From 00fc5f6b93ac29c1daf64504525dd4e9e859a1ab Mon Sep 17 00:00:00 2001
From: Benoit Bayszczak
Date: Tue, 25 Aug 2020 17:55:40 +0200
Subject: [PATCH 1/6] hashivault_kv auth_path moved from metadata to inputs

The auth_path is used with the approle auth method It's not linked to the secret we are reading but to the auth method, this parameter has to be moved to inputs
---
 awx/main/credential_plugins/hashivault.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py
index 2406623231..38fce5501d 100644
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@@ -40,6 +40,12 @@ base_inputs = {
 'multiline': False,
 'secret': True,
 'help_text': _('The Secret ID for AppRole Authentication')
+ }, {
+ 'id': 'auth_path',
+ 'label': _('Path to Auth'),
+ 'type': 'string',
+ 'multiline': False,
+ 'help_text': _('The path where the Authentication method is mounted e.g, approle')
 }
 ],
 'metadata': [{
@@ -47,11 +53,6 @@ base_inputs = {
 'label': _('Path to Secret'),
 'type': 'string',
 'help_text': _('The path to the secret stored in the secret backend e.g, /some/secret/')
- },{
- 'id': 'auth_path',
- 'label': _('Path to Auth'),
- 'type': 'string',
- 'help_text': _('The path where the Authentication method is mounted e.g, approle')
 }],
 'required': ['url', 'secret_path'],
 }

From 7c8e5ace5266f7943355a6aa03cbcd8956216ea7 Mon Sep 17 00:00:00 2001
From: Benoit Bayszczak
Date: Wed, 26 Aug 2020 09:46:05 +0200
Subject: [PATCH 2/6] fix tests

---
 .../test/awx/test_credential_input_source.py | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/awx_collection/test/awx/test_credential_input_source.py b/awx_collection/test/awx/test_credential_input_source.py
index a676ab15cb..2662f05c09 100644
--- a/awx_collection/test/awx/test_credential_input_source.py
+++ b/awx_collection/test/awx/test_credential_input_source.py
@@ -122,7 +122,8 @@ def source_cred_hashi_secret(organization):
 "url": "https://secret.hash.example.com",
 "token": "myApiKey",
 "role_id": "role",
- "secret_id": "secret"
+ "secret_id": "secret",
+ "auth_path": "/path/to/auth"
 }
 )
@@ -142,7 +143,7 @@ def test_hashi_secret_credential_source(run_module, admin_user, organization, so
 source_credential=source_cred_hashi_secret.name,
 target_credential=tgt_cred.name,
 input_field_name='password',
- metadata={"secret_path": "/path/to/secret", "auth_path": "/path/to/auth", "secret_backend": "backend", "secret_key": "a_key"},
+ metadata={"secret_path": "/path/to/secret", "secret_backend": "backend", "secret_key": "a_key"},
 state='present'
 ), admin_user)
@@ -153,7 +154,6 @@ def test_hashi_secret_credential_source(run_module, admin_user, organization, so
 cis = CredentialInputSource.objects.first()
 assert cis.metadata['secret_path'] == "/path/to/secret"
- assert cis.metadata['auth_path'] == "/path/to/auth"
 assert cis.metadata['secret_backend'] == "backend"
 assert cis.metadata['secret_key'] == "a_key"
 assert cis.source_credential.name == source_cred_hashi_secret.name
@@ -188,14 +188,14 @@ def test_hashi_ssh_credential_source(run_module, admin_user, organization, sourc
 name='Test Machine Credential',
 organization=organization,
 credential_type=ct,
- inputs={'username': 'bob'}
+ inputs={'username': 'bob', "auth_path": "/path/to/auth"}
 )
 result = run_module('tower_credential_input_source', dict(
 source_credential=source_cred_hashi_ssh.name,
 target_credential=tgt_cred.name,
 input_field_name='password',
- metadata={"secret_path": "/path/to/secret", "auth_path": "/path/to/auth", "role": "role", "public_key": "a_key", "valid_principals": "some_value"},
+ metadata={"secret_path": "/path/to/secret", "role": "role", "public_key": "a_key", "valid_principals": "some_value"},
 state='present'
 ), admin_user)
@@ -206,7 +206,6 @@ def test_hashi_ssh_credential_source(run_module, admin_user, organization, sourc
 cis = CredentialInputSource.objects.first()
 assert cis.metadata['secret_path'] == "/path/to/secret"
- assert cis.metadata['auth_path'] == "/path/to/auth"
 assert cis.metadata['role'] == "role"
 assert cis.metadata['public_key'] == "a_key"
 assert cis.metadata['valid_principals'] == "some_value"

From cf5d1a2d03eca2032343c8e706f744b2f146ec58 Mon Sep 17 00:00:00 2001
From: Benoit Bayszczak
Date: Thu, 27 Aug 2020 11:06:14 +0200
Subject: [PATCH 3/6] restore previous tests as we need to keep backward compatibility

This reverts commit 7c8e5ace5266f7943355a6aa03cbcd8956216ea7.
---
 .../test/awx/test_credential_input_source.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/awx_collection/test/awx/test_credential_input_source.py b/awx_collection/test/awx/test_credential_input_source.py
index 2662f05c09..a676ab15cb 100644
--- a/awx_collection/test/awx/test_credential_input_source.py
+++ b/awx_collection/test/awx/test_credential_input_source.py
@@ -122,8 +122,7 @@ def source_cred_hashi_secret(organization):
 "url": "https://secret.hash.example.com",
 "token": "myApiKey",
 "role_id": "role",
- "secret_id": "secret",
- "auth_path": "/path/to/auth"
+ "secret_id": "secret"
 }
 )
@@ -143,7 +142,7 @@ def test_hashi_secret_credential_source(run_module, admin_user, organization, so
 source_credential=source_cred_hashi_secret.name,
 target_credential=tgt_cred.name,
 input_field_name='password',
- metadata={"secret_path": "/path/to/secret", "secret_backend": "backend", "secret_key": "a_key"},
+ metadata={"secret_path": "/path/to/secret", "auth_path": "/path/to/auth", "secret_backend": "backend", "secret_key": "a_key"},
 state='present'
 ), admin_user)
@@ -154,6 +153,7 @@ def test_hashi_secret_credential_source(run_module, admin_user, organization, so
 cis = CredentialInputSource.objects.first()
 assert cis.metadata['secret_path'] == "/path/to/secret"
+ assert cis.metadata['auth_path'] == "/path/to/auth"
 assert cis.metadata['secret_backend'] == "backend"
 assert cis.metadata['secret_key'] == "a_key"
 assert cis.source_credential.name == source_cred_hashi_secret.name
@@ -188,14 +188,14 @@ def test_hashi_ssh_credential_source(run_module, admin_user, organization, sourc
 name='Test Machine Credential',
 organization=organization,
 credential_type=ct,
- inputs={'username': 'bob', "auth_path": "/path/to/auth"}
+ inputs={'username': 'bob'}
 )
 result = run_module('tower_credential_input_source', dict(
 source_credential=source_cred_hashi_ssh.name,
 target_credential=tgt_cred.name,
 input_field_name='password',
- metadata={"secret_path": "/path/to/secret", "role": "role", "public_key": "a_key", "valid_principals": "some_value"},
+ metadata={"secret_path": "/path/to/secret", "auth_path": "/path/to/auth", "role": "role", "public_key": "a_key", "valid_principals": "some_value"},
 state='present'
 ), admin_user)
@@ -206,6 +206,7 @@ def test_hashi_ssh_credential_source(run_module, admin_user, organization, sourc
 cis = CredentialInputSource.objects.first()
 assert cis.metadata['secret_path'] == "/path/to/secret"
+ assert cis.metadata['auth_path'] == "/path/to/auth"
 assert cis.metadata['role'] == "role"
 assert cis.metadata['public_key'] == "a_key"
 assert cis.metadata['valid_principals'] == "some_value"

From 16fdf0e28fa55d0d710bf3cf9a8d1e77d7f0c6c5 Mon Sep 17 00:00:00 2001
From: Benoit Bayszczak
Date: Fri, 28 Aug 2020 17:22:07 +0200
Subject: [PATCH 4/6] [credential_plugin/hashivault] add approle_auth_path in inputs

---
 awx/main/credential_plugins/hashivault.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py
index 38fce5501d..a61c80ecf4 100644
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@@ -41,11 +41,11 @@ base_inputs = {
 'secret': True,
 'help_text': _('The Secret ID for AppRole Authentication')
 }, {
- 'id': 'auth_path',
- 'label': _('Path to Auth'),
+ 'id': 'approle_auth_path',
+ 'label': _('Path to Approle Auth'),
 'type': 'string',
 'multiline': False,
- 'help_text': _('The path where the Authentication method is mounted e.g, approle')
+ 'help_text': _('The path where the AppRole Authentication method is mounted e.g, approle')
 }
 ],
 'metadata': [{
@@ -53,6 +53,12 @@ base_inputs = {
 'label': _('Path to Secret'),
 'type': 'string',
 'help_text': _('The path to the secret stored in the secret backend e.g, /some/secret/')
+ }, {
+ 'id': 'auth_path',
+ 'label': _('Path to Auth'),
+ 'type': 'string',
+ 'multiline': False,
+ 'help_text': _('The path where the Authentication method is mounted e.g, approle')
 }],
 'required': ['url', 'secret_path'],
 }
@@ -119,7 +125,11 @@ def handle_auth(**kwargs):
 def approle_auth(**kwargs):
 role_id = kwargs['role_id']
 secret_id = kwargs['secret_id']
- auth_path = kwargs.get('auth_path') or 'approle'
+ # we first try to use the 'auth_path' from the metadata
+ # if not found we try to fetch the 'approle_auth_path' from inputs
+ # if not found we use the default value 'approle'
+ auth_path = \
+ kwargs.get('auth_path', kwargs.get('approle_auth_path', "approle"))
 url = urljoin(kwargs['url'], 'v1')
 cacert = kwargs.get('cacert', None)

From e8b54abec452d86a3b6a5aea9a4e8eb90813c6aa Mon Sep 17 00:00:00 2001
From: Benoit Bayszczak
Date: Fri, 28 Aug 2020 17:29:11 +0200
Subject: [PATCH 5/6] [credential_plugin/hashivault] edit tests

---
 awx_collection/test/awx/test_credential_input_source.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

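Review bot: The metadata entry for `auth_path` re-added in the second hunk of hashivault.py carries the same help text as the credential-level auth-path input it now takes precedence over, so someone linking an input field cannot tell from the form which of the two values is used; the precedence is stated only in the comment added to `approle_auth` in the third hunk. A help text that names the relationship is enough, e.g. `'help_text': _('The path where the Authentication method is mounted e.g, approle. Overrides the auth path set on the credential')`. The `'multiline': False` key on this entry is also inconsistent with the neighbouring `secret_path` metadata entry, which omits it; either both or neither should carry it. `base_inputs` starts outside the hunk.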
diff --git a/awx_collection/test/awx/test_credential_input_source.py b/awx_collection/test/awx/test_credential_input_source.py
index a676ab15cb..96d768275e 100644
--- a/awx_collection/test/awx/test_credential_input_source.py
+++ b/awx_collection/test/awx/test_credential_input_source.py
@@ -122,7 +122,8 @@ def source_cred_hashi_secret(organization):
 "url": "https://secret.hash.example.com",
 "token": "myApiKey",
 "role_id": "role",
- "secret_id": "secret"
+ "secret_id": "secret",
+ "approle_auth_path": "path-to-approle"
 }
 )
@@ -157,6 +158,8 @@ def test_hashi_secret_credential_source(run_module, admin_user, organization, so
 assert cis.metadata['secret_backend'] == "backend"
 assert cis.metadata['secret_key'] == "a_key"
 assert cis.source_credential.name == source_cred_hashi_secret.name
+ assert cis.source_credential.approle_auth_path == \
+ source_cred_hashi_secret.inputs["approle_auth_path"]
 assert cis.target_credential.name == tgt_cred.name
 assert cis.input_field_name == 'password'
 assert result['id'] == cis.pk

From 08c9219f48d850a10e25d541cd32dee1d4f3e416 Mon Sep 17 00:00:00 2001
From: Benoit Bayszczak
Date: Mon, 7 Sep 2020 14:40:30 +0200
Subject: [PATCH 6/6] rename 'approle_auth_path' to 'default_auth_path' & fix kwargs.get

---
 awx/main/credential_plugins/hashivault.py | 11 +++++------
 .../test/awx/test_credential_input_source.py | 4 +---
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py
index a61c80ecf4..82b34dd0ec 100644
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@@ -41,11 +41,12 @@ base_inputs = {
 'secret': True,
 'help_text': _('The Secret ID for AppRole Authentication')
 }, {
- 'id': 'approle_auth_path',
+ 'id': 'default_auth_path',
 'label': _('Path to Approle Auth'),
 'type': 'string',
 'multiline': False,
- 'help_text': _('The path where the AppRole Authentication method is mounted e.g, approle')
+ 'default': 'approle',
+ 'help_text': _('The AppRole Authentication path to use if one isn\'t provided in the metadata when linking to an input field. Defaults to \'approle\'')
 }
 ],
 'metadata': [{
@@ -126,10 +127,8 @@ def approle_auth(**kwargs):
 role_id = kwargs['role_id']
 secret_id = kwargs['secret_id']
 # we first try to use the 'auth_path' from the metadata
- # if not found we try to fetch the 'approle_auth_path' from inputs
- # if not found we use the default value 'approle'
- auth_path = \
- kwargs.get('auth_path', kwargs.get('approle_auth_path', "approle"))
+ # if not found we try to fetch the 'default_auth_path' from inputs
+ auth_path = kwargs.get('auth_path') or kwargs['default_auth_path']
 url = urljoin(kwargs['url'], 'v1')
 cacert = kwargs.get('cacert', None)
diff --git a/awx_collection/test/awx/test_credential_input_source.py b/awx_collection/test/awx/test_credential_input_source.py
index 96d768275e..703ad4adb3 100644
--- a/awx_collection/test/awx/test_credential_input_source.py
+++ b/awx_collection/test/awx/test_credential_input_source.py
@@ -123,7 +123,7 @@ def source_cred_hashi_secret(organization):
 "token": "myApiKey",
 "role_id": "role",
 "secret_id": "secret",
- "approle_auth_path": "path-to-approle"
+ "default_auth_path": "path-to-approle"
 }
 )
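Review bot: `auth_path = kwargs.get('auth_path') or kwargs['default_auth_path']` in the `approle_auth` hunk raises KeyError for a credential whose stored inputs predate the new `default_auth_path` field, unless the caller materialises the declared `'default': 'approle'` into kwargs for absent inputs, which this hunk does not show. The pre-series form degraded to `'approle'` in that case, so an existing Vault-backed credential could stop authenticating after upgrade. Suggest `auth_path = kwargs.get('auth_path') or kwargs.get('default_auth_path') or 'approle'` so the fallback does not depend on how the input default is applied; keeping `or` rather than `.get(..., default)` also lets an empty-string `auth_path` from metadata fall through, as before. The body of `approle_auth` continues outside the hunk.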
@@ -158,8 +158,6 @@ def test_hashi_secret_credential_source(run_module, admin_user, organization, so
 assert cis.metadata['secret_backend'] == "backend"
 assert cis.metadata['secret_key'] == "a_key"
 assert cis.source_credential.name == source_cred_hashi_secret.name
- assert cis.source_credential.approle_auth_path == \
- source_cred_hashi_secret.inputs["approle_auth_path"]
 assert cis.target_credential.name == tgt_cred.name
 assert cis.input_field_name == 'password'
 assert result['id'] == cis.pk
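Review bot: Dropping the assertion without a replacement leaves the fixture's `default_auth_path` value (set to `path-to-approle` in the previous hunk) unchecked, and no test in this file exercises the fallback path in `approle_auth` where `auth_path` is absent from metadata. The removed lines already read the fixture through `.inputs[...]`, so a one-line check on the stored credential works, assuming non-secret inputs are stored in plaintext: `assert cis.source_credential.inputs['default_auth_path'] == 'path-to-approle'`. `test_hashi_secret_credential_source` starts outside the hunk.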