From dd1df7a42b5dd1cf46f212828f03af3d577ac870 Mon Sep 17 00:00:00 2001
From: Frode Nordahl <frode.nordahl@canonical.com>
Date: Fri, 19 Oct 2018 14:42:38 +0200
Subject: [PATCH] Retrieve secret-id from vault using one-shot token

---
 .travis.yml                                |  2 +-
 src/lib/charm/vault_utils.py               | 25 ++++++++++++++++
 src/reactive/barbican_vault_handlers.py    | 13 +++++++--
 test-requirements.txt                      |  1 +
 unit_tests/test_barbican_vault_handlers.py |  3 +-
 unit_tests/test_vault_utils.py             | 34 ++++++++++++++++++++++
 6 files changed, 73 insertions(+), 5 deletions(-)
 create mode 100644 src/lib/charm/vault_utils.py
 create mode 100644 unit_tests/test_vault_utils.py

diff --git a/.travis.yml b/.travis.yml
index b80d71d..e1feabf 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -3,4 +3,4 @@ python:
   - "3.6"
 install: pip install tox-travis
 script:
-  - tox
+  - tox -e pep8,py3
diff --git a/src/lib/charm/vault_utils.py b/src/lib/charm/vault_utils.py
new file mode 100644
index 0000000..ab281fb
--- /dev/null
+++ b/src/lib/charm/vault_utils.py
@@ -0,0 +1,25 @@
+# Copyright 2018 Canonical Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import hvac
+
+
+def retrieve_secret_id(url, token):
+    client = hvac.Client(url=url, token=token)
+    # workaround for issue where callng `client.unwrap(token)` results in
+    # "error decrementing wrapping token's use-count: invalid token entry
+    #  provided for use count decrementing"
+    response = client._post('/v1/sys/wrapping/unwrap')
+    if response.status_code == 200:
+        data = response.json()
+        return data['data']['secret_id']
diff --git a/src/reactive/barbican_vault_handlers.py b/src/reactive/barbican_vault_handlers.py
index f4bd49a..1939189 100644
--- a/src/reactive/barbican_vault_handlers.py
+++ b/src/reactive/barbican_vault_handlers.py
@@ -11,7 +11,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
 import charmhelpers.core as ch_core
 
 import charms.reactive as reactive
@@ -19,6 +18,8 @@ import charms.reactive as reactive
 import charms_openstack.bus
 import charms_openstack.charm as charm
 
+import charm.vault_utils as vault_utils
+
 charms_openstack.bus.discover()
 
 # Use the charms.openstack defaults for common states and hooks
@@ -39,7 +40,7 @@ def secret_backend_vault_request():
                         level=ch_core.hookenv.INFO)
     with charm.provide_charm_instance() as barbican_vault_charm:
         secrets_storage.request_secret_backend(
-            barbican_vault_charm.secret_backend_name)
+            barbican_vault_charm.secret_backend_name, isolated=False)
 
 
 @reactive.when_all('endpoint.secrets.joined', 'secrets-storage.available')
@@ -47,10 +48,16 @@ def plugin_info_barbican_publish():
     barbican = reactive.endpoint_from_flag('endpoint.secrets.joined')
     secrets_storage = reactive.endpoint_from_flag(
         'secrets-storage.available')
+    ch_core.hookenv.log('Retrieving secret-id from vault ({})'
+                        .format(secrets_storage.vault_url),
+                        level=ch_core.hookenv.INFO)
+    secret_id = vault_utils.retrieve_secret_id(
+        secrets_storage.vault_url,
+        secrets_storage.unit_token)
     with charm.provide_charm_instance() as barbican_vault_charm:
         vault_data = {
             'approle_role_id': secrets_storage.unit_role_id,
-            'approle_secret_id': secrets_storage.unit_token,
+            'approle_secret_id': secret_id,
             'vault_url': secrets_storage.vault_url,
             'kv_mountpoint': barbican_vault_charm.secret_backend_name,
             'use_ssl': 'false',  # XXX
diff --git a/test-requirements.txt b/test-requirements.txt
index ca62003..7ac3a08 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -11,3 +11,4 @@ mock>=1.2
 nose>=1.3.7
 coverage>=3.6
 git+https://github.com/openstack/charms.openstack.git#egg=charms.openstack
+hvac
diff --git a/unit_tests/test_barbican_vault_handlers.py b/unit_tests/test_barbican_vault_handlers.py
index 3005598..32aa571 100644
--- a/unit_tests/test_barbican_vault_handlers.py
+++ b/unit_tests/test_barbican_vault_handlers.py
@@ -78,6 +78,7 @@ class TestBarbicanVaultHandlers(test_utils.PatchHelper):
         barbican = mock.MagicMock()
         secrets_storage = mock.MagicMock()
         self.endpoint_from_flag.side_effect = [barbican, secrets_storage]
+        self.patch_object(handlers.vault_utils, 'retrieve_secret_id')
 
         handlers.plugin_info_barbican_publish()
         self.endpoint_from_flag.assert_has_calls([
@@ -86,7 +87,7 @@ class TestBarbicanVaultHandlers(test_utils.PatchHelper):
         ])
         vault_data = {
             'approle_role_id': secrets_storage.unit_role_id,
-            'approle_secret_id': secrets_storage.unit_token,
+            'approle_secret_id': self.retrieve_secret_id(),
             'vault_url': secrets_storage.vault_url,
             'kv_mountpoint': barbican_vault_charm.secret_backend_name,
             'use_ssl': 'false',  # XXX
diff --git a/unit_tests/test_vault_utils.py b/unit_tests/test_vault_utils.py
new file mode 100644
index 0000000..7dfd12a
--- /dev/null
+++ b/unit_tests/test_vault_utils.py
@@ -0,0 +1,34 @@
+# Copyright 2018 Canonical Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import mock
+
+import charm.vault_utils as vault_utils
+
+import charms_openstack.test_utils as test_utils
+
+
+class TestVaultUtils(test_utils.PatchHelper):
+
+    def test_retrieve_secret_id(self):
+        self.patch_object(vault_utils, 'hvac')
+        hvac_client = mock.MagicMock()
+        self.hvac.Client.return_value = hvac_client
+        response = mock.MagicMock()
+        response.status_code = 200
+        response.json.return_value = {'data': {'secret_id': 'FAKE_SECRET_ID'}}
+        hvac_client._post.return_value = response
+        self.assertEqual(
+            vault_utils.retrieve_secret_id('url', 'token'), 'FAKE_SECRET_ID')
+        hvac_client._post.assert_called_with('/v1/sys/wrapping/unwrap')