
Merge pull request #5 from naphelps/issue-1
Issue 1: Changed more Vault References to OpenBao
naphelps authored Apr 15, 2024
2 parents 05d4e78 + 066282e commit 5cfeb14
Showing 15 changed files with 36 additions and 36 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/build-push.yml
Expand Up @@ -103,7 +103,7 @@ jobs:
cd ${REPO_DIR}
echo "VERSION=$(sed -n 's/^VERSION ?= //p' Makefile | cut -d '$' -f 1)" >> $GITHUB_OUTPUT
# Compile Vault and Build Docker Images
# Compile Bao and Build Docker Images
- name: Compile and Build Docker Images
run: |
cd ${REPO_DIR}
2 changes: 1 addition & 1 deletion .gitignore
@@ -1 +1 @@
/docker/bin/hznvaultauth
/docker/bin/hznbaoauth
4 changes: 2 additions & 2 deletions docker/Dockerfile.ubi.amd64
Expand Up @@ -82,7 +82,7 @@ VOLUME /bao/file
EXPOSE 8200

# For production derivatives of this container, you shoud add the IPC_LOCK
# capability so that Vault can mlock memory.
# capability so that Bao can mlock memory.
RUN curl -4LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl && \
chmod +x ./kubectl && \
mv ./kubectl /usr/local/bin
Expand All @@ -96,7 +96,7 @@ RUN chmod +x /usr/local/bin/entrypoint.sh && \
chmod +x /usr/local/bin/renewToken.sh

# The entry point script uses dumb-init as the top-level process to reap any
# zombie processes created by Vault sub-processes.
# zombie processes created by Bao sub-processes.
#
ENTRYPOINT ["entrypoint.sh"]

6 changes: 3 additions & 3 deletions docker/scripts/auto-unseal.sh
Expand Up @@ -8,8 +8,8 @@ bao_keys=$BAO_KEYS

while true
do
init_status=`vault status 2>/dev/null |grep "Initialized"|awk '{print $2}'|tr -d '\r'`
seal_status=`vault status 2>/dev/null |grep "Sealed"|awk '{print $2}'|tr -d '\r'`
init_status=`bao status 2>/dev/null |grep "Initialized"|awk '{print $2}'|tr -d '\r'`
seal_status=`bao status 2>/dev/null |grep "Sealed"|awk '{print $2}'|tr -d '\r'`
if [ "$init_status" != "true" ];then
output="Bao is not initialized"
elif [ "$seal_status" == "false" ];then
Expand All @@ -24,7 +24,7 @@ do
IFS=$',' keys=( $keys )
for var in ${keys[@]}
do
vault operator unseal $var
bao operator unseal $var
done
set -x

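Review bot: `bao operator unseal $var` on the new line of the second hunk passes the unseal key share as an unquoted positional argument, so a share containing whitespace or glob characters would be split or expanded by the shell before it reaches `bao`; quoting it, `bao operator unseal "$var"`, keeps the value intact. Passing the share on the command line also leaves it readable in the process argument list for the duration of the call, and the `set -x` just after the loop suggests tracing is toggled around this block — confirm the matching `set +x` sits before the loop so the shares are never echoed. In the first hunk, `2>/dev/null` on both `bao status` calls hides connection errors, so an unreachable server yields an empty `init_status` and is reported as "Bao is not initialized" rather than as a failure; the `while true` loop that contains both hunks starts and ends outside them.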
6 changes: 3 additions & 3 deletions docker/scripts/entrypoint.sh
Expand Up @@ -57,9 +57,9 @@ fi
if [ "$1" = 'server' ]; then
shift
set -- bao server \
-config="$VAULT_CONFIG_DIR" \
-dev-root-token-id="$VAULT_DEV_ROOT_TOKEN_ID" \
-dev-listen-address="${VAULT_DEV_LISTEN_ADDRESS:-"0.0.0.0:8200"}" \
-config="$BAO_CONFIG_DIR" \
-dev-root-token-id="$BAO_DEV_ROOT_TOKEN_ID" \
-dev-listen-address="${BAO_DEV_LISTEN_ADDRESS:-"0.0.0.0:8200"}" \
"$@"
elif [ "$1" = 'version' ]; then
# This needs a special case because there's no help output.
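Review bot: The three renamed variables in this hunk (`BAO_CONFIG_DIR`, `BAO_DEV_ROOT_TOKEN_ID`, `BAO_DEV_LISTEN_ADDRESS`) have no fallback to the old `VAULT_*` names, so a deployment that still exports the old variables now starts the server with `-config=""` and an empty dev root token id instead of failing loudly. If backward compatibility is wanted, reading both, e.g. `-config="${BAO_CONFIG_DIR:-$VAULT_CONFIG_DIR}"`, keeps old manifests working; otherwise a guard such as `: "${BAO_CONFIG_DIR:?BAO_CONFIG_DIR must be set}"` before the `set --` turns the silent misconfiguration into an error. Whether these variables receive defaults earlier in the script is outside the hunk (the `fi` at its top closes an earlier block).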
4 changes: 2 additions & 2 deletions docker/scripts/renewToken.sh
Expand Up @@ -5,14 +5,14 @@ export NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
kubectl=kubectl

if [ "$BAO_CREDENTIAL" == "" ];then
BAO_CREDENTIAL=vault-default-deploy-vault-credential
BAO_CREDENTIAL=bao-default-deploy-bao-credential
fi
bao_credential=$BAO_CREDENTIAL


#get root token
baoToken=`$kubectl get secret $bao_credential -n $NAMESPACE -o=jsonpath={.data.token} | base64 -d`
#get vault endpoint
#get bao endpoint
endpoint=`$kubectl get secret $bao_credential -n $NAMESPACE -o=jsonpath={.data.endpoint} | base64 -d`

#get all BaoAccess CRs, if autoRenewToken == true, then renew
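Review bot: The new default `BAO_CREDENTIAL=bao-default-deploy-bao-credential` changes which Kubernetes Secret the root token and endpoint are read from, so an existing deployment whose Secret is still named `vault-default-deploy-vault-credential` will fail both `kubectl get secret` calls below unless it sets `BAO_CREDENTIAL` explicitly; the Secret is created outside this file, so confirm the manifests that create it were renamed in the same release. A one-line comment above the default, `# must match the Secret name created by the deployment manifests`, would make that coupling visible. Separately, `[ "$BAO_CREDENTIAL" == "" ]` relies on a bash extension; `[ -z "$BAO_CREDENTIAL" ]` is the portable form.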
6 changes: 3 additions & 3 deletions main.go
Expand Up @@ -8,11 +8,11 @@ import (
"os"
)

// This plugin provides authentication support for openhorizon users within the vault.
// This plugin provides authentication support for openhorizon users within the bao.
//
// It uses the Vault's framework to interact with the plugin system.
// It uses the bao's framework to interact with the plugin system.
//
// This plugin must be configured by a vault admin through the /config API. Without the config, the plugin
// This plugin must be configured by a bao admin through the /config API. Without the config, the plugin
// is unable to function properly.

func main() {
4 changes: 2 additions & 2 deletions plugin/auth.go
Expand Up @@ -12,7 +12,7 @@ import (
// The exchange root user id.
const EX_ROOT_USER = "root"

// The vault plugin framework calls this method to process login requests.
// The bao plugin framework calls this method to process login requests.
func (o *ohAuthPlugin) pathAuthLogin(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {

// Extract the user authentication info from the request.
Expand All @@ -28,7 +28,7 @@ func (o *ohAuthPlugin) pathAuthLogin(ctx context.Context, req *logical.Request,
o.Logger().Info(ohlog(fmt.Sprintf("handling login for user (%s/%s)", userOrg, userId)))
}

// Extract the exchange URL and vault token from plugin storage. The values are stored in plugin storage when the
// Extract the exchange URL and bao token from plugin storage. The values are stored in plugin storage when the
// config API is invoked.
exURL, tok, renewal, err := o.getConfig(ctx, req)

2 changes: 1 addition & 1 deletion plugin/auth_agbot.go
Expand Up @@ -48,7 +48,7 @@ func (o *ohAuthPlugin) AuthenticateAsAgbot(exURL string, tok string, renewal int
// The caller is an Agbot.
foundAgbot = true

// Ensure that the vault ACL policies needed by the agbot are defined in the vault.
// Ensure that the bao ACL policies needed by the agbot are defined in the bao.
err = o.setupAgbotPolicies(tok)
if err != nil {
o.Logger().Error(ohlog(fmt.Sprintf("unable to setup ACL policies for agbot (%s), error: %v", agbotId, err)))
4 changes: 2 additions & 2 deletions plugin/auth_user.go
Expand Up @@ -72,7 +72,7 @@ func (o *ohAuthPlugin) AuthenticateAsUser(exURL, tok, userOrg, userId, password
// The user is an org admin.
foundAdminUser = true

// Ensure that the vault ACL policies needed by this user are defined in the vault.
// Ensure that the bao ACL policies needed by this user are defined in the bao.
policyName, err = o.setupUserPolicies(userOrg, orgAndUsername[1], foundAdminUser, tok)
if err != nil {
o.Logger().Error(ohlog(fmt.Sprintf("unable to setup ACL policies for user (%s) as an admin, error: %v", fullOrgUser, err)))
Expand All @@ -84,7 +84,7 @@ func (o *ohAuthPlugin) AuthenticateAsUser(exURL, tok, userOrg, userId, password
// The user is a regular user.
foundUser = true

// Ensure that the vault ACL policies needed by this user are defined in the vault.
// Ensure that the bao ACL policies needed by this user are defined in the bao.
policyName, err = o.setupUserPolicies(userOrg, orgAndUsername[1], !foundUser, tok)
if err != nil {
o.Logger().Error(ohlog(fmt.Sprintf("unable to setup ACL policies for user (%s), error: %v", fullOrgUser, err)))
6 changes: 3 additions & 3 deletions plugin/backend.go
Expand Up @@ -18,13 +18,13 @@ const CONFIG_VAULT_API_KEY = "apiurl"

type ohAuthPlugin struct {

// The vault auth plugin framework.
// The bao auth plugin framework.
*framework.Backend

// An HTTP client used to call the openhorizon exchange.
httpClient *http.Client

// A vault client used to interact with the system.
// A bao client used to interact with the system.
vc *api.Client
}

Expand All @@ -39,7 +39,7 @@ func OHAuthPlugin(c *logical.BackendConfig) *ohAuthPlugin {

b.vc, err = api.NewClient(nil)
if err != nil {
panic(ohlog(fmt.Sprintf("could not create vault client, error: %v", err)))
panic(ohlog(fmt.Sprintf("could not create bao client, error: %v", err)))
}

b.Backend = &framework.Backend{
10 changes: 5 additions & 5 deletions plugin/config.go
Expand Up @@ -50,7 +50,7 @@ func (o *ohAuthPlugin) pathConfig(ctx context.Context, req *logical.Request, d *
return nil, errors.New(ohlog(fmt.Sprintf("failed to write secret (%s), error: %v", EXCHANGE_URL_STORAGE_KEY, err)))
}

// Store the vault token used to setup the vault.
// Store the bao token used to setup the bao.
token := d.Get(CONFIG_TOKEN_KEY).(string)
if token == "" {
return nil, errors.New(ohlog(fmt.Sprintf("%s is a required parameter", CONFIG_TOKEN_KEY)))
Expand All @@ -68,7 +68,7 @@ func (o *ohAuthPlugin) pathConfig(ctx context.Context, req *logical.Request, d *
return nil, errors.New(ohlog(fmt.Sprintf("failed to write secret (%s), error: %v", AGBOT_RENEWAL_KEY, err)))
}

// Store the vault API URL used by the plugin to invoke vault APIs.
// Store the bao API URL used by the plugin to invoke bao APIs.
vaultAPIURL := d.Get(CONFIG_VAULT_API_KEY).(string)
if vaultAPIURL == "" {
vaultAPIURL = DEFAULT_APIURL
Expand All @@ -77,7 +77,7 @@ func (o *ohAuthPlugin) pathConfig(ctx context.Context, req *logical.Request, d *
return nil, errors.New(ohlog(fmt.Sprintf("failed to write secret (%s), error: %v", VAULT_APIURL_STORAGE_KEY, err)))
}

// Set the URL into the vault client object.
// Set the URL into the bao client object.
if err = o.vc.SetAddress(vaultAPIURL); err != nil {
return nil, errors.New(ohlog(fmt.Sprintf("failed to set vault URL in the client, error: %v", err)))
}
Expand All @@ -90,7 +90,7 @@ func (o *ohAuthPlugin) pathConfig(ctx context.Context, req *logical.Request, d *
return nil, nil
}

// Extract the exchange URL and vault token from plugin storage.
// Extract the exchange URL and bao token from plugin storage.
func (o *ohAuthPlugin) getConfig(ctx context.Context, req *logical.Request) (exURL string, token string, renewalRate int, err error) {

var url *logical.StorageEntry
Expand All @@ -109,7 +109,7 @@ func (o *ohAuthPlugin) getConfig(ctx context.Context, req *logical.Request) (exU

var tok *logical.StorageEntry

// Extract the agbot vault token from plugin storage.
// Extract the agbot bao token from plugin storage.
tok, err = req.Storage.Get(ctx, VAULT_TOKEN_STORAGE_KEY)
if err != nil {
return
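Review bot: The rewritten comment before `o.vc.SetAddress(vaultAPIURL)` now says "bao client", but the error message on the very next line still reads `failed to set vault URL in the client`, so the wording is inconsistent within three lines and operators grepping logs see both terms; `return nil, errors.New(ohlog(fmt.Sprintf("failed to set bao URL in the client, error: %v", err)))` matches the new comments. The storage keys `VAULT_TOKEN_STORAGE_KEY` and `VAULT_APIURL_STORAGE_KEY` were left unchanged, which is correct because `req.Storage.Get` reads persisted entries under those names and renaming them would orphan existing configuration; a comment at their declarations (outside this view), e.g. `// Persisted storage key; do not rename, existing configs are stored under it.`, would protect them from a later "finish the rename" pass. Both hunks' enclosing functions, `pathConfig` and `getConfig`, extend outside the hunks.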
6 changes: 3 additions & 3 deletions plugin/http.go
Expand Up @@ -138,12 +138,12 @@ func (o *ohAuthPlugin) invokeExchange(url string, user string, pw string) (*http
}
}

// Common function to invoke the Vault API.
// Common function to invoke the bao API.
func (o *ohAuthPlugin) InvokeVault(url string, method string, vaultToken string) (*http.Response, error) {

apiMsg := fmt.Sprintf("%v %v", method, url)

// Create an outgoing HTTP request for the vault.
// Create an outgoing HTTP request for the bao.
req, err := http.NewRequest(method, url, nil)
if err != nil {
return nil, errors.New(fmt.Sprintf("unable to create HTTP request for %v, error %v", apiMsg, err))
Expand All @@ -152,7 +152,7 @@ func (o *ohAuthPlugin) InvokeVault(url string, method string, vaultToken string)
req.Header.Add("X-Vault-Token", vaultToken)
req.Close = true

// Send the request to the vault.
// Send the request to the bao.
resp, err := o.httpClient.Do(req)
if err != nil {
return nil, errors.New(fmt.Sprintf("unable to send HTTP request for %v, error %v", apiMsg, err))
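Review bot: The rewritten doc comment at the top of the hunk, `// Common function to invoke the bao API.`, still does not follow the Go convention that an exported function's doc comment begins with its name; `// InvokeVault sends an HTTP request with the given method to a bao API URL, authenticating with vaultToken via the X-Vault-Token header.` says the same thing in the form `go doc` and linters expect. The `errors.New(fmt.Sprintf(...))` calls following each changed comment are the pattern `fmt.Errorf("unable to create HTTP request for %v: %w", apiMsg, err)` replaces, keeping the underlying cause reachable through `errors.Is`/`errors.As`. `InvokeVault`'s body continues past the end of the hunk.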
8 changes: 4 additions & 4 deletions plugin/policy.go
Expand Up @@ -34,7 +34,7 @@ func (o *ohAuthPlugin) setupUserPolicies(userOrg string, userId string, admin bo
// TODO: VAULT_TOKEN env var is read by NewClient()
o.vc.SetToken(vaultToken)

// Get a handle to the vault system APIs
// Get a handle to the bao system APIs
sysVC := o.vc.Sys()

// The admin privileges of a user can change at any time. First remove any policies that might exist but which no longer apply
Expand Down Expand Up @@ -93,7 +93,7 @@ func (o *ohAuthPlugin) setupUserPolicies(userOrg string, userId string, admin bo
o.Logger().Info(ohlog(fmt.Sprintf("constructed policy %v for user (%s/%s)", policyString, userOrg, userId)))
}

// Add the policy to the vault.
// Add the policy to the bao.
if err := sysVC.PutPolicy(policyName, policyString); err != nil {
o.Logger().Error(ohlog(fmt.Sprintf("PutPolicy for %v failed, error: %v", policyName, err)))
return "", err
Expand All @@ -112,7 +112,7 @@ func (o *ohAuthPlugin) setupAgbotPolicies(vaultToken string) (err error) {

o.vc.SetToken(vaultToken)

// Get a handle to the vault system APIs
// Get a handle to the bao system APIs
sysVC := o.vc.Sys()

// Create a policy for the agbot. If the agbot has been seen before, the correct policy might already exist.
Expand All @@ -126,7 +126,7 @@ func (o *ohAuthPlugin) setupAgbotPolicies(vaultToken string) (err error) {
// If a policy does not already exist for the agbot, create it.
if np == "" {

// Add the policy to the vault.
// Add the policy to the bao.
err := sysVC.PutPolicy(AGBOT_POLICY_NAME, AGBOT_POLICY)
if err != nil {
o.Logger().Error(ohlog(fmt.Sprintf("PutPolicy for %v failed, error: %v", AGBOT_POLICY_NAME, err)))
2 changes: 1 addition & 1 deletion plugin/renew.go
Expand Up @@ -31,7 +31,7 @@ func (o *ohAuthPlugin) pathAuthRenew(ctx context.Context, req *logical.Request,
agbotOrg := agbotParts[0]
id := agbotParts[1]

// Extract the exchange URL and vault token from plugin storage. The values are stored in plugin storage when the
// Extract the exchange URL and bao token from plugin storage. The values are stored in plugin storage when the
// config API is invoked.
exURL, tok, renewal, err := o.getConfig(ctx, req)

