
Fix hashi_vault lookup approle authentication (#1138)

As per the plugin documentation and the HashiCorp Vault documentation (https://www.vaultproject.io/docs/auth/approle#secretid),
secret_id is not mandatory.
Moreover, using this lookup plugin without a secret_id used to work in
Ansible 2.9.

Co-authored-by: Jonathan Piron <jonathanpiron@gmail.com>
This commit is contained in:
Jonathan Piron 2020-11-16 16:42:42 +01:00 committed by GitHub
parent f4c63ede7f
commit 6cec8759d0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 75 additions and 1 deletions


@ -0,0 +1,2 @@
bugfixes:
- hashi_vault - fix approle authentication without ``secret_id`` (https://github.com/ansible-collections/community.general/pull/1138).


@ -588,7 +588,7 @@ class LookupModule(LookupBase):
self.validate_by_required_fields(auth_method, 'username', 'password') self.validate_by_required_fields(auth_method, 'username', 'password')
def validate_auth_approle(self, auth_method): def validate_auth_approle(self, auth_method):
self.validate_by_required_fields(auth_method, 'role_id', 'secret_id') self.validate_by_required_fields(auth_method, 'role_id')
def validate_auth_token(self, auth_method): def validate_auth_token(self, auth_method):
if auth_method == 'token': if auth_method == 'token':
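Review bot: Dropping `'secret_id'` from the required-field list makes `validate_auth_approle` accept a role_id-only call, but the hunk does not show how the approle login path (outside this hunk) treats the now-absent value; confirm it omits `secret_id` from the login request rather than sending an empty string, which a role that still binds a secret id would reject with a less helpful error than the old validation gave. The relaxed check deserves a comment so the next maintainer does not reinstate the old requirement: `# secret_id is optional: a role created with bind_secret_id=false logs in with role_id alone`. With role_id as the only credential in that mode, the plugin documentation should state that protection then rests entirely on the role's own constraints (bind_secret_id, bound CIDRs) rather than on anything the lookup checks.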


@ -0,0 +1,19 @@
- name: 'Create an approle policy'
shell: "echo '{{ policy }}' | {{ vault_cmd }} policy write approle-policy-2 -"
vars:
policy: |
path "auth/approle/login" {
capabilities = [ "create", "read" ]
}
- name: 'Enable the AppRole auth method'
command: '{{ vault_cmd }} auth enable approle'
register: enable_approle
failed_when: "enable_approle.rc!=0 and 'path is already in use' not in enable_approle.stderr"
- name: 'Create a named role without secret id'
command: '{{ vault_cmd }} write auth/approle/role/test-role-2 policies="test-policy,approle-policy-2" bind_secret_id=false secret_id_bound_cidrs="0.0.0.0/0"'
- name: 'Fetch the RoleID of the AppRole'
command: '{{ vault_cmd }} read -field=role_id auth/approle/role/test-role-2/role-id'
register: role_id_cmd_2
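Review bot: The `write auth/approle/role/test-role-2` task combines `bind_secret_id=false` with `secret_id_bound_cidrs="0.0.0.0/0"`, which leaves no effective constraint on who may log in with the role_id; that is fine for an integration fixture, but the intent should be stated inline, e.g. `# test fixture only: a role with bind_secret_id=false must carry some other constraint, and 0.0.0.0/0 satisfies that without restricting anything`. My reading that Vault insists on at least one constraint comes from the AppRole docs linked in the commit message, so confirm it against the Vault version CI runs. The first task pipes the templated policy through `shell` while every other task in the file uses `command`; `policy` is a fixed in-file literal so nothing untrusted reaches the shell here, but `command: '{{ vault_cmd }} policy write approle-policy-2 -'` with `args: {stdin: '{{ policy }}'}` keeps the file consistent and avoids shell quoting of the policy text.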


@ -0,0 +1,44 @@
- vars:
role_id: '{{ role_id_cmd_2.stdout }}'
block:
- name: 'Fetch secrets using "hashi_vault" lookup'
set_fact:
secret1: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret1 auth_method=approle role_id=' ~ role_id) }}"
secret2: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=approle role_id=' ~ role_id) }}"
- name: 'Check secret values'
fail:
msg: 'unexpected secret values'
when: secret1['value'] != 'foo1' or secret2['value'] != 'foo2'
- name: 'Failure expected when erroneous credentials are used'
vars:
secret_wrong_cred: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=approle role_id=foobar') }}"
debug:
msg: 'Failure is expected ({{ secret_wrong_cred }})'
register: test_wrong_cred
ignore_errors: true
- name: 'Failure expected when unauthorized secret is read'
vars:
secret_unauthorized: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret3 auth_method=approle role_id=' ~ role_id) }}"
debug:
msg: 'Failure is expected ({{ secret_unauthorized }})'
register: test_unauthorized
ignore_errors: true
- name: 'Failure expected when inexistent secret is read'
vars:
secret_inexistent: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/non_existent_secret4 auth_method=approle role_id=' ~ role_id) }}"
debug:
msg: 'Failure is expected ({{ secret_inexistent }})'
register: test_inexistent
ignore_errors: true
- name: 'Check expected failures'
assert:
msg: "an expected failure didn't occur"
that:
- test_wrong_cred is failed
- test_unauthorized is failed
- test_inexistent is failed
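Review bot: The negative cases cover a wrong role_id, an unauthorized path and a missing secret, but none checks that a role which still binds a secret id rejects a role_id-only login now that the lookup no longer demands `secret_id`; without it, a regression that silently drops secret_id handling would pass this suite. A task mirroring the "erroneous credentials" one, using the role_id from the existing approle setup (created outside this commit) with no secret_id, plus a fourth `that:` entry such as `- test_missing_secret_id is failed`, would close that gap. The `ignore_errors: true` + `register` pattern used for the expected failures is consistent with the other test files and reads clearly.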


@ -146,6 +146,10 @@
import_tasks: approle_setup.yml import_tasks: approle_setup.yml
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>') when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
- name: setup approle secret_id_less auth
import_tasks: approle_secret_id_less_setup.yml
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
- name: setup token auth - name: setup token auth
import_tasks: token_setup.yml import_tasks: token_setup.yml
@ -158,6 +162,11 @@
auth_type: approle auth_type: approle
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>') when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
- import_tasks: tests.yml
vars:
auth_type: approle_secret_id_less
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
- import_tasks: tests.yml - import_tasks: tests.yml
vars: vars:
auth_type: token auth_type: token
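Review bot: Both added tasks copy the `when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')` guard verbatim, so the same condition now appears five times in this file (the second hunk repeats the first's pattern); a fact set once, e.g. `approle_supported: "{{ ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>') }}"`, followed by `when: approle_supported` on each approle task, would make a future change to the platform rule a one-line edit. The reason RHEL 7 is excluded is not visible in either hunk, so a short comment above the first guarded task stating it would help whoever next touches the condition. The enclosing task list starts and ends outside both hunks.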