Retrieve secret-id from vault using one-shot token

.travis.yml

@@ -3,4 +3,4 @@ python:
   - "3.6"
 install: pip install tox-travis
 script:
-  - tox
+  - tox -e pep8,py3

src/lib/charm/vault_utils.py

@@ -0,0 +1,25 @@
+# Copyright 2018 Canonical Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import hvac
+
+
+def retrieve_secret_id(url, token):
+    client = hvac.Client(url=url, token=token)
+    # workaround for issue where callng `client.unwrap(token)` results in
+    # "error decrementing wrapping token's use-count: invalid token entry
+    #  provided for use count decrementing"
+    response = client._post('/v1/sys/wrapping/unwrap')
+    if response.status_code == 200:
+        data = response.json()
+        return data['data']['secret_id']

src/reactive/barbican_vault_handlers.py

@@ -11,7 +11,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
 import charmhelpers.core as ch_core
 
 import charms.reactive as reactive
@@ -19,6 +18,8 @@ import charms.reactive as reactive
 import charms_openstack.bus
 import charms_openstack.charm as charm
 
+import charm.vault_utils as vault_utils
+
 charms_openstack.bus.discover()
 
 # Use the charms.openstack defaults for common states and hooks
@@ -39,7 +40,7 @@ def secret_backend_vault_request():
                         level=ch_core.hookenv.INFO)
     with charm.provide_charm_instance() as barbican_vault_charm:
         secrets_storage.request_secret_backend(
-            barbican_vault_charm.secret_backend_name)
+            barbican_vault_charm.secret_backend_name, isolated=False)
 
 
 @reactive.when_all('endpoint.secrets.joined', 'secrets-storage.available')
@@ -47,10 +48,16 @@ def plugin_info_barbican_publish():
     barbican = reactive.endpoint_from_flag('endpoint.secrets.joined')
     secrets_storage = reactive.endpoint_from_flag(
         'secrets-storage.available')
+    ch_core.hookenv.log('Retrieving secret-id from vault ({})'
+                        .format(secrets_storage.vault_url),
+                        level=ch_core.hookenv.INFO)
+    secret_id = vault_utils.retrieve_secret_id(
+        secrets_storage.vault_url,
+        secrets_storage.unit_token)
     with charm.provide_charm_instance() as barbican_vault_charm:
         vault_data = {
             'approle_role_id': secrets_storage.unit_role_id,
-            'approle_secret_id': secrets_storage.unit_token,
+            'approle_secret_id': secret_id,
             'vault_url': secrets_storage.vault_url,
             'kv_mountpoint': barbican_vault_charm.secret_backend_name,
             'use_ssl': 'false',  # XXX

test-requirements.txt

@@ -11,3 +11,4 @@ mock>=1.2
 nose>=1.3.7
 coverage>=3.6
 git+https://github.com/openstack/charms.openstack.git#egg=charms.openstack
+hvac

unit_tests/test_barbican_vault_handlers.py

@@ -78,6 +78,7 @@ class TestBarbicanVaultHandlers(test_utils.PatchHelper):
         barbican = mock.MagicMock()
         secrets_storage = mock.MagicMock()
         self.endpoint_from_flag.side_effect = [barbican, secrets_storage]
+        self.patch_object(handlers.vault_utils, 'retrieve_secret_id')
 
         handlers.plugin_info_barbican_publish()
         self.endpoint_from_flag.assert_has_calls([
@@ -86,7 +87,7 @@ class TestBarbicanVaultHandlers(test_utils.PatchHelper):
         ])
         vault_data = {
             'approle_role_id': secrets_storage.unit_role_id,
-            'approle_secret_id': secrets_storage.unit_token,
+            'approle_secret_id': self.retrieve_secret_id(),
             'vault_url': secrets_storage.vault_url,
             'kv_mountpoint': barbican_vault_charm.secret_backend_name,
             'use_ssl': 'false',  # XXX

unit_tests/test_vault_utils.py

@@ -0,0 +1,34 @@
+# Copyright 2018 Canonical Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import mock
+
+import charm.vault_utils as vault_utils
+
+import charms_openstack.test_utils as test_utils
+
+
+class TestVaultUtils(test_utils.PatchHelper):
+
+    def test_retrieve_secret_id(self):
+        self.patch_object(vault_utils, 'hvac')
+        hvac_client = mock.MagicMock()
+        self.hvac.Client.return_value = hvac_client
+        response = mock.MagicMock()
+        response.status_code = 200
+        response.json.return_value = {'data': {'secret_id': 'FAKE_SECRET_ID'}}
+        hvac_client._post.return_value = response
+        self.assertEqual(
+            vault_utils.retrieve_secret_id('url', 'token'), 'FAKE_SECRET_ID')
+        hvac_client._post.assert_called_with('/v1/sys/wrapping/unwrap')