From bbdf4c36c1a821ba8e9034f35bfe73ff1935ab8b Mon Sep 17 00:00:00 2001
From: Jay Rogers <jay@521dimensions.com>
Date: Mon, 16 Dec 2024 14:25:36 -0600
Subject: [PATCH] Refactor Ansible vault password validation in functions.sh to
 improve error handling and user feedback. The script now checks if the
 variable file is encrypted before validating the password, and provides
 clearer error messages for invalid passwords.

---
 lib/functions.sh | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index 72bb1558..1f8f4966 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -1333,18 +1333,26 @@ set_ansible_vault_args() {
 
   if [[ -f .vault-password ]]; then
     # Validate the vault password file using Docker
-    if ! docker run --rm -i \
-      -e "PUID=${SPIN_USER_ID}" \
-      -e "PGID=${SPIN_GROUP_ID}" \
-      -e "RUN_AS_USER=$(whoami)" \
-      -v "$(pwd):/ansible" \
-      "$SPIN_ANSIBLE_IMAGE" \
-      ansible-vault view --vault-password-file=".vault-password" "$variable_file" >/dev/null 2>&1; then
-      echo "${BOLD}${RED}❌ Invalid vault password provided for file .vault-password${RESET}" >&2
-      exit 1
+    if is_encrypted_with_ansible_vault "$variable_file"; then
+     set +e # Disable error checking for the duration of this block
+     docker run --rm -i \
+        -e "PUID=${SPIN_USER_ID}" \
+        -e "PGID=${SPIN_GROUP_ID}" \
+        -e "RUN_AS_USER=$(whoami)" \
+        -v "$(pwd):/ansible" \
+        "$SPIN_ANSIBLE_IMAGE" \
+        ansible-vault view --vault-password-file="/ansible/.vault-password" "$variable_file" > /dev/null 2>&1
+
+      validation_result=$?
+      set -e # Re-enable error checking
+      if [ $validation_result -ne 0 ]; then
+        echo "${BOLD}${RED}❌ Invalid password provided in '.vault-password' file. Please check your password and try again.${RESET}" >&2
+        exit $validation_result
+      fi
     fi
+
     vault_args+=("--vault-password-file" ".vault-password")
-  elif is_encrypted_with_ansible_vault "$variable_file" && is_encrypted_with_ansible_vault ".spin-inventory.ini"; then
+  elif is_encrypted_with_ansible_vault "$variable_file" || is_encrypted_with_ansible_vault ".spin-inventory.ini"; then
     echo "${BOLD}${YELLOW}🔐 '.vault-password' file not found. You will be prompted to enter your vault password.${RESET}" >&2
     vault_args+=("--ask-vault-pass")
   fi