def files(client, secret, opt): """Seed files into Vault""" aomi.validation.file_obj(secret) obj = {} my_mount = sanitize_mount(secret['mount']) vault_path = "%s/%s" % (my_mount, secret['path']) if not validate_entry(secret, vault_path, opt): return maybe_mount(client, 'generic', my_mount, opt) if opt.mount_only: log("Only mounting %s" % my_mount, opt) return if secret.get('state', 'present') == 'present': for sfile in secret.get('files', []): if 'source' not in sfile or 'name' not in sfile: client.revoke_self_token() e_msg = "Invalid file specification %s" % sfile raise aomi.exceptions.AomiData(e_msg) filename = hard_path(sfile['source'], opt.secrets) aomi.validation.secret_file(filename) data = open(filename, 'r').read() obj[sfile['name']] = data log( 'writing file %s into %s/%s' % (filename, vault_path, sfile['name']), opt) write(client, vault_path, obj, opt) else: rmfiles = ','.join([f['source'] for f in secret.get('files', [])]) log("Removing files %s from %s" % (rmfiles, vault_path), opt) delete(client, vault_path, opt)
def __init__(self, obj, opt): super(LDAPUser, self).__init__(obj, opt) self.path = sanitize_mount("auth/%s/users/%s" % (obj.get('mount', 'ldap'), obj['user'])) self._obj = {} map_val(self._obj, obj, 'groups', []) map_val(self._obj, obj, 'policies', [])
def __init__(self, obj, opt): super(LDAPUser, self).__init__(obj, opt) self.path = sanitize_mount("auth/%s/users/%s" % (obj.get('mount', 'ldap'), obj['user'])) self._obj = {} map_val(self._obj, obj, 'groups', []) map_val(self._obj, obj, 'policies', [])
def __init__(self, obj, opt): super(LDAPGroup, self).__init__(obj, opt) self.group = obj['group'] self.path = sanitize_mount("auth/%s/groups/%s" % (obj.get('mount', 'ldap'), self.group)) if self.present: self._obj = {"policies": obj['policies']}
def __init__(self, obj, opt): super(UserPass, self).__init__('userpass', obj, opt) self.username = obj['username'] self.mount = 'userpass' self.path = sanitize_mount("auth/userpass/users/%s" % self.username) self.policies = obj['policies'] self.secret = obj['password_file'] self.filename = self.secret
def freeze_aws_file(secret, tmp_dir, opt): """Handles the potential validation of any frozen AWS credentials""" path = "%s/config/root" % (sanitize_mount(secret['mount'])) if not validate_entry(secret, path, opt): return sfile = secret['aws_file'] freeze_secret(sfile, sfile, 'aws_file', tmp_dir, opt)
def freeze_var_file(secret, tmp_dir, opt): """Handles the potential validation of any frozen var file""" path = "%s/%s" % (sanitize_mount(secret['mount']), secret['path']) if not validate_entry(secret, path, opt): return sfile = secret['var_file'] freeze_secret(sfile, sfile, 'var_file', tmp_dir, opt)
def __init__(self, obj, opt): super(LDAPGroup, self).__init__(obj, opt) self.group = obj['group'] self.path = sanitize_mount("auth/%s/groups/%s" % (obj.get('mount', 'ldap'), self.group)) if self.present: self._obj = { "policies": obj['policies'] }
def __init__(self, obj, opt): super(UserPassUser, self).__init__('userpass', obj, opt) self.username = obj['username'] self.mount = 'userpass' self.path = sanitize_mount("auth/userpass/users/%s" % self.username) self.secret = obj['password_file'] self._obj = {'policies': obj['policies']} map_val(self._obj, obj, 'ttl') map_val(self._obj, obj, 'max_ttl') self.filename = self.secret
def freeze_generic_file(secret, tmp_dir, opt): """Handles the potential validation of any frozen files""" path = "%s/%s" % (sanitize_mount(secret['mount']), secret['path']) if not validate_entry(secret, path, opt): return for a_secret in secret['files']: sfile = a_secret['source'] freeze_secret(sfile, sfile, 'file', tmp_dir, opt)
def read(self, path, wrap_ttl=None): """Wrap the hvac read call, using the right token for cubbyhole interactions.""" path = sanitize_mount(path) if path.startswith('cubbyhole'): self.token = self.initial_token val = super(Client, self).read(path, wrap_ttl) self.token = self.operational_token return val return super(Client, self).read(path, wrap_ttl)
