author | Abhijeet Kasurde <akasurde@redhat.com> | 2020-08-08 02:02:16 +0530 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-07 15:32:16 -0500 |
commit | aa58d8c9ed8e0ab43d813e40547ad061396a585f (patch) | |
tree | 6e455dd7a7d934dac79e5d3ffbbd0e2176cbc41d | |
parent | bdcde11f9f3c145c3f44edbd4b672ef33fc69175 (diff) | |
[2.9] hashi_vault: Handle equal sign in secret name value (#70169)
Fixes: ansible/ansible#55658
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
5 files changed, 15 insertions, 5 deletions
diff --git a/changelogs/fragments/55658_hashi_vault.yml b/changelogs/fragments/55658_hashi_vault.yml
new file mode 100644
index 0000000000..6b0aeb7f10
--- /dev/null
+++ b/changelogs/fragments/55658_hashi_vault.yml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+- hashi_vault - Handle equal sign in key=value (https://github.com/ansible/ansible/issues/55658).
diff --git a/lib/ansible/plugins/lookup/hashi_vault.py b/lib/ansible/plugins/lookup/hashi_vault.py
index 473872d4ad..5a26c7c57c 100644
--- a/lib/ansible/plugins/lookup/hashi_vault.py
+++ b/lib/ansible/plugins/lookup/hashi_vault.py
@@ -269,7 +269,7 @@ class LookupModule(LookupBase):
 for param in vault_args:
 try:
- key, value = param.split('=')
+ key, value = param.split('=', 1)
 except ValueError:
 raise AnsibleError("hashi_vault lookup plugin needs key=value pairs, but received %s" % terms)
 vault_dict[key] = value
diff --git a/test/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/approle_test.yml b/test/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/approle_test.yml
index a97c427cff..f0ef88f701 100644
--- a/test/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/approle_test.yml
+++ b/test/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/approle_test.yml
@@ -30,7 +30,7 @@
 - name: 'Failure expected when inexistent secret is read'
 vars:
- secret_inexistent: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_base_path ~ '/secret4 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}"
+ secret_inexistent: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_base_path ~ '/non_existent_secret4 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}"
 debug:
 msg: 'Failure is expected ({{ secret_inexistent }})'
 register: test_inexistent
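Review bot: The `raise AnsibleError(... % terms)` two lines below the changed `split` echoes the whole lookup term string into the error, and the test invocations in this same commit show that string carrying `token=` and `secret_id=` values, so one malformed parameter would print live Vault credentials into playbook output and logs. The failing `param` is already in hand, so the message can be made useful without echoing the term string, e.g. `raise AnsibleError("hashi_vault lookup plugin needs key=value pairs, but received a parameter without '='")`. Separately, with `maxsplit=1` a parameter such as `=foo` now yields an empty key that is stored silently in `vault_dict`; a `if not key:` guard raising the same error would close that gap. The enclosing method starts and ends outside the hunk.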
diff --git a/test/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/main.yml b/test/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/main.yml
index 9bde696c5a..d5b9e93e33 100644
--- a/test/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/main.yml
+++ b/test/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/main.yml
@@ -87,10 +87,16 @@
 path "{{ vault_base_path }}/secret3" {
 capabilities = ["deny"]
 }
+ path "{{ vault_base_path }}/secret4" {
+ capabilities = ["read", "update"]
+ }
 - name: 'Create secrets'
 command: '{{ vault_cmd }} kv put {{ vault_base_path_kv }}/secret{{ item }} value=foo{{ item }}'
- loop: [1, 2, 3]
+ loop: [1, 2, 3, 4]
+
+ - name: 'Update KV v2 secret4 with new value to create version'
+ command: '{{ vault_cmd }} kv put {{ vault_base_path_kv }}/secret4 value=foo5'
 - name: setup approle auth
 import_tasks: approle_setup.yml
diff --git a/test/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/token_test.yml b/test/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/token_test.yml
index 927881da89..aa088c7ae3 100644
--- a/test/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/token_test.yml
+++ b/test/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/token_test.yml
@@ -6,11 +6,12 @@
 secret1: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_base_path ~ '/secret1 auth_method=token token=' ~ user_token) }}"
 secret2: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_base_path ~ '/secret2 token=' ~ user_token) }}"
 secret3: "{{ lookup('hashi_vault', conn_params ~ ' secret=' ~ vault_base_path ~ '/secret2 token=' ~ user_token) }}"
+ secret4: "{{ lookup('hashi_vault', conn_params ~ ' secret=' ~ vault_base_path ~ '/secret4?version=2 token=' ~ user_token) }}"
 - name: 'Check secret values'
 fail:
 msg: 'unexpected secret values'
- when: secret1['data']['value'] != 'foo1' or secret2['data']['value'] != 'foo2' or secret3['data']['value'] != 'foo2'
+ when: secret1['data']['value'] != 'foo1' or secret2['data']['value'] != 'foo2' or secret3['data']['value'] != 'foo2' or secret4['data']['value'] != 'foo5'
 - name: 'Failure expected when erroneous credentials are used'
 vars:
@@ -30,7 +31,7 @@
 - name: 'Failure expected when inexistent secret is read'
 vars:
- secret_inexistent: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_base_path ~ '/secret4 token=' ~ user_token) }}"
+ secret_inexistent: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_base_path ~ '/non_existent_secret4 token=' ~ user_token) }}"
 debug:
 msg: 'Failure is expected ({{ secret_inexistent }})'
 register: test_inexistent