Fix hashi_vault lookup approle authentication (#1138)
As per the plugin documentation and the Hashicorp Vault documentation (https://www.vaultproject.io/docs/auth/approle#secretid) secret_id is not mandatory. Moreover, using this lookup plugin without a secret_id used to work in Ansible 2.9. Co-authored-by: Jonathan Piron <jonathanpiron@gmail.com>
parent
f4c63ede7f
commit
6cec8759d0
5 changed files with 75 additions and 1 deletions
|
@ -0,0 +1,2 @@
|
||||||
|
bugfixes:
|
||||||
|
- hashi_vault - fix approle authentication without ``secret_id`` (https://github.com/ansible-collections/community.general/pull/1138).
|
|
@ -588,7 +588,7 @@ class LookupModule(LookupBase):
|
||||||
self.validate_by_required_fields(auth_method, 'username', 'password')
|
self.validate_by_required_fields(auth_method, 'username', 'password')
|
||||||
|
|
||||||
def validate_auth_approle(self, auth_method):
|
def validate_auth_approle(self, auth_method):
|
||||||
self.validate_by_required_fields(auth_method, 'role_id', 'secret_id')
|
self.validate_by_required_fields(auth_method, 'role_id')
|
||||||
|
|
||||||
def validate_auth_token(self, auth_method):
|
def validate_auth_token(self, auth_method):
|
||||||
if auth_method == 'token':
|
if auth_method == 'token':
|
||||||
|
|
|
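Review bot: Dropping `'secret_id'` from the required-fields call on the replaced line makes the option silently optional, but nothing in the hunk updates the plugin's `secret_id` option documentation, which is what users read to decide how the AppRole must be configured; extend its description with something like `Optional when the role was created with C(bind_secret_id=false); otherwise Vault will reject the login.` The login code that actually forwards `secret_id` to the Vault client is outside this hunk, so it is worth confirming it tolerates an absent value rather than sending an empty string that Vault then reports as a generic authentication failure. The enclosing class `LookupModule` continues beyond the hunk.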
@ -0,0 +1,19 @@
|
||||||
|
- name: 'Create an approle policy'
|
||||||
|
shell: "echo '{{ policy }}' | {{ vault_cmd }} policy write approle-policy-2 -"
|
||||||
|
vars:
|
||||||
|
policy: |
|
||||||
|
path "auth/approle/login" {
|
||||||
|
capabilities = [ "create", "read" ]
|
||||||
|
}
|
||||||
|
|
||||||
|
- name: 'Enable the AppRole auth method'
|
||||||
|
command: '{{ vault_cmd }} auth enable approle'
|
||||||
|
register: enable_approle
|
||||||
|
failed_when: "enable_approle.rc!=0 and 'path is already in use' not in enable_approle.stderr"
|
||||||
|
|
||||||
|
- name: 'Create a named role without secret id'
|
||||||
|
command: '{{ vault_cmd }} write auth/approle/role/test-role-2 policies="test-policy,approle-policy-2" bind_secret_id=false secret_id_bound_cidrs="0.0.0.0/0"'
|
||||||
|
|
||||||
|
- name: 'Fetch the RoleID of the AppRole'
|
||||||
|
command: '{{ vault_cmd }} read -field=role_id auth/approle/role/test-role-2/role-id'
|
||||||
|
register: role_id_cmd_2
|
|
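Review bot: The `shell:` pipeline at `echo '{{ policy }}' | {{ vault_cmd }} policy write approle-policy-2 -` routes a templated value through a shell, which breaks as soon as the policy text contains a single quote; the `command` module's `stdin` parameter does the same job without a shell: `command: '{{ vault_cmd }} policy write approle-policy-2 -'` with `stdin: '{{ policy }}'`. The role written on the `write auth/approle/role/test-role-2 ...` line disables the secret id and binds to `0.0.0.0/0`, which is appropriate for a throwaway test fixture but deserves a comment so it is not copied into real setups, e.g. `# test fixture only: no secret_id and an open CIDR binding`. The `failed_when` on the enable task correctly tolerates a re-run where the auth method already exists.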
@ -0,0 +1,44 @@
|
||||||
|
- vars:
|
||||||
|
role_id: '{{ role_id_cmd_2.stdout }}'
|
||||||
|
block:
|
||||||
|
- name: 'Fetch secrets using "hashi_vault" lookup'
|
||||||
|
set_fact:
|
||||||
|
secret1: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret1 auth_method=approle role_id=' ~ role_id) }}"
|
||||||
|
secret2: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=approle role_id=' ~ role_id) }}"
|
||||||
|
|
||||||
|
- name: 'Check secret values'
|
||||||
|
fail:
|
||||||
|
msg: 'unexpected secret values'
|
||||||
|
when: secret1['value'] != 'foo1' or secret2['value'] != 'foo2'
|
||||||
|
|
||||||
|
- name: 'Failure expected when erroneous credentials are used'
|
||||||
|
vars:
|
||||||
|
secret_wrong_cred: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=approle role_id=foobar') }}"
|
||||||
|
debug:
|
||||||
|
msg: 'Failure is expected ({{ secret_wrong_cred }})'
|
||||||
|
register: test_wrong_cred
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- name: 'Failure expected when unauthorized secret is read'
|
||||||
|
vars:
|
||||||
|
secret_unauthorized: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret3 auth_method=approle role_id=' ~ role_id) }}"
|
||||||
|
debug:
|
||||||
|
msg: 'Failure is expected ({{ secret_unauthorized }})'
|
||||||
|
register: test_unauthorized
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- name: 'Failure expected when inexistent secret is read'
|
||||||
|
vars:
|
||||||
|
secret_inexistent: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/non_existent_secret4 auth_method=approle role_id=' ~ role_id) }}"
|
||||||
|
debug:
|
||||||
|
msg: 'Failure is expected ({{ secret_inexistent }})'
|
||||||
|
register: test_inexistent
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- name: 'Check expected failures'
|
||||||
|
assert:
|
||||||
|
msg: "an expected failure didn't occur"
|
||||||
|
that:
|
||||||
|
- test_wrong_cred is failed
|
||||||
|
- test_unauthorized is failed
|
||||||
|
- test_inexistent is failed
|
|
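Review bot: The 'Check secret values' task uses `fail:` with a `when:` on `secret1['value'] != 'foo1' or secret2['value'] != 'foo2'`, while 'Check expected failures' at the end of the same file uses `assert:` with a `that:` list; using `assert:` in both places is more consistent and reports which of the two values was wrong instead of a single 'unexpected secret values' message. The three 'Failure expected ...' tasks differ only in the lookup argument and the registered name, so a short comment above the first stating that each negative case is kept separate on purpose (so the registered result names stay readable in the final assert) would help the next reader who is tempted to loop them.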
@ -146,6 +146,10 @@
|
||||||
import_tasks: approle_setup.yml
|
import_tasks: approle_setup.yml
|
||||||
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
|
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
|
||||||
|
|
||||||
|
- name: setup approle secret_id_less auth
|
||||||
|
import_tasks: approle_secret_id_less_setup.yml
|
||||||
|
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
|
||||||
|
|
||||||
- name: setup token auth
|
- name: setup token auth
|
||||||
import_tasks: token_setup.yml
|
import_tasks: token_setup.yml
|
||||||
|
|
||||||
|
@ -158,6 +162,11 @@
|
||||||
auth_type: approle
|
auth_type: approle
|
||||||
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
|
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
|
||||||
|
|
||||||
|
- import_tasks: tests.yml
|
||||||
|
vars:
|
||||||
|
auth_type: approle_secret_id_less
|
||||||
|
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
|
||||||
|
|
||||||
- import_tasks: tests.yml
|
- import_tasks: tests.yml
|
||||||
vars:
|
vars:
|
||||||
auth_type: token
|
auth_type: token
|
||||||
|
|
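Review bot: The new 'setup approle secret_id_less auth' task and the new `tests.yml` import with `auth_type: approle_secret_id_less` each repeat the `when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')` condition that the existing approle tasks already carry, so the same expression now appears four times in this file. Factoring it into one variable, e.g. `approle_supported: "{{ ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>') }}"` and `when: approle_supported`, or grouping the approle tasks in a `block:` with a single `when:`, keeps the platform rule in one place; the surrounding task list continues outside both hunks, so the best location for that variable is not visible here.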