Add userpass and LDAP support for HashiCorp vault credential_plugin (#14654)

* Add username and password to handle_auth and update exception message Revise naming of ldap username and password * Add url for LDAP and userpass to method_auth * Add information regarding LDAP and username and password to credential plugins documentation Revise ldap_auth to userpass_auth and revised exception to better reflect functionality * Revise method_auth to ensure certs can be used with username and ensure namespace functionality is not hindered
2026-03-10 14:09:28 -02:30 · 2024-01-25 09:50:13 -05:00
parent d4f7bfef18
commit 2e168d8177
3 changed files with 33 additions and 3 deletions
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@@ -87,6 +87,20 @@ base_inputs = {
                ' see https://www.vaultproject.io/docs/auth/kubernetes#configuration'
            ),
        },
+        {
+            'id': 'username',
+            'label': _('Username'),
+            'type': 'string',
+            'secret': False,
+            'help_text': _('Username for user authentication.'),
+        },
+        {
+            'id': 'password',
+            'label': _('Password'),
+            'type': 'string',
+            'secret': True,
+            'help_text': _('Password for user authentication.'),
+        },
        {
            'id': 'default_auth_path',
            'label': _('Path to Auth'),
@@ -185,9 +199,10 @@ hashi_ssh_inputs['required'].extend(['public_key', 'role'])

 def handle_auth(**kwargs):
    token = None
-
    if kwargs.get('token'):
        token = kwargs['token']
+    elif kwargs.get('username') and kwargs.get('password'):
+        token = method_auth(**kwargs, auth_param=userpass_auth(**kwargs))
    elif kwargs.get('role_id') and kwargs.get('secret_id'):
        token = method_auth(**kwargs, auth_param=approle_auth(**kwargs))
    elif kwargs.get('kubernetes_role'):
@@ -195,11 +210,14 @@ def handle_auth(**kwargs):
    elif kwargs.get('client_cert_public') and kwargs.get('client_cert_private'):
        token = method_auth(**kwargs, auth_param=client_cert_auth(**kwargs))
    else:
-        raise Exception('Either a token or AppRole, Kubernetes, or TLS authentication parameters must be set')
-
+        raise Exception('Token, Username/Password, AppRole, Kubernetes, or TLS authentication parameters must be set')
    return token


+def userpass_auth(**kwargs):
+    return {'username': kwargs['username'], 'password': kwargs['password']}
+
+
 def approle_auth(**kwargs):
    return {'role_id': kwargs['role_id'], 'secret_id': kwargs['secret_id']}

@@ -233,6 +251,8 @@ def method_auth(**kwargs):
    if kwargs.get('namespace'):
        sess.headers['X-Vault-Namespace'] = kwargs['namespace']
    request_url = '/'.join([url, 'auth', auth_path, 'login']).rstrip('/')
+    if kwargs['auth_param'].get('username'):
+        request_url = request_url + '/' + (kwargs['username'])
    with CertFiles(cacert) as cert:
        request_kwargs['verify'] = cert
        # TLS client certificate support