diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py index c7582eadd6..a5ca93f82c 100644 --- a/awx/main/credential_plugins/hashivault.py +++ b/awx/main/credential_plugins/hashivault.py @@ -1,10 +1,11 @@ import copy import os import pathlib +from urllib.parse import urljoin from .plugin import CredentialPlugin -from hvac import Client +import requests base_inputs = { @@ -67,63 +68,65 @@ hashi_ssh_inputs['required'].extend(['role']) def kv_backend(raw, **kwargs): token = kwargs['token'] - url = kwargs['url'] + url = urljoin(kwargs['url'], 'v1') secret_path = kwargs['secret_path'] secret_key = kwargs.get('secret_key', None) api_version = kwargs['api_version'] - client = Client(url=url, token=token, verify=True) + sess = requests.Session() + sess.headers['Authorization'] = 'Bearer {}'.format(token) if api_version == 'v2': + params = {} + if kwargs.get('secret_version'): + params['version'] = kwargs['secret_version'] try: mount_point, *path = pathlib.Path(secret_path.lstrip(os.sep)).parts - os.path.join(*path) - response = client.secrets.kv.v2.read_secret_version( - mount_point=mount_point, - path=os.path.join(*path), - version=kwargs.get('secret_version', None) - )['data'] + '/'.join(*path) except Exception: - raise RuntimeError( - 'could not read secret {} from {}'.format(secret_path, url) - ) - else: - try: - response = client.read(secret_path) - except Exception: - raise RuntimeError( - 'could not read secret {} from {}'.format(secret_path, url) - ) - - if response is None: - raise RuntimeError( - 'could not read secret {} from {}'.format(secret_path, url) + mount_point, path = secret_path, [] + # https://www.vaultproject.io/api/secret/kv/kv-v2.html#read-secret-version + response = sess.get( + '/'.join([url, mount_point, 'data'] + path).rstrip('/'), + params=params ) + response.raise_for_status() + json = response.json()['data'] + else: + # https://www.vaultproject.io/api/secret/kv/kv-v1.html#read-secret + response = sess.get('/'.join([url, secret_path]).rstrip('/')) + response.raise_for_status() + json = response.json() if secret_key: try: - return response['data'][secret_key] + return json['data'][secret_key] except KeyError: raise RuntimeError( '{} is not present at {}'.format(secret_key, secret_path) ) - return response['data'] + return json['data'] def ssh_backend(raw, **kwargs): token = kwargs['token'] - url = kwargs['url'] + url = urljoin(kwargs['url'], 'v1') + secret_path = kwargs['secret_path'] + role = kwargs['role'] - client = Client(url=url, token=token, verify=True) + sess = requests.Session() + sess.headers['Authorization'] = 'Bearer {}'.format(token) json = { 'public_key': raw } if kwargs.get('valid_principals'): json['valid_principals'] = kwargs['valid_principals'] - resp = client._adapter.post( - '/v1/{}/sign/{}'.format(kwargs['secret_path'], kwargs['role']), - json=json, + # https://www.vaultproject.io/api/secret/ssh/index.html#sign-ssh-key + resp = sess.post( + '/'.join([url, secret_path, 'sign', role]).rstrip('/'), + json=json ) + resp.raise_for_status() return resp.json()['data']['signed_key'] diff --git a/docs/credential_plugins.md b/docs/credential_plugins.md index 3067bb6de2..15aa882e1b 100644 --- a/docs/credential_plugins.md +++ b/docs/credential_plugins.md @@ -173,3 +173,22 @@ def my_key_signer(unsigned_value_from_awx, **kwargs): public_data=unsigned_value_from_awx ) ``` + +Programmatic Secret Fetching +---------------------------- +If you want to programmatically fetch secrets from a supported external secret +management system (for example, if you wanted to compose an AWX database connection +string in `/etc/tower/conf.d/postgres.py` using an external system rather than +storing the password in plaintext on your disk), doing so is fairly easy: + +```python +from awx.main.credential_plugins import hashivault +hashivault.hashivault_kv_plugin.backend( + '', + url='https://hcv.example.org', + token='some-valid-token', + api_version='v2', + secret_path='/path/to/secret', + secret_key='dbpass' +) +``` diff --git a/docs/licenses/hvac.txt b/docs/licenses/hvac.txt deleted file mode 100644 index 8dada3edaf..0000000000 --- a/docs/licenses/hvac.txt +++ /dev/null @@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/requirements/requirements.in b/requirements/requirements.in index b9be785eae..0fa2258ebf 100644 --- a/requirements/requirements.in +++ b/requirements/requirements.in @@ -50,4 +50,3 @@ uWSGI==2.0.17 uwsgitop==0.10.0 pip==9.0.1 setuptools==36.0.1 -hvac==0.7.1 diff --git a/requirements/requirements.txt b/requirements/requirements.txt index fbc87110a1..7816cfe85c 100644 --- a/requirements/requirements.txt +++ b/requirements/requirements.txt @@ -45,7 +45,6 @@ django==1.11.16 djangorestframework-yaml==1.0.3 djangorestframework==3.7.7 future==0.16.0 # via django-radius -hvac==0.7.1 hyperlink==18.0.0 # via twisted idna==2.8 # via hyperlink, requests incremental==17.5.0 # via twisted