Merge pull request #22 from kenrickles/master

Making Approle Path an Environment variable to cater for Vault
Consensys · Feb 28, 2023 · 7949a06 · 7949a06
2 parents 5d8b653 + 88dd41e
commit 7949a06
Show file tree

Hide file tree

Showing 9 changed files with 116 additions and 38 deletions.
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -32,7 +32,7 @@ Based on this config, Quorum will look for [`quorum-account-plugin-hashicorp-vau
     "authentication": {
         "roleId": "env://HASHICORP_ROLE_ID",
         "secretId": "env://HASHICORP_SECRET_ID",
-        "approlePath": "approle"
+        "approlePath": "env://HASHICORP_APPROLE"
     },
     "tls": {
         "caCert": "file:///path/to/ca.pem",

diff --git a/internal/config/validation.go b/internal/config/validation.go
@@ -55,7 +55,7 @@ func (c VaultClientAuthentication) validate() error {
 		tokenIsSet       = c.Token.IsSet()
 		roleIdIsSet      = c.RoleId.IsSet()
 		secretIdIsSet    = c.SecretId.IsSet()
-		approlePathIsSet = !(c.ApprolePath == "")
+		approlePathIsSet = c.ApprolePath.IsSet()
 	)
 	if !tokenIsSet && roleIdIsSet && secretIdIsSet && approlePathIsSet {
 		return nil

diff --git a/internal/config/validation_vaultclient_test.go b/internal/config/validation_vaultclient_test.go
@@ -28,7 +28,7 @@ func validVaultClientBaseConfig(t *testing.T) VaultClientBase {
 			Token:       &token,
 			RoleId:      envVar(t, "env://"+testutil.MY_ROLE_ID),
 			SecretId:    envVar(t, "env://"+testutil.MY_SECRET_ID),
-			ApprolePath: "myapprole",
+			ApprolePath: envVar(t, "env://"+testutil.MY_APPROLE_PATH),
 		},
 		TLS: VaultClientTLS{
 			CaCert:     emptyUrl,
@@ -42,6 +42,7 @@ func TestVaultClientBase_Validate_validVaultClientBase(t *testing.T) {
 	defer testutil.UnsetAll()
 	testutil.SetRoleID()
 	testutil.SetSecretID()
+	testutil.SetAppRolePath()
 
 	err := validVaultClientBaseConfig(t).Validate()
 	require.NoError(t, err)
@@ -51,6 +52,7 @@ func TestVaultClientBase_Validate_VaultUrl_Valid(t *testing.T) {
 	defer testutil.UnsetAll()
 	testutil.SetRoleID()
 	testutil.SetSecretID()
+	testutil.SetAppRolePath()
 
 	vaultUrls := []string{
 		"http://vault",
@@ -95,6 +97,7 @@ func TestVaultClientBase_Validate_AccountDirectory_Valid(t *testing.T) {
 	defer testutil.UnsetAll()
 	testutil.SetRoleID()
 	testutil.SetSecretID()
+	testutil.SetAppRolePath()
 
 	vaultClient := validVaultClientBaseConfig(t)
 
@@ -162,21 +165,21 @@ func TestVaultClientBase_Validate_Authentication_Valid(t *testing.T) {
 			roleIdUrl:   "",
 			secretIdUrl: "",
 			approlePath: "",
-			setEnvFuncs: []func(){testutil.SetToken, testutil.SetRoleID, testutil.SetSecretID},
+			setEnvFuncs: []func(){testutil.SetToken, testutil.SetRoleID, testutil.SetSecretID, testutil.SetAppRolePath},
 		},
 		"approle": {
 			tokenUrl:    "",
 			roleIdUrl:   "env://" + testutil.MY_ROLE_ID,
 			secretIdUrl: "env://" + testutil.MY_SECRET_ID,
-			approlePath: "myapprole",
-			setEnvFuncs: []func(){testutil.SetRoleID, testutil.SetSecretID},
+			approlePath: "env://" + testutil.MY_APPROLE_PATH,
+			setEnvFuncs: []func(){testutil.SetRoleID, testutil.SetSecretID, testutil.SetAppRolePath},
 		},
 		"approle_all_envs": {
 			tokenUrl:    "",
 			roleIdUrl:   "env://" + testutil.MY_ROLE_ID,
 			secretIdUrl: "env://" + testutil.MY_SECRET_ID,
-			approlePath: "myapprole",
-			setEnvFuncs: []func(){testutil.SetToken, testutil.SetRoleID, testutil.SetSecretID},
+			approlePath: "env://" + testutil.MY_APPROLE_PATH,
+			setEnvFuncs: []func(){testutil.SetToken, testutil.SetRoleID, testutil.SetSecretID, testutil.SetAppRolePath},
 		},
 	}
 
