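def __init__(
    self,
    soa_dir: Optional[str],
    service_name: Optional[str],
    cluster_names: List[str],
    vault_cluster_config: Optional[Dict[str, str]] = None,
    vault_auth_method: str = "ldap",
    vault_token_file: str = "/root/.vault-token",
    vault_num_uses: int = 1,
    **kwargs: Any,
) -> None:
    """Create one authenticated Vault client per ecosystem behind *cluster_names*.

    Args:
        soa_dir: forwarded to the base class.
        service_name: forwarded to the base class.
        cluster_names: forwarded to the base class; the ecosystems are then
            read back via ``self.get_vault_ecosystems_for_clusters()``.
        vault_cluster_config: stored on the instance as-is. ``None`` (the new
            default) becomes a fresh empty dict; the previous ``{}`` default
            was a single dict shared by every instance, so a mutation through
            one instance leaked into all later ones.
        vault_auth_method: ``"ldap"`` prompts the caller for their LDAP
            password (no echo) and passes ``getpass.getuser()`` as the user;
            any other value sends no credentials, leaving authentication to
            ``get_vault_client`` (presumably via ``vault_token_file``).
        vault_token_file: path handed to ``get_vault_client``.
        vault_num_uses: ``num_uses`` requested for each client.
        **kwargs: accepted for signature compatibility and ignored.
    """
    super().__init__(soa_dir, service_name, cluster_names)
    # Never share a mutable default between instances.
    self.vault_cluster_config = (
        {} if vault_cluster_config is None else vault_cluster_config
    )
    self.vault_auth_method = vault_auth_method
    self.vault_token_file = vault_token_file
    self.ecosystems = self.get_vault_ecosystems_for_clusters()
    # Dict, not Mapping: the loop below assigns into it.
    self.clients: Dict[str, hvac.Client] = {}

    # Prompt once and reuse the credential for every ecosystem, so the
    # caller is not asked per cluster.
    if vault_auth_method == "ldap":
        username = getpass.getuser()
        password = getpass.getpass(
            "Please enter your LDAP password to auth with Vault\n"
        )
    else:
        username = None
        password = None

    for ecosystem in self.ecosystems:
        self.clients[ecosystem] = get_vault_client(
            ecosystem=ecosystem,
            num_uses=vault_num_uses,
            vault_auth_method=self.vault_auth_method,
            vault_token_file=self.vault_token_file,
            username=username,
            password=password,
        )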
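def decrypt_environment(
    self,
    environment: Dict[str, str],
    **kwargs: Any,
) -> Dict[str, str]:
    """Resolve every secret reference in *environment* to its plaintext.

    Uses only the first ecosystem returned by
    ``self.get_vault_ecosystems_for_clusters()`` and requests a client whose
    ``num_uses`` equals the number of secrets to read, so the token is spent
    once the environment is decrypted.

    Args:
        environment: env-var name -> secret reference; each value is passed
            to ``get_secret_name_from_ref`` to find the secret file name.
        **kwargs: accepted for signature compatibility and ignored.

    Returns:
        A new dict with the same keys and the UTF-8 decoded plaintexts.

    Side effects:
        Sets ``self.ecosystem``; sets ``self.client`` unless *environment*
        is empty, in which case no client is requested at all.
    """
    self.ecosystem = self.get_vault_ecosystems_for_clusters()[0]
    if not environment:
        # Nothing to read: do not request a client with num_uses=0. In
        # Vault's token model num_uses=0 means "unlimited", which is the
        # opposite of what an empty environment needs. (How
        # get_vault_client maps num_uses is not visible here — confirm.)
        return {}

    self.client = get_vault_client(
        ecosystem=self.ecosystem,
        num_uses=len(environment),
        vault_auth_method=self.vault_auth_method,
        vault_token_file=self.vault_token_file,
    )

    def _plaintext_for(secret_ref: str) -> str:
        # One lookup per secret; secrets live under self.secret_dir as
        # "<name>.json" (self.secret_dir comes from the base class).
        secret_path = os.path.join(
            self.secret_dir,
            f"{get_secret_name_from_ref(secret_ref)}.json",
        )
        return get_plaintext(
            client=self.client,
            env=self.ecosystem,
            path=secret_path,
            cache_enabled=False,
            cache_dir=None,
            cache_key=None,
            context=self.service_name,
        ).decode('utf-8')

    return {name: _plaintext_for(ref) for name, ref in environment.items()}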
def write_secret(
    self,
    action: str,
    secret_name: str,
    plaintext: bytes,
) -> None:
    """Encrypt *plaintext* as *secret_name* in every ecosystem for this instance's clusters.

    Credentials are decided once, before the per-ecosystem loop: when
    ``VAULT_TOKEN_OVERRIDE`` is absent from the process environment the
    caller is prompted for their LDAP password (no echo) and
    ``getpass.getuser()`` is sent as the user; when it is present no
    credentials are passed and ``get_vault_client`` authenticates on its own
    (presumably with the override token — not visible here). The whole
    operation runs inside ``TempGpgKeyring(overwrite=True)``.

    Args:
        action: forwarded to ``encrypt_secret`` unchanged.
        secret_name: name the secret is stored under.
        plaintext: raw bytes to encrypt with ``self.encryption_key`` (the
            transit key, set elsewhere on the instance).
    """
    with TempGpgKeyring(overwrite=True):
        target_ecosystems = self.get_vault_ecosystems_for_clusters()

        needs_ldap = 'VAULT_TOKEN_OVERRIDE' not in os.environ
        username = getpass.getuser() if needs_ldap else None
        password = (
            getpass.getpass("Please enter your LDAP password to auth with Vault\n")
            if needs_ldap
            else None
        )

        for ecosystem in target_ecosystems:
            vault_client = get_vault_client(
                ecosystem=ecosystem,
                username=username,
                password=password,
            )
            encrypt_secret(
                client=vault_client,
                action=action,
                ecosystem=ecosystem,
                secret_name=secret_name,
                soa_dir=self.soa_dir,
                plaintext=plaintext,
                service_name=self.service_name,
                transit_key=self.encryption_key,
            )
def decrypt_secret(self, secret_name: str) -> str:
    """Return the UTF-8 plaintext of *secret_name* from the first ecosystem.

    Only the first ecosystem returned by
    ``self.get_vault_ecosystems_for_clusters()`` is consulted. As in
    ``write_secret``, the LDAP prompt is skipped when ``VAULT_TOKEN_OVERRIDE``
    is set in the process environment; otherwise the caller's LDAP password
    is read without echo and ``getpass.getuser()`` is sent as the user.
    The secret is read from ``<self.secret_dir>/<secret_name>.json`` with
    caching disabled.

    Args:
        secret_name: name of the secret to read.

    Returns:
        The decrypted secret as a ``str``.
    """
    ecosystem = self.get_vault_ecosystems_for_clusters()[0]

    needs_ldap = 'VAULT_TOKEN_OVERRIDE' not in os.environ
    username = getpass.getuser() if needs_ldap else None
    password = (
        getpass.getpass("Please enter your LDAP password to auth with Vault\n")
        if needs_ldap
        else None
    )

    vault_client = get_vault_client(
        ecosystem=ecosystem,
        username=username,
        password=password,
    )
    secret_path = os.path.join(self.secret_dir, f"{secret_name}.json")
    ciphertext_lookup = get_plaintext(
        client=vault_client,
        path=secret_path,
        env=ecosystem,
        cache_enabled=False,
        cache_key=None,
        cache_dir=None,
        context=self.service_name,
    )
    return ciphertext_lookup.decode('utf-8')