[2.9] hashi_vault: Handle equal sign in secret name value (#70169)

Fixes: ansible/ansible#55658

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Abhijeet Kasurde 4 years ago committed by GitHub
parent bdcde11f9f
commit aa58d8c9ed

@ -0,0 +1,3 @@
---
bugfixes:
- hashi_vault - Handle equal sign in key=value (https://github.com/ansible/ansible/issues/55658).

@ -269,7 +269,7 @@ class LookupModule(LookupBase):
for param in vault_args:
try:
key, value = param.split('=')
key, value = param.split('=', 1)
except ValueError:
raise AnsibleError("hashi_vault lookup plugin needs key=value pairs, but received %s" % terms)
vault_dict[key] = value
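Review bot: The `raise AnsibleError(... % terms)` line interpolates the full lookup term string, which in this plugin carries `token=` and `secret_id=` values (the test lookups in this same commit pass them that way), so a single malformed argument writes live credentials into task output and logs. Prefer reporting the position of the offending argument rather than its contents, e.g. `for idx, param in enumerate(vault_args):` and `raise AnsibleError("hashi_vault lookup plugin needs key=value pairs, but argument %d has no '='" % idx)`. The `split('=', 1)` change itself is right: only the first `=` separates key from value, so a value such as `path?version=2` survives intact. The enclosing method starts and ends outside the hunk, so whether `terms` is already redacted before this point cannot be confirmed here.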

@ -30,7 +30,7 @@
- name: 'Failure expected when inexistent secret is read'
vars:
secret_inexistent: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_base_path ~ '/secret4 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}"
secret_inexistent: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_base_path ~ '/non_existent_secret4 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}"
debug:
msg: 'Failure is expected ({{ secret_inexistent }})'
register: test_inexistent

@ -87,10 +87,16 @@
path "{{ vault_base_path }}/secret3" {
capabilities = ["deny"]
}
path "{{ vault_base_path }}/secret4" {
capabilities = ["read", "update"]
}
- name: 'Create secrets'
command: '{{ vault_cmd }} kv put {{ vault_base_path_kv }}/secret{{ item }} value=foo{{ item }}'
loop: [1, 2, 3]
loop: [1, 2, 3, 4]
- name: 'Update KV v2 secret4 with new value to create version'
command: '{{ vault_cmd }} kv put {{ vault_base_path_kv }}/secret4 value=foo5'
- name: setup approle auth
import_tasks: approle_setup.yml
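Review bot: The new policy stanza grants `capabilities = ["read", "update"]` on `secret4`, but nothing in this change writes to that path with the policy-bound token — the second version is created by the `{{ vault_cmd }} kv put` task, which presumably runs with the setup credentials rather than `user_token`. If the stanza exists only so the version-2 lookup can read, `capabilities = ["read"]` keeps the test policy at least privilege and matches what the lookups exercise; keep `update` only if a later task not visible here writes with that token. The policy block scalar this stanza sits in starts before the hunk.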

@ -6,11 +6,12 @@
secret1: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_base_path ~ '/secret1 auth_method=token token=' ~ user_token) }}"
secret2: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_base_path ~ '/secret2 token=' ~ user_token) }}"
secret3: "{{ lookup('hashi_vault', conn_params ~ ' secret=' ~ vault_base_path ~ '/secret2 token=' ~ user_token) }}"
secret4: "{{ lookup('hashi_vault', conn_params ~ ' secret=' ~ vault_base_path ~ '/secret4?version=2 token=' ~ user_token) }}"
- name: 'Check secret values'
fail:
msg: 'unexpected secret values'
when: secret1['data']['value'] != 'foo1' or secret2['data']['value'] != 'foo2' or secret3['data']['value'] != 'foo2'
when: secret1['data']['value'] != 'foo1' or secret2['data']['value'] != 'foo2' or secret3['data']['value'] != 'foo2' or secret4['data']['value'] != 'foo5'
- name: 'Failure expected when erroneous credentials are used'
vars:
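Review bot: The added `secret4` lookup with `?version=2` expects `foo5`, which is also the latest version written by the setup tasks, so the `when:` assertion would still pass if the `version=2` part of the value were dropped after the split rather than honoured. Asserting an older version pins the behaviour under test, e.g. add `secret4_v1: "{{ lookup('hashi_vault', conn_params ~ ' secret=' ~ vault_base_path ~ '/secret4?version=1 token=' ~ user_token) }}"` and extend the condition with `or secret4_v1['data']['value'] != 'foo4'`. The `when:` line is now well past 120 characters; a folded `>-` block scalar with one clause per line would keep it readable. The `vars:` mapping this hunk ends on continues past the hunk.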
@ -30,7 +31,7 @@
- name: 'Failure expected when inexistent secret is read'
vars:
secret_inexistent: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_base_path ~ '/secret4 token=' ~ user_token) }}"
secret_inexistent: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_base_path ~ '/non_existent_secret4 token=' ~ user_token) }}"
debug:
msg: 'Failure is expected ({{ secret_inexistent }})'
register: test_inexistent
