yaml: add new option to ignore "!ansible" tags

This new option for the yaml checker modify ruamel to remove the "!" from the "!vault" tag if it is found. Removing that part allows the file to be parsed correctly, so other errors could be found. fixes: #273
2026-03-30 18:26:53 +00:00 · 2022-12-02 09:07:12 +01:00 · 2022-12-02 09:07:12 +01:00 · f60596972c
commit f60596972c
parent 6336b8e792
2 changed files with 37 additions and 0 deletions
--- a/pre_commit_hooks/check_yaml.py
+++ b/pre_commit_hooks/check_yaml.py
@ -52,11 +52,29 @@ def main(argv: Sequence[str] | None = None) -> int:
            'Implies --allow-multiple-documents'
        ),
    )
+    parser.add_argument(
+        '--ignore-ansible-vault', action='store_true',
+        help=(
+            'Ignore keys that look like ansible vault encrypted values.  '
+            'This works by removing the "!" from the "!vault" value prefix.'
+        ),
+    )
    parser.add_argument('filenames', nargs='*', help='Filenames to check.')
    args = parser.parse_args(argv)

    load_fn = LOAD_FNS[Key(multi=args.multi, unsafe=args.unsafe)]

+    if args.ignore_ansible_vault:
+        def ignore_ansible_vault(loader: ruamel.yaml.Loader,
+                                 node: ruamel.yaml.Node) -> Any:
+            if node.value.startswith('!vault'):
+                node.value = node.value[1:]
+            return loader.construct_yaml_str(node)
+
+        ruamel.yaml.add_constructor(u'!vault',
+                                    ignore_ansible_vault,
+                                    constructor=ruamel.yaml.SafeConstructor)
+
    retval = 0
    for filename in args.filenames:
        try:
--- a/tests/check_yaml_test.py
+++ b/tests/check_yaml_test.py
@ -51,3 +51,22 @@ def test_main_unsafe_still_fails_on_syntax_errors(tmpdir):
    f = tmpdir.join('test.yaml')
    f.write('[')
    assert main(('--unsafe', str(f)))
+
+
+def test_main_ignore_ansible_vault(tmpdir):
+    f = tmpdir.join('test.yaml')
+    f.write(
+        'some_foo: !vault |\n'
+        '    $ANSIBLE_VAULT;1.1;AES256\n'
+        '    deadbeefdeadbeefdeadbeef\n',
+    )
+    # should fail "safe" check
+    assert main((str(f),))
+    # should pass when we allow unsafe documents
+    assert not main(('--ignore-ansible-vault', str(f)))
+
+
+def test_main_ignore_ansible_vault_still_fails_on_syntax_errors(tmpdir):
+    f = tmpdir.join('test.yaml')
+    f.write('[')
+    assert main(('--ignore-ansible-vault', str(f)))