Merge pull request #25 from reecetech/bugfix/FC-3427-refresh-credentials-on-expiry

jwettenhall · web-flow · commit 90ff2f58de02 · 2024-12-18T12:57:23.000+11:00
Refresh credentials from Vault every hour or as specified in settings
diff --git a/README.rst b/README.rst
@@ -23,14 +23,15 @@ Settings Required
 
 Do not provide `USER` and `PASSWORD`.  Instead provide these settings:
 
-============================  ===========  ===========
-Setting                       Required     Description
-============================  ===========  ===========
-`VAULT_ADDR`                  Yes          The HTTPS endpoint for Vault
-`VAULT_PATH`                  Yes          The path in Vault to the KV v2 secret storing the Informix credentials
-`VAULT_K8S_AUTH_MOUNT_POINT`  No           The Vault mount point to use for Kubernetes authentication, default value: ``kubernetes``
-`VAULT_K8S_JWT`               No           The path to the JWT in a K8s container, default vault: ``/var/run/secrets/kubernetes.io/serviceaccount/token``
-`VAULT_K8S_ROLE`              Conditional  Provide the K8s role *if* using K8s JWT authentication to Vault
-`VAULT_KVV2_MOUNT_POINT`      No           The Vault mount point to use for KVv2 secrets, default value: ``secret``
-`VAULT_TOKEN`                 Conditional  Provide the token *if* using basic token authentication to Vault
-============================  ===========  ===========
+=================================== ===========  ===========
+Setting                             Required     Description
+=================================== ===========  ===========
+`VAULT_ADDR`                        Yes          The HTTPS endpoint for Vault
+`VAULT_PATH`                        Yes          The path in Vault to the KV v2 secret storing the Informix credentials
+`VAULT_K8S_AUTH_MOUNT_POINT`        No           The Vault mount point to use for Kubernetes authentication, default value: ``kubernetes``
+`VAULT_K8S_JWT`                     No           The path to the JWT in a K8s container, default value: ``/var/run/secrets/kubernetes.io/serviceaccount/token``
+`VAULT_K8S_ROLE`                    Conditional  Provide the K8s role *if* using K8s JWT authentication to Vault
+`VAULT_KVV2_MOUNT_POINT`            No           The Vault mount point to use for KVv2 secrets, default value: ``secret``
+`VAULT_TOKEN`                       Conditional  Provide the token *if* using basic token authentication to Vault
+`VAULT_MAXIMUM_CREDENTIAL_LIFETIME` No           Time interval (seconds) to force retrieving credentials from Vault, default value: ``3600``
+=================================== ===========  ===========
diff --git a/django_informixdb_vault/base.py b/django_informixdb_vault/base.py
@@ -4,6 +4,7 @@
 
 import logging
 import os
+from datetime import datetime
 
 import hvac
 
@@ -172,7 +173,19 @@ def get_connection_params(self):
         username = self.settings_dict['USER']
         password = self.settings_dict['PASSWORD']
 
-        if (username and password):
+        maximum_credential_lifetime = \
+            self.settings_dict.get('VAULT_MAXIMUM_CREDENTIAL_LIFETIME', 3600)
+        if maximum_credential_lifetime and 'CREDENTIALS_START_TIME' in self.settings_dict:
+            elapsed = datetime.now() - self.settings_dict['CREDENTIALS_START_TIME']
+            credentials_need_refresh = elapsed.seconds >= maximum_credential_lifetime
+        elif maximum_credential_lifetime:
+            # Settings configured for refreshes but we don't yet have a credential start time
+            credentials_need_refresh = True
+        else:
+            # Don't refresh if VAULT_MAXIMUM_CREDENTIAL_LIFETIME is set to None
+            credentials_need_refresh = False
+
+        if username and password and not credentials_need_refresh:
             conn_params['USER'] = username
             conn_params['PASSWORD'] = password
 
@@ -185,6 +198,7 @@ def get_connection_params(self):
         )
         self.settings_dict['USER'] = username
         self.settings_dict['PASSWORD'] = password
+        self.settings_dict['CREDENTIALS_START_TIME'] = datetime.now()
 
         conn_params['USER'] = username
         conn_params['PASSWORD'] = password
