From 7c9305418cbe4ca781be87cb8f42408dec43d006 Mon Sep 17 00:00:00 2001
From: Hristo Voyvodov
Date: Tue, 12 Mar 2024 16:16:17 +0200
Subject: [PATCH] Fixing vault client unwrap function to respect server.verify option.

Currently VaultClient.unwrap is doing own request call without respecting verify option. Any other function is reusing self.request or self.raw_request function which are respecting correctly verify opt. This will change unwrap function to also utilize self.post() which is reusing self.request.
---
 changelog/66213.fixed.md   | 1 +
 salt/utils/vault/client.py | 7 ++-----
 2 files changed, 3 insertions(+), 5 deletions(-)
 create mode 100644 changelog/66213.fixed.md

diff --git a/changelog/66213.fixed.md b/changelog/66213.fixed.md
new file mode 100644
index 00000000000..96f3a3139e8
--- /dev/null
+++ b/changelog/66213.fixed.md
@@ -0,0 +1 @@
+Fix vault module doesn't respect `server.verify` option during unwrap if verify is set to `False` or CA file on the disk
diff --git a/salt/utils/vault/client.py b/salt/utils/vault/client.py
index 0553646ae74..5dfa84673a1 100644
--- a/salt/utils/vault/client.py
+++ b/salt/utils/vault/client.py
@@ -240,17 +240,14 @@ class VaultClient:
             namespace=self.namespace,
             verify=self.verify,
         )
-        url = self._get_url("sys/wrapping/unwrap")
+        endpoint = "sys/wrapping/unwrap"
         headers = self._get_headers()
         payload = {}
         if "X-Vault-Token" not in headers:
             headers["X-Vault-Token"] = str(wrapped)
         else:
             payload["token"] = str(wrapped)
-        res = self.session.request("POST", url, headers=headers, json=payload)
-        if not res.ok:
-            self._raise_status(res)
-        return res.json()
+        return self.post(endpoint=endpoint, add_headers=headers, payload=payload)

     def wrap_info(self, wrapped):
         """
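Review bot: The new `return self.post(endpoint=endpoint, add_headers=headers, payload=payload)` replaces the explicit `res.ok` / `_raise_status` / `res.json()` sequence with whatever `post` returns, and nothing in the hunk shows that `post` (via `request`) decodes the body the same way and raises the same exception type on a non-2xx status; if `request` unwraps a `data` key or returns `None` for empty responses, callers that index `["data"]` or `["auth"]` on the unwrap result would change behavior, so this equivalence should be confirmed against `post` before merge. The diffstat shows only the changelog accompanies this fix, which is a TLS-verification bypass regression; a unit test that patches `VaultClient.request` (or `session.request`) and asserts `unwrap` reaches it with `verify=self.verify` would keep it from silently returning. Also, `add_headers=headers` forwards the full `_get_headers()` dict, including any pre-existing `X-Vault-Token`; if `request` merges its own `_get_headers()` on top, the precedence between the two should be checked so the wrapping token set in the header branch is not overridden by the client token. The enclosing `unwrap` method begins before the hunk (its signature, docstring and the call whose `namespace=`/`verify=` arguments open the hunk are outside the visible lines).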