From 713e386c66213e0dd119972467536c95b547a999 Mon Sep 17 00:00:00 2001
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com>
Date: Fri, 9 Oct 2020 15:30:11 +0200
Subject: [PATCH] Respect VAULT_SKIP_VERIFY envionment variable setting in hashi_vault lookup plugin (#1024) (#1062)

* add skip_certificate_validation from env VAULT_SKIP_VERIFY
* use os.envrion.env instead of skip_certificat_validation
* fix typo in test
* add tests for different truthy options
* fix linting
* add changelog
* change precedence for validate_certs
* add precedence test
* fix inverted logic
* Fix documentation
Co-authored-by: Felix Fontein
* Update plugins/lookup/hashi_vault.py
Co-authored-by: Felix Fontein
* fix linting
* Update plugins/lookup/hashi_vault.py
Co-authored-by: Felix Fontein
* Update plugins/lookup/hashi_vault.py
Co-authored-by: Felix Fontein
Co-authored-by: Felix Fontein
(cherry picked from commit 3af4be34b230af74d47f9c9411d037da08357f4a)
Co-authored-by: markafarrell
---
 .../1024-vault-skip-verify-support.yml | 3 ++
 plugins/lookup/hashi_vault.py | 28 ++++++++++++-
 .../lookup_hashi_vault/tasks/approle_test.yml | 2 +-
 .../lookup_hashi_vault/tasks/tests.yml | 41 +++++++++++++++++++
 4 files changed, 71 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/1024-vault-skip-verify-support.yml
diff --git a/changelogs/fragments/1024-vault-skip-verify-support.yml b/changelogs/fragments/1024-vault-skip-verify-support.yml
new file mode 100644
index 0000000000..fe275bcfd0
--- /dev/null
+++ b/changelogs/fragments/1024-vault-skip-verify-support.yml
@@ -0,0 +1,3 @@
+---
+minor_changes:
+ - hashi_vault - support ``VAULT_SKIP_VERIFY`` environment variable for determining if to verify certificates (in addition to the ``validate_certs=`` flag supported today) (https://github.com/ansible-collections/community.general/pull/1024).
diff --git a/plugins/lookup/hashi_vault.py b/plugins/lookup/hashi_vault.py
index 0c3d7a6808..2a86c0d740 100644
--- a/plugins/lookup/hashi_vault.py
+++ b/plugins/lookup/hashi_vault.py
@@ -116,9 +116,12 @@ DOCUMENTATION = """
 description: Path to certificate to use for authentication.
 aliases: [ cacert ]
 validate_certs:
- description: Controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
+ description:
+ - Controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
+ - Will be populated with the inverse of C(VAULT_SKIP_VERIFY) if that is set and I(validate_certs) is not explicitly
+ provided (added in community.general 1.3.0).
+ - Will default to C(true) if neither I(validate_certs) or C(VAULT_SKIP_VERIFY) are set.
 type: boolean
- default: True
 namespace:
 description: Namespace where secrets reside. Requires HVAC 0.7.0+ and Vault 0.11+.
 env:
@@ -257,6 +260,7 @@ import os
 from ansible.errors import AnsibleError
 from ansible.plugins.lookup import LookupBase
 from ansible.utils.display import Display
+from ansible.module_utils.parsing.convert_bool import boolean
 HAS_HVAC = False
 try:
@@ -486,8 +490,28 @@ class LookupModule(LookupBase):
 # '''' return a bool or cacert '''
 ca_cert = self.get_option('ca_cert')
+ validate_certs = self.get_option('validate_certs')
+ if validate_certs is None:
+ # Validate certs option was not explicitly set
+
+ # Check if VAULT_SKIP_VERIFY is set
+ vault_skip_verify = os.environ.get('VAULT_SKIP_VERIFY')
+
+ if vault_skip_verify is not None:
+ # VAULT_SKIP_VERIFY is set
+ try:
+ # Check that we have a boolean value
+ vault_skip_verify = boolean(vault_skip_verify)
+ # Use the inverse of VAULT_SKIP_VERIFY
+ validate_certs = not vault_skip_verify
+ except TypeError:
+ # Not a boolean value fallback to default value (True)
+ validate_certs = True
+ else:
+ validate_certs = True
+
+ if not (validate_certs and ca_cert):
 self.set_option('ca_cert', validate_certs)
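Review bot: An unrecognised VAULT_SKIP_VERIFY value is silently mapped to verification enabled in the `except TypeError:` branch, so a mistyped value (say `VAULT_SKIP_VERIFY=ture`, constructed example) behaves differently from what the operator meant with nothing in the output to explain why. Failing towards verification is the right default, but the fallback should be visible: `except TypeError:` / `display.warning("VAULT_SKIP_VERIFY=%r is not a recognised boolean; certificate verification stays enabled" % vault_skip_verify)` / `validate_certs = True` — the file imports Display, and I am assuming the usual module-level `display = Display()` instance exists outside the hunk. Separately, `boolean()` accepts a wider set of truthy spellings (`y`, `yes`, `on`) than I believe Vault's own client does for this variable, so a value Vault would reject can disable verification here; that is worth a sentence in the option documentation so operators do not assume the two agree. The enclosing method begins outside the hunk.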
diff --git a/tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/approle_test.yml b/tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/approle_test.yml
index 36d0896fe9..7bb0d83d4a 100644
--- a/tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/approle_test.yml
+++ b/tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/approle_test.yml
@@ -30,7 +30,7 @@
 - name: 'Failure expected when inexistent secret is read'
 vars:
- secret_inexistent: "{{ lookup('community.general.:qhashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret4 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}"
+ secret_inexistent: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/non_existent_secret4 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}"
 debug:
 msg: 'Failure is expected ({{ secret_inexistent }})'
 register: test_inexistent
diff --git a/tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/tests.yml b/tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/tests.yml
index 198f587a77..53ec682719 100644
--- a/tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/tests.yml
+++ b/tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/tests.yml
@@ -33,3 +33,44 @@
 include_tasks: '{{ auth_type }}_test.yml'
 vars:
 conn_params: 'url=https://localhost:8201 validate_certs=False '
+
+ - name: 'test {{ auth_type }} auth with certs (validation using env VAR, lookup parameters)'
+ include_tasks: '{{ auth_type }}_test.yml'
+ args:
+ apply:
+ vars:
+ conn_params: ''
+ environment:
+ VAULT_ADDR: 'https://localhost:8201'
+ VAULT_SKIP_VERIFY: 1
+
+ - name: 'test {{ auth_type }} auth with certs (validation using env VAR (True), lookup parameters)'
+ include_tasks: '{{ auth_type }}_test.yml'
+ args:
+ apply:
+ vars:
+ conn_params: ''
+ environment:
+ VAULT_ADDR: 'https://localhost:8201'
+ VAULT_SKIP_VERIFY: True
+
+ - name: 'test {{ auth_type }} auth with certs (validation using env VAR (y), lookup parameters)'
+ include_tasks: '{{ auth_type }}_test.yml'
+ args:
+ apply:
+ vars:
+ conn_params: ''
+ environment:
+ VAULT_ADDR: 'https://localhost:8201'
+ VAULT_SKIP_VERIFY: y
+
+ - name: 'test {{ auth_type }} auth with certs (precedence of validate_certs over env VAR, lookup parameters)'
+ include_tasks: '{{ auth_type }}_test.yml'
+ args:
+ apply:
+ vars:
+ conn_params: 'validate_certs=False '
+ environment:
+ VAULT_ADDR: 'https://localhost:8201'
+ VAULT_SKIP_VERIFY: False
+
\ No newline at end of file
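Review bot: Every case added here ends with verification disabled — `VAULT_SKIP_VERIFY: 1`, `True`, `y`, or `validate_certs=False ` overriding the env — so the hunk never exercises the fail-safe paths the plugin change introduces: env unset with no option given, and an unrecognised value (e.g. `VAULT_SKIP_VERIFY: maybe`, constructed), both of which should leave verification on. The existing case passes `validate_certs=False` for `https://localhost:8201`, so its certificate is presumably not trusted; a task for each of those two paths that expects the lookup to fail would pin the secure default the same way `approle_test.yml` already pins the inexistent-secret failure. The final added line is a whitespace-only line followed by `\ No newline at end of file`; drop it so the file ends with a newline and the YAML linter stays quiet. The enclosing task list starts outside the hunk.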