Beispiel #1
0
def aws(client, secret, opt):
    """Seed an aws_file into Vault"""
    if 'aws_file' not in secret or 'mount' not in secret:
        problems("Invalid aws secret definition" % secret)

    aws_file_path = hard_path(secret['aws_file'], opt.secrets)
    aws_obj = yaml.load(open(aws_file_path, 'r').read())

    if 'access_key_id' not in aws_obj \
       or 'secret_access_key' not in aws_obj \
       or 'region' not in aws_obj \
       or 'roles' not in aws_obj:
        problems("Invalid AWS secrets" % aws)

    aws_path = "%s/config/root" % secret['mount']
    if not is_tagged(secret.get('tags', []), opt.tags):
        log("Skipping %s as it does not have appropriate tags" % aws_path, opt)
        return

    ensure_mounted(client, 'aws', secret['mount'])

    obj = {
        'access_key': aws_obj['access_key_id'],
        'secret_key': aws_obj['secret_access_key'],
        'region': aws_obj['region']
    }
    client.write(aws_path, **obj)
    log('wrote aws_file %s into %s' % (aws_file_path, aws_path), opt)

    ttl_obj = {}
    lease_msg = ''
    if 'lease' in aws_obj:
        ttl_obj['lease'] = aws_obj['lease']
        lease_msg = "%s lease:%s" % (lease_msg, ttl_obj['lease'])

    if 'lease_max' in aws_obj:
        ttl_obj['lease_max'] = aws_obj['lease_max']
    else:
        if 'lease' in ttl_obj:
            ttl_obj['lease_max'] = ttl_obj['lease']

    if 'lease_max' in ttl_obj:
        lease_msg = "%s lease_max:%s" % (lease_msg, ttl_obj['lease_max'])

    if ttl_obj:
        client.write("%s/config/lease" % (secret['mount']), **ttl_obj)
        log("Updated lease for %s %s" % (secret['mount'], lease_msg), opt)

    for role in aws_obj['roles']:
        if 'policy' not in role or 'name' not in role:
            problems("Invalid role definition %s" % role)

        data = open(hard_path(role['policy'], opt.policies), 'r').read()
        role_path = "%s/roles/%s" % (secret['mount'], role['name'])
        client.write(role_path, policy=data)
Beispiel #2
0
def seed_aws_roles(client, mount, roles, opt):
    """Handles the seeding of roles associated with an AWS account"""
    for role in roles:
        aomi.validation.aws_role_obj(role)

        role_path = "%s/roles/%s" % (mount, role['name'])
        if role.get('state', 'present') == 'present':
            if 'policy' in role:
                role_file = hard_path(role['policy'], opt.policies)
                role_template_obj = role.get('vars', {})
                cli_obj = merge_dicts(load_var_files(opt),
                                      cli_hash(opt.extra_vars))
                obj = merge_dicts(role_template_obj, cli_obj)
                data = render(role_file, obj)
                log(
                    'writing inline role %s from %s' %
                    (role['name'], role_file), opt)
                write(client, role_path, {'policy': data}, opt)
            elif 'arn' in role:
                log('writing role %s for %s' % (role['name'], role['arn']),
                    opt)
                write(client, role_path, {'arn': role['arn']}, opt)
        else:
            log('removing role %s' % role['name'], opt)
            delete(client, role_path, opt)
Beispiel #3
0
    def obj(self):
        ldap_obj = self._obj
        if self.secret:
            filename = hard_path(self.secret, self.opt.secrets)
            secret_file(filename)

        return ldap_obj
Beispiel #4
0
def files(client, secret, opt):
    """Seed files into Vault"""
    if 'mount' not in secret or 'path' not in secret:
        problems("Invalid files specification %s" % secret)

    obj = {}
    vault_path = "%s/%s" % (secret['mount'], secret['path'])
    if not is_tagged(secret.get('tags', []), opt.tags):
        log("Skipping %s as it does not have appropriate tags" % vault_path,
            opt)
        return

