def files(client, secret, opt):
"""Seed files into Vault"""
aomi.validation.file_obj(secret)
obj = {}
my_mount = sanitize_mount(secret['mount'])
vault_path = "%s/%s" % (my_mount, secret['path'])
if not validate_entry(secret, vault_path, opt):
return
maybe_mount(client, 'generic', my_mount, opt)
if opt.mount_only:
log("Only mounting %s" % my_mount, opt)
return
if secret.get('state', 'present') == 'present':
for sfile in secret.get('files', []):
if 'source' not in sfile or 'name' not in sfile:
client.revoke_self_token()
e_msg = "Invalid file specification %s" % sfile
raise aomi.exceptions.AomiData(e_msg)
filename = hard_path(sfile['source'], opt.secrets)
aomi.validation.secret_file(filename)
data = open(filename, 'r').read()
obj[sfile['name']] = data
log(
'writing file %s into %s/%s' %
(filename, vault_path, sfile['name']), opt)
write(client, vault_path, obj, opt)
else:
rmfiles = ','.join([f['source'] for f in secret.get('files', [])])
log("Removing files %s from %s" % (rmfiles, vault_path), opt)
delete(client, vault_path, opt)
def __init__(self, obj, opt):
super(LDAPUser, self).__init__(obj, opt)
self.path = sanitize_mount("auth/%s/users/%s" %
(obj.get('mount', 'ldap'), obj['user']))
self._obj = {}
map_val(self._obj, obj, 'groups', [])
map_val(self._obj, obj, 'policies', [])
def __init__(self, obj, opt):
super(LDAPUser, self).__init__(obj, opt)
self.path = sanitize_mount("auth/%s/users/%s" %
(obj.get('mount', 'ldap'), obj['user']))
self._obj = {}
map_val(self._obj, obj, 'groups', [])
map_val(self._obj, obj, 'policies', [])
def __init__(self, obj, opt):
super(LDAPGroup, self).__init__(obj, opt)
self.group = obj['group']
self.path = sanitize_mount("auth/%s/groups/%s" %
(obj.get('mount', 'ldap'), self.group))
if self.present:
self._obj = {"policies": obj['policies']}
def __init__(self, obj, opt):
super(UserPass, self).__init__('userpass', obj, opt)
self.username = obj['username']
self.mount = 'userpass'
self.path = sanitize_mount("auth/userpass/users/%s" % self.username)
self.policies = obj['policies']
self.secret = obj['password_file']
self.filename = self.secret
def freeze_aws_file(secret, tmp_dir, opt):
"""Handles the potential validation of any frozen AWS credentials"""
path = "%s/config/root" % (sanitize_mount(secret['mount']))
if not validate_entry(secret, path, opt):
return
sfile = secret['aws_file']
freeze_secret(sfile, sfile, 'aws_file', tmp_dir, opt)
def freeze_var_file(secret, tmp_dir, opt):
"""Handles the potential validation of any frozen var file"""
path = "%s/%s" % (sanitize_mount(secret['mount']), secret['path'])
if not validate_entry(secret, path, opt):
return
sfile = secret['var_file']
freeze_secret(sfile, sfile, 'var_file', tmp_dir, opt)
def __init__(self, obj, opt):
super(LDAPGroup, self).__init__(obj, opt)
self.group = obj['group']
self.path = sanitize_mount("auth/%s/groups/%s" %
(obj.get('mount', 'ldap'), self.group))
if self.present:
self._obj = {
"policies": obj['policies']
}
def __init__(self, obj, opt):
super(UserPassUser, self).__init__('userpass', obj, opt)
self.username = obj['username']
self.mount = 'userpass'
self.path = sanitize_mount("auth/userpass/users/%s" % self.username)
self.secret = obj['password_file']
self._obj = {'policies': obj['policies']}
map_val(self._obj, obj, 'ttl')
map_val(self._obj, obj, 'max_ttl')
self.filename = self.secret
def freeze_generic_file(secret, tmp_dir, opt):
"""Handles the potential validation of any frozen files"""
path = "%s/%s" % (sanitize_mount(secret['mount']),
secret['path'])
if not validate_entry(secret, path, opt):
return
for a_secret in secret['files']:
sfile = a_secret['source']
freeze_secret(sfile, sfile, 'file', tmp_dir, opt)
def read(self, path, wrap_ttl=None):
"""Wrap the hvac read call, using the right token for
cubbyhole interactions."""
path = sanitize_mount(path)
if path.startswith('cubbyhole'):
self.token = self.initial_token
val = super(Client, self).read(path, wrap_ttl)
self.token = self.operational_token
return val
return super(Client, self).read(path, wrap_ttl)
def read(self, path, wrap_ttl=None):
"""Wrap the hvac read call, using the right token for
cubbyhole interactions."""
