External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-01-11 18:09:57 -03:30
Code Issues Packages Projects Releases Wiki Activity

store the public key for HashiVault signing in the plugin metadata

Browse Source
This commit is contained in:
Ryan Petrello 2019-03-01 00:27:03 -05:00 committed by Jake McDermott
parent 2824616ba6
commit 0768c6ac1d
No known key found for this signature in database
GPG Key ID: 9A6F084352C3A0B7
6 changed files with 24 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
awx/api/views/__init__.py
View File

@ -1440,8 +1440,11 @@ class CredentialExternalTest(SubDetailAPIView):
backend_kwargs[field_name] = value
backend_kwargs.update(request.data.get('metadata', {}))
try:
obj.credential_type.plugin.backend(None, **backend_kwargs)
obj.credential_type.plugin.backend(**backend_kwargs)
return Response({}, status=status.HTTP_202_ACCEPTED)
except requests.exceptions.HTTPError as exc:
message = 'HTTP {}\n{}'.format(exc.response.status_code, exc.response.text)
return Response({'inputs': message}, status=status.HTTP_400_BAD_REQUEST)
except Exception as exc:
return Response({'inputs': str(exc)}, status=status.HTTP_400_BAD_REQUEST)
@ -1489,8 +1492,11 @@ class CredentialTypeExternalTest(SubDetailAPIView):
backend_kwargs = request.data.get('inputs', {})
backend_kwargs.update(request.data.get('metadata', {}))
try:
obj.plugin.backend(None, **backend_kwargs)
obj.plugin.backend(**backend_kwargs)
return Response({}, status=status.HTTP_202_ACCEPTED)
except requests.exceptions.HTTPError as exc:
message = 'HTTP {}\n{}'.format(exc.response.status_code, exc.response.text)
return Response({'inputs': message}, status=status.HTTP_400_BAD_REQUEST)
except Exception as exc:
return Response({'inputs': str(exc)}, status=status.HTTP_400_BAD_REQUEST)

2
awx/main/credential_plugins/azure_kv.py
View File

@ -39,7 +39,7 @@ azure_keyvault_inputs = {
}
def azure_keyvault_backend(raw, **kwargs):
def azure_keyvault_backend(**kwargs):
url = kwargs['url']
def auth_callback(server, resource, scope):

2
awx/main/credential_plugins/conjur.py
View File

@ -47,7 +47,7 @@ conjur_inputs = {
}
def conjur_backend(raw, **kwargs):
def conjur_backend(**kwargs):
url = kwargs['url']
api_key = kwargs['api_key']
account = quote_plus(kwargs['account'])

17
awx/main/credential_plugins/hashivault.py
View File

@ -53,7 +53,12 @@ hashi_kv_inputs['metadata'].extend([{
hashi_kv_inputs['required'].extend(['api_version', 'secret_key'])
hashi_ssh_inputs = copy.deepcopy(base_inputs)
hashi_ssh_inputs['metadata'].extend([{
hashi_ssh_inputs['metadata'] = [{
'id': 'public_key',
'label': _('Unsigned Public Key'),
'type': 'string',
'multiline': True,
}] + hashi_ssh_inputs['metadata'] + [{
'id': 'role',
'label': _('Role Name'),
'type': 'string',
@ -63,11 +68,11 @@ hashi_ssh_inputs['metadata'].extend([{
'label': _('Valid Principals'),
'type': 'string',
'help_text': _('Valid principals (either usernames or hostnames) that the certificate should be signed for.'),
}])
hashi_ssh_inputs['required'].extend(['role'])
}]
hashi_ssh_inputs['required'].extend(['public_key', 'role'])
def kv_backend(raw, **kwargs):
def kv_backend(**kwargs):
token = kwargs['token']
url = urljoin(kwargs['url'], 'v1')
secret_path = kwargs['secret_path']
@ -109,7 +114,7 @@ def kv_backend(raw, **kwargs):
return json['data']
def ssh_backend(raw, **kwargs):
def ssh_backend(**kwargs):
token = kwargs['token']
url = urljoin(kwargs['url'], 'v1')
secret_path = kwargs['secret_path']
@ -118,7 +123,7 @@ def ssh_backend(raw, **kwargs):
sess = requests.Session()
sess.headers['Authorization'] = 'Bearer {}'.format(token)
json = {
'public_key': raw
'public_key': kwargs['public_key']
}
if kwargs.get('valid_principals'):
json['valid_principals'] = kwargs['valid_principals']

8
awx/main/models/credential/__init__.py
View File

@ -1362,13 +1362,7 @@ class CredentialInputSource(PrimordialModel):
backend_kwargs[field_name] = value
backend_kwargs.update(self.metadata)
raw = self.target_credential.inputs.get(self.input_field_name)
if self.input_field_name in self.target_credential.credential_type.secret_fields:
raw = decrypt_field(self.target_credential, self.input_field_name)
return backend(
raw,
**backend_kwargs
)
return backend(**backend_kwargs)
def get_absolute_url(self, request=None):
view_name = 'api:credential_input_source_detail'

20
docs/credential_plugins.md
View File

@ -124,22 +124,6 @@ setuptools.setup(
)
```
Fetching vs. Transforming Credential Data
-----------------------------------------
While _most_ credential plugins will be used to _fetch_ secrets from external
systems, they can also be used to *transform* data from Tower _using_ an
external secret management system. An example use case is generating signed
public keys:
```python
def my_key_signer(unsigned_value_from_awx, **kwargs):
return some_libary.sign(
url=kwargs['url'],
token=kwargs['token'],
public_data=unsigned_value_from_awx
)
```
Programmatic Secret Fetching
----------------------------
If you want to programmatically fetch secrets from a supported external secret
@ -288,7 +272,7 @@ HTTP/1.1 200 OK
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-X POST \
-d '{"user": N, "credential_type": 1, "name": "My SSH", "inputs": {"username": "example", "ssh_key_data": "RSA KEY DATA", "ssh_public_key_data": "UNSIGNED PUBLIC KEY DATA"}}'
-d '{"user": N, "credential_type": 1, "name": "My SSH", "inputs": {"username": "example", "ssh_key_data": "RSA KEY DATA"}}'
HTTP/1.1 201 Created
{
@ -320,7 +304,7 @@ HTTP/1.1 201 Created
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-X POST \
-d '{"source_credential": 2, "input_field_name": "password", "metadata": {"secret_path": "/ssh/", "role": "example-role"}}'
-d '{"source_credential": 2, "input_field_name": "password", "metadata": {"public_key": "UNSIGNED PUBLIC KEY", "secret_path": "/ssh/", "role": "example-role"}}'
HTTP/1.1 201 Created
```