From ba5b86cf4a689302011da69e96451ee8f2e1eebf Mon Sep 17 00:00:00 2001
From: Brian Scholer <1260690+briantist@users.noreply.github.com>
Date: Fri, 18 Sep 2020 15:59:25 -0400
Subject: [PATCH] hashi_vault - Change token_path env var loading precedence
 (#902)

* Change how vault token is loaded

* Add changelog for PR #902

* Update changelogs/fragments/902-hashi_vault-token-path.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/lookup/hashi_vault.py

Add version_added

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/lookup/hashi_vault.py

Add version_added

Co-authored-by: Felix Fontein <felix@fontein.de>

Co-authored-by: Felix Fontein <felix@fontein.de>
---
 changelogs/fragments/902-hashi_vault-token-path.yml |  5 +++++
 plugins/lookup/hashi_vault.py                       | 11 ++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/902-hashi_vault-token-path.yml

diff --git a/changelogs/fragments/902-hashi_vault-token-path.yml b/changelogs/fragments/902-hashi_vault-token-path.yml
new file mode 100644
index 0000000000..5233b3d105
--- /dev/null
+++ b/changelogs/fragments/902-hashi_vault-token-path.yml
@@ -0,0 +1,5 @@
+minor_changes:
+  - hashi_vault lookup - add ``VAULT_TOKEN_PATH`` as env option to specify ``token_path`` param (https://github.com/ansible-collections/community.general/issues/373).
+  - hashi_vault lookup - add ``VAULT_TOKEN_FILE`` as env option to specify ``token_file`` param (https://github.com/ansible-collections/community.general/issues/373).
+bugfixes:
+  - hashi_vault lookup - ``token_path`` in config file overridden by env ``HOME`` (https://github.com/ansible-collections/community.general/issues/373).
diff --git a/plugins/lookup/hashi_vault.py b/plugins/lookup/hashi_vault.py
index 5ace528e44..4886dbfbcc 100644
--- a/plugins/lookup/hashi_vault.py
+++ b/plugins/lookup/hashi_vault.py
@@ -38,13 +38,17 @@ DOCUMENTATION = """
     token_path:
       description: If no token is specified, will try to read the token file from this path.
       env:
-        - name: HOME
+        - name: VAULT_TOKEN_PATH
+          version_added: 1.2.0
       ini:
         - section: lookup_hashi_vault
           key: token_path
       version_added: '0.2.0'
     token_file:
       description: If no token is specified, will try to read the token from this file in C(token_path).
+      env:
+        - name: VAULT_TOKEN_FILE
+          version_added: 1.2.0
       ini:
         - section: lookup_hashi_vault
           key: token_file
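Review bot: The `token_path` description at the top of the hunk no longer tells the reader that `HOME` is still consulted as a last-resort value (the patch moves that fallback into validate_auth_token further down), so the documented precedence is incomplete now that env and ini sources come first; I would extend it to `description: If no token is specified, will try to read the token file from this path. Falls back to the C(HOME) environment variable when not set via the option, the ini file, or the env var.` As a minor style point, the new `version_added: 1.2.0` entries are unquoted while the option-level `version_added: '0.2.0'` is quoted; quoting them keeps the spec uniform. The DOCUMENTATION string continues outside the hunk.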
@@ -537,6 +541,11 @@ class LookupModule(LookupBase):
 
     def validate_auth_token(self, auth_method):
         if auth_method == 'token':
+            if not self.get_option('token_path'):
+                # generally we want env vars defined in the spec, but in this case we want
+                # the env var HOME to have lower precedence than any other value source,
+                # including ini, so we're doing it here after all other processing has taken place
+                self.set_option('token_path', os.environ.get('HOME'))
             if not self.get_option('token') and self.get_option('token_path'):
                 token_filename = os.path.join(
                     self.get_option('token_path'),
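Review bot: The fallback `self.set_option('token_path', os.environ.get('HOME'))` stores `None` in the option whenever `HOME` is absent from the environment; the `and self.get_option('token_path')` guard on the next line tolerates that, but the option is then left holding a non-path value for anything else that reads it later. Binding the lookup once and only setting the option when a value exists is clearer and avoids that: `home = os.environ.get('HOME')` / `if home:` / `self.set_option('token_path', home)`. The explanatory comment is good and should stay with the guarded form. validate_auth_token continues past the end of the hunk (the `os.path.join` call is still open), so I cannot see how `token_file` is combined with the path.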