Update Hashi Vault fetcher to suppor token authmp/11963

Token-based auth is common in automated environments, so this
change adds support for token-based authentication to the Hashi Vault
secret fetcher.

A new configuration item has been added `:auth_method`, which must be
one of `:iam_role` or `:token`.  When `auth_method` is not specified, it
defaults to `:iam_role` for backward compatibility with the initial
implementation.

All authentication methods require a `:vault_addr` configuration entry

If using `auth_method: :token`, a :token configuration entry must also
be provided.

If using `auth_method: :iam_role`, a :role_name configuration entry must
also be provided.

Signed-off-by: Marc A. Paradise <marc.paradise@gmail.com>

2 files changed, 87 insertions, 23 deletions

diff --git a/lib/chef/secret_fetcher/hashi_vault.rb b/lib/chef/secret_fetcher/hashi_vault.rb
index be975fc34f..89dce01b67 100644
--- a/lib/chef/secret_fetcher/hashi_vault.rb
+++ b/lib/chef/secret_fetcher/hashi_vault.rb
@@ -19,7 +19,6 @@
 require_relative "base"
 require "aws-sdk-core" # Support for aws instance profile auth
 require "vault"
-
 class Chef
   class SecretFetcher
     # == Chef::SecretFetcher::HashiVault
@@ -29,32 +28,74 @@ class Chef
     # In this initial iteration the only supported authentication is IAM role-based
     #
     # Required config:
+    # :auth_method - one of :iam_role, :token.  default: :iam_role
     # :vault_addr - the address of a running Vault instance, eg https://vault.example.com:8200
-    # If not explicitly provided, the environment variable VAULT_ADDR will be used.
-    # :role_name - the name of the role in Vault that was created to support authentication
-    # via IAM.  See the Vault documentation for details[1]. A Terraform example is also available[2]
+    #
+    # For `:token` auth: `:token` - a Vault token valid for authentication.
+    #
+    # For `:iam_role`:  `:role_name` - the name of the role in Vault that was created
+    # to support authentication via IAM.  See the Vault documentation for details[1].
+    # A Terraform example is also available[2]
+    #
     #
     # [1] https://www.vaultproject.io/docs/auth/aws#recommended-vault-iam-policy
     # [2] https://registry.terraform.io/modules/hashicorp/vault/aws/latest/examples/vault-iam-auth
     #             an IAM principal ARN bound to it.
     #
+    # Optional config
+    # :namespace - the namespace under which secrets are kept.  Only supported in with Vault Enterprise
+    #
     # @example
     #
     # fetcher = SecretFetcher.for_service(:hashi_vault, { role_name: "testing-role", vault_addr: https://localhost:8200}, run_context )
     # fetcher.fetch("secretkey1")
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :token, token: "s.1234abcdef", vault_addr: https://localhost:8200}, run_context )
+    # fetcher.fetch("secretkey1")
+    SUPPORTED_AUTH_TYPES = %i{iam_role token}.freeze
     class HashiVault < Base
+
+      # Validate and authenticate the current session using the configurated auth strategy and parameters
       def validate!
-        if config[:role_name].nil?
-          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name ")
-        end
         if config[:vault_addr].nil?
           raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the Vault address in the configuration as :vault_addr")
         end
 
-        # Note that the token here is cached internal to the Vault implementation.
-        Vault.auth.aws_iam(config[:role_name],
-                           Aws::InstanceProfileCredentials.new,
-                           config[:vault_addr] || ENV["VAULT_ADDR"])
+        Vault.address = config[:vault_addr]
+        Vault.namespace = config[:namespace] unless config[:namespace].nil?
+
+        case config[:auth_method]
+        when :token
+          validate_token_auth!(config[:token])
+        when :iam_role, nil
+          validate_iam_role_auth!(config[:role_name])
+        else
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("Invalid :auth_method provided.  You gave #{config[:auth_method]}, expected one of :#{SUPPORTED_AUTH_TYPES.join(", :")} ")
+        end
+      end
+
+      # Validates IAM role auth configuration and obtains token via IAM auth
+      #
+      # @param role_name [String] the name of the Vault role associated with the IAM profile .
+      def validate_iam_role_auth!(role_name)
+        if role_name.nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name")
+        end
+
+        Vault.auth.aws_iam(role_name, Aws::InstanceProfileCredentials.new)
+      end
+
+      # Validates that a token is provided and authenticates to Hashi Vault using the provided
+      # token.
+      # @param token [String] a value Vault token authorized to access the secrets needed. b
+      def validate_token_auth!(token)
+        if token.nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the token in the configuration as :token")
+        end
+
+        Vault.auth.token(token)
       end
 
