vault app roles

d2681554 · Andre Marcelo FERREIRA FREIRE TEIXEIRA · a2e7b9b7 · d2681554 · d2681554 · d2681554
Commit d2681554 authored 1 year ago by Andre Marcelo FERREIRA FREIRE TEIXEIRA
--- a/library/servicenow/connector.py
+++ b/library/servicenow/connector.py
@@ -18,6 +18,7 @@ class ServiceNow(object):


    def _get(self, url, url_params={}, **json_kwargs):
+        print('GET {}'.format(url))
        log.debug('GET {}'.format(url))
        try:
            request = self.session.get(self.base + url, params=url_params, verify=True, headers=self.headers, proxies=self.proxies)

--- a/library/servicenow/env_user.py
+++ b/library/servicenow/env_user.py
@@ -60,10 +60,8 @@ vault_url = "https://sam-hcavault.cec.eu.int"
 #approle:   csui-change-mgmt-prod
 #role_id    331d3f1d-2361-e30b-9ac0-3a48a0f1e473
 #secret_id  b741c6c9-5536-6a8e-32a2-159be4a4297c
-
-#IS_DEV = False
-#IS_ACC = False
-
+IS_DEV = False
+IS_ACC = False
 #enviorment
 if IS_DEV:
    print('IS DEV')
@@ -84,9 +82,9 @@ else :
    role_id_read = '331d3f1d-2361-e30b-9ac0-3a48a0f1e473'
    secret_approle_read = 'b741c6c9-5536-6a8e-32a2-159be4a4297c'

-#necessary check with Javier
-password = clientV.getPasswordByAppRole(engine+"/SNOW/csui", vault_url, namespace_used, role_id_read, secret_approle_read, "apps-kv")
-print(password, "password")
+
+password = clientV.getPasswordByAppRole(engine+"/SNOW/csui", vault_url, namespace_used, role_id_read, secret_approle_read, "apps-kv", engine)
+
 credentials = f"{username}:{password}"
 encoded_credentials = base64.b64encode(credentials.encode("utf-8")).decode("utf-8")
 authorization = f"Basic {encoded_credentials}"

--- a/library/vault/client.py
+++ b/library/vault/client.py
@@ -12,27 +12,25 @@ from library.servicenow import env_user
 #https://intragate.ec.europa.eu/snet/wiki/index.php/System/accessing_and_managing_hashicorp_vault
 #https://developer.hashicorp.com/vault/docs/auth/approle
 #https://hvac.readthedocs.io/en/stable/usage/auth_methods/approle.html
+#https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html#read-secret-metadata
+#curl -H "X-Vault-Namespace: EC/DIGIT_C4_SNET_ADMIN-ACC" -X POST --tlsv1.2 --data '{"password": "password"}' https://sam-hcavault.cec.eu.int/v1/auth/userpass/login/fandrem
 class Vault(object):

    def __init__(self):
        self.session = requests.Session()
-    #https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html#read-secret-metadata
-    #curl -H "X-Vault-Namespace: EC/DIGIT_C4_SNET_ADMIN-ACC" -X POST --tlsv1.2 --data '{"password": "password"}' https://sam-hcavault.cec.eu.int/v1/auth/userpass/login/fandrem
-    def getPasswordByAppRole(self, key, vault_url, namespace_used, role_id, secret_id, mount_point):
+
+    def getPasswordByAppRole(self, key, vault_url, namespace_used, role_id, secret_id, mount_point, engine):
        # Create a client instance
-        client = hvac.Client(url=vault_url, namespace=namespace_used,  verify=False)
+        client = hvac.Client(url=vault_url, namespace=namespace_used,  verify="/etc/ssl/certs/")
        response = client.auth.approle.login(role_id=role_id, secret_id=secret_id)
        # Extract the client token from the response
        client.token = response['auth']['client_token']
-        print(client.token, "client.token")
-        secret = client.secrets.kv.v1.read_secret(path=key,mount_point=mount_point)
-        #secret = client.secrets.kv.v2.read_secret_version(path=key, version=2)
-        print(secret, "secret")
-        #secret = self.getPasswordViaToken(key, vault_url, namespace_used, client.token )
+        #TODO : Acc using version 1 in the past now all is uniform
+        #secret = client.secrets.kv.v1.read_secret(path=key,mount_point=mount_point)
+        secret = client.secrets.kv.v2.read_secret_version(path=key ,mount_point=mount_point)
        secret_data = False
-        #print(secret,"secret")
        if secret is not None  and 'data' in secret and secret['data'] is not None:
-            secret_data = secret['data']['data']['password']
+            secret_data =secret['data']['data']['data']['password']
            #print(secret_data)
        else:
            print(secret, "secret")
@@ -40,17 +38,5 @@ class Vault(object):
        client.logout()
        return secret_data

-
-    def getPasswordViaToken(self, key, vault_used, namespace_used, token_used):
-        url = vault_used + "/v1/" +key
-        print(url, "url")
-        headers = {
-            "X-Vault-Token": token_used,
-            "X-Vault-Namespace": namespace_used
-        }
-        response = requests.get(url, headers=headers, verify=False)
-        return response.json()
-
-
 log = logging.getLogger(__name__)
 clientV = Vault()