Add userpass and LDAP support for HashiCorp vault credential_plugin (#14654)

* Add username and password to handle_auth and update exception message Revise naming of ldap username and password * Add url for LDAP and userpass to method_auth * Add information regarding LDAP and username and password to credential plugins documentation Revise ldap_auth to userpass_auth and revised exception to better reflect functionality * Revise method_auth to ensure certs can be used with username and ensure namespace functionality is not hindered
2026-01-09 23:12:08 -03:30 · 2024-01-25 09:50:13 -05:00 · 2024-01-25 09:50:13 -05:00 · 2e168d8177
commit 2e168d8177
parent d4f7bfef18
3 changed files with 33 additions and 3 deletions
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@ -87,6 +87,20 @@ base_inputs = {
                ' see https://www.vaultproject.io/docs/auth/kubernetes#configuration'
            ),
        },
+        {
+            'id': 'username',
+            'label': _('Username'),
+            'type': 'string',
+            'secret': False,
+            'help_text': _('Username for user authentication.'),
+        },
+        {
+            'id': 'password',
+            'label': _('Password'),
+            'type': 'string',
+            'secret': True,
+            'help_text': _('Password for user authentication.'),
+        },
        {
            'id': 'default_auth_path',
            'label': _('Path to Auth'),
@ -185,9 +199,10 @@ hashi_ssh_inputs['required'].extend(['public_key', 'role'])

 def handle_auth(**kwargs):
    token = None
-
    if kwargs.get('token'):
        token = kwargs['token']
+    elif kwargs.get('username') and kwargs.get('password'):
+        token = method_auth(**kwargs, auth_param=userpass_auth(**kwargs))
    elif kwargs.get('role_id') and kwargs.get('secret_id'):
        token = method_auth(**kwargs, auth_param=approle_auth(**kwargs))
    elif kwargs.get('kubernetes_role'):
@ -195,11 +210,14 @@ def handle_auth(**kwargs):
    elif kwargs.get('client_cert_public') and kwargs.get('client_cert_private'):
        token = method_auth(**kwargs, auth_param=client_cert_auth(**kwargs))
    else:
-        raise Exception('Either a token or AppRole, Kubernetes, or TLS authentication parameters must be set')
-
+        raise Exception('Token, Username/Password, AppRole, Kubernetes, or TLS authentication parameters must be set')
    return token


+def userpass_auth(**kwargs):
+    return {'username': kwargs['username'], 'password': kwargs['password']}
+
+
 def approle_auth(**kwargs):
    return {'role_id': kwargs['role_id'], 'secret_id': kwargs['secret_id']}

@ -233,6 +251,8 @@ def method_auth(**kwargs):
    if kwargs.get('namespace'):
        sess.headers['X-Vault-Namespace'] = kwargs['namespace']
    request_url = '/'.join([url, 'auth', auth_path, 'login']).rstrip('/')
+    if kwargs['auth_param'].get('username'):
+        request_url = request_url + '/' + (kwargs['username'])
    with CertFiles(cacert) as cert:
        request_kwargs['verify'] = cert
        # TLS client certificate support
--- a/awx/main/tests/functional/test_credential_plugins.py
+++ b/awx/main/tests/functional/test_credential_plugins.py
@ -60,6 +60,13 @@ def test_hashivault_client_cert_auth_no_role():
    assert res == expected_res


+def test_hashivault_userpass_auth():
+    kwargs = {'username': 'the_username', 'password': 'the_password'}
+    expected_res = {'username': 'the_username', 'password': 'the_password'}
+    res = hashivault.userpass_auth(**kwargs)
+    assert res == expected_res
+
+
 def test_hashivault_handle_auth_token():
    kwargs = {
        'token': 'the_token',
--- a/docs/docsite/rst/userguide/credential_plugins.rst
+++ b/docs/docsite/rst/userguide/credential_plugins.rst
@ -272,9 +272,12 @@ When **HashiCorp Vault Secret Lookup** is selected for **Credential Type**, prov
 - **Kubernetes role** specify the role name when using Kubernetes authentication
 - **Path to Auth**: specify a path if other than the default path of ``/approle``
 - **API Version** (required): select v1 for static lookups and v2 for versioned lookups
+- **Username and Password**: specify the username and password for the user account

 For more detail about the Approle auth method and its fields, refer to the `Vault documentation for Approle Auth Method <https://www.vaultproject.io/docs/auth/approle>`_.

+For more detail about the Userpass auth method and its fields, refer to the `Vault documentation for LDAP auth method <https://www.vaultproject.io/docs/auth/userpass>`_.
+
 For more detail about the Kubernetes auth method and its fields, refer to the `Vault documentation for Kubernetes auth method <https://developer.hashicorp.com/vault/docs/auth/kubernetes>` _.

 For more detail about the TLS certificate auth method and its fields, refer to the `Vault documentation for TLS certificates auth method <https://developer.hashicorp.com/vault/docs/auth/cert>` _.