def secret_update(args, ref_controller):
"Update secret recipients"
# TODO --update *might* mean something else for other types
token_name = args.update
if token_name.startswith("gpg:"):
# args.recipients is a list, convert to recipients dict
recipients = [dict([
("name", name),
]) for name in args.recipients]
if args.target_name:
inv = inventory_reclass(args.inventory_path)
try:
recipients = inv['nodes'][args.target_name]['parameters'][
'kapitan']['secrets']['gpg']['recipients']
except KeyError:
# TODO: Keeping gpg recipients backwards-compatible until we make a breaking release
logger.warning(
"WARNING: parameters.kapitan.secrets.recipients is deprecated, "
+
"please move them to parameters.kapitan.secrets.gpg.recipients"
)
recipients = inv['nodes'][args.target_name]['parameters'][
'kapitan']['secrets']['recipients']
type_name, token_path = token_name.split(":")
tag = '?{{gpg:{}}}'.format(token_path)
secret_obj = ref_controller[tag]
secret_obj.update_recipients(recipients)
ref_controller[tag] = secret_obj
# TODO: Implement --update for KMS
else:
fatal_error("Invalid token: {}".format(token_name))
def ref_reveal(args, ref_controller):
"Reveal secrets in file_name"
revealer = Revealer(ref_controller)
file_name = args.file
reffile_name = args.ref_file
tag_name = args.tag
if file_name is None and reffile_name is None and tag_name is None:
fatal_error("--file or --ref-file is required with --reveal")
try:
if file_name == "-" or reffile_name == "-":
out = revealer.reveal_raw_file(None)
sys.stdout.write(out)
elif file_name:
for rev_obj in revealer.reveal_path(file_name):
sys.stdout.write(rev_obj.content)
elif reffile_name:
ref = ref_controller.ref_from_ref_file(reffile_name)
sys.stdout.write(ref.reveal())
elif tag_name:
out = revealer.reveal_raw_string(tag_name)
sys.stdout.write(out)
except (RefHashMismatchError, KeyError):
raise KapitanError(
"Reveal failed for file {name}".format(name=file_name))
def secret_update(args, ref_controller):
"Update secret gpg recipients/gkms/awskms key"
# TODO --update *might* mean something else for other types
token_name = args.update
if token_name.startswith("gpg:"):
# args.recipients is a list, convert to recipients dict
recipients = [dict([("name", name), ]) for name in args.recipients]
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv['nodes'][args.target_name]['parameters']['kapitan']
if 'secrets' not in kap_inv_params:
raise KapitanError("parameters.kapitan.secrets not defined in {}".format(args.target_name))
recipients = kap_inv_params['secrets']['gpg']['recipients']
if not recipients:
raise KapitanError("No GPG recipients specified. Use --recipients or specify them in " +
"parameters.kapitan.secrets.gpg.recipients and use --target")
type_name, token_path = token_name.split(":")
tag = '?{{gpg:{}}}'.format(token_path)
secret_obj = ref_controller[tag]
secret_obj.update_recipients(recipients)
ref_controller[tag] = secret_obj
elif token_name.startswith("gkms:"):
key = args.key
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv['nodes'][args.target_name]['parameters']['kapitan']
if 'secrets' not in kap_inv_params:
raise KapitanError("parameters.kapitan.secrets not defined in {}".format(args.target_name))
key = kap_inv_params['secrets']['gkms']['key']
if not key:
raise KapitanError("No KMS key specified. Use --key or specify it in parameters.kapitan.secrets.gkms.key and use --target")
type_name, token_path = token_name.split(":")
tag = '?{{gkms:{}}}'.format(token_path)
secret_obj = ref_controller[tag]
secret_obj.update_key(key)
ref_controller[tag] = secret_obj
elif token_name.startswith("awskms:"):
key = args.key
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv['nodes'][args.target_name]['parameters']['kapitan']
if 'secrets' not in kap_inv_params:
raise KapitanError("parameters.kapitan.secrets not defined in {}".format(args.target_name))
key = kap_inv_params['secrets']['awskms']['key']
if not key:
raise KapitanError("No KMS key specified. Use --key or specify it in parameters.kapitan.secrets.awskms.key and use --target")
type_name, token_path = token_name.split(":")
tag = '?{{awskms:{}}}'.format(token_path)
secret_obj = ref_controller[tag]
secret_obj.update_key(key)
ref_controller[tag] = secret_obj
else:
fatal_error("Invalid token: {name}. Try using gpg/gkms/awskms:{name}".format(name=token_name))
def secret_write(args, ref_controller):
"Write secret to ref_controller based on cli args"
token_name = args.write
file_name = args.file
data = None
if file_name is None:
fatal_error('--file is required with --write')
if file_name == '-':
data = ''
for line in sys.stdin:
data += line
else:
