def _handle_puppet(self, plaintext_pw, pwname):
directory = path.expanduser(
self.args["populate"]["puppet_eyaml"]["directory"])
if not path.isdir(directory):
raise CliArgumentError(f"'{directory}' is not a directory")
puppet_bin = path.expanduser(
self.args["populate"]["puppet_eyaml"]["bin"])
if not path.isfile(puppet_bin):
raise CliArgumentError(f"'{puppet_bin}' is not a file")
pkcs7_pass = puppet_password(puppet_bin, plaintext_pw)
if self.args["value"]:
yield pkcs7_pass
else:
for hiera_file, names in self.args["populate"]["puppet_eyaml"][
"passwords"][pwname].items():
with open(path.join(directory, hiera_file),
"r",
encoding="ASCII") as data_file:
yield f"Updating: {hiera_file}"
yaml = YAML()
yaml.indent(mapping=2, sequence=4, offset=2)
yaml.preserve_quotes = True
hiera_yaml = yaml.load(data_file.read())
for name in names:
yield f"Updating: {name}"
hiera_yaml[name] = pkcs7_pass
with open(path.join(directory, hiera_file),
"w",
encoding="ASCII") as data_file:
yaml.dump(hiera_yaml, data_file)
def _run_command_execution(self):
####################################################################
"""Run function for class."""
####################################################################
# currently only support puppet
pop_type = self.args["type"]
if pop_type not in ["puppet_eyaml", "kubernetes"]:
raise CliArgumentError(
f"'{pop_type}' is an unsupported population type")
if pop_type == "kubernetes":
yield from self._handle_kubernetes()
elif self.args["all"]:
for password in self.args["populate"][pop_type]["passwords"].keys(
):
pwentry = PasswordEntry()
self._decrypt_wrapper(self.args["pwstore"], pwentry, password,
pop_type)
elif (self.args["pwname"]
not in self.args["populate"][pop_type]["passwords"].keys()):
raise CliArgumentError(
f"'{self.args['pwname']}' doesn't have a mapping in {pop_type}"
)
else:
password = PasswordEntry()
yield from self._decrypt_wrapper(self.args["pwstore"], password,
self.args["pwname"], pop_type)
def _validate_identities(self, swap_list=None):
if not swap_list:
swap_list = self.escrow_and_recipient_list
for recipient in swap_list:
self.identities.verify_identity(recipient)
if recipient not in self.identities.iddb.keys():
raise CliArgumentError(
"Error: Recipient '%s' is not in the recipient database" %
recipient)
if self.args['identity'] in self.identities.iddb.keys():
self.identities.verify_identity(self.args['identity'])
else:
raise CliArgumentError(
"Error: Your user '%s' is not in the recipient database" %
self.args['identity'])
def _validate_args(self):
####################################################################
"""Ensure arguments are appropriate for this command"""
####################################################################
for argument in ["pwfile", "keypath"]:
if argument not in self.args or self.args[argument] is None:
raise CliArgumentError(f"'{argument}' is a required argument")
def _validate_args(self):
"""Validate necessary arguments"""
####################################################################
for argument in ['pwname', 'keypath', 'rename']:
if argument not in self.args or self.args[argument] is None:
raise CliArgumentError("'%s' is a required argument" %
argument)
def _validate_args(self):
####################################################################
"""Validate necessary arguments"""
####################################################################
for argument in ["pwname", "keypath", "rename"]:
if argument not in self.args or self.args[argument] is None:
raise CliArgumentError(f"'{argument}' is a required argument")
def _validate_args(self):
""" Ensure arguments are appropriate for this command """
####################################################################
for argument in ['pwfile', 'keypath']:
if argument not in self.args or self.args[argument] is None:
raise CliArgumentError("'%s' is a required argument" %
argument)
def load_db(self, identity, certlist=None):
#######################################################################
"""Read in all rsa keys from directory and name them as found"""
#######################################################################
try:
session = sessionmaker(bind=self.args["db"]["engine"])()
recipient = create_or_update(
session, Recipient, dont_update=["key"], **{"name": identity}
)
for cert in certlist:
cert = cert.encode()
cert_dict = {}
cert_dict["cert_bytes"] = cert
cert_dict["verified"] = pk_verify_chain(cert, self.cabundle)
cert_dict["fingerprint"] = get_cert_fingerprint(cert)
cert_dict["subject"] = get_cert_subject(cert)
cert_dict["issuer"] = get_cert_issuer(cert)
cert_dict["enddate"] = datetime.strptime(
get_cert_enddate(cert), "%b %d %H:%M:%S %Y %Z"
)
cert_dict["issuerhash"] = get_cert_issuerhash(cert)
cert_dict["subjecthash"] = get_cert_subjecthash(cert)
cert = create_or_update(
session, Cert, unique_identifiers=["fingerprint"], **cert_dict
)
if cert not in recipient.certs:
recipient.certs.append(cert)
session.commit()
except KeyError as err:
raise CliArgumentError(
f"Error: Recipient '{identity}' is not in the recipient database"
) from err
def _handle_kubernetes(self):
####################################################################
"""This function creates a file containing kube secrets"""
####################################################################
k_conf = self.args["populate"]["kubernetes"]
plaintext = {}
for password in k_conf["needed"]:
pwentry = PasswordEntry()
pwentry.read_password_data(
path.join(self.args["pwstore"], password))
plaintext_pw = self._decrypt_password_entry(pwentry)
