Vault secret calls should return an error if they fail

zerok · zerok · commit c4dbcf708c6e · 2019-10-15T17:20:43.000+02:00
diff --git a/internal/world/vault.go b/internal/world/vault.go
@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/pkg/errors"
+
 	"github.com/Sirupsen/logrus"
 	vault "github.com/hashicorp/vault/api"
 )
@@ -52,9 +54,9 @@ type Vault struct {
 	KeyMapping map[string]string
 }
 
-func (v *Vault) Secret(path, field string) string {
+func (v *Vault) Secret(path, field string) (string, error) {
 	if v.client == nil {
-		return ""
+		return "", errors.New("no vault client available")
 	}
 	prefixPath := fmt.Sprintf("%s%s", v.Prefix, path)
 	mapped, ok := v.KeyMapping[prefixPath]
@@ -63,23 +65,14 @@ func (v *Vault) Secret(path, field string) string {
 	}
 	sec, err := v.client.Logical().Read(mapped)
 	if err != nil {
-		if v.logger != nil {
-			v.logger.WithError(err).Errorf("Failed to access Vault path %s", mapped)
-		}
-		return ""
+		return "", errors.Wrapf(err, "failed to access Vault path %s", mapped)
 	}
 	if sec == nil {
-		if v.logger != nil {
-			v.logger.Errorf("Vault path %s contained no secret", mapped)
-		}
-		return ""
+		return "", errors.Errorf("Vault path %s contained no secret", mapped)
 	}
 	raw, ok := sec.Data[field]
 	if !ok {
-		if v.logger != nil {
-			v.logger.Errorf("%s has no field named '%s'", mapped, field)
-		}
-		return ""
+		return "", errors.Errorf("%s has no field named '%s'", mapped, field)
 	}
-	return fmt.Sprintf("%s", raw)
+	return fmt.Sprintf("%s", raw), nil
 }
diff --git a/internal/world/vault_test.go b/internal/world/vault_test.go
@@ -0,0 +1,21 @@
+package world_test
+
+import (
+	"bytes"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/zerok/tpl/internal/world"
+)
+
+func TestVaultSecret(t *testing.T) {
+	w := world.New(nil)
+	os.Setenv("VAULT_ADDR", "http://127.0.0.1:54000")
+	os.Setenv("VAULT_TOKEN", "")
+	var out bytes.Buffer
+	in := bytes.NewBufferString("{{ .Vault.Secret \"secret/path\" \"value\" }}")
+	err := w.Render(&out, in)
+	t.Logf("[[[ %s ]]]", out.String())
+	require.Error(t, err)
+}
diff --git a/internal/world/world.go b/internal/world/world.go
@@ -80,7 +80,7 @@ func (w *World) Render(out io.Writer, in io.Reader) error {
 
 func (w *World) Funcs() template.FuncMap {
 	funcs := template.FuncMap(sprig.FuncMap())
-	funcs["vault"] = func(path, field string) string {
+	funcs["vault"] = func(path, field string) (string, error) {
 		return w.Vault().Secret(path, field)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ func (w *World) Render(out io.Writer, in io.Reader) error {`
`80`	`80`
`81`	`81`	`func (w *World) Funcs() template.FuncMap {`
`82`	`82`	`funcs := template.FuncMap(sprig.FuncMap())`
`83`		`- funcs["vault"] = func(path, field string) string {`
	`83`	`+ funcs["vault"] = func(path, field string) (string, error) {`
`84`	`84`	`return w.Vault().Secret(path, field)`
`85`	`85`	`}`
`86`	`86`