       # @param identifier [String] Identifier of the secret to be fetched, which should
diff --git a/spec/unit/secret_fetcher/hashi_vault_spec.rb b/spec/unit/secret_fetcher/hashi_vault_spec.rb
index db93a051e4..c4d953ce97 100644
--- a/spec/unit/secret_fetcher/hashi_vault_spec.rb
+++ b/spec/unit/secret_fetcher/hashi_vault_spec.rb
@@ -15,7 +15,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-#
 
 require_relative "../../spec_helper"
 require "chef/secret_fetcher/hashi_vault"
@@ -24,23 +23,47 @@ describe Chef::SecretFetcher::HashiVault do
   let(:node) { {} }
   let(:run_context) { double("run_context", node: node) }
 
-  context "when validating HashiVault provided configuration" do
-    it "raises ConfigurationInvalid when the role_name is not provided" do
-      fetcher = Chef::SecretFetcher::HashiVault.new( { vault_addr: "vault.example.com" }, run_context)
-      expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
+  context "when validating provided HashiVault configuration" do
+    it "raises ConfigurationInvalid when the :auth_method is not valid" do
+      fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :invalid, vault_addr: "https://vault.example.com" }, run_context)
+      expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid, /:auth_method/)
     end
 
     it "raises ConfigurationInvalid when the vault_addr is not provided" do
-      fetcher = Chef::SecretFetcher::HashiVault.new( { role_name: "vault.example.com" }, run_context)
+      fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, role_name: "example-role" }, run_context)
       expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
     end
 
-    it "obtains a token via AWS IAM auth to allow the gem to do its own validations when all required config is provided" do
-      fetcher = Chef::SecretFetcher::HashiVault.new( { vault_addr: "vault.example.com", role_name: "example-role" }, run_context)
-      auth_stub =
-      allow(Aws::InstanceProfileCredentials).to receive(:new).and_return double("credentials")
-      allow(Vault).to receive(:auth).and_return(instance_double(Vault::Authenticate, aws_iam: nil))
-      fetcher.validate!
+    context "and using auth_method: :iam_role" do
+      it "raises ConfigurationInvalid when the role_name is not provided" do
+        fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, vault_addr: "vault.example.com" }, run_context)
+        expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
+      end
+
+      it "obtains a token via AWS IAM auth to allow the gem to do its own validations when all required config is provided" do
+        fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, vault_addr: "vault.example.com", role_name: "example-role" }, run_context)
+        allow(Aws::InstanceProfileCredentials).to receive(:new).and_return instance_double(Aws::InstanceProfileCredentials)
+        auth_double = instance_double(Vault::Authenticate)
+        expect(auth_double).to receive(:aws_iam)
+        allow(Vault).to receive(:auth).and_return(auth_double)
+        fetcher.validate!
+      end
+    end
+
+    context "and using auth_method: :token" do
+      it "raises ConfigurationInvalid when no token is provided" do
+        fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :token, vault_addr: "vault.example.com" }, run_context)
+        expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
+      end
+
+      it "authenticates using the token during validation when all configuration is correct" do
+        fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :token, token: "t.1234abcd", vault_addr: "vault.example.com" }, run_context)
+        auth = instance_double(Vault::Authenticate)
+        auth_double = instance_double(Vault::Authenticate)
+        expect(auth_double).to receive(:token)
+        allow(Vault).to receive(:auth).and_return(auth_double)
+        fetcher.validate!
+      end
     end
   end
 end