path = sanitize_mount(path)
if path.startswith('cubbyhole'):
self.token = self.initial_token
val = super(Client, self).read(path, wrap_ttl)
self.token = self.operational_token
return val
return super(Client, self).read(path, wrap_ttl)
def __init__(self, obj, opt):
super(UserPassUser, self).__init__('userpass', obj, opt)
self.username = obj['username']
self.mount = 'userpass'
self.path = sanitize_mount("auth/userpass/users/%s" % self.username)
self.secret = obj['password_file']
self._obj = {
'policies': obj['policies']
}
map_val(self._obj, obj, 'ttl')
map_val(self._obj, obj, 'max_ttl')
self.filename = self.secret
def delete(self, path):
"""Wrap the hvac delete call, using the right token for
cubbyhole interactions."""
path = sanitize_mount(path)
val = None
if path.startswith('cubbyhole'):
self.token = self.initial_token
val = super(Client, self).delete(path)
self.token = self.operational_token
else:
super(Client, self).delete(path)
return val
def delete(self, path):
"""Wrap the hvac delete call, using the right token for
cubbyhole interactions."""
path = sanitize_mount(path)
val = None
if path.startswith('cubbyhole'):
self.token = self.initial_token
val = super(Client, self).delete(path)
self.token = self.operational_token
else:
super(Client, self).delete(path)
return val
def write(self, path, wrap_ttl=None, **kwargs):
"""Wrap the hvac write call, using the right token for
cubbyhole interactions."""
path = sanitize_mount(path)
val = None
if path.startswith('cubbyhole'):
self.token = self.initial_token
val = super(Client, self).write(path, wrap_ttl=wrap_ttl, **kwargs)
self.token = self.operational_token
else:
super(Client, self).write(path, wrap_ttl=wrap_ttl, **kwargs)
return val
def write(self, path, wrap_ttl=None, **kwargs):
"""Wrap the hvac write call, using the right token for
cubbyhole interactions."""
path = sanitize_mount(path)
val = None
if path.startswith('cubbyhole'):
self.token = self.initial_token
val = super(Client, self).write(path, wrap_ttl=wrap_ttl, **kwargs)
self.token = self.operational_token
else:
super(Client, self).write(path, wrap_ttl=wrap_ttl, **kwargs)
return val
def aws(client, secret, opt):
"""Seed an aws_file into Vault"""
aomi.validation.aws_file_obj(secret)
my_mount = sanitize_mount(secret['mount'])
aws_path = "%s/config/root" % my_mount
if not validate_entry(secret, aws_path, opt):
return
if secret.get('state', 'present') == 'absent':
unmount(client, 'aws', my_mount)
log("Unmounted AWS %s" % aws_path, opt)
return
else:
maybe_mount(client, 'aws', my_mount, opt)
if opt.mount_only:
log("Only mounting %s" % my_mount, opt)
return
aws_file_path = hard_path(secret['aws_file'], opt.secrets)
aomi.validation.secret_file(aws_file_path)
aws_obj = yaml.safe_load(open(aws_file_path, 'r').read())
aomi.validation.aws_secret_obj(aws_file_path, aws_obj)
region = aomi.legacy.aws_region(secret, aws_obj)
if region is None:
client.revoke_self_token()
raise aomi.exceptions.AomiData('missing aws region')
roles = aomi.legacy.aws_roles(secret, aws_obj)
if roles is None:
client.revoke_self_token()
raise aomi.exceptions.AomiData('missing aws roles')
obj = {
'access_key': aws_obj['access_key_id'],
'secret_key': aws_obj['secret_access_key'],
'region': region
}
write(client, aws_path, obj, opt)
log('wrote aws secrets %s into %s' % (aws_file_path, aws_path), opt)
ttl_obj, lease_msg = grok_ttl(secret, aws_obj)
if ttl_obj:
write(client, "%s/config/lease" % (secret['mount']), ttl_obj, opt)
log("Updated lease for %s %s" % (secret['mount'], lease_msg), opt)
seed_aws_roles(client, secret['mount'], roles, opt)
def thaw_aws_file(secret, tmp_dir, opt):
"""Thaw the contents of an AWS file"""
path = "%s/config/root" % (sanitize_mount(secret['mount']))
if not validate_entry(secret, path, opt):
return
dest_file = "%s/%s" % (opt.secrets, secret['aws_file'])
aws_file = os.path.basename(dest_file)
src_file = "%s/%s" % (tmp_dir, aws_file)
if not os.path.exists(src_file):
raise aomi.exceptions.IceFile("AWS file %s missing" % aws_file)
