From 7f93e5b769583cdc4d95259c5247f197420bb9d9 Mon Sep 17 00:00:00 2001
From: Robert Yokota
Date: Fri, 3 Oct 2025 20:08:27 -0700
Subject: [PATCH 1/2] DGS-22404 Add AppRole auth for HC Vault

---
 .../HcVaultKmsClient.cs | 12 +++---
 .../HcVaultKmsDriver.cs | 40 +++++++++++++++++--
 2 files changed, 44 insertions(+), 8 deletions(-)

diff --git a/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsClient.cs b/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsClient.cs
index 0e9aa4c1a..2d741b549 100644
--- a/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsClient.cs
+++ b/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsClient.cs
@@ -17,20 +17,22 @@ public class HcVaultKmsClient : IKmsClient
         public string KekId { get; }
         public string Namespace { get; }
-        public string TokenId { get; }
-
+
         public HcVaultKmsClient(string kekId, string ns, string tokenId)
+            : this(kekId, ns, new TokenAuthMethodInfo(tokenId))
+        {
+        }
+
+        public HcVaultKmsClient(string kekId, string ns, IAuthMethodInfo authMethod)
         {
             KekId = kekId;
             Namespace = ns;
-            TokenId = tokenId;
-
+
             if (!kekId.StartsWith(HcVaultKmsDriver.Prefix))
             {
                 throw new ArgumentException(string.Format($"key URI must start with {HcVaultKmsDriver.Prefix}"));
             }
             keyId = KekId.Substring(HcVaultKmsDriver.Prefix.Length);
-            IAuthMethodInfo authMethod = new TokenAuthMethodInfo(tokenId);
             Uri uri = new Uri(keyId);
             if (uri.Segments.Length == 0)
             {
diff --git a/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsDriver.cs b/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsDriver.cs
index b2cfd17ca..b4c9b663a 100644
--- a/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsDriver.cs
+++ b/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsDriver.cs
@@ -1,5 +1,8 @@
 using System;
 using System.Collections.Generic;
+using VaultSharp.V1.AuthMethods;
+using VaultSharp.V1.AuthMethods.AppRole;
+using VaultSharp.V1.AuthMethods.Token;
 
 namespace Confluent.SchemaRegistry.Encryption.HcVault
 {
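Review bot: The new `HcVaultKmsClient(string kekId, string ns, IAuthMethodInfo authMethod)` overload accepts `authMethod` without any null check, and nothing in the hunk consumes it before the constructor body runs out of view, so a null credential object would presumably surface later as a NullReferenceException instead of a clear configuration error; add `if (authMethod is null) throw new ArgumentNullException(nameof(authMethod));` ahead of the `kekId.StartsWith` check (the same applies to `kekId`, which is dereferenced on that line). The token overload now builds `new TokenAuthMethodInfo(tokenId)` unconditionally, so whether a null token is rejected early depends on VaultSharp rather than on this class — worth pinning with a test if callers can still reach it with a null token. Dropping the public `TokenId` getter is sound secret hygiene (the Vault token can no longer be read off the client object), but it is a breaking API change the commit message does not mention. The constructor body continues past the end of the hunk.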
@@ -13,7 +16,9 @@ public static void Register()
         public static readonly string Prefix = "hcvault://";
         public static readonly string TokenId = "token.id";
         public static readonly string Namespace = "namespace";
-
+        public static readonly string AppRoleId = "app.role.id";
+        public static readonly string AppRoleSecretId = "app.role.secret.id";
+
         public string GetKeyUrlPrefix()
         {
             return Prefix;
@@ -22,13 +27,42 @@ public string GetKeyUrlPrefix()
         public IKmsClient NewKmsClient(IDictionary config, string keyUrl)
         {
             config.TryGetValue(TokenId, out string tokenId);
-            config.TryGetValue(Namespace, out string ns);
             if (tokenId == null)
             {
                 tokenId = Environment.GetEnvironmentVariable("VAULT_TOKEN");
+            }
+            config.TryGetValue(Namespace, out string ns);
+            if (ns == null)
+            {
                 ns = Environment.GetEnvironmentVariable("VAULT_NAMESPACE");
             }
-            return new HcVaultKmsClient(keyUrl, ns, tokenId);
+            config.TryGetValue(AppRoleId, out string appRoleId);
+            if (appRoleId == null)
+            {
+                appRoleId = Environment.GetEnvironmentVariable("VAULT_APP_ROLE_ID");
+            }
+            config.TryGetValue(AppRoleSecretId, out string appRoleSecretId);
+            if (appRoleSecretId == null)
+            {
+                appRoleSecretId = Environment.GetEnvironmentVariable("VAULT_APP_ROLE_SECRET_ID");
+            }
+
+            IAuthMethodInfo authMethod;
+            if (appRoleId != null && appRoleSecretId != null)
+            {
+                authMethod = new AppRoleAuthMethodInfo(appRoleId, appRoleSecretId);
+            }
+            else if (tokenId != null)
+            {
+                authMethod = new TokenAuthMethodInfo(tokenId);
+            }
+            else
+            {
+                throw new ArgumentException($"Either {TokenId} or both {AppRoleId} and {AppRoleSecretId} " +
+                    $"must be provided in config or environment variables.");
+            }
+
+            return new HcVaultKmsClient(keyUrl, ns, authMethod);
         }
     }
 }
\ No newline at end of file
From 50125d200e2d3bcaecc8524d2f87ae740f64de12 Mon Sep 17 00:00:00 2001
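Review bot: In `NewKmsClient`, when only one of `app.role.id` / `app.role.secret.id` is supplied the `appRoleId != null && appRoleSecretId != null` test fails and the code silently authenticates with `token.id` or whatever `VAULT_TOKEN` happens to be in the process environment, so a half-configured AppRole is masked by an unrelated credential and the client ends up using a token the operator never intended; reject a partial AppRole configuration explicitly instead of falling through. The presence checks also treat an empty string as a value: a `""` from `config.TryGetValue` blocks the environment fallback and is then handed to `AppRoleAuthMethodInfo`/`TokenAuthMethodInfo` as-is, so the four `== null` checks and the selection below should use `string.IsNullOrEmpty`. The precedence (AppRole wins over a static token when both are configured) is not documented anywhere in the hunk; a one-line comment such as `// AppRole credentials take precedence over a static token when both are configured.` above `IAuthMethodInfo authMethod;` would make the intended behaviour visible. The rewritten selection is shown below.
```csharp
            // … unchanged: config / environment lookups for tokenId, ns, appRoleId, appRoleSecretId …
            IAuthMethodInfo authMethod;
            bool haveRoleId = !string.IsNullOrEmpty(appRoleId);
            bool haveSecretId = !string.IsNullOrEmpty(appRoleSecretId);
            if (haveRoleId || haveSecretId)
            {
                // A half-configured AppRole is a misconfiguration; never fall back to the token for it.
                if (!(haveRoleId && haveSecretId))
                {
                    throw new ArgumentException($"Both {AppRoleId} and {AppRoleSecretId} must be provided to use AppRole auth.");
                }
                // AppRole credentials take precedence over a static token when both are configured.
                authMethod = new AppRoleAuthMethodInfo(appRoleId, appRoleSecretId);
            }
            else if (!string.IsNullOrEmpty(tokenId))
            {
                authMethod = new TokenAuthMethodInfo(tokenId);
            }
            else
            {
                // … unchanged: ArgumentException naming the accepted settings …
            }

            return new HcVaultKmsClient(keyUrl, ns, authMethod);
```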
From: Robert Yokota
Date: Fri, 3 Oct 2025 23:59:44 -0700
Subject: [PATCH 2/2] Minor renaming

---
 .../HcVaultKmsDriver.cs | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsDriver.cs b/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsDriver.cs
index b4c9b663a..abb0883fc 100644
--- a/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsDriver.cs
+++ b/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsDriver.cs
@@ -16,8 +16,8 @@ public static void Register()
         public static readonly string Prefix = "hcvault://";
         public static readonly string TokenId = "token.id";
         public static readonly string Namespace = "namespace";
-        public static readonly string AppRoleId = "app.role.id";
-        public static readonly string AppRoleSecretId = "app.role.secret.id";
+        public static readonly string ApproleRoleId = "approle.role.id";
+        public static readonly string ApproleSecretId = "approle.secret.id";
 
         public string GetKeyUrlPrefix()
         {
@@ -36,21 +36,21 @@ public IKmsClient NewKmsClient(IDictionary config, string keyUrl
             {
                 ns = Environment.GetEnvironmentVariable("VAULT_NAMESPACE");
             }
-            config.TryGetValue(AppRoleId, out string appRoleId);
-            if (appRoleId == null)
+            config.TryGetValue(ApproleRoleId, out string roleId);
+            if (roleId == null)
             {
-                appRoleId = Environment.GetEnvironmentVariable("VAULT_APP_ROLE_ID");
+                roleId = Environment.GetEnvironmentVariable("VAULT_APPROLE_ROLE_ID");
             }
-            config.TryGetValue(AppRoleSecretId, out string appRoleSecretId);
-            if (appRoleSecretId == null)
+            config.TryGetValue(ApproleSecretId, out string secretId);
+            if (secretId == null)
             {
-                appRoleSecretId = Environment.GetEnvironmentVariable("VAULT_APP_ROLE_SECRET_ID");
+                secretId = Environment.GetEnvironmentVariable("VAULT_APPROLE_SECRET_ID");
             }
 
             IAuthMethodInfo authMethod;
-            if (appRoleId != null && appRoleSecretId != null)
+            if (roleId != null && secretId != null)
             {
-                authMethod = new AppRoleAuthMethodInfo(appRoleId, appRoleSecretId);
+                authMethod = new AppRoleAuthMethodInfo(roleId, secretId);
             }
             else if (tokenId != null)
             {
@@ -58,7 +58,7 @@ public IKmsClient NewKmsClient(IDictionary config, string keyUrl
             }
             else
             {
-                throw new ArgumentException($"Either {TokenId} or both {AppRoleId} and {AppRoleSecretId} " +
+                throw new ArgumentException($"Either {TokenId} or both {ApproleRoleId} and {ApproleSecretId} " +
                     $"must be provided in config or environment variables.");
             }