def secret():
secret = {
'name': 'test',
'version': '0000000000000000000',
'value': 'secret'
}
credstash.putSecret(secret['name'], secret['value'])
try:
yield secret
finally:
credstash.deleteSecrets("test")
def credstash_put(self, key, secret, version=""):
return credstash.putSecret(key,
secret,
version,
kms_key=self.credstash_key,
region=self.instance_region,
table=self.credstash_table)
def main():
module = AnsibleModule(
argument_spec=dict(
secret=dict(required=True, type='str'),
fact=dict(default=None, type='str'),
fact_type=dict(default=None, choices=['yaml', 'json']),
mode=dict(default='get', choices=['get', 'put']),
value=dict(default=None, type='str'),
key=dict(default='alias/credstash', type='str'),
region=dict(default='us-east-1', type='str'),
table=dict(default='credential-store', type='str'),
version=dict(default='', type='str'),
context=dict(default=None, type='dict')
)
)
result = dict(changed=False, failed=False)
if module.params.get('mode') == 'put':
result['output'] = credstash.putSecret(
module.params.get('secret'),
module.params.get('value'),
module.params.get('version'),
module.params.get('key'),
module.params.get('region'),
module.params.get('table'),
module.params.get('context')
)
result['changed'] = True
try:
result['output'] = credstash.getSecret(
module.params.get('secret'),
module.params.get('version'),
module.params.get('region'),
module.params.get('table'),
module.params.get('context')
)
except credstash.ItemNotFound:
module.fail_json(msg="credstash secret not found")
fact = module.params.get('fact')
fact_type = module.params.get('fact_type')
if fact is not None:
if fact_type == 'yaml':
result['ansible_facts'] = {
fact: yaml.safe_load(result['output'])
}
elif fact_type == 'json':
result['ansible_facts'] = {
fact: json.load(result['output'])
}
else:
result['ansible_facts'] = {
fact: result['output']
}
module.exit_json(**result)
def store(self, key, secret):
msg = ''
try:
credstash.putSecret(
table=self.make_table_name(),
region=self.region,
name=key,
secret=secret,
)
msg = "secret saved"
except Exception as e:
if (e.response["Error"]["Code"] ==
"ConditionalCheckFailedException"):
msg = ("store command failed\n"
"Please try the command: credstash -r {0}"
" -t {1} put -a {2} [secret]").format(
self.region, self.make_table_name(), key)
finally:
return msg
def set_secret(secret_key, secret_value):
next_version = credstash.paddedInt(int(credstash.getHighestVersion(
name=secret_key
)) + 1)
result = credstash.putSecret(
name=secret_key,
secret=secret_value,
version=next_version
)
return True if result['ResponseMetadata']['HTTPStatusCode'] < 300 else False
def credstash_push(args, key, value, ver=0):
if args.verbose:
print('Pushing secret {secret} to "{table}"'.format(
secret=key, table=args.tar_table))
session_params = credstash.get_session_params(None, None)
if ver == 0:
pushed_secret = credstash.putSecret(key,
value,
region=args.region,
table=args.tar_table,
kms_key=args.kms_key_alias,
**session_params)
else:
pushed_secret = credstash.putSecret(key,
value,
version=ver,
region=args.region,
table=args.tar_table,
kms_key=args.kms_key_alias,
**session_params)
return pushed_secret
def main():
module = AnsibleModule(
argument_spec = dict(
secret = dict(required=True, type='str'),
fact = dict(default=None, type='str'),
fact_type = dict(default=None, choices=['yaml','json']),
mode = dict(default='get', choices=['get', 'put']),
value = dict(default=None, type='str'),
key = dict(default='alias/credstash', type='str'),
region = dict(default='us-east-1', type='str'),
table = dict(default='credential-store', type='str'),
version = dict(default='', type='str'),
context = dict(default=None, type='dict')
)
)
result = dict(changed=False, failed=False)
if module.params.get('mode') == 'put':
result['output'] = credstash.putSecret(module.params.get('secret'), module.params.get('value'), \
module.params.get('version'), module.params.get('key'), module.params.get('region'), \
module.params.get('table'), module.params.get('context'))
result['changed'] = True
try:
result['output'] = credstash.getSecret(module.params.get('secret'), module.params.get('version'), \
module.params.get('region'), module.params.get('table'), module.params.get('context'))
except credstash.ItemNotFound:
module.fail_json(msg="credstash secret not found")
if module.params.get('fact') is not None:
if module.params.get('fact_type') == 'yaml':
result['ansible_facts'] = { module.params.get('fact'): yaml.safe_load(result['output']) }
elif module.params.get('fact_type') == 'json':
result['ansible_facts'] = { module.params.get('fact'): json.load(result['output']) }
else:
result['ansible_facts'] = { module.params.get('fact'): result['output'] }
module.exit_json(**result)
def run(args):
"""Handle credstash script."""
