hashi_vault lookup - raise exception on duplicate term string optio…

…ns (ansible-collections#375) * raise exception on duplicate term string option * add changelog fragment
flatironhealth · May 15, 2023 · 855d081 · 855d081
1 parent a5be0b4
commit 855d081
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 30 deletions.
diff --git a/changelogs/fragments/356-duplicate-term-options.yml b/changelogs/fragments/356-duplicate-term-options.yml
@@ -0,0 +1,3 @@
+---
+breaking_changes:
+  - hashi_vault lookup - duplicate option entries in the term string now raises an exception instead of a warning (https://github.com/ansible-collections/community.hashi_vault/issues/356).
diff --git a/plugins/plugin_utils/_hashi_vault_lookup_base.py b/plugins/plugin_utils/_hashi_vault_lookup_base.py
@@ -12,7 +12,7 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 
-from ansible.errors import AnsibleError
+from ansible.errors import AnsibleError, AnsibleOptionsError
 from ansible.plugins.lookup import LookupBase
 from ansible.utils.display import Display
 
@@ -43,11 +43,8 @@ def parse_kev_term(self, term, plugin_name, first_unqualified=None):
                     raise AnsibleError("%s lookup plugin needs key=value pairs, but received %s" % (plugin_name, term))
 
             if key in param_dict:
-                removed_in = '5.0.0'
                 msg = "Duplicate key '%s' in the term string '%s'." % (key, term)
-                display.deprecated(msg + "\nIn version %s of the collection, this will raise an exception." % (removed_in, ), removed_in)
-                # TODO: v5.0.0: remove deprecation message, uncomment: https://github.com/ansible-collections/community.hashi_vault/pull/350
-                # raise AnsibleOptionsError(msg)
+                raise AnsibleOptionsError(msg)
 
             param_dict[key] = value
 

diff --git a/tests/integration/targets/lookup_hashi_vault/tasks/lookup_test.yml b/tests/integration/targets/lookup_hashi_vault/tasks/lookup_test.yml
@@ -92,21 +92,20 @@
           - test_inexistent.msg is search("doesn't seem to exist")
         fail_msg: "Expected failure but got success or wrong failure message."
 
-    # TODO: v5.0.0 - uncomment below: https://github.com/ansible-collections/community.hashi_vault/pull/350
-    # - name: Failure expected when duplicate terms are used in the term string
-    #   vars:
-    #     duplicate_terms: >-
-    #       {{
-    #         lookup('community.hashi_vault.hashi_vault',
-    #         vault_kv2_api_path ~ '/secrets secret=' ~ vault_kv2_api_path ~ '/secret2',
-    #         **kwargs)
-    #       }}
-    #   ansible.builtin.debug:
-    #     msg: 'Failure is expected ({{ duplicate_terms }})'
-    #   register: test_duplicate
-    #   ignore_errors: true
+    - name: Failure expected when duplicate terms are used in the term string
+      vars:
+        duplicate_terms: >-
+          {{
+            lookup('community.hashi_vault.hashi_vault',
+            vault_kv2_api_path ~ '/secrets secret=' ~ vault_kv2_api_path ~ '/secret2',
+            **kwargs)
+          }}
+      ansible.builtin.debug:
+        msg: 'Failure is expected ({{ duplicate_terms }})'
+      register: test_duplicate
+      ignore_errors: true
 
-    # - assert:
-    #     that:
-    #       - test_duplicate is failed
-    #       - test_duplicate.msg is search("^Duplicate key 'secret' in term string")
+    - assert:
+        that:
+          - test_duplicate is failed
+          - test_duplicate.msg is search("Duplicate key 'secret' in the term string")
diff --git a/tests/unit/plugins/plugin_utils/base/test_hashi_vault_lookup_base.py b/tests/unit/plugins/plugin_utils/base/test_hashi_vault_lookup_base.py
@@ -8,10 +8,11 @@
 
 import pytest
 
-from ansible.errors import AnsibleError
+from re import escape as re_escape
+
+from ansible.errors import AnsibleError, AnsibleOptionsError
 from ansible.plugins.lookup import LookupBase
 
-from ....compat import mock
 from ......plugins.plugin_utils._hashi_vault_plugin import HashiVaultPlugin
 from ......plugins.plugin_utils._hashi_vault_lookup_base import HashiVaultLookupBase
 
@@ -72,18 +73,16 @@ def test_parse_kev_term_plugin_name_required(self, hashi_vault_lookup_module):
         with pytest.raises(TypeError):
             parsed = hashi_vault_lookup_module.parse_kev_term('key1=value1', first_unqualified='fake')
 
-    # TODO: v5.0.0 - should raise not warn: https://github.com/ansible-collections/community.hashi_vault/pull/350
     @pytest.mark.parametrize('term', [
         'one secret=two a=1 b=2',
         'a=1 secret=one b=2 secret=two',
         'secret=one secret=two a=z b=y',
     ])
     def test_parse_kev_term_duplicate_option(self, term, hashi_vault_lookup_module):
         dup_key = 'secret'
-        removed_in = '5.0.0'
-        expected_template = "Duplicate key '%s' in the term string '%s'.\nIn version %s of the collection, this will raise an exception."
-        expected_msg = expected_template % (dup_key, term, removed_in)
+        expected_template = "Duplicate key '%s' in the term string '%s'."
+        expected_msg = expected_template % (dup_key, term)
+        expected_re = re_escape(expected_msg)
 
-        with mock.patch('ansible_collections.community.hashi_vault.plugins.plugin_utils._hashi_vault_lookup_base.display') as display:
+        with pytest.raises(AnsibleOptionsError, match=f"^{expected_re}$"):
             hashi_vault_lookup_module.parse_kev_term(term, plugin_name='fake', first_unqualified=dup_key)
-            display.deprecated.assert_called_once_with(expected_msg, removed_in)