    for f in secret.get('files', []):
        if 'source' not in f or 'name' not in f:
            problems("Invalid file specification %s" % f)

        filename = hard_path(f['source'], opt.secrets)
        data = open(filename, 'r').read()
        obj[f['name']] = data
        log('writing file %s into %s/%s' % (filename, vault_path, f['name']),
            opt)

    ensure_mounted(client, 'generic', secret['mount'])

    client.write(vault_path, **obj)
Beispiel #5
0
def files(client, secret, opt):
    """Seed files into Vault"""
    aomi.validation.file_obj(secret)
    obj = {}
    my_mount = sanitize_mount(secret['mount'])
    vault_path = "%s/%s" % (my_mount, secret['path'])
    if not validate_entry(secret, vault_path, opt):
        return

    maybe_mount(client, 'generic', my_mount, opt)

    if opt.mount_only:
        log("Only mounting %s" % my_mount, opt)
        return

    if secret.get('state', 'present') == 'present':
        for sfile in secret.get('files', []):
            if 'source' not in sfile or 'name' not in sfile:
                client.revoke_self_token()
                e_msg = "Invalid file specification %s" % sfile
                raise aomi.exceptions.AomiData(e_msg)

            filename = hard_path(sfile['source'], opt.secrets)
            aomi.validation.secret_file(filename)
            data = open(filename, 'r').read()
            obj[sfile['name']] = data
            log(
                'writing file %s into %s/%s' %
                (filename, vault_path, sfile['name']), opt)

        write(client, vault_path, obj, opt)
    else:
        rmfiles = ','.join([f['source'] for f in secret.get('files', [])])
        log("Removing files %s from %s" % (rmfiles, vault_path), opt)
        delete(client, vault_path, opt)
Beispiel #6
0
 def obj(self):
     filename = hard_path(self.filename, self.opt.secrets)
     secret_file(filename)
     password = open(filename).readline().strip()
     a_obj = self._obj
     a_obj['password'] = password
     a_obj['policies'] = ','.join(sorted(a_obj['policies']))
     return a_obj
Beispiel #7
0
 def obj(self):
     filename = hard_path(self.filename, self.opt.secrets)
     secret_file(filename)
     password = open(filename).readline().strip()
     a_obj = self._obj
     a_obj['password'] = password
     a_obj['policies'] = ','.join(sorted(a_obj['policies']))
     return a_obj
Beispiel #8
0
 def __init__(self, obj, opt):
     super(Policy, self).__init__(obj, opt)
     self.path = obj['name']
     if self.present:
         self.filename = hard_path(obj['file'], opt.policies)
         cli_obj = merge_dicts(load_var_files(opt),
                               cli_hash(opt.extra_vars))
         self._obj = merge_dicts(cli_obj, obj.get('vars', {}))
Beispiel #9
0
 def __init__(self, mount, obj, opt):
     super(AWSRole, self).__init__(obj, opt)
     self.path = "%s/roles/%s" % (mount, obj['name'])
     if self.present:
         self._obj = obj
         if 'policy' in self._obj:
             self._obj['policy'] = hard_path(self._obj['policy'],
                                             opt.policies)
Beispiel #10
0
 def obj(self):
     filename = hard_path(self.filename, self.opt.secrets)
     secret_file(filename)
     password = open(filename).readline().strip()
     return {
         'password': password,
         'policies': ','.join(sorted(self.policies))
     }
Beispiel #11
0
def app(client, app_obj, opt):
    """Seed an app file into Vault"""
    if 'app_file' not in app_obj:
        problems("Invalid app definition %s" % app_obj)

    name = None
    if 'name' in app_obj:
        name = app_obj['name']
    else:
        name = os.path.splitext(os.path.basename(app_obj['app_file']))[0]

    if not is_tagged(app_obj.get('tags', []), opt.tags):
        log("Skipping %s as it does not have appropriate tags" % name, opt)
        return

