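def func_wrapper(self, vault_client):
    """Call the wrapped ``func`` and translate Vault permission errors.

    ``func`` and ``msg`` are free variables bound by the enclosing
    decorator, which is not part of this listing. A Vault
    ``InvalidRequest`` or ``Forbidden`` whose first error string is
    ``permission denied`` is reported through ``error_output`` together
    with ``self.path``; every other Vault error is re-raised unchanged.

    Returns:
        Whatever ``func(self, vault_client)`` returns.
    """
    try:
        return func(self, vault_client)
    except (hvac.exceptions.InvalidRequest,
            hvac.exceptions.Forbidden) as vault_exception:
        # hvac's VaultError allows ``errors`` to be None or empty (no JSON
        # error body). Guard the lookup so the handler does not raise a
        # TypeError/IndexError that would hide the original Vault error.
        errors = vault_exception.errors or []
        if errors and errors[0] == 'permission denied':
            error_output(
                "Permission denied %s from %s" % (msg, self.path), self.opt)
        else:
            raise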
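def delete(client, path, opt):
    """Delete ``path`` from Vault while handling non-surprising errors.

    On a Vault ``InvalidRequest``/``Forbidden`` the client's own token is
    revoked before the error is classified. A ``permission denied`` error
    is then reported via ``error_output``; anything else is re-raised.

    Args:
        client: hvac client used for ``delete`` and ``revoke_self_token``.
        path: Vault path to delete.
        opt: option object passed through to ``error_output``.
    """
    try:
        client.delete(path)
    except (hvac.exceptions.InvalidRequest,
            hvac.exceptions.Forbidden) as vault_exception:
        client.revoke_self_token()
        # ``errors`` may be None or empty on hvac's VaultError; a guarded
        # lookup keeps the handler from masking the real Vault error.
        errors = vault_exception.errors or []
        if errors and errors[0] == 'permission denied':
            error_output("Permission denied deleting %s" % path, opt)
        else:
            raise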
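def write(client, path, varz, opt):
    """Write ``varz`` to ``path`` in Vault while handling non-surprising errors.

    ``varz`` is expanded as keyword arguments to ``client.write``. On a
    Vault ``InvalidRequest``/``Forbidden`` the client's own token is
    revoked before the error is classified; a ``permission denied`` error
    is reported via ``error_output``, anything else is re-raised.

    Args:
        client: hvac client used for ``write`` and ``revoke_self_token``.
        path: Vault path to write to.
        varz: mapping of key/value pairs to store at ``path``.
        opt: option object passed through to ``error_output``.
    """
    try:
        client.write(path, **varz)
    except (hvac.exceptions.InvalidRequest,
            hvac.exceptions.Forbidden) as vault_exception:
        client.revoke_self_token()
        # ``errors`` may be None or empty on hvac's VaultError; a guarded
        # lookup keeps the handler from masking the real Vault error.
        errors = vault_exception.errors or []
        if errors and errors[0] == 'permission denied':
            error_output("Permission denied writing to %s" % path, opt)
        else:
            raise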
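def operational_token(vault_client, operation, opt):
    """Return a properly annotated token for our use.

    The new token inherits the display name of the caller's current token
    (via ``lookup_token``), uses ``opt.lease`` as its lease and carries the
    metadata produced by ``token_meta(operation, opt)``.

    Args:
        vault_client: hvac client whose token is used to mint the new one.
        operation: operation name handed to ``token_meta``.
        opt: option object providing ``lease`` and passed to helpers.

    Returns:
        The ``client_token`` string of the freshly created token.
    """
    display_name = vault_client.lookup_token()['data']['display_name']
    args = {
        'lease': opt.lease,
        'display_name': display_name,
        'meta': token_meta(operation, opt)
    }
    try:
        token = vault_client.create_token(**args)
    except (hvac.exceptions.InvalidRequest,
            hvac.exceptions.Forbidden) as vault_exception:
        # ``errors`` may be None or empty on hvac's VaultError; a guarded
        # lookup keeps the handler from masking the real Vault error.
        errors = vault_exception.errors or []
        if errors and errors[0] == 'permission denied':
            error_output("Permission denied creating operational token", opt)
        else:
            raise
    log("Using lease of %s" % opt.lease, opt)
    return token['auth']['client_token']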
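def aws(client, path, opt):
    """Render a shell environment snippet with AWS credentials from Vault.

    Reads ``path``, renews the returned secret through ``renew_secret``
    and prints ``AWS_ACCESS_KEY_ID``, ``AWS_SECRET_ACCESS_KEY`` and, when
    present, ``AWS_SECURITY_TOKEN`` as double-quoted shell assignments;
    with ``opt.export`` set the matching ``export`` lines follow. The
    secret material is written to stdout, so the caller decides where
    that stream goes.

    Args:
        client: hvac client used for ``read`` and ``revoke_self_token``.
        path: Vault path of the AWS credential (backend, type and role).
        opt: option object providing ``export`` and passed to helpers.

    Raises:
        aomi.exceptions.VaultData: the read returned no ``data`` block;
            the client's own token is revoked before raising.
    """
    bad_path_msg = ("Invalid AWS path. Did you forget the"
                    " credential type and role?")
    creds = None
    try:
        creds = client.read(path)
    except hvac.exceptions.InternalServerError as vault_exception:
        # Older Vault reports a bad path as a 500 whose first error text
        # contains "unsupported path". Substring membership replaces the
        # previous ``find(...) > 0`` test, which missed the message when it
        # started at offset 0, and an empty/None error list is tolerated.
        errors = vault_exception.errors or []
        if errors and errors[0] and 'unsupported path' in errors[0]:
            error_output(bad_path_msg, opt)
        else:
            raise
    # Newer Vault returns an empty response for a bad path instead.
    if not creds:
        error_output(bad_path_msg, opt)
    renew_secret(client, creds, opt)
    if not (creds and 'data' in creds):
        client.revoke_self_token()
        e_msg = "Unable to generate AWS credentials from %s" % path
        raise aomi.exceptions.VaultData(e_msg)
    data = creds['data']
    # Evaluated once so the assignment and the export line agree.
    security_token = data.get('security_token')
    # Values are interpolated verbatim between double quotes; nothing is
    # shell-escaped here.
    print("AWS_ACCESS_KEY_ID=\"%s\"" % data['access_key'])
    print("AWS_SECRET_ACCESS_KEY=\"%s\"" % data['secret_key'])
    if security_token:
        print("AWS_SECURITY_TOKEN=\"%s\"" % security_token)
    if opt.export:
        print("export AWS_ACCESS_KEY_ID")
        print("export AWS_SECRET_ACCESS_KEY")
        if security_token:
            print("export AWS_SECURITY_TOKEN")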
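def op_token(self, opt):
    """Return a properly annotated token for our use.

    Per the original author this token is revoked at the end of the
    session. It inherits the display name of the caller's current token
    (via ``lookup_token``), uses ``opt.lease`` as its lease and carries the
    metadata produced by ``token_meta(opt)``.

    Args:
        opt: option object providing ``lease`` and passed to helpers.

    Returns:
        The ``client_token`` string of the freshly created token.
    """
    display_name = self.lookup_token()['data']['display_name']
    args = {
        'lease': opt.lease,
        'display_name': display_name,
        'meta': token_meta(opt)
    }
    try:
        token = self.create_token(**args)
    except (hvac.exceptions.InvalidRequest,
            hvac.exceptions.Forbidden) as vault_exception:
        # ``errors`` may be None or empty on hvac's VaultError; a guarded
        # lookup keeps the handler from masking the real Vault error.
        errors = vault_exception.errors or []
        if errors and errors[0] == 'permission denied':
            error_output("Permission denied creating operational token", opt)
        else:
            raise
    LOG.debug("Using lease of %s", opt.lease)
    return token['auth']['client_token']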