Add VAULT_MOUNT_POINT var

IM/REST.py

@@ -30,6 +30,7 @@
 from radl.radl_json import parse_radl as parse_radl_json, dump_radl as dump_radl_json, featuresToSimple, radlToSimple
 from radl.radl import RADL, Features, Feature
 from IM.tosca.Tosca import Tosca
+from IM.openid.JWT import JWT
 
 logger = logging.getLogger('InfrastructureManager')
 
@@ -237,6 +238,11 @@ def get_auth_header():
         vault_auth = {"type": "Vault", "host": Config.VAULT_URL, "token": token}
         if Config.VAULT_PATH:
             vault_auth["path"] = Config.VAULT_PATH
+        if "#USER_SUB#" in Config.VAULT_PATH:
+            decoded_token = JWT().get_info(token)
+            vault_auth["path"] = Config.VAULT_PATH.replace("#USER_SUB#", decoded_token.get("sub"))
+        if Config.VAULT_MOUNT_POINT:
+            vault_auth["mount_point"] = Config.VAULT_MOUNT_POINT
         if Config.VAULT_ROLE:
             vault_auth["role"] = Config.VAULT_ROLE
         return Authentication([im_auth, vault_auth])

IM/config.py

@@ -117,6 +117,7 @@ class Config:
     ENABLE_CORS = False
     CORS_ORIGIN = '*'
     VAULT_URL = None
+    VAULT_MOUNT_POINT = None
     VAULT_PATH = None
     VAULT_ROLE = None
     VM_TAG_USERNAME = None

doc/source/manual.rst

@@ -602,7 +602,14 @@ get the all the credential values from the configured Vault server.
 
 .. confval:: VAULT_PATH 
 
-   Configured path of the KV (ver 1) secret. 
+   Configured path of the KV (ver 1) secret.
+   This field has one special substitution value: ``#USER_SUB#`` that is replaced by the user
+   ID obtained from the OpenID token provided.
+   The default value is ``vault_entity_id``.
+
+.. confval:: VAULT_MOUNT_POINT
+
+   Configured mount point of the KV (ver 1) secret.
    The default value is ``'credentials/'``.
 
 .. confval:: VAULT_ROLE 

etc/im.cfg

@@ -167,6 +167,7 @@ CORS_ORIGIN = *
 # Variables to configure Vault to get user credentials
 #VAULT_URL = 
 #VAULT_PATH = 
+#VAULT_MOUNT_POINT =
 #VAULT_ROLE = 
 
 # Name of the tags that IM will add in the VMs with