    app_file = hard_path(app_obj['app_file'], opt.secrets)
    data = yaml.load(open(app_file).read())
    if 'app_id' not in data \
       or 'policy' not in data:
        problems("Invalid app file %s" % app_file)

    policy_name = None
    if 'policy_name' in data:
        policy_name = data['policy_name']
    else:
        policy_name = name

    policy = open(hard_path(data['policy'], opt.policies), 'r').read()
    client.set_policy(name, policy)
    app_path = "auth/app-id/map/app-id/%s" % data['app_id']
    app_obj = {'value': policy_name, 'display_name': name}
    client.write(app_path, **app_obj)
    users = data.get('users', [])
    for user in users:
        if 'id' not in user:
            problems("Invalid user definition %s" % user)

        user_path = "auth/app-id/map/user-id/%s" % user['id']
        user_obj = {'value': data['app_id']}
        if 'cidr' in user:
            user_obj['cidr_block'] = user['cidr']

        client.write(user_path, **user_obj)

    log('created %d users in application %s' % (len(users), name), opt)
Beispiel #12
0
 def obj(self):
     filename = hard_path(self.filename, self.opt.secrets)
     aomi.validation.secret_file(filename)
     obj = yaml.safe_load(open(filename).read())
     return {
         'host': self.host,
         'skey': obj['secret'],
         'ikey': obj['key']
     }
Beispiel #13
0
 def obj(self):
     filename = hard_path(self.filename, self.opt.secrets)
     aomi.validation.secret_file(filename)
     obj = yaml.safe_load(open(filename).read())
     return {
         'host': self.host,
         'skey': obj['secret'],
         'ikey': obj['key']
     }
Beispiel #14
0
    def obj(self):
        ldap_obj = self._obj
        if self.secret:
            filename = hard_path(self.secret, self.opt.secrets)
            secret_file(filename)
            s_obj = load_var_file(filename, load_vars(self.opt))
            for obj_k, obj_v in iteritems(s_obj):
                ldap_obj[obj_k] = obj_v

        return ldap_obj
Beispiel #15
0
    def __init__(self, mount, obj, opt):
        super(AWSRole, self).__init__(obj, opt)
        self.path = "%s/roles/%s" % (mount, obj['name'])
        if 'policy' in obj:
            self.filename = obj['policy']

        if self.present:
            self._obj = obj
            if 'policy' in self._obj:
                self._obj['policy'] = hard_path(self.filename, opt.policies)
Beispiel #16
0
    def obj(self):
        ldap_obj = self._obj
        if self.secret:
            filename = hard_path(self.secret, self.opt.secrets)
            secret_file(filename)
            s_obj = load_var_file(filename, load_vars(self.opt))
            for obj_k, obj_v in iteritems(s_obj):
                ldap_obj[obj_k] = obj_v

        return ldap_obj
Beispiel #17
0
def freeze_secret(src, dest, flav, tmp_dir, opt):
    """Copies a secret into a particular location"""
    src_file = hard_path(src, opt.secrets)
    dest_file = "%s/%s" % (tmp_dir, dest)
    dest_dir = os.path.dirname(dest_file)
    if not os.path.isdir(dest_dir):
        os.mkdir(dest_dir, 0o700)

