Add profile_name to all actions, add revoke_token action, bump hvac t…

…o 1.1.0

.github/workflows/build_and_test.yaml

@@ -17,9 +17,9 @@ jobs:
     strategy:
       matrix:
         include:
-          - python-version-short: "3.6"
-            python-version: 3.6.13
-            vault-version: 1.5.9
+          - python-version-short: "3.8"
+            python-version: 3.8.17
+            vault-version: 1.12.5
     steps:
       - name: Checkout Pack Repo and CI Repos
         uses: StackStorm-Exchange/ci/.github/actions/checkout@master
@@ -99,7 +99,7 @@ jobs:
 
     services:
       mongo:
-        image: mongo:3.4
+        image: mongo:4.4
         ports:
           - 27017:27017
       rabbitmq:

CHANGES.md

@@ -6,6 +6,9 @@
 - Add profile support to pack to define multiple Vault end-points.
 - Updated README with full list of available actions.
 - Fixes TLS support for server and client certificates.
+- Updated HVAC python module dependency v1.1.0
+- Added token revoke action.
+- Updated all actions to use profile name.
 
 ## 1.0.0
 

README.jinja

@@ -77,10 +77,9 @@ The following string sets are available
 
 ### Update tactic
 
-The update tactic allows control of how the action will update existing secrets.  The currently supported
-tactics are:
- - `update`: Overwrite an existing secret.
- - `abstain`: Do not overwrite an existing secret.
+The update tactic controls how the action will update existing secrets.  It's intended to ensure idempotence on multiple runs of the secret generation action.  The currently supported tactics are:
+ - `overwrite`: Overwrite an existing secret.
+ - `refrain`: Do not overwrite an existing secret.
 
 ## Sensors
 {% if sensors | length > 0 %}

README.md

@@ -24,11 +24,21 @@ The following options are required to be configured for the pack to work correct
 
 The pack provides the following actions:
 