@@ -191,7 +194,7 @@ func TestVaultClientBase_Validate_Authentication_Valid(t *testing.T) {
 			vaultClient.Authentication.Token = envVar(t, tt.tokenUrl)
 			vaultClient.Authentication.RoleId = envVar(t, tt.roleIdUrl)
 			vaultClient.Authentication.SecretId = envVar(t, tt.secretIdUrl)
-			vaultClient.Authentication.ApprolePath = tt.approlePath
+			vaultClient.Authentication.ApprolePath = envVar(t, tt.approlePath)
 
 			gotErr := vaultClient.Validate()
 
@@ -216,8 +219,8 @@ func TestVaultClientBase_Validate_Authentication_Invalid(t *testing.T) {
 			tokenUrl:    "env://" + testutil.MY_TOKEN,
 			roleIdUrl:   "env://" + testutil.MY_ROLE_ID,
 			secretIdUrl: "env://" + testutil.MY_SECRET_ID,
-			approlePath: "myapprole",
-			setEnvFuncs: []func(){testutil.SetToken, testutil.SetRoleID, testutil.SetSecretID},
+			approlePath: "env://" + testutil.MY_APPROLE_PATH,
+			setEnvFuncs: []func(){testutil.SetToken, testutil.SetRoleID, testutil.SetSecretID, testutil.SetAppRolePath},
 		},
 		"none_set": {
 			tokenUrl:    "",
@@ -231,28 +234,28 @@ func TestVaultClientBase_Validate_Authentication_Invalid(t *testing.T) {
 			roleIdUrl:   "env://" + testutil.MY_ROLE_ID,
 			secretIdUrl: "env://" + testutil.MY_SECRET_ID,
 			approlePath: "",
-			setEnvFuncs: []func(){testutil.SetToken, testutil.SetRoleID, testutil.SetSecretID},
+			setEnvFuncs: []func(){testutil.SetToken, testutil.SetRoleID, testutil.SetSecretID, testutil.SetAppRolePath},
 		},
 		"approle_only_role_id": {
 			tokenUrl:    "",
 			roleIdUrl:   "env://" + testutil.MY_ROLE_ID,
 			secretIdUrl: "",
-			approlePath: "myapprole",
-			setEnvFuncs: []func(){testutil.SetToken, testutil.SetRoleID, testutil.SetSecretID},
+			approlePath: "env://" + testutil.MY_APPROLE_PATH,
+			setEnvFuncs: []func(){testutil.SetToken, testutil.SetRoleID, testutil.SetSecretID, testutil.SetAppRolePath},
 		},
 		"approle_only_secret_id": {
 			tokenUrl:    "",
 			roleIdUrl:   "",
 			secretIdUrl: "env://" + testutil.MY_SECRET_ID,
-			approlePath: "myapprole",
-			setEnvFuncs: []func(){testutil.SetToken, testutil.SetRoleID, testutil.SetSecretID},
+			approlePath: "env://" + testutil.MY_APPROLE_PATH,
+			setEnvFuncs: []func(){testutil.SetToken, testutil.SetRoleID, testutil.SetSecretID, testutil.SetAppRolePath},
 		},
 		"token_approle_path": {
 			tokenUrl:    "env://" + testutil.MY_TOKEN,
 			roleIdUrl:   "",
 			secretIdUrl: "",
-			approlePath: "myapprole",
-			setEnvFuncs: []func(){testutil.SetToken, testutil.SetRoleID, testutil.SetSecretID},
+			approlePath: "env://" + testutil.MY_APPROLE_PATH,
+			setEnvFuncs: []func(){testutil.SetToken, testutil.SetRoleID, testutil.SetSecretID, testutil.SetAppRolePath},
 		},
 		"token_no_env": {
 			tokenUrl:    "env://" + testutil.MY_TOKEN,
@@ -266,20 +269,20 @@ func TestVaultClientBase_Validate_Authentication_Invalid(t *testing.T) {
 			roleIdUrl:   "",
 			secretIdUrl: "",
 			approlePath: "",
-			setEnvFuncs: []func(){testutil.SetRoleID, testutil.SetSecretID},
+			setEnvFuncs: []func(){testutil.SetRoleID, testutil.SetSecretID, testutil.SetAppRolePath},
 		},
 		"approle_no_env": {
 			tokenUrl:    "",
 			roleIdUrl:   "env://" + testutil.MY_ROLE_ID,
 			secretIdUrl: "env://" + testutil.MY_SECRET_ID,
-			approlePath: "myapprole",
+			approlePath: "env://" + testutil.MY_APPROLE_PATH,
 			setEnvFuncs: []func(){},
 		},
 		"approle_incorrect_env": {
 			tokenUrl:    "",
 			roleIdUrl:   "env://" + testutil.MY_ROLE_ID,
 			secretIdUrl: "env://" + testutil.MY_SECRET_ID,
-			approlePath: "myapprole",
+			approlePath: "env://" + testutil.MY_APPROLE_PATH,
 			setEnvFuncs: []func(){testutil.SetToken},
 		},
 	}
@@ -295,7 +298,7 @@ func TestVaultClientBase_Validate_Authentication_Invalid(t *testing.T) {
 			vaultClient.Authentication.Token = envVar(t, tt.tokenUrl)
 			vaultClient.Authentication.RoleId = envVar(t, tt.roleIdUrl)
 			vaultClient.Authentication.SecretId = envVar(t, tt.secretIdUrl)
-			vaultClient.Authentication.ApprolePath = tt.approlePath
+			vaultClient.Authentication.ApprolePath = envVar(t, tt.approlePath)
 
