Fixes #12865: Vault plugin : Add a variable_from_vault generic method.

vault/Makefile

@@ -0,0 +1,13 @@
+#
+# make all : will build .rpkg.
+# make licensed : will build a license limited version of the plugin
+#
+
+FILES = share/
+SCRIPTS = postinst
+
+include ../makefiles/common-plugin.mk
+targets = $(addprefix target/, $(FILES))
+
+$(targets): target/%: %
+	    cp -a $< target/

vault/README.md

@@ -0,0 +1,29 @@
+Plugin for Vault and Rudder
+==============================
+
+This project is part of Rudder - IT automation and compliance made easy.
+See: http://rudder-project.org for more information.
+
+Mailing list, irc : https://www.rudder-project.org/site/community/mailing-lists/
+
+Synposis
+--------
+
+Installation
+------------
+
+Usage
+-----
+
+Authors
+-------
+
+Normation http://normation.com
+Victor Querette victor.querette@normation.com
+
+Contributing
+------------
+
+Thank you for your interest in our project !
+The contribution process is detailed here:
+https://www.rudder-project.org/site/documentation/how-to-contribute/

vault/build.conf

@@ -0,0 +1,29 @@
+#
+# This file defines the release information about the plugin like
+# its version and its ABI compability. 
+#
+# So version are not managed in pom.xml (safe for parent-pom version,
+# which can't be a parameter, and must be equals to rudder-branch here)
+#
+
+# Unique identifier of the plugin
+plugin-name=vault
+# the full name is derived from rudder-plugin-name
+plugin-fullname=rudder-plugin-${plugin-name}
+
+# Human readable short/title descrption (used for one line text)
+plugin-title-description="""Plugin for Vault integration with Rudder"""
+
+# WEB, HTML description. 
+plugin-web-description=<p>Plugin for Vault integartion with Rudder</p>
+
+# Plugin version. It is build as follow: A.B-x.y(.z) with:
+# - A.B: Rudder major.minor
+# - x.y(.z): plugin major.minor.micro. Micro should be omitted. When omitted, z is assumed to be 0. 
+# For the build, we split the information between two properties, rudder branch and plugin version, 
+# which must be concaneted with "-" to build the plugin version. 
+plugin-branch=1.0
+
+# rudder branch comes from parent
+plugin-version=${rudder-branch}-${plugin-branch}
+

vault/metadata

@@ -0,0 +1,10 @@
+{
+  "type": "plugin",
+  "name": "rudder-plugin-vault",
+  "version": "4.3-1.0",
+  "build-date": "2018-04-13T16:59:58+02:00",
+  "build-commit": "447ccaf652d08fb5aa6c2fa51f36fb3a2264077f",
+  "content": {
+    "files.txz": "/opt/rudder/"
+  }
+}

vault/packaging/metadata

@@ -0,0 +1,10 @@
+{
+  "type": "plugin",
+  "name": "${plugin-id}",
+  "version": "${plugin-version}",
+  "build-date": "${maven.build.timestamp}",
+  "build-commit": "${commit-id}",
+  "content": {
+    "files.txz": "/opt/rudder/"
+  }
+}

vault/packaging/postinst

@@ -0,0 +1,6 @@
+#!/bin/sh
+mkdir -p /var/rudder/plugin-resources
+cp -a /opt/rudder/share/plugins/vault/* /var/rudder/configuration-repository/ncf/
+cd /var/rudder/configuration-repository/ncf/
+rm sample_vault.json
+git add . && git commit -m "Vault plugin installation"

vault/share/plugins/vault/20_cfe_basics/vault_lib.cf

@@ -0,0 +1,60 @@
+#####################################################################################
+# Copyright 2018 Normation SAS
+#####################################################################################
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, Version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#####################################################################################
+
+bundle agent vault_fetch_config()
+{
+  vars:
+      "config_path" string => "/var/rudder/plugin-resources/vault.json";
+      "vault.config" data => readjson("${config_path}");
+}
+
+bundle agent vault_get_token(auth_mode)
+{
+  vars:
+      "class_prefix" string => canonify("vault_get_token${auth_mode}");
+
+    pass1::
+      "vault.server_addr" string => "${vault.config[server_addr]}";
+
+    pass2.mode_userpass.vault_reachable::
+      "vault_apicall_output" string => execresult("/usr/bin/curl -s --request POST --data '{\"password\": \"${vault.config[auth][userpass][password]}\"}' ${vault.server_addr}/v1/auth/userpass/login/${vault.config[auth][userpass][user]}", "noshell");
+
+      "data_output" data => "${vault_apicall_output}";
+
+    pass2.vault_reachable::
+      "vault.auth_token" string => "${data_output[auth][client_token]}",
+        ifvarclass => isvariable("data_output[auth][client_token]");
+
+  classes:
+    pass1::
+      # We need this to determinate whether an auth error is due to bad credentials or the Vault server being unreachable
+      "vault_reachable" expression => returnszero("/usr/bin/curl -s ${vault.server_addr}", "noshell");
+
+      # What auth mode are we using
+      "mode_userpass" expression => strcmp("${auth_mode}", "userpass");
+
+    any::
+      "pass3" expression => "pass2";
+      "pass2" expression => "pass1";
+      "pass1";
+
+  methods:
+    pass1::
+      "Vault config" usebundle => vault_fetch_config(),
+        ifvarclass => not(isvariable("vault.config"));
+}

