related #4274 - added option to verify server certificate with a specific CA

2026-01-16 04:10:44 -03:30 · 2019-07-09 13:59:11 +02:00 · 2019-07-09 13:59:11 +02:00 · 7a5efa1adc
commit 7a5efa1adc
parent f77298643f
1 changed files with 23 additions and 41 deletions
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@ -104,43 +104,33 @@ def kv_backend(**kwargs):
    secret_path = kwargs['secret_path']
    secret_key = kwargs.get('secret_key', None)
    cacert = kwargs.get('cacert', None)
-
    api_version = kwargs['api_version']

+    request_kwargs = { 'timeout': 30 }
+    if cacert:
+        request_kwargs['verify'] = create_temporary_fifo(cacert.encode())
+
    sess = requests.Session()
    sess.headers['Authorization'] = 'Bearer {}'.format(token)

    if api_version == 'v2':
-        params = {}
        if kwargs.get('secret_version'):
-            params['version'] = kwargs['secret_version']
+            request_kwargs['params'] = { 'version': kwargs['secret_version'] }
        try:
            mount_point, *path = pathlib.Path(secret_path.lstrip(os.sep)).parts
-            '/'.join(path)
+            '/'.join(path) 
        except Exception:
            mount_point, path = secret_path, []
        # https://www.vaultproject.io/api/secret/kv/kv-v2.html#read-secret-version
-        if cacert:
-            response = sess.get(
-                '/'.join([url, mount_point, 'data'] + path).rstrip('/'),
-                params=params,
-                verify=create_temporary_fifo(cacert.encode()) ,
-                timeout=30
-            )
-        else:
-            response = sess.get(
-                '/'.join([url, mount_point, 'data'] + path).rstrip('/'),
-                params=params,
-                timeout=30
-            )
+        request_url = '/'.join([url, mount_point, 'data'] + path).rstrip('/')
+        response = sess.get(request_url, **request_kwargs)
+
        response.raise_for_status()
        json = response.json()['data']
    else:
-        # https://www.vaultproject.io/api/secret/kv/kv-v1.html#read-secret
-        if cacert:
-            response = sess.get('/'.join([url, secret_path]).rstrip('/'), verify=create_temporary_fifo(cacert.encode()), timeout=30)
-        else:
-            response = sess.get('/'.join([url, secret_path]).rstrip('/'), timeout=30)
+        request_url = '/'.join([url, secret_path]).rstrip('/')
+        response = sess.get(request_url, **request_kwargs)
+
        response.raise_for_status()
        json = response.json()

@ -161,28 +151,20 @@ def ssh_backend(**kwargs):
    role = kwargs['role']
    cacert = kwargs.get('cacert', None)

+    request_kwargs = { 'timeout': 30 }
+    if cacert:
+        request_kwargs['verify'] = create_temporary_fifo(cacert.encode())
+
+    request_kwargs['json'] = { 'public_key': kwargs['public_key'] }
+    if kwargs.get('valid_principals'):
+        request_kwargs['json']['valid_principals'] = kwargs['valid_principals']
+
    sess = requests.Session()
    sess.headers['Authorization'] = 'Bearer {}'.format(token)
-    json = {
-        'public_key': kwargs['public_key']
-    }
-    if kwargs.get('valid_principals'):
-        json['valid_principals'] = kwargs['valid_principals']
-
    # https://www.vaultproject.io/api/secret/ssh/index.html#sign-ssh-key
-    if cacert:
-        resp = sess.post(
-            '/'.join([url, secret_path, 'sign', role]).rstrip('/'),
-            json=json,
-            verify=create_temporary_fifo(cacert.encode()),
-            timeout=30
-        )
-    else:
-        resp = sess.post(
-            '/'.join([url, secret_path, 'sign', role]).rstrip('/'),
-            json=json,
-            timeout=30
-        )
+    request_url = '/'.join([url, secret_path, 'sign', role]).rstrip('/')
+    resp = sess.post(request_url, **request_kwargs)
+
    resp.raise_for_status()
    return resp.json()['data']['signed_key']