add credential plugin system and minimal working hashivault

2026-05-19 23:07:42 -02:30 · 2019-01-21 18:20:24 -05:00
parent 6e2c04e16c
commit c209955400
17 changed files with 453 additions and 4 deletions
--- a/awx/main/credential_plugins/init.py
+++ b/awx/main/credential_plugins/init.py
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@@ -0,0 +1,48 @@
+from .plugin import CredentialPlugin
+
+from hvac import Client
+
+
+hashi_inputs = {
+    'fields': [{
+        'id': 'url',
+        'label': 'Hashivault Server URL',
+        'type': 'string',
+        'help_text': 'The Hashivault server url.'
+    }, {
+        'id': 'secret_path',
+        'label': 'Secret Path',
+        'type': 'string',
+        'help_text': 'The path to the secret.'
+    }, {
+        'id': 'secret_field',
+        'label': 'Secret Field',
+        'type': 'string',
+        'help_text': 'The data field to access on the secret.'
+    }, {
+        'id': 'token',
+        'label': 'Token',
+        'type': 'string',
+        'secret': True,
+        'help_text': 'An access token for the Hashivault server.'
+    }],
+    'required': ['url', 'secret_path', 'token'],
+}
+
+
+def hashi_backend(**kwargs):
+    token = kwargs.get('token')
+    url = kwargs.get('url')
+    secret_path = kwargs.get('secret_path')
+    secret_field = kwargs.get('secret_field', None)
+    verify = kwargs.get('verify', False)
+
+    client = Client(url=url, token=token, verify=verify)
+    response = client.read(secret_path)
+
+    if secret_field:
+        return response['data'][secret_field]
+    return response['data']
+
+
+hashivault_plugin = CredentialPlugin('Hashivault', inputs=hashi_inputs, backend=hashi_backend)
--- a/awx/main/credential_plugins/plugin.py
+++ b/awx/main/credential_plugins/plugin.py
@@ -0,0 +1,3 @@
+from collections import namedtuple
+
+CredentialPlugin = namedtuple('CredentialPlugin', ['name', 'inputs', 'backend'])
--- a/awx/main/management/commands/setup_managed_credential_types.py
+++ b/awx/main/management/commands/setup_managed_credential_types.py
@@ -0,0 +1,14 @@
+# Copyright (c) 2019 Ansible by Red Hat
+# All Rights Reserved.
+
+from django.core.management.base import BaseCommand
+
+from awx.main.models import CredentialType
+
+
+class Command(BaseCommand):
+
+    help = 'Load default managed credential types.'
+
+    def handle(self, *args, **options):
+        CredentialType.setup_tower_managed_defaults()
--- a/awx/main/migrations/0067_v350_credential_plugins.py
+++ b/awx/main/migrations/0067_v350_credential_plugins.py
@@ -0,0 +1,51 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import taggit.managers
+
+# AWX
+from awx.main.models import CredentialType
+
+
+def setup_tower_managed_defaults(apps, schema_editor):
+    CredentialType.setup_tower_managed_defaults()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('taggit', '0002_auto_20150616_2121'),
+        ('main', '0066_v350_inventorysource_custom_virtualenv'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='CredentialInputSource',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('created', models.DateTimeField(default=None, editable=False)),
+                ('modified', models.DateTimeField(default=None, editable=False)),
+                ('description', models.TextField(blank=True, default='')),
+                ('input_field_name', models.CharField(max_length=1024)),
+                ('created_by', models.ForeignKey(default=None, editable=False, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name="{'class': 'credentialinputsource', 'model_name': 'credentialinputsource', 'app_label': 'main'}(class)s_created+", to=settings.AUTH_USER_MODEL)),
+                ('modified_by', models.ForeignKey(default=None, editable=False, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name="{'class': 'credentialinputsource', 'model_name': 'credentialinputsource', 'app_label': 'main'}(class)s_modified+", to=settings.AUTH_USER_MODEL)),
+                ('source_credential', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, related_name='target_input_source', to='main.Credential')),
+                ('tags', taggit.managers.TaggableManager(blank=True, help_text='A comma-separated list of tags.', through='taggit.TaggedItem', to='taggit.Tag', verbose_name='Tags')),
+                ('target_credential', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, related_name='input_source', to='main.Credential')),
+            ],
+        ),
+        migrations.AlterField(
+            model_name='credentialtype',
+            name='kind',
+            field=models.CharField(choices=[('ssh', 'Machine'), ('vault', 'Vault'), ('net', 'Network'), ('scm', 'Source Control'), ('cloud', 'Cloud'), ('insights', 'Insights'), ('external', 'External')], max_length=32),
+        ),
+        migrations.AlterUniqueTogether(
+            name='credentialinputsource',
+            unique_together=set([('target_credential', 'input_field_name')]),
+        ),
+        migrations.RunPython(setup_tower_managed_defaults),
+    ]
--- a/awx/main/models/init.py
+++ b/awx/main/models/init.py
@@ -16,7 +16,7 @@ from awx.main.models.organization import (  # noqa
    Organization, Profile, Team, UserSessionMembership
 )
 from awx.main.models.credential import (  # noqa
-    Credential, CredentialType, ManagedCredentialType, V1Credential, build_safe_env
+    Credential, CredentialType, CredentialInputSource, ManagedCredentialType, V1Credential, build_safe_env
 )
 from awx.main.models.projects import Project, ProjectUpdate  # noqa
 from awx.main.models.inventory import (  # noqa
--- a/awx/main/models/credential/init.py
+++ b/awx/main/models/credential/init.py
@@ -4,6 +4,7 @@ import functools
 import inspect
 import logging
 import os
+from pkg_resources import iter_entry_points
 import re
 import stat
 import tempfile
@@ -26,7 +27,11 @@ from awx.main.fields import (ImplicitRoleField, CredentialInputField,
 from awx.main.utils import decrypt_field, classproperty
 from awx.main.utils.safe_yaml import safe_dump
 from awx.main.validators import validate_ssh_private_key
-from awx.main.models.base import CommonModelNameNotUnique, PasswordFieldsModel
+from awx.main.models.base import (
+    CommonModelNameNotUnique,
+    PasswordFieldsModel,
+    PrimordialModel
+)
 from awx.main.models.mixins import ResourceMixin
 from awx.main.models.rbac import (
    ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
@@ -35,9 +40,10 @@ from awx.main.models.rbac import (
 from awx.main.utils import encrypt_field
 from . import injectors as builtin_injectors

