Namespace and prefix path support on credentials (#129)

* Namespace and prefix path support on credentials

Add "namespace" and "prefixPath" configuration options to all vault credential types (string/username password/ssh).

Add "namespace" configuration option to vault auth credentials to handle case where auth provider is mounted
in a different namespace (i.e. root) than the credential.

Add missing getters on vault credentials so they are
displayed in the ui forms.

* fix: Remove redundant null check

* chore: refactor auth token namespace management

Introduce new AbstractAuthenticatingVaultTokenCredential. This specialization of the AbstractVaultTokenCredential is specific to vault credential types that retrieve the auth client token by using one of the vault auth login methods.

This new abstraction takes care of two issues from the previous implementation:
1. the auth namespace property only applies to auth methods that use it (i.e. VaultTokenCredential should not inherit that property).
2. the auth namespace can be safely scoped to the auth client and not effect the underlying VaultConfig namespace setting.

* fix: invalid javadoc syntax

* chore: remove unused vault argument

The vault argument for the abstract getToken method is
not necessary, all the implementations use the provided
auth client.

* fix: remove unused imports

Author: cronik

Diff for: .gitignore

@@ -9,3 +9,4 @@ work/
 *.sublime*
 tmp/
 src/test/resources/com/datapipe/jenkins/vault/util/ssl/
+.DS_Store

Diff for: src/main/java/com/datapipe/jenkins/vault/credentials/AbstractAuthenticatingVaultTokenCredential.java

@@ -0,0 +1,70 @@
+package com.datapipe.jenkins.vault.credentials;
+
+import com.bettercloud.vault.Vault;
+import com.bettercloud.vault.api.Auth;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import com.datapipe.jenkins.vault.exception.VaultPluginException;
+import edu.umd.cs.findbugs.annotations.CheckForNull;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Util;
+import org.kohsuke.stapler.DataBoundSetter;
+
+/**
+ * Abstract Vault token credential that authenticates with the vault server to retrieve the
+ * authentication token. This credential type can explicitly configure the namespace which
+ * the authentication method is mounted.
+ */
+public abstract class AbstractAuthenticatingVaultTokenCredential extends AbstractVaultTokenCredential {
+
+    @CheckForNull
+    private String namespace;
+
+    protected AbstractAuthenticatingVaultTokenCredential(CredentialsScope scope, String id,
+        String description) {
+        super(scope, id, description);
+    }
+
+    /**
+     * Get Vault namespace.
+     * @return vault namespace or null
+     */
+    @CheckForNull
+    public String getNamespace() {
+        return namespace;
+    }
+
+    /**
+     * Set namespace where auth method is mounted. If set to "/"
+     * the root namespace is explicitly forced, otherwise the
+     * namespace from the secret credential vault config is used.
+     * @param namespace vault namespace
+     */
+    @DataBoundSetter
+    public void setNamespace(String namespace) {
+        this.namespace = Util.fixEmptyAndTrim(namespace);
+    }
+
+    @Override
+    protected final String getToken(Vault vault) {
+        // set authentication namespace if configured for this credential.
+        // importantly, this will not effect the underlying VaultConfig namespace.
+        Auth auth = vault.auth();
+        if (namespace != null) {
+            if (!namespace.trim().equals("/")) {
+                auth.withNameSpace(namespace);
+            } else {
+                auth.withNameSpace(null);
+            }
+        }
+        return getToken(auth);
+    }
+
+    /**
+     * Authenticate with vault using this credential and return the token. The {@code auth} client
+     * will be configured with this credentials namespace.
+     * @param auth vault auth client
+     * @return authentication token
+     * @throws VaultPluginException if failed to authenticate with vault
+     */
+    protected abstract String getToken(@NonNull Auth auth);
+}

Diff for: src/main/java/com/datapipe/jenkins/vault/credentials/VaultAppRoleCredential.java

@@ -1,7 +1,7 @@
 package com.datapipe.jenkins.vault.credentials;
 
-import com.bettercloud.vault.Vault;
 import com.bettercloud.vault.VaultException;
+import com.bettercloud.vault.api.Auth;
 import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.datapipe.jenkins.vault.exception.VaultPluginException;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
@@ -12,7 +12,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.DataBoundConstructor;
 
-public class VaultAppRoleCredential extends AbstractVaultTokenCredential {
+public class VaultAppRoleCredential extends AbstractAuthenticatingVaultTokenCredential {
 
     private final @NonNull
     Secret secretId;
@@ -48,9 +48,9 @@ public String getPath() {
     }
 
     @Override
-    public String getToken(Vault vault) {
+    public String getToken(Auth auth) {
         try {
-            return vault.auth().loginByAppRole(path, roleId, Secret.toString(secretId))
+            return auth.loginByAppRole(path, roleId, Secret.toString(secretId))
                 .getAuthClientToken();
         } catch (VaultException e) {
             throw new VaultPluginException("could not log in into vault", e);

Diff for: src/main/java/com/datapipe/jenkins/vault/credentials/VaultGCPCredential.java

@@ -1,7 +1,7 @@
 package com.datapipe.jenkins.vault.credentials;
 
