Some improvements in csui application to add app roles

library/servicenow/env_user.py

@@ -2,22 +2,42 @@
 # -*- coding: utf-8 -*-
 import requests
 import base64
+import socket
 from library.vault.client import clientV
 
+
+HOSTNAME = socket.getfqdn()
+IS_DEV = ('.dev.' in HOSTNAME)
+IS_ACC = ('.acc.' in HOSTNAME)
+IS_PRODUCTION = (not IS_DEV and not IS_ACC)
+
 # User Input
 http_proxy = 'http://x50l002:x52503@vip-proxy-l4s.snmc.cec.eu.int:8012'
 
-#TODO -> necessary check via ini files the enviorment - create a specofic ini file for that
 
-#vault
-vault_used = "https://sam-hcavault.cec.eu.int/v1/"
-namespance_used = "EC/DIGIT_C4_SNET_ADMIN-ACC"
-token_used = "hvs.CAESIAf5OKUewOGeIXP2QrUSsH-vxQ_o7MEufKxlyALb02N-GikKImh2cy45cmZWamJWQ0ZJdHZGTktlM29LWW9rbloucHhUUWIQ7IaQDw"
-#snow
+#TODO -> necessary check via ini files the enviorment - create a specofic ini file for that
 username = 'DIGIT-WS-SNET-SMART'
-password = clientV.getKVViaHttp('apps-kv/dev/SNOW', vault_used, namespance_used, token_used)
-password = password['data']['data']['password']
-base_url = "https://digituat.service-now.com/api/emdig/v1/itsm"
+
+
+if IS_DEV or IS_ACC :
+    namespace_used = "EC/DIGIT_C4_SNET_ADMIN-ACC"
+    base_url = "https://digituat.service-now.com/api/emdig/v1/itsm"
+    vault_url = "https://sam-hcavault.cec.eu.int"
+    engine = "acc"
+    #Approle approle-dev-csui-change-mgmt
+    role_id_read = "445043ec-398c-fc4d-39f3-00f915eb3049"
+    secret_approle_read = "f2144b45-2e36-f3b6-1a4c-7a5b05a470bf"
+else :
+    namespace_used = "EC/DIGIT_C4_SNET_ADMIN-PROD"
+    base_url = "https://digit.service-now.com/api/emdig/v1/itsm"
+    vault_url = "https://sam-hcpvault.cec.eu.int"
+    engine = 'prod'
+    #Approle approle-prod-csui-change-mgmt
+    role_id_read = "445043ec-398c-fc4d-39f3-00f915eb3049"
+    secret_approle_read = "f2144b45-2e36-f3b6-1a4c-7a5b05a470bf"
+
+password = clientV.getPasswordByAppRole("apps-kv/"+engine+"/SNOW", vault_url, namespace_used, role_id_read, secret_approle_read)
+
 credentials = f"{username}:{password}"
 encoded_credentials = base64.b64encode(credentials.encode("utf-8")).decode("utf-8")
 authorization = f"Basic {encoded_credentials}"

library/vault/client.py

@@ -7,19 +7,39 @@ from json import dumps as json_dumps
 from datetime import datetime
 import time
 import sys
-#from library.servicenow.env_user import http_proxy
-
+import hvac
+from library.servicenow import env_user
+#https://intragate.ec.europa.eu/snet/wiki/index.php/System/accessing_and_managing_hashicorp_vault
+#https://developer.hashicorp.com/vault/docs/auth/approle
+#https://hvac.readthedocs.io/en/stable/usage/auth_methods/approle.html
 class Vault(object):
 
     def __init__(self):
         self.session = requests.Session()
-        self.path_change = "apps-kv/dev/"
 
-    def getKVViaHttp(self, key, vault_used, namespance_used, token_used):
-        url = vault_used +key
+
+    def getPasswordByAppRole(self, key, vault_url, namespace_used, role_id, secret_id):
+        # Create a client instance
+        client = hvac.Client(url=vault_url, namespace=namespace_used,  verify=False)
+        response = client.auth.approle.login(role_id=role_id, secret_id=secret_id)
+        # Extract the client token from the response
+        client.token = response['auth']['client_token']
+        secret = self.getPasswordViaToken(key, vault_url, namespace_used, client.token )
+        secret_data = False
+        if secret is not None:
+            secret_data = secret['data']['data']['password']
+            #print(secret_data)
+        else:
+            print("Failed to retrieve the secret.")
+        client.logout()
+        return secret_data
+
+
+    def getPasswordViaToken(self, key, vault_used, namespace_used, token_used):
+        url = vault_used + "/v1/" +key
         headers = {
             "X-Vault-Token": token_used,
-            "X-Vault-Namespace": namespance_used
+            "X-Vault-Namespace": namespace_used
         }
         response = requests.get(url, headers=headers, verify=False)
         return response.json()