Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hashi_vault lookup plugin behavior on option duplication #349

Closed
vladislav-sharapov opened this issue Feb 25, 2023 · 2 comments · Fixed by #350
Closed

hashi_vault lookup plugin behavior on option duplication #349

vladislav-sharapov opened this issue Feb 25, 2023 · 2 comments · Fixed by #350
Labels
bug Something isn't working

Comments

@vladislav-sharapov
Copy link
Contributor

SUMMARY

hashi_vault lookup plugin allows defining option duplicates.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

hashi_vault lookup plugin

ANSIBLE VERSION
ansible [core 2.14.2]
  config file = None
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/ansible-vault-lookup/lib/python3.10/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/user/ansible-vault-lookup/bin/ansible
  python version = 3.10.6 (main, Nov 14 2022, 16:10:14) [GCC 11.3.0] (/home/user/ansible-vault-lookup/bin/python3)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection            Version
--------------------- -------
community.hashi_vault 4.1.0
CONFIGURATION
CONFIG_FILE() = None
OS / ENVIRONMENT
STEPS TO REPRODUCE

Requirements:

  • Vault instance with secrets: secret1: value1, secret2: value2.
  • Environment variable VAULT_TOKEN.
- hosts: localhost
  gather_facts: false
  tasks:
    - debug:
        msg: >-
          {{ lookup('hashi_vault',
          'secret=secret/data/test:secret1 secret=secret/data/test:secret2
          url=http://127.0.0.1:8200/') }}
EXPECTED RESULTS

Option duplication error.

ACTUAL RESULTS

Plugin returns second secret value.

PLAY [localhost] ***********************************************************************************************************************************************************

TASK [debug] ***************************************************************************************************************************************************************
ok: [localhost] => {
    "msg": "value2"
}

PLAY RECAP *****************************************************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
@briantist briantist added the bug Something isn't working label Feb 26, 2023
@briantist
Copy link
Collaborator

Hi @vladislav-sharapov and welcome!

This is one of many downsides of putting these options in the term string, something I don't recommend. The plugin also supports direct (I'll say, correct) specification of options; the term-string based way is kept for compatibility. But in this case since the secret path itself is meant to be the term string, this ends up not being very helpful in catching duplicates.

This collection now has other content besides the hashi_vault lookup, and I actively recommend using the others instead as they're more intentional. None of the newer content supports this term-string method of providing options. Have a look at this page for help on migrating from hashi_vault if you'd like to do that:

Because I'm recommending the use of other content, I'm generally not making changes to the hashi_vault lookup anymore. It would be possible, and I would accept a PR for it, but it would be low on my personal list to address it.

If you're interested in putting up a PR, the place to modify would be here:
https://github.com/ansible-collections/community.hashi_vault/blob/main/plugins/plugin_utils/_hashi_vault_lookup_base.py#L30-L47

As a quick brainstorm of a fix, I'd probably check for key existence in the dict and then raise an exception if the key is already set.

Just note that it would still be possible to provide duplicates in a way that doesn't/shouldn't fail:

- hosts: localhost
  gather_facts: false
  tasks:
    - debug:
        msg: >-
          {{ lookup('hashi_vault',
          'secret=secret/data/test:secret1',
          secret='secret/data/test:secret2',
          url='http://127.0.0.1:8200/') }}

This provides secret both as a term string param, and as a direct option. In general, it's not an error in Ansible to supply plugin options in multiple places and have a clear precedence order, but I do agree supplying the same one from the same source is an error.

If you're interested in putting up a PR we have a Contributor guide that can help you get started. Don't hesitate to ask any additional questions as needed.

@vladislav-sharapov
Copy link
Contributor Author

Hello, @briantist!

Thanks for such a detailed answer. I'll create a PR.

@vladislav-sharapov vladislav-sharapov mentioned this issue Feb 26, 2023
Merged
@briantist briantist mentioned this issue Mar 5, 2023
Closed
@briantist briantist mentioned this issue May 10, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Raise error on option duplication in term string
2 participants
@briantist @vladislav-sharapov