-import com.bettercloud.vault.Vault;
 import com.bettercloud.vault.VaultException;
+import com.bettercloud.vault.api.Auth;
 import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.datapipe.jenkins.vault.exception.VaultPluginException;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
@@ -18,7 +18,7 @@
 import java.nio.charset.StandardCharsets;
 import org.kohsuke.stapler.DataBoundConstructor;
 
-public class VaultGCPCredential extends AbstractVaultTokenCredential {
+public class VaultGCPCredential extends AbstractAuthenticatingVaultTokenCredential {
 
     @NonNull
     private final String role;
@@ -38,8 +38,13 @@ public String getRole() {
         return role;
     }
 
+    @NonNull
+    public String getAudience() {
+        return audience;
+    }
+
     @Override
-    public String getToken(Vault vault) {
+    public String getToken(Auth auth) {
         String jwt;
         try {
             jwt = retrieveGoogleJWT();
@@ -48,7 +53,7 @@ public String getToken(Vault vault) {
         }
 
         try {
-            return vault.withRetries(5, 500).auth().loginByGCP(role, jwt).getAuthClientToken();
+            return auth.loginByGCP(role, jwt).getAuthClientToken();
         } catch (VaultException e) {
             throw new VaultPluginException("could not log in into vault", e);
         }

Diff for: src/main/java/com/datapipe/jenkins/vault/credentials/VaultGithubTokenCredential.java

@@ -1,7 +1,7 @@
 package com.datapipe.jenkins.vault.credentials;
 
-import com.bettercloud.vault.Vault;
 import com.bettercloud.vault.VaultException;
+import com.bettercloud.vault.api.Auth;
 import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.datapipe.jenkins.vault.exception.VaultPluginException;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
@@ -10,7 +10,7 @@
 import hudson.util.Secret;
 import org.kohsuke.stapler.DataBoundConstructor;
 
-public class VaultGithubTokenCredential extends AbstractVaultTokenCredential {
+public class VaultGithubTokenCredential extends AbstractAuthenticatingVaultTokenCredential {
 
     // https://www.vaultproject.io/docs/auth/github.html#generate-a-github-personal-access-token
     private final @NonNull
@@ -31,9 +31,9 @@ public Secret getAccessToken() {
     }
 
     @Override
-    public String getToken(Vault vault) {
+    public String getToken(Auth auth) {
         try {
-            return vault.auth().loginByGithub(Secret.toString(accessToken)).getAuthClientToken();
+            return auth.loginByGithub(Secret.toString(accessToken)).getAuthClientToken();
         } catch (VaultException e) {
             throw new VaultPluginException("could not log in into vault", e);
         }

Diff for: src/main/java/com/datapipe/jenkins/vault/credentials/VaultKubernetesCredential.java

@@ -1,7 +1,7 @@
 package com.datapipe.jenkins.vault.credentials;
 
-import com.bettercloud.vault.Vault;
 import com.bettercloud.vault.VaultException;
+import com.bettercloud.vault.api.Auth;
 import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.datapipe.jenkins.vault.exception.VaultPluginException;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
@@ -16,7 +16,7 @@
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
 
-public class VaultKubernetesCredential extends AbstractVaultTokenCredential {
+public class VaultKubernetesCredential extends AbstractAuthenticatingVaultTokenCredential {
 
     private static final String SERVICE_ACCOUNT_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token";
 
@@ -43,9 +43,14 @@ public void setMountPath(@NonNull String mountPath) {
         this.mountPath = mountPath;
     }
 
+    @NonNull
+    public String getRole() {
+        return this.role;
+    }
+
     @Override
     @SuppressFBWarnings(value = "DMI_HARDCODED_ABSOLUTE_FILENAME")
-    public String getToken(Vault vault) {
+    protected String getToken(Auth auth) {
         String jwt;
         try (Stream<String> input =  Files.lines(Paths.get(SERVICE_ACCOUNT_TOKEN_PATH)) ) {
             jwt = input.collect(Collectors.joining());
@@ -54,13 +59,10 @@ public String getToken(Vault vault) {
         }
 
         try {
-            return vault
-                .withRetries(5, 500)
-                .auth()
-                .loginByJwt(mountPath, role, jwt)
+            return auth.loginByJwt(mountPath, role, jwt)
                 .getAuthClientToken();
         } catch (VaultException e) {
-            throw new VaultPluginException("could not log in into vault", e);
+            throw new VaultPluginException("could not log in into vault: " + e.getMessage(), e);
         }
     }
 

Diff for: src/main/java/com/datapipe/jenkins/vault/credentials/VaultTokenCredential.java

@@ -19,6 +19,10 @@ public VaultTokenCredential(@CheckForNull CredentialsScope scope, @CheckForNull
         this.token = token;
     }
 
+    @NonNull
+    public Secret getToken() {
+        return token;
+    }
 
     @Override
     public String getToken(Vault vault) {

Diff for: src/main/java/com/datapipe/jenkins/vault/credentials/common/AbstractVaultBaseStandardCredentials.java

