Simple Vault resolver to generate tokens (#11)

Author: danielcoman

himl/secret_resolvers.py

@@ -11,6 +11,7 @@
 import logging
 from .simplessm import SimpleSSM
 from .simples3 import SimpleS3
+from .simplevault import SimpleVault
 
 
 class SecretResolver:
@@ -65,17 +66,18 @@ def resolve(self, secret_type, secret_params):
         return s3.get(bucket, path, base64Encode)
 
 
-# TODO - vault resolver
 class VaultSecretResolver(SecretResolver):
     def supports(self, secret_type):
-        return False
+        return secret_type == "vault"
 
     def resolve(self, secret_type, secret_params):
-        return None
+        # Generate a token for a policy
+        policy = self.get_param_or_exception("token_policy", secret_params)
+        vault = SimpleVault
+        return vault().get_token(policy)
 
 
 class AggregatedSecretResolver(SecretResolver):
-
     def __init__(self, default_aws_profile=None):
         self.secret_resolvers = (SSMSecretResolver(default_aws_profile), S3SecretResolver(default_aws_profile), VaultSecretResolver())
 

himl/simplessm.py

@@ -13,9 +13,9 @@
 import os
 from botocore.exceptions import ClientError
 
-
 logger = logging.getLogger(__name__)
 
+
 class SimpleSSM(object):
     def __init__(self, aws_profile, region_name):
         self.initial_aws_profile = os.getenv('AWS_PROFILE', None)

himl/simplevault.py

@@ -0,0 +1,58 @@
+# Copyright 2019 Adobe. All rights reserved.
+# This file is licensed to you under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software distributed under
+# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+# OF ANY KIND, either express or implied. See the License for the specific language
+# governing permissions and limitations under the License.
+
+import os
+import logging
+import hvac
+
+
+logger = logging.getLogger(__name__)
+
+
+class SimpleVault:
+    def __init__(self):
+        pass
+
+    def get_vault_client(self):
+        url = os.getenv('VAULT_ADDR')
+        namespace = os.getenv('VAULT_NAMESPACE')
+        username = os.getenv('VAULT_USERNAME')
+        password = os.getenv('VAULT_PASSWORD')
+        logger.info("Vault using url: {}, namespace: {}, username: {}".format(url, namespace, username))
+
+        client = hvac.Client(
+            url=url,
+            namespace=namespace,
+        )
+
+        try:
+            client.auth.ldap.login(
+                username=username,
+                password=password,
+            )
+            assert client.is_authenticated()
+            logger.info("Vault LDAP authenticated")
+        except Exception as e:
+            raise Exception("Error authenticating Vault over LDAP")
+
+        return client
+
+    def get_token(self, policy):
+        role = os.getenv('VAULT_ROLE')
+        client = self.get_vault_client()
+        logger.info("Generating token for policy: {} using role: {}".format(policy, role))
+
+        token = client.create_token(
+            policies=[policy],
+            role=role,
+            lease='24h',
+       )
+
+        return token['auth']['client_token']

requirements.txt

@@ -4,3 +4,5 @@ backports.functools_lru_cache>=1.5
 pathlib2>=2.3.4
 boto3>=1.9.110
 pyyaml>=5.1
+botocore>=1.12
+hvac>=0.9.3