Revoke tokens which have been created ephemerally

plugins/lookup/vault_kv1_get.py

@@ -199,22 +199,25 @@ def run(self, terms, variables=None, **kwargs):
         except (NotImplementedError, HashiVaultValueError) as e:
             raise AnsibleError(e)
 
-        for term in terms:
-            try:
-                raw = client.secrets.kv.v1.read_secret(path=term, mount_point=engine_mount_point)
-            except hvac.exceptions.Forbidden as e:
-                raise_from(AnsibleError("Forbidden: Permission Denied to path ['%s']." % term), e)
-            except hvac.exceptions.InvalidPath as e:
-                if 'Invalid path for a versioned K/V secrets engine' in str(e):
-                    msg = "Invalid path for a versioned K/V secrets engine ['%s']. If this is a KV version 2 path, use community.hashi_vault.vault_kv2_get."
-                else:
-                    msg = "Invalid or missing path ['%s']."
-
-                raise_from(AnsibleError(msg % (term,)), e)
-
-            metadata = raw.copy()
-            data = metadata.pop('data')
-
-            ret.append(dict(raw=raw, data=data, secret=data, metadata=metadata))
+        try:
+            for term in terms:
+                try:
+                    raw = client.secrets.kv.v1.read_secret(path=term, mount_point=engine_mount_point)
+                except hvac.exceptions.Forbidden as e:
+                    raise_from(AnsibleError("Forbidden: Permission Denied to path ['%s']." % term), e)
+                except hvac.exceptions.InvalidPath as e:
+                    if 'Invalid path for a versioned K/V secrets engine' in str(e):
+                        msg = "Invalid path for a versioned K/V secrets engine ['%s']. If this is a KV version 2 path, use community.hashi_vault.vault_kv2_get."
+                    else:
+                        msg = "Invalid or missing path ['%s']."
+
+                    raise_from(AnsibleError(msg % (term,)), e)
+
+                metadata = raw.copy()
+                data = metadata.pop('data')
+
+                ret.append(dict(raw=raw, data=data, secret=data, metadata=metadata))
+        finally:
+            self.authenticator.logout(client)
 
         return ret

plugins/lookup/vault_kv2_get.py

@@ -223,21 +223,24 @@ def run(self, terms, variables=None, **kwargs):
         except (NotImplementedError, HashiVaultValueError) as e:
             raise AnsibleError(e)
 
-        for term in terms:
-            try:
-                raw = client.secrets.kv.v2.read_secret_version(path=term, version=version, mount_point=engine_mount_point)
-            except hvac.exceptions.Forbidden as e:
-                raise_from(AnsibleError("Forbidden: Permission Denied to path ['%s']." % term), e)
-            except hvac.exceptions.InvalidPath as e:
-                raise_from(
-                    AnsibleError("Invalid or missing path ['%s'] with secret version '%s'. Check the path or secret version." % (term, version or 'latest')),
-                    e
-                )
-
-            data = raw['data']
-            metadata = data['metadata']
-            secret = data['data']
-
-            ret.append(dict(raw=raw, data=data, secret=secret, metadata=metadata))
+        try:
+            for term in terms:
+                try:
+                    raw = client.secrets.kv.v2.read_secret_version(path=term, version=version, mount_point=engine_mount_point)
+                except hvac.exceptions.Forbidden as e:
+                    raise_from(AnsibleError("Forbidden: Permission Denied to path ['%s']." % term), e)
+                except hvac.exceptions.InvalidPath as e:
+                    raise_from(
+                        AnsibleError("Invalid or missing path ['%s'] with secret version '%s'. Check the path or secret version." % (term, version or 'latest')),
+                        e
+                    )
+
+                data = raw['data']
+                metadata = data['metadata']
+                secret = data['data']
+
+                ret.append(dict(raw=raw, data=data, secret=secret, metadata=metadata))
+        finally:
+            self.authenticator.logout(client)
 
         return ret

plugins/lookup/vault_read.py

@@ -123,15 +123,18 @@ def run(self, terms, variables=None, **kwargs):
         except (NotImplementedError, HashiVaultValueError) as e:
             raise AnsibleError(e)
 
-        for term in terms:
-            try:
-                data = client.read(term)
-            except hvac.exceptions.Forbidden:
-                raise AnsibleError("Forbidden: Permission Denied to path '%s'." % term)
-
-            if data is None:
-                raise AnsibleError("The path '%s' doesn't seem to exist." % term)
-
-            ret.append(data)
+        try:
+            for term in terms:
+                try:
+                    data = client.read(term)
+                except hvac.exceptions.Forbidden:
+                    raise AnsibleError("Forbidden: Permission Denied to path '%s'." % term)
+
+                if data is None:
+                    raise AnsibleError("The path '%s' doesn't seem to exist." % term)
+
+                ret.append(data)
+        finally:
+            self.authenticator.logout(client)
 
         return ret

plugins/lookup/vault_write.py

@@ -161,31 +161,34 @@ def run(self, terms, variables=None, **kwargs):
         except (NotImplementedError, HashiVaultValueError) as e:
             raise_from(AnsibleError(e), e)
 
