potiuk commented on a change in pull request #8974: URL: https://github.com/apache/airflow/pull/8974#discussion_r434754888
########## File path: airflow/providers/hashicorp/common/vault_client.py ########## @@ -0,0 +1,389 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +from typing import List, Optional + +import hvac +from cached_property import cached_property +from hvac.api.auth_methods import github, kubernetes, ldap, radius, userpass +from hvac.api.secrets_engines import aws, azure, gcp, kv_v1, kv_v2 +from hvac.exceptions import InvalidPath, VaultError +from requests import Response + +from airflow.utils.log.logging_mixin import LoggingMixin + +VALID_KV_VERSIONS: List[int] = [1, 2] +VALID_AUTH_TYPES: List[str] = [ + 'approle', + 'aws_iam', + 'azure', + 'github', + 'gcp', + 'kubernetes', + 'ldap', + 'radius', + 'token', + 'userpass' +] + + +class VaultClient(LoggingMixin): # pylint: disable=too-many-instance-attributes + """ + Retrieves Authenticated client from Hashicorp Vault + + :param url: Base URL for the Vault instance being addressed. + :type url: str + :param auth_type: Authentication Type for Vault. Default is ``token``. Available values are in + :py:const:`airflow.providers.hashicorp.common.vault_client.VALID_AUTH_TYPES`. + :type auth_type: str + :param mount_point: The "path" the secret engine was mounted on. Default depends on the engine used. + :type mount_point: str + :param kv_engine_version: Select the version of the engine to run (``1`` or ``2``, default: ``2``) + :type kv_engine_version: int + :param token: Authentication token to include in requests sent to Vault. + (for ``token`` and ``github`` auth_type) + :type token: str + :param username: Username for Authentication (for ``ldap`` and ``userpass`` auth_types) + :type username: str + :param password: Password for Authentication (for ``ldap`` and ``userpass`` auth_types) + :type password: str + :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type) + :type key_id: str + :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types) + :type secret_id: str + :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` and ``kubernetes`` auth_types) + :type role_id: str + :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type) + :type kubernetes_role: str + :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default: + ``/var/run/secrets/kubernetes.io/serviceaccount/token``) + :type kubernetes_jwt_path: str + :param gcp_key_path: Path to GCP Credential JSON file (for ``gcp`` auth_type). + Mutually exclusive with gcp_keyfile_dict + :type gcp_key_path: str + :param gcp_keyfile_dict: Dictionary of keyfile parameters. (for ``gcp`` auth_type). + Mutually exclusive with gcp_key_path + :type gcp_keyfile_dict: dict + :param gcp_scopes: Comma-separated string containing GCP scopes (for ``gcp`` auth_type) + :type gcp_scopes: str + :param azure_tenant_id: Tenant of azure (for ``azure`` auth_type) + :type azure_tenant_id: str + :param azure_resource: Resource if of azure (for ``azure`` auth_type) + :type azure_resource: str + :param radius_host: Host for radius (for ``radius`` auth_type) + :type radius_host: str + :param radius_secret: Secret for radius (for ``radius`` auth_type) + :type radius_secret: str + :param radius_port: Port for radius (for ``radius`` auth_type) + :type radius_port: int + """ + def __init__( # pylint: disable=too-many-arguments + self, + url: Optional[str] = None, + auth_type: str = 'token', + mount_point: Optional[str] = None, + kv_engine_version: Optional[int] = None, + token: Optional[str] = None, + username: Optional[str] = None, + password: Optional[str] = None, + key_id: Optional[str] = None, + secret_id: Optional[str] = None, + role_id: Optional[str] = None, + kubernetes_role: Optional[str] = None, + kubernetes_jwt_path: Optional[str] = '/var/run/secrets/kubernetes.io/serviceaccount/token', + gcp_key_path: Optional[str] = None, + gcp_keyfile_dict: Optional[dict] = None, + gcp_scopes: Optional[str] = None, + azure_tenant_id: Optional[str] = None, + azure_resource: Optional[str] = None, + radius_host: Optional[str] = None, + radius_secret: Optional[str] = None, + radius_port: Optional[int] = None, + **kwargs + ): + super().__init__(**kwargs) + if kv_engine_version and kv_engine_version not in VALID_KV_VERSIONS: + raise VaultError(f"The version is not supported: {kv_engine_version}. " + f"It should be one of {VALID_KV_VERSIONS}") + if auth_type not in VALID_AUTH_TYPES: + raise VaultError(f"The auth_type is not supported: {auth_type}. " + f"It should be one of {VALID_AUTH_TYPES}") + if auth_type == "token" and not token: + raise VaultError("The 'token' authentication type requires 'token'") + if auth_type == "github" and not token: + raise VaultError("The 'github' authentication type requires 'token'") + if auth_type == "approle" and not role_id: + raise VaultError("The 'approle' authentication type requires 'role_id'") + if auth_type == "kubernetes": + if not kubernetes_role: + raise VaultError("The 'kubernetes' authentication type requires 'kubernetes_role'") + if not kubernetes_jwt_path: + raise VaultError("The 'kubernetes' authentication type requires 'kubernetes_jwt_path'") + if auth_type == "azure": + if not azure_resource: + raise VaultError("The 'azure' authentication type requires 'azure_resource'") + if not azure_tenant_id: + raise VaultError("The 'azure' authentication type requires 'azure_tenant_id'") + if auth_type == "radius": + if not radius_host: + raise VaultError("The 'radius' authentication type requires 'radius_host'") + if not radius_secret: + raise VaultError("The 'radius' authentication type requires 'radius_secret'") + + self.kv_engine_version = kv_engine_version if kv_engine_version else 2 + self.url = url + self.auth_type = auth_type + self.kwargs = kwargs + self.token = token + self.mount_point = mount_point if mount_point else\ + self.get_default_mount_point(auth_type=self.auth_type, + kv_engine_version=self.kv_engine_version) + self.username = username + self.password = password + self.key_id = key_id + self.secret_id = secret_id + self.role_id = role_id + self.kubernetes_role = kubernetes_role + self.kubernetes_jwt_path = kubernetes_jwt_path + self.gcp_key_path = gcp_key_path + self.gcp_keyfile_dict = gcp_keyfile_dict + self.gcp_scopes = gcp_scopes + self.azure_tenant_id = azure_tenant_id + self.azure_resource = azure_resource + self.radius_host = radius_host + self.radius_secret = radius_secret + self.radius_port = radius_port + + @staticmethod + def get_default_mount_point(auth_type: str, kv_engine_version: int) -> str: Review comment: Right. It did not matter as it was only used internally but the description told otherwise. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
