diff --git a/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsClient.cs b/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsClient.cs
index 0e9aa4c1a..2d741b549 100644
--- a/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsClient.cs
+++ b/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsClient.cs
@@ -17,20 +17,22 @@ public class HcVaultKmsClient : IKmsClient
public string KekId { get; }
public string Namespace { get; }
- public string TokenId { get; }
-
+ public HcVaultKmsClient(string kekId, string ns, string tokenId)
+ : this(kekId, ns, new TokenAuthMethodInfo(tokenId))
+ {
+ }
+
+ public HcVaultKmsClient(string kekId, string ns, IAuthMethodInfo authMethod)
{
KekId = kekId;
Namespace = ns;
- TokenId = tokenId;
-
+
if (!kekId.StartsWith(HcVaultKmsDriver.Prefix))
{
throw new ArgumentException(string.Format($"key URI must start with {HcVaultKmsDriver.Prefix}"));
}
keyId = KekId.Substring(HcVaultKmsDriver.Prefix.Length);
- IAuthMethodInfo authMethod = new TokenAuthMethodInfo(tokenId);
Uri uri = new Uri(keyId);
if (uri.Segments.Length == 0)
{
diff --git a/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsDriver.cs b/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsDriver.cs
index b2cfd17ca..abb0883fc 100644
--- a/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsDriver.cs
+++ b/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsDriver.cs
@@ -1,5 +1,8 @@
using System;
using System.Collections.Generic;
+using VaultSharp.V1.AuthMethods;
+using VaultSharp.V1.AuthMethods.AppRole;
+using VaultSharp.V1.AuthMethods.Token;
namespace Confluent.SchemaRegistry.Encryption.HcVault
{
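Review bot: The new primary constructor `HcVaultKmsClient(string kekId, string ns, IAuthMethodInfo authMethod)` accepts `authMethod` without a null guard, so a null auth method is only discovered wherever it is consumed later (outside this hunk), presumably as a NullReferenceException from inside VaultSharp rather than an ArgumentNullException naming the parameter. Add `if (authMethod == null) throw new ArgumentNullException(nameof(authMethod));` before the prefix check, next to the existing kekId validation. The token-taking overload now delegates through `new TokenAuthMethodInfo(tokenId)`, which, if VaultSharp validates its argument, moves the failure for a null token from the old `TokenId` assignment into that call; a test pinning the exception type for a null token is worth adding. Dropping the public `TokenId` property is a source-breaking change for any caller that read it, though no longer exposing the raw token on the client object is a reasonable trade, so call it out in the release notes. The constructor body continues past the end of the hunk.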
@@ -13,7 +16,9 @@ public static void Register()
public static readonly string Prefix = "hcvault://";
public static readonly string TokenId = "token.id";
public static readonly string Namespace = "namespace";
-
+ public static readonly string ApproleRoleId = "approle.role.id";
+ public static readonly string ApproleSecretId = "approle.secret.id";
+
public string GetKeyUrlPrefix()
{
return Prefix;
@@ -22,13 +27,42 @@ public string GetKeyUrlPrefix()
public IKmsClient NewKmsClient(IDictionary config, string keyUrl)
{
config.TryGetValue(TokenId, out string tokenId);
- config.TryGetValue(Namespace, out string ns);
if (tokenId == null)
{
tokenId = Environment.GetEnvironmentVariable("VAULT_TOKEN");
+ }
config.TryGetValue(Namespace, out string ns);
+ if (ns == null)
+ {
ns = Environment.GetEnvironmentVariable("VAULT_NAMESPACE");
}
- return new HcVaultKmsClient(keyUrl, ns, tokenId);
+ config.TryGetValue(ApproleRoleId, out string roleId);
+ if (roleId == null)
+ {
+ roleId = Environment.GetEnvironmentVariable("VAULT_APPROLE_ROLE_ID");
+ }
+ config.TryGetValue(ApproleSecretId, out string secretId);
+ if (secretId == null)
+ {
+ secretId = Environment.GetEnvironmentVariable("VAULT_APPROLE_SECRET_ID");
+ }
+
+ IAuthMethodInfo authMethod;
+ if (roleId != null && secretId != null)
+ {
+ authMethod = new AppRoleAuthMethodInfo(roleId, secretId);
+ }
+ else if (tokenId != null)
+ {
+ authMethod = new TokenAuthMethodInfo(tokenId);
+ }
+ else
+ {
+ throw new ArgumentException($"Either {TokenId} or both {ApproleRoleId} and {ApproleSecretId} " + $"must be provided in config or environment variables.");
+ }
+
+ return new HcVaultKmsClient(keyUrl, ns, authMethod);
}
}
}
\ No newline at end of file
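Review bot: A half-configured AppRole (`approle.role.id` set but `approle.secret.id` missing, or vice versa) silently falls through to token auth or to the generic error in `NewKmsClient`, because the only AppRole check is `roleId != null && secretId != null`; a misconfiguration like that should fail loudly rather than quietly authenticate as a different identity. Add, before the `IAuthMethodInfo authMethod;` selection, `if ((roleId == null) != (secretId == null)) throw new ArgumentException($"Both {ApproleRoleId} and {ApproleSecretId} must be provided for AppRole auth.");`. The precedence when both a token and an AppRole pair are present is implicit, so a comment on the `if (roleId != null && secretId != null)` branch, `// AppRole takes precedence over a static token when both are configured.`, would make the intent explicit. Note too that only `null` counts as absent: an empty string in config, or an env var set to "", is handed to VaultSharp as a credential, so `string.IsNullOrEmpty` would be a safer absence test across the four lookups. The error message correctly names only the config keys and not the secret values; keep it that way.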