Exemple #1
0
def create_sa_secret(secret_name,
                     service_account,
                     strict=False,
                     private_key_filename='private-key.pem'):
    """Create an sa-secret with a given private key file for passed service account in the vault. Both
       (service account and secret) should share the same key pair. `{strict}` parameter should be
       `True` when creating a secret in a `strict` secure cluster. Private key file will be removed
       after secret is successfully created.
       This method uses `dcos security org` command and assumes that `dcos-enterprise-cli`
       package is installed.

       :param secret_name: secret name
       :type secret_name: str
       :param service_account: service account name
       :type service_account: str
       :param strict: `True` is this a `strict` secure cluster
       :type strict: bool
       :param private_key_filename: private key file name
       :type private_key_filename: str
    """
    assert os.path.isfile(
        private_key_filename), "Failed to create secret: private key not found"

    logger.info('Creating new sa-secret {} for service-account: {}'.format(
        secret_name, service_account))
    strict_opt = '--strict' if strict else ''
    with attached_cli():
        stdout, stderr, return_code = run_dcos_command(
            'security secrets create-sa-secret {} {} {} {}'.format(
                strict_opt, private_key_filename, service_account,
                secret_name))

    os.remove(private_key_filename)
    assert return_code == 0, "Failed to create a secret"
Exemple #2
0
def install_enterprise_cli_package():
    """Install `dcos-enterprise-cli` package. It is required by the `dcos security`
       command to create secrets, manage service accounts etc.
    """
    logger.info('Installing dcos-enterprise-cli package')
    with attached_cli():
        cmd = 'package install dcos-enterprise-cli --cli --yes'
        stdout, stderr, return_code = run_dcos_command(cmd,
                                                       raise_on_error=True)
Exemple #3
0
def delete_service_account(service_account):
    """Removes an existing service account. This method uses `dcos security org`
       command and assumes that `dcos-enterprise-cli` package is installed.

       :param service_account: service account name
       :type service_account: str
    """
    logger.info('Removing existing service account {}'.format(service_account))
    with attached_cli():
        cmd = 'security org service-accounts delete {}'.format(service_account)
        stdout, stderr, return_code = run_dcos_command(cmd)
        assert return_code == 0, "Failed to create a service account"
Exemple #4
0
def has_service_account(service_account):
    """Returns `True` if a service account with a given name already exists.
       This method uses `dcos security org` command and assumes that `dcos-enterprise-cli`
       package is installed.

       :param service_account: service account name
       :type service_account: str
    """
    with attached_cli():
        stdout, stderr, return_code = run_dcos_command(
            'security org service-accounts show --json')
        result_json = json.loads(stdout)
        return service_account in result_json
Exemple #5
0
def delete_secret(secret_name):
    """Delete a secret with a given name from the vault.
       This method uses `dcos security org` command and assumes that `dcos-enterprise-cli`
       package is installed.

       :param secret_name: secret name
       :type secret_name: str
    """
    logger.info('Removing existing secret {}'.format(secret_name))
    with attached_cli():
        stdout, stderr, return_code = run_dcos_command(
            'security secrets delete {}'.format(secret_name))
        assert return_code == 0, "Failed to remove existing secret"
Exemple #6
0
def is_enterprise_cli_package_installed():
    """Returns `True` if `dcos-enterprise-cli` package is installed."""
    with attached_cli():
        stdout, stderr, return_code = run_dcos_command('package list --json')
        logger.info(
            'package list command returned code:{}, stderr:{}, stdout: {}'.
            format(return_code, stderr, stdout))
        try:
            result_json = json.loads(stdout)
        except JSONDecodeError as error:
            raise DCOSException(
                'Could not parse: "{}"'.format(stdout)) from error
        return any(cmd['name'] == 'dcos-enterprise-cli' for cmd in result_json)
Exemple #7
0
def has_secret(secret_name):
    """Returns `True` if the secret with given name exists in the vault.
       This method uses `dcos security secrets` command and assumes that `dcos-enterprise-cli`
       package is installed.

       :param secret_name: secret name
       :type secret_name: str
    """
    with attached_cli():
        stdout, stderr, return_code = run_dcos_command(
            'security secrets list / --json')
        if stdout:
            result_json = json.loads(stdout)
            return secret_name in result_json
        return False
Exemple #8
0
def create_service_account(service_account,
                           private_key_filename='private-key.pem',
                           public_key_filename='public-key.pem',
                           account_description='SI test account'):
    """Create new private and public key pair and use them to add a new service
       with a give name. Public key file is then removed, however private key file
       is left since it might be used to create a secret. If you don't plan on creating
       a secret afterwards, please remove it manually.
       This method uses `dcos security org` command and assumes that `dcos-enterprise-cli`
       package is installed.

       :param service_account: service account name
       :type service_account: str
       :param private_key_filename: optional private key file name
       :type private_key_filename: str
       :param public_key_filename: optional public key file name
       :type public_key_filename: str
       :param account_description: service account description
       :type account_description: str
    """
    logger.info('Creating a key pair for the service account')
    with attached_cli():
        cmd = 'security org service-accounts keypair {} {}'.format(
            private_key_filename, public_key_filename)
        run_dcos_command(cmd)
        assert os.path.isfile(
            private_key_filename
        ), "Private key of the service account key pair not found"
        assert os.path.isfile(
            public_key_filename
        ), "Public key of the service account key pair not found"

        logger.info('Creating {} service account'.format(service_account))
        stdout, stderr, return_code = run_dcos_command(
            'security org service-accounts create -p {} -d "{}" {}'.format(
                public_key_filename, account_description, service_account))

        os.remove(public_key_filename)
        assert return_code == 0
Exemple #9
0
def create_secret(name, value=None, description=None):
    """Create a secret with a passed `{name}` and optional `{value}`.
       This method uses `dcos security secrets` command and assumes that `dcos-enterprise-cli`
       package is installed.

       :param name: secret name
       :type name: str
       :param value: optional secret value
       :type value: str
       :param description: option secret description
       :type description: str
    """
    logger.info('Creating new secret {}:{}'.format(name, value))

    value_opt = '-v {}'.format(shlex.quote(value)) if value else ''
    description_opt = '-d "{}"'.format(description) if description else ''

    with attached_cli():
        stdout, stderr, return_code = run_dcos_command(
            'security secrets create {} {} "{}"'.format(
                value_opt, description_opt, name),
            print_output=True)
        assert return_code == 0, "Failed to create a secret"