Decrypting Dialog Fields



Is there a standard way to decrypt protected text box fields in service dialogs? MiqPassword doesn’t seem to be available within automate, and dialog_parser doesn’t seem to decrypt these fields. I suppose I could require miq-password using its full path, but I’d rather not do that if it’s possible to avoid it.



Hi @01100010011001010110

password   = $evm.object.decrypt('password')


Looks like there is no way to decrypt protected dialog fields :joy: I want to raise related BZ. Crazy developers…



require 'util/miq-password'

Non documented way to do this.


Still way better than requiring the miq-password gem using the fully qualified path, which is what I had been doing, thank you. Unsure if this is still an issue in Gapri?


There is some hidden from world BZ and I have currently a discussion about this with RH Tech Support.


Can’t you use something like:




Hi Peter

dialog_my_password present in $evm.root[‘miq_provision’].get_option(‘dialog_my_password’), so, looks like I cannot access it directly by root $evm.root.decrypt(‘dialog_my_password’) ?


Why don’t you try saving the password to a variable and call decrpyt on it? Something like

encrypted_password = $evm.root['miq_provision'].get_option('dialog_my_password')
password = $evm.root.decrypt(encrypted_password)

or you can make it a one-liner without using the variable (substituting encrypted_variable).


@xian @pemcg

From @tinaafitz post about this:

The method validates the <attribute_name> is a “password” datatype before any decryption can be done.


Aah, ok, I think the problem is that you’re trying to decrypt the password in the VM provision state machine, and the password value here is a “v2:{O3tPHdsg…” style string. You need MiqPassword::decrypt to be able to decrypt this as you’ve discovered.

If you are able to decrypt the string in the service provision state machine, the password object is copied to $evm.root (along with the ‘_id’ string equivalent), i.e.

 |    $evm.root['dialog_option_0_root_password'] = ********   (type: String)
 |    $evm.root['dialog_option_0_root_password_id'] = v2:{O3tPHdsgSh....   (type: String)

You’d be able to decrypt this using $evm.root.decrypt(‘dialog_option_0_root_password’)



I discovered yesterday (thanks @bevans!) that all you need is a require 'miq-password'. For example you can use the following to decrypt a password from the VM provision state machine:

require 'miq-password'
prov = $evm.root['miq_provision']
root_password_decrypted = MiqPassword.decrypt(prov.get_option(:"password::root_password"))

Hope this helps,


Hi @pemcg

Thank you for investigation. Can you please explain also what is difference between get_option(“root_password”) and get_option(:“password::root_password”) notation ?


That was how the field appeared in the options hash:

|    $evm.root['miq_provision'].options[:password::dialog_root_password] = v2:{O3tPHdsg...}   (type: String)
|    $evm.root['miq_provision'].options[:password::root_password] = v2:{O3tPHdsg...}   (type: String)


@pemcg Thank you again, so as a result I am using password field to configure Oracle sys through ansible tower and I want to change launch_ansible_job method to the following:

def ansible_vars_from_options(ext_vars)
  options = @handle.root["miq_provision"].try(:options) || {}
  options.each_with_object(ext_vars) do |(key, value), hash|
    match_data = ANSIBLE_DIALOG_VAR_REGEX.match(key.to_s)
    if match_data
       if match_data[1].include? 'password'
           require 'miq-password'
           value = MiqPassword::decrypt(value) rescue value
       hash[match_data[1]] = value

right ?