-__all__ = ['Credential', 'CredentialType', 'V1Credential', 'build_safe_env']
+__all__ = ['Credential', 'CredentialType', 'CredentialInputSource', 'V1Credential', 'build_safe_env']

 logger = logging.getLogger('awx.main.models.credential')
+credential_plugins = [ep.load() for ep in iter_entry_points('awx.credential_plugins')]

 HIDDEN_PASSWORD = '**********'

@@ -220,7 +226,6 @@ class V1Credential(object):
    }


-
 class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
    '''
    A credential contains information about how to talk to a remote resource
@@ -275,6 +280,10 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
        'admin_role',
    ])

+    def __init__(self, *args, **kwargs):
+        super(Credential, self).__init__(*args, **kwargs)
+        self.dynamic_input_fields = self._get_dynamic_input_field_names()
+
    def __getattr__(self, item):
        if item != 'inputs':
            if item in V1Credential.FIELDS:
@@ -441,6 +450,8 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
        :param field_name(str):        The name of the input field.
        :param default(optional[str]): A default return value to use.
        """
+        if field_name in self.dynamic_input_fields:
+            return self._get_dynamic_input(field_name)
        if field_name in self.credential_type.secret_fields:
            try:
                return decrypt_field(self, field_name)
@@ -461,8 +472,18 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
        raise AttributeError(field_name)

    def has_input(self, field_name):
+        if field_name in self.dynamic_input_fields:
+            return True
        return field_name in self.inputs and self.inputs[field_name] not in ('', None)