 			gotErr := vaultClient.Validate()
 
@@ -310,6 +313,7 @@ func TestVaultClientBase_Validate_TLS_Valid(t *testing.T) {
 	defer testutil.UnsetAll()
 	testutil.SetRoleID()
 	testutil.SetSecretID()
+	testutil.SetAppRolePath()
 
 	var tls = map[string]struct {
 		caCert     string
@@ -355,6 +359,7 @@ func TestVaultClientBase_Validate_TLS_Invalid(t *testing.T) {
 	defer testutil.UnsetAll()
 	testutil.SetRoleID()
 	testutil.SetSecretID()
+	testutil.SetAppRolePath()
 
 	var tls = map[string]struct {
 		caCert     string
@@ -442,7 +447,6 @@ func TestVaultClientBase_Validate_TLS_Invalid(t *testing.T) {
 			vaultClient.TLS.ClientKey = clientKey
 
 			gotErr := vaultClient.Validate()
-
 			require.EqualError(t, gotErr, tt.wantErr)
 		})
 	}
@@ -452,6 +456,7 @@ func TestVaultClient_Validate_UsesVaultClientBase(t *testing.T) {
 	defer testutil.UnsetAll()
 	testutil.SetRoleID()
 	testutil.SetSecretID()
+	testutil.SetAppRolePath()
 
 	wantErrMsg := "vault must be a valid HTTP/HTTPS url"
 
@@ -471,6 +476,7 @@ func TestVaultClient_Validate_NoEngineName_Invalid(t *testing.T) {
 	defer testutil.UnsetAll()
 	testutil.SetRoleID()
 	testutil.SetSecretID()
+	testutil.SetAppRolePath()
 
 	wantErrMsg := "either kvEngineName or quorumSignerEngineName must be set"
 
@@ -488,6 +494,7 @@ func TestVaultClient_Validate_MoreThanOneEngineName_Invalid(t *testing.T) {
 	defer testutil.UnsetAll()
 	testutil.SetRoleID()
 	testutil.SetSecretID()
+	testutil.SetAppRolePath()
 
 	wantErrMsg := "either kvEngineName or quorumSignerEngineName must be set"
 
