From b3c264bf2115dd8116e36e0f80edfcbee608310e Mon Sep 17 00:00:00 2001
From: Jesse Keating
Date: Wed, 18 Sep 2019 12:26:47 -0700
Subject: [PATCH 1/2] Use proper headers to auth with Vault

Reading examples at https://learn.hashicorp.com/vault/getting-started/apis show needing to use `X-Vault-Token` header, instead of `Authorization`. Without this header, the vault server would return a 400 status with an error message of "missing client token". With this change AWX is now able to interface with the Hashicorp backend.
---
 awx/main/credential_plugins/hashivault.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py
index 817eb27b77..216d7ed75f 100644
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@@ -102,7 +102,7 @@ def kv_backend(**kwargs):
 request_kwargs['verify'] = create_temporary_fifo(cacert.encode())
 sess = requests.Session()
- sess.headers['Authorization'] = 'Bearer {}'.format(token)
+ sess.headers['X-Vault-Token'] = token
 if api_version == 'v2':
 if kwargs.get('secret_version'):
@@ -157,7 +157,7 @@ def ssh_backend(**kwargs):
 request_kwargs['json']['valid_principals'] = kwargs['valid_principals']
 sess = requests.Session()
- sess.headers['Authorization'] = 'Bearer {}'.format(token)
+ sess.headers['X-Vault-Token'] = token
 # https://www.vaultproject.io/api/secret/ssh/index.html#sign-ssh-key
 request_url = '/'.join([url, secret_path, 'sign', role]).rstrip('/')
 resp = sess.post(request_url, **request_kwargs)
From e1bdbeaa5cae22d1804b38c960ae737f6763f7da Mon Sep 17 00:00:00 2001
From: Jesse Keating
Date: Wed, 18 Sep 2019 13:27:55 -0700
Subject: [PATCH 2/2] Restore new style headers

This leads to having both the new style header and the old compatability header. Best of both worlds!
---
 awx/main/credential_plugins/hashivault.py | 4 ++++
 1 file changed, 4 insertions(+)
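Review bot: `X-Vault-Token` is set as a session-wide custom header in the kv_backend hunk of PATCH 1/2, and the ssh_backend hunk does the same, but requests removes only `Authorization` when a redirect leaves the original host, so a redirect answered by the configured URL would carry the Vault token on to the new host. Nothing in these hunks shows `request_kwargs` turning redirects off, and both functions start and continue outside the hunks, so this may already be handled elsewhere. If it is not, `request_kwargs['allow_redirects'] = False` before the request is sent (for ssh_backend, before `sess.post(request_url, **request_kwargs)`) closes the gap. Deployments that depend on a standby node redirecting to the active one would instead need to follow the `Location` by hand, and only when its host matches the configured Vault URL.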
diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py
index 216d7ed75f..c9caafba6b 100644
--- a/awx/main/credential_plugins/hashivault.py
+++ b/awx/main/credential_plugins/hashivault.py
@@ -102,6 +102,8 @@ def kv_backend(**kwargs):
 request_kwargs['verify'] = create_temporary_fifo(cacert.encode())
 sess = requests.Session()
+ sess.headers['Authorization'] = 'Bearer {}'.format(token)
+ # Compatability header for older installs of Hashicorp Vault
 sess.headers['X-Vault-Token'] = token
 if api_version == 'v2':
@@ -157,6 +159,8 @@ def ssh_backend(**kwargs):
 request_kwargs['json']['valid_principals'] = kwargs['valid_principals']
 sess = requests.Session()
+ sess.headers['Authorization'] = 'Bearer {}'.format(token)
+ # Compatability header for older installs of Hashicorp Vault
 sess.headers['X-Vault-Token'] = token
 # https://www.vaultproject.io/api/secret/ssh/index.html#sign-ssh-key
 request_url = '/'.join([url, secret_path, 'sign', role]).rstrip('/')
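Review bot: The added comment sits between the two header assignments in kv_backend, and again in ssh_backend, so it is not obvious which header is the fallback, and `Compatability` is misspelled. A single comment above both lines, such as `# Authorization: Bearer is the new-style header; X-Vault-Token is kept for older installs of Hashicorp Vault`, would say it plainly. Because the same token is now sent under two header names, any debug logging or proxy redaction that masks only `Authorization` should be checked to also mask `X-Vault-Token`; that concern is inferred, not visible in these hunks. The header setup is repeated verbatim in both functions, which continue outside the hunks, so a shared helper would keep the two copies from drifting.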