    shutil.copy(src_file, dest_file)
    log("Froze %s %s" % (flav, src), opt)
Beispiel #18
0
 def obj(self):
     filename = hard_path(self.filename, self.opt.secrets)
     aomi.validation.secret_file(filename)
     handle = open(filename, 'r')
     s_obj = {
         'role_name': self.role_name,
         'secret_name': self.secret_name,
         'secret_id': handle.read().strip()
     }
     handle.close()
     return s_obj
Beispiel #19
0
 def obj(self):
     _secret, filename, region = self._obj
     actual_filename = hard_path(filename, self.opt.secrets)
     secret_file(actual_filename)
     aws_obj = yaml.safe_load(open(actual_filename, 'r').read())
     check_obj(['access_key_id', 'secret_access_key'], self, aws_obj)
     return {
         'access_key': aws_obj['access_key_id'],
         'secret_key': aws_obj['secret_access_key'],
         'region': region
     }
Beispiel #20
0
 def obj(self):
     filename = hard_path(self.filename, self.opt.secrets)
     aomi.validation.secret_file(filename)
     handle = open(filename, 'r')
     s_obj = {
         'role_name': self.role_name,
         'secret_name': self.secret_name,
         'secret_id': handle.read().strip()
     }
     handle.close()
     return s_obj
Beispiel #21
0
def duo_access(client, obj, opt):
    """Sets the DUO access configuration"""
    creds_file_name = hard_path(obj['creds'], opt.secrets)
    aomi.validation.secret_file(creds_file_name)
    creds = yaml.safe_load(open(creds_file_name).read())
    duo_obj = {
        'ikey': creds['key'],
        'skey': creds['secret'],
        'host': obj['host']
    }
    path = "auth/%s/duo/access" % obj['backend']
    write(client, path, duo_obj, opt)
Beispiel #22
0
 def obj(self):
     _secret, filename, region = self._obj
     actual_filename = hard_path(filename, self.opt.secrets)
     secret_file(actual_filename)
     template_obj = load_vars(self.opt)
     aws_obj = load_var_file(actual_filename, template_obj)
     check_obj(['access_key_id', 'secret_access_key'], self, aws_obj)
     return {
         'access_key': aws_obj['access_key_id'],
         'secret_key': aws_obj['secret_access_key'],
         'region': region
     }
Beispiel #23
0
 def obj(self):
     _secret, filename, region = self._obj
     actual_filename = hard_path(filename, self.opt.secrets)
     secret_file(actual_filename)
     template_obj = load_vars(self.opt)
     aws_obj = load_var_file(actual_filename, template_obj)
     check_obj(['access_key_id', 'secret_access_key'],
               self, aws_obj)
     return {
         'access_key': aws_obj['access_key_id'],
         'secret_key': aws_obj['secret_access_key'],
         'region': region
     }
Beispiel #24
0
    def obj(self):
        s_obj = {}
        for name, filename in iteritems(self._obj):
            actual_file = hard_path(filename, self.opt.secrets)
            secret_file(actual_file)
            data = open_maybe_binary(actual_file)
            try:
                is_unicode_string(data)
                s_obj[name] = data
            except aomi.exceptions.Validation:
                s_obj[name] = portable_b64encode(data)
                self.secret_format = 'binary'

        return s_obj
Beispiel #25
0
    def obj(self):
        s_obj = {}
        for name, filename in iteritems(self._obj):
            actual_file = hard_path(filename, self.opt.secrets)
            secret_file(actual_file)
            data = open_maybe_binary(actual_file)
            try:
                is_unicode_string(data)
                s_obj[name] = data
            except aomi.exceptions.Validation:
                s_obj[name] = portable_b64encode(data)
                self.secret_format = 'binary'

        return s_obj
Beispiel #26
0
def aws(client, secret, opt):
    """Seed an aws_file into Vault"""
    aomi.validation.aws_file_obj(secret)

    my_mount = sanitize_mount(secret['mount'])
    aws_path = "%s/config/root" % my_mount
    if not validate_entry(secret, aws_path, opt):
        return

    if secret.get('state', 'present') == 'absent':
        unmount(client, 'aws', my_mount)
        log("Unmounted AWS %s" % aws_path, opt)
        return
    else:
        maybe_mount(client, 'aws', my_mount, opt)

    if opt.mount_only:
        log("Only mounting %s" % my_mount, opt)
        return

    aws_file_path = hard_path(secret['aws_file'], opt.secrets)
    aomi.validation.secret_file(aws_file_path)

    aws_obj = yaml.safe_load(open(aws_file_path, 'r').read())
    aomi.validation.aws_secret_obj(aws_file_path, aws_obj)

