add credential plugin system and minimal working hashivault

Makefile

@@ -575,6 +575,9 @@ docker-compose: docker-auth
 docker-compose-cluster: docker-auth
 	CURRENT_UID=$(shell id -u) TAG=$(COMPOSE_TAG) DEV_DOCKER_TAG_BASE=$(DEV_DOCKER_TAG_BASE) docker-compose -f tools/docker-compose-cluster.yml up
 
+docker-compose-hashivault: docker-auth
+	CURRENT_UID=$(shell id -u) TAG=$(COMPOSE_TAG) DEV_DOCKER_TAG_BASE=$(DEV_DOCKER_TAG_BASE) docker-compose -f tools/docker-compose.yml -f tools/docker-hashivault-override.yml up --no-recreate awx
+
 docker-compose-test: docker-auth
 	cd tools && CURRENT_UID=$(shell id -u) TAG=$(COMPOSE_TAG) DEV_DOCKER_TAG_BASE=$(DEV_DOCKER_TAG_BASE) docker-compose run --rm --service-ports awx /bin/bash
 

awx/main/credential_plugins/hashivault.py

@@ -0,0 +1,48 @@
+from .plugin import CredentialPlugin
+
+from hvac import Client
+
+
+hashi_inputs = {
+    'fields': [{
+        'id': 'url',
+        'label': 'Hashivault Server URL',
+        'type': 'string',
+        'help_text': 'The Hashivault server url.'
+    }, {
+        'id': 'secret_path',
+        'label': 'Secret Path',
+        'type': 'string',
+        'help_text': 'The path to the secret.'
+    }, {
+        'id': 'secret_field',
+        'label': 'Secret Field',
+        'type': 'string',
+        'help_text': 'The data field to access on the secret.'
+    }, {
+        'id': 'token',
+        'label': 'Token',
+        'type': 'string',
+        'secret': True,
+        'help_text': 'An access token for the Hashivault server.'
+    }],
+    'required': ['url', 'secret_path', 'token'],
+}
+
+
+def hashi_backend(**kwargs):
+    token = kwargs.get('token')
+    url = kwargs.get('url')
+    secret_path = kwargs.get('secret_path')
+    secret_field = kwargs.get('secret_field', None)
+    verify = kwargs.get('verify', False)
+
+    client = Client(url=url, token=token, verify=verify)
+    response = client.read(secret_path)
+
+    if secret_field:
+        return response['data'][secret_field]
+    return response['data']
+
+
+hashivault_plugin = CredentialPlugin('Hashivault', inputs=hashi_inputs, backend=hashi_backend)

awx/main/credential_plugins/plugin.py

@@ -0,0 +1,3 @@
+from collections import namedtuple
+
+CredentialPlugin = namedtuple('CredentialPlugin', ['name', 'inputs', 'backend'])

awx/main/management/commands/setup_managed_credential_types.py

@@ -0,0 +1,14 @@
+# Copyright (c) 2019 Ansible by Red Hat
+# All Rights Reserved.
+
+from django.core.management.base import BaseCommand
+
+from awx.main.models import CredentialType
+
+
+class Command(BaseCommand):
+
+    help = 'Load default managed credential types.'
+
+    def handle(self, *args, **options):
+        CredentialType.setup_tower_managed_defaults()

awx/main/migrations/0067_v350_credential_plugins.py

@@ -0,0 +1,51 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import taggit.managers
+
+# AWX
+from awx.main.models import CredentialType
+
+
+def setup_tower_managed_defaults(apps, schema_editor):
+    CredentialType.setup_tower_managed_defaults()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('taggit', '0002_auto_20150616_2121'),
+        ('main', '0066_v350_inventorysource_custom_virtualenv'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='CredentialInputSource',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('created', models.DateTimeField(default=None, editable=False)),
+                ('modified', models.DateTimeField(default=None, editable=False)),
+                ('description', models.TextField(blank=True, default='')),
+                ('input_field_name', models.CharField(max_length=1024)),
+                ('created_by', models.ForeignKey(default=None, editable=False, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name="{'class': 'credentialinputsource', 'model_name': 'credentialinputsource', 'app_label': 'main'}(class)s_created+", to=settings.AUTH_USER_MODEL)),
+                ('modified_by', models.ForeignKey(default=None, editable=False, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name="{'class': 'credentialinputsource', 'model_name': 'credentialinputsource', 'app_label': 'main'}(class)s_modified+", to=settings.AUTH_USER_MODEL)),
+                ('source_credential', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, related_name='target_input_source', to='main.Credential')),
+                ('tags', taggit.managers.TaggableManager(blank=True, help_text='A comma-separated list of tags.', through='taggit.TaggedItem', to='taggit.Tag', verbose_name='Tags')),
+                ('target_credential', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, related_name='input_source', to='main.Credential')),
+            ],
+        ),
+        migrations.AlterField(
+            model_name='credentialtype',
+            name='kind',
+            field=models.CharField(choices=[('ssh', 'Machine'), ('vault', 'Vault'), ('net', 'Network'), ('scm', 'Source Control'), ('cloud', 'Cloud'), ('insights', 'Insights'), ('external', 'External')], max_length=32),
+        ),
+        migrations.AlterUniqueTogether(
+            name='credentialinputsource',
+            unique_together=set([('target_credential', 'input_field_name')]),
+        ),
+        migrations.RunPython(setup_tower_managed_defaults),
+    ]