with open(file_name) as fp:
data = fp.read()
if token_name.startswith("gpg:"):
type_name, token_path = token_name.split(":")
recipients = [dict((("name", name), )) for name in args.recipients]
if args.target_name:
inv = inventory_reclass(args.inventory_path)
try:
recipients = inv['nodes'][args.target_name]['parameters'][
'kapitan']['secrets']['gpg']['recipients']
except KeyError:
# TODO: Keeping gpg recipients backwards-compatible until we make a breaking release
logger.warning(
"WARNING: parameters.kapitan.secrets.recipients is deprecated, "
+
"please move them to parameters.kapitan.secrets.gpg.recipients"
)
recipients = inv['nodes'][args.target_name]['parameters'][
'kapitan']['secrets']['recipients']
secret_obj = GPGSecret(data, recipients, encode_base64=args.base64)
tag = '?{{gpg:{}}}'.format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("gkms:"):
type_name, token_path = token_name.split(":")
key = args.key
if args.target_name:
inv = inventory_reclass(args.inventory_path)
key = inv['nodes'][args.target_name]['parameters']['kapitan'][
'secrets']['gkms']['key']
if not key:
raise KapitanError(
"No KMS key specified. Use --key or specify in parameters.kapitan.secrets.gkms.key and use --target"
)
secret_obj = GoogleKMSSecret(data, key, encode_base64=args.base64)
tag = '?{{gkms:{}}}'.format(token_path)
ref_controller[tag] = secret_obj
else:
fatal_error("Invalid token: {}".format(token_name))
def secret_reveal(args, ref_controller):
"Reveal secrets in file_name"
revealer = Revealer(ref_controller)
file_name = args.file
if file_name is None:
fatal_error('--file is required with --reveal')
if file_name == '-':
# TODO deal with RefHashMismatchError or KeyError exceptions
out = revealer.reveal_raw_file(None)
sys.stdout.write(out)
elif file_name:
for rev_obj in revealer.reveal_path(file_name):
sys.stdout.write(rev_obj.content)
def ref_reveal(args, ref_controller):
"Reveal secrets in file_name"
revealer = Revealer(ref_controller)
file_name = args.file
if file_name is None:
fatal_error('--file is required with --reveal')
try:
if file_name == '-':
out = revealer.reveal_raw_file(None)
sys.stdout.write(out)
elif file_name:
for rev_obj in revealer.reveal_path(file_name):
sys.stdout.write(rev_obj.content)
except (RefHashMismatchError, KeyError):
raise KapitanError("Reveal failed for file {name}".format(name=file_name))
def ref_write(args, ref_controller):
"Write ref to ref_controller based on cli args"
token_name = args.write
file_name = args.file
data = None
if file_name is None:
fatal_error("--file is required with --write")
if file_name == "-":
data = ""
for line in sys.stdin:
data += line
else:
with open(file_name) as fp:
data = fp.read()
if token_name.startswith("gpg:"):
type_name, token_path = token_name.split(":")
recipients = [dict((("name", name), )) for name in args.recipients]
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv["nodes"][
args.target_name]["parameters"]["kapitan"]
if "secrets" not in kap_inv_params:
raise KapitanError(
"parameters.kapitan.secrets not defined in inventory of target {}"
.format(args.target_name))
recipients = kap_inv_params["secrets"]["gpg"]["recipients"]
if not recipients:
raise KapitanError(
"No GPG recipients specified. Use --recipients or specify them in "
+
"parameters.kapitan.secrets.gpg.recipients and use --target-name"
)
secret_obj = GPGSecret(data, recipients, encode_base64=args.base64)
tag = "?{{gpg:{}}}".format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("gkms:"):
type_name, token_path = token_name.split(":")
key = args.key
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv["nodes"][
args.target_name]["parameters"]["kapitan"]
if "secrets" not in kap_inv_params:
raise KapitanError(
"parameters.kapitan.secrets not defined in inventory of target {}"
.format(args.target_name))
key = kap_inv_params["secrets"]["gkms"]["key"]
if not key:
raise KapitanError(
"No KMS key specified. Use --key or specify it in parameters.kapitan.secrets.gkms.key and use --target-name"
)
secret_obj = GoogleKMSSecret(data, key, encode_base64=args.base64)
tag = "?{{gkms:{}}}".format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("awskms:"):
type_name, token_path = token_name.split(":")
key = args.key
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv["nodes"][
args.target_name]["parameters"]["kapitan"]
if "secrets" not in kap_inv_params:
raise KapitanError(
"parameters.kapitan.secrets not defined in inventory of target {}"
.format(args.target_name))
key = kap_inv_params["secrets"]["awskms"]["key"]
if not key:
raise KapitanError(
"No KMS key specified. Use --key or specify it in parameters.kapitan.secrets.awskms.key and use --target-name"
