class SecretsManager(object):
def __init__(self):
self.api = SecretsAdapter()
def deploy(self, config, dependencies_changed=False):
exists = config.path in self.api.list_secrets()
if exists:
content = self.api.get_secret(config.path)
if config.value:
changed = content != config.value
elif config.file_content:
changed = content != config.file_content
else:
raise Exception(
"Specified neither value nor file_content for secret")
if not changed:
print("\tSecret already exists. No update needed.")
return False
print("\tUpdating secret")
self.api.write_secret(config.path,
config.value,
config.file_content,
update=exists)
print("\tSecret updated.")
return True
else:
print("\tCreating secret")
self.api.write_secret(config.path,
config.value,
config.file_content,
update=exists)
print("\tSecret created.")
return True
def dry_run(self, config, dependencies_changed=False, debug=False):
exists = config.path in self.api.list_secrets()
if not exists:
print("Would create secret %s" % config.path)
return True
content = self.api.get_secret(config.path)
if config.value:
changed = content != config.value
elif config.file_content:
changed = content != config.file_content
else:
raise Exception(
"Specified neither value nor file_content for secret")
if changed:
print("Would update secret %s" % config.path)
def __init__(self):
self.ca = CAAdapter()
self.secrets = SecretsAdapter()
class CertsManager(object):
def __init__(self):
self.ca = CAAdapter()
self.secrets = SecretsAdapter()
def deploy(self, config, dependencies_changed=False, silent=False):
cert_secret = self.secrets.get_secret(config.cert_secret)
key_secret = self.secrets.get_secret(config.key_secret)
if key_secret and cert_secret:
if not silent:
print("\tSecrets already exist. Not doing anything.")
return False
if cert_secret and not key_secret:
if not silent:
print("\tDeleting existing secret %s" % config.cert_secret)
self.secrets.delete_secret(config.cert_secret)
if not cert_secret and key_secret:
if not silent:
print("\tDeleting existing secret %s" % config.key_secret)
self.secrets.delete_secret(config.key_secret)
if not silent:
print("\tGenerating private key")
csr, private_key = self.ca.generate_key(config.dn, config.hostnames)
if not silent:
print("\tSigning csr")
cert = self.ca.sign_csr(csr, config.hostnames)
if not silent:
print("\tCreating secrets")
self.secrets.write_secret(config.key_secret,
file_content=private_key,
update=False)
self.secrets.write_secret(config.cert_secret,
file_content=cert,
update=False)
if not silent:
print("\tFinished")
return True
def dry_run(self, config, dependencies_changed=False, debug=False):
cert_secret = self.secrets.get_secret(config.cert_secret)
key_secret = self.secrets.get_secret(config.key_secret)
if key_secret and cert_secret:
return False
elif cert_secret and not key_secret:
print("Would delete existing secret %s for cert %s and recreate" %
(config.cert_secret, config.name))
return True
elif not cert_secret and key_secret:
print("Would delete existing secret %s for cert %s and recreate" %
(config.key_secret, config.name))
return True
else:
print("Would create cert %s" % config.name)
return True
def __init__(self):
self.bouncer = BouncerAdapter()
self.secrets = SecretsAdapter()
class AccountsManager(object):
def __init__(self):
self.bouncer = BouncerAdapter()
self.secrets = SecretsAdapter()
def _does_serviceaccount_exist(self, path):
return self.bouncer.get_account(path) is not None
def _create_serviceaccount(self, path, secret):
private_key, public_key = self._generate_keypair()
self.bouncer.create_account(path, "", public_key)
cert_secret = json.dumps(
dict(login_endpoint=LOGIN_ENDPOINT,
private_key=private_key,
scheme="RS256",
uid=path))
self.secrets.write_secret(secret, cert_secret, update=False)
def _generate_keypair(self, size=2048):
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=size,
backend=default_backend())
private_key_string = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption())
public_key = private_key.public_key()
public_key_string = public_key.public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.SubjectPublicKeyInfo)
return private_key_string.decode("utf-8"), public_key_string.decode(
"utf-8")
def deploy(self, config, dependencies_changed=False, silent=False):
changed = False
if not self._does_serviceaccount_exist(config.path):
print_if(not silent, "\tCreating serviceaccount")
self._create_serviceaccount(config.path, config.secret)
changed = True
else:
print_if(not silent,
"\tServiceaccount already exists. Not creating it.")
