diff --git a/src/test/groovy/GetVaultSecretStepTests.groovy b/src/test/groovy/GetVaultSecretStepTests.groovy
index 83f924f87..2c648effb 100644
--- a/src/test/groovy/GetVaultSecretStepTests.groovy
+++ b/src/test/groovy/GetVaultSecretStepTests.groovy
@@ -101,9 +101,19 @@ class GetVaultSecretStepTests extends ApmBasePipelineTest {
 assertTrue(assertMethodCallContainsPattern('error', 'getVaultSecret: Unable to get the secret.'))
 }
+ @Test
+ void testReadSecretWrapperWithParams() throws Exception {
+ script.readSecretWrapperWithParams(['role_id': 'dummy-role-id', 'secret_id': 'dummy-secret-id']) {
+ 'dummy arg'
+ }
+ printCallStack()
+ assertTrue(assertMethodCallContainsPattern('withCredentials', '[{credentialsId=vault-addr, variable=VAULT_ADDR}, {credentialsId=dummy-role-id, variable=VAULT_ROLE_ID}, {credentialsId=dummy-secret-id, variable=VAULT_SECRET_ID}]'))
+ assertJobStatusSuccess()
+ }
+
 @Test
 void testReadSecretWrapper() throws Exception {
- script.readSecretWrapper {
+ script.readSecretWrapper() {
 // TODO
 }
 printCallStack()
diff --git a/vars/getVaultSecret.groovy b/vars/getVaultSecret.groovy
index d4b916a3b..289f25319 100644
--- a/vars/getVaultSecret.groovy
+++ b/vars/getVaultSecret.groovy
@@ -24,7 +24,9 @@ import net.sf.json.JSONObject
 */
 def call(Map args = [:]){
 def secret = args.containsKey('secret') ? args.secret : error("getVaultSecret: No valid secret to looking for.")
- return readSecret(secret)
+ def role_id = args.containsKey('role_id') ? args.role_id : 'vault-role-id'
+ def secret_id = args.containsKey('secret_id') ? args.secret_id : 'vault-secret-id'
+ return readSecret(secret, role_id, secret_id)
 }
 /**
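Review bot: testReadSecretWrapperWithParams pins only the explicit-ids path; nothing in the suite exercises readSecretWrapperWithParams with role_id or secret_id omitted, which is the case where `args?.role_id` in vars/getVaultSecret.groovy yields a null credentialsId. A second case such as `script.readSecretWrapperWithParams([:]) { }` followed by an assertion on the resulting withCredentials call (or on the error, once the helper validates its arguments) would document that contract. The closure body `'dummy arg'` also differs from the `// TODO` placeholder used by the sibling testReadSecretWrapper; the two tests could share one form.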
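Review bot: The new optional role_id and secret_id arguments of call(Map) are not documented; the step's doc comment closes at the `*/` that opens this hunk, so the update lies just outside it. They are Jenkins credential ids (they end up as `credentialsId` in withCredentials in the later readSecretWrapperWithParams hunk), not secret values, so the comment should say so, e.g. `role_id: id of the string credential holding the Vault AppRole role id (default 'vault-role-id')` and the equivalent line for secret_id. The default literals 'vault-role-id' / 'vault-secret-id' are repeated here, in call(secret) in the next hunk and in vars/withSecretVault.groovy; one shared default would keep them from drifting apart.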
@@ -39,13 +41,13 @@ def call(secret) {
 error("getVaultSecret: No valid secret to looking for.")
 }
 secret = 'secret/apm-team/ci/' + secret
- return readSecret(secret)
+ return readSecret(secret, 'vault-role-id', 'vault-secret-id')
 }
-def readSecret(secret) {
+def readSecret(secret, role_id, secret_id) {
 def props = null
 log(level: 'INFO', text: 'getVaultSecret: Getting secrets')
- readSecretWrapper() {
+ readSecretWrapperWithParams(['role_id': role_id, 'secret_id': secret_id]) {
 // When running in the CI with multiple parallel stages
 // the access could be considered as a DDOS attack. Let's sleep a bit if it fails.
 retryWithSleep(retries: 3, seconds: 5, backoff: true) {
@@ -58,6 +60,22 @@ def readSecret(secret) {
 return props
 }
+def readSecretWrapperWithParams(args, body) {
+ def role_id = args?.role_id
+ def secret_id = args?.secret_id
+ withCredentials([
+ string(credentialsId: 'vault-addr', variable: 'VAULT_ADDR'),
+ string(credentialsId: role_id, variable: 'VAULT_ROLE_ID'),
+ string(credentialsId: secret_id, variable: 'VAULT_SECRET_ID')]) {
+ withEnv([
+ "VAULT_AUTH_METHOD=approle", //Used by Ansible Vault modules
+ "VAULT_AUTHTYPE=approle" //Used by Ansible Vault modules
+ ]){
+ body()
+ }
+ }
+}
+
 def readSecretWrapper(body) {
 withCredentials([
 string(credentialsId: 'vault-addr', variable: 'VAULT_ADDR'),
diff --git a/vars/withSecretVault.groovy b/vars/withSecretVault.groovy
index 9e1b987a3..d93d139e0 100644
--- a/vars/withSecretVault.groovy
+++ b/vars/withSecretVault.groovy
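Review bot: readSecretWrapperWithParams binds `credentialsId: role_id` and `credentialsId: secret_id` without checking them, so a caller that omits either key (or passes null or an empty string) reaches withCredentials with a null credentialsId and fails with a plugin-level message instead of a step-level one; an explicit guard right after the two `args?.` reads gives a clear failure. readSecretWrapper, whose body continues past the hunk, binds the same 'vault-addr' credential, and if its remaining lines match the new helper with the 'vault-role-id' / 'vault-secret-id' defaults it could delegate instead of keeping a second copy of the binding. Declaring the parameters as `Map args, Closure body` would also make the call shape explicit.
```groovy
def readSecretWrapperWithParams(Map args, Closure body) {
  def role_id = args?.role_id
  def secret_id = args?.secret_id
  // Fail here with a step-level message instead of inside withCredentials.
  if (!role_id || !secret_id) {
    error 'getVaultSecret: readSecretWrapperWithParams requires role_id and secret_id credential ids'
  }
  // … unchanged: withCredentials / withEnv binding and body() …
}

// Only if the rest of readSecretWrapper (outside the hunk) binds exactly the same credentials and env.
def readSecretWrapper(Closure body) {
  readSecretWrapperWithParams(['role_id': 'vault-role-id', 'secret_id': 'vault-secret-id'], body)
}
```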
@@ -30,11 +30,14 @@ def call(Map args = [:], Closure body) {
 def pass_variable = args?.pass_var_name
 def pass_key = args.containsKey('pass_key') ? args.pass_key : 'password'
+ def role_id = args.containsKey('role_id') ? args.role_id : 'vault-role-id'
+ def secret_id = args.containsKey('secret_id') ? args.secret_id : 'vault-secret-id'
+
 if (!secret || !user_variable || !pass_variable) {
 error "withSecretVault: Missing variables"
 }
- def props = getVaultSecret(secret: secret)
+ def props = getVaultSecret(secret: secret, role_id: role_id, secret_id: secret_id)
 if(props?.errors){
 error "withSecretVault: Unable to get credentials from the vault: " + props.errors.toString()
 }
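Review bot: The guard `if (!secret || !user_variable || !pass_variable)` is not extended to the new role_id and secret_id, and the `containsKey` ternaries pass an explicit null or empty value straight through to getVaultSecret; the Elvis form `def role_id = args.role_id ?: 'vault-role-id'` and `def secret_id = args.secret_id ?: 'vault-secret-id'` falls back to the default in both cases and is shorter (the same pattern appears in call(Map) of vars/getVaultSecret.groovy). Since callers can now choose which AppRole credential pair the step binds, the step's doc comment (outside the hunk) should state that these are Jenkins credential ids and that which of them a job may bind is governed by Jenkins credential scoping, not by this step.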