External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-12 11:57:37 -02:30
Code Issues Packages Projects Releases Wiki Activity

remove the usage of create_temporary_fifo from credential plugins

Browse Source 
this resolves an issue that causes an endless hang on with Cyberark AIM
lookups when a certificate *and* key are specified

the underlying issue here is that we can't rely on the underyling Python
ssl implementation to *only* read from the fifo that stores the pem data
*only once*; in reality, we need to just use *actual* tempfiles for
stability purposes

see: https://github.com/ansible/awx/issues/6986
see: https://github.com/urllib3/urllib3/issues/1880
This commit is contained in:
Ryan Petrello
2020-05-27 16:03:05 -04:00
parent 3ef07ee5f7
commit 310a0f88e5
4 changed files with 69 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
awx/main/credential_plugins/hashivault.py
View File

@@ -3,16 +3,11 @@ import os
import pathlib
from urllib.parse import urljoin
from .plugin import CredentialPlugin
from .plugin import CredentialPlugin, CertFiles
import requests
from django.utils.translation import ugettext_lazy as _
# AWX
from awx.main.utils import (
create_temporary_fifo,
)
base_inputs = {
'fields': [{
'id': 'url',
@@ -101,8 +96,6 @@ def kv_backend(**kwargs):
'timeout': 30,
'allow_redirects': False,
}
if cacert:
request_kwargs['verify'] = create_temporary_fifo(cacert.encode())
sess = requests.Session()
sess.headers['Authorization'] = 'Bearer {}'.format(token)
@@ -129,7 +122,9 @@ def kv_backend(**kwargs):
path_segments = [secret_path]
request_url = urljoin(url, '/'.join(['v1'] + path_segments)).rstrip('/')
response = sess.get(request_url, **request_kwargs)
with CertFiles(cacert) as cert:
request_kwargs['verify'] = cert
response = sess.get(request_url, **request_kwargs)
response.raise_for_status()
json = response.json()
@@ -157,8 +152,6 @@ def ssh_backend(**kwargs):
'timeout': 30,
'allow_redirects': False,
}
if cacert:
request_kwargs['verify'] = create_temporary_fifo(cacert.encode())
request_kwargs['json'] = {'public_key': kwargs['public_key']}
if kwargs.get('valid_principals'):
@@ -170,7 +163,10 @@ def ssh_backend(**kwargs):
sess.headers['X-Vault-Token'] = token
# https://www.vaultproject.io/api/secret/ssh/index.html#sign-ssh-key
request_url = '/'.join([url, secret_path, 'sign', role]).rstrip('/')
resp = sess.post(request_url, **request_kwargs)
with CertFiles(cacert) as cert:
request_kwargs['verify'] = cert
resp = sess.post(request_url, **request_kwargs)
resp.raise_for_status()
return resp.json()['data']['signed_key']