
hashi_vault - enable use of tokens without lookup-self #24

Merged
merged 4 commits into from
Dec 23, 2020

Conversation

briantist
Collaborator

SUMMARY

Fixes #18

The issue has most of the technical information.

The method we use to determine if a token is valid relies on the token having the ability to look itself up. By default, all tokens inherit the "default" policy in Vault, and by default the default policy contains that capability.

However, when you create a token, you may request that it not include the default policy. You may also modify an installation's default policy to remove this capability.

In these cases, it would be impossible to use that (perfectly valid) token with this plugin, because it would fail early attempts to validate it.

This PR adds a new option allowing you to optionally disable that early validation.

When disabled, the token will be used to query a secret without any other checks. This means that if your token is expired or otherwise invalid, you will see the same error message as if your token wasn't granted the right permission.

  • Adds a new boolean option token_validate to control whether a token should be validated
  • Adds tests to ensure that a no-default-policy token fails with validation on and works with validation off
  • Updated docs and examples

ISSUE TYPE

  • Bugfix Pull Request

COMPONENT NAME

hashi_vault.py

ADDITIONAL INFORMATION
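The validation flow described above, as an added example that is not the plugin's own code: `fetch_secret` mirrors the token_validate decision against a constructed in-memory stand-in for a Vault client (`FakeVaultClient`, `VaultForbidden` and the token table are assumptions built for this example, not hvac or Vault APIs). It shows that with validation on, a no-default-policy token fails at the lookup-self pre-check, while with validation off an expired token and an under-privileged token surface the same permission error.

```python
"""Added example modelling the token_validate option (constructed stand-ins, not hvac)."""


class VaultForbidden(Exception):
    """Stand-in for the 403 'permission denied' error a Vault client raises."""


class FakeVaultClient:
    """Constructed stand-in: maps each token to the capabilities it holds.
    The 'default' policy is modelled by the 'lookup-self' capability."""

    def __init__(self, tokens):
        self._tokens = tokens

    def lookup_self(self, token):
        caps = self._tokens.get(token)
        if caps is None or "lookup-self" not in caps:
            raise VaultForbidden("permission denied on auth/token/lookup-self")
        return {"data": {"id": token}}

    def read_secret(self, token, path):
        caps = self._tokens.get(token)
        if caps is None or f"read:{path}" not in caps:
            raise VaultForbidden(f"permission denied on {path}")
        return {"data": {"value": "s3cr3t"}}


def fetch_secret(client, token, path, token_validate=True):
    """Optionally validate the token via lookup-self first, then read the secret."""
    if token_validate:
        try:
            client.lookup_self(token)
        except VaultForbidden as exc:
            # Early, specific failure: token is invalid OR simply lacks lookup-self.
            raise RuntimeError(f"token validation failed: {exc}") from exc
    # With validation off, any token problem shows up as the read's own error.
    return client.read_secret(token, path)["data"]["value"]


# Constructed token table: default-policy token, no-default-policy token, expired token.
TOKENS = {
    "tok-default": {"lookup-self", "read:secret/app"},
    "tok-no-default": {"read:secret/app"},
    "tok-expired": set(),
}
CLIENT = FakeVaultClient(TOKENS)


def outcome(token, token_validate):
    """Return ('ok', value) or ('error', message) for a token in the given mode."""
    try:
        return ("ok", fetch_secret(CLIENT, token, "secret/app", token_validate))
    except (RuntimeError, VaultForbidden) as exc:
        return ("error", str(exc))
```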

@briantist briantist added the bug Something isn't working label Dec 9, 2020
@codecov

codecov bot commented Dec 9, 2020

Codecov Report

Merging #24 (45474c6) into main (052c724) will decrease coverage by 0.74%.
The diff coverage is n/a.


@@            Coverage Diff             @@
##             main      #24      +/-   ##
==========================================
- Coverage   64.73%   63.98%   -0.75%     
==========================================
  Files           1        1              
  Lines         224      236      +12     
  Branches       44       42       -2     
==========================================
+ Hits          145      151       +6     
- Misses         64       71       +7     
+ Partials       15       14       -1     
Impacted Files Coverage Δ
...ommunity/hashi_vault/plugins/lookup/hashi_vault.py 63.98% <0.00%> (-0.75%) ⬇️


Δ = absolute <relative> (impact), ø = not affected, ? = missing data

briantist added a commit to briantist/community.hashi_vault that referenced this pull request Dec 9, 2020
@briantist briantist added the enhancement New feature or request label Dec 9, 2020
@briantist
Collaborator Author

@rasta-rocket could you try out this change?

@briantist briantist added this to the v0.2.0 milestone Dec 13, 2020
@briantist briantist self-assigned this Dec 13, 2020
Contributor

@rasta-rocket rasta-rocket left a comment


Just a little change
Great job 👍 💪👍 💪👍 💪👍 💪

plugins/lookup/hashi_vault.py (review comment, outdated)
Co-authored-by: Bruno FERNANDO <bruno.fernando@jobteaser.com>
@briantist
Collaborator Author

Thanks @rasta-rocket, good catch!
Were you able to try out the code itself?

@briantist
Collaborator Author

Hey @rasta-rocket, looking to get this merged and released; if you have a moment, do you mind reviewing once more?

Contributor

@felixfontein felixfontein left a comment


Rest looks fine (didn't look at tests).

plugins/lookup/hashi_vault.py (review comment, outdated)
Co-authored-by: Felix Fontein <felix@fontein.de>
@briantist briantist merged commit 0f4665f into ansible-collections:main Dec 23, 2020
Labels
bug Something isn't working enhancement New feature or request
Successfully merging this pull request may close these issues.

hashi_vault lookup plugin require auth/token/lookup-self policy on the Vault token to read secrets