DGS-22404 Add AppRole auth for HC Vault (#1478)

* DGS-22404 Add AppRole auth for HC Vault

* Minor cleanup

* go mod tidy on examples

Author: rayokota

examples/go.mod

@@ -7,7 +7,6 @@ toolchain go1.21.0
 replace github.com/confluentinc/confluent-kafka-go/v2 => ../
 
 require (
-	github.com/actgardner/gogen-avro/v10 v10.2.1
 	github.com/alecthomas/kingpin v2.2.6+incompatible
 	github.com/confluentinc/confluent-kafka-go/v2 v2.12.0-RC2
 	github.com/gdamore/tcell v1.4.0
@@ -67,7 +66,7 @@ require (
 	github.com/hashicorp/go-sockaddr v1.0.6 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/vault/api v1.15.0 // indirect
-	github.com/heetch/avro v0.4.5 // indirect
+	github.com/hashicorp/vault/api/auth/approle v0.8.0 // indirect
 	github.com/invopop/jsonschema v0.12.0 // indirect
 	github.com/jhump/protoreflect v1.15.6 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect

examples/go.sum

@@ -144,8 +144,6 @@ github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/frankban/quicktest v1.14.0 h1:+cqqvzZV87b4adx/5ayVOaYZ2CrvM4ejQvUdBzPPUss=
-github.com/frankban/quicktest v1.14.0/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og=
 github.com/fsnotify/fsevents v0.2.0 h1:BRlvlqjvNTfogHfeBOFvSC9N0Ddy+wzQCQukyoD7o/c=
 github.com/fsnotify/fsevents v0.2.0/go.mod h1:B3eEk39i4hz8y1zaWS/wPrAP4O6wkIl7HQwKBr1qH/w=
 github.com/fvbommel/sortorder v1.0.2 h1:mV4o8B2hKboCdkJm+a7uX/SIpZob4JzUpc5GGnM45eo=
@@ -261,8 +259,8 @@ github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/vault/api v1.15.0 h1:O24FYQCWwhwKnF7CuSqP30S51rTV7vz1iACXE/pj5DA=
 github.com/hashicorp/vault/api v1.15.0/go.mod h1:+5YTO09JGn0u+b6ySD/LLVf8WkJCPLAL2Vkmrn2+CM8=
-github.com/heetch/avro v0.4.5 h1:BSnj4wEeUG1IjMTm9/tBwQnV3euuIVa1mRWHnm1t8VU=
-github.com/heetch/avro v0.4.5/go.mod h1:gxf9GnbjTXmWmqxhdNbAMcZCjpye7RV5r9t3Q0dL6ws=
+github.com/hashicorp/vault/api/auth/approle v0.8.0 h1:FuVtWZ0xD6+wz1x0l5s0b4852RmVXQNEiKhVXt6lfQY=
+github.com/hashicorp/vault/api/auth/approle v0.8.0/go.mod h1:NV7O9r5JUtNdVnqVZeMHva81AIdpG0WoIQohNt1VCPM=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/in-toto/in-toto-golang v0.5.0 h1:hb8bgwr0M2hGdDsLjkJ3ZqJ8JFLL/tgYdAxF/XEFBbY=

go.mod

@@ -13,11 +13,13 @@ require (
 	github.com/aws/aws-sdk-go-v2/config v1.27.10
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.10
 	github.com/aws/aws-sdk-go-v2/service/kms v1.30.1
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.6
 	github.com/golang/protobuf v1.5.4
 	github.com/google/cel-go v0.20.1
 	github.com/google/uuid v1.6.0
 	github.com/hamba/avro/v2 v2.24.0
 	github.com/hashicorp/vault/api v1.15.0
+	github.com/hashicorp/vault/api/auth/approle v0.8.0
 	github.com/heetch/avro v0.4.5
 	github.com/invopop/jsonschema v0.12.0
 	github.com/jhump/protoreflect v1.15.6
@@ -29,6 +31,7 @@ require (
 	github.com/tink-crypto/tink-go-hcvault/v2 v2.1.0
 	github.com/tink-crypto/tink-go/v2 v2.1.0
 	github.com/xiatechs/jsonata-go v1.8.5
+	golang.org/x/oauth2 v0.18.0
 	google.golang.org/api v0.169.0
 	google.golang.org/genproto v0.0.0-20240325203815-454cdb8f5daa
 	google.golang.org/protobuf v1.33.0
@@ -57,7 +60,6 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.20.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect
 	github.com/aws/smithy-go v1.20.2 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -221,7 +223,6 @@ require (
 	golang.org/x/crypto v0.27.0 // indirect
 	golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect
 	golang.org/x/net v0.29.0 // indirect
-	golang.org/x/oauth2 v0.18.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.25.0 // indirect
 	golang.org/x/term v0.24.0 // indirect

