diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py
index b993db88f1..f3dcd53b5d 100644
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@@ -87,6 +87,20 @@ base_inputs = {
 ' see https://www.vaultproject.io/docs/auth/kubernetes#configuration'
 ),
 },
+ {
+ 'id': 'username',
+ 'label': _('Username'),
+ 'type': 'string',
+ 'secret': False,
+ 'help_text': _('Username for user authentication.'),
+ },
+ {
+ 'id': 'password',
+ 'label': _('Password'),
+ 'type': 'string',
+ 'secret': True,
+ 'help_text': _('Password for user authentication.'),
+ },
 {
 'id': 'default_auth_path',
 'label': _('Path to Auth'),
@@ -185,9 +199,10 @@ hashi_ssh_inputs['required'].extend(['public_key', 'role'])
 
 def handle_auth(**kwargs):
 token = None
-
 if kwargs.get('token'):
 token = kwargs['token']
+ elif kwargs.get('username') and kwargs.get('password'):
+ token = method_auth(**kwargs, auth_param=userpass_auth(**kwargs))
 elif kwargs.get('role_id') and kwargs.get('secret_id'):
 token = method_auth(**kwargs, auth_param=approle_auth(**kwargs))
 elif kwargs.get('kubernetes_role'):
@@ -195,11 +210,14 @@ def handle_auth(**kwargs):
 elif kwargs.get('client_cert_public') and kwargs.get('client_cert_private'):
 token = method_auth(**kwargs, auth_param=client_cert_auth(**kwargs))
 else:
- raise Exception('Either a token or AppRole, Kubernetes, or TLS authentication parameters must be set')
-
+ raise Exception('Token, Username/Password, AppRole, Kubernetes, or TLS authentication parameters must be set')
 return token
 
 
+def userpass_auth(**kwargs):
+ return {'username': kwargs['username'], 'password': kwargs['password']}
+
+
 def approle_auth(**kwargs):
 return {'role_id': kwargs['role_id'], 'secret_id': kwargs['secret_id']}
 
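Review bot: The new `username` help text does not tell the user that Path to Auth must point at the userpass mount, yet the login URL in `method_auth` (hunk 4) is built from `auth_path`, so a credential that fills in username/password but leaves Path to Auth at its default (documented elsewhere as `/approle`, assuming that is still the default here) will POST to the approle login endpoint and fail with no hint why. I'd extend the help text: `'help_text': _('Username for user authentication. Set Path to Auth to the mount path of the userpass auth method (e.g. userpass).')`. The `base_inputs` dict starts before this hunk.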
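Review bot: The new `elif kwargs.get('username') and kwargs.get('password')` branch silently falls through when only one of the pair is filled in, so a half-configured userpass credential ends up at the generic "parameters must be set" exception with no indication which field is missing; the approle pair on the next `elif` behaves the same way. A comment on the chain would at least make the precedence and the fall-through explicit: `# first configured method wins: token, then userpass, then approle, kubernetes, TLS; a pair with one value missing counts as unset`. `handle_auth` continues past the end of this hunk.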
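Review bot: `userpass_auth` has no docstring and, like `approle_auth`, raises a bare `KeyError` when either key is absent, which is fine on the `handle_auth` path that has already checked both but surprising for any other caller. I'd add `"""Return the JSON body for a Vault userpass login; both keys must be present, and method_auth also appends the username to the login URL."""`. The updated exception message matches the branches visible in the preceding hunk.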
@@ -233,6 +251,8 @@ def method_auth(**kwargs):
 if kwargs.get('namespace'):
 sess.headers['X-Vault-Namespace'] = kwargs['namespace']
 request_url = '/'.join([url, 'auth', auth_path, 'login']).rstrip('/')
+ if kwargs['auth_param'].get('username'):
+ request_url = request_url + '/' + (kwargs['username'])
 with CertFiles(cacert) as cert:
 request_kwargs['verify'] = cert
 # TLS client certificate support
diff --git a/awx/main/tests/functional/test_credential_plugins.py b/awx/main/tests/functional/test_credential_plugins.py
index 9d199c31f5..3ee29e9ce3 100644
--- a/awx/main/tests/functional/test_credential_plugins.py
+++ b/awx/main/tests/functional/test_credential_plugins.py
@@ -60,6 +60,13 @@ def test_hashivault_client_cert_auth_no_role():
 assert res == expected_res
 
 
+def test_hashivault_userpass_auth():
+ kwargs = {'username': 'the_username', 'password': 'the_password'}
+ expected_res = {'username': 'the_username', 'password': 'the_password'}
+ res = hashivault.userpass_auth(**kwargs)
+ assert res == expected_res
+
+
 def test_hashivault_handle_auth_token():
 kwargs = {
 'token': 'the_token',
diff --git a/docs/docsite/rst/userguide/credential_plugins.rst b/docs/docsite/rst/userguide/credential_plugins.rst
index 9bd9655df8..a2cc436282 100644
--- a/docs/docsite/rst/userguide/credential_plugins.rst
+++ b/docs/docsite/rst/userguide/credential_plugins.rst
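Review bot: `request_url = request_url + '/' + (kwargs['username'])` inserts the credential's username into the URL path verbatim, so a username containing `/`, `?`, `#`, `%` or whitespace produces a malformed URL or a login request against an unintended path; percent-encoding it fixes that. The guard also tests `kwargs['auth_param'].get('username')` but then reads `kwargs['username']` — the same value here, but reading it from `auth_param` keeps the branch self-consistent: `request_url = request_url + '/' + urllib.parse.quote(kwargs['auth_param']['username'], safe='')` (add the `urllib.parse` import if the module does not already have it). `method_auth` starts before this hunk.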
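Review bot: The new test only covers the dict builder; neither the userpass branch in `handle_auth` nor the username-in-URL logic added to `method_auth` is exercised, so a regression in the URL construction would pass this suite. A `test_hashivault_handle_auth_userpass` following the pattern of `test_hashivault_handle_auth_token` (whose body lies outside this hunk, so I cannot tell how `method_auth` is stubbed there) with kwargs `{'username': 'the_username', 'password': 'the_password'}` would cover the dispatch, and an assertion that the login URL ends with `/login/the_username` would pin the path handling.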
@@ -272,9 +272,12 @@ When **HashiCorp Vault Secret Lookup** is selected for **Credential Type**, prov
 - **Kubernetes role** specify the role name when using Kubernetes authentication
 - **Path to Auth**: specify a path if other than the default path of ``/approle``
 - **API Version** (required): select v1 for static lookups and v2 for versioned lookups
+- **Username and Password**: specify the username and password for the user account
 
 For more detail about the Approle auth method and its fields, refer to the `Vault documentation for Approle Auth Method `_.
 
+For more detail about the Userpass auth method and its fields, refer to the `Vault documentation for LDAP auth method `_.
+
 For more detail about the Kubernetes auth method and its fields, refer to the `Vault documentation for Kubernetes auth method ` _.
 
 For more detail about the TLS certificate auth method and its fields, refer to the `Vault documentation for TLS certificates auth method ` _.