From d45e27e441ec636884c0d1d16d72d7b41247ff70 Mon Sep 17 00:00:00 2001 From: Jonas Keeling Date: Fri, 14 Jun 2024 17:57:09 +0200 Subject: [PATCH] Support vault prefix depth config (#73) --- .../secrets/config/VaultProviderConfig.scala | 13 ++++++ .../config/VaultProviderSettings.scala | 3 ++ .../secrets/providers/VaultHelper.scala | 3 ++ .../providers/VaultSecretProviderTest.scala | 41 +++++++++++++++++++ 4 files changed, 60 insertions(+) diff --git a/secret-provider/src/main/scala/io/lenses/connect/secrets/config/VaultProviderConfig.scala b/secret-provider/src/main/scala/io/lenses/connect/secrets/config/VaultProviderConfig.scala index 72f80c1..7a11d76 100644 --- a/secret-provider/src/main/scala/io/lenses/connect/secrets/config/VaultProviderConfig.scala +++ b/secret-provider/src/main/scala/io/lenses/connect/secrets/config/VaultProviderConfig.scala @@ -34,6 +34,7 @@ object VaultProviderConfig { val VAULT_CLIENT_PEM: String = "vault.client.pem" val VAULT_PEM: String = "vault.pem" val VAULT_ENGINE_VERSION = "vault.engine.version" + val VAULT_PREFIX_DEPTH = "vault.prefix.depth" val AUTH_METHOD: String = "vault.auth.method" val VAULT_TRUSTSTORE_LOC: String = @@ -147,6 +148,18 @@ object VaultProviderConfig { Importance.HIGH, "KV Secrets Engine version of the Vault server instance. Defaults to 2", ) + .define( + VAULT_PREFIX_DEPTH, + Type.INT, + 1, + Importance.HIGH, + """ + |Set the path depth of the KV Secrets Engine prefix path. + |Normally this is just 1, to correspond to one path element in the prefix path. + |To use a longer prefix path, set this value + | + |""".stripMargin, + ) // auth mode .define( AUTH_METHOD, diff --git a/secret-provider/src/main/scala/io/lenses/connect/secrets/config/VaultProviderSettings.scala b/secret-provider/src/main/scala/io/lenses/connect/secrets/config/VaultProviderSettings.scala index 21e5fab..3af8de8 100644 --- a/secret-provider/src/main/scala/io/lenses/connect/secrets/config/VaultProviderSettings.scala +++ b/secret-provider/src/main/scala/io/lenses/connect/secrets/config/VaultProviderSettings.scala @@ -50,6 +50,7 @@ case class VaultSettings( pem: String, clientPem: String, engineVersion: Int = 2, + prefixDepth: Int = 1, appRole: Option[AppRole], awsIam: Option[AwsIam], gcp: Option[Gcp], @@ -77,6 +78,7 @@ object VaultSettings extends StrictLogging { val pem = config.getString(VaultProviderConfig.VAULT_PEM) val clientPem = config.getString(VaultProviderConfig.VAULT_CLIENT_PEM) val engineVersion = config.getInt(VaultProviderConfig.VAULT_ENGINE_VERSION) + val prefixDepth = config.getInt(VaultProviderConfig.VAULT_PREFIX_DEPTH) val authMode = VaultAuthMethod.withNameOpt( config.getString(VaultProviderConfig.AUTH_METHOD).toUpperCase, @@ -124,6 +126,7 @@ object VaultSettings extends StrictLogging { pem = pem, clientPem = clientPem, engineVersion = engineVersion, + prefixDepth = prefixDepth, appRole = appRole, awsIam = awsIam, gcp = gcp, diff --git a/secret-provider/src/main/scala/io/lenses/connect/secrets/providers/VaultHelper.scala b/secret-provider/src/main/scala/io/lenses/connect/secrets/providers/VaultHelper.scala index 41189c0..a9642ea 100644 --- a/secret-provider/src/main/scala/io/lenses/connect/secrets/providers/VaultHelper.scala +++ b/secret-provider/src/main/scala/io/lenses/connect/secrets/providers/VaultHelper.scala @@ -110,6 +110,9 @@ object VaultHelper extends StrictLogging { logger.info(s"Setting engine version to ${settings.engineVersion}") config.engineVersion(settings.engineVersion) + logger.info(s"Setting prefix path depth to ${settings.prefixDepth}") + config.prefixPathDepth(settings.prefixDepth) + val vault = new Vault(config.build()) logger.info( diff --git a/secret-provider/src/test/scala/io/lenses/connect/secrets/providers/VaultSecretProviderTest.scala b/secret-provider/src/test/scala/io/lenses/connect/secrets/providers/VaultSecretProviderTest.scala index ac95df4..6fbb0f6 100644 --- a/secret-provider/src/test/scala/io/lenses/connect/secrets/providers/VaultSecretProviderTest.scala +++ b/secret-provider/src/test/scala/io/lenses/connect/secrets/providers/VaultSecretProviderTest.scala @@ -324,6 +324,47 @@ class VaultSecretProviderTest extends AnyWordSpec with Matchers with BeforeAndAf response.getData.asScala("value") shouldBe "mock" } + "should be configured for vault engine prefix depth" in { + + val props = Map( + VaultProviderConfig.VAULT_ADDR -> "https://127.0.0.1:9998", + VaultProviderConfig.VAULT_TOKEN -> "mock_token", + VaultProviderConfig.AUTH_METHOD -> VaultAuthMethod.TOKEN.toString(), + VaultProviderConfig.VAULT_PEM -> pemFile, + VaultProviderConfig.VAULT_CLIENT_PEM -> pemFile, + VaultProviderConfig.VAULT_PREFIX_DEPTH -> 2, + ).asJava + + val config = VaultProviderConfig(props) + val settings = VaultSettings(config) + + settings.prefixDepth shouldBe 2 + val provider = new VaultSecretProvider() + provider.configure(props) + val response = provider.getClient.get.logical.read("secret/hello") + response.getData.asScala("value") shouldBe "mock" + } + + "should be configured for default vault engine prefix depth" in { + + val props = Map( + VaultProviderConfig.VAULT_ADDR -> "https://127.0.0.1:9998", + VaultProviderConfig.VAULT_TOKEN -> "mock_token", + VaultProviderConfig.AUTH_METHOD -> VaultAuthMethod.TOKEN.toString(), + VaultProviderConfig.VAULT_PEM -> pemFile, + VaultProviderConfig.VAULT_CLIENT_PEM -> pemFile, + ).asJava + + val config = VaultProviderConfig(props) + val settings = VaultSettings(config) + + settings.prefixDepth shouldBe 1 + val provider = new VaultSecretProvider() + provider.configure(props) + val response = provider.getClient.get.logical.read("secret/hello") + response.getData.asScala("value") shouldBe "mock" + } + "should get values at a path" in { val props = Map(