Fixes #12959: Add direct token auth to the auth_modes for the Vault p…

…lugin
Normation · Jul 16, 2018 · 3225dbe · 3225dbe
1 parent 92229ec
commit 3225dbe
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 14 deletions.
diff --git a/vault/packaging/postinst b/vault/packaging/postinst
@@ -4,4 +4,4 @@ cp -a /opt/rudder/share/plugins/vault/* /var/rudder/configuration-repository/ncf
 cd /var/rudder/configuration-repository/ncf/
 rm sample_vault.json
 git add . && git commit -m "Vault plugin installation"
-echo 'A sample config file was provided at /opt/rudder/share/plugins/vault/sample_vault.json'
+echo '[+] A sample config file was provided at /opt/rudder/share/plugins/vault/sample_vault.json'
diff --git a/vault/share/plugins/vault/20_cfe_basics/vault_lib.cf b/vault/share/plugins/vault/20_cfe_basics/vault_lib.cf
@@ -22,6 +22,7 @@
 #   "server_addr": "YOUR_VAULT_SERVER",
 #   "auth":
 #   {
+#     "mode": "userpass",
 #     "userpass":
 #     {
 #       "user": "USER",
@@ -30,7 +31,7 @@
 #   }
 # }
 #
-# The auth field can contain one field for each auth mode, with the latter as key name.
+# The auth field can contain one field for each auth mode, with the latter as key name. It needs a "mode" field to determine which one to use.
 
 bundle agent vault_fetch_config()
 {
@@ -39,31 +40,37 @@ bundle agent vault_fetch_config()
       "vault.config" data => readjson("${config_path}");
 }
 
-bundle agent vault_get_token(auth_mode)
+bundle agent vault_get_token()
 {
   vars:
-      "class_prefix" string => canonify("vault_get_token${auth_mode}");
-
     pass1::
       "vault.server_addr" string => "${vault.config[server_addr]}";
-
+      "vault.auth_mode" string => "${vault.config[auth][mode]}";
+
+    pass2.mode_token.vault_reachable::
+      "vault.auth_token" string => "${vault.config[auth][token]}"; 
+
     pass2.mode_userpass.vault_reachable::
       "vault_apicall_output" string => execresult("/usr/bin/curl -s --request POST --data '{\"password\": \"${vault.config[auth][userpass][password]}\"}' ${vault.server_addr}/v1/auth/userpass/login/${vault.config[auth][userpass][user]}", "noshell");
-      
+
       "data_output" data => "${vault_apicall_output}";
 
     pass2.vault_reachable::
       "vault.auth_token" string => "${data_output[auth][client_token]}",
         ifvarclass => isvariable("data_output[auth][client_token]");
-
+
+      "vault.auth_token" string => "${vault.config[auth][token]}",
+        ifvarclass => "direct_token_correct";
+
   classes:
-    pass1::
+    pass2::
       # We need this to determinate whether an auth error is due to bad credentials or the Vault server being unreachable
-      "vault_reachable" expression => returnszero("/usr/bin/curl -s ${vault.server_addr}", "noshell");
-
+      "vault_reachable" expression => returnszero("/usr/bin/curl -s ${vault.server_addr}", "noshell"); 
+      
       # What auth mode are we using
-      "mode_userpass" expression => strcmp("${auth_mode}", "userpass");
-
+      "mode_userpass" expression => strcmp("${vault.auth_mode}", "userpass");
+      "mode_token" expression => strcmp("${vault.auth_mode}", "token");
+
     any::
       "pass3" expression => "pass2";
       "pass2" expression => "pass1";

diff --git a/vault/share/plugins/vault/30_generic_methods/variable_from_vault.cf b/vault/share/plugins/vault/30_generic_methods/variable_from_vault.cf
@@ -56,7 +56,7 @@ bundle agent variable_from_vault(variable_prefix, variable_name, path)
 
   methods:
     pass1::
-      "Auth" usebundle => vault_get_token("userpass"),
+      "Auth" usebundle => vault_get_token(),
         ifvarclass => not(isvariable("vault.auth_token"));
 
     pass3.variable_defined::