awx/main/models/__init__.py

@@ -16,7 +16,7 @@ from awx.main.models.organization import (  # noqa
     Organization, Profile, Team, UserSessionMembership
 )
 from awx.main.models.credential import (  # noqa
-    Credential, CredentialType, ManagedCredentialType, V1Credential, build_safe_env
+    Credential, CredentialType, CredentialInputSource, ManagedCredentialType, V1Credential, build_safe_env
 )
 from awx.main.models.projects import Project, ProjectUpdate  # noqa
 from awx.main.models.inventory import (  # noqa

awx/main/models/credential/__init__.py

@@ -4,6 +4,7 @@ import functools
 import inspect
 import logging
 import os
+from pkg_resources import iter_entry_points
 import re
 import stat
 import tempfile
@@ -26,7 +27,11 @@ from awx.main.fields import (ImplicitRoleField, CredentialInputField,
 from awx.main.utils import decrypt_field, classproperty
 from awx.main.utils.safe_yaml import safe_dump
 from awx.main.validators import validate_ssh_private_key
-from awx.main.models.base import CommonModelNameNotUnique, PasswordFieldsModel
+from awx.main.models.base import (
+    CommonModelNameNotUnique,
+    PasswordFieldsModel,
+    PrimordialModel
+)
 from awx.main.models.mixins import ResourceMixin
 from awx.main.models.rbac import (
     ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
@@ -35,9 +40,10 @@ from awx.main.models.rbac import (
 from awx.main.utils import encrypt_field
 from . import injectors as builtin_injectors
 
-__all__ = ['Credential', 'CredentialType', 'V1Credential', 'build_safe_env']
+__all__ = ['Credential', 'CredentialType', 'CredentialInputSource', 'V1Credential', 'build_safe_env']
 
 logger = logging.getLogger('awx.main.models.credential')
+credential_plugins = [ep.load() for ep in iter_entry_points('awx.credential_plugins')]
 
 HIDDEN_PASSWORD = '**********'
 
@@ -220,7 +226,6 @@ class V1Credential(object):
     }
 
 
-
 class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
     '''
     A credential contains information about how to talk to a remote resource
@@ -275,6 +280,10 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
         'admin_role',
     ])
 
+    def __init__(self, *args, **kwargs):
+        super(Credential, self).__init__(*args, **kwargs)
+        self.dynamic_input_fields = self._get_dynamic_input_field_names()
+
     def __getattr__(self, item):
         if item != 'inputs':
             if item in V1Credential.FIELDS:
@@ -441,6 +450,8 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
         :param field_name(str):        The name of the input field.
         :param default(optional[str]): A default return value to use.
         """
+        if field_name in self.dynamic_input_fields:
+            return self._get_dynamic_input(field_name)
         if field_name in self.credential_type.secret_fields:
             try:
                 return decrypt_field(self, field_name)
@@ -461,8 +472,18 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
         raise AttributeError(field_name)
 
     def has_input(self, field_name):
+        if field_name in self.dynamic_input_fields:
+            return True
         return field_name in self.inputs and self.inputs[field_name] not in ('', None)
 
+    def _get_dynamic_input_field_names(self):
+        input_sources = CredentialInputSource.objects.filter(target_credential=self)
+        return [obj.input_field_name for obj in input_sources]
+
+    def _get_dynamic_input(self, field_name):
+        input_sources = CredentialInputSource.objects.filter(target_credential=self)
+        return input_sources.filter(input_field_name=field_name).first().get_input_value()
+
 
 class CredentialType(CommonModelNameNotUnique):
     '''
@@ -484,6 +505,7 @@ class CredentialType(CommonModelNameNotUnique):
         ('scm', _('Source Control')),
         ('cloud', _('Cloud')),
         ('insights', _('Insights')),
+        ('external', _('External')),
     )
 
     kind = models.CharField(
@@ -583,6 +605,15 @@ class CredentialType(CommonModelNameNotUnique):
             created.inputs = created.injectors = {}
             created.save()
 