existing_groups = self.bouncer.get_groups_for_user(config.path)
existing_permissions = self.bouncer.get_permissions_for_user(
config.path)
existing_rids = self.bouncer.get_rids()
print_if(not silent, "\tUpdating groups")
# Update groups
for group in existing_groups:
if group not in config.groups:
self.bouncer.remove_user_from_group(config.path, group)
changed = True
for group in config.groups:
if group not in existing_groups:
self.bouncer.add_user_to_group(config.path, group)
changed = True
# Update permissions
print_if(not silent, "\tUpdating permissions")
for rid, actions in existing_permissions.items():
target_actions = config.permissions.get(rid, list())
for action in actions:
if action not in target_actions:
self.bouncer.remove_permission_from_user(
config.path, rid, action)
changed = True
for rid, actions in config.permissions.items():
if rid not in existing_rids:
self.bouncer.create_permission(rid)
for action in actions:
if action not in existing_permissions.get(rid, list()):
self.bouncer.add_permission_to_user(
config.path, rid, action)
changed = True
return changed
def dry_run(self, config, dependencies_changed=False, debug=False):
existing_rids = self.bouncer.get_rids()
if not self._does_serviceaccount_exist(config.path):
print("Would create serviceaccount %s" % config.path)
for rid, actions in config.permissions.items():
if rid not in existing_rids:
print("Would create permission %s" % rid)
return True
existing_groups = self.bouncer.get_groups_for_user(config.path)
existing_permissions = self.bouncer.get_permissions_for_user(
config.path)
changes = False
# Check groups
for group in existing_groups:
if group not in config.groups:
print("Would remove user %s from group %s" %
(config.path, group))
changes = True
for group in config.groups:
if group not in existing_groups:
print("Would add user %s to group %s" % (config.path, group))
changes = True
# Check permissions
for rid, actions in existing_permissions.items():
if rid not in config.permissions:
print("Would remove permission %s completely from user %s" %
(rid, config.path))
changes = True
else:
for action in actions:
if action not in config.permissions[rid]:
print("Would remove permission %s %s from user %s" %
(rid, action, config.path))
changes = True
for rid, actions in config.permissions.items():
if rid not in existing_rids:
print("Would create permission %s" % rid)
for action in actions:
if action not in existing_permissions.get(rid, list()):
print("Would add permission %s %s to user %s" %
(rid, action, config.path))
changes = True
return changes
def delete(self, config, silent=False):
print("\tDeleting serviceaccount secret")
self.secrets.delete_secret(config.secret)
print("\tDeleting account")
self.bouncer.delete_account(config.path)
print("\tDeletion complete.")
return True
def dry_delete(self, config):
if self._does_serviceaccount_exist(config.path):
print("Would delete serviceaccount %s" % config.path)
return True
else:
return False
def __init__(self):
self.api = SecretsAdapter()
class SecretsManager(object):
def __init__(self):
self.api = SecretsAdapter()
def deploy(self, config, dependencies_changed=False, silent=False):
exists = config.path in self.api.list_secrets()
if exists:
content = self.api.get_secret(config.path)
if config.value:
changed = content != config.value
elif config.file_content:
if isinstance(config.file_content, str):
content = content.decode("utf-8")
changed = content != config.file_content
else:
raise Exception(
"Specified neither value nor file_content for secret")
if not changed:
print_if(not silent,
"\tSecret already exists. No update needed.")
return False
print_if(not silent, "\tUpdating secret")
self.api.write_secret(config.path,
config.value,
config.file_content,
update=exists)
print_if(not silent, "\tSecret updated.")