-### delete
-_Delete value from Vault server_
+### delete_policy
+_Delete policy from Vault server_
 | Parameter | Type | Required | Secret | Description |
 |---|---|---|---|---|
-| `path` | string | True | default | _Path to delete from Vault_ |
+| `profile_name` | string | False | default | _The profile to use to run this action._ |
+| `name` | string | True | default | _Policy to delete from Vault_ |
+### read_kv
+_Read a kv value from Vault server_
+| Parameter | Type | Required | Secret | Description |
+|---|---|---|---|---|
+| `profile_name` | string | False | default | _The profile to use to run this action._ |
+| `path` | string | True | default | _Key to read from Vault_ |
+| `kv_version` | number | True | default | _The version of the KV store in vault.  Use 1 for legacy kv stores, 2 for newer kv stores_ |
+| `mount_point` | string | True | default | _The mount point of the kv store_ |
+| `version` | string | True | default | _The version of the kv *data*_ |
 ### generate_secret
 _Generate a secret and write it to vault._
 | Parameter | Type | Required | Secret | Description |
@@ -40,58 +50,70 @@ _Generate a secret and write it to vault._
 | `update_tactic` | string | False | default | _The logic to use when writing secret to Vault.  See readme for details._ |
 | `string_set` | string | default | default | _Unavailable_ |
 | `secret_length` | integer | default | default | _The number of characters to use in the secret._ |
-### read
-_Read value from Vault server_
+### delete
+_Delete value from Vault server_
 | Parameter | Type | Required | Secret | Description |
 |---|---|---|---|---|
-| `path` | string | True | default | _Key to read from Vault_ |
-### create_token
-_Create a new Token_
+| `profile_name` | string | False | default | _The profile to use to run this action._ |
+| `path` | string | True | default | _Path to delete from Vault_ |
+### list_policies
+_List Policies from Vault server_
 | Parameter | Type | Required | Secret | Description |
 |---|---|---|---|---|
-| `token_id` | string | False | default | _Value for the token. By default, this is an auto-generated value._ |
-| Items are of type |  ||||
-| `policies` | array | False | default | _List of policy names to associate with this token._ |
-| `meta` | string | False | default | _Metadata to associate with the token. This metadata will show in the audit log when the token is used._ |
-| `no_parent` | boolean | False | default | _Unavailable_ |
-| `display_name` | string | False | default | _Name to associate with this token. This is a non-sensitive value that can be used to help identify created secrets (e.g. prefixes)._ |
-| `num_uses` | string | False | default | _Number of times this token can be used. After the last use, the token is automatically revoked._ |
-| `no_default_policy` | boolean | False | default | _Detach the 'default' policy from the policy set for this token._ |
-| `ttl` | integer | False | default | _Initial TTL to associate with the token._ |
-| `orphan` | boolean | False | default | _Create the token with no parent. This prevents the token from being revoked when the token which created it expires._ |
-| `wrap_ttl` | string | False | default | _Unavailable_ |
-### write
-_Write a key/value to Vault_
+| `profile_name` | string | False | default | _The profile to use to run this action._ |
+### is_initialized
+_Read initialization status from Vault server_
 | Parameter | Type | Required | Secret | Description |
 |---|---|---|---|---|
-| `path` | string | True | default | _Path to the Vault secrets_ |
-| `values` | string | True | default | _Keys and values to write in Vault ({"key":"value", "key2": "value2"}_ |
-### get_policy
-_Read policy from Vault server_
+| `profile_name` | string | False | default | _The profile to use to run this action._ |
+### set_policy
+_Create a new Vault policy_
 | Parameter | Type | Required | Secret | Description |
 |---|---|---|---|---|
-| `name` | string | True | default | _Policy to read from Vault_ |
-### delete_policy
-_Delete policy from Vault server_
+| `profile_name` | string | False | default | _The profile to use to run this action._ |
+| `name` | string | True | default | _Name of new Vault Policy_ |
+| `rules` | string | True | default | _Policy rules_ |
+### read
+_Read value from Vault server_
 | Parameter | Type | Required | Secret | Description |
 |---|---|---|---|---|
-| `name` | string | True | default | _Policy to delete from Vault_ |
-### read_kv
-_Read a kv value from Vault server_
+| `profile_name` | string | False | default | _The profile to use to run this action._ |
+| `path` | string | True | default | _Key to read from Vault_ |
+### revoke_token
+_Revoke a token and all child tokens._
 | Parameter | Type | Required | Secret | Description |
 |---|---|---|---|---|
-| `path` | string | True | default | _Key to read from Vault_ |
-| `kv_version` | number | True | default | _The version of the KV store in vault.  Use 1 for legacy kv stores, 2 for newer kv stores_ |
-| `mount_point` | string | True | default | _The mount point of the kv store_ |
-| `version` | string | True | default | _The version of the kv *data*_ |
-### set_policy
-_Create a new Vault policy_
+| `profile_name` | string | False | default | _The profile to use to run this action._ |
+| `token` | string | True | default | _Token to revoke._ |
+| `mount_point` | string | False | default | _The 'path' the method/backend was mounted on._ |
+### get_policy
+_Read policy from Vault server_
 | Parameter | Type | Required | Secret | Description |
 |---|---|---|---|---|
-| `name` | string | True | default | _Name of new Vault Policy_ |
-| `rules` | string | True | default | _Policy rules_ |
-### list_policies
-_List Policies from Vault server_
+| `profile_name` | string | False | default | _The profile to use to run this action._ |
+| `name` | string | True | default | _Policy to read from Vault_ |
+### create_token
+_Create a new Token_
+| Parameter | Type | Required | Secret | Description |
+|---|---|---|---|---|
+| `profile_name` | string | False | default | _The profile to use to run this action._ |
+| `token_id` | string | False | default | _The ID of the client token.  By default, this is an auto-generated value._ |
+| `role_name` | string | False | default | _The name of the token role._ |
+| Items are of type |  ||||
+| `policies` | array | False | default | _List of policy names to associate with this token._ |
+| `meta` | string | False | default | _Metadata to associate with the token. This metadata will show in the audit log when the token is used._ |
+| `no_parent` | boolean | False | default | _This argument only has effect if used by a root or sudo caller._ |
+| `no_default_policy` | boolean | False | default | _Detach the 'default' policy from the policy set for this token._ |
+| `renewable` | boolean | False | default | _True: Permit the token to be renewable up to the system/mount maximum TTL. False: Token can't be renewed past its initial TTL._ |
+| `ttl` | string | False | default | _Initial TTL to associate with the token, provided as '1h', where hour is the largest suffix. (default unit: seconds)_ |
+| `token_type` | string | False | default | _The token type. Can be 'batch' or 'service'. Defaults to the type specified by the role configuration named by role_name._ |
+| `explicit_max_ttl` | string | False | default | _If set, the token will never be able to be renewed or used past the value set at issue time._ |
+| `display_name` | string | False | default | _Name to associate with this token. This is a non-sensitive value that can be used to help identify created secrets (e.g. prefixes)._ |
+| `num_uses` | string | False | default | _Number of times this token can be used. After the last use, the token is automatically revoked._ |
+| `period` | string | False | default | _If specified, the token will be periodic; it will have no maximum TTL (unless an 'explicit-max-ttl' is also set) but every renewal will use the given period. Requires a root token or one with the sudo capability._ |
+| `entity_alias` | string | default | default | _Name of the entity alias to associate with during token creation._ |
+| `wrap_ttl` | string | False | default | _Specifies response wrapping token creation with duration. IE: '15s', '20m', '25h'._ |
+| `mount_point` | string | False | default | _The 'path' the method/backend was mounted on._ |
 ### write_secret
 _Write a secret to Vault._
 | Parameter | Type | Required | Secret | Description |
@@ -103,8 +125,13 @@ _Write a secret to Vault._
 | `secret` | string | True | True | _Secret contents to be written._ |
 | `decode_json` | boolean | False | default | _Secret is formatted as a json and should be decode to be sent to Vault_ |
 | `update_tactic` | string | False | default | _The logic to use when writing secret to Vault.  See readme for details._ |
-### is_initialized
-_Read initialization status from Vault server_
+### write
+_Write a key/value to Vault_
+| Parameter | Type | Required | Secret | Description |
+|---|---|---|---|---|
+| `profile_name` | string | False | default | _The profile to use to run this action._ |
+| `path` | string | True | default | _Path to the Vault secrets_ |
+| `values` | string | True | default | _Keys and values to write in Vault ({"key":"value", "key2": "value2"}_ |
 