parser = argparse.ArgumentParser(
description=("Modify Home Assistant secrets in credstash."
"Use the secrets in configuration files with: "
"!secret <name>"))
parser.add_argument("--script", choices=["credstash"])
parser.add_argument(
"action",
choices=["get", "put", "del", "list"],
help="Get, put or delete a secret, or list all available secrets",
)
parser.add_argument("name",
help="Name of the secret",
nargs="?",
default=None)
parser.add_argument("value",
help="The value to save when putting a secret",
nargs="?",
default=None)
# pylint: disable=import-error, no-member
import credstash
args = parser.parse_args(args)
table = _SECRET_NAMESPACE
try:
credstash.listSecrets(table=table)
except Exception: # pylint: disable=broad-except
credstash.createDdbTable(table=table)
if args.action == "list":
secrets = [i["name"] for i in credstash.listSecrets(table=table)]
deduped_secrets = sorted(set(secrets))
print("Saved secrets:")
for secret in deduped_secrets:
print(secret)
return 0
if args.name is None:
parser.print_help()
return 1
if args.action == "put":
if args.value:
the_secret = args.value
else:
the_secret = getpass.getpass(
f"Please enter the secret for {args.name}: ")
current_version = credstash.getHighestVersion(args.name, table=table)
credstash.putSecret(args.name,
the_secret,
version=int(current_version) + 1,
table=table)
print(f"Secret {args.name} put successfully")
elif args.action == "get":
the_secret = credstash.getSecret(args.name, table=table)
if the_secret is None:
print(f"Secret {args.name} not found")
else:
print(f"Secret {args.name}={the_secret}")
elif args.action == "del":
credstash.deleteSecrets(args.name, table=table)
print(f"Deleted secret {args.name}")
def run(self, terms, variables, **kwargs):
if not CREDSTASH_INSTALLED:
raise AnsibleError(
'The credstash lookup plugin requires credstash to be installed.'
)
ret = []
for term in terms:
version = kwargs.pop('version', '')
region = kwargs.pop('region', None)
table = kwargs.pop('table', 'credential-store')
kms_alias = kwargs.pop('kms_alias', 'alias/credstash')
keytype = kwargs.pop('keytype', 'password')
secret = kwargs.pop('secret', None)
digest = kwargs.pop('digest', 'SHA512')
context = kwargs.pop('context', None)
cert_request = kwargs.pop('cert_request', None)
