barbican/barbican/plugin/vault_secret_store.py
Takashi Kajinami 82e1782b39 vault: Hide values used for authentication
The following options are used for authentication with Vault, so should
be hidden from logs.

1) root_token_id
This is not actually an id but a token string

2) approle_role_id and approle_secret_id
These are used together to obtain a token

Closes-Bug: #2058397
Change-Id: I0650fd12e3f51fc4d829e0be3ab95cd8b3ee03ea
2024-03-20 00:24:17 +09:00


# Copyright (c) 2018 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from barbican.common import config
import barbican.plugin.castellan_secret_store as css
from castellan.i18n import _
from castellan import options
from oslo_config import cfg
from oslo_log import log
# Defaults applied when the deployer does not override the [vault_plugin]
# options registered below.
#
# NOTE(review): the default endpoint is plain http on the loopback address and
# use_ssl (registered further down) defaults to False, so presumably an
# unmodified configuration sends the Vault token and secret material in
# cleartext.  Anything other than a single-host test setup should point
# vault_url at an https endpoint -- confirm the TLS handling on the castellan
# side.
DEFAULT_VAULT_URL = "http://127.0.0.1:8200"
DEFAULT_MOUNTPOINT = "secret"

LOG = log.getLogger(__name__)
vault_opt_group = cfg.OptGroup(name='vault_plugin', title='Vault Plugin')

# Options of the [vault_plugin] section.  VaultSecretStore.get_conf() copies
# their values into the option names castellan's vault backend expects.
#
# Security notes:
#  * root_token_id, approle_role_id and approle_secret_id are credentials and
#    are registered with secret=True so that they are masked wherever
#    oslo.config writes option values to the log.  Any credential added to
#    this list later must carry the same flag.
#  * NOTE(review): a Vault root token is unrestricted; the AppRole pair is
#    the credential to use in a real deployment, and root_token_id should be
#    limited to development or bootstrap setups.
#  * NOTE(review): use_ssl defaults to False and ssl_ca_crt_file is unset by
#    default, so presumably transport encryption and server-certificate
#    checking are both opt-in -- confirm against castellan's vault backend.
vault_opts = [
    cfg.StrOpt(
        'root_token_id',
        secret=True,
        help='root token for vault',
    ),
    cfg.StrOpt(
        'approle_role_id',
        secret=True,
        help='AppRole role_id for authentication with vault',
    ),
    cfg.StrOpt(
        'approle_secret_id',
        secret=True,
        help='AppRole secret_id for authentication with vault',
    ),
    cfg.StrOpt(
        'kv_mountpoint',
        default=DEFAULT_MOUNTPOINT,
        help='Mountpoint of KV store in Vault to use, for example: %s'
             % DEFAULT_MOUNTPOINT,
    ),
    cfg.StrOpt(
        'vault_url',
        default=DEFAULT_VAULT_URL,
        help='Use this endpoint to connect to Vault, for example: "{}"'.format(
            DEFAULT_VAULT_URL),
    ),
    cfg.StrOpt(
        'ssl_ca_crt_file',
        help='Absolute path to ca cert file',
    ),
    cfg.BoolOpt(
        'use_ssl',
        default=False,
        help=_('SSL Enabled/Disabled'),
    ),
    # The spelling "HasiCorp" is left untouched on purpose: the string is a
    # translation msgid and changing it would presumably orphan existing
    # catalog entries.
    cfg.StrOpt(
        'namespace',
        help=_("Vault Namespace to use for all requests. "
               "Namespaces is a feature available in HasiCorp Vault "
               "Enterprise only."),
    ),
]
# Module-level configuration object.  Registering the group and its options
# and then calling config.parse_args() at import time means that merely
# importing this module presumably reads the deployment configuration
# (including the Vault credentials) -- keep that in mind when importing it
# from tooling or tests.
CONF = config.new_config()
CONF.register_group(vault_opt_group)
CONF.register_opts(vault_opts, vault_opt_group)
config.parse_args(CONF)
def list_opts():
    """Yield the single (group, options) pair this module registers.

    Presumably consumed by an oslo.config option-listing entry point so that
    the [vault_plugin] section shows up in generated sample configs.
    """
    yield (vault_opt_group, vault_opts)  # pragma: no cover
class VaultSecretStore(css.CastellanSecretStore):
    """Barbican secret-store plugin that delegates to castellan's Vault backend.

    The plugin's only job is to translate the ``[vault_plugin]`` section of
    the Barbican configuration into the option layout castellan expects; all
    Vault interaction happens in the castellan base class.

    Security note (review): the root token, AppRole role_id and AppRole
    secret_id read from the configuration are credentials.  They are marked
    secret in this module's option definitions; a root token grants
    unrestricted Vault access, so the AppRole pair is the credential to use
    outside development setups.
    """

    def __init__(self, conf=CONF):
        """Build the castellan configuration and initialise the store.

        :param conf: oslo.config object carrying a ``vault_plugin`` group;
                     defaults to this module's ``CONF``.
        """
        # _set_params comes from the castellan base class; it is handed the
        # translated configuration rather than the Barbican one.
        self._set_params(self.get_conf(conf))

    def get_plugin_name(self):
        """Return the identifier under which this plugin is registered."""
        return "VaultSecretStore"

    def get_conf(self, conf=CONF):
        """Convert secret store conf into oslo conf

        Returns an oslo.config() object to pass to keymanager.API(conf)

        :param conf: oslo.config object carrying a ``vault_plugin`` group.
        :returns: a fresh ``cfg.ConfigOpts`` whose castellan defaults are
                  populated from ``conf.vault_plugin``.
        """
        section = conf.vault_plugin
        km_conf = cfg.ConfigOpts()
        # NOTE(review): the three credentials are copied into a second
        # ConfigOpts object as *defaults*.  Whether they remain masked in
        # castellan's own option-value logging depends on castellan
        # registering its vault_* options with secret=True -- confirm on the
        # castellan side rather than assuming the flag set here carries over.
        options.set_defaults(
            km_conf,
            backend='vault',
            vault_root_token_id=section.root_token_id,
            vault_approle_role_id=section.approle_role_id,
            vault_approle_secret_id=section.approle_secret_id,
            vault_kv_mountpoint=section.kv_mountpoint,
            vault_url=section.vault_url,
            vault_ssl_ca_crt_file=section.ssl_ca_crt_file,
            vault_use_ssl=section.use_ssl,
            vault_namespace=section.namespace,
        )
        return km_conf

    def store_secret_supports(self, key_spec):
        """Report that any key spec may be stored (no filtering is applied)."""
        return True

    def generate_supports(self, key_spec):
        """Report that any key spec may be generated (no filtering is applied)."""
        return True