+    def _get_dynamic_input_field_names(self):
+        input_sources = CredentialInputSource.objects.filter(target_credential=self)
+        return [obj.input_field_name for obj in input_sources]
+
+    def _get_dynamic_input(self, field_name):
+        input_sources = CredentialInputSource.objects.filter(target_credential=self)
+        return input_sources.filter(input_field_name=field_name).first().get_input_value()
+

 class CredentialType(CommonModelNameNotUnique):
    '''
@@ -484,6 +505,7 @@ class CredentialType(CommonModelNameNotUnique):
        ('scm', _('Source Control')),
        ('cloud', _('Cloud')),
        ('insights', _('Insights')),
+        ('external', _('External')),
    )

    kind = models.CharField(
@@ -583,6 +605,15 @@ class CredentialType(CommonModelNameNotUnique):
            created.inputs = created.injectors = {}
            created.save()

+    @classmethod
+    def load_plugin(cls, plugin):
+        ManagedCredentialType(
+            namespace=plugin.name.lower(),
+            name=plugin.name,
+            kind='external',
+            inputs=plugin.inputs
+        )
+
    @classmethod
    def from_v1_kind(cls, kind, data={}):
        match = None
@@ -1253,3 +1284,61 @@ ManagedCredentialType(
        }
    },
 )
+
+
+class CredentialInputSource(PrimordialModel):
+
+    class Meta:
+        app_label = 'main'
+        unique_together = (('target_credential', 'input_field_name'),)
+
+    target_credential = models.ForeignKey(
+        'Credential',
+        related_name='input_source',
+        on_delete=models.CASCADE,
+        null=True,
+    )
+    source_credential = models.ForeignKey(
+        'Credential',
+        related_name='target_input_source',
+        on_delete=models.CASCADE,
+        null=True,
+    )
+    input_field_name = models.CharField(
+        max_length=1024,
+    )
+
+    def clean_target_credential(self):
+        if self.target_credential.kind == 'external':
+            raise ValidationError(_('Target must be a non-external credential'))
+        return self.target_credential
+
+    def clean_source_credential(self):
+        if self.source_credential.kind != 'external':
+            raise ValidationError(_('Source must be an external credential'))
+        return self.source_credential
+
+    def clean_input_field_name(self):
+        if self.input_field_name not in self.target_credential.credential_type.defined_fields:
+            raise ValidationError(_('Input field must be defined on target credential.'))
+        return self.input_field_name
+
+    def save(self, *args, **kwargs):
+        self.full_clean()
+        super(CredentialInputSource, self).save(*args, **kwargs)
+
+    def get_input_value(self):
+        plugin_name = self.source_credential.credential_type.name
+        [backend] = [p.backend for p in credential_plugins if p.name == plugin_name]
+
+        backend_kwargs = {}
+        for field_name, value in self.source_credential.inputs.items():
+            if field_name in self.source_credential.credential_type.secret_fields:
+                backend_kwargs[field_name] = decrypt_field(self.source_credential, field_name)
+            else:
+                backend_kwargs[field_name] = value
+        return backend(**backend_kwargs)
+
+
+for plugin in credential_plugins:
+    CredentialType.load_plugin(plugin)
--- a/awx/main/tests/conftest.py
+++ b/awx/main/tests/conftest.py
@@ -4,6 +4,7 @@ import pytest
 from unittest import mock
 from contextlib import contextmanager

+from awx.main.models import Credential
 from awx.main.tests.factories import (
    create_organization,
    create_job_template,
@@ -139,3 +140,10 @@ def pytest_runtest_teardown(item, nextitem):
    # this is a local test cache, so we want every test to start with empty cache
    cache.clear()

+@pytest.fixture(scope='session', autouse=True)
+def mock_external_credential_input_sources():
+    # Credential objects query their related input sources on initialization.
+    # We mock that behavior out of credentials by default unless we need to
+    # test it explicitly.
+    with mock.patch.object(Credential, '_get_dynamic_input_field_names', new=lambda _: []) as _fixture:
+        yield _fixture
--- a/awx/main/tests/functional/test_credential.py
+++ b/awx/main/tests/functional/test_credential.py
@@ -79,6 +79,7 @@ def test_default_cred_types():
        'azure_rm',
        'cloudforms',
        'gce',
+        'hashivault',
        'insights',
        'net',
        'openstack',