 
 
@@ -132,10 +159,9 @@ The following string sets are available
 
 ### Update tactic
 
-The update tactic allows control of how the action will update existing secrets.  The currently supported
-tactics are:
- - `update`: Overwrite an existing secret.
- - `abstain`: Do not overwrite an existing secret.
+The update tactic controls how the action will update existing secrets.  It's intended to ensure idempotence on multiple runs of the secret generation action.  The currently supported tactics are:
+ - `overwrite`: Overwrite an existing secret.
+ - `refrain`: Do not overwrite an existing secret.
 
 ## Sensors
 

actions/create_token.py

@@ -2,28 +2,48 @@
 
 
 class VaultCreateTokenAction(action.VaultBaseAction):
+    """
+    Request a child token to be created.  Useful for one time use
+    or fixed time.
+    """
+
     def run(
         self,
-        token_id=None,
-        policies=None,
+        display_name=None,
+        entity_alias=None,
+        explicit_max_ttl="1h",
         meta=None,
+        mount_point="token",
+        no_default_policy=False,
         no_parent=False,
-        display_name=None,
         num_uses=None,
-        no_default_policy=False,
+        period=None,
+        policies=None,
+        profile_name=None,
+        renewable=True,
+        role_name=None,
+        token_id=None,
+        token_type=None,
         ttl=None,
-        orphan=False,
         wrap_ttl=None,
     ):
-        return self.vault.create_token(
-            token_id=token_id,
-            policies=policies,
+        super().run(profile_name=profile_name)
+
+        return self.vault.auth.token.create(
+            display_name=display_name,
+            entity_alias=entity_alias,
+            explicit_max_ttl=explicit_max_ttl,
+            id=token_id,
             meta=meta,
+            mount_point=mount_point,
+            no_default_policy=no_default_policy,
             no_parent=no_parent,
-            display_name=display_name,
             num_uses=num_uses,
-            no_default_policy=no_default_policy,
+            period=period,
+            policies=policies,
+            renewable=renewable,
+            role_name=role_name,
             ttl=ttl,
-            orphan=orphan,
+            type=token_type,
             wrap_ttl=wrap_ttl,
         )

