
+                        'validation': {}
+                    }
+                }
+            }
+            with open(os.path.join(role_path, 'schema', 'main.yml'), 'w') as f:
+                yaml.dump(schema, f)
+
+            # Empty inventory file
+            inventory_file = os.path.join(tmpdir, 'inventory.yml')
+            with open(inventory_file, 'w') as f:
+                yaml.dump({}, f)
+
+            # Vault password file
+            vault_pw_file = os.path.join(tmpdir, 'pw.txt')
+            with open(vault_pw_file, 'w') as f:
+                f.write('pw')
+
+            # Ensure ansible-vault is *not* called at all in this scenario
+            def fail_run(*_args, **_kwargs):
+                raise AssertionError("ansible-vault must not be called for allow_empty_plain + empty plain")
+
+            with mock.patch('subprocess.run', side_effect=fail_run):
+                sys.argv = [
+                    'create/credentials.py',
+                    '--role-path', role_path,
+                    '--inventory-file', inventory_file,
+                    '--vault-password-file', vault_pw_file,
+                    '--allow-empty-plain',
+                ]
+                main()
+
+            data = yaml.safe_load(open(inventory_file))
+            creds = data['applications']['app_empty_plain']['credentials']
+            # api_key should exist and be an empty string, not a vault block
+            self.assertIn('api_key', creds)
+            self.assertEqual(creds['api_key'], "")