class CertsManager(object): def __init__(self): self.ca = CAAdapter() self.secrets = SecretsAdapter() def deploy(self, config, dependencies_changed=False, silent=False): cert_secret = self.secrets.get_secret(config.cert_secret) key_secret = self.secrets.get_secret(config.key_secret) if key_secret and cert_secret: if not silent: print("\tSecrets already exist. Not doing anything.") return False if cert_secret and not key_secret: if not silent: print("\tDeleting existing secret %s" % config.cert_secret) self.secrets.delete_secret(config.cert_secret) if not cert_secret and key_secret: if not silent: print("\tDeleting existing secret %s" % config.key_secret) self.secrets.delete_secret(config.key_secret) if not silent: print("\tGenerating private key") csr, private_key = self.ca.generate_key(config.dn, config.hostnames) if not silent: print("\tSigning csr") cert = self.ca.sign_csr(csr, config.hostnames) if not silent: print("\tCreating secrets") self.secrets.write_secret(config.key_secret, file_content=private_key, update=False) self.secrets.write_secret(config.cert_secret, file_content=cert, update=False) if not silent: print("\tFinished") return True def dry_run(self, config, dependencies_changed=False, debug=False): cert_secret = self.secrets.get_secret(config.cert_secret) key_secret = self.secrets.get_secret(config.key_secret) if key_secret and cert_secret: return False elif cert_secret and not key_secret: print("Would delete existing secret %s for cert %s and recreate" % (config.cert_secret, config.name)) return True elif not cert_secret and key_secret: print("Would delete existing secret %s for cert %s and recreate" % (config.key_secret, config.name)) return True else: print("Would create cert %s" % config.name) return True
class SecretsManager(object): def __init__(self): self.api = SecretsAdapter() def deploy(self, config, dependencies_changed=False): exists = config.path in self.api.list_secrets() if exists: content = self.api.get_secret(config.path) if config.value: changed = content != config.value elif config.file_content: changed = content != config.file_content else: raise Exception( "Specified neither value nor file_content for secret") if not changed: print("\tSecret already exists. No update needed.") return False print("\tUpdating secret") self.api.write_secret(config.path, config.value, config.file_content, update=exists) print("\tSecret updated.") return True else: print("\tCreating secret") self.api.write_secret(config.path, config.value, config.file_content, update=exists) print("\tSecret created.") return True def dry_run(self, config, dependencies_changed=False, debug=False): exists = config.path in self.api.list_secrets() if not exists: print("Would create secret %s" % config.path) return True content = self.api.get_secret(config.path) if config.value: changed = content != config.value elif config.file_content: changed = content != config.file_content else: raise Exception( "Specified neither value nor file_content for secret") if changed: print("Would update secret %s" % config.path)
class AccountsManager(object): def __init__(self): self.bouncer = BouncerAdapter() self.secrets = SecretsAdapter() def _does_serviceaccount_exist(self, path): return self.bouncer.get_account(path) is not None def _create_serviceaccount(self, path, secret): private_key, public_key = self._generate_keypair() self.bouncer.create_account(path, "", public_key) cert_secret = json.dumps( dict(login_endpoint=LOGIN_ENDPOINT, private_key=private_key, scheme="RS256", uid=path)) self.secrets.write_secret(secret, cert_secret, update=False) def _generate_keypair(self, size=2048): private_key = rsa.generate_private_key(public_exponent=65537, key_size=size, backend=default_backend()) private_key_string = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption()) public_key = private_key.public_key() public_key_string = public_key.public_bytes( serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo) return private_key_string.decode("utf-8"), public_key_string.decode( "utf-8") def deploy(self, config, dependencies_changed=False, silent=False): changed = False if not self._does_serviceaccount_exist(config.path): print_if(not silent, "\tCreating serviceaccount") self._create_serviceaccount(config.path, config.secret) changed = True else: print_if(not silent, "\tServiceaccount already exists. Not creating it.") existing_groups = self.bouncer.get_groups_for_user(config.path) existing_permissions = self.bouncer.get_permissions_for_user( config.path) existing_rids = self.bouncer.get_rids() print_if(not silent, "\tUpdating groups") # Update groups for group in existing_groups: if group not in config.groups: self.bouncer.remove_user_from_group(config.path, group) changed = True for group in config.groups: if group not in existing_groups: self.bouncer.add_user_to_group(config.path, group) changed = True # Update permissions print_if(not silent, "\tUpdating permissions") for rid, actions in existing_permissions.items(): target_actions = config.permissions.get(rid, list()) for action in actions: if action not in target_actions: self.bouncer.remove_permission_from_user( config.path, rid, action) changed = True for rid, actions in config.permissions.items(): if rid not in existing_rids: self.bouncer.create_permission(rid) for action in actions: if action not in existing_permissions.get(rid, list()): self.bouncer.add_permission_to_user( config.path, rid, action) changed = True return changed def dry_run(self, config, dependencies_changed=False, debug=False): existing_rids = self.bouncer.get_rids() if not self._does_serviceaccount_exist(config.path): print("Would create serviceaccount %s" % config.path) for rid, actions in config.permissions.items(): if rid not in existing_rids: print("Would create permission %s" % rid) return True existing_groups = self.bouncer.get_groups_for_user(config.path) existing_permissions = self.bouncer.get_permissions_for_user( config.path) changes = False # Check groups for group in existing_groups: if group not in config.groups: print("Would remove user %s from group %s" % (config.path, group)) changes = True for group in config.groups: if group not in existing_groups: print("Would add user %s to group %s" % (config.path, group)) changes = True # Check permissions for rid, actions in existing_permissions.items(): if rid not in config.permissions: print("Would remove permission %s completely from user %s" % (rid, config.path)) changes = True else: for action in actions: if action not in config.permissions[rid]: print("Would remove permission %s %s from user %s" % (rid, action, config.path)) changes = True for rid, actions in config.permissions.items(): if rid not in existing_rids: print("Would create permission %s" % rid) for action in actions: if action not in existing_permissions.get(rid, list()): print("Would add permission %s %s to user %s" % (rid, action, config.path)) changes = True return changes def delete(self, config, silent=False): print("\tDeleting serviceaccount secret") self.secrets.delete_secret(config.secret) print("\tDeleting account") self.bouncer.delete_account(config.path) print("\tDeletion complete.") return True def dry_delete(self, config): if self._does_serviceaccount_exist(config.path): print("Would delete serviceaccount %s" % config.path) return True else: return False
class SecretsManager(object): def __init__(self): self.api = SecretsAdapter() def deploy(self, config, dependencies_changed=False, silent=False): exists = config.path in self.api.list_secrets() if exists: content = self.api.get_secret(config.path) if config.value: changed = content != config.value elif config.file_content: if isinstance(config.file_content, str): content = content.decode("utf-8") changed = content != config.file_content else: raise Exception( "Specified neither value nor file_content for secret") if not changed: print_if(not silent, "\tSecret already exists. No update needed.") return False print_if(not silent, "\tUpdating secret") self.api.write_secret(config.path, config.value, config.file_content, update=exists) print_if(not silent, "\tSecret updated.") return True else: print_if(not silent, "\tCreating secret") self.api.write_secret(config.path, config.value, config.file_content, update=exists) print_if(not silent, "\tSecret created.") return True def dry_run(self, config, dependencies_changed=False, debug=False): exists = config.path in self.api.list_secrets() if not exists: print("Would create secret %s" % config.path) return True content = self.api.get_secret(config.path) if config.value: changed = content != config.value elif config.file_content: if isinstance(config.file_content, str): content = content.decode("utf-8") changed = content != config.file_content else: raise Exception( "Specified neither value nor file_content for secret") if changed: if debug: new_content = config.file_content if config.file_content else config.value print("Would update secret %s:" % config.path) print(compare_text(content, new_content)) else: print("Would update secret %s" % config.path) return changed def delete(self, config, silent=False): print("\tDeleting secret") deleted = self.api.delete_secret(config.path) print("\tDeleted secret.") return deleted def dry_delete(self, config): if self.api.get_secret(config.path): print("Would delete secret %s" % config.path) return True else: return False
class AccountsManager(object): def __init__(self): self.bouncer = BouncerAdapter() self.secrets = SecretsAdapter() def does_serviceaccount_exist(self, path): return self.bouncer.get_account(path) is not None def create_serviceaccount(self, path, secret): private_key, public_key = generate_keypair() self.bouncer.create_account(path, "", public_key) ca_secret = json.dumps(dict(login_endpoint=LOGIN_ENDPOINT, private_key=private_key, scheme="RS256", uid=path)) self.secrets.write_secret(secret, ca_secret, update=False) def deploy(self, config, dependencies_changed=False): changed = False if not self.does_serviceaccount_exist(config.path): print("\tCreating serviceaccount") self.create_serviceaccount(config.path, config.secret) changed = True else: print("\tServiceaccount already exists. Not creating it.") existing_groups = self.bouncer.get_groups_for_user(config.path) existing_permissions = self.bouncer.get_permissions_for_user(config.path) print("\tUpdating groups") # Update groups for group in existing_groups: if group not in config.groups: self.bouncer.remove_user_from_group(config.path, group) changed = True for group in config.groups: if group not in existing_groups: self.bouncer.add_user_to_group(config.path, group) changed = True # Update permissions print("\tUpdating permissions") for rid, actions in existing_permissions.items(): if rid not in config.permissions: self.bouncer.remove_permission_from_user(config.path, rid) changed = True else: for action in actions: if action not in config.permissions[rid]: self.bouncer.remove_permission_from_user(config.path, rid, action) changed = True for rid, actions in config.permissions.items(): for action in actions: if action not in existing_permissions.get(rid, list()): self.bouncer.add_permission_to_user(config.path, rid, action) changed = True return changed def dry_run(self, config, dependencies_changed=False, debug=False): if not self.does_serviceaccount_exist(config.path): print("Would create serviceaccount %s" % config.path) return True existing_groups = self.bouncer.get_groups_for_user(config.path) existing_permissions = self.bouncer.get_permissions_for_user(config.path) changes = False # Check groups for group in existing_groups: if group not in config.groups: print("Would remove user %s from group %s" % (config.path, group)) changes = True for group in config.groups: if group not in existing_groups: print("Would add user %s to group %s" % (config.path, group)) changes = True # Check permissions for rid, actions in existing_permissions.items(): if rid not in config.permissions: print("Would remove permission %s completely from user %s" % (rid, config.path)) changes = True else: for action in actions: if action not in config.permissions[rid]: print("Would remove permission %s %s from user %s" % (rid, action, config.path)) changes = True for rid, actions in config.permissions.items(): for action in actions: if action not in existing_permissions.get(rid, list()): print("Would add permission %s %s to user %s" % (rid, action, config.path)) changes = True return changes