Support of wrap/unwrap actions

.github/workflows/build_and_test.yaml

@@ -17,22 +17,18 @@ jobs:
     strategy:
       matrix:
         include:
-          - python-version-short: "3.8"
-            python-version: 3.8.18
-            vault-version: "1.12.5-1"
-            hvac-gh-tag: "v1.1.1"
           - python-version-short: "3.9"
             python-version: 3.9.21
-            vault-version: "1.12.5-1"
-            hvac-gh-tag: "v1.1.1"
+            vault-version: "2.0.0-1"
+            hvac-gh-tag: "v2.4.0"
           - python-version-short: "3.10"
             python-version: 3.10.16
-            vault-version: "1.12.5-1"
-            hvac-gh-tag: "v1.1.1"
+            vault-version: "2.0.0-1"
+            hvac-gh-tag: "v2.4.0"
           - python-version-short: "3.11"
             python-version: 3.11.11
-            vault-version: "1.12.5-1"
-            hvac-gh-tag: "v1.1.1"
+            vault-version: "2.0.0-1"
+            hvac-gh-tag: "v2.4.0"
     steps:
       - name: Checkout Pack Repo and CI Repos
         uses: StackStorm-Exchange/ci/.github/actions/checkout@master
@@ -63,8 +59,8 @@ jobs:
         working-directory: pack
         shell: bash
         run: |
-          wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/hashicorp.gpg
-          echo "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
+          wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/hashicorp.gpg
+          echo "deb [arch=amd64, signed-by=/etc/apt/trusted.gpg.d/hashicorp.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
             | sudo tee /etc/apt/sources.list.d/hashicorp.list
 
           sudo apt update \
@@ -77,6 +73,8 @@ jobs:
           # We disble cap_ipc_lock here as its generally incompatabile with GitHub
           # Actions' runtime environments.
           sudo setcap cap_ipc_lock= /usr/bin/vault
+          sudo systemctl restart consul vault
+          sudo systemctl status consul vault
 
       - name: Setup hvac symlinks
         shell: bash

CHANGES.md

@@ -1,5 +1,10 @@
 # Change Log
 
+## 3.0.0
+
+- Removed pinning of hvac to support Python version >= 3.9 and add the sys.wrap/sys.unwrap methods.
+- Added wrap/unwrap actions
+
 ## 2.1.0
 
 - Support mount_point parameter for profiles config.

actions/unwrap_secret.py

@@ -0,0 +1,13 @@
+from lib import action
+import hvac
+
+
+class VaultUnwrapSecretAction(action.VaultBaseAction):
+    def run(self, token, profile_name=None):
+        super().run(profile_name=profile_name)
+        try:
+            resp = self.vault.sys.unwrap(token)
+        except hvac.exceptions.InvalidRequest as e:
+            return (False, f"{e}")
+
+        return (True, resp)

actions/unwrap_secret.yaml

@@ -0,0 +1,17 @@
+---
+name: unwrap_secret
+runner_type: python-script
+description: "Read secret from Vault Wrap engine"
+enabled: true
+entry_point: "unwrap_secret.py"
+parameters:
+  profile_name:
+    type: "string"
+    description: "The profile to use to run this action."
+    required: false
+  token:
+    type: "string"
+    description: "Wrap token to unwrap"
+    required: true
+    secret: true
+    position: 0

actions/wrap_secret.py

@@ -0,0 +1,8 @@
+from lib import action
+
+
+class VaultWrapSecretAction(action.VaultBaseAction):
+    def run(self, secret, ttl, profile_name=None):
+        super().run(profile_name=profile_name)
+        resp = self.vault.sys.wrap(payload=secret, ttl=ttl)
+        return (True, resp)

actions/wrap_secret.yaml

@@ -0,0 +1,23 @@
+---
+name: wrap_secret
+runner_type: python-script
+description: "Write a secret to the Vault Wrap engine"
+enabled: true
+entry_point: "wrap_secret.py"
+parameters:
+  profile_name:
+    type: "string"
+    description: "The profile to use to run this action."
+    required: false
+  ttl:
+    type: "integer"
+    description: "Time-To-Live before the wrap token expires (Default: 300 seconds)"
+    default: 300
+    required: false
+    position: 1
+  secret:
+    type: "object"
+    description: 'Dictionary with secret {"key": "value", "key2": "value2"}'
+    required: true
+    secret: true
+    position: 0

pack.yaml

@@ -2,7 +2,7 @@
 ref: vault
 name: vault
 description: StackStorm pack integration with HashiCorp Vault
-version: 2.1.0
+version: 3.0.0
 python_versions:
   - "3"
 author: steve.neuharth

requirements.txt

@@ -1 +1 @@
-hvac>=1.1.0,<2.0.0
+hvac