transient = kwargs.pop(
'transient', False) # if transient we don't save certificates
# Deal with credstash version numbers...
if version == '':
version = self.paddedInt(1)
else:
version = self.paddedInt(version)
if 'alias/' not in kms_alias:
kms_alias = 'alias/{0}'.format(kms_alias)
try:
if keytype == 'password' or keytype == 'manual' or keytype == 'consul-gossip-encryption-key' or keytype == 'uuid':
val = credstash.getSecret(term,
version,
region,
table,
context=context)
elif keytype == 'ssh-key':
id_rsa = credstash.getSecret(term + '_private',
version,
region,
table,
context=context)
id_rsa_pub = credstash.getSecret(term + '_public',
version,
region,
table,
context=context)
val = [id_rsa_pub, id_rsa]
elif keytype == 'x509':
ca_ser = credstash.getSecret(term + '_serial',
version,
region,
table,
context=context)
ca_key = credstash.getSecret(term + '_key',
version,
region,
table,
context=context)
ca_csr = credstash.getSecret(term + '_csr',
version,
region,
table,
context=context)
ca_crt = credstash.getSecret(term + '_crt',
version,
region,
table,
context=context)
val = [ca_ser, ca_key, ca_csr, ca_crt]
else:
raise AnsibleError(
'Invalid password type: {0}'.format(keytype))
except credstash.ItemNotFound:
if keytype == 'password':
secret = self.random_password()
rc = credstash.putSecret(name=term,
secret=secret,
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
val = secret
elif keytype == 'uuid':
secret = self.random_uuid()
rc = credstash.putSecret(name=term,
secret=secret,
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
val = secret
elif keytype == 'ssh-key':
(id_rsa, id_rsa_pub) = self.random_rsa()
rc_rsa = credstash.putSecret(name=term + '_private',
secret=id_rsa,
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
rc_rsa_pub = credstash.putSecret(name=term + '_public',
secret=id_rsa_pub,
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
val = [id_rsa_pub, id_rsa]
elif keytype == 'x509':
# For use in creating a PKI, we can create x509 requests
bits = cert_request.get('bits', 4096)
cert_digest = cert_request.get('hash', 'sha256')
extensions = cert_request.get('extensions', [])
subject = cert_request.get('subject', {'CN': term})
subject_alt_names = cert_request.get(
'subject_alt_names', '')
days = cert_request.get('days', 3650)
ca = cert_request.get('ca', None)
cert_version = int(cert_request.get('version', 1))
# Get the latest version of the ca_serial ca_key and ca_crt
if ca:
ca_ser = int(
credstash.getSecret(ca + '_serial',
'',
region,
table,
context=context))
ca_key = crypto.load_privatekey(
crypto.FILETYPE_PEM,
credstash.getSecret(ca + '_key',
'',
region,
table,
context=context))
ca_crt = crypto.load_certificate(
crypto.FILETYPE_PEM,
credstash.getSecret(ca + '_crt',
'',
region,
table,
context=context))
# handle any weird unicode conversion issues on subjects and extensions and subjectaltnames
subject = dict(
(str(k), str(v)) for (k, v) in subject.items())
extensions = [
dict((str(k), str(v)) for (k, v) in i.items())
for i in extensions
]
subject_alt_names = [str(x) for x in subject_alt_names]
# create the key and certificate signing request
key = self.create_key_pair(bits=bits)
csr = self.create_certificate_request(key,
digest=cert_digest,
**subject)
# if this certificate needs to be signed, the 'ca' attribute will be set to the name of the CA.
# use the ca_key and ca_crt to sign, and increment the serial number associated with the ca_ser.
if ca:
rc_ser = int(ca_ser) + 1
crt = self.create_certificate(
csr,
ca_crt,
ca_key,
int(rc_ser),
days=days,
digest=cert_digest,
extensions=extensions,
subject_alt_names=subject_alt_names,
version=cert_version)
if not transient:
credstash.putSecret(name=ca + '_serial',
secret=str(rc_ser),
version=self.paddedInt(rc_ser),
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
else:
rc_ser = "1"
crt = self.create_certificate(
csr,
csr,
key,
int(rc_ser),
days=days,
digest=cert_digest,
extensions=extensions,
subject_alt_names=subject_alt_names,
version=cert_version)
# write the configuration for this x509 certificate to credstash if not transient
rc_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
rc_csr = crypto.dump_certificate_request(
crypto.FILETYPE_PEM, csr)
rc_crt = crypto.dump_certificate(crypto.FILETYPE_PEM, crt)
if not transient:
credstash.putSecret(name=term + '_serial',
secret=str(rc_ser),
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
credstash.putSecret(name=term + '_key',
secret=rc_key,
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
credstash.putSecret(name=term + '_csr',
secret=rc_csr,
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
credstash.putSecret(name=term + '_crt',
secret=rc_crt,
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
val = [rc_ser, rc_key, rc_csr, rc_crt]
elif keytype == 'consul-gossip-encryption-key':
# Consul Gossip Encryption keys are 16-byte base64 encoded numbers
key = os.urandom(16)
secret = base64.b64encode(key)
rc = credstash.putSecret(name=term,
secret=secret,
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
val = secret
elif keytype == 'manual':
if secret is not None:
rc = credstash.putSecret(name=term,
secret=secret,
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
val = secret
else:
raise AnsibleError(
'Key {0} is flagged as manually set, but has not yet been set'
.format(term))
else:
raise AnsibleError(
'Invalid password type: {0}'.format(keytype))
except Exception as e:
raise AnsibleError(
'Encountered exception while fetching {0}: {1}'.format(
term, e.message))
ret.append(val)
return ret
def run(args):
"""Handle credstash script."""