-        for term in terms:
-            try:
-                response = client.write(path=term, wrap_ttl=wrap_ttl, **data)
-            except hvac.exceptions.Forbidden as e:
-                raise_from(AnsibleError("Forbidden: Permission Denied to path '%s'." % term), e)
-            except hvac.exceptions.InvalidPath as e:
-                raise_from(AnsibleError("The path '%s' doesn't seem to exist." % term), e)
-            except hvac.exceptions.InternalServerError as e:
-                raise_from(AnsibleError("Internal Server Error: %s" % str(e)), e)
-
-            # https://github.com/hvac/hvac/issues/797
-            # HVAC returns a raw response object when the body is not JSON.
-            # That includes 204 responses, which are successful with no body.
-            # So we will try to detect that and a act accordingly.
-            # A better way may be to implement our own adapter for this
-            # collection, but it's a little premature to do that.
-            if hasattr(response, 'json') and callable(response.json):
-                if response.status_code == 204:
-                    output = {}
+        try:
+            for term in terms:
+                try:
+                    response = client.write(path=term, wrap_ttl=wrap_ttl, **data)
+                except hvac.exceptions.Forbidden as e:
+                    raise_from(AnsibleError("Forbidden: Permission Denied to path '%s'." % term), e)
+                except hvac.exceptions.InvalidPath as e:
+                    raise_from(AnsibleError("The path '%s' doesn't seem to exist." % term), e)
+                except hvac.exceptions.InternalServerError as e:
+                    raise_from(AnsibleError("Internal Server Error: %s" % str(e)), e)
+
+                # https://github.com/hvac/hvac/issues/797
+                # HVAC returns a raw response object when the body is not JSON.
+                # That includes 204 responses, which are successful with no body.
+                # So we will try to detect that and a act accordingly.
+                # A better way may be to implement our own adapter for this
+                # collection, but it's a little premature to do that.
+                if hasattr(response, 'json') and callable(response.json):
+                    if response.status_code == 204:
+                        output = {}
+                    else:
+                        display.warning('Vault returned status code %i and an unparsable body.' % response.status_code)
+                        output = response.content
                 else:
-                    display.warning('Vault returned status code %i and an unparsable body.' % response.status_code)
-                    output = response.content
-            else:
-                output = response
+                    output = response
 
-            ret.append(output)
+                ret.append(output)
+        finally:
+            self.authenticator.logout(client)
 
         return ret

plugins/modules/vault_kv1_get.py

@@ -169,16 +169,19 @@ def run_module():
         module.fail_json(msg=to_native(e), exception=traceback.format_exc())
 
     try:
-        raw = client.secrets.kv.v1.read_secret(path=path, mount_point=engine_mount_point)
-    except hvac.exceptions.Forbidden as e:
-        module.fail_json(msg="Forbidden: Permission Denied to path ['%s']." % path, exception=traceback.format_exc())
-    except hvac.exceptions.InvalidPath as e:
-        if 'Invalid path for a versioned K/V secrets engine' in to_native(e):
-            msg = "Invalid path for a versioned K/V secrets engine ['%s']. If this is a KV version 2 path, use community.hashi_vault.vault_kv2_get."
-        else:
-            msg = "Invalid or missing path ['%s']."
-
-        module.fail_json(msg=msg % (path,), exception=traceback.format_exc())
+        try:
+            raw = client.secrets.kv.v1.read_secret(path=path, mount_point=engine_mount_point)
+        except hvac.exceptions.Forbidden as e:
+            module.fail_json(msg="Forbidden: Permission Denied to path ['%s']." % path, exception=traceback.format_exc())
+        except hvac.exceptions.InvalidPath as e:
+            if 'Invalid path for a versioned K/V secrets engine' in to_native(e):
+                msg = "Invalid path for a versioned K/V secrets engine ['%s']. If this is a KV version 2 path, use community.hashi_vault.vault_kv2_get."
+            else:
+                msg = "Invalid or missing path ['%s']."
+
+            module.fail_json(msg=msg % (path,), exception=traceback.format_exc())
+    finally:
+        module.authenticator.logout(client)
 
     metadata = raw.copy()
     data = metadata.pop('data')

plugins/modules/vault_kv2_get.py

@@ -185,14 +185,17 @@ def run_module():
         module.fail_json(msg=to_native(e), exception=traceback.format_exc())
 
     try:
-        raw = client.secrets.kv.v2.read_secret_version(path=path, version=version, mount_point=engine_mount_point)
-    except hvac.exceptions.Forbidden as e:
-        module.fail_json(msg="Forbidden: Permission Denied to path ['%s']." % path, exception=traceback.format_exc())
-    except hvac.exceptions.InvalidPath as e:
-        module.fail_json(
-            msg="Invalid or missing path ['%s'] with secret version '%s'. Check the path or secret version." % (path, version or 'latest'),
-            exception=traceback.format_exc()
-        )
+        try:
+            raw = client.secrets.kv.v2.read_secret_version(path=path, version=version, mount_point=engine_mount_point)
+        except hvac.exceptions.Forbidden as e:
+            module.fail_json(msg="Forbidden: Permission Denied to path ['%s']." % path, exception=traceback.format_exc())
+        except hvac.exceptions.InvalidPath as e:
+            module.fail_json(
+                msg="Invalid or missing path ['%s'] with secret version '%s'. Check the path or secret version." % (path, version or 'latest'),
+                exception=traceback.format_exc()
+            )
+    finally:
+        module.authenticator.logout(client)
 