    region = aomi.legacy.aws_region(secret, aws_obj)
    if region is None:
        client.revoke_self_token()
        raise aomi.exceptions.AomiData('missing aws region')

    roles = aomi.legacy.aws_roles(secret, aws_obj)
    if roles is None:
        client.revoke_self_token()
        raise aomi.exceptions.AomiData('missing aws roles')

    obj = {
        'access_key': aws_obj['access_key_id'],
        'secret_key': aws_obj['secret_access_key'],
        'region': region
    }
    write(client, aws_path, obj, opt)
    log('wrote aws secrets %s into %s' % (aws_file_path, aws_path), opt)

    ttl_obj, lease_msg = grok_ttl(secret, aws_obj)
    if ttl_obj:
        write(client, "%s/config/lease" % (secret['mount']), ttl_obj, opt)
        log("Updated lease for %s %s" % (secret['mount'], lease_msg), opt)

    seed_aws_roles(client, secret['mount'], roles, opt)
Beispiel #27
0
    def freeze(self, tmp_dir):
        """Copies a secret into a particular location"""
        for sfile in self.secrets():
            src_file = hard_path(sfile, self.opt.secrets)
            if not os.path.exists(src_file):
                raise aomi.exceptions.IceFile("%s secret not found at %s" %
                                              (self, src_file))

            dest_file = "%s/%s" % (tmp_dir, sfile)
            dest_dir = os.path.dirname(dest_file)
            if not os.path.isdir(dest_dir):
                os.mkdir(dest_dir, 0o700)

            shutil.copy(src_file, dest_file)
            log("Froze %s %s" % (self, sfile), self.opt)
Beispiel #28
0
    def freeze(self, tmp_dir):
        """Copies a secret into a particular location"""
        for sfile in self.secrets():
            src_file = hard_path(sfile, self.opt.secrets)
            if not os.path.exists(src_file):
                raise aomi_excep.IceFile("%s secret not found at %s" %
                                         (self, src_file))

            dest_file = "%s/%s" % (tmp_dir, sfile)
            dest_dir = os.path.dirname(dest_file)
            if not os.path.isdir(dest_dir):
                os.mkdir(dest_dir, 0o700)

            shutil.copy(src_file, dest_file)
            LOG.debug("Froze %s %s", self, sfile)
Beispiel #29
0
def var_file(client, secret, opt):
    """Seed a var_file into Vault"""
    path = "%s/%s" % (secret['mount'], secret['path'])
    var_file_name = hard_path(secret['var_file'], opt.secrets)
    varz = yaml.load(open(var_file_name).read())
    if 'var_file' not in secret \
       or 'mount' not in secret \
       or 'path' not in secret:
        problems("Invalid generic secret definition %s" % secret)

    if not is_tagged(secret.get('tags', []), opt.tags):
        log("Skipping %s as it does not have appropriate tags" % path, opt)
        return

    ensure_mounted(client, 'generic', secret['mount'])

    client.write(path, **varz)
    log(
        'wrote var_file %s into %s/%s' %
        (var_file_name, secret['mount'], secret['path']), opt)
Beispiel #30
0
def app(client, app_obj, opt):
    """Seed an app file into Vault"""
    if 'app_file' not in app_obj:
        client.revoke_self_token()
        raise aomi.exceptions.AomiData("Invalid app definition %s" % app_obj)

    name = app_id_name(app_obj)
    if not validate_entry(app_obj, "app-id/%s" % name, opt):
        return

    app_file = hard_path(app_obj['app_file'], opt.secrets)
    aomi.validation.secret_file(app_file)
    data = yaml.safe_load(open(app_file).read())
    app_id = aomi.legacy.app_id_itself(app_obj, data)
    app_path = "auth/app-id/map/app-id/%s" % app_id

    if app_obj.get('state', 'present') == 'absent':
        delete(client, app_path, opt)
    else:
        ensure_auth(client, 'app-id')
        if opt.mount_only:
            log("Only enabling app-id", opt)
            return

