def main():
argspec = hvault_argument_spec()
argspec.update(
dict(
name=dict(required=True),
state=dict(choices=['present', 'absent'], default='present'),
policy=dict(type='raw'),
))
module = AnsibleModule(
supports_check_mode=True,
argument_spec=argspec,
required_if=[
['state', 'present', ['policy']],
],
)
client = HVaultClient(module.params, module)
pol_path = 'sys/policies/acl/{0}'.format(module.params['name'])
try:
result = client.get(pol_path, fatal=False)
result = result['data']
except URLError:
result = None
if module.params['state'] == 'absent':
if not result:
module.exit_json(changed=False)
if not module.check_mode:
client.delete(pol_path)
module.exit_json(changed=True)
policy = module.params['policy']
if not isinstance(policy, string_types):
if not isinstance(policy, dict):
module.fail_json(
msg='policy must be either a dict or a string, got {0}'.format(
type(policy)))
# allow people to write policies with less typing
if 'path' not in policy:
policy = {'path': policy}
for key in policy['path']:
if isinstance(policy['path'][key], list):
policy['path'][key] = {'capabilities': policy['path'][key]}
policy = jsonify(policy, indent=2, sort_keys=True)
changed = False
if not result or result['policy'] != policy:
changed = True
if not module.check_mode:
client.put(pol_path, data={'policy': policy})
result = client.get(pol_path)['data']
module.exit_json(changed=changed, policy=result)
def check_type_jsonarg(value):
"""Return a jsonified string. Sometimes the controller turns a json string
into a dict/list so transform it back into json here
Raises TypeError if unable to covert the value
"""
if isinstance(value, (text_type, binary_type)):
return value.strip()
elif isinstance(value, (list, tuple, dict)):
return jsonify(value)
raise TypeError('%s cannot be converted to a json string' % type(value))
def _open_url(self, path, method, data=None, fatal=True):
url = '{0}/v1/{1}'.format(self.params['vault_addr'], path)
headers = {}
if self.params.get('token'):
headers['X-Vault-Token'] = self.params['token']
if data:
headers['Content-type'] = 'application/json'
try:
result = open_url(
url,
headers=headers,
method=method,
data=jsonify(data),
timeout=self.params['timeout'],
http_agent=self.params['http_agent'],
use_proxy=self.params['use_proxy'],
validate_certs=self.params['validate_certs'],
client_cert=self.params['client_cert'],
client_key=self.params['client_key'],
).read()
if result:
return json.loads(result)
return None
except HTTPError as e:
if fatal and self._module:
msg = 'Failed to {0} {1}: {2} (HTTP {3})'.format(
method, path, e.reason, e.code)
result = {}
try:
result = json.loads(e.read())
except Exception: # oop
pass
failure = {
'msg': msg,
'headers': str(e.headers),
'result': result,
}
self._module.fail_json(**failure)
raise
except URLError as e:
if fatal and self._module:
self._module.fail_json(msg='Failed to {0} {1}: {2}'.format(
method, path, e.reason))
raise
def exit_raw_json(module, **kwargs):
"""
Print the raw parameters in JSON format, without masking.
Due to Ansible filtering out values in the output that match values
in variables which has `no_log` set, if a module need to return user
defined dato to the controller, it cannot rely on
AnsibleModule.exit_json, as there is a chance that a partial match may
occur, masking the data returned.
This method is a replacement for AnsibleModule.exit_json. It has
nearly the same implementation as exit_json, but does not filter
data. Beware that this data will be logged by Ansible, and if it
contains sensible data, it will be appear in the logs.
"""
module.do_cleanup_files()
print(jsonify(kwargs))
sys.exit(0)
def test_jsonify(test_input, expected):
"""Test for jsonify()."""
assert jsonify(test_input) == expected