@@ -0,0 +1,89 @@
+package com.datapipe.jenkins.vault.credentials.common;
+
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import com.cloudbees.plugins.credentials.impl.BaseStandardCredentials;
+import com.datapipe.jenkins.vault.exception.VaultPluginException;
+import edu.umd.cs.findbugs.annotations.CheckForNull;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Util;
+import org.kohsuke.stapler.DataBoundSetter;
+
+import static com.datapipe.jenkins.vault.credentials.common.VaultHelper.getVaultSecret;
+
+/**
+ * Base Vault credentials that contain a {@code path}, {@code prefixPath}, {@code namespace},
+ * and {@code engineVersion}.
+ */
+public abstract class AbstractVaultBaseStandardCredentials extends BaseStandardCredentials {
+
+    private String path;
+    private String prefixPath;
+    private String namespace;
+    private Integer engineVersion;
+
+    AbstractVaultBaseStandardCredentials(CredentialsScope scope, String id, String description) {
+        super(scope, id, description);
+    }
+
+    @NonNull
+    public String getPrefixPath() {
+        return prefixPath;
+    }
+
+    @DataBoundSetter
+    public void setPrefixPath(String prefixPath) {
+        this.prefixPath = Util.fixEmptyAndTrim(prefixPath);
+    }
+
+    @NonNull
+    public String getPath() {
+        return path;
+    }
+
+    @DataBoundSetter
+    public void setPath(String path) {
+        this.path = path;
+    }
+
+    @CheckForNull
+    public String getNamespace() {
+        return namespace;
+    }
+
+    @DataBoundSetter
+    public void setNamespace(String namespace) {
+        this.namespace = Util.fixEmptyAndTrim(namespace);
+    }
+
+    @CheckForNull
+    public Integer getEngineVersion() {
+        return engineVersion;
+    }
+
+    @DataBoundSetter
+    public void setEngineVersion(Integer engineVersion) {
+        this.engineVersion = engineVersion;
+    }
+
+    /**
+     * Look up secret key value.
+     * @param key secret key name
+     * @return vault secret value
+     */
+    @NonNull
+    protected String getVaultSecretKeyValue(String key) {
+        String s = getVaultSecret(this.path, key, this.prefixPath, this.namespace, this.engineVersion);
+        if (s == null) {
+            throw new VaultPluginException("Fetching from Vault failed for key '" + key + "'");
+        }
+        return s;
+    }
+
+    /**
+     * Get credential display name. Defaults to secret path.
+     * @return display name
+     */
+    public String getDisplayName() {
+        return this.path;
+    }
+}

Diff for: src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultHelper.java

@@ -13,6 +13,7 @@
 import com.datapipe.jenkins.vault.exception.VaultPluginException;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Util;
 import hudson.remoting.Channel;
 import hudson.security.ACL;
 import java.io.IOException;
@@ -29,10 +30,10 @@ public class VaultHelper {
 
     private static final Logger LOGGER = Logger.getLogger(VaultHelper.class.getName());
 
-    static String getVaultSecret(@NonNull String secretPath, @NonNull String secretKey, @CheckForNull Integer engineVersion) {
+    static String getVaultSecret(@NonNull String secretPath, @NonNull String secretKey, @CheckForNull String prefixPath, @CheckForNull String namespace, @CheckForNull Integer engineVersion) {
         try {
             String secret;
-            SecretRetrieve retrieve = new SecretRetrieve(secretPath, secretKey, engineVersion);
+            SecretRetrieve retrieve = new SecretRetrieve(secretPath, secretKey, prefixPath, namespace, engineVersion);
 
             Channel channel = Channel.current();
             if (channel == null) {
@@ -54,11 +55,17 @@ private static class SecretRetrieve extends SlaveToMasterCallable<String, IOExce
         private final String secretPath;
         private final String secretKey;
         @CheckForNull
+        private final String prefixPath;
+        @CheckForNull
+        private final String namespace;
+        @CheckForNull
         private Integer engineVersion;
 
-        SecretRetrieve(String secretPath, String secretKey, Integer engineVersion) {
+        SecretRetrieve(String secretPath, String secretKey, String prefixPath, String namespace, Integer engineVersion) {
             this.secretPath = secretPath;
             this.secretKey = secretKey;
+            this.prefixPath = Util.fixEmptyAndTrim(prefixPath);
+            this.namespace = Util.fixEmptyAndTrim(namespace);
             this.engineVersion = engineVersion;
         }
 
@@ -85,6 +92,14 @@ public String call() throws IOException {
             try {
                 VaultConfig vaultConfig = configuration.getVaultConfig();
 
+                if (prefixPath != null) {
+                    vaultConfig.prefixPath(prefixPath);
+                }
+
+                if (namespace != null) {
+                    vaultConfig.nameSpace(namespace);
+                }
+
                 VaultCredential vaultCredential = configuration.getVaultCredential();
                 if (vaultCredential == null) vaultCredential = retrieveVaultCredentials(configuration.getVaultCredentialId());
 
@@ -103,6 +118,8 @@ public String call() throws IOException {
                 }
 
                 return values.get(secretKey);
+            } catch (VaultPluginException vpe) {
+              throw vpe;
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }