DGS-22404 Add AppRole auth for HC Vault (#378)

* DGS-22404 Add AppRole auth for HC Vault

* Minor cleanup

Author: rayokota

schemaregistry/rules/encryption/hcvault/hcvault-client.ts

@@ -8,8 +8,10 @@ export class HcVaultClient implements KmsClient {
   private keyUri: string
   private keyId: string
   private keyName: string
+  private authPromise?: Promise<void>
 
-  constructor(keyUri: string, namespace?: string, token?: string) {
+  constructor(keyUri: string, namespace?: string, token?: string,
+              roleId?: string, secretId?: string) {
     if (!keyUri.startsWith(HcVaultDriver.PREFIX)) {
       throw new Error(`key uri must start with ${HcVaultDriver.PREFIX}`)
     }
@@ -27,19 +29,34 @@ export class HcVaultClient implements KmsClient {
       ...token && { token },
       apiVersion: 'v1',
     })
+    if (roleId != null && secretId != null) {
+      this.authPromise = this.kmsClient.approleLogin({role_id: roleId, secret_id: secretId})
+        .then((result) => {
+          this.kmsClient.token = result.auth.client_token
+        })
+    }
   }
 
   supported(keyUri: string): boolean {
     return this.keyUri === keyUri
   }
 
+  private async ensureAuthenticated(): Promise<void> {
+    if (this.authPromise) {
+      await this.authPromise
+      this.authPromise = undefined // Clear after first use
+    }
+  }
+
   async encrypt(plaintext: Buffer): Promise<Buffer> {
+    await this.ensureAuthenticated()
     const response = await this.kmsClient.encryptData({name: this.keyName, plaintext: plaintext.toString('base64') })
     let data = response.data.ciphertext
     return Buffer.from(data, 'utf8')
   }
 
   async decrypt(ciphertext: Buffer): Promise<Buffer> {
+    await this.ensureAuthenticated()
     const response = await this.kmsClient.decryptData({name: this.keyName, ciphertext: ciphertext.toString('utf8') })
     let data = response.data.plaintext
     return Buffer.from(data, 'base64');

schemaregistry/rules/encryption/hcvault/hcvault-driver.ts

@@ -6,6 +6,8 @@ export class HcVaultDriver implements KmsDriver {
   static PREFIX = 'hcvault://'
   static TOKEN_ID = 'token.id'
   static NAMESPACE = 'namespace'
+  static APPROLE_ROLE_ID = 'approle.role.id'
+  static APPROLE_SECRET_ID = 'approle.secret.id'
 
   /**
    * Register the HashiCorp Vault driver with the KMS registry.
@@ -21,12 +23,25 @@ export class HcVaultDriver implements KmsDriver {
   newKmsClient(config: Map<string, string>, keyUrl?: string): KmsClient {
     const uriPrefix = keyUrl != null ? keyUrl : HcVaultDriver.PREFIX
     let tokenId = config.get(HcVaultDriver.TOKEN_ID)
-    let ns = config.get(HcVaultDriver.NAMESPACE)
     if (tokenId == null)
     {
       tokenId = process.env["VAULT_TOKEN"]
+    }
+    let ns = config.get(HcVaultDriver.NAMESPACE)
+    if (ns == null)
+    {
       ns = process.env["VAULT_NAMESPACE"]
     }
-    return new HcVaultClient(uriPrefix, ns, tokenId)
+    let roleId = config.get(HcVaultDriver.APPROLE_ROLE_ID)
+    if (roleId == null)
+    {
+      roleId = process.env["VAULT_APPROLE_ROLE_ID"]
+    }
+    let secretId = config.get(HcVaultDriver.APPROLE_SECRET_ID)
+    if (secretId == null)
+    {
+      secretId = process.env["VAULT_APPROLE_SECRET_ID"]
+    }
+    return new HcVaultClient(uriPrefix, ns, tokenId, roleId, secretId)
   }
 }