def take_action(self, parsed_args):
self.LOG.debug('[*] setting secrets')
if (len(parsed_args.arg) == 0 and not parsed_args.undefined
and not parsed_args.from_options):
raise RuntimeError('[-] no secrets specified to be set')
se = self.app.secrets
se.read_secrets_and_descriptions()
options = dict(se.Options)
# TODO(dittrich): Use Variable map like this elsewhere
variables = dict(se.Variable)
types = dict(se.Type)
from_env = None
if parsed_args.from_environment is not None:
from_env = SecretsEnvironment(
environment=parsed_args.from_environment)
from_env.read_secrets()
options = dict(from_env.secrets.Options)
variables = dict(from_env.secrets.Variable)
types = dict(from_env.secrets.Type)
args = (list(variables.keys())
if not len(parsed_args.arg) else parsed_args.arg)
if parsed_args.undefined:
# Downselect to just those currently undefined
args = [k for k, v in variables if v in [None, '']]
if not len(args):
raise RuntimeError('[-] no secrets identified to be set')
for arg in args:
k, v, k_type = None, None, None
if parsed_args.from_options:
k, v, k_type = (arg, options.get(arg, '').split(',')[0],
types.get(arg))
# Don't set from options if the type is generable
if is_generable(k_type):
continue
v = None if v == '*' else v
elif '=' not in arg:
# No value was specified with the argument
k = arg
k_type = self.app.secrets.get_type(k)
if k_type is None:
self.LOG.info(f"[-] no description for '{k}'")
raise RuntimeError(
f"[-] variable '{k}' has no description")
if from_env is not None:
# Getting value from same var, different environment
v = from_env.get_secret(k, allow_none=True)
else:
# Try to prompt user for value
if (k_type == 'boolean'
and k not in self.app.secrets.Options):
# Default options for boolean type
self.app.secrets.Options[k] = BOOLEAN_OPTIONS
if k in self.app.secrets.Options:
# Attempt to select from list of option dictionaries
v = psec.utils.prompt_options_dict(
options=self.app.secrets.Options[k],
prompt=self.app.secrets.get_prompt(k))
else:
# Just ask user for value
v = psec.utils.prompt_string(
prompt=self.app.secrets.get_prompt(k),
default=("" if v is None else v))
else: # ('=' in arg)
# Assignment syntax found (a=b)
lhs, rhs = arg.split('=')
k_type = self.app.secrets.get_type(lhs)
if k_type is None:
self.LOG.info(f"[-] no description for '{lhs}'")
raise RuntimeError(
f"[-] variable '{lhs}' has no description")
k = lhs
if from_env is not None:
# Get value from different var in different environment
v = from_env.get_secret(rhs, allow_none=True)
self.LOG.info(f"[+] getting value from '{rhs}' in "
f"environment '{str(from_env)}'")
else:
# Value was specified in arg
v = rhs
if v is not None:
# Is the value indirectly referenced?
if v.startswith('@'):
if v[1] == '~':
_path = os.path.expanduser(v[1:])
else:
_path = v[1:]
with open(_path, 'r') as f:
v = f.read().strip()
elif v.startswith('!'):
# >> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input. # noqa
# Severity: Low Confidence: High
# Location: psec/secrets.py:641
p = run(v[1:].split(),
stdout=PIPE,
stderr=PIPE,
shell=False)
v = p.stdout.decode('UTF-8').strip()
# After all that, did we get a value?
if v is None:
self.LOG.info(f"[-] could not obtain value for '{k}'")
else:
self.LOG.debug(f"[+] setting variable '{k}'")
self.app.secrets.set_secret(k, v)
if not i.startswith('_') and not i.startswith('translate_')
]
@contextfunction
def include_raw(ctx, name):
env = ctx.environment
return Markup(env.loader.get_source(env, name)[0]).strip
log = logging.getLogger(__name__)
LoggingUndefined = make_logging_undefined(logger=log, base=Undefined)
# Use the default environment
env = SecretsEnvironment()
env.read_secrets()
aws_private_keypath = env.get_secret('aws_privatekey_path')
with open(aws_private_keypath + '.pub', 'r') as f:
aws_publickey = f.read().strip()
instance_type = env.get_secret('aws_instance_type')
pulumi.info(msg="instance_type={}".format(instance_type))
try:
ami = env.get_secret('aws_ami_id')
except RuntimeError:
ami = ''
if ami == '':
ami = get_linux_ami(instance_type)
pulumi.info(msg="ami={}".format(ami))
web_group = ec2.SecurityGroup('web-secgrp',