From 6c33e669849f0dbf578f05154b9384e95916033e Mon Sep 17 00:00:00 2001
From: Luis Toledo
Date: Mon, 10 Dec 2018 13:28:55 -0300
Subject: [PATCH] fixing error with a non-default backend name (secret). For issue https://github.com/rundeck-plugins/vault-storage/issues/8

---
 README.md | 14 ++++++++++++++
 .../rundeck/plugin/vault/KeyObjectBuilder.java | 11 +++++++----
 .../rundeck/plugin/vault/VaultStoragePlugin.java | 8 +++++++-
 test/docker/docker-compose-existing-vault.yml | 6 ++++--
 test/docker/docker-compose-vault.yml | 2 +-
 .../templates/rundeck-config-storage.properties | 3 +++
 .../existing-vault/existing-vault-keys-test.sh | 6 +++---
 test/docker/dockers/vault/run.sh | 10 +++++++++-
 8 files changed, 48 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index 874d82a..9e1c60e 100644
--- a/README.md
+++ b/README.md
@@ -25,6 +25,20 @@ rundeck.storage.provider.1.config.address=$VAULT_URL
 rundeck.storage.provider.1.config.token=$VAULT_TOKEN
 ```
 
+For existing vault storage, probably you will need to remove the default `keys` path added by default for rundeck.
+You can use these settings for an existing vault storage:
+
+```
+rundeck.storage.provider.1.type=vault-storage
+rundeck.storage.provider.1.path=keys
+rundeck.storage.provider.1.removePathPrefix=true
+rundeck.storage.provider.1.config.prefix=someprefix
+rundeck.storage.provider.1.config.secretBackend=mybackend
+rundeck.storage.provider.1.config.address=$VAULT_URL
+rundeck.storage.provider.1.config.token=$VAULT_TOKEN
+rundeck.storage.provider.1.config.storageBehaviour=vault
+```
+
 ## Minimal version requirements
 * Java 1.8
 * Rundeck 2.10.0
diff --git a/src/main/java/io/github/valfadeev/rundeck/plugin/vault/KeyObjectBuilder.java b/src/main/java/io/github/valfadeev/rundeck/plugin/vault/KeyObjectBuilder.java
index bb2c6cd..382c614 100644
--- a/src/main/java/io/github/valfadeev/rundeck/plugin/vault/KeyObjectBuilder.java
+++ b/src/main/java/io/github/valfadeev/rundeck/plugin/vault/KeyObjectBuilder.java
@@ -11,6 +11,7 @@ public class KeyObjectBuilder {
 Path path;
 Logical vault;
 String vaultPrefix;
+ String vaultSecretBackend;
 
 static KeyObjectBuilder builder() {
 return new KeyObjectBuilder();
@@ -31,15 +32,17 @@ KeyObjectBuilder vaultPrefix(String vaultPrefix){
 return this;
 }
 
- private String getVaultPath(String rawPath) {
- return String.format("secret/%s/%s", vaultPrefix, rawPath);
+ KeyObjectBuilder vaultSecretBackend(String vaultSecretBackend){
+ this.vaultSecretBackend = vaultSecretBackend;
+ return this;
 }
 
+
 KeyObject build(){
 LogicalResponse response;
 KeyObject object;
 try {
- response = vault.read(getVaultPath(path.getPath()));
+ response = vault.read(VaultStoragePlugin.getVaultPath(path.getPath(),vaultSecretBackend,vaultPrefix));
 String data = response.getData().get(VaultStoragePlugin.VAULT_STORAGE_KEY);
 
 if(data !=null) {
@@ -83,7 +86,7 @@ public KeyObject getVaultParentObject(Path path){
 Path parentPath = PathUtil.parentPath(path);
 
 try {
- response = vault.read(getVaultPath(parentPath.getPath()));
+ response = vault.read(VaultStoragePlugin.getVaultPath(parentPath.getPath(),vaultSecretBackend,vaultPrefix));
 parentObject=new VaultKey(response, parentPath);
 
 } catch (VaultException e) {
diff --git a/src/main/java/io/github/valfadeev/rundeck/plugin/vault/VaultStoragePlugin.java b/src/main/java/io/github/valfadeev/rundeck/plugin/vault/VaultStoragePlugin.java
index 8ddaf53..79d7a23 100644
--- a/src/main/java/io/github/valfadeev/rundeck/plugin/vault/VaultStoragePlugin.java
+++ b/src/main/java/io/github/valfadeev/rundeck/plugin/vault/VaultStoragePlugin.java
@@ -76,7 +76,8 @@ public void configure(Properties configuration) throws ConfigurationException {
 }
 
 public static String getVaultPath(String rawPath, String vaultSecretBackend, String vaultPrefix) {
- return String.format("%s/%s/%s", vaultSecretBackend, vaultPrefix, rawPath);
+ String path= String.format("%s/%s/%s", vaultSecretBackend, vaultPrefix, rawPath);
+ return path;
 }
 
 private boolean isDir(String key) {
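Review bot: `build()` now reads `vaultSecretBackend` with no default, so a builder that is configured without the new `vaultSecretBackend(...)` setter produces a Vault path beginning with the literal `null/`, where the removed `getVaultPath` always used `secret`; the `vault.read` in `getVaultParentObject` (third hunk) has the same dependency. Preserving the old behaviour for such callers is a one-line change, `String vaultSecretBackend = "secret";`, or `build()` can fail fast with `Objects.requireNonNull(vaultSecretBackend, "vaultSecretBackend");` before the read. Whichever is chosen, the new setter deserves a one-line Javadoc naming the Vault mount it selects. Both `build()` and `getVaultParentObject` continue outside the hunk.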
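Review bot: The local `path` in `getVaultPath` is only assigned and returned on the next line, so the rewrite is a no-op over the removed `return String.format("%s/%s/%s", vaultSecretBackend, vaultPrefix, rawPath);`; either keep the single return or add a comment saying what the temporary is for. Since this is now the one place a Vault path is assembled (KeyObjectBuilder calls it too), a Javadoc stating the `<backend>/<prefix>/<rawPath>` layout and that no argument is validated would help: a null backend yields `null/...` and an empty prefix (the properties template in this patch defaults `config.prefix` to an empty string) yields a double slash. `configure` ends just before this hunk, so whether it rejects a missing backend cannot be seen here.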
@@ -181,6 +182,7 @@ private Set> listResources(Path path, KeyType type) {
 try {
 response = vault.list(getVaultPath(path.getPath(),vaultSecretBackend,vaultPrefix));
+
 } catch (VaultException e) {
 throw StorageException.listException(
 path,
@@ -211,12 +213,15 @@ private Set> listResources(Path path, KeyType type) {
 }
 for (String item : filtered) {
+
 Path itemPath = PathUtil.appendPath(path, item);
+
 Resource resource=null;
 if (isDir(item)) {
 resource = loadDir(itemPath);
 } else {
 KeyObject object = this.getVaultObject(itemPath);
+
 if(rundeckObject){
 //normal case with rundeck format
 if(object.isRundeckObject()){
@@ -408,6 +413,7 @@ public KeyObject getVaultObject(Path path){
 .path(path)
 .vault(vault)
 .vaultPrefix(vaultPrefix)
+ .vaultSecretBackend(vaultSecretBackend)
 .build();
 
 return value;
diff --git a/test/docker/docker-compose-existing-vault.yml b/test/docker/docker-compose-existing-vault.yml
index bd09b72..ef7718e 100644
--- a/test/docker/docker-compose-existing-vault.yml
+++ b/test/docker/docker-compose-existing-vault.yml
@@ -4,7 +4,7 @@ services:
 vault:
 build: dockers/vault
 ports:
- - "8200:8200"
+ - "8200"
 cap_add:
 - IPC_LOCK
 environment:
@@ -25,7 +25,9 @@ services:
 - SETUP_TEST_PROJECT=vaulttest
 - RUNDECK_STORAGE_PROVIDER_1_TYPE=vault-storage
 - RUNDECK_STORAGE_PROVIDER_1_PATH=keys
- - RUNDECK_STORAGE_PROVIDER_1_CONFIG_PREFIX=rundeck
+ - RUNDECK_STORAGE_PROVIDER_1_REMOVEPATHPREFIX=true
+ - RUNDECK_STORAGE_PROVIDER_1_CONFIG_SECRETBACKEND=rundeckbackend
+ - RUNDECK_STORAGE_PROVIDER_1_CONFIG_PREFIX=app
 - RUNDECK_STORAGE_PROVIDER_1_CONFIG_ADDRESS=http://vault:8200
 - RUNDECK_STORAGE_PROVIDER_1_CONFIG_TOKEN=${VAULT_TOKEN}
 - RUNDECK_STORAGE_PROVIDER_1_CONFIG_BEHAVIOUR=vault
diff --git a/test/docker/docker-compose-vault.yml b/test/docker/docker-compose-vault.yml
index 9f51c37..f1901e0 100644
--- a/test/docker/docker-compose-vault.yml
+++ b/test/docker/docker-compose-vault.yml
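Review bot: `- "8200"` still publishes the Vault port on the host, only on an ephemeral port picked by Docker, so if the intent is to keep Vault reachable solely from the rundeck container over the compose network the `ports:` entry should be dropped (or replaced by `expose:` with `- "8200"`); if the intent is merely to avoid host-port collisions between the two compose files, a comment saying so would keep the next reader from "fixing" it back. The identical change appears in the docker-compose-vault.yml hunk that follows, so the same comment belongs there.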
@@ -4,7 +4,7 @@ services:
 vault:
 build: dockers/vault
 ports:
- - "8200:8200"
+ - "8200"
 cap_add:
 - IPC_LOCK
 environment:
diff --git a/test/docker/dockers/rundeckvault/remco/templates/rundeck-config-storage.properties b/test/docker/dockers/rundeckvault/remco/templates/rundeck-config-storage.properties
index e00b1c7..deafebc 100644
--- a/test/docker/dockers/rundeckvault/remco/templates/rundeck-config-storage.properties
+++ b/test/docker/dockers/rundeckvault/remco/templates/rundeck-config-storage.properties
@@ -4,10 +4,13 @@
 {%- set index = provider | base %}
 rundeck.storage.provider.{{index}}.type={% set type = printf("%s/type", provider) %}{{ getv(type, "db")}}
 rundeck.storage.provider.{{index}}.path={% set path = printf("%s/path", provider) %}{{ getv(path, "keys")}}
+rundeck.storage.provider.{{index}}.removePathPrefix={% set removepathprefix = printf("%s/removepathprefix", provider) %}{{ getv(removepathprefix, "false")}}
+
 rundeck.storage.provider.{{index}}.config.prefix={% set prefix = printf("%s/config/prefix", provider) %}{{ getv(prefix, "")}}
 rundeck.storage.provider.{{index}}.config.address={% set address = printf("%s/config/address", provider) %}{{ getv(address, "")}}
 rundeck.storage.provider.{{index}}.config.token={% set token = printf("%s/config/token", provider) %}{{ getv(token, "")}}
 rundeck.storage.provider.{{index}}.config.storageBehaviour={% set behaviour = printf("%s/config/behaviour", provider) %}{{ getv(behaviour, "rundeck")}}
+rundeck.storage.provider.{{index}}.config.secretBackend={% set secretbackend = printf("%s/config/secretbackend", provider) %}{{ getv(secretbackend, "secret")}}
 rundeck.storage.provider.{{index}}.config.maxRetries={% set maxRetries = printf("%s/config/maxRetries", provider) %}{{ getv(maxRetries, "3")}}
 rundeck.storage.provider.{{index}}.config.retryIntervalMilliseconds={% set retryInterval = printf("%s/config/retryInterval", provider) %}{{ getv(retryInterval, "100")}}
diff --git a/test/docker/dockers/rundeckvault/tests/existing-vault/existing-vault-keys-test.sh b/test/docker/dockers/rundeckvault/tests/existing-vault/existing-vault-keys-test.sh
index fd435b4..68b10e9 100644
--- a/test/docker/dockers/rundeckvault/tests/existing-vault/existing-vault-keys-test.sh
+++ b/test/docker/dockers/rundeckvault/tests/existing-vault/existing-vault-keys-test.sh
@@ -41,7 +41,7 @@ it_check_key_value_job() {
 bash -c "rd run -i $JOBID -p $RUNDECK_PROJECT"
 cmdout=($(bash -c "rd executions follow -e 1 | grep -v '^#' "))
- expout=($(curl -s -H "X-Vault-Token: $VAULT_TOKEN" http://vault:8200/v1/secret/rundeck/keys/node/vault.password | jq .data.value))
+ expout=($(curl -s -H "X-Vault-Token: $VAULT_TOKEN" http://vault:8200/v1/rundeckbackend/app/keys/node/vault.password | jq .data.value))
 echo "${cmdout[@]}"
 if ! test ${#expout[*]} = ${#cmdout[*]}
 then
@@ -112,7 +112,7 @@ END
 exit 1
 fi
- cmdout=($(curl -s -H "X-Vault-Token: $VAULT_TOKEN" http://vault:8200/v1/secret/rundeck/keys/node/vault.password > test.output))
+ cmdout=($(curl -s -H "X-Vault-Token: $VAULT_TOKEN" http://vault:8200/v1/rundeckbackend/app/keys/node/vault.password > test.output))
 # diff with expected
 cat >expected.output < log.out sleep 10 #create files
-echo "************ creating test keys"
+echo "************ creating test keys (default)"
 vault write secret/rundeck/keys/simple.secret foo=world
 vault write secret/rundeck/keys/multiples name=admin password=admin server=rundeck
 vault write secret/rundeck/keys/folder/another.secret test=hello
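Review bot: The new expected-value URL keeps the `keys` segment (`/v1/rundeckbackend/app/keys/node/vault.password`) while the compose file in this patch turns on `REMOVEPATHPREFIX=true` and `run.sh` seeds the same backend at `rundeckbackend/app/<name>` with no `keys` segment; if `removePathPrefix` strips the provider path, this URL points at a key the plugin never wrote, so the mapping is worth confirming against the plugin before merging. Because `curl -s` hides HTTP errors and `jq .data.value` turns an error body into `null`, a wrong path fails quietly; `curl -sf` would make a missing key fail the test loudly. The second hunk (`> test.output`) uses the same URL and the same flags.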
@@ -15,5 +15,13 @@ vault write secret/rundeck/keys/folder/multiple2 name=admin password=admin serve
 echo "************ end"
+#create files
+echo "************ creating custom backend keys"
+vault secrets enable -path=rundeckbackend kv
+vault write rundeckbackend/app/simple.secret foo=world
+vault write rundeckbackend/app/multiples name=admin password=admin server=rundeck
+vault write rundeckbackend/app/folder/another.secret test=hello
+vault write rundeckbackend/app/folder/multiple2 name=admin password=admin server=rundeck
+echo "************ end"
 tail -f log.out
\ No newline at end of file
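Review bot: `vault secrets enable -path=rundeckbackend kv` relies on the CLI's default KV version, while the plugin's `getVaultPath` in this patch builds `<backend>/<prefix>/<path>` with no `data/` segment, i.e. the KV v1 layout; pinning it with `vault secrets enable -version=1 -path=rundeckbackend kv` makes that requirement visible and keeps the fixture valid if the image's default ever changes. The seeded `password=admin` values are fixture data, which is fine here, but a one-line comment such as `# test-only fixture values, not real credentials` keeps them from being mistaken for something to rotate. Whether the script runs under `set -e` is outside the hunk; if it does not, a failed `secrets enable` would leave the four writes failing silently before `tail -f` hides the outcome.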