)
secret_obj = AWSKMSSecret(data, key, encode_base64=args.base64)
tag = "?{{awskms:{}}}".format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("base64:"):
type_name, token_path = token_name.split(":")
_data = data.encode()
encoding = "original"
if args.base64:
_data = base64.b64encode(_data).decode()
_data = _data.encode()
encoding = "base64"
ref_obj = Base64Ref(_data, encoding=encoding)
tag = "?{{base64:{}}}".format(token_path)
ref_controller[tag] = ref_obj
elif token_name.startswith("vaultkv:"):
type_name, token_path = token_name.split(":")
_data = data.encode()
vault_params = {}
encoding = "original"
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv["nodes"][
args.target_name]["parameters"]["kapitan"]
if "secrets" not in kap_inv_params:
raise KapitanError(
"parameters.kapitan.secrets not defined in inventory of target {}"
.format(args.target_name))
vault_params = kap_inv_params["secrets"]["vaultkv"]
if args.vault_auth:
vault_params["auth"] = args.vault_auth
if vault_params.get("auth") is None:
raise KapitanError(
"No Authentication type parameter specified. Specify it"
" in parameters.kapitan.secrets.vaultkv.auth and use --target-name or use --vault-auth"
)
secret_obj = VaultSecret(_data, vault_params)
tag = "?{{vaultkv:{}}}".format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("plain:"):
type_name, token_path = token_name.split(":")
_data = data.encode()
encoding = "original"
if args.base64:
_data = base64.b64encode(_data).decode()
_data = _data.encode()
encoding = "base64"
ref_obj = PlainRef(_data, encoding=encoding)
tag = "?{{plain:{}}}".format(token_path)
ref_controller[tag] = ref_obj
else:
fatal_error(
"Invalid token: {name}. Try using gpg/gkms/awskms/vaultkv/base64/plain:{name}"
.format(name=token_name))
def secret_write(args, ref_controller):
"Write secret to ref_controller based on cli args"
token_name = args.write
file_name = args.file
data = None
if file_name is None:
fatal_error('--file is required with --write')
if file_name == '-':
data = ''
for line in sys.stdin:
data += line
else:
with open(file_name) as fp:
data = fp.read()
if token_name.startswith("gpg:"):
type_name, token_path = token_name.split(":")
recipients = [dict((("name", name), )) for name in args.recipients]
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv['nodes'][
args.target_name]['parameters']['kapitan']
if 'secrets' not in kap_inv_params:
raise KapitanError(
"parameters.kapitan.secrets not defined in {}".format(
args.target_name))
recipients = kap_inv_params['secrets']['gpg']['recipients']
if not recipients:
raise KapitanError(
"No GPG recipients specified. Use --recipients or specify them in "
+ "parameters.kapitan.secrets.gpg.recipients and use --target")
secret_obj = GPGSecret(data, recipients, encode_base64=args.base64)
tag = '?{{gpg:{}}}'.format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("gkms:"):
type_name, token_path = token_name.split(":")
key = args.key
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv['nodes'][
args.target_name]['parameters']['kapitan']
if 'secrets' not in kap_inv_params:
raise KapitanError(
"parameters.kapitan.secrets not defined in {}".format(
args.target_name))
key = kap_inv_params['secrets']['gkms']['key']
if not key:
raise KapitanError(
"No KMS key specified. Use --key or specify it in parameters.kapitan.secrets.gkms.key and use --target"
)
secret_obj = GoogleKMSSecret(data, key, encode_base64=args.base64)
tag = '?{{gkms:{}}}'.format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("awskms:"):
type_name, token_path = token_name.split(":")
key = args.key
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv['nodes'][
args.target_name]['parameters']['kapitan']
if 'secrets' not in kap_inv_params:
raise KapitanError(
"parameters.kapitan.secrets not defined in {}".format(
args.target_name))
key = kap_inv_params['secrets']['awskms']['key']
if not key:
raise KapitanError(
"No KMS key specified. Use --key or specify it in parameters.kapitan.secrets.awskms.key and use --target"
)
secret_obj = AWSKMSSecret(data, key, encode_base64=args.base64)
tag = '?{{awskms:{}}}'.format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("ref:"):
type_name, token_path = token_name.split(":")
_data = data.encode()
encoding = 'original'
if args.base64:
_data = base64.b64encode(_data).decode()
_data = _data.encode()
encoding = 'base64'
ref_obj = Ref(_data, encoding=encoding)
tag = '?{{ref:{}}}'.format(token_path)
ref_controller[tag] = ref_obj
else:
fatal_error(
"Invalid token: {name}. Try using gpg/gkms/awskms/ref:{name}".
format(name=token_name))