plaintext[password] = plaintext_pw
if "output" in k_conf:
if self.args["pwstore"] in k_conf["output"]:
raise CliArgumentError(
"Kubernetes output file should not exist in password store"
)
if path.isfile(k_conf["output"]):
remove(k_conf["output"])
for args in k_conf["passwords"]:
data = self._kubernetes_match_loop(args, plaintext)
kube_map = {
"kind": "Secret",
"apiVersion": args["apiVersion"],
"metadata": args["metadata"],
"data": data,
"type": args["type"],
}
if self.args["value"] or "output" not in k_conf:
yield f"---\n{dump(kube_map)}"
else:
with open(k_conf["output"], "a", encoding="ASCII") as fname:
print(f"---\n{dump(kube_map)}", file=fname)
def _validate_args(self):
self.args['rules_map'] = self._parse_json_arguments('rules_map')
for argument in ['pwname', 'keypath', 'rules_map']:
if argument not in self.args or self.args[argument] is None:
raise CliArgumentError(
"'%s' is a required argument" % argument)
if self.args['rules'] not in self.args['rules_map'] or self.args['rules_map'][self.args['rules']] == "":
raise RulesMapError("No Rule set defined as %s" % self.args['rules'])
def _validate_args(self):
self.args["rules_map"] = parse_json_arguments(self.args, "rules_map")
for argument in ["pwname", "keypath", "rules_map"]:
if argument not in self.args or self.args[argument] is None:
raise CliArgumentError(f"'{argument}' is a required argument")
if (
self.args["rules"] not in self.args["rules_map"]
or self.args["rules_map"][self.args["rules"]] == ""
):
raise RulesMapError(f"No Rule set defined as {self.args['rules']}")
def _validate_identities(self, swap_list=None):
##################################################################
"""Ensure identities meet criteria for processing"""
##################################################################
if not swap_list:
swap_list = self.escrow_and_recipient_list
for recipient in swap_list:
self.identities.verify_identity(recipient)
if recipient not in [
x[0] for x in self.session.query(Recipient.name).all()
]:
raise CliArgumentError(
f"Error: Recipient '{recipient}' is not in the recipient database"
)
if self.identity:
self.identities.verify_identity(self.args["identity"])
else:
raise CliArgumentError(
f"Error: Your user '{self.args['identity']}' is not in the recipient database"
)
def _validate_combinatorial_args(self):
""" This is a weird function name so: combinatorial in this case
means that one of the 'combinatorial' arguments are required
however, not all of them are necessarily required.
Ex: We need certs, we can get this from certpath or connect
we do not need both of these arguments but at least one is
required"""
##################################################################
# we want a multi-dim of lists, this way if more combinations come up
# that would be required in a 1 or more capacity, we just add
# a list to this list
args_list = [['certpath', 'connect']]
for arg_set in args_list:
valid = False
for arg in arg_set:
if arg in self.args and self.args[arg] is not None:
valid = True
break
if not valid:
raise CliArgumentError(
"'%s' or '%s' is required" % tuple(arg_set))
def verify_identity(self, identity, results): #pylint: disable=unused-argument
""" Read in all rsa keys from directory and name them as found
results is a meaningless parameter, but is required to make threading work
"""
#######################################################################
try:
self.iddb[identity]['cabundle'] = self.cabundle
self.iddb[identity]['certs'] = []
for cert in parse_file(self.iddb[identity]['certificate_path']):
cert = cert.as_bytes()
cert_dict = {}
cert_dict['cert_bytes'] = cert
cert_dict['verified'] = pk_verify_chain(cert, self.iddb[identity]['cabundle'])
cert_dict['fingerprint'] = get_cert_fingerprint(cert)
cert_dict['subject'] = get_cert_subject(cert)
cert_dict['issuer'] = get_cert_issuer(cert)
cert_dict['enddate'] = get_cert_enddate(cert)
cert_dict['issuerhash'] = get_cert_issuerhash(cert)
cert_dict['subjecthash'] = get_cert_subjecthash(cert)
self.iddb[identity]['certs'].append(cert_dict)
except KeyError:
raise CliArgumentError(
"Error: Recipient '%s' is not in the recipient database" % identity)
def verify_identity(self, identity):
#######################################################################
""" Read in all rsa keys from directory and name them as found """
#######################################################################
try:
self.iddb[identity]['cabundle'] = self.cabundle
self.iddb[identity]['verified'] = crypto.pk_verify_chain(
self.iddb[identity])
self.iddb[identity]['fingerprint'] = crypto.get_cert_fingerprint(
self.iddb[identity])
self.iddb[identity]['subject'] = crypto.get_cert_subject(
self.iddb[identity])
self.iddb[identity]['issuer'] = crypto.get_cert_issuer(
self.iddb[identity])
self.iddb[identity]['enddate'] = crypto.get_cert_enddate(
self.iddb[identity])
self.iddb[identity]['issuerhash'] = crypto.get_cert_issuerhash(
self.iddb[identity])
self.iddb[identity]['subjecthash'] = crypto.get_cert_subjecthash(
self.iddb[identity])
except KeyError:
raise CliArgumentError(
"Error: Recipient '%s' is not in the recipient database" %
identity)
def _validate_args(self):
for argument in ["pwname", "keypath"]:
if argument not in self.args or self.args[argument] is None:
raise CliArgumentError(f"'{argument}' is a required argument")
def _validate_args(self):
for argument in ['pwname', 'keypath']:
if argument not in self.args or self.args[argument] is None:
raise CliArgumentError("'%s' is a required argument" %
argument)