parser = argparse.ArgumentParser(
description=("Modify Home Assistant secrets in credstash."
"Use the secrets in configuration files with: "
"!secret <name>"))
parser.add_argument('--script', choices=['credstash'])
parser.add_argument(
'action',
choices=['get', 'put', 'del', 'list'],
help="Get, put or delete a secret, or list all available secrets")
parser.add_argument('name',
help="Name of the secret",
nargs='?',
default=None)
parser.add_argument('value',
help="The value to save when putting a secret",
nargs='?',
default=None)
# pylint: disable=import-error, no-member
import credstash
args = parser.parse_args(args)
table = _SECRET_NAMESPACE
try:
credstash.listSecrets(table=table)
except Exception: # pylint: disable=broad-except
credstash.createDdbTable(table=table)
if args.action == 'list':
secrets = [i['name'] for i in credstash.listSecrets(table=table)]
deduped_secrets = sorted(set(secrets))
print('Saved secrets:')
for secret in deduped_secrets:
print(secret)
return 0
if args.name is None:
parser.print_help()
return 1
if args.action == 'put':
if args.value:
the_secret = args.value
else:
the_secret = getpass.getpass(
'Please enter the secret for {}: '.format(args.name))
current_version = credstash.getHighestVersion(args.name, table=table)
credstash.putSecret(args.name,
the_secret,
version=int(current_version) + 1,
table=table)
print('Secret {} put successfully'.format(args.name))
elif args.action == 'get':
the_secret = credstash.getSecret(args.name, table=table)
if the_secret is None:
print('Secret {} not found'.format(args.name))
else:
print('Secret {}={}'.format(args.name, the_secret))
elif args.action == 'del':
credstash.deleteSecrets(args.name, table=table)
print('Deleted secret {}'.format(args.name))
def put(self, name, value):
return credstash.putSecret(name,
value,
region=region(),
table=table())
def run(args):
"""Handle credstash script."""
parser = argparse.ArgumentParser(
description=("Modify Home Assistant secrets in credstash."