     data = raw['data']
     metadata = data['metadata']

plugins/modules/vault_pki_generate_certificate.py

@@ -261,15 +261,18 @@ def run_module():
         module.fail_json(msg=to_native(e), exception=traceback.format_exc())
 
     try:
-        if module.check_mode:
-            data = {}
-        else:
-            data = client.secrets.pki.generate_certificate(
-                name=role_name, common_name=common_name,
-                extra_params=extra_params, mount_point=engine_mount_point
-            )
-    except hvac.exceptions.VaultError as e:
-        module.fail_json(msg=to_native(e), exception=traceback.format_exc())
+        try:
+            if module.check_mode:
+                data = {}
+            else:
+                data = client.secrets.pki.generate_certificate(
+                    name=role_name, common_name=common_name,
+                    extra_params=extra_params, mount_point=engine_mount_point
+                )
+        except hvac.exceptions.VaultError as e:
+            module.fail_json(msg=to_native(e), exception=traceback.format_exc())
+    finally:
+        module.authenticator.logout(client)
 
     # generate_certificate is a write operation which always return a new certificate
     module.exit_json(changed=True, data=data)

plugins/modules/vault_read.py

@@ -111,12 +111,15 @@ def run_module():
         module.fail_json(msg=to_native(e), exception=traceback.format_exc())
 
     try:
-        data = client.read(path)
-    except hvac.exceptions.Forbidden as e:
-        module.fail_json(msg="Forbidden: Permission Denied to path '%s'." % path, exception=traceback.format_exc())
-
-    if data is None:
-        module.fail_json(msg="The path '%s' doesn't seem to exist." % path)
+        try:
+            data = client.read(path)
+        except hvac.exceptions.Forbidden as e:
+            module.fail_json(msg="Forbidden: Permission Denied to path '%s'." % path, exception=traceback.format_exc())
+
+        if data is None:
+            module.fail_json(msg="The path '%s' doesn't seem to exist." % path)
+    finally:
+        module.authenticator.logout(client)
 
     module.exit_json(data=data)
 

plugins/modules/vault_write.py

@@ -146,31 +146,34 @@ def run_module():
         module.fail_json(msg=to_native(e), exception=traceback.format_exc())
 
     try:
-        if module.check_mode:
-            response = {}
+        try:
+            if module.check_mode:
+                response = {}
+            else:
+                response = client.write(path=path, wrap_ttl=wrap_ttl, **data)
+        except hvac.exceptions.Forbidden:
+            module.fail_json(msg="Forbidden: Permission Denied to path '%s'." % path, exception=traceback.format_exc())
+        except hvac.exceptions.InvalidPath:
+            module.fail_json(msg="The path '%s' doesn't seem to exist." % path, exception=traceback.format_exc())
+        except hvac.exceptions.InternalServerError as e:
+            module.fail_json(msg="Internal Server Error: %s" % to_native(e), exception=traceback.format_exc())
+
+        # https://github.com/hvac/hvac/issues/797
+        # HVAC returns a raw response object when the body is not JSON.
+        # That includes 204 responses, which are successful with no body.
+        # So we will try to detect that and a act accordingly.
+        # A better way may be to implement our own adapter for this
+        # collection, but it's a little premature to do that.
+        if hasattr(response, 'json') and callable(response.json):
+            if response.status_code == 204:
+                output = {}
+            else:
+                module.warn('Vault returned status code %i and an unparsable body.' % response.status_code)
+                output = response.content
         else:
-            response = client.write(path=path, wrap_ttl=wrap_ttl, **data)
-    except hvac.exceptions.Forbidden:
-        module.fail_json(msg="Forbidden: Permission Denied to path '%s'." % path, exception=traceback.format_exc())
-    except hvac.exceptions.InvalidPath:
-        module.fail_json(msg="The path '%s' doesn't seem to exist." % path, exception=traceback.format_exc())
-    except hvac.exceptions.InternalServerError as e:
-        module.fail_json(msg="Internal Server Error: %s" % to_native(e), exception=traceback.format_exc())
-
-    # https://github.com/hvac/hvac/issues/797
-    # HVAC returns a raw response object when the body is not JSON.
-    # That includes 204 responses, which are successful with no body.
-    # So we will try to detect that and a act accordingly.
-    # A better way may be to implement our own adapter for this
-    # collection, but it's a little premature to do that.
-    if hasattr(response, 'json') and callable(response.json):
-        if response.status_code == 204:
-            output = {}
-        else:
-            module.warn('Vault returned status code %i and an unparsable body.' % response.status_code)
-            output = response.content
-    else:
-        output = response
+            output = response
+    finally:
+        module.authenticator.logout(client)
 
     module.exit_json(changed=True, data=output)