def read(self, path, wrap_ttl=None): """Wrap the hvac read call, using the right token for cubbyhole interactions.""" path = sanitize_mount(path) if path.startswith('cubbyhole'): self.token = self.initial_token val = super(Client, self).read(path, wrap_ttl) self.token = self.operational_token return val return super(Client, self).read(path, wrap_ttl)
def __init__(self, obj, opt): super(UserPassUser, self).__init__('userpass', obj, opt) self.username = obj['username'] self.mount = 'userpass' self.path = sanitize_mount("auth/userpass/users/%s" % self.username) self.secret = obj['password_file'] self._obj = { 'policies': obj['policies'] } map_val(self._obj, obj, 'ttl') map_val(self._obj, obj, 'max_ttl') self.filename = self.secret
def delete(self, path): """Wrap the hvac delete call, using the right token for cubbyhole interactions.""" path = sanitize_mount(path) val = None if path.startswith('cubbyhole'): self.token = self.initial_token val = super(Client, self).delete(path) self.token = self.operational_token else: super(Client, self).delete(path) return val
def delete(self, path): """Wrap the hvac delete call, using the right token for cubbyhole interactions.""" path = sanitize_mount(path) val = None if path.startswith('cubbyhole'): self.token = self.initial_token val = super(Client, self).delete(path) self.token = self.operational_token else: super(Client, self).delete(path) return val
def write(self, path, wrap_ttl=None, **kwargs): """Wrap the hvac write call, using the right token for cubbyhole interactions.""" path = sanitize_mount(path) val = None if path.startswith('cubbyhole'): self.token = self.initial_token val = super(Client, self).write(path, wrap_ttl=wrap_ttl, **kwargs) self.token = self.operational_token else: super(Client, self).write(path, wrap_ttl=wrap_ttl, **kwargs) return val
def write(self, path, wrap_ttl=None, **kwargs): """Wrap the hvac write call, using the right token for cubbyhole interactions.""" path = sanitize_mount(path) val = None if path.startswith('cubbyhole'): self.token = self.initial_token val = super(Client, self).write(path, wrap_ttl=wrap_ttl, **kwargs) self.token = self.operational_token else: super(Client, self).write(path, wrap_ttl=wrap_ttl, **kwargs) return val
def aws(client, secret, opt): """Seed an aws_file into Vault""" aomi.validation.aws_file_obj(secret) my_mount = sanitize_mount(secret['mount']) aws_path = "%s/config/root" % my_mount if not validate_entry(secret, aws_path, opt): return if secret.get('state', 'present') == 'absent': unmount(client, 'aws', my_mount) log("Unmounted AWS %s" % aws_path, opt) return else: maybe_mount(client, 'aws', my_mount, opt) if opt.mount_only: log("Only mounting %s" % my_mount, opt) return aws_file_path = hard_path(secret['aws_file'], opt.secrets) aomi.validation.secret_file(aws_file_path) aws_obj = yaml.safe_load(open(aws_file_path, 'r').read()) aomi.validation.aws_secret_obj(aws_file_path, aws_obj) region = aomi.legacy.aws_region(secret, aws_obj) if region is None: client.revoke_self_token() raise aomi.exceptions.AomiData('missing aws region') roles = aomi.legacy.aws_roles(secret, aws_obj) if roles is None: client.revoke_self_token() raise aomi.exceptions.AomiData('missing aws roles') obj = { 'access_key': aws_obj['access_key_id'], 'secret_key': aws_obj['secret_access_key'], 'region': region } write(client, aws_path, obj, opt) log('wrote aws secrets %s into %s' % (aws_file_path, aws_path), opt) ttl_obj, lease_msg = grok_ttl(secret, aws_obj) if ttl_obj: write(client, "%s/config/lease" % (secret['mount']), ttl_obj, opt) log("Updated lease for %s %s" % (secret['mount'], lease_msg), opt) seed_aws_roles(client, secret['mount'], roles, opt)
def thaw_aws_file(secret, tmp_dir, opt): """Thaw the contents of an AWS file""" path = "%s/config/root" % (sanitize_mount(secret['mount'])) if not validate_entry(secret, path, opt): return dest_file = "%s/%s" % (opt.secrets, secret['aws_file']) aws_file = os.path.basename(dest_file) src_file = "%s/%s" % (tmp_dir, aws_file) if not os.path.exists(src_file): raise aomi.exceptions.IceFile("AWS file %s missing" % aws_file) shutil.copy(src_file, dest_file) log("Thawed aws_file %s" % aws_file, opt)
