From d3d4ce3804d77cf2404cde139295b54f3be3b0c7 Mon Sep 17 00:00:00 2001
From: kawsark
Date: Fri, 6 Mar 2020 17:37:37 -0500
Subject: [PATCH 1/7] Modified hashivault.py to support approle

---
 awx/main/credential_plugins/hashivault.py | 63 +++++++++++++++++++++--
 1 file changed, 59 insertions(+), 4 deletions(-)

diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py
index c9caafba6b..41213f45cd 100644
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@@ -32,14 +32,33 @@ base_inputs = {
 'type': 'string',
 'multiline': True,
 'help_text': _('The CA certificate used to verify the SSL certificate of the Vault server')
- }],
+ }, {
+ 'id': 'role_id',
+ 'label': _('AppRole role_id'),
+ 'type': 'string',
+ 'multiline': False,
+ 'help_text': _('The Role ID for AppRole Authentication')
+ }, {
+ 'id': 'secret_id',
+ 'label': _('AppRole secret_id'),
+ 'type': 'string',
+ 'multiline': False,
+ 'secret': True,
+ 'help_text': _('The Secret ID for AppRole Authentication')
+ }
+ ],
 'metadata': [{
 'id': 'secret_path',
 'label': _('Path to Secret'),
 'type': 'string',
 'help_text': _('The path to the secret stored in the secret backend e.g, /some/secret/')
+ },{
+ 'id': 'auth_path',
+ 'label': _('Path to Auth'),
+ 'type': 'string',
+ 'help_text': _('The path where the Authentication method is mounted e.g, approle')
 }],
- 'required': ['url', 'token', 'secret_path'],
+ 'required': ['url', 'secret_path'],
 }
 
 hashi_kv_inputs = copy.deepcopy(base_inputs)
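Review bot: `'required': ['url', 'secret_path']` drops `token` without adding any replacement constraint, so a credential saved with neither a token nor `role_id`/`secret_id` passes schema validation and only fails later, at lookup time, inside handle_auth. The schema cannot express a one-of rule, so the help texts should carry it instead: `'help_text': _('The Role ID for AppRole Authentication; used only when no token is supplied')`, the matching wording on `secret_id`, and a sentence on the existing `token` input (outside this hunk) saying that it is checked first and wins when set. The new `auth_path` help text repeats the `e.g,` typo from the `secret_path` entry above it; `e.g.` on the added line is the cheap fix.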
@@ -87,9 +106,45 @@ hashi_ssh_inputs['metadata'] = [{
 }]
 hashi_ssh_inputs['required'].extend(['public_key', 'role'])
 
+def handle_auth(**kwargs):
+ result = None
+
+ if bool(kwargs.get('token')):
+ result = kwargs['token']
+ else:
+ if bool(kwargs.get('role_id')) and bool(kwargs.get('secret_id')):
+ result = approle_auth(**kwargs)
+ else:
+ raise Exception('Either Vault token or Auth parameters must be set')
+
+ return result
+
+def approle_auth(**kwargs):
+ role_id = kwargs['role_id']
+ secret_id = kwargs['secret_id']
+ auth_path = "approle"
+
+ if bool(kwargs.get('auth_path')):
+ auth_path = kwargs.get('auth_path', "approle")
+
+ url = urljoin(kwargs['url'], 'v1')
+ cacert = kwargs.get('cacert', None)
+
+ request_kwargs = {'timeout': 30}
+ if cacert:
+ request_kwargs['verify'] = create_temporary_fifo(cacert.encode())
+
+ # AppRole Login
+ request_kwargs['json'] = {'role_id': role_id, 'secret_id': secret_id}
+ sess = requests.Session()
+ request_url = '/'.join([url, 'auth', auth_path, 'login']).rstrip('/')
+ resp = sess.post(request_url, **request_kwargs)
+ resp.raise_for_status()
+ token = resp.json()['auth']['client_token']
+ return token
 
 def kv_backend(**kwargs):
- token = kwargs['token']
+ token = handle_auth(**kwargs)
 url = kwargs['url']
 secret_path = kwargs['secret_path']
 secret_backend = kwargs.get('secret_backend', None)
@@ -144,7 +199,7 @@ def kv_backend(**kwargs):
 
 
 def ssh_backend(**kwargs):
- token = kwargs['token']
+ token = handle_auth(**kwargs)
 url = urljoin(kwargs['url'], 'v1')
 secret_path = kwargs['secret_path']
 role = kwargs['role']

From 9fdd9061d3f7dd5bc63f77dd5e5f54283574d508 Mon Sep 17 00:00:00 2001
From: Pierre-Louis Bonicoli
Date: Wed, 11 Mar 2020 17:20:18 +0100
Subject: [PATCH 2/7] Remove extraneous call to bool built-in function

---
 awx/main/credential_plugins/hashivault.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
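Review bot: approle_auth logs in afresh on every credential lookup and nothing in this hunk revokes the `client_token` it returns once kv_backend (or ssh_backend) has used it, so each lookup appears to leave an extra live token in Vault until its TTL expires; if the AppRole's secret_id was issued with a limited number of uses, each lookup also consumes one, which the inputs' help text should mention. `raise Exception('Either Vault token or Auth parameters must be set')` in handle_auth should be `raise ValueError(...)` so a misconfigured credential is distinguishable from the transport and HTTP errors that `resp.raise_for_status()` raises; the hunk of [PATCH 5/7] rewrites the same line and keeps the bare `Exception`. Both new functions also lack docstrings: handle_auth's should say that a non-empty `token` wins over the AppRole inputs and that the result is the Vault token used for the lookup, and approle_auth's that it POSTs `role_id`/`secret_id` to `v1/auth/<auth_path>/login`, with `auth_path` defaulting to `approle`, and returns the issued `client_token`. kv_backend's body continues outside the hunk.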
diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py
index 41213f45cd..dccc6b30ae 100644
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@@ -109,10 +109,10 @@ hashi_ssh_inputs['required'].extend(['public_key', 'role'])
 def handle_auth(**kwargs):
 result = None
 
- if bool(kwargs.get('token')):
+ if kwargs.get('token'):
 result = kwargs['token']
 else:
- if bool(kwargs.get('role_id')) and bool(kwargs.get('secret_id')):
+ if kwargs.get('role_id') and kwargs.get('secret_id'):
 result = approle_auth(**kwargs)
 else:
 raise Exception('Either Vault token or Auth parameters must be set')
@@ -124,7 +124,7 @@ def approle_auth(**kwargs):
 secret_id = kwargs['secret_id']
 auth_path = "approle"
 
- if bool(kwargs.get('auth_path')):
+ if kwargs.get('auth_path'):
 auth_path = kwargs.get('auth_path', "approle")
 
 url = urljoin(kwargs['url'], 'v1')

From 9d85e8655dff554acec7c0b29796547ebb01122a Mon Sep 17 00:00:00 2001
From: Pierre-Louis Bonicoli
Date: Wed, 11 Mar 2020 17:21:46 +0100
Subject: [PATCH 3/7] Both methods return a token: rename variable

---
 awx/main/credential_plugins/hashivault.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py
index dccc6b30ae..0736ccc4f1 100644
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@@ -107,17 +107,17 @@ hashi_ssh_inputs['metadata'] = [{
 hashi_ssh_inputs['required'].extend(['public_key', 'role'])
 
 def handle_auth(**kwargs):
- result = None
+ token = None
 
 if kwargs.get('token'):
- result = kwargs['token']
+ token = kwargs['token']
 else:
 if kwargs.get('role_id') and kwargs.get('secret_id'):
- result = approle_auth(**kwargs)
+ token = approle_auth(**kwargs)
 else:
 raise Exception('Either Vault token or Auth parameters must be set')
 
- return result
+ return token
 
 def approle_auth(**kwargs):
 role_id = kwargs['role_id']

From 139384acc48fc0811a082c16fc516edab96a16c6 Mon Sep 17 00:00:00 2001
From: Pierre-Louis Bonicoli
Date: Wed, 11 Mar 2020 17:22:43 +0100
Subject: [PATCH 4/7] Simplify test branches

---
 awx/main/credential_plugins/hashivault.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py
index 0736ccc4f1..c428ee61a0 100644
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@@ -111,10 +111,9 @@ def handle_auth(**kwargs):
 
 if kwargs.get('token'):
 token = kwargs['token']
- else:
- if kwargs.get('role_id') and kwargs.get('secret_id'):
+ elif kwargs.get('role_id') and kwargs.get('secret_id'):
 token = approle_auth(**kwargs)
- else:
+ else:
 raise Exception('Either Vault token or Auth parameters must be set')
 
 return token

From fdae3cd0929c3b8104f9982c8e5c8cf11783b628 Mon Sep 17 00:00:00 2001
From: Pierre-Louis Bonicoli
Date: Wed, 11 Mar 2020 17:25:39 +0100
Subject: [PATCH 5/7] Explicitly references AppRole

---
 awx/main/credential_plugins/hashivault.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py
index c428ee61a0..e1370e00b9 100644
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
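Review bot: `+ token = None` is a dead initializer: every path below it either assigns `token` or raises, so the `None` is never observed, and this rename carries it along unchanged. Either drop that line and keep `return token`, or return from each branch directly and drop both. The `elif` rewrite in the [PATCH 4/7] hunk below leaves the same line in place.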
@@ -114,7 +114,7 @@ def handle_auth(**kwargs):
 elif kwargs.get('role_id') and kwargs.get('secret_id'):
 token = approle_auth(**kwargs)
 else:
- raise Exception('Either Vault token or Auth parameters must be set')
+ raise Exception('Either token or AppRole parameters must be set')
 
 return token
 

From d8ac2f52639a4ec1c99636c139eb0a0b6bf1ead6 Mon Sep 17 00:00:00 2001
From: Pierre-Louis Bonicoli
Date: Wed, 11 Mar 2020 17:28:03 +0100
Subject: [PATCH 6/7] Avoid to repeat default value

---
 awx/main/credential_plugins/hashivault.py | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py
index e1370e00b9..c207acf941 100644
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@@ -121,10 +121,7 @@ def handle_auth(**kwargs):
 def approle_auth(**kwargs):
 role_id = kwargs['role_id']
 secret_id = kwargs['secret_id']
- auth_path = "approle"
-
- if kwargs.get('auth_path'):
- auth_path = kwargs.get('auth_path', "approle")
+ auth_path = kwargs.get('auth_path') or 'approle'
 
 url = urljoin(kwargs['url'], 'v1')
 cacert = kwargs.get('cacert', None)

From f9d5860d6332a93a49439f9ebcf4dc50eacd664b Mon Sep 17 00:00:00 2001
From: Pierre-Louis Bonicoli
Date: Wed, 11 Mar 2020 17:30:07 +0100
Subject: [PATCH 7/7] Fix pylint errors

---
 awx/main/credential_plugins/hashivault.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py
index c207acf941..a4bae17ac3 100644
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@@ -106,6 +106,7 @@ hashi_ssh_inputs['metadata'] = [{
 }]
 hashi_ssh_inputs['required'].extend(['public_key', 'role'])
 
+
 def handle_auth(**kwargs):
 token = None
 
@@ -118,6 +119,7 @@ def handle_auth(**kwargs):
 
 return token
 
+
 def approle_auth(**kwargs):
 role_id = kwargs['role_id']
 secret_id = kwargs['secret_id']
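Review bot: `auth_path = kwargs.get('auth_path') or 'approle'` splices a user-entered mount path into the login URL unchanged, so a value typed with a leading or trailing slash (e.g. `/approle/`) yields `.../auth//approle//login`, and the `.rstrip('/')` applied to `request_url` (outside this hunk) only trims the end of the string. Normalising the value where it is read keeps the request on the intended mount: `auth_path = (kwargs.get('auth_path') or 'approle').strip('/')`. approle_auth's body continues outside the hunk.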
@@ -139,6 +141,7 @@ def approle_auth(**kwargs):
 token = resp.json()['auth']['client_token']
 return token
 
+
 def kv_backend(**kwargs):
 token = handle_auth(**kwargs)
 url = kwargs['url']