DGS-22404 Add AppRole auth for HC Vault

Author: rayokota

src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsClient.cs

@@ -17,20 +17,22 @@ public class HcVaultKmsClient : IKmsClient
 
         public string KekId { get; }
         public string Namespace { get; }
-        public string TokenId { get; }
-        
+
         public HcVaultKmsClient(string kekId, string ns, string tokenId)
+            : this(kekId, ns, new TokenAuthMethodInfo(tokenId))
+        {
+        }
+
+        public HcVaultKmsClient(string kekId, string ns, IAuthMethodInfo authMethod)
         {
             KekId = kekId;
             Namespace = ns;
-            TokenId = tokenId;
-            
+
             if (!kekId.StartsWith(HcVaultKmsDriver.Prefix))
             {
               throw new ArgumentException(string.Format($"key URI must start with {HcVaultKmsDriver.Prefix}"));
             }
             keyId = KekId.Substring(HcVaultKmsDriver.Prefix.Length);
-            IAuthMethodInfo authMethod = new TokenAuthMethodInfo(tokenId);
             Uri uri = new Uri(keyId);
             if (uri.Segments.Length == 0)
             {

src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsDriver.cs

@@ -1,5 +1,8 @@
 using System;
 using System.Collections.Generic;
+using VaultSharp.V1.AuthMethods;
+using VaultSharp.V1.AuthMethods.AppRole;
+using VaultSharp.V1.AuthMethods.Token;
 
 namespace Confluent.SchemaRegistry.Encryption.HcVault
 {
@@ -13,7 +16,9 @@ public static void Register()
         public static readonly string Prefix = "hcvault://";
         public static readonly string TokenId = "token.id";
         public static readonly string Namespace = "namespace";
-        
+        public static readonly string AppRoleId = "app.role.id";
+        public static readonly string AppRoleSecretId = "app.role.secret.id";
+
         public string GetKeyUrlPrefix()
         {
             return Prefix;
@@ -22,13 +27,42 @@ public string GetKeyUrlPrefix()
         public IKmsClient NewKmsClient(IDictionary<string, string> config, string keyUrl)
         {
             config.TryGetValue(TokenId, out string tokenId);
-            config.TryGetValue(Namespace, out string ns);
             if (tokenId == null)
             {
                 tokenId = Environment.GetEnvironmentVariable("VAULT_TOKEN");
+            }
+            config.TryGetValue(Namespace, out string ns);
+            if (ns == null)
+            {
                 ns = Environment.GetEnvironmentVariable("VAULT_NAMESPACE");
             }
-            return new HcVaultKmsClient(keyUrl, ns, tokenId);
+            config.TryGetValue(AppRoleId, out string appRoleId);
+            if (appRoleId == null)
+            {
+                appRoleId = Environment.GetEnvironmentVariable("VAULT_APP_ROLE_ID");
+            }
+            config.TryGetValue(AppRoleSecretId, out string appRoleSecretId);
+            if (appRoleSecretId == null)
+            {
+                appRoleSecretId = Environment.GetEnvironmentVariable("VAULT_APP_ROLE_SECRET_ID");
+            }
+
+            IAuthMethodInfo authMethod;
+            if (appRoleId != null && appRoleSecretId != null)
+            {
+                authMethod = new AppRoleAuthMethodInfo(appRoleId, appRoleSecretId);
+            }
+            else if (tokenId != null)
+            {
+                authMethod = new TokenAuthMethodInfo(tokenId);
+            }
+            else
+            {
+                throw new ArgumentException($"Either {TokenId} or both {AppRoleId} and {AppRoleSecretId} " +
+                                            $"must be provided in config or environment variables.");
+            }
+
+            return new HcVaultKmsClient(keyUrl, ns, authMethod);
         }
     }
 }