1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
<?php declare(strict_types = 0);
/*
** Copyright (C) 2001-2025 Zabbix SIA
**
** This program is free software: you can redistribute it and/or modify it under the terms of
** the GNU Affero General Public License as published by the Free Software Foundation, version 3.
**
** This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
** without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
** See the GNU Affero General Public License for more details.
**
** You should have received a copy of the GNU Affero General Public License along with this program.
** If not, see <https://www.gnu.org/licenses/>.
**/
/**
* A class for loading secrets from HashiCorp Vault secret manager.
*/
class CVaultHashiCorp extends CVault {
public const TYPE = ZBX_VAULT_TYPE_HASHICORP;
public const NAME = 'HashiCorp';
public const API_ENDPOINT_DEFAULT = 'https://localhost:8200';
public const DB_PREFIX_DEFAULT = '';
public const DB_PREFIX_PLACEHOLDER = '/v1/secret/data/';
public const DB_PATH_PLACEHOLDER = 'path/to/secret';
private string $api_endpoint;
private string $db_prefix;
private string $db_path;
private string $token;
public function __construct(string $api_endpoint, string $db_prefix, string $db_path, string $token) {
$this->api_endpoint = $api_endpoint;
$this->db_prefix = $db_prefix;
$this->db_path = $db_path;
$this->token = $token;
}
public function validateParameters(): bool {
if (parse_url($this->api_endpoint, PHP_URL_HOST) === null) {
$this->addError(_s('Provided API endpoint "%1$s" is invalid.', $this->api_endpoint));
}
$secret_parser = new CVaultSecretParser([
'provider' => ZBX_VAULT_TYPE_HASHICORP,
'with_namespace' => $this->db_prefix == self::DB_PREFIX_DEFAULT,
'with_key' => false
]);
if ($secret_parser->parse($this->db_path) != CParser::PARSE_SUCCESS) {
$this->addError(_s('Provided secret path "%1$s" is invalid.', $this->db_path));
}
if ($this->token === '') {
$this->addError(_s('Provided authentication token "%1$s" is empty.', $this->token));
}
return !$this->getErrors();
}
public function getCredentials(): ?array {
if ($this->db_prefix == self::DB_PREFIX_DEFAULT) {
$path_parts = explode('/', $this->db_path);
array_splice($path_parts, 1, 0, 'data');
$url = $this->api_endpoint.'/v1/'.implode('/', $path_parts);
}
else {
$url = $this->api_endpoint.$this->db_prefix.$this->db_path;
}
$secret = @file_get_contents($url, false, stream_context_create([
'http' => [
'method' => 'GET',
'header' => "X-Vault-Token: $this->token\r\n",
'ignore_errors' => true
]
]));
if ($secret === false) {
$this->addError(_('Vault connection failed.'));
return null;
}
$secret = $secret ? json_decode($secret, true) : null;
if ($secret === null || !isset($secret['data']['data']) || !is_array($secret['data']['data'])) {
$this->addError(_('Unable to load database credentials from Vault.'));
return null;
}
$db_credentials = $secret['data']['data'];
if (!array_key_exists('username', $db_credentials) || !array_key_exists('password', $db_credentials)) {
$this->addError(_('Username and password must be stored in Vault secret keys "username" and "password".'));
return null;
}
return [
'user' => $db_credentials['username'],
'password' => $db_credentials['password']
];
}
}
|
