Feat: excited to release this major update (#9) (#10)

* feat: file based cred resolver

* feat: hashicorp vault integration for ServiceNow

* feat: hashicorp vault integration for ServiceNow

* feat: hashicorp vault integration for ServiceNow

.gitignore

@@ -15,3 +15,5 @@ buildNumber.properties
 .project
 # JDT-specific (Eclipse Java Development Tools)
 .classpath
+/setup/hashicorp-vault-configs/
+/setup/hashicorp-vault/

CHANGELOG.md

@@ -1,4 +1,6 @@
-### Minor Release
-Feat: Added file vault. Now you can manage the credentials locally in midserver
-through properties file
-Feat: refactored the code to support multiple secret vault platform
+### Major Release
+#### Feat: excited to release this major update
+* Added file vault. Now you can manage the credentials locally in midserver through properties file
+* Refactored the code to support multiple secret vault platform
+* ServiceNow External credential resolver support for Hashicorp Vault as secret vault provider
+* Docs: added detailed README for all the components

README.md

@@ -1,2 +1,61 @@
 # servicenow-ecs-azure-key-vault
 ServiceNow External Credential Storage integration with Azure Key Vault
+
+## setup
+* Upload the jar file to servicenow instance under mid server jars
+
+* https://github.com/arumugamsubramanian/servicenow-ecs-multi-secret-vault/releases
+
+
+![img_1.png](images%2Fimg_1.png)
+
+## file based credential setup
+
+* copy [creds.properties](setup%2Ffile-vault%2Fcreds.properties) to mid server
+* Add mid server properties in config.xml
+```text
+<parameter name="ext.cred.file.path" value="/opt/snc_mid_server/creds.properties"/>
+```
+* Create a credential in below format
+
+![img.png](images%2Fimg.png)
+
+* creds in file should have 
+```text
+filevault-linux.ssh_password.user=root
+filevault-linux.ssh_password.pswd=xxx
+
+Pattern:
+credID.credtype.user
+```
+
+### Note: The cred ID should always start with `file`
+
+## Azure Key Vault Setup
+
+### Note: The cred ID should always start with `akv`
+
+## Hashicorp Vault Setup
+
+Credit: Thanks to Hashicorp Vault for the code reference. This integration was forked from https://github.com/hashicorp/vault-servicenow-credential-resolver
+
+* follow [README.md](setup%2Fhashicorp-vault%2FREADME.md) to setup local vault server in docker
+* Add mid-server properties in config.xml 
+* mid.external_credentials.vault.address (string: "") - Address of Vault Agent as resolveable by the MID server. For example, if Vault Agent is on the same server as the MID server it could be https://127.0.0.1:8200. 
+* mid.external_credentials.vault.ca (string: "") - The CA certificate to trust for TLS in PEM format. If unset, the system's trusted CAs will be used.
+* mid.external_credentials.vault.tls_skip_verify (string: "") - When set to true, skips verification of the Vault server TLS certificiate. Setting this to true is not recommended for production.
+```text
+<parameter name="mid.external_credentials.vault.address" value="http://127.0.0.1:8200"/>
+
+<parameter name="mid.external_credentials.vault.ca" value=""/>
+
+<parameter name="mid.external_credentials.vault.tls_skip_verify" value="true"/>
+```
+* credentials ID format in ServiceNow credentials
+```text
+hv/secret/data/linux # always start with 'hv/' without quotes, otherwise it will not consider hashicorp vault as secret provider.
+
+Format: 
+hv/<secret_path_in_vault>
+```
+![img_2.png](images%2Fimg_2.png)

pom.xml

@@ -2,7 +2,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>servicenow.external.vault</groupId>
     <artifactId>ecs-multi-secret-vault-credential-resolver</artifactId>
-    <version>1.1.1-SNAPSHOT</version>
+    <version>2.0.0-SNAPSHOT</version>
 
     <properties>
         <midserver.agent.dir>${basedir}/libs</midserver.agent.dir>
@@ -179,5 +179,11 @@
             <!--			<scope>system</scope>-->
             <!--			<systemPath>${midserver.agent.dir}/gson.jar</systemPath>-->
         </dependency>
+
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient</artifactId>
+            <version>4.5.13</version>
+        </dependency>
     </dependencies>
 </project>

setup/hashicorp-vault/README.md

@@ -0,0 +1,59 @@
+# Hashicorp vault setup
+
+* Install vault in docker as vault server
+```shell
+docker run -d --cap-add=IPC_LOCK \
+-e 'VAULT_LOCAL_CONFIG={"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:8200", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}' \
+-v $(PWD)/setup/hashicorp-vault:/vault/file \
+-p 8200:8200 \
+--name vault \
+hashicorp/vault server
+```
+* Login to docker container
+```shell
+docker exec -it vault sh
+```
+* Vault setup
+```shell
+export VAULT_ADDR=http://127.0.0.1:8200
+vault status
+vault operator init
+vault operator unseal # three times
+vault login # use root token
+```
+* List the secrets
+```shell
+vault secrets list
+```
+* Enable secret engine and create secrets
+```shell
+vault secrets enable -path=secret kv
+vault kv put -mount=secret linux password="root123" username="root"
+vault kv put -mount=secret foo password="root123" username="root"
+```
+* Create policy to provide access to the above secrets
+```shell
+vault policy write my-policy - << EOF
+    # Dev servers have version 2 of KV secrets engine mounted by default, so will
+    # need these paths to grant permissions:
+    path "secret/data/*" {
+      capabilities = ["read"]
+    }
+    
+    path "secret/data/foo" {
+      capabilities = ["read"]
+    }
+EOF
+
+vault policy list
+vault policy read my-policy
+```
+* create userpass path as 'servicenow'. Use `userpass` as vault auth method
+* username can be anything because you are passing as mid-server config param
+```shell
+vault auth enable -path=servicenow userpass
+
+vault write auth/servicenow/users/servicenow \
+  password=servicenow \
+  policies=my-policy
+```