@@ -505,6 +512,7 @@ func TestVaultClient_Validate_QuorumSignerEngineName_UnlockInvalid(t *testing.T)
 	defer testutil.UnsetAll()
 	testutil.SetRoleID()
 	testutil.SetSecretID()
+	testutil.SetAppRolePath()
 
 	wantErrMsg := "unlock is not supported when using quorumSignerEngine"
 

diff --git a/internal/config/vaultclient.go b/internal/config/vaultclient.go
@@ -77,7 +77,7 @@ type VaultClientAuthentication struct {
 	Token       *EnvironmentVariable
 	RoleId      *EnvironmentVariable
 	SecretId    *EnvironmentVariable
-	ApprolePath string
+	ApprolePath *EnvironmentVariable
 }
 
 type VaultClientTLS struct {
@@ -182,18 +182,23 @@ func (c vaultClientAuthenticationJSON) vaultClientAuthentication() (VaultClientA
 	if err != nil {
 		return VaultClientAuthentication{}, err
 	}
+	approlePath, err := url.Parse(c.ApprolePath)
+	if err != nil {
+		return VaultClientAuthentication{}, err
+	}
 
 	var (
 		tEnv = EnvironmentVariable(*token)
 		rEnv = EnvironmentVariable(*roleId)
 		sEnv = EnvironmentVariable(*secretId)
+		aEnv = EnvironmentVariable(*approlePath)
 	)
 
 	return VaultClientAuthentication{
 		Token:       &tEnv,
 		RoleId:      &rEnv,
 		SecretId:    &sEnv,
-		ApprolePath: c.ApprolePath,
+		ApprolePath: &aEnv,
 	}, nil
 }
 
@@ -237,7 +242,7 @@ func (c VaultClientAuthentication) vaultClientAuthenticationJSON() vaultClientAu
 		Token:       c.Token.String(),
 		RoleId:      c.RoleId.String(),
 		SecretId:    c.SecretId.String(),
-		ApprolePath: c.ApprolePath,
+		ApprolePath: c.ApprolePath.String(),
 	}
 }
 

diff --git a/internal/config/vaultclient_test.go b/internal/config/vaultclient_test.go
@@ -23,7 +23,7 @@ func TestVaultClient_UnmarshalJSON(t *testing.T) {
 			"token": "env://MY_TOKEN",
 			"roleId": "env://MY_ROLE_ID",
 			"secretId": "env://MY_SECRET_ID",
-			"approlePath": "my-role"
+			"approlePath": "env://MY_APPROLE_PATH"
 		},
 		"tls": {
 			"caCert": "file:///path/to/ca.pem",
@@ -55,7 +55,10 @@ func TestVaultClient_UnmarshalJSON(t *testing.T) {
 					Scheme: "env",
 					Host:   "MY_SECRET_ID",
 				},
-				ApprolePath: "my-role",
+				ApprolePath: &EnvironmentVariable{
+					Scheme: "env",
+					Host:   "MY_APPROLE_PATH",
+				},
 			},
 			TLS: VaultClientTLS{
 				CaCert: &url.URL{
@@ -102,7 +105,7 @@ func TestVaultClient_UnmarshalJSON_AddsTrailingSlashToAcctDir(t *testing.T) {
 			"token": "env://MY_TOKEN",
 			"roleId": "env://MY_ROLE_ID",
 			"secretId": "env://MY_SECRET_ID",
-			"approlePath": "my-role"
+			"approlePath": "env://MY_APPROLE_PATH"
 		},
 		"tls": {
 			"caCert": "file:///path/to/ca.pem",
@@ -134,7 +137,10 @@ func TestVaultClient_UnmarshalJSON_AddsTrailingSlashToAcctDir(t *testing.T) {
 					Scheme: "env",
 					Host:   "MY_SECRET_ID",
 				},
-				ApprolePath: "my-role",
+				ApprolePath: &EnvironmentVariable{
+					Scheme: "env",
+					Host:   "MY_APPROLE_PATH",
+				},
 			},
 			TLS: VaultClientTLS{
 				CaCert: &url.URL{