From 25b771ef3afc63e9c732484fa4aa8f31dc3dd367 Mon Sep 17 00:00:00 2001
From: Miguel Caballer
Date: Wed, 28 Jun 2023 09:20:38 +0200
Subject: [PATCH] Add VAULT_MOUNT_POINT var
---
 IM/REST.py | 6 ++++++
 IM/config.py | 1 +
 doc/source/manual.rst | 9 ++++++++-
 etc/im.cfg | 1 +
 4 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/IM/REST.py b/IM/REST.py
index 431403713..2d69150af 100644
--- a/IM/REST.py
+++ b/IM/REST.py
@@ -30,6 +30,7 @@ from radl.radl_json import parse_radl as parse_radl_json, dump_radl as dump_radl_json, featuresToSimple, radlToSimple
 from radl.radl import RADL, Features, Feature
 from IM.tosca.Tosca import Tosca
+from IM.openid.JWT import JWT
 logger = logging.getLogger('InfrastructureManager')
@@ -237,6 +238,11 @@ def get_auth_header():
 vault_auth = {"type": "Vault", "host": Config.VAULT_URL, "token": token}
 if Config.VAULT_PATH:
 vault_auth["path"] = Config.VAULT_PATH
+ if "#USER_SUB#" in Config.VAULT_PATH:
+ decoded_token = JWT().get_info(token)
+ vault_auth["path"] = Config.VAULT_PATH.replace("#USER_SUB#", decoded_token.get("sub"))
+ if Config.VAULT_MOUNT_POINT:
+ vault_auth["mount_point"] = Config.VAULT_MOUNT_POINT
 if Config.VAULT_ROLE:
 vault_auth["role"] = Config.VAULT_ROLE
 return Authentication([im_auth, vault_auth])
diff --git a/IM/config.py b/IM/config.py
index 177cebe94..18249f272 100644
--- a/IM/config.py
+++ b/IM/config.py
@@ -117,6 +117,7 @@ class Config:
 ENABLE_CORS = False
 CORS_ORIGIN = '*'
 VAULT_URL = None
+ VAULT_MOUNT_POINT = None
 VAULT_PATH = None
 VAULT_ROLE = None
 VM_TAG_USERNAME = None
diff --git a/doc/source/manual.rst b/doc/source/manual.rst
index ea25dd5e0..bf1fe471a 100644
--- a/doc/source/manual.rst
+++ b/doc/source/manual.rst
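Review bot: In the new `#USER_SUB#` branch of get_auth_header, `decoded_token.get("sub")` is `None` whenever the token carries no `sub` claim, and `str.replace` then raises `TypeError` on the substitution line instead of producing a clear authentication failure; bind it first, `sub = decoded_token.get("sub")`, and guard with `if not sub:` before the `replace`, rejecting the request the same way the rest of get_auth_header (which begins outside the hunk) treats an unusable token. The claim is also inserted into the Vault path verbatim; if `JWT().get_info` only decodes the payload (not visible here), a `sub` containing path separators or `..` segments would change which KV path is requested, so restricting it to the character set your identity provider actually emits before substitution is a cheap defensive check. A one-line comment above the branch, `# "#USER_SUB#" is replaced with the OIDC "sub" claim of the token that is also sent to Vault`, would make the convention discoverable from the code rather than only from manual.rst.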
@@ -602,7 +602,14 @@ get the all the credential values from the configured Vault server.
 .. confval:: VAULT_PATH
- Configured path of the KV (ver 1) secret.
+ Configured path of the KV (ver 1) secret.
+ This field has one special substitution value: ``#USER_SUB#`` that is replaced by the user
+ ID obtained from the OpenID token provided.
+ The default value is ``vault_entity_id``.
+
+.. confval:: VAULT_MOUNT_POINT
+
+ Configured mount point of the KV (ver 1) secret. The default value is ``'credentials/'``.
 .. confval:: VAULT_ROLE
diff --git a/etc/im.cfg b/etc/im.cfg
index ec251e25a..a6525ae4f 100644
--- a/etc/im.cfg
+++ b/etc/im.cfg
@@ -167,6 +167,7 @@ CORS_ORIGIN = *
 # Variables to configure Vault to get user credentials
 #VAULT_URL =
 #VAULT_PATH =
+#VAULT_MOUNT_POINT =
 #VAULT_ROLE =
 # Name of the tags that IM will add in the VMs with