def thaw_var_file(secret, tmp_dir, opt): """Thaw the contents of a var file""" path = "%s/%s" % (sanitize_mount(secret['mount']), secret['path']) if not validate_entry(secret, path, opt): return dest_file = "%s/%s" % (opt.secrets, secret['var_file']) var_file = os.path.basename(dest_file) src_file = "%s/%s" % (tmp_dir, var_file) if not os.path.exists(src_file): raise aomi.exceptions.IceFile("Var file %s missing" % var_file) shutil.copy(src_file, dest_file) log("Thawed var_file %s" % var_file, opt)
def __init__(self, obj, opt): super(SSHRole, self).__init__(obj, opt) self.mount = sanitize_mount(obj.get('mount', 'ssh')) a_name = obj.get('name', obj['ssh_creds']) self.path = "%s/roles/%s" % (self.mount, a_name) self._obj = { 'key_type': obj['key_type'] } if 'cidr_list' in obj: self._obj['cidr_list'] = ','.join(obj['cidr_list']) if 'default_user' in obj: self._obj['default_user'] = obj['default_user'] self.tunable(obj)
def __init__(self, obj, opt): super(AWS, self).__init__(obj, opt) self.mount = sanitize_mount(obj['mount']) self.path = "%s/config/root" % self.mount aws_file_path = obj['aws_file'] self._obj = (obj['aws_file'], aws_file_path, obj['region']) self.roles = [] for role in obj['roles']: self.roles.append(AWSRole(self.mount, role, opt)) if self.roles is None: raise aomi.exceptions.AomiData('missing aws roles') ttl_obj, lease_msg = grok_ttl(obj) if ttl_obj: self.ttl = AWSTTL(self.mount, ttl_obj, lease_msg, opt)
def __init__(self, obj, opt): super(LDAP, self).__init__('ldap', obj, opt) auth_obj = {'url': obj['url']} self.mount = 'ldap' self.path = sanitize_mount("auth/ldap/config") self.secret = obj.get('secrets') map_val(auth_obj, obj, 'starttls', False) map_val(auth_obj, obj, 'insecure_tls', False) map_val(auth_obj, obj, 'discoverdn') map_val(auth_obj, obj, 'userdn') map_val(auth_obj, obj, 'userattr') map_val(auth_obj, obj, 'deny_null_bind', True) map_val(auth_obj, obj, 'upndomain') map_val(auth_obj, obj, 'groupfilter') map_val(auth_obj, obj, 'groupdn') map_val(auth_obj, obj, 'groupattr') map_val(auth_obj, obj, 'binddn') self._obj = auth_obj
def thaw_files(secret, tmp_dir, opt): """Thaw some files""" for a_secret in secret['files']: path = "%s/%s" % (sanitize_mount(secret['mount']), secret['path']) if not validate_entry(secret, path, opt): return filename = a_secret['source'] dest_file = "%s/%s" % (opt.secrets, a_secret['source']) src_file = "%s/%s" % (tmp_dir, filename) if not os.path.exists(src_file): raise aomi.exceptions.IceFile("File %s missing" % filename) dest_dir = os.path.dirname(dest_file) if not os.path.isdir(dest_dir): os.mkdir(dest_dir, 0o700) shutil.copy(src_file, dest_file) log("Thawed file %s" % filename, opt)
def __init__(self, obj, opt): super(AWS, self).__init__(obj, opt) self.mount = sanitize_mount(obj['mount']) self.path = "%s/config/root" % self.mount aws_file_path = obj['aws_file'] if self.present: self._obj = (obj['aws_file'], aws_file_path, obj['region']) self.roles = [] for role in obj['roles']: self.roles.append(AWSRole(self.mount, role, opt)) if self.roles is None: raise aomi.exceptions.AomiData('missing aws roles') ttl_obj, _lease_msg = grok_ttl(obj) if ttl_obj: self.ttl = AWSTTL(self.mount, ttl_obj, opt) self.tunable(obj)
def generated(client, obj, opt): """Will provision some random strings into vault, as requested""" aomi.validation.generated_obj(obj) my_mount = sanitize_mount(obj['mount']) vault_path = "%s/%s" % (my_mount, obj['path']) if not aomi.validation.tag_check(obj, vault_path, opt): return maybe_mount(client, 'generic', my_mount, opt) if opt.mount_only: log("Only mounting %s" % my_mount, opt) return existing = {} resp = client.read(vault_path) if resp: existing = resp['data'] if obj.get('state', 'present') == 'present': secret_obj = {} for key in obj['keys']: key_name = key['name'] if key_name in existing and not key.get('overwrite'): log("Not overwriting %s/%s" % (vault_path, key_name), opt) continue secret_obj[key_name] = generated_key(key, opt) genseclen = len(secret_obj.keys()) if genseclen > 0: update_msg = "Writing %s generated secrets to %s" % \ (genseclen, vault_path) log(update_msg, opt) write(client, vault_path, secret_obj, opt) else: log("Removing generated secret at %s" % vault_path, opt) delete(client, vault_path, opt)
