Make transit engine path configurable (spiffe#5058)

Author: InverseIntegral

pkg/server/plugin/keymanager/hashicorpvault/hashicorp_vault.go

@@ -53,6 +53,8 @@ type Config struct {
 	VaultAddr string `hcl:"vault_addr" json:"vault_addr"`
 	// Name of the Vault namespace
 	Namespace string `hcl:"namespace" json:"namespace"`
+	// TransitEnginePath specifies the path to the transit engine to perform key operations.
+	TransitEnginePath string `hcl:"transit_engine_path" json:"transit_engine_path"`
 
 	// Configuration for the Token authentication method
 	TokenAuth *TokenAuthConfig `hcl:"token_auth" json:"token_auth,omitempty"`
@@ -174,8 +176,9 @@ func checkForAuthMethodConfigured(authMethod AuthMethod) error {
 
 func (p *Plugin) genClientParams(method AuthMethod, config *Config) (*ClientParams, error) {
 	cp := &ClientParams{
-		VaultAddr: p.getEnvOrDefault(envVaultAddr, config.VaultAddr),
-		Namespace: p.getEnvOrDefault(envVaultNamespace, config.Namespace),
+		VaultAddr:         p.getEnvOrDefault(envVaultAddr, config.VaultAddr),
+		Namespace:         p.getEnvOrDefault(envVaultNamespace, config.Namespace),
+		TransitEnginePath: p.getEnvOrDefault(envVaultTransitEnginePath, config.TransitEnginePath),
 	}
 
 	switch method {

pkg/server/plugin/keymanager/hashicorpvault/vault_client.go

@@ -21,17 +21,19 @@ import (
 // TODO: Delete everything that is unused in here
 
 const (
-	envVaultAddr            = "VAULT_ADDR"
-	envVaultToken           = "VAULT_TOKEN"
-	envVaultClientCert      = "VAULT_CLIENT_CERT"
-	envVaultClientKey       = "VAULT_CLIENT_KEY"
-	envVaultCACert          = "VAULT_CACERT"
-	envVaultAppRoleID       = "VAULT_APPROLE_ID"
-	envVaultAppRoleSecretID = "VAULT_APPROLE_SECRET_ID" // #nosec G101
-	envVaultNamespace       = "VAULT_NAMESPACE"
+	envVaultAddr              = "VAULT_ADDR"
+	envVaultToken             = "VAULT_TOKEN"
+	envVaultClientCert        = "VAULT_CLIENT_CERT"
+	envVaultClientKey         = "VAULT_CLIENT_KEY"
+	envVaultCACert            = "VAULT_CACERT"
+	envVaultAppRoleID         = "VAULT_APPROLE_ID"
+	envVaultAppRoleSecretID   = "VAULT_APPROLE_SECRET_ID" // #nosec G101
+	envVaultNamespace         = "VAULT_NAMESPACE"
+	envVaultTransitEnginePath = "VAULT_TRANSIT_ENGINE_PATH"
 
 	defaultCertMountPoint    = "cert"
 	defaultPKIMountPoint     = "pki"
+	defaultTransitEnginePath = "transit"
 	defaultAppRoleMountPoint = "approle"
 	defaultK8sMountPoint     = "kubernetes"
 )
@@ -93,6 +95,8 @@ type ClientParams struct {
 	MaxRetries *int
 	// Name of the Vault namespace
 	Namespace string
+	// TransitEnginePath specifies the path to the transit engine to perform key operations.
+	TransitEnginePath string
 }
 
 type Client struct {
@@ -110,6 +114,7 @@ func NewClientConfig(cp *ClientParams, logger hclog.Logger) (*ClientConfig, erro
 		AppRoleAuthMountPoint: defaultAppRoleMountPoint,
 		K8sAuthMountPoint:     defaultK8sMountPoint,
 		PKIMountPoint:         defaultPKIMountPoint,
+		TransitEnginePath:     defaultTransitEnginePath,
 	}
 	if err := mergo.Merge(cp, defaultParams); err != nil {
 		return nil, status.Errorf(codes.Internal, "unable to merge client params: %v", err)
@@ -370,15 +375,13 @@ func (c *Client) CreateKey(ctx context.Context, spireKeyID string, keyType Trans
 	}
 