vault/share/plugins/vault/30_generic_methods/variable_from_vault.cf

@@ -0,0 +1,77 @@
+#####################################################################################
+# Copyright 2018 Normation SAS
+#####################################################################################
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, Version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#####################################################################################
+#
+# @name Variable from Vault
+# @description Gets a key-value dictionnary from Vault given the secret path
+#
+# @documentation To use the generated variable, you must use the form `${variable_prefix.variable_name}` with each name replaced with the parameters of this method.
+#
+# Access to the vault has to be configured on each agent in /var/rudder/plugin-resources/vault.json. A sample config file is provided in /opt/rudder/share/plugins/vault/sample_vault.json
+#
+# @parameter variable_prefix The prefix of the variable name
+# @parameter variable_name   The variable to define, the full name will be variable_prefix.variable_name
+# @parameter path            The path of the secret
+#
+# @class_prefix variable_from_vault
+# @class_parameter path
+
+bundle agent variable_from_vault(variable_prefix, variable_name, path)
+{
+  vars:
+      "old_class_prefix" string => canonify("variable_from_vault_${path}");
+      "promisers" slist => { @{this.callers_promisers}, cf_null }, policy => "ifdefined";
+      "class_prefix" string => canonify(join("_", "promisers"));
+      "args" slist => {"${variable_prefix}", "${variable_name}", "${path}"};
+
+    pass2::
+      "vault_apicall_ouput" string => execresult("/usr/bin/curl -s -H 'X-Vault-Token: ${vault.auth_token}' ${vault.server_addr}/v1/secret/${path}", "noshell");
+
+      "${variable_prefix}.${variable_name}" data => "${vault_apicall_ouput}";
+
+  classes:
+      "pass3" expression => "pass2";
+      "pass2" expression => "pass1";
+      "pass1";
+
+    pass3::
+      "variable_defined" expression => isvariable("${variable_prefix}.${variable_name}");  
+      "config_defined" expression => isvariable("vault.config");
+
+  methods:
+    pass1::
+      "Auth" usebundle => vault_get_token("userpass"),
+        ifvarclass => not(isvariable("vault.auth_token"));
+
+    pass3.variable_defined::
+      "success" usebundle => _classes_repaired("${old_class_prefix}");
+      "success" usebundle => _classes_repaired("${class_prefix}");
+      "report" usebundle => _log("Variable definition from the ${path} secret path in Vault", "${old_class_prefix}", "${class_prefix}", @{args});
+
+    pass3.!variable_defined.!vault_reachable::
+      "failure" usebundle => _classes_failure("${old_class_prefix}");
+      "failure" usebundle => _classes_failure("${class_prefix}");
+      "report" usebundle => _log("Vault server unreachable. Variable definition from the ${path} secret path in Vault", "${old_class_prefix}", "${class_prefix}", @{args}),
+        ifvarclass => "config_defined";
+      "report" usebundle => _log("Undefined configuration. Variable definition from the ${path} secret path in Vault", "${old_class_prefix}", "${class_prefix}", @{args}),
+        ifvarclass => "!config_defined";
+
+    pass3.!variable_defined.vault_reachable::
+      "failure" usebundle => _classes_failure("${old_class_prefix}");
+      "failure" usebundle => _classes_failure("${class_prefix}");
+      "report" usebundle => _log("Vault server is reachable, but your request failed. Check your auth and secret path. Variable definition from the ${path} secret path in Vault", "${old_class_prefix}", "${class_prefix}", @{args});
+}

vault/share/plugins/vault/sample_vault.json

@@ -0,0 +1,11 @@
+{
+  "server_addr": "YOUR_VAULT_SERVER",
+  "auth":
+  {
+    "userpass":
+    {
+      "user": "USER",
+      "password": "PASSWD"
+    }
+  }
+}