40 | 40 |
|
41 | 41 |
_DEFAULT_VAULT_URL = "http://127.0.0.1:8200"
|
42 | 42 |
_DEFAULT_MOUNTPOINT = "secret"
|
|
43 |
_DEFAULT_VERSION = 2
|
43 | 44 |
|
44 | 45 |
_vault_opts = [
|
45 | 46 |
cfg.StrOpt('root_token_id',
|
|
52 | 53 |
default=_DEFAULT_MOUNTPOINT,
|
53 | 54 |
help='Mountpoint of KV store in Vault to use, for example: '
|
54 | 55 |
'{}'.format(_DEFAULT_MOUNTPOINT)),
|
|
56 |
cfg.IntOpt('kv_version',
|
|
57 |
default=_DEFAULT_VERSION,
|
|
58 |
help='Version of KV store in Vault to use, for example: '
|
|
59 |
'{}'.format(_DEFAULT_VERSION)),
|
55 | 60 |
cfg.StrOpt('vault_url',
|
56 | 61 |
default=_DEFAULT_VAULT_URL,
|
57 | 62 |
help='Use this endpoint to connect to Vault, for example: '
|
|
91 | 96 |
self._approle_token_ttl = None
|
92 | 97 |
self._approle_token_issue = None
|
93 | 98 |
self._kv_mountpoint = self._conf.vault.kv_mountpoint
|
|
99 |
self._kv_version = self._conf.vault.kv_version
|
94 | 100 |
self._vault_url = self._conf.vault.vault_url
|
95 | 101 |
if self._vault_url.startswith("https://"):
|
96 | 102 |
self._verify_server = self._conf.vault.ssl_ca_crt_file or True
|
97 | 103 |
else:
|
98 | 104 |
self._verify_server = False
|
99 | |
self._vault_kv_version = None
|
100 | 105 |
|
101 | 106 |
def _get_url(self):
|
102 | 107 |
if not self._vault_url.endswith('/'):
|
103 | 108 |
self._vault_url += '/'
|
104 | 109 |
return self._vault_url
|
105 | 110 |
|
106 | |
def _get_api_version(self):
|
107 | |
if self._vault_kv_version:
|
108 | |
return self._vault_kv_version
|
109 | |
|
110 | |
resource_url = '{}v1/sys/internal/ui/mounts/{}'.format(
|
111 | |
self._get_url(),
|
112 | |
self._kv_mountpoint
|
113 | |
)
|
114 | |
resp = self._do_http_request(self._session.get, resource_url)
|
115 | |
|
116 | |
if resp.status_code == requests.codes['not_found']:
|
117 | |
self._vault_kv_version = '1'
|
118 | |
else:
|
119 | |
self._vault_kv_version = resp.json()['data']['options']['version']
|
120 | |
|
121 | |
return self._vault_kv_version
|
122 | |
|
123 | 111 |
def _get_resource_url(self, key_id=None):
|
124 | 112 |
return '{}v1/{}/{}{}'.format(
|
125 | 113 |
self._get_url(),
|
126 | 114 |
self._kv_mountpoint,
|
127 | 115 |
|
128 | |
'' if self._get_api_version() == '1' else
|
|
116 |
'' if self._kv_version == 1 else
|
129 | 117 |
'data/' if key_id else
|
130 | 118 |
'metadata/', # no key_id is for listing and 'data/' doesn't works
|
131 | 119 |
|
|
267 | 255 |
'name': value.name,
|
268 | 256 |
'created': value.created
|
269 | 257 |
}
|
270 | |
if self._get_api_version() != '1':
|
|
258 |
if self._kv_version > 1:
|
271 | 259 |
record = {'data': record}
|
272 | 260 |
|
273 | 261 |
self._do_http_request(self._session.post,
|
|
312 | 300 |
raise exception.ManagedObjectNotFoundError(uuid=key_id)
|
313 | 301 |
|
314 | 302 |
record = resp.json()['data']
|
315 | |
if self._get_api_version() != '1':
|
|
303 |
if self._kv_version > 1:
|
316 | 304 |
record = record['data']
|
317 | 305 |
|
318 | 306 |
key = None if metadata_only else binascii.unhexlify(record['value'])
|