add support for CyberArk Conjur (API v5)

Makefile

@@ -575,8 +575,9 @@ docker-compose: docker-auth
 docker-compose-cluster: docker-auth
 	CURRENT_UID=$(shell id -u) TAG=$(COMPOSE_TAG) DEV_DOCKER_TAG_BASE=$(DEV_DOCKER_TAG_BASE) docker-compose -f tools/docker-compose-cluster.yml up
 
-docker-compose-hashivault: docker-auth
+docker-compose-credential-plugins: docker-auth
-	CURRENT_UID=$(shell id -u) TAG=$(COMPOSE_TAG) DEV_DOCKER_TAG_BASE=$(DEV_DOCKER_TAG_BASE) docker-compose -f tools/docker-compose.yml -f tools/docker-hashivault-override.yml up --no-recreate awx
+	echo -e "\033[0;31mTo generate a CyberArk Conjur API key: docker exec -it tools_conjur_1 conjurctl account create quick-start\033[0m"
+	CURRENT_UID=$(shell id -u) TAG=$(COMPOSE_TAG) DEV_DOCKER_TAG_BASE=$(DEV_DOCKER_TAG_BASE) docker-compose -f tools/docker-compose.yml -f tools/docker-credential-plugins-override.yml up --no-recreate awx
 
 docker-compose-test: docker-auth
 	cd tools && CURRENT_UID=$(shell id -u) TAG=$(COMPOSE_TAG) DEV_DOCKER_TAG_BASE=$(DEV_DOCKER_TAG_BASE) docker-compose run --rm --service-ports awx /bin/bash

awx/main/credential_plugins/conjur.py

@@ -0,0 +1,92 @@
+from .plugin import CredentialPlugin
+
+import base64
+import io
+from urllib.parse import urljoin, quote_plus
+
+from django.utils.translation import ugettext_lazy as _
+import requests
+
+
+conjur_inputs = {
+    'fields': [{
+        'id': 'url',
+        'label': _('Conjur URL'),
+        'type': 'string',
+    }, {
+        'id': 'api_key',
+        'label': _('API Key'),
+        'type': 'string',
+        'secret': True,
+    }, {
+        'id': 'account',
+        'label': _('Account'),
+        'type': 'string',
+    }, {
+        'id': 'username',
+        'label': _('Username'),
+        'type': 'string',
+    }, {
+        'id': 'cacert',
+        'label': _('Public Key Certificate'),
+        'type': 'string',
+        'multiline': True
+    }],
+    'metadata': [{
+        'id': 'secret_path',
+        'label': _('Secret Identifier'),
+        'type': 'string',
+        'help_text': _('The identifier for the secret e.g., /some/identifier'),
+    }, {
+        'id': 'secret_version',
+        'label': _('Secret Version'),
+        'type': 'string',
+        'help_text': _('Used to specify a specific secret version (if left empty, the latest version will be used).'),
+    }],
+    'required': ['url', 'api_key', 'account', 'username'],
+}
+
+
+def conjur_backend(raw, **kwargs):
+    url = kwargs['url']
+    api_key = kwargs['api_key']
+    account = quote_plus(kwargs['account'])
+    username = quote_plus(kwargs['username'])
+    secret_path = quote_plus(kwargs['secret_path'])
+    version = kwargs.get('secret_version')
+    cert = io.StringIO()
+    cert.write(kwargs.get('cacert', ''))
+
+    # https://www.conjur.org/api.html#authentication-authenticate-post
+    resp = requests.post(
+        urljoin(url, '/'.join(['authn', account, username, 'authenticate'])),
+        headers={'Content-Type': 'text/plain'},
+        data=api_key,
+        verify=cert
+    )
+    resp.raise_for_status()
+    token = base64.b64encode(resp.content).decode('utf-8')
+
+    # https://www.conjur.org/api.html#secrets-retrieve-a-secret-get
+    path = urljoin(url, '/'.join([
+        'secrets',
+        account,
+        'variable',
+        secret_path
+    ]))
+    if version:
+        path = '?'.join([path, version])
+    resp = requests.get(
+        path,
+        headers={'Authorization': 'Token token="{}"'.format(token)},
+        verify=cert
+    )
+    resp.raise_for_status()
+    return resp.text
+
+
+conjur_plugin = CredentialPlugin(
+    'CyberArk Conjur Secret Lookup',
+    inputs=conjur_inputs,
+    backend=conjur_backend
+)

setup.py

@@ -115,6 +115,7 @@ setup(
             'awx-manage = awx:manage',
         ],
         'awx.credential_plugins': [
+            'conjur = awx.main.credential_plugins.conjur:conjur_plugin',
             'hashivault_kv = awx.main.credential_plugins.hashivault:hashivault_kv_plugin',
             'hashivault_ssh = awx.main.credential_plugins.hashivault:hashivault_ssh_plugin',
             'azure_kv = awx.main.credential_plugins.azure_kv:azure_keyvault_plugin',

tools/docker-compose/awx.egg-info/entry_points.txt

@@ -3,6 +3,7 @@ tower-manage = awx:manage
 awx-manage = awx:manage
 
 [awx.credential_plugins]
+conjur = awx.main.credential_plugins.conjur:conjur_plugin
 hashivault_kv = awx.main.credential_plugins.hashivault:hashivault_kv_plugin
 hashivault_ssh = awx.main.credential_plugins.hashivault:hashivault_ssh_plugin
 azure_kv = awx.main.credential_plugins.azure_kv:azure_keyvault_plugin

tools/docker-credential-plugins-override.yml

@@ -0,0 +1,28 @@
+version: '2'
+services:
+  # Primary Tower Development Container link
+  awx:
+    links:
+      - hashivault
+      - conjur
+  hashivault:
+    image: vault:1.0.1
+    container_name: tools_hashivault_1
+    ports:
+      - '8200:8200'
+    cap_add:
+      - IPC_LOCK
+    environment:
+      VAULT_DEV_ROOT_TOKEN_ID: 'vaultdev'
+
+  conjur:
+    image: cyberark/conjur
+    command: server -p 8300
+    environment:
+      DATABASE_URL: postgres://postgres@postgres/postgres
+      CONJUR_DATA_KEY: 'dveUwOI/71x9BPJkIgvQRRBF3SdASc+HP4CUGL7TKvM='
+    depends_on: [ postgres ]
+    links:
+      - postgres
+    ports:
+      - "8300:8300"

tools/docker-hashivault-override.yml

@@ -1,15 +0,0 @@
-version: '2'
-services:
-  # Primary Tower Development Container link
-  awx:
-    links:
-      - hashivault
-  hashivault:
-    image: vault:1.0.1
-    container_name: tools_hashivault_1
-    ports:
-      - '8200:8200'
-    cap_add:
-      - IPC_LOCK
-    environment:
-      VAULT_DEV_ROOT_TOKEN_ID: 'vaultdev'