Respect VAULT_SKIP_VERIFY envionment variable setting in hashi_vault lookup plugin (#1024) (#1062)

* add skip_certificate_validation from env VAULT_SKIP_VERIFY

* use os.envrion.env instead of skip_certificat_validation

* fix typo in test

* add tests for different truthy options

* fix linting

* add changelog

* change precedence for validate_certs

* add precedence test

* fix inverted logic

* Fix documentation

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/lookup/hashi_vault.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* fix linting

* Update plugins/lookup/hashi_vault.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/lookup/hashi_vault.py

Co-authored-by: Felix Fontein <felix@fontein.de>

Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 3af4be34b2)

Co-authored-by: markafarrell <mark.andrew.farrell@gmail.com>

changelogs/fragments/1024-vault-skip-verify-support.yml

@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - hashi_vault - support ``VAULT_SKIP_VERIFY`` environment variable for determining if to verify certificates (in addition to the ``validate_certs=`` flag supported today) (https://github.com/ansible-collections/community.general/pull/1024).

plugins/lookup/hashi_vault.py

@@ -116,9 +116,12 @@ DOCUMENTATION = """
       description: Path to certificate to use for authentication.
       aliases: [ cacert ]
     validate_certs:
-      description: Controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
+      description:
+        - Controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
+        - Will be populated with the inverse of C(VAULT_SKIP_VERIFY) if that is set and I(validate_certs) is not explicitly
+          provided (added in community.general 1.3.0).
+        - Will default to C(true) if neither I(validate_certs) or C(VAULT_SKIP_VERIFY) are set.
       type: boolean
-      default: True
     namespace:
       description: Namespace where secrets reside. Requires HVAC 0.7.0+ and Vault 0.11+.
       env:
@@ -257,6 +260,7 @@ import os
 from ansible.errors import AnsibleError
 from ansible.plugins.lookup import LookupBase
 from ansible.utils.display import Display
+from ansible.module_utils.parsing.convert_bool import boolean
 
 HAS_HVAC = False
 try:
@@ -486,8 +490,28 @@ class LookupModule(LookupBase):
         #
         '''' return a bool or cacert '''
         ca_cert = self.get_option('ca_cert')
+
         validate_certs = self.get_option('validate_certs')
 
+        if validate_certs is None:
+            # Validate certs option was not explicitly set
+
+            # Check if VAULT_SKIP_VERIFY is set
+            vault_skip_verify = os.environ.get('VAULT_SKIP_VERIFY')
+
+            if vault_skip_verify is not None:
+                # VAULT_SKIP_VERIFY is set
+                try:
+                    # Check that we have a boolean value
+                    vault_skip_verify = boolean(vault_skip_verify)
+                    # Use the inverse of VAULT_SKIP_VERIFY
+                    validate_certs = not vault_skip_verify
+                except TypeError:
+                    # Not a boolean value fallback to default value (True)
+                    validate_certs = True
+            else:
+                validate_certs = True
+
         if not (validate_certs and ca_cert):
             self.set_option('ca_cert', validate_certs)
 

tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/approle_test.yml

@@ -30,7 +30,7 @@
 
     - name: 'Failure expected when inexistent secret is read'
       vars:
-          secret_inexistent: "{{ lookup('community.general.:qhashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret4 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}"
+          secret_inexistent: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/non_existent_secret4 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}"
       debug:
         msg: 'Failure is expected ({{ secret_inexistent }})'
       register: test_inexistent

tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/tests.yml

@@ -33,3 +33,44 @@
       include_tasks: '{{ auth_type }}_test.yml'
       vars:
         conn_params: 'url=https://localhost:8201 validate_certs=False '
+
+    - name: 'test {{ auth_type }} auth with certs (validation using env VAR, lookup parameters)'
+      include_tasks: '{{ auth_type }}_test.yml'
+      args:
+        apply:
+          vars:
+            conn_params: ''
+          environment:
+            VAULT_ADDR: 'https://localhost:8201'
+            VAULT_SKIP_VERIFY: 1
+
+    - name: 'test {{ auth_type }} auth with certs (validation using env VAR (True), lookup parameters)'
+      include_tasks: '{{ auth_type }}_test.yml'
+      args:
+        apply:
+          vars:
+            conn_params: ''
+          environment:
+            VAULT_ADDR: 'https://localhost:8201'
+            VAULT_SKIP_VERIFY: True
+
+    - name: 'test {{ auth_type }} auth with certs (validation using env VAR (y), lookup parameters)'
+      include_tasks: '{{ auth_type }}_test.yml'
+      args:
+        apply:
+          vars:
+            conn_params: ''
+          environment:
+            VAULT_ADDR: 'https://localhost:8201'
+            VAULT_SKIP_VERIFY: y
+
+    - name: 'test {{ auth_type }} auth with certs (precedence of validate_certs over env VAR, lookup parameters)'
+      include_tasks: '{{ auth_type }}_test.yml'
+      args:
+        apply:
+          vars:
+            conn_params: 'validate_certs=False '
+          environment:
+            VAULT_ADDR: 'https://localhost:8201'
+            VAULT_SKIP_VERIFY: False
+