82e1782b39
The following options are used for authentication with Vault, so they should be hidden from logs. 1) root_token_id: this is not actually an id but a token string. 2) approle_role_id and approle_secret_id: these are used together to obtain a token. Closes-Bug: #2058397 Change-Id: I0650fd12e3f51fc4d829e0be3ab95cd8b3ee03ea
# Copyright (c) 2018 Red Hat Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
# implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
from barbican.common import config
|
|
import barbican.plugin.castellan_secret_store as css
|
|
from castellan.i18n import _
|
|
from castellan import options
|
|
from oslo_config import cfg
|
|
from oslo_log import log
|
|
|
|
LOG = log.getLogger(__name__)
|
|
|
|
DEFAULT_VAULT_URL = "http://127.0.0.1:8200"
|
|
DEFAULT_MOUNTPOINT = "secret"
|
|
|
|
vault_opt_group = cfg.OptGroup(name='vault_plugin', title='Vault Plugin')
|
|
vault_opts = [
|
|
cfg.StrOpt('root_token_id',
|
|
secret=True,
|
|
help='root token for vault'),
|
|
cfg.StrOpt('approle_role_id',
|
|
secret=True,
|
|
help='AppRole role_id for authentication with vault'),
|
|
cfg.StrOpt('approle_secret_id',
|
|
secret=True,
|
|
help='AppRole secret_id for authentication with vault'),
|
|
cfg.StrOpt('kv_mountpoint',
|
|
default=DEFAULT_MOUNTPOINT,
|
|
help='Mountpoint of KV store in Vault to use, for example: '
|
|
'{}'.format(DEFAULT_MOUNTPOINT)),
|
|
cfg.StrOpt('vault_url',
|
|
default=DEFAULT_VAULT_URL,
|
|
help='Use this endpoint to connect to Vault, for example: '
|
|
'"%s"' % DEFAULT_VAULT_URL),
|
|
cfg.StrOpt('ssl_ca_crt_file',
|
|
help='Absolute path to ca cert file'),
|
|
cfg.BoolOpt('use_ssl',
|
|
default=False,
|
|
help=_('SSL Enabled/Disabled')),
|
|
cfg.StrOpt("namespace",
|
|
help=_("Vault Namespace to use for all requests. "
|
|
"Namespaces is a feature available in HasiCorp Vault "
|
|
"Enterprise only.")),
|
|
]
|
|
|
|
CONF = config.new_config()
|
|
CONF.register_group(vault_opt_group)
|
|
CONF.register_opts(vault_opts, group=vault_opt_group)
|
|
config.parse_args(CONF)
|
|
|
|
|
|
def list_opts():
|
|
yield vault_opt_group, vault_opts # pragma: no cover
|
|
|
|
|
|
class VaultSecretStore(css.CastellanSecretStore):
|
|
|
|
def __init__(self, conf=CONF):
|
|
"""Constructor - create the vault secret store."""
|
|
vault_conf = self.get_conf(conf)
|
|
self._set_params(vault_conf)
|
|
|
|
def get_plugin_name(self):
|
|
return "VaultSecretStore"
|
|
|
|
def get_conf(self, conf=CONF):
|
|
"""Convert secret store conf into oslo conf
|
|
|
|
Returns an oslo.config() object to pass to keymanager.API(conf)
|
|
"""
|
|
vault_conf = cfg.ConfigOpts()
|
|
options.set_defaults(
|
|
vault_conf,
|
|
backend='vault',
|
|
vault_root_token_id=conf.vault_plugin.root_token_id,
|
|
vault_approle_role_id=conf.vault_plugin.approle_role_id,
|
|
vault_approle_secret_id=conf.vault_plugin.approle_secret_id,
|
|
vault_kv_mountpoint=conf.vault_plugin.kv_mountpoint,
|
|
vault_url=conf.vault_plugin.vault_url,
|
|
vault_ssl_ca_crt_file=conf.vault_plugin.ssl_ca_crt_file,
|
|
vault_use_ssl=conf.vault_plugin.use_ssl,
|
|
vault_namespace=conf.vault_plugin.namespace
|
|
)
|
|
return vault_conf
|
|
|
|
def store_secret_supports(self, key_spec):
|
|
return True
|
|
|
|
def generate_supports(self, key_spec):
|
|
return True
|
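Review bot: Marking root_token_id, approle_role_id and approle_secret_id with `secret=True` only masks them when this module's CONF is logged; get_conf() copies the same values into a fresh `cfg.ConfigOpts()` through castellan's `options.set_defaults(...)`, and whether they stay masked when that object is logged depends on castellan's own declarations of vault_root_token_id, vault_approle_role_id and vault_approle_secret_id, which this change does not touch. It is worth confirming those are declared secret on the castellan side as well, otherwise the values can still surface through the copied config. The commit message points out that root_token_id is a token string rather than an id, but the option's help text still reads 'root token for vault'; consider `help='Vault root token (a token string, despite the name) used to authenticate'` so operators know what to supply.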