actions/create_token.yaml

@@ -6,9 +6,17 @@ description: "Create a new Token"
 enabled: true
 entry_point: "create_token.py"
 parameters:
+  profile_name:
+    description: "The profile to use to run this action."
+    type: "string"
+    required: false
   token_id:
     type: string
-    description: "Value for the token. By default, this is an auto-generated value."
+    description: "The ID of the client token.  By default, this is an auto-generated value."
+    required: false
+  role_name:
+    type: string
+    description: "The name of the token role."
     required: false
   policies:
     type: array
@@ -22,9 +30,31 @@ parameters:
     description: "Metadata to associate with the token. This metadata will show in the audit log when the token is used."
     required: false
   no_parent:
+    description: "This argument only has effect if used by a root or sudo caller."
+    type: boolean
+    required: false
+    default: false
+  no_default_policy:
     type: boolean
+    description: "Detach the 'default' policy from the policy set for this token."
     required: false
     default: false
+  renewable:
+    type: boolean
+    description: "True: Permit the token to be renewable up to the system/mount maximum TTL. False: Token can't be renewed past its initial TTL."
+    required: false
+  ttl:
+    type: string
+    description: "Initial TTL to associate with the token, provided as '1h', where hour is the largest suffix. (default unit: seconds)"
+    required: false
+  token_type:
+    type: string
+    description: "The token type. Can be 'batch' or 'service'. Defaults to the type specified by the role configuration named by role_name."
+    required: false
+  explicit_max_ttl:
+    type: string
+    description: "If set, the token will never be able to be renewed or used past the value set at issue time."
+    required: false
   display_name:
     type: string
     description: "Name to associate with this token. This is a non-sensitive value that can be used to help identify created secrets (e.g. prefixes)."
@@ -33,20 +63,18 @@ parameters:
     type: string
     description: "Number of times this token can be used. After the last use, the token is automatically revoked."
     required: false
-  no_default_policy:
-    type: boolean
-    description: "Detach the 'default' policy from the policy set for this token."
-    required: false
-    default: false
-  ttl:
-    type: integer
-    description: "Initial TTL to associate with the token."
-    required: false
-  orphan:
-    type: boolean
-    description: "Create the token with no parent. This prevents the token from being revoked when the token which created it expires."
+  period:
+    type: string
+    description: "If specified, the token will be periodic; it will have no maximum TTL (unless an 'explicit-max-ttl' is also set) but every renewal will use the given period. Requires a root token or one with the sudo capability."
     required: false
-    default: false
+  entity_alias:
+    type: string
+    description: "Name of the entity alias to associate with during token creation."
   wrap_ttl:
     type: string
+    description: "Specifies response wrapping token creation with duration. IE: '15s', '20m', '25h'."
+    required: false
+  mount_point:
+    type: string
+    description: "The 'path' the method/backend was mounted on."
     required: false

actions/delete.py

@@ -2,5 +2,9 @@
 
 
 class VaultDeleteAction(action.VaultBaseAction):
-    def run(self, path):
+    """
+    Delete a v1 path.
+    """
+    def run(self, path, profile_name=None):
+        super().run(profile_name=profile_name)
         return self.vault.delete(path)

actions/delete.yaml

@@ -5,8 +5,12 @@ description: "Delete value from Vault server"
 enabled: true
 entry_point: "delete.py"
 parameters:
-    path:
-        type: string
-        description: "Path to delete from Vault"
-        required: true
-        position: 0
+  profile_name:
+    description: "The profile to use to run this action."
+    type: "string"
+    required: false
+  path:
+    type: string
+    description: "Path to delete from Vault"
+    required: true
+    position: 0

actions/delete_policy.py

@@ -2,5 +2,6 @@
 
 
 class VaultPolicyDeleteAction(action.VaultBaseAction):
-    def run(self, name):
+    def run(self, name, profile_name=None):
+        super().run(profile_name=profile_name)
         return self.vault.sys.delete_policy(name)