Package list python-castellan / 68c1eb5
Replaces _get_api_version with config option This patch fixes the issue when guessing the KV API version fails. From now on, a configuration option should be used to set vault's API version. Change-Id: I962b29519c189dddf9723689e6aaeed2cac3ff2c Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com> Moisés Guimarães de Medeiros 1 year, 3 months ago
2 changed file(s) with 19 addition(s) and 21 deletion(s). Raw diff Collapse all Expand all
4040
4141 _DEFAULT_VAULT_URL = "http://127.0.0.1:8200"
4242 _DEFAULT_MOUNTPOINT = "secret"
43 _DEFAULT_VERSION = 2
4344
4445 _vault_opts = [
4546 cfg.StrOpt('root_token_id',
5253 default=_DEFAULT_MOUNTPOINT,
5354 help='Mountpoint of KV store in Vault to use, for example: '
5455 '{}'.format(_DEFAULT_MOUNTPOINT)),
56 cfg.IntOpt('kv_version',
57 default=_DEFAULT_VERSION,
58 help='Version of KV store in Vault to use, for example: '
59 '{}'.format(_DEFAULT_VERSION)),
5560 cfg.StrOpt('vault_url',
5661 default=_DEFAULT_VAULT_URL,
5762 help='Use this endpoint to connect to Vault, for example: '
9196 self._approle_token_ttl = None
9297 self._approle_token_issue = None
9398 self._kv_mountpoint = self._conf.vault.kv_mountpoint
99 self._kv_version = self._conf.vault.kv_version
94100 self._vault_url = self._conf.vault.vault_url
95101 if self._vault_url.startswith("https://"):
96102 self._verify_server = self._conf.vault.ssl_ca_crt_file or True
97103 else:
98104 self._verify_server = False
99 self._vault_kv_version = None
100105
101106 def _get_url(self):
102107 if not self._vault_url.endswith('/'):
103108 self._vault_url += '/'
104109 return self._vault_url
105110
106 def _get_api_version(self):
107 if self._vault_kv_version:
108 return self._vault_kv_version
109
110 resource_url = '{}v1/sys/internal/ui/mounts/{}'.format(
111 self._get_url(),
112 self._kv_mountpoint
113 )
114 resp = self._do_http_request(self._session.get, resource_url)
115
116 if resp.status_code == requests.codes['not_found']:
117 self._vault_kv_version = '1'
118 else:
119 self._vault_kv_version = resp.json()['data']['options']['version']
120
121 return self._vault_kv_version
122
123111 def _get_resource_url(self, key_id=None):
124112 return '{}v1/{}/{}{}'.format(
125113 self._get_url(),
126114 self._kv_mountpoint,
127115
128 '' if self._get_api_version() == '1' else
116 '' if self._kv_version == 1 else
129117 'data/' if key_id else
130118 'metadata/', # no key_id is for listing and 'data/' doesn't works
131119
267255 'name': value.name,
268256 'created': value.created
269257 }
270 if self._get_api_version() != '1':
258 if self._kv_version > 1:
271259 record = {'data': record}
272260
273261 self._do_http_request(self._session.post,
312300 raise exception.ManagedObjectNotFoundError(uuid=key_id)
313301
314302 record = resp.json()['data']
315 if self._get_api_version() != '1':
303 if self._kv_version > 1:
316304 record = record['data']
317305
318306 key = None if metadata_only else binascii.unhexlify(record['value'])
0 ---
1 fixes:
2 - |
3 In some situations, vault will not provide KV API version in the options
4 structure. Vault documentation [1] doesn't cover cases when KV API version
5 is not provided. A new configuration option, with default value equivalent
6 to the latest KV API version available (kv_version=2) was added to allow
7 precise configuration of the KV API being used.
8
9 [1] https://learn.hashicorp.com/vault/secrets-management/sm-versioned-kv