shutil.copy(src_file, dest_file)
log("Thawed aws_file %s" % aws_file, opt)
def thaw_var_file(secret, tmp_dir, opt):
"""Thaw the contents of a var file"""
path = "%s/%s" % (sanitize_mount(secret['mount']), secret['path'])
if not validate_entry(secret, path, opt):
return
dest_file = "%s/%s" % (opt.secrets, secret['var_file'])
var_file = os.path.basename(dest_file)
src_file = "%s/%s" % (tmp_dir, var_file)
if not os.path.exists(src_file):
raise aomi.exceptions.IceFile("Var file %s missing" % var_file)
shutil.copy(src_file, dest_file)
log("Thawed var_file %s" % var_file, opt)
def __init__(self, obj, opt):
super(SSHRole, self).__init__(obj, opt)
self.mount = sanitize_mount(obj.get('mount', 'ssh'))
a_name = obj.get('name', obj['ssh_creds'])
self.path = "%s/roles/%s" % (self.mount, a_name)
self._obj = {
'key_type': obj['key_type']
}
if 'cidr_list' in obj:
self._obj['cidr_list'] = ','.join(obj['cidr_list'])
if 'default_user' in obj:
self._obj['default_user'] = obj['default_user']
self.tunable(obj)
def __init__(self, obj, opt):
super(AWS, self).__init__(obj, opt)
self.mount = sanitize_mount(obj['mount'])
self.path = "%s/config/root" % self.mount
aws_file_path = obj['aws_file']
self._obj = (obj['aws_file'], aws_file_path, obj['region'])
self.roles = []
for role in obj['roles']:
self.roles.append(AWSRole(self.mount, role, opt))
if self.roles is None:
raise aomi.exceptions.AomiData('missing aws roles')
ttl_obj, lease_msg = grok_ttl(obj)
if ttl_obj:
self.ttl = AWSTTL(self.mount, ttl_obj, lease_msg, opt)
def __init__(self, obj, opt):
super(LDAP, self).__init__('ldap', obj, opt)
auth_obj = {'url': obj['url']}
self.mount = 'ldap'
self.path = sanitize_mount("auth/ldap/config")
self.secret = obj.get('secrets')
map_val(auth_obj, obj, 'starttls', False)
map_val(auth_obj, obj, 'insecure_tls', False)
map_val(auth_obj, obj, 'discoverdn')
map_val(auth_obj, obj, 'userdn')
map_val(auth_obj, obj, 'userattr')
map_val(auth_obj, obj, 'deny_null_bind', True)
map_val(auth_obj, obj, 'upndomain')
map_val(auth_obj, obj, 'groupfilter')
map_val(auth_obj, obj, 'groupdn')
map_val(auth_obj, obj, 'groupattr')
map_val(auth_obj, obj, 'binddn')
self._obj = auth_obj
def thaw_files(secret, tmp_dir, opt):
"""Thaw some files"""
for a_secret in secret['files']:
path = "%s/%s" % (sanitize_mount(secret['mount']),
secret['path'])
if not validate_entry(secret, path, opt):
return
filename = a_secret['source']
dest_file = "%s/%s" % (opt.secrets, a_secret['source'])
src_file = "%s/%s" % (tmp_dir, filename)
if not os.path.exists(src_file):
raise aomi.exceptions.IceFile("File %s missing" % filename)
dest_dir = os.path.dirname(dest_file)
if not os.path.isdir(dest_dir):
os.mkdir(dest_dir, 0o700)
shutil.copy(src_file, dest_file)
log("Thawed file %s" % filename, opt)
def __init__(self, obj, opt):
super(AWS, self).__init__(obj, opt)
self.mount = sanitize_mount(obj['mount'])
self.path = "%s/config/root" % self.mount
aws_file_path = obj['aws_file']
if self.present:
self._obj = (obj['aws_file'],
aws_file_path,
obj['region'])
self.roles = []
for role in obj['roles']:
self.roles.append(AWSRole(self.mount, role, opt))
if self.roles is None:
raise aomi.exceptions.AomiData('missing aws roles')
ttl_obj, _lease_msg = grok_ttl(obj)
if ttl_obj:
self.ttl = AWSTTL(self.mount, ttl_obj, opt)
self.tunable(obj)
def generated(client, obj, opt):
"""Will provision some random strings into vault, as requested"""
aomi.validation.generated_obj(obj)
my_mount = sanitize_mount(obj['mount'])
vault_path = "%s/%s" % (my_mount, obj['path'])
if not aomi.validation.tag_check(obj, vault_path, opt):
return
maybe_mount(client, 'generic', my_mount, opt)
if opt.mount_only:
log("Only mounting %s" % my_mount, opt)
return
existing = {}
resp = client.read(vault_path)
if resp:
existing = resp['data']
if obj.get('state', 'present') == 'present':
secret_obj = {}
for key in obj['keys']:
key_name = key['name']
if key_name in existing and not key.get('overwrite'):
log("Not overwriting %s/%s" % (vault_path, key_name), opt)
continue