        if 'users' not in data:
            client.revoke_self_token()
            raise aomi.exceptions.AomiData("Invalid app file %s" % app_file)

        policy_name = aomi.legacy.app_id_policy_name(app_obj, data)
        policy_file = aomi.legacy.app_id_policy_file(app_obj, data)
        app_policy(client, policy_name, policy_file, app_obj, opt)

        app_obj = {'value': policy_name, 'display_name': name}
        write(client, app_path, app_obj, opt)
        r_users = data.get('users', [])
        app_users(client, app_id, r_users, opt)
        log('created %d users in application %s' % (len(r_users), name), opt)
Beispiel #31
0
def users(client, user_obj, opt):
    """Creates userpass users in Vault"""
    aomi.validation.user_obj(user_obj)

    name = user_obj['username']

    if not aomi.validation.tag_check(user_obj, "userpass/%s" % name, opt):
        return

    password_file = hard_path(user_obj['password_file'], opt.secrets)
    aomi.validation.secret_file(password_file)
    password = open(password_file).readline().strip()

    ensure_auth(client, 'userpass')

    user_path = "auth/userpass/users/%s" % name
    if user_obj.get('state', 'present') == 'present':
        v_obj = {
            'password': password,
            'policies': ','.join(user_obj['policies'])
        }
        write(client, user_path, v_obj, opt)
    else:
        delete(client, user_path, opt)
Beispiel #32
0
def var_file(client, secret, opt):
    """Seed a var_file into Vault"""
    aomi.validation.var_file_obj(secret)
    my_mount = sanitize_mount(secret['mount'])
    path = "%s/%s" % (my_mount, secret['path'])
    if not validate_entry(secret, path, opt):
        return

    var_file_name = hard_path(secret['var_file'], opt.secrets)
    aomi.validation.secret_file(var_file_name)
    varz = yaml.safe_load(open(var_file_name).read())

    maybe_mount(client, 'generic', my_mount, opt)

    if opt.mount_only:
        log("Only mounting %s" % my_mount, opt)
        return

    if secret.get('state', 'present') == 'present':
        write(client, path, varz, opt)
        log('wrote var_file %s into %s' % (var_file_name, path), opt)
    else:
        delete(client, path, opt)
        log('deleted var_file %s from %s' % (var_file_name, path), opt)
Beispiel #33
0
 def obj(self):
     filename = hard_path(self.filename, self.opt.secrets)
     secret_file(filename)
     template_obj = load_vars(self.opt)
     return load_var_file(filename, template_obj)
Beispiel #34
0
 def obj(self):
     return render(hard_path(self.filename, self.opt.policies), self._obj) \
         .lstrip() \
         .strip() \
         .replace("\n\n", "\n")
Beispiel #35
0
def policy_data(file_name, policy_vars, opt):
    """Returns the rendered policy"""
    policy_path = hard_path(file_name, opt.policies)
    cli_obj = merge_dicts(load_var_files(opt), cli_hash(opt.extra_vars))
    obj = merge_dicts(policy_vars, cli_obj)
    return render(policy_path, obj)
Beispiel #36
0
 def obj(self):
     filename = hard_path(self.filename, self.opt.secrets)
     secret_file(filename)
     return yaml.safe_load(open(filename).read())
Beispiel #37
0
 def obj(self):
     filename = hard_path(self.secret, self.opt.secrets)
     secret_file(filename)
     return open_maybe_binary(filename)
Beispiel #38
0
 def obj(self):
     filename = hard_path(self.secret, self.opt.secrets)
     secret_file(filename)
     return open_maybe_binary(filename)
Beispiel #39
0
 def obj(self):
     return render(hard_path(self.filename, self.opt.policies), self._obj) \
         .lstrip() \
         .strip() \
         .replace("\n\n", "\n")
Beispiel #40
0
 def obj(self):
     filename = hard_path(self.filename, self.opt.secrets)
     secret_file(filename)
     template_obj = load_vars(self.opt)
     return load_var_file(filename, template_obj)