(GH-87) Stop logging secret not found in hiera lookup as warning (#88)

TraGicCode · web-flow · commit 68c2e2376bb3 · 2022-08-03T22:52:57.000-05:00
diff --git a/lib/puppet/functions/azure_key_vault/lookup.rb b/lib/puppet/functions/azure_key_vault/lookup.rb
@@ -49,8 +49,11 @@ def lookup_key(secret_name, options, context)
       Puppet.warning(e.message)
       secret_value = nil
     end
-    context.not_found if secret_value.nil?
-    return if secret_value.nil?
+
+    if secret_value.nil?
+      context.not_found
+      return
+    end
     context.cache(normalized_secret_name, secret_value)
   end
 end
diff --git a/lib/puppet/functions/azure_key_vault/secret.rb b/lib/puppet/functions/azure_key_vault/secret.rb
@@ -34,6 +34,8 @@ def secret(cache, vault_name, secret_name, api_versions_hash, secret_version = '
       secret_version,
     )
 
+    raise Puppet::Error, "The secret named #{secret_name} could not be found in a vault named #{vault_name}" if secret_value.nil?
+
     Puppet::Pops::Types::PSensitiveType::Sensitive.new(secret_value)
   end
 end
diff --git a/lib/puppet_x/tragiccode/azure.rb b/lib/puppet_x/tragiccode/azure.rb
@@ -27,6 +27,7 @@ def self.get_secret(vault_name, secret_name, vault_api_version, access_token, se
       res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
         http.request(req)
       end
+      return nil if res.is_a?(Net::HTTPNotFound)
       raise res.body unless res.is_a?(Net::HTTPSuccess)
       JSON.parse(res.body)['value']
     end
diff --git a/spec/functions/azure_key_vault_lookup_spec.rb b/spec/functions/azure_key_vault_lookup_spec.rb
@@ -106,4 +106,16 @@
       'profile::windows::sqlserver::sensitive_sql_user_password', options.merge({ 'confine_to_keys' => ['^sensitive_azure.*$'] }), lookup_context
     )
   end
+
+  it 'calls context.not_found when secret is not found in vault' do
+    access_token_value = 'access_value'
+
+    expect(lookup_context).to receive(:not_found)
+    expect(TragicCode::Azure).to receive(:get_access_token).and_return(access_token_value)
+    expect(TragicCode::Azure).to receive(:get_secret).and_return(nil)
+
+    is_expected.to run.with_params(
+      'profile::windows::sqlserver::sensitive_azure_sql_user_password', options.merge({ 'confine_to_keys' => ['^.*sensitive_azure.*'] }), lookup_context
+    )
+  end
 end
diff --git a/spec/functions/azure_key_vault_secret_spec.rb b/spec/functions/azure_key_vault_secret_spec.rb
@@ -23,7 +23,7 @@
   context 'when getting the latest version of a secret' do
     it 'defaults to using an empty string as the latest version' do
       expect(TragicCode::Azure).to receive(:get_access_token).with(api_versions_hash['metadata_api_version']).and_return(access_token)
-      expect(TragicCode::Azure).to receive(:get_secret).with(vault_name, secret_name, api_versions_hash['vault_api_version'], access_token, '')
+      expect(TragicCode::Azure).to receive(:get_secret).with(vault_name, secret_name, api_versions_hash['vault_api_version'], access_token, '').and_return(secret_value)
 
       is_expected.to run.with_params(vault_name, secret_name, api_versions_hash)
     end
@@ -32,12 +32,23 @@
   context 'when getting a specific version of a secret' do
     it 'uses the secret version when retreiving the secret' do
       expect(TragicCode::Azure).to receive(:get_access_token).with(api_versions_hash['metadata_api_version']).and_return(access_token)
-      expect(TragicCode::Azure).to receive(:get_secret).with(vault_name, secret_name, api_versions_hash['vault_api_version'], access_token, secret_version)
+      expect(TragicCode::Azure).to receive(:get_secret).with(vault_name, secret_name, api_versions_hash['vault_api_version'], access_token, secret_version).and_return(secret_value)
 
       is_expected.to run.with_params(vault_name, secret_name, api_versions_hash, secret_version)
     end
   end
 
+  context 'when getting a secret that does not exist in the vault' do
+    it 'throws an error' do
+      expect(TragicCode::Azure).to receive(:get_access_token).with(api_versions_hash['metadata_api_version']).and_return(access_token)
+      expect(TragicCode::Azure).to receive(:get_secret).with(vault_name, secret_name, api_versions_hash['vault_api_version'], access_token, secret_version).and_return(nil)
+
+      is_expected.to run.with_params(
+        vault_name, secret_name, api_versions_hash, secret_version
+      ).and_raise_error(Puppet::Error, %r{The secret named #{secret_name} could not be found in a vault named #{vault_name}}i)
+    end
+  end
+
   # rubocop:disable RSpec/NamedSubject
   it 'returns the secret' do
     expect(TragicCode::Azure).to receive(:get_access_token).with(api_versions_hash['metadata_api_version']).and_return(access_token)

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,8 @@ def secret(cache, vault_name, secret_name, api_versions_hash, secret_version = '`
`34`	`34`	`secret_version,`
`35`	`35`	`)`
`36`	`36`
	`37`	`+ raise Puppet::Error, "The secret named #{secret_name} could not be found in a vault named #{vault_name}" if secret_value.nil?`
	`38`	`+`
`37`	`39`	`Puppet::Pops::Types::PSensitiveType::Sensitive.new(secret_value)`
`38`	`40`	`end`
`39`	`41`	`end`