go.sum

@@ -332,6 +332,8 @@ github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/vault/api v1.15.0 h1:O24FYQCWwhwKnF7CuSqP30S51rTV7vz1iACXE/pj5DA=
 github.com/hashicorp/vault/api v1.15.0/go.mod h1:+5YTO09JGn0u+b6ySD/LLVf8WkJCPLAL2Vkmrn2+CM8=
+github.com/hashicorp/vault/api/auth/approle v0.8.0 h1:FuVtWZ0xD6+wz1x0l5s0b4852RmVXQNEiKhVXt6lfQY=
+github.com/hashicorp/vault/api/auth/approle v0.8.0/go.mod h1:NV7O9r5JUtNdVnqVZeMHva81AIdpG0WoIQohNt1VCPM=
 github.com/heetch/avro v0.4.5 h1:BSnj4wEeUG1IjMTm9/tBwQnV3euuIVa1mRWHnm1t8VU=
 github.com/heetch/avro v0.4.5/go.mod h1:gxf9GnbjTXmWmqxhdNbAMcZCjpye7RV5r9t3Q0dL6ws=
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog=

schemaregistry/rules/encryption/hcvault/hcvault_client.go

@@ -34,7 +34,7 @@ import (
 // vaultClient represents a client that connects to the HashiCorp Vault backend.
 type vaultClient struct {
 	keyURIPrefix string
-	client       *api.Logical
+	client       *api.Client
 }
 
 var _ registry.KMSClient = (*vaultClient)(nil)
@@ -86,10 +86,15 @@ func NewClient(uriPrefix string, tlsCfg *tls.Config, namespace string, token str
 	client.SetToken(token)
 	return &vaultClient{
 		keyURIPrefix: uriPrefix,
-		client:       client.Logical(),
+		client:       client,
 	}, nil
 }
 
+// Client returns the underlying Vault client.
+func (c *vaultClient) Client() *api.Client {
+    return c.client
+}
+
 // Supported returns true if this client does support keyURI.
 func (c *vaultClient) Supported(keyURI string) bool {
 	return strings.HasPrefix(keyURI, c.keyURIPrefix)
@@ -106,5 +111,5 @@ func (c *vaultClient) GetAEAD(keyURI string) (tink.AEAD, error) {
 		return nil, errors.New("malformed keyURI")
 	}
 	keyPath := u.EscapedPath()
-	return vault.NewAEAD(keyPath, c.client)
+	return vault.NewAEAD(keyPath, c.client.Logical())
 }

schemaregistry/rules/encryption/hcvault/hcvault_driver.go

@@ -17,15 +17,21 @@
 package hcvault
 
 import (
+	"context"
+	"fmt"
 	"github.com/confluentinc/confluent-kafka-go/v2/schemaregistry/rules/encryption"
 	"github.com/tink-crypto/tink-go/v2/core/registry"
 	"os"
+
+	auth "github.com/hashicorp/vault/api/auth/approle"
 )
 
 const (
-	prefix    = "hcvault://"
-	tokenID   = "token.id"
-	namespace = "namespace"
+	prefix          = "hcvault://"
+	tokenID         = "token.id"
+	namespace       = "namespace"
+	approleRoleID   = "approle.role.id"
+	approleSecretID = "approle.secret.id"
 )
 
 func init() {
@@ -50,11 +56,44 @@ func (l *hcvaultDriver) NewKMSClient(config map[string]string, keyURL *string) (
 	if keyURL != nil {
 		uriPrefix = *keyURL
 	}
-	ns := config[namespace]
 	token := config[tokenID]
 	if token == "" {
-		ns = os.Getenv("VAULT_NAMESPACE")
 		token = os.Getenv("VAULT_TOKEN")
 	}
-	return NewClient(uriPrefix, nil, ns, token)
+	ns := config[namespace]
+	if ns == "" {
+		ns = os.Getenv("VAULT_NAMESPACE")
+	}
+	client, err := NewClient(uriPrefix, nil, ns, token)
+	if err != nil {
+		return nil, err
+	}
+	roleID := config[approleRoleID]
+	if roleID == "" {
+		roleID = os.Getenv("VAULT_APPROLE_ROLE_ID")
+	}
+	secretID := config[approleSecretID]
+	if secretID == "" {
+		secretID = os.Getenv("VAULT_APPROLE_SECRET_ID")
+	}
+	if roleID != "" && secretID != "" {
+		roleSecretID := &auth.SecretID{FromString: secretID}
+		appRoleAuth, err := auth.NewAppRoleAuth(
+			roleID,
+			roleSecretID,
+		)
+		if err != nil {
+			return nil, fmt.Errorf("unable to initialize AppRole auth method: %w", err)
+		}
+
+		vaultClient := client.(*vaultClient).Client()
+		authInfo, err := vaultClient.Auth().Login(context.Background(), appRoleAuth)
+		if err != nil {
+			return nil, fmt.Errorf("unable to login to AppRole auth method: %w", err)
+		}
+		if authInfo == nil {
+			return nil, fmt.Errorf("no auth info was returned after login")
+		}
+	}
+	return client, nil
 }