"Use the secrets in configuration files with: "
"!secret <name>"))
parser.add_argument(
'--script', choices=['credstash'])
parser.add_argument(
'action', choices=['get', 'put', 'del', 'list'],
help="Get, put or delete a secret, or list all available secrets")
parser.add_argument(
'name', help="Name of the secret", nargs='?', default=None)
parser.add_argument(
'value', help="The value to save when putting a secret",
nargs='?', default=None)
import credstash
import botocore
args = parser.parse_args(args)
table = _SECRET_NAMESPACE
try:
credstash.listSecrets(table=table)
except botocore.errorfactory.ClientError:
credstash.createDdbTable(table=table)
if args.action == 'list':
secrets = [i['name'] for i in credstash.listSecrets(table=table)]
deduped_secrets = sorted(set(secrets))
print('Saved secrets:')
for secret in deduped_secrets:
print(secret)
return 0
if args.name is None:
parser.print_help()
return 1
if args.action == 'put':
if args.value:
the_secret = args.value
else:
the_secret = getpass.getpass('Please enter the secret for {}: '
.format(args.name))
current_version = credstash.getHighestVersion(args.name, table=table)
credstash.putSecret(args.name,
the_secret,
version=int(current_version) + 1,
table=table)
print('Secret {} put successfully'.format(args.name))
elif args.action == 'get':
the_secret = credstash.getSecret(args.name, table=table)
if the_secret is None:
print('Secret {} not found'.format(args.name))
else:
print('Secret {}={}'.format(args.name, the_secret))
elif args.action == 'del':
credstash.deleteSecrets(args.name, table=table)
print('Deleted secret {}'.format(args.name))
def create(self, **kwargs):
secret_name = kwargs.pop('secret_name', None)
version = kwargs.pop('version', '')
keytype = kwargs.pop('keytype', 'password')
region = kwargs.pop('region', None)
table = kwargs.pop('table', 'credential-store')
kms_alias = kwargs.pop('kms_alias', 'alias/credstash')
digest = kwargs.pop('digest', 'SHA512')
context = kwargs.pop('context', None)
cert_request = kwargs.pop('cert_request', None)
transient = kwargs.pop(
'transient', False) # if transient we don't save certificates
val = None
# Deal with credstash version numbers...
if version == '':
version = self.paddedInt(1)
else:
version = self.paddedInt(version)
if 'alias/' not in kms_alias:
kms_alias = 'alias/{0}'.format(kms_alias)
try:
if keytype == 'password':
secret = credstash.getSecret(secret_name,
version,
region,
table,
context=context)
val = {"Password": secret}
elif keytype == 'manual':
secret = credstash.getSecret(secret_name,
version,
region,
table,
context=context)
val = {"Manual": secret}
elif keytype == 'consul-gossip-encryption-key':
secret = credstash.getSecret(secret_name,
version,
region,
table,
context=context)
val = {"ConsulGossipEncryptionKey": secret}
elif keytype == 'uuid':
secret = credstash.getSecret(secret_name,
version,
region,
table,
context=context)
val = {"Uuid": secret}
elif keytype == 'ssh-key':
id_rsa = credstash.getSecret(secret_name + '_private',
version,
region,
table,
context=context)
id_rsa_pub = credstash.getSecret(secret_name + '_public',
version,
region,
table,
context=context)
val = {"PublicKey": id_rsa_pub}
else:
raise Exception('Invalid password type: {0}'.format(keytype))
except credstash.ItemNotFound:
if keytype == 'password':
secret = self.random_password()
rc = credstash.putSecret(name=secret_name,
secret=secret,
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
val = {"Password": secret}
elif keytype == 'uuid':
secret = self.random_uuid()
rc = credstash.putSecret(name=secret_name,
secret=secret,
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
val = {"Uuid": secret}
elif keytype == 'ssh-key':
(id_rsa, id_rsa_pub) = self.random_rsa()
rc_rsa = credstash.putSecret(name=secret_name + '_private',
secret=id_rsa,
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
rc_rsa_pub = credstash.putSecret(name=secret_name + '_public',
secret=id_rsa_pub,
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
val = {"PublicKey": id_rsa_pub}
elif keytype == 'consul-gossip-encryption-key':
# Consul Gossip Encryption keys are 16-byte base64 encoded numbers
key = os.urandom(16)
secret = base64.b64encode(key)
rc = credstash.putSecret(name=secret_name,
secret=secret,
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
val = {"ConsulGossipEncryptionKey": secret}
elif keytype == 'manual':
if secret is not None:
rc = credstash.putSecret(name=secret_name,
secret=secret,
version=version,
kms_key=kms_alias,
region=region,
table=table,
digest=digest,
context=context)
val = {"Manual": secret}
else:
raise Exception(
'Key {0} is flagged as manually set, but has not yet been set'
.format(secret_name))
else:
raise Exception('Invalid password type: {0}'.format(keytype))
except Exception as e:
raise Exception(
'Encountered exception while fetching {0}: {1}'.format(
secret_name, e.message))
return val