+    @classmethod
+    def load_plugin(cls, plugin):
+        ManagedCredentialType(
+            namespace=plugin.name.lower(),
+            name=plugin.name,
+            kind='external',
+            inputs=plugin.inputs
+        )
+
     @classmethod
     def from_v1_kind(cls, kind, data={}):
         match = None
@@ -1253,3 +1284,61 @@ ManagedCredentialType(
         }
     },
 )
+
+
+class CredentialInputSource(PrimordialModel):
+
+    class Meta:
+        app_label = 'main'
+        unique_together = (('target_credential', 'input_field_name'),)
+
+    target_credential = models.ForeignKey(
+        'Credential',
+        related_name='input_source',
+        on_delete=models.CASCADE,
+        null=True,
+    )
+    source_credential = models.ForeignKey(
+        'Credential',
+        related_name='target_input_source',
+        on_delete=models.CASCADE,
+        null=True,
+    )
+    input_field_name = models.CharField(
+        max_length=1024,
+    )
+
+    def clean_target_credential(self):
+        if self.target_credential.kind == 'external':
+            raise ValidationError(_('Target must be a non-external credential'))
+        return self.target_credential
+
+    def clean_source_credential(self):
+        if self.source_credential.kind != 'external':
+            raise ValidationError(_('Source must be an external credential'))
+        return self.source_credential
+
+    def clean_input_field_name(self):
+        if self.input_field_name not in self.target_credential.credential_type.defined_fields:
+            raise ValidationError(_('Input field must be defined on target credential.'))
+        return self.input_field_name
+
+    def save(self, *args, **kwargs):
+        self.full_clean()
+        super(CredentialInputSource, self).save(*args, **kwargs)
+
+    def get_input_value(self):
+        plugin_name = self.source_credential.credential_type.name
+        [backend] = [p.backend for p in credential_plugins if p.name == plugin_name]
+
+        backend_kwargs = {}
+        for field_name, value in self.source_credential.inputs.items():
+            if field_name in self.source_credential.credential_type.secret_fields:
+                backend_kwargs[field_name] = decrypt_field(self.source_credential, field_name)
+            else:
+                backend_kwargs[field_name] = value
+        return backend(**backend_kwargs)
+
+
+for plugin in credential_plugins:
+    CredentialType.load_plugin(plugin)

awx/main/tests/conftest.py

@@ -4,6 +4,7 @@ import pytest
 from unittest import mock
 from contextlib import contextmanager
 
+from awx.main.models import Credential
 from awx.main.tests.factories import (
     create_organization,
     create_job_template,
@@ -139,3 +140,10 @@ def pytest_runtest_teardown(item, nextitem):
     # this is a local test cache, so we want every test to start with empty cache
     cache.clear()
 
+@pytest.fixture(scope='session', autouse=True)
+def mock_external_credential_input_sources():
+    # Credential objects query their related input sources on initialization.
+    # We mock that behavior out of credentials by default unless we need to
+    # test it explicitly.
+    with mock.patch.object(Credential, '_get_dynamic_input_field_names', new=lambda _: []) as _fixture:
+        yield _fixture

awx/main/tests/functional/test_credential.py

@@ -79,6 +79,7 @@ def test_default_cred_types():
         'azure_rm',
         'cloudforms',
         'gce',
+        'hashivault',
         'insights',
         'net',
         'openstack',

docs/credential_plugins.md

@@ -0,0 +1,9 @@
+Credential Plugins
+================================
+### Development
+```shell
+# The vault server will be available at localhost:8200.
+# From within the awx container, the vault server is reachable at hashivault:8200.
+# See docker-hashivault-override.yml for the development root token.
+make docker-compose-hashivault
+```

docs/licenses/hvac.txt

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

requirements/requirements.in

@@ -49,3 +49,4 @@ uWSGI==2.0.17
 uwsgitop==0.10.0
 pip==9.0.1
 setuptools==36.0.1
+hvac==0.7.1

requirements/requirements.txt

@@ -39,6 +39,7 @@ django==1.11.16
 djangorestframework-yaml==1.0.3
 djangorestframework==3.7.7
 future==0.16.0            # via django-radius
+hvac==0.7.1
 hyperlink==18.0.0         # via twisted
 idna==2.8                 # via hyperlink
 incremental==17.5.0       # via twisted

setup.py

@@ -114,6 +114,9 @@ setup(
         'console_scripts': [
             'awx-manage = awx:manage',
         ],
+        'awx.credential_plugins': [
+            'hashivault = awx.main.credential_plugins.hashivault:hashivault_plugin',
+        ]
     },
     data_files = proc_data_files([
         ("%s" % homedir,        ["config/wsgi.py",

tools/docker-compose/awx.egg-info/entry_points.txt

@@ -2,3 +2,5 @@
 tower-manage = awx:manage
 awx-manage = awx:manage
 
+[awx.credential_plugins]
+hashivault = awx.main.credential_plugins.hashivault:hashivault_plugin

tools/docker-hashivault-override.yml

@@ -0,0 +1,15 @@
+version: '2'
+services:
+  # Primary Tower Development Container link
+  awx:
+    links:
+      - hashivault
+  hashivault:
+    image: vault:1.0.1
+    container_name: tools_hashivault_1
+    ports:
+      - '8200:8200'
+    cap_add:
+      - IPC_LOCK
+    environment:
+      VAULT_DEV_ROOT_TOKEN_ID: 'vaultdev'