return True
else:
print_if(not silent, "\tCreating secret")
self.api.write_secret(config.path,
config.value,
config.file_content,
update=exists)
print_if(not silent, "\tSecret created.")
return True
def dry_run(self, config, dependencies_changed=False, debug=False):
exists = config.path in self.api.list_secrets()
if not exists:
print("Would create secret %s" % config.path)
return True
content = self.api.get_secret(config.path)
if config.value:
changed = content != config.value
elif config.file_content:
if isinstance(config.file_content, str):
content = content.decode("utf-8")
changed = content != config.file_content
else:
raise Exception(
"Specified neither value nor file_content for secret")
if changed:
if debug:
new_content = config.file_content if config.file_content else config.value
print("Would update secret %s:" % config.path)
print(compare_text(content, new_content))
else:
print("Would update secret %s" % config.path)
return changed
def delete(self, config, silent=False):
print("\tDeleting secret")
deleted = self.api.delete_secret(config.path)
print("\tDeleted secret.")
return deleted
def dry_delete(self, config):
if self.api.get_secret(config.path):
print("Would delete secret %s" % config.path)
return True
else:
return False
class AccountsManager(object):
def __init__(self):
self.bouncer = BouncerAdapter()
self.secrets = SecretsAdapter()
def does_serviceaccount_exist(self, path):
return self.bouncer.get_account(path) is not None
def create_serviceaccount(self, path, secret):
private_key, public_key = generate_keypair()
self.bouncer.create_account(path, "", public_key)
ca_secret = json.dumps(dict(login_endpoint=LOGIN_ENDPOINT, private_key=private_key, scheme="RS256", uid=path))
self.secrets.write_secret(secret, ca_secret, update=False)
def deploy(self, config, dependencies_changed=False):
changed = False
if not self.does_serviceaccount_exist(config.path):
print("\tCreating serviceaccount")
self.create_serviceaccount(config.path, config.secret)
changed = True
else:
print("\tServiceaccount already exists. Not creating it.")
existing_groups = self.bouncer.get_groups_for_user(config.path)
existing_permissions = self.bouncer.get_permissions_for_user(config.path)
print("\tUpdating groups")
# Update groups
for group in existing_groups:
if group not in config.groups:
self.bouncer.remove_user_from_group(config.path, group)
changed = True
for group in config.groups:
if group not in existing_groups:
self.bouncer.add_user_to_group(config.path, group)
changed = True
# Update permissions
print("\tUpdating permissions")
for rid, actions in existing_permissions.items():
if rid not in config.permissions:
self.bouncer.remove_permission_from_user(config.path, rid)
changed = True
else:
for action in actions:
if action not in config.permissions[rid]:
self.bouncer.remove_permission_from_user(config.path, rid, action)
changed = True
for rid, actions in config.permissions.items():
for action in actions:
if action not in existing_permissions.get(rid, list()):
self.bouncer.add_permission_to_user(config.path, rid, action)
changed = True
return changed
def dry_run(self, config, dependencies_changed=False, debug=False):
if not self.does_serviceaccount_exist(config.path):
print("Would create serviceaccount %s" % config.path)
return True
existing_groups = self.bouncer.get_groups_for_user(config.path)
existing_permissions = self.bouncer.get_permissions_for_user(config.path)
changes = False
# Check groups
for group in existing_groups:
if group not in config.groups:
print("Would remove user %s from group %s" % (config.path, group))
changes = True
for group in config.groups:
if group not in existing_groups:
print("Would add user %s to group %s" % (config.path, group))
changes = True
# Check permissions
for rid, actions in existing_permissions.items():
if rid not in config.permissions:
print("Would remove permission %s completely from user %s" % (rid, config.path))
changes = True
else:
for action in actions:
if action not in config.permissions[rid]:
print("Would remove permission %s %s from user %s" % (rid, action, config.path))
changes = True
for rid, actions in config.permissions.items():
for action in actions:
if action not in existing_permissions.get(rid, list()):
print("Would add permission %s %s to user %s" % (rid, action, config.path))
changes = True
return changes