mirror of
https://github.com/ansible/awx.git
synced 2026-07-06 22:08:08 -02:30
add credential plugin system and minimal working hashivault
This commit is contained in:
@@ -4,6 +4,7 @@ import functools
|
||||
import inspect
|
||||
import logging
|
||||
import os
|
||||
from pkg_resources import iter_entry_points
|
||||
import re
|
||||
import stat
|
||||
import tempfile
|
||||
@@ -26,7 +27,11 @@ from awx.main.fields import (ImplicitRoleField, CredentialInputField,
|
||||
from awx.main.utils import decrypt_field, classproperty
|
||||
from awx.main.utils.safe_yaml import safe_dump
|
||||
from awx.main.validators import validate_ssh_private_key
|
||||
from awx.main.models.base import CommonModelNameNotUnique, PasswordFieldsModel
|
||||
from awx.main.models.base import (
|
||||
CommonModelNameNotUnique,
|
||||
PasswordFieldsModel,
|
||||
PrimordialModel
|
||||
)
|
||||
from awx.main.models.mixins import ResourceMixin
|
||||
from awx.main.models.rbac import (
|
||||
ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
|
||||
@@ -35,9 +40,10 @@ from awx.main.models.rbac import (
|
||||
from awx.main.utils import encrypt_field
|
||||
from . import injectors as builtin_injectors
|
||||
|
||||
__all__ = ['Credential', 'CredentialType', 'V1Credential', 'build_safe_env']
|
||||
__all__ = ['Credential', 'CredentialType', 'CredentialInputSource', 'V1Credential', 'build_safe_env']
|
||||
|
||||
logger = logging.getLogger('awx.main.models.credential')
|
||||
credential_plugins = [ep.load() for ep in iter_entry_points('awx.credential_plugins')]
|
||||
|
||||
HIDDEN_PASSWORD = '**********'
|
||||
|
||||
@@ -220,7 +226,6 @@ class V1Credential(object):
|
||||
}
|
||||
|
||||
|
||||
|
||||
class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
|
||||
'''
|
||||
A credential contains information about how to talk to a remote resource
|
||||
@@ -275,6 +280,10 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
|
||||
'admin_role',
|
||||
])
|
||||
|
||||
def __init__(self, *args, **kwargs):
|
||||
super(Credential, self).__init__(*args, **kwargs)
|
||||
self.dynamic_input_fields = self._get_dynamic_input_field_names()
|
||||
|
||||
def __getattr__(self, item):
|
||||
if item != 'inputs':
|
||||
if item in V1Credential.FIELDS:
|
||||
@@ -441,6 +450,8 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
|
||||
:param field_name(str): The name of the input field.
|
||||
:param default(optional[str]): A default return value to use.
|
||||
"""
|
||||
if field_name in self.dynamic_input_fields:
|
||||
return self._get_dynamic_input(field_name)
|
||||
if field_name in self.credential_type.secret_fields:
|
||||
try:
|
||||
return decrypt_field(self, field_name)
|
||||
@@ -461,8 +472,18 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
|
||||
raise AttributeError(field_name)
|
||||
|
||||
def has_input(self, field_name):
|
||||
if field_name in self.dynamic_input_fields:
|
||||
return True
|
||||
return field_name in self.inputs and self.inputs[field_name] not in ('', None)
|
||||
|
||||
def _get_dynamic_input_field_names(self):
|
||||
input_sources = CredentialInputSource.objects.filter(target_credential=self)
|
||||
return [obj.input_field_name for obj in input_sources]
|
||||
|
||||
def _get_dynamic_input(self, field_name):
|
||||
input_sources = CredentialInputSource.objects.filter(target_credential=self)
|
||||
return input_sources.filter(input_field_name=field_name).first().get_input_value()
|
||||
|
||||
|
||||
class CredentialType(CommonModelNameNotUnique):
|
||||
'''
|
||||
@@ -484,6 +505,7 @@ class CredentialType(CommonModelNameNotUnique):
|
||||
('scm', _('Source Control')),
|
||||
('cloud', _('Cloud')),
|
||||
('insights', _('Insights')),
|
||||
('external', _('External')),
|
||||
)
|
||||
|
||||
kind = models.CharField(
|
||||
@@ -583,6 +605,15 @@ class CredentialType(CommonModelNameNotUnique):
|
||||
created.inputs = created.injectors = {}
|
||||
created.save()
|
||||
|
||||
@classmethod
|
||||
def load_plugin(cls, plugin):
|
||||
ManagedCredentialType(
|
||||
namespace=plugin.name.lower(),
|
||||
name=plugin.name,
|
||||
kind='external',
|
||||
inputs=plugin.inputs
|
||||
)
|
||||
|
||||
@classmethod
|
||||
def from_v1_kind(cls, kind, data={}):
|
||||
match = None
|
||||
@@ -1253,3 +1284,61 @@ ManagedCredentialType(
|
||||
}
|
||||
},
|
||||
)
|
||||
|
||||
|
||||
class CredentialInputSource(PrimordialModel):
|
||||
|
||||
class Meta:
|
||||
app_label = 'main'
|
||||
unique_together = (('target_credential', 'input_field_name'),)
|
||||
|
||||
target_credential = models.ForeignKey(
|
||||
'Credential',
|
||||
related_name='input_source',
|
||||
on_delete=models.CASCADE,
|
||||
null=True,
|
||||
)
|
||||
source_credential = models.ForeignKey(
|
||||
'Credential',
|
||||
related_name='target_input_source',
|
||||
on_delete=models.CASCADE,
|
||||
null=True,
|
||||
)
|
||||
input_field_name = models.CharField(
|
||||
max_length=1024,
|
||||
)
|
||||
|
||||
def clean_target_credential(self):
|
||||
if self.target_credential.kind == 'external':
|
||||
raise ValidationError(_('Target must be a non-external credential'))
|
||||
return self.target_credential
|
||||
|
||||
def clean_source_credential(self):
|
||||
if self.source_credential.kind != 'external':
|
||||
raise ValidationError(_('Source must be an external credential'))
|
||||
return self.source_credential
|
||||
|
||||
def clean_input_field_name(self):
|
||||
if self.input_field_name not in self.target_credential.credential_type.defined_fields:
|
||||
raise ValidationError(_('Input field must be defined on target credential.'))
|
||||
return self.input_field_name
|
||||
|
||||
def save(self, *args, **kwargs):
|
||||
self.full_clean()
|
||||
super(CredentialInputSource, self).save(*args, **kwargs)
|
||||
|
||||
def get_input_value(self):
|
||||
plugin_name = self.source_credential.credential_type.name
|
||||
[backend] = [p.backend for p in credential_plugins if p.name == plugin_name]
|
||||
|
||||
backend_kwargs = {}
|
||||
for field_name, value in self.source_credential.inputs.items():
|
||||
if field_name in self.source_credential.credential_type.secret_fields:
|
||||
backend_kwargs[field_name] = decrypt_field(self.source_credential, field_name)
|
||||
else:
|
||||
backend_kwargs[field_name] = value
|
||||
return backend(**backend_kwargs)
|
||||
|
||||
|
||||
for plugin in credential_plugins:
|
||||
CredentialType.load_plugin(plugin)
|
||||
|
||||
Reference in New Issue
Block a user