diff options
| author | Lila Yasin <lyasin@redhat.com> | 2024-01-25 15:50:13 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-01-25 15:50:13 +0100 |
| commit | 2e168d817730fc9609127c57c0ed5158e8ca013b (patch) | |
| tree | 3edd43bd65ba900e0d9941bbad9b10ef88f74d0b | |
| parent | feat: Add retries to requests sessions (diff) | |
| download | awx-2e168d817730fc9609127c57c0ed5158e8ca013b.tar.xz awx-2e168d817730fc9609127c57c0ed5158e8ca013b.zip | |
Add userpass and LDAP support for HashiCorp vault credential_plugin (#14654)
* Add username and password to handle_auth and update exception message
Revise naming of ldap username and password
* Add url for LDAP and userpass to method_auth
* Add information regarding LDAP and username and password to credential plugins documentation
Revise ldap_auth to userpass_auth and revised exception to better reflect functionality
* Revise method_auth to ensure certs can be used with username and ensure namespace functionality is not hindered
| -rw-r--r-- | awx/main/credential_plugins/hashivault.py | 26 | ||||
| -rw-r--r-- | awx/main/tests/functional/test_credential_plugins.py | 7 | ||||
| -rw-r--r-- | docs/docsite/rst/userguide/credential_plugins.rst | 3 |
3 files changed, 33 insertions, 3 deletions
diff --git a/awx/main/credential_plugins/hashivault.py b/awx/main/credential_plugins/hashivault.py index b993db88f1..f3dcd53b5d 100644 --- a/awx/main/credential_plugins/hashivault.py +++ b/awx/main/credential_plugins/hashivault.py @@ -88,6 +88,20 @@ base_inputs = { ), }, { + 'id': 'username', + 'label': _('Username'), + 'type': 'string', + 'secret': False, + 'help_text': _('Username for user authentication.'), + }, + { + 'id': 'password', + 'label': _('Password'), + 'type': 'string', + 'secret': True, + 'help_text': _('Password for user authentication.'), + }, + { 'id': 'default_auth_path', 'label': _('Path to Auth'), 'type': 'string', @@ -185,9 +199,10 @@ hashi_ssh_inputs['required'].extend(['public_key', 'role']) def handle_auth(**kwargs): token = None - if kwargs.get('token'): token = kwargs['token'] + elif kwargs.get('username') and kwargs.get('password'): + token = method_auth(**kwargs, auth_param=userpass_auth(**kwargs)) elif kwargs.get('role_id') and kwargs.get('secret_id'): token = method_auth(**kwargs, auth_param=approle_auth(**kwargs)) elif kwargs.get('kubernetes_role'): @@ -195,11 +210,14 @@ def handle_auth(**kwargs): elif kwargs.get('client_cert_public') and kwargs.get('client_cert_private'): token = method_auth(**kwargs, auth_param=client_cert_auth(**kwargs)) else: - raise Exception('Either a token or AppRole, Kubernetes, or TLS authentication parameters must be set') - + raise Exception('Token, Username/Password, AppRole, Kubernetes, or TLS authentication parameters must be set') return token +def userpass_auth(**kwargs): + return {'username': kwargs['username'], 'password': kwargs['password']} + + def approle_auth(**kwargs): return {'role_id': kwargs['role_id'], 'secret_id': kwargs['secret_id']} @@ -233,6 +251,8 @@ def method_auth(**kwargs): if kwargs.get('namespace'): sess.headers['X-Vault-Namespace'] = kwargs['namespace'] request_url = '/'.join([url, 'auth', auth_path, 'login']).rstrip('/') + if kwargs['auth_param'].get('username'): + request_url = request_url + '/' + (kwargs['username']) with CertFiles(cacert) as cert: request_kwargs['verify'] = cert # TLS client certificate support diff --git a/awx/main/tests/functional/test_credential_plugins.py b/awx/main/tests/functional/test_credential_plugins.py index 9d199c31f5..3ee29e9ce3 100644 --- a/awx/main/tests/functional/test_credential_plugins.py +++ b/awx/main/tests/functional/test_credential_plugins.py @@ -60,6 +60,13 @@ def test_hashivault_client_cert_auth_no_role(): assert res == expected_res +def test_hashivault_userpass_auth(): + kwargs = {'username': 'the_username', 'password': 'the_password'} + expected_res = {'username': 'the_username', 'password': 'the_password'} + res = hashivault.userpass_auth(**kwargs) + assert res == expected_res + + def test_hashivault_handle_auth_token(): kwargs = { 'token': 'the_token', diff --git a/docs/docsite/rst/userguide/credential_plugins.rst b/docs/docsite/rst/userguide/credential_plugins.rst index 9bd9655df8..a2cc436282 100644 --- a/docs/docsite/rst/userguide/credential_plugins.rst +++ b/docs/docsite/rst/userguide/credential_plugins.rst @@ -272,9 +272,12 @@ When **HashiCorp Vault Secret Lookup** is selected for **Credential Type**, prov - **Kubernetes role** specify the role name when using Kubernetes authentication - **Path to Auth**: specify a path if other than the default path of ``/approle`` - **API Version** (required): select v1 for static lookups and v2 for versioned lookups +- **Username and Password**: specify the username and password for the user account For more detail about the Approle auth method and its fields, refer to the `Vault documentation for Approle Auth Method <https://www.vaultproject.io/docs/auth/approle>`_. +For more detail about the Userpass auth method and its fields, refer to the `Vault documentation for LDAP auth method <https://www.vaultproject.io/docs/auth/userpass>`_. + For more detail about the Kubernetes auth method and its fields, refer to the `Vault documentation for Kubernetes auth method <https://developer.hashicorp.com/vault/docs/auth/kubernetes>` _. For more detail about the TLS certificate auth method and its fields, refer to the `Vault documentation for TLS certificates auth method <https://developer.hashicorp.com/vault/docs/auth/cert>` _. |