code cleanup and error improvement for hashi_vault (#17824)

Use standard import error handling.
Make error messages more specific.
Use more python idiomatic code.
This commit is contained in:
Adrian Likins 2017-07-07 10:17:18 -04:00 committed by Jonathan Davila
parent ee8ce99bed
commit 1cad0074f5


@ -39,6 +39,12 @@ import os
from ansible.errors import AnsibleError from ansible.errors import AnsibleError
from ansible.plugins.lookup import LookupBase from ansible.plugins.lookup import LookupBase
HAS_HVAC = False
try:
import hvac
HAS_HVAC = True
except ImportError:
HAS_HVAC = False
ANSIBLE_HASHI_VAULT_ADDR = 'http://127.0.0.1:8200' ANSIBLE_HASHI_VAULT_ADDR = 'http://127.0.0.1:8200'
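Review bot: `HAS_HVAC = False` is assigned twice in the new import guard, once before the `try` and again in the `except ImportError` branch, so one of the two is redundant. The `HAS_X` guard pattern used elsewhere in Ansible, as far as I recall it, sets the flag only on the two branches of the `try`, so the line before the `try` can simply be dropped without changing the flag's meaning. Keeping `HAS_HVAC = True` in the `try` body and `HAS_HVAC = False` in the `except` is enough.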
@ -48,17 +54,17 @@ if os.getenv('VAULT_ADDR') is not None:
class HashiVault: class HashiVault:
def __init__(self, **kwargs): def __init__(self, **kwargs):
try:
import hvac
except ImportError:
raise AnsibleError("Please pip install hvac to use this module")
self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR) self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR)
self.token = kwargs.get('token')
if self.token is None:
raise AnsibleError("No Hashicorp Vault Token specified for hash_vault lookup")
# split secret arg, which has format 'secret/hello:value' into secret='secret/hello' and secret_field='value' # split secret arg, which has format 'secret/hello:value' into secret='secret/hello' and secret_field='value'
s = kwargs.get('secret') s = kwargs.get('secret')
if s is None: if s is None:
raise AnsibleError("No secret specified") raise AnsibleError("No secret specified for hashi_vault lookup")
s_f = s.split(':') s_f = s.split(':')
self.secret = s_f[0] self.secret = s_f[0]
@ -97,22 +103,20 @@ class HashiVault:
self.client = hvac.Client(url=self.url, token=self.token) self.client = hvac.Client(url=self.url, token=self.token)
if self.client.is_authenticated(): if not self.client.is_authenticated():
pass raise AnsibleError("Invalid Hashicorp Vault Token Specified for hashi_vault lookup")
else:
raise AnsibleError("Invalid authentication credentials specified")
def get(self): def get(self):
data = self.client.read(self.secret) data = self.client.read(self.secret)
if data is None: if data is None:
raise AnsibleError("The secret %s doesn't seem to exist" % self.secret) raise AnsibleError("The secret %s doesn't seem to exist for hashi_vault lookup" % self.secret)
if self.secret_field == '': # secret was specified with trailing ':' if self.secret_field == '': # secret was specified with trailing ':'
return data['data'] return data['data']
if self.secret_field not in data['data']: if self.secret_field not in data['data']:
raise AnsibleError("The secret %s does not contain the field '%s'. " % (self.secret, self.secret_field)) raise AnsibleError("The secret %s does not contain the field '%s'. for hashi_vault lookup" % (self.secret, self.secret_field))
return data['data'][self.secret_field] return data['data'][self.secret_field]
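Review bot: The reworded message on the second `raise` in `get()` now reads `'%s'. for hashi_vault lookup`, a stray full stop in the middle of the sentence that users will see verbatim; the new suffix was appended after the original sentence-ending period. Change it to `raise AnsibleError("The secret %s does not contain the field '%s' for hashi_vault lookup" % (self.secret, self.secret_field))`. The other messages touched in this hunk end cleanly, so this is the only one with the problem.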
@ -134,6 +138,9 @@ class HashiVault:
class LookupModule(LookupBase): class LookupModule(LookupBase):
def run(self, terms, variables, **kwargs): def run(self, terms, variables, **kwargs):
if not HAS_HVAC:
raise AnsibleError("Please pip install hvac to use the hashi_vault lookup module.")
vault_args = terms[0].split(' ') vault_args = terms[0].split(' ')
vault_dict = {} vault_dict = {}
ret = [] ret = []
@ -141,8 +148,8 @@ class LookupModule(LookupBase):
for param in vault_args: for param in vault_args:
try: try:
key, value = param.split('=') key, value = param.split('=')
except ValueError as e: except ValueError:
raise AnsibleError("hashi_vault plugin needs key=value pairs, but received %s" % terms) raise AnsibleError("hashi_vault lookup plugin needs key=value pairs, but received %s" % terms)
vault_dict[key] = value vault_dict[key] = value
vault_conn = HashiVault(**vault_dict) vault_conn = HashiVault(**vault_dict)