 	// TODO: Handle errors here such as key already exists
-	// TODO: Make the transit engine path configurable
-	_, err := c.vaultClient.Logical().WriteWithContext(ctx, fmt.Sprintf("/transit/keys/%s", spireKeyID), arguments)
+	_, err := c.vaultClient.Logical().WriteWithContext(ctx, fmt.Sprintf("/%s/keys/%s", c.clientParams.TransitEnginePath, spireKeyID), arguments)
 	return err
 }
 
 func (c *Client) GetKey(ctx context.Context, spireKeyID string) (string, error) {
 	// TODO: Handle errors here
-	// TODO: Make the transit engine path configurable
-	res, err := c.vaultClient.Logical().ReadWithContext(ctx, fmt.Sprintf("/transit/keys/%s", spireKeyID))
+	res, err := c.vaultClient.Logical().ReadWithContext(ctx, fmt.Sprintf("/%s/keys/%s", c.clientParams.TransitEnginePath, spireKeyID))
 	if err != nil {
 		return "", err
 	}
@@ -428,8 +431,7 @@ func (c *Client) SignData(ctx context.Context, spireKeyID string, data []byte, h
 	}
 
 	// TODO: Handle errors here
-	// TODO: Make the transit engine path configurable
-	sigResp, err := c.vaultClient.Logical().WriteWithContext(ctx, fmt.Sprintf("/transit/sign/%s/%s", spireKeyID, hashAlgo), body)
+	sigResp, err := c.vaultClient.Logical().WriteWithContext(ctx, fmt.Sprintf("/%s/sign/%s/%s", c.clientParams.TransitEnginePath, spireKeyID, hashAlgo), body)
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "transit engine sign call failed: %v", err)
 	}

pkg/server/plugin/keymanager/hashicorpvault/vault_client_test.go

@@ -26,6 +26,7 @@ func TestNewClientConfigWithDefaultValues(t *testing.T) {
 		CertAuthMountPoint:    "", // Expect the default value to be used.
 		AppRoleAuthMountPoint: "", // Expect the default value to be used.
 		K8sAuthMountPoint:     "", // Expect the default value to be used.
+		TransitEnginePath:     "", // Expect the default value to be used.
 	}
 
 	cc, err := NewClientConfig(p, hclog.Default())
@@ -34,6 +35,7 @@ func TestNewClientConfigWithDefaultValues(t *testing.T) {
 	require.Equal(t, defaultCertMountPoint, cc.clientParams.CertAuthMountPoint)
 	require.Equal(t, defaultAppRoleMountPoint, cc.clientParams.AppRoleAuthMountPoint)
 	require.Equal(t, defaultK8sMountPoint, cc.clientParams.K8sAuthMountPoint)
+	require.Equal(t, defaultTransitEnginePath, cc.clientParams.TransitEnginePath)
 }
 
 func TestNewClientConfigWithGivenValuesInsteadOfDefaults(t *testing.T) {
@@ -44,6 +46,7 @@ func TestNewClientConfigWithGivenValuesInsteadOfDefaults(t *testing.T) {
 		CertAuthMountPoint:    "test-tls-cert",
 		AppRoleAuthMountPoint: "test-approle",
 		K8sAuthMountPoint:     "test-k8s",
+		TransitEnginePath:     "test-transit",
 	}
 
 	cc, err := NewClientConfig(p, hclog.Default())
@@ -52,6 +55,7 @@ func TestNewClientConfigWithGivenValuesInsteadOfDefaults(t *testing.T) {
 	require.Equal(t, "test-tls-cert", cc.clientParams.CertAuthMountPoint)
 	require.Equal(t, "test-approle", cc.clientParams.AppRoleAuthMountPoint)
 	require.Equal(t, "test-k8s", cc.clientParams.K8sAuthMountPoint)
+	require.Equal(t, "test-transit", cc.clientParams.TransitEnginePath)
 }
 
 func TestNewAuthenticatedClientTokenAuth(t *testing.T) {