Vault, Nant & Integrated Security

[jaydenm]

Is there any way we can get Vault to use Windows Authentication from Nant to create the connection?

The Nant block I am using to initialise the vault connection is :

<target name="InitialiseVaultSettings">
<echo>InitialiseVaultSettings</echo>
<vaultsetloginoptions user="${vault.Username}" password="${vault.Password}" URL="${vault.Host}" repository="${vault.Repository}" />
<vaultsetworkingfolder repositoryFolderPath="${vault.Folder}" diskPath="${vault.WorkingDirectory}" createDiskPath="true" />

As I am working on the project with other developers, hard coding user names and passwords into the Nant build file is not a good idea. Both username and password are required options in the vaultsetloginoptions command.

An alternative would be to call the vault.exe command line tool, if that was able to be called and use integrated security? Is this possible if not within Nant tasks?

Regards

Jayden

[Beth]

Vault has a way to use Windows logins, but then you still have to enter in the login name and password into your script. If you have room for one more user in your licenses, you might want to consider making a Vault login that has very limited access or maybe read-only.

[jaydenm]

Hi

I've solved this problem by building some custom NAnt tasks. See this link with an explanation for anyone else interested :

http://stackoverflow.com/questions/8512 ... 935#993935

[jaydenm]

UPDATE : the code sample and attachments have been updated since the original post see end of post for details, encryption improved, test stub added and additional comments made in source code ...

The following attachment is a barebones NAnt extension that can be used to provide a UI prompting the user for their Vault UserName and Password. This removes the need to hard code usernames or passwords into your NAnt scripts when using Vault.

Ensure you have the appropriate NAnt tasks installed for Vault. Place the binary file CompassHealth.NAntExtensions.Tasks.dll in the source root directory.

You can then use the following tasks : <VaultLoginGet> , <VaultLoginSave>

You can then use the following functions : ${VaultLoginFunctions::UserName()} , ${VaultLoginFunctions::Password}

Ensure you incluede the <loadtasks assembly="CompassHealth.NAntExtensions.Tasks.dll" /> line to load the extension.

The below is an example of useage :

Code: Select all

  <target name="InitialiseVaultSettings">
    <echo>InitialiseVaultSettings</echo>

    <loadtasks assembly="CompassHealth.NAntExtensions.Tasks.dll" />

    <VaultLoginGet />
    <echo message="UserName = ${VaultLoginFunctions::UserName()}" />

    <vaultsetloginoptions user="${VaultLoginFunctions::UserName()}" password="${VaultLoginFunctions::Password()}" URL="${vault.Host}" repository="${vault.Repository}" />
    
    <vaultsetworkingfolder repositoryFolderPath="${vault.Folder}" diskPath="${vault.WorkingDirectory}" createDiskPath="true" />

    <!-- need to save the login here, as it is cleared once called, this ensures that only correct username and password are stored -->
    <VaultLoginSave />    

  </target>

UPDATE DETAILS
i. need to call VaultLoginSave after vaultsetworkingfolder as vaultsetloginoptions doesn't cause the script to fail immediately until the vaultsetworkingfolder operation begins
ii. Added AES encryption so that user's password is not saved in plaintext in the registry
iii. Fixed some internal logic around clearing the authentication details appropriately after a VaultLoginGet call

[Beth]

Thanks for the update. I'm sure other users will find this useful.