From 5edd1b0cf1c4cbc27f7ed8fd471a6851fc4a6f54 Mon Sep 17 00:00:00 2001 From: "Gareth J. Greenaway" Date: Tue, 1 Aug 2023 09:17:29 -0700 Subject: [PATCH] Adding deprecation decorator to the vault modules for 3009. --- salt/modules/vault.py | 22 ++++++++++++++-------- salt/runners/vault.py | 14 ++++++++++---- salt/states/vault.py | 18 ++++++++++++------ 3 files changed, 36 insertions(+), 18 deletions(-) diff --git a/salt/modules/vault.py b/salt/modules/vault.py index 8abd7bb04d7..c04ea418a82 100644 --- a/salt/modules/vault.py +++ b/salt/modules/vault.py @@ -220,6 +220,12 @@ from salt.exceptions import CommandExecutionError log = logging.getLogger(__name__) +__deprecated__ = ( + 3009, + "vault", + "https://github.com/saltstack/saltext-vault", +) + def read_secret(path, key=None, metadata=False, default=NOT_SET): """ @@ -256,7 +262,7 @@ def read_secret(path, key=None, metadata=False, default=NOT_SET): path = version2["data"] log.debug("Reading Vault secret for %s at %s", __grains__["id"], path) try: - url = "v1/{}".format(path) + url = f"v1/{path}" response = __utils__["vault.make_request"]("GET", url) if response.status_code != 200: response.raise_for_status() @@ -277,7 +283,7 @@ def read_secret(path, key=None, metadata=False, default=NOT_SET): except Exception as err: # pylint: disable=broad-except if default is CommandExecutionError: raise CommandExecutionError( - "Failed to read secret! {}: {}".format(type(err).__name__, err) + f"Failed to read secret! {type(err).__name__}: {err}" ) return default @@ -299,7 +305,7 @@ def write_secret(path, **kwargs): path = version2["data"] data = {"data": data} try: - url = "v1/{}".format(path) + url = f"v1/{path}" response = __utils__["vault.make_request"]("POST", url, json=data) if response.status_code == 200: return response.json()["data"] 
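Review bot: The new module-level `__deprecated__` tuple in salt/modules/vault.py (hunk `@@ -220,6 +220,12 @@`) carries no comment saying what its three positional fields mean or what reads them. A one-line comment above it, such as `# (release the module is deprecated for, extension name, URL of the replacement project) - confirm against the loader`, would save the next maintainer from guessing. The field meanings are inferred from the commit subject and the values, so they should be confirmed before the comment is added. The identical tuples added in salt/runners/vault.py and salt/states/vault.py need the same comment.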
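Review bot: In `read_secret` (hunk `@@ -256,7 +262,7 @@`) the caller-supplied `path` is interpolated into the request target as `f"v1/{path}"` without any encoding, so a `?` or `#` in the value would change which Vault endpoint and query the request carries. The hunk does not show whether `vault.make_request` encodes the path itself. If it does not, `url = "v1/" + urllib.parse.quote(path)` keeps the value confined to the path component; this needs `import urllib.parse`, and the file's import block is not part of this diff. The same construction appears in the `write_secret`, `write_raw`, `delete_secret`, `destroy_secret` and `list_secrets` hunks, and as `f"v1/sys/policy/{name}"` in the three salt/states/vault.py hunks. The body of `read_secret` starts and ends outside the hunk.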
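Review bot: The `except Exception as err` branch of `read_secret` (hunk `@@ -277,7 +283,7 @@`) returns `default` without recording the failure unless `default is CommandExecutionError`. A denied or unauthenticated request therefore looks the same to the caller and in the logs as a secret that does not exist. Adding `log.debug("Vault read of %s failed: %s: %s", path, type(err).__name__, err)` just before `return default` would leave a trace for whoever investigates access problems later. The `list_secrets` handler in hunk `@@ -427,7 +433,7 @@` has the same shape and would benefit from the same line.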
@@ -327,7 +333,7 @@ def write_raw(path, raw): path = version2["data"] raw = {"data": raw} try: - url = "v1/{}".format(path) + url = f"v1/{path}" response = __utils__["vault.make_request"]("POST", url, json=raw) if response.status_code == 200: return response.json()["data"] @@ -354,7 +360,7 @@ def delete_secret(path): if version2["v2"]: path = version2["data"] try: - url = "v1/{}".format(path) + url = f"v1/{path}" response = __utils__["vault.make_request"]("DELETE", url) if response.status_code != 204: response.raise_for_status() @@ -386,7 +392,7 @@ def destroy_secret(path, *args): log.error("Destroy operation is only supported on KV version 2") return False try: - url = "v1/{}".format(path) + url = f"v1/{path}" response = __utils__["vault.make_request"]("POST", url, json=data) if response.status_code != 204: response.raise_for_status() @@ -419,7 +425,7 @@ def list_secrets(path, default=NOT_SET): if version2["v2"]: path = version2["metadata"] try: - url = "v1/{}".format(path) + url = f"v1/{path}" response = __utils__["vault.make_request"]("LIST", url) if response.status_code != 200: response.raise_for_status() @@ -427,7 +433,7 @@ def list_secrets(path, default=NOT_SET): except Exception as err: # pylint: disable=broad-except if default is CommandExecutionError: raise CommandExecutionError( - "Failed to list secrets! {}: {}".format(type(err).__name__, err) + f"Failed to list secrets! {type(err).__name__}: {err}" ) return default diff --git a/salt/runners/vault.py b/salt/runners/vault.py index f7c5ce37f10..bae2e31e7af 100644 --- a/salt/runners/vault.py +++ b/salt/runners/vault.py @@ -25,6 +25,12 @@ from salt.exceptions import SaltRunnerError log = logging.getLogger(__name__) +__deprecated__ = ( + 3009, + "vault", + "https://github.com/saltstack/saltext-vault", +) + def generate_token( minion_id, signature, impersonated_by_master=False, ttl=None, uses=None 
@@ -214,15 +220,15 @@ def _validate_signature(minion_id, signature, impersonated_by_master): """ pki_dir = __opts__["pki_dir"] if impersonated_by_master: - public_key = "{}/master.pub".format(pki_dir) + public_key = f"{pki_dir}/master.pub" else: - public_key = "{}/minions/{}".format(pki_dir, minion_id) + public_key = f"{pki_dir}/minions/{minion_id}" log.trace("Validating signature for %s", minion_id) signature = base64.b64decode(signature) if not salt.crypt.verify_signature(public_key, minion_id, signature): raise salt.exceptions.AuthenticationError( - "Could not validate token request from {}".format(minion_id) + f"Could not validate token request from {minion_id}" ) log.trace("Signature ok") @@ -352,7 +358,7 @@ def _selftoken_expired(): return False except Exception as e: # pylint: disable=broad-except raise salt.exceptions.CommandExecutionError( - "Error while looking up self token : {}".format(str(e)) + f"Error while looking up self token : {str(e)}" ) diff --git a/salt/states/vault.py b/salt/states/vault.py index 54de5b8f435..8adb6c0d869 100644 --- a/salt/states/vault.py +++ b/salt/states/vault.py @@ -15,6 +15,12 @@ import logging log = logging.getLogger(__name__) +__deprecated__ = ( + 3009, + "vault", + "https://github.com/saltstack/saltext-vault", +) + def policy_present(name, rules): """ @@ -41,7 +47,7 @@ def policy_present(name, rules): } """ - url = "v1/sys/policy/{}".format(name) + url = f"v1/sys/policy/{name}" response = __utils__["vault.make_request"]("GET", url) try: if response.status_code == 200: @@ -55,7 +61,7 @@ def policy_present(name, rules): "name": name, "changes": {}, "result": False, - "comment": "Failed to get policy: {}".format(e), + "comment": f"Failed to get policy: {e}", } 
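Review bot: `minion_id` is placed straight into the key path `f"{pki_dir}/minions/{minion_id}"` in `_validate_signature` (hunk `@@ -214,15 +220,15 @@`), and nothing in the hunk checks that it is a plain minion name. A value containing path separators or `..` would make `salt.crypt.verify_signature` load its public key from a file outside `pki_dir/minions`. No earlier validation by a caller is visible in this diff. If there is none, a guard before the path is built would reject such ids, for example `if not salt.utils.verify.valid_id(__opts__, minion_id): raise salt.exceptions.AuthenticationError(f"Invalid minion id {minion_id!r}")`. The function's signature and the start of its docstring lie outside the hunk.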
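Review bot: The re-raise in `_selftoken_expired` (hunk `@@ -352,7 +358,7 @@`) keeps a redundant `str(e)` inside the new f-string and does not name the original exception as the cause. Writing the message as `f"Error while looking up self token : {e}"` and ending the statement with `) from e` gives the same text and makes the underlying lookup error the explicit cause in the traceback. The `try` block this handler belongs to starts outside the hunk.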
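Review bot: In `policy_present` (hunk `@@ -41,7 +47,7 @@`) the call `response = __utils__["vault.make_request"]("GET", url)` sits before the `try:`, so an exception raised by the request itself is not covered by the handler that builds the `"Failed to get policy: ..."` result in the following hunk. Whether `make_request` can raise is not visible here. If it can, the state would end in a traceback rather than a `result: False` return. Moving that one line to be the first statement inside the `try:` block lets the existing handler report the failure.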
@@ -69,14 +75,14 @@ def _create_new_policy(name, rules): } payload = {"rules": rules} - url = "v1/sys/policy/{}".format(name) + url = f"v1/sys/policy/{name}" response = __utils__["vault.make_request"]("PUT", url, json=payload) if response.status_code not in [200, 204]: return { "name": name, "changes": {}, "result": False, - "comment": "Failed to create policy: {}".format(response.reason), + "comment": f"Failed to create policy: {response.reason}", } return { @@ -108,14 +114,14 @@ def _handle_existing_policy(name, new_rules, existing_rules): payload = {"rules": new_rules} - url = "v1/sys/policy/{}".format(name) + url = f"v1/sys/policy/{name}" response = __utils__["vault.make_request"]("PUT", url, json=payload) if response.status_code not in [200, 204]: return { "name": name, "changes": {}, "result": False, - "comment": "Failed to change policy: {}".format(response.reason), + "comment": f"Failed to change policy: {response.reason}", } ret["result"] = True