code cleanup and error improvement for hashi_vault (#17824)
Use standard import error handling. Make error messages more specific. Use more python idiomatic code.
This commit is contained in:
parent
ee8ce99bed
commit
1cad0074f5
1 changed files with 20 additions and 13 deletions
|
@ -39,6 +39,12 @@ import os
|
||||||
from ansible.errors import AnsibleError
|
from ansible.errors import AnsibleError
|
||||||
from ansible.plugins.lookup import LookupBase
|
from ansible.plugins.lookup import LookupBase
|
||||||
|
|
||||||
|
HAS_HVAC = False
|
||||||
|
try:
|
||||||
|
import hvac
|
||||||
|
HAS_HVAC = True
|
||||||
|
except ImportError:
|
||||||
|
HAS_HVAC = False
|
||||||
|
|
||||||
ANSIBLE_HASHI_VAULT_ADDR = 'http://127.0.0.1:8200'
|
ANSIBLE_HASHI_VAULT_ADDR = 'http://127.0.0.1:8200'
|
||||||
|
|
||||||
|
@ -48,17 +54,17 @@ if os.getenv('VAULT_ADDR') is not None:
|
||||||
|
|
||||||
class HashiVault:
|
class HashiVault:
|
||||||
def __init__(self, **kwargs):
|
def __init__(self, **kwargs):
|
||||||
try:
|
|
||||||
import hvac
|
|
||||||
except ImportError:
|
|
||||||
raise AnsibleError("Please pip install hvac to use this module")
|
|
||||||
|
|
||||||
self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR)
|
self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR)
|
||||||
|
|
||||||
|
self.token = kwargs.get('token')
|
||||||
|
if self.token is None:
|
||||||
|
raise AnsibleError("No Hashicorp Vault Token specified for hash_vault lookup")
|
||||||
|
|
||||||
# split secret arg, which has format 'secret/hello:value' into secret='secret/hello' and secret_field='value'
|
# split secret arg, which has format 'secret/hello:value' into secret='secret/hello' and secret_field='value'
|
||||||
s = kwargs.get('secret')
|
s = kwargs.get('secret')
|
||||||
if s is None:
|
if s is None:
|
||||||
raise AnsibleError("No secret specified")
|
raise AnsibleError("No secret specified for hashi_vault lookup")
|
||||||
|
|
||||||
s_f = s.split(':')
|
s_f = s.split(':')
|
||||||
self.secret = s_f[0]
|
self.secret = s_f[0]
|
||||||
|
@ -97,22 +103,20 @@ class HashiVault:
|
||||||
|
|
||||||
self.client = hvac.Client(url=self.url, token=self.token)
|
self.client = hvac.Client(url=self.url, token=self.token)
|
||||||
|
|
||||||
if self.client.is_authenticated():
|
if not self.client.is_authenticated():
|
||||||
pass
|
raise AnsibleError("Invalid Hashicorp Vault Token Specified for hashi_vault lookup")
|
||||||
else:
|
|
||||||
raise AnsibleError("Invalid authentication credentials specified")
|
|
||||||
|
|
||||||
def get(self):
|
def get(self):
|
||||||
data = self.client.read(self.secret)
|
data = self.client.read(self.secret)
|
||||||
|
|
||||||
if data is None:
|
if data is None:
|
||||||
raise AnsibleError("The secret %s doesn't seem to exist" % self.secret)
|
raise AnsibleError("The secret %s doesn't seem to exist for hashi_vault lookup" % self.secret)
|
||||||
|
|
||||||
if self.secret_field == '': # secret was specified with trailing ':'
|
if self.secret_field == '': # secret was specified with trailing ':'
|
||||||
return data['data']
|
return data['data']
|
||||||
|
|
||||||
if self.secret_field not in data['data']:
|
if self.secret_field not in data['data']:
|
||||||
raise AnsibleError("The secret %s does not contain the field '%s'. " % (self.secret, self.secret_field))
|
raise AnsibleError("The secret %s does not contain the field '%s'. for hashi_vault lookup" % (self.secret, self.secret_field))
|
||||||
|
|
||||||
return data['data'][self.secret_field]
|
return data['data'][self.secret_field]
|
||||||
|
|
||||||
|
@ -134,6 +138,9 @@ class HashiVault:
|
||||||
|
|
||||||
class LookupModule(LookupBase):
|
class LookupModule(LookupBase):
|
||||||
def run(self, terms, variables, **kwargs):
|
def run(self, terms, variables, **kwargs):
|
||||||
|
if not HAS_HVAC:
|
||||||
|
raise AnsibleError("Please pip install hvac to use the hashi_vault lookup module.")
|
||||||
|
|
||||||
vault_args = terms[0].split(' ')
|
vault_args = terms[0].split(' ')
|
||||||
vault_dict = {}
|
vault_dict = {}
|
||||||
ret = []
|
ret = []
|
||||||
|
@ -141,8 +148,8 @@ class LookupModule(LookupBase):
|
||||||
for param in vault_args:
|
for param in vault_args:
|
||||||
try:
|
try:
|
||||||
key, value = param.split('=')
|
key, value = param.split('=')
|
||||||
except ValueError as e:
|
except ValueError:
|
||||||
raise AnsibleError("hashi_vault plugin needs key=value pairs, but received %s" % terms)
|
raise AnsibleError("hashi_vault lookup plugin needs key=value pairs, but received %s" % terms)
|
||||||
vault_dict[key] = value
|
vault_dict[key] = value
|
||||||
|
|
||||||
vault_conn = HashiVault(**vault_dict)
|
vault_conn = HashiVault(**vault_dict)
|
||||||
|
|
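Review bot: The rewritten error on the `key, value = param.split('=')` failure path still interpolates the whole `terms` list, i.e. the raw lookup string that (per the `HashiVault.__init__` change in this commit) carries `token=...`, so a single malformed parameter surfaces the Vault token in the task failure output and anything that captures it; report only the key of the offending parameter instead, e.g. `raise AnsibleError("hashi_vault lookup plugin needs key=value pairs, but received a malformed parameter: %s" % param.split('=', 1)[0])`. The same line also rejects any value that itself contains `=` (base64 or URL-style values), because an unlimited `split('=')` yields more than two parts and the unpacking raises `ValueError`; `key, value = param.split('=', 1)` keeps the full value and avoids that spurious error. The enclosing `run` method continues past the end of this hunk, so the handling of `vault_conn` after construction is not visible here.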