def __init__(self, obj, opt): super(LDAP, self).__init__('ldap', obj, opt) auth_obj = { 'url': obj['url'] } self.mount = obj.get('mount', 'ldap') self.path = sanitize_mount("auth/%s/config" % self.mount) self.secret = obj.get('secrets') map_val(auth_obj, obj, 'starttls', False) map_val(auth_obj, obj, 'insecure_tls', False) map_val(auth_obj, obj, 'discoverdn') map_val(auth_obj, obj, 'userdn') map_val(auth_obj, obj, 'userattr') map_val(auth_obj, obj, 'deny_null_bind', True) map_val(auth_obj, obj, 'upndomain') map_val(auth_obj, obj, 'groupfilter') map_val(auth_obj, obj, 'groupdn') map_val(auth_obj, obj, 'groupattr') map_val(auth_obj, obj, 'binddn') map_val(auth_obj, obj, 'tls_max_version') map_val(auth_obj, obj, 'tls_min_version') self._obj = auth_obj self.tunable(obj)
def __init__(self, resource, opt, managed=True): self.path = sanitize_mount(resource.mount) self.backend = resource.backend self.existing = dict() self.present = resource.present self.config = dict() self.managed = managed if hasattr(resource, 'tune') and isinstance(resource.tune, dict): for tunable in MOUNT_TUNABLES: tunable_key = tunable[0] tunable_type = tunable[1] if tunable_key in resource.tune and \ not isinstance(resource.tune[tunable_key], tunable_type): e_msg = "Mount tunable %s on %s must be of type %s" % \ (tunable_key, self.path, tunable_type) raise aomi_excep.AomiData(e_msg) map_val(self.config, resource.tune, tunable_key) if 'description' in resource.tune: self.config['description'] = resource.tune['description'] self.opt = opt
def __init__(self, resource, opt, managed=True): self.path = sanitize_mount(resource.mount) self.backend = resource.backend self.existing = dict() self.present = resource.present self.config = dict() self.managed = managed if hasattr(resource, 'tune') and isinstance(resource.tune, dict): for tunable in MOUNT_TUNABLES: tunable_key = tunable[0] tunable_type = tunable[1] if tunable_key in resource.tune and \ not isinstance(resource.tune[tunable_key], tunable_type): e_msg = "Mount tunable %s on %s must be of type %s" % \ (tunable_key, self.path, tunable_type) raise aomi_excep.AomiData(e_msg) map_val(self.config, resource.tune, tunable_key) if 'description' in resource.tune: self.config['description'] = resource.tune['description'] self.opt = opt
def var_file(client, secret, opt): """Seed a var_file into Vault""" aomi.validation.var_file_obj(secret) my_mount = sanitize_mount(secret['mount']) path = "%s/%s" % (my_mount, secret['path']) if not validate_entry(secret, path, opt): return var_file_name = hard_path(secret['var_file'], opt.secrets) aomi.validation.secret_file(var_file_name) varz = yaml.safe_load(open(var_file_name).read()) maybe_mount(client, 'generic', my_mount, opt) if opt.mount_only: log("Only mounting %s" % my_mount, opt) return if secret.get('state', 'present') == 'present': write(client, path, varz, opt) log('wrote var_file %s into %s' % (var_file_name, path), opt) else: delete(client, path, opt) log('deleted var_file %s from %s' % (var_file_name, path), opt)
def __init__(self, obj, opt): super(Generic, self).__init__(obj, opt) self.mount = sanitize_mount(obj['mount']) self.path = "%s/%s" % (self.mount, obj['path'])
def __init__(self, obj, opt): super(Generic, self).__init__(obj, opt) self.mount = sanitize_mount(obj['mount']) self.path = "%s/%s" % (self.mount, obj['path'])
def __init__(self, path, backend, opt): self.path = sanitize_mount(path) self.backend = backend self.existing = False self.opt = opt
def __init__(self, resource, opt): self.path = sanitize_mount(resource.mount) self.backend = resource.backend self.existing = False self.present = resource.present self.opt = opt