Cannot use strings for the certificate login call. #1112

Open
kcarlisle42 opened this issue Dec 8, 2023 · 2 comments
Labels
auth methods generally related to a Vault auth method bug patch Used as part of release-drafter's version-resolver configuration tls-cert-auth Related to TLS Certificates Auth Method

Comments

@kcarlisle42

When using the community.hashi_vault.vault_login ansible task to authenticate with a certificate, you are unable to utilize strings in the 'cert_auth_public_key' and 'cert_auth_private_key' parameters. If you pass strings in those parameters, it will throw the following error:

Traceback (most recent call last):
  File "/home/kcarlisle/.ansible/tmp/ansible-tmp-1702042732.8348033-2443588-94827708411070/AnsiballZ_vault_login.py", line 107, in <module>
    _ansiballz_main()
  File "/home/kcarlisle/.ansible/tmp/ansible-tmp-1702042732.8348033-2443588-94827708411070/AnsiballZ_vault_login.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/kcarlisle/.ansible/tmp/ansible-tmp-1702042732.8348033-2443588-94827708411070/AnsiballZ_vault_login.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.community.hashi_vault.plugins.modules.vault_login', init_globals=dict(_module_fqn='ansible_collections.community.hashi_vault.plugins.modules.vault_login', _modlib_path=modlib_path),
  File "/usr/lib/python3.8/runpy.py", line 207, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib/python3.8/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_community.hashi_vault.vault_login_payload_rl3s14s5/ansible_community.hashi_vault.vault_login_payload.zip/ansible_collections/community/hashi_vault/plugins/modules/vault_login.py", line 177, in <module>
  File "/tmp/ansible_community.hashi_vault.vault_login_payload_rl3s14s5/ansible_community.hashi_vault.vault_login_payload.zip/ansible_collections/community/hashi_vault/plugins/modules/vault_login.py", line 173, in main
  File "/tmp/ansible_community.hashi_vault.vault_login_payload_rl3s14s5/ansible_community.hashi_vault.vault_login_payload.zip/ansible_collections/community/hashi_vault/plugins/modules/vault_login.py", line 165, in run_module
  File "/tmp/ansible_community.hashi_vault.vault_login_payload_rl3s14s5/ansible_community.hashi_vault.vault_login_payload.zip/ansible_collections/community/hashi_vault/plugins/module_utils/_authenticator.py", line 102, in authenticate
  File "/tmp/ansible_community.hashi_vault.vault_login_payload_rl3s14s5/ansible_community.hashi_vault.vault_login_payload.zip/ansible_collections/community/hashi_vault/plugins/module_utils/_auth_method_cert.py", line 38, in authenticate
  File "/home/kcarlisle/.local/lib/python3.8/site-packages/hvac/api/auth_methods/cert.py", line 316, in login
    if tls_update:
UnboundLocalError: local variable 'tls_update' referenced before assignment

I am using the following versions

ubuntu 20.04.6 LTS
ansible [core 2.13.8]
python version = 3.8.10 (default, Nov 22 2023, 10:22:35) [GCC 9.4.0]
jinja version = 3.1.2
pypi hvac==2.0.0

I went through the code in hvac/api/auth_methods/cert.py and hvac/utils.py and found two issues.

Issue 1

file: hvac/api/auth_methods/cert.py
method: def login(self, name="", cacert=False, cert_pem="", key_pem="", mount_point="cert", use_token=True):

The local variable tls_update is not initialized. It appears that this variable is being used two different ways. One way is to be a boolean with a value of True. The other way is to be a dictionary containing the crt/key values. Resolving the next issue should technically fix this issue, but the tls_update variable should probably still be set to False by default.

Issue 2

file: hvac/utils.py
method: def validate_pem_format(param_name, param_argument):

The method is used as a conditional, but it does not return a boolean value; instead, it returns None.

@briantist briantist self-assigned this Dec 10, 2023
@briantist briantist added bug auth methods generally related to a Vault auth method tls-cert-auth Related to TLS Certificates Auth Method patch Used as part of release-drafter's version-resolver configuration labels Dec 30, 2023
@briantist briantist added this to the 2.1.0 milestone Dec 31, 2023
@briantist
Contributor

@kcarlisle42 thank you for reporting this! I'm going to try to get a fix out soon.

@briantist
Contributor

@kcarlisle42 could you show me your ansible? I want to see how you're invoking community.hashi_vault.vault_login.
If I'm not mistaken, after going over the code, I think you might be passing in the PEM contents into these options instead of the PEM path. The options as described in the documentation are meant to be paths: https://docs.ansible.com/ansible/latest/collections/community/hashi_vault/vault_login_module.html#parameter-cert_auth_private_key
I'd like to confirm if that's the case, since it's the only way possible that I can figure you've reached the used-before-assignment code path.


That being said, the issues you've raised are in fact issues, and in going over the code I've found several more, including unreachable code.

For example, when using the options correctly as paths, it's impossible for the validation to ever not raise an exception because the validation function is meant to work against PEM contents, but no part of our code reads the file contents; instead the path is passed directly to the validation function. That's why we've never seen the used-before-assignment path reached before.

Before I start fixing this stuff or rewriting it, I want to be sure that I understand all the conditions, the desired outcomes, and the exceptional outcomes, and start with some tests to catch those conditions.

Thanks for your help and patience!

@briantist briantist removed this from the 2.1.0 milestone Jan 1, 2024
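As an added example (not hvac's or the collection's own code), here is the shape a fix for both reported issues and for the path-versus-contents point above could take: a PEM validator that returns a boolean and raises on bad input instead of returning None, a loader that reads the file when it is handed a path rather than PEM contents, and a login-option builder that initialises tls_update before it is ever tested. Everything except the name validate_pem_format is assumed: the ParamValidationError stand-in, the set of accepted PEM labels, the helper names load_pem, build_cert_login and demo, and the sample PEM bodies are constructed for this illustration and are not real key material.

```python
"""Added example, not hvac code: boolean PEM validation, path-or-contents
loading, and a cert-login option builder with tls_update initialised."""
import os
import re
import tempfile
from typing import Dict, Union


class ParamValidationError(ValueError):
    """Hypothetical stand-in for hvac.exceptions.ParamValidationError (assumption)."""


# Labels accepted for a PEM block; chosen for this example, not hvac's list.
_PEM_LABELS = {"CERTIFICATE", "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# One PEM block: matching BEGIN/END labels around base64 body lines.
_PEM_RE = re.compile(
    r"^-----BEGIN (?P<label>[A-Z ]+)-----\r?\n"
    r"(?:[A-Za-z0-9+/=]+\r?\n)+"
    r"-----END (?P=label)-----$"
)


def validate_pem_format(param_name: str, param_argument: object) -> bool:
    """Return True for a PEM block, raise ParamValidationError otherwise.

    Because it never returns None, it is safe to use directly in an `if`
    (Issue 2 above is a validator that only raises or returns None).
    """
    if not isinstance(param_argument, str):
        raise ParamValidationError(
            f"{param_name} must be a string, got {type(param_argument).__name__}"
        )
    match = _PEM_RE.match(param_argument.strip())
    if match is None or match.group("label") not in _PEM_LABELS:
        raise ParamValidationError(
            f"unsupported {param_name} format, required type: PEM"
        )
    return True


def load_pem(param_name: str, value: str) -> str:
    """Accept either PEM contents or a path to a PEM file and return contents.

    The ansible module documents these options as paths, while the validator
    works on contents; reading the file here is what makes validating a
    path-valued option meaningful instead of always failing.
    """
    if os.path.isfile(value):
        with open(value, "r", encoding="utf-8") as fh:
            value = fh.read()
    validate_pem_format(param_name, value)  # raises on anything that is not PEM
    return value


def build_cert_login(name: str = "", cacert: Union[bool, str] = False,
                     cert_pem: str = "", key_pem: str = "") -> Dict[str, object]:
    """Build the request settings for a TLS-cert login (shape is an assumption)."""
    params = {"name": name}
    # Issue 1: initialise before any branch may or may not assign it.
    tls_update: Union[bool, Dict[str, str]] = False

    if cert_pem:
        cert = load_pem("cert_pem", cert_pem)
        if key_pem:
            key = load_pem("key_pem", key_pem)
            tls_update = {"cert": cert, "key": key}   # separate cert and key
        else:
            tls_update = True                         # cert file carries both
    elif key_pem:
        raise ParamValidationError("key_pem given without cert_pem")

    settings: Dict[str, object] = {"params": params, "verify": cacert or True}
    if tls_update:  # always bound now, so no UnboundLocalError is possible
        settings["cert"] = tls_update
    return settings


# Constructed sample blocks: syntactically PEM, not real certificates or keys.
SAMPLE_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUc29tZS1jb25zdHJ1Y3RlZC1ib2R5LW5vdC1yZWFsMA0G\n"
    "CSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCGV4YW1wbGUw\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_KEY = (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7Y29uc3RydWN0\n"
    "-----END PRIVATE KEY-----\n"
)


def demo() -> Dict[str, object]:
    """Exercise the builder with PEM contents, with file paths, and with a
    bare path string passed as if it were contents."""
    from_contents = build_cert_login("web", cert_pem=SAMPLE_CERT, key_pem=SAMPLE_KEY)
    with tempfile.TemporaryDirectory() as tmp:
        cert_path = os.path.join(tmp, "client.crt")
        key_path = os.path.join(tmp, "client.key")
        with open(cert_path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CERT)
        with open(key_path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_KEY)
        from_paths = build_cert_login("web", cert_pem=cert_path, key_pem=key_path)
    try:  # a path handed straight to the validator is rejected, not silently accepted
        validate_pem_format("cert_pem", "/nonexistent/client.crt")
        path_rejected = False
    except ParamValidationError:
        path_rejected = True
    return {"from_contents": from_contents, "from_paths": from_paths,
            "path_rejected": path_rejected}


if __name__ == "__main__":
    print(demo())
```

The validator and loader are deliberately separate: the loader is the only place that touches the filesystem, so the validator can be unit-tested on strings alone, and the builder reads the same whether the caller passed paths or contents.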