secret_obj[key_name] = generated_key(key, opt)
genseclen = len(secret_obj.keys())
if genseclen > 0:
update_msg = "Writing %s generated secrets to %s" % \
(genseclen, vault_path)
log(update_msg, opt)
write(client, vault_path, secret_obj, opt)
else:
log("Removing generated secret at %s" % vault_path, opt)
delete(client, vault_path, opt)
def __init__(self, obj, opt):
super(LDAP, self).__init__('ldap', obj, opt)
auth_obj = {
'url': obj['url']
}
self.mount = obj.get('mount', 'ldap')
self.path = sanitize_mount("auth/%s/config" % self.mount)
self.secret = obj.get('secrets')
map_val(auth_obj, obj, 'starttls', False)
map_val(auth_obj, obj, 'insecure_tls', False)
map_val(auth_obj, obj, 'discoverdn')
map_val(auth_obj, obj, 'userdn')
map_val(auth_obj, obj, 'userattr')
map_val(auth_obj, obj, 'deny_null_bind', True)
map_val(auth_obj, obj, 'upndomain')
map_val(auth_obj, obj, 'groupfilter')
map_val(auth_obj, obj, 'groupdn')
map_val(auth_obj, obj, 'groupattr')
map_val(auth_obj, obj, 'binddn')
map_val(auth_obj, obj, 'tls_max_version')
map_val(auth_obj, obj, 'tls_min_version')
self._obj = auth_obj
self.tunable(obj)
def __init__(self, resource, opt, managed=True):
self.path = sanitize_mount(resource.mount)
self.backend = resource.backend
self.existing = dict()
self.present = resource.present
self.config = dict()
self.managed = managed
if hasattr(resource, 'tune') and isinstance(resource.tune, dict):
for tunable in MOUNT_TUNABLES:
tunable_key = tunable[0]
tunable_type = tunable[1]
if tunable_key in resource.tune and \
not isinstance(resource.tune[tunable_key], tunable_type):
e_msg = "Mount tunable %s on %s must be of type %s" % \
(tunable_key, self.path, tunable_type)
raise aomi_excep.AomiData(e_msg)
map_val(self.config, resource.tune, tunable_key)
if 'description' in resource.tune:
self.config['description'] = resource.tune['description']
self.opt = opt
def __init__(self, resource, opt, managed=True):
self.path = sanitize_mount(resource.mount)
self.backend = resource.backend
self.existing = dict()
self.present = resource.present
self.config = dict()
self.managed = managed
if hasattr(resource, 'tune') and isinstance(resource.tune, dict):
for tunable in MOUNT_TUNABLES:
tunable_key = tunable[0]
tunable_type = tunable[1]
if tunable_key in resource.tune and \
not isinstance(resource.tune[tunable_key], tunable_type):
e_msg = "Mount tunable %s on %s must be of type %s" % \
(tunable_key, self.path, tunable_type)
raise aomi_excep.AomiData(e_msg)
map_val(self.config, resource.tune, tunable_key)
if 'description' in resource.tune:
self.config['description'] = resource.tune['description']
self.opt = opt
def var_file(client, secret, opt):
"""Seed a var_file into Vault"""
aomi.validation.var_file_obj(secret)
my_mount = sanitize_mount(secret['mount'])
path = "%s/%s" % (my_mount, secret['path'])
if not validate_entry(secret, path, opt):
return
var_file_name = hard_path(secret['var_file'], opt.secrets)
aomi.validation.secret_file(var_file_name)
varz = yaml.safe_load(open(var_file_name).read())
maybe_mount(client, 'generic', my_mount, opt)
if opt.mount_only:
log("Only mounting %s" % my_mount, opt)
return
if secret.get('state', 'present') == 'present':
write(client, path, varz, opt)
log('wrote var_file %s into %s' % (var_file_name, path), opt)
else:
delete(client, path, opt)
log('deleted var_file %s from %s' % (var_file_name, path), opt)
def __init__(self, obj, opt):
super(Generic, self).__init__(obj, opt)
self.mount = sanitize_mount(obj['mount'])
self.path = "%s/%s" % (self.mount, obj['path'])
def __init__(self, obj, opt):
super(Generic, self).__init__(obj, opt)
self.mount = sanitize_mount(obj['mount'])
self.path = "%s/%s" % (self.mount, obj['path'])
def __init__(self, path, backend, opt):
self.path = sanitize_mount(path)
self.backend = backend
self.existing = False
self.opt = opt
def __init__(self, resource, opt):
self.path = sanitize_mount(resource.mount)
self.backend = resource.backend
self.existing = False
self.present = resource.present
self.opt = opt
