fixup! initial draft for vault_pki

salt-extensions · May 9, 2024 · 2776523 · 2776523
1 parent 4d991e0
commit 2776523
Show file tree

Hide file tree

Showing 5 changed files with 268 additions and 223 deletions.
diff --git a/docs/ref/modules/saltext.vault.modules.debug.rst b/docs/ref/modules/saltext.vault.modules.debug.rst
diff --git a/src/saltext/vault/modules/vault_pki.py b/src/saltext/vault/modules/vault_pki.py
@@ -6,13 +6,15 @@
 .. important::
     This module requires the general :ref:`Vault setup <vault-setup>`.
 """
+
 import logging
 
 import salt.utils.x509 as x509util
-import saltext.vault.utils.vault as vault
 from cryptography.hazmat.primitives import serialization
 from salt.exceptions import CommandExecutionError
 
+import saltext.vault.utils.vault as vault
+
 log = logging.getLogger(__name__)
 
 
@@ -29,7 +31,7 @@ def list_roles(mount="pki"):
             salt '*' vault_pki.list_roles
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
     """
     endpoint = f"{mount}/roles"
     try:
@@ -56,7 +58,7 @@ def read_role(name, mount="pki"):
         The name of the role.
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
     """
 
     endpoint = f"{mount}/roles/{name}"
@@ -74,7 +76,7 @@ def read_role(name, mount="pki"):
 def write_role(
     name,
     mount="pki",
-    issuer_ref="default",
+    issuer_ref=None,
     ttl=None,
     max_ttl=None,
     allow_localhost=None,
@@ -101,7 +103,7 @@ def write_role(
         The name of the role.
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
 
     issuer_ref
         Name or id of the issuer which will be used with this role. If not set, default issuer will be used.
@@ -153,7 +155,6 @@ def write_role(
     """
 
     endpoint = f"{mount}/roles/{name}"
-
     method = "POST"
     headers = {}
 
@@ -163,7 +164,8 @@ def write_role(
 
     payload = {k: v for k, v in kwargs.items() if not k.startswith("_")}
 
-    payload["issuer_ref"] = issuer_ref
+    if issuer_ref is not None:
+        payload["issuer_ref"] = issuer_ref
     if ttl is not None:
         payload["ttl"] = ttl
     if max_ttl is not None:
@@ -187,14 +189,15 @@ def write_role(
     if require_cn is not None:
         payload["require_cn"] = require_cn
 
-    for m in [method, "POST"]:
-        try:
-            vault.query(m, endpoint, __opts__, __context__, payload=payload, add_headers=headers)
-            return True
-        except vault.VaultUnsupportedOperationError:
-            continue
-        except vault.VaultException as err:
-            raise CommandExecutionError(f"{err.__class__}: {err}") from err
+    try:
+        vault.query(method, endpoint, __opts__, __context__, payload=payload, add_headers=headers)
+        return True
+    except vault.VaultUnsupportedOperationError as err:
+        raise CommandExecutionError(
+            f"Vault version too old. Please upgrade to v1.11.0+: {err}"
+        ) from err
+    except vault.VaultException as err:
+        raise CommandExecutionError(f"{err.__class__}: {err}") from err
 
 
 def delete_role(name, mount="pki"):
@@ -213,7 +216,7 @@ def delete_role(name, mount="pki"):
         The name of the role.
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
     """
 
     endpoint = f"{mount}/roles/{name}"
@@ -242,7 +245,7 @@ def list_issuers(mount="pki"):
             salt '*' vault_pki.list_issuers
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
     """
     endpoint = f"{mount}/issuers"
 
@@ -272,13 +275,13 @@ def read_issuer(ref="default", mount="pki"):
         which means default issuer. Defaults to ``default``.
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
 
     """
     endpoint = f"{mount}/issuer/{ref}/json"
 
     try:
-        return vault.query("GET", endpoint, __opts__, __context__, is_unauthd=False)["data"]
+        return vault.query("GET", endpoint, __opts__, __context__, is_unauthd=True)["data"]
     except vault.VaultNotFoundError:
         return None
     except vault.VaultException as err:
@@ -310,7 +313,7 @@ def update_issuer(
         which means default issuer. Defaults to ``default``.
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
 
     manual_chain
         Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.
@@ -384,7 +387,7 @@ def read_issuer_certificate(name="default", mount="pki", include_chain=False):
         which means default issuer. Defaults to ``default``.
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
 
     include_chain
         If set to true will append the CA chain to the certificate (in case of intermediate issuer)
@@ -474,7 +477,7 @@ def generate_root(
         The common name to be used for the CA
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
 
     type
         Specifies the type of the root to create. If exported, the private key will be returned in the response;
@@ -557,7 +560,7 @@ def delete_key(ref, mount="pki"):
         Ref of the key. Could be name or key_id.
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
     """
 
     endpoint = f"{mount}/key/{ref}"
@@ -586,7 +589,7 @@ def delete_issuer(ref, mount="pki"):
         Ref of the issuer. Could be name or issuer_id.
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
     """
 
     endpoint = f"{mount}/issuer/{ref}"
@@ -618,7 +621,7 @@ def read_issuer_crl(ref="default", mount="pki", delta=False):
         Ref of the issuer. Could be name or issuer_id. Defaults to default issuer.
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
 
     delta
         If set to true, will return delta CRL instead of complete one.
@@ -662,7 +665,7 @@ def list_revoked_certificates(mount="pki"):
             salt '*' vault_pki.list_revoked_certificates
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
     """
     endpoint = f"{mount}/certs/revoked"
 
@@ -685,7 +688,7 @@ def list_certificates(mount="pki"):
             salt '*' vault_pki.list_certificates
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
     """
     endpoint = f"{mount}/certs"
 
@@ -716,7 +719,7 @@ def read_certificate(serial, mount="pki"):
         ``ca_chain`` for the default issuer's CA trust chain.
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
     """
     endpoint = f"{mount}/cert/{serial}"
 
@@ -755,7 +758,7 @@ def issue_certificate(
         Common name to be set for the certificate.
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
 
     issuer
         Override role's issuer. Can be issuer_name or issuer_id.
@@ -839,7 +842,7 @@ def sign_certificate(
         Common name to be set for the certificate.
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
 
     csr
         Pass the CSR which will be used for issuing the certificate. Either ``csr`` or ``private_key`` parameter can be set, not both.
@@ -955,7 +958,7 @@ def revoke_certificate(serial=None, certificate=None, mount="pki"):
         Specifies the certificate (PEM or path) to revoke. Either ``serial`` or ``certificate`` must be specified.
 
     mount
-        The mount path the DB backend is mounted to. Defaults to ``pki``.
+        The mount path the PKI backend is mounted to. Defaults to ``pki``.
     """
     endpoint = f"{mount}/revoke/"
     payload = {}