add credential plugin system and minimal working hashivault

This commit is contained in:
Jake McDermott
2019-01-21 18:20:24 -05:00
parent 6e2c04e16c
commit c209955400
17 changed files with 453 additions and 4 deletions

View File

@@ -4,6 +4,7 @@ import functools
import inspect
import logging
import os
from pkg_resources import iter_entry_points
import re
import stat
import tempfile
@@ -26,7 +27,11 @@ from awx.main.fields import (ImplicitRoleField, CredentialInputField,
from awx.main.utils import decrypt_field, classproperty
from awx.main.utils.safe_yaml import safe_dump
from awx.main.validators import validate_ssh_private_key
from awx.main.models.base import CommonModelNameNotUnique, PasswordFieldsModel
from awx.main.models.base import (
CommonModelNameNotUnique,
PasswordFieldsModel,
PrimordialModel
)
from awx.main.models.mixins import ResourceMixin
from awx.main.models.rbac import (
ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
@@ -35,9 +40,10 @@ from awx.main.models.rbac import (
from awx.main.utils import encrypt_field
from . import injectors as builtin_injectors
__all__ = ['Credential', 'CredentialType', 'V1Credential', 'build_safe_env']
__all__ = ['Credential', 'CredentialType', 'CredentialInputSource', 'V1Credential', 'build_safe_env']
logger = logging.getLogger('awx.main.models.credential')
credential_plugins = [ep.load() for ep in iter_entry_points('awx.credential_plugins')]
HIDDEN_PASSWORD = '**********'
@@ -220,7 +226,6 @@ class V1Credential(object):
}
class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
'''
A credential contains information about how to talk to a remote resource
@@ -275,6 +280,10 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
'admin_role',
])
def __init__(self, *args, **kwargs):
super(Credential, self).__init__(*args, **kwargs)
self.dynamic_input_fields = self._get_dynamic_input_field_names()
def __getattr__(self, item):
if item != 'inputs':
if item in V1Credential.FIELDS:
@@ -441,6 +450,8 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
:param field_name(str): The name of the input field.
:param default(optional[str]): A default return value to use.
"""
if field_name in self.dynamic_input_fields:
return self._get_dynamic_input(field_name)
if field_name in self.credential_type.secret_fields:
try:
return decrypt_field(self, field_name)
@@ -461,8 +472,18 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
raise AttributeError(field_name)
def has_input(self, field_name):
if field_name in self.dynamic_input_fields:
return True
return field_name in self.inputs and self.inputs[field_name] not in ('', None)
def _get_dynamic_input_field_names(self):
input_sources = CredentialInputSource.objects.filter(target_credential=self)
return [obj.input_field_name for obj in input_sources]
def _get_dynamic_input(self, field_name):
input_sources = CredentialInputSource.objects.filter(target_credential=self)
return input_sources.filter(input_field_name=field_name).first().get_input_value()
class CredentialType(CommonModelNameNotUnique):
'''
@@ -484,6 +505,7 @@ class CredentialType(CommonModelNameNotUnique):
('scm', _('Source Control')),
('cloud', _('Cloud')),
('insights', _('Insights')),
('external', _('External')),
)
kind = models.CharField(
@@ -583,6 +605,15 @@ class CredentialType(CommonModelNameNotUnique):
created.inputs = created.injectors = {}
created.save()
@classmethod
def load_plugin(cls, plugin):
ManagedCredentialType(
namespace=plugin.name.lower(),
name=plugin.name,
kind='external',
inputs=plugin.inputs
)
@classmethod
def from_v1_kind(cls, kind, data={}):
match = None
@@ -1253,3 +1284,61 @@ ManagedCredentialType(
}
},
)
class CredentialInputSource(PrimordialModel):
class Meta:
app_label = 'main'
unique_together = (('target_credential', 'input_field_name'),)
target_credential = models.ForeignKey(
'Credential',
related_name='input_source',
on_delete=models.CASCADE,
null=True,
)
source_credential = models.ForeignKey(
'Credential',
related_name='target_input_source',
on_delete=models.CASCADE,
null=True,
)
input_field_name = models.CharField(
max_length=1024,
)
def clean_target_credential(self):
if self.target_credential.kind == 'external':
raise ValidationError(_('Target must be a non-external credential'))
return self.target_credential
def clean_source_credential(self):
if self.source_credential.kind != 'external':
raise ValidationError(_('Source must be an external credential'))
return self.source_credential
def clean_input_field_name(self):
if self.input_field_name not in self.target_credential.credential_type.defined_fields:
raise ValidationError(_('Input field must be defined on target credential.'))
return self.input_field_name
def save(self, *args, **kwargs):
self.full_clean()
super(CredentialInputSource, self).save(*args, **kwargs)
def get_input_value(self):
plugin_name = self.source_credential.credential_type.name
[backend] = [p.backend for p in credential_plugins if p.name == plugin_name]
backend_kwargs = {}
for field_name, value in self.source_credential.inputs.items():
if field_name in self.source_credential.credential_type.secret_fields:
backend_kwargs[field_name] = decrypt_field(self.source_credential, field_name)
else:
backend_kwargs[field_name] = value
return backend(**backend_kwargs)
for plugin in credential_plugins:
CredentialType.load_plugin(plugin)