def aws(client, secret, opt): """Seed an aws_file into Vault""" if 'aws_file' not in secret or 'mount' not in secret: problems("Invalid aws secret definition" % secret) aws_file_path = hard_path(secret['aws_file'], opt.secrets) aws_obj = yaml.load(open(aws_file_path, 'r').read()) if 'access_key_id' not in aws_obj \ or 'secret_access_key' not in aws_obj \ or 'region' not in aws_obj \ or 'roles' not in aws_obj: problems("Invalid AWS secrets" % aws) aws_path = "%s/config/root" % secret['mount'] if not is_tagged(secret.get('tags', []), opt.tags): log("Skipping %s as it does not have appropriate tags" % aws_path, opt) return ensure_mounted(client, 'aws', secret['mount']) obj = { 'access_key': aws_obj['access_key_id'], 'secret_key': aws_obj['secret_access_key'], 'region': aws_obj['region'] } client.write(aws_path, **obj) log('wrote aws_file %s into %s' % (aws_file_path, aws_path), opt) ttl_obj = {} lease_msg = '' if 'lease' in aws_obj: ttl_obj['lease'] = aws_obj['lease'] lease_msg = "%s lease:%s" % (lease_msg, ttl_obj['lease']) if 'lease_max' in aws_obj: ttl_obj['lease_max'] = aws_obj['lease_max'] else: if 'lease' in ttl_obj: ttl_obj['lease_max'] = ttl_obj['lease'] if 'lease_max' in ttl_obj: lease_msg = "%s lease_max:%s" % (lease_msg, ttl_obj['lease_max']) if ttl_obj: client.write("%s/config/lease" % (secret['mount']), **ttl_obj) log("Updated lease for %s %s" % (secret['mount'], lease_msg), opt) for role in aws_obj['roles']: if 'policy' not in role or 'name' not in role: problems("Invalid role definition %s" % role) data = open(hard_path(role['policy'], opt.policies), 'r').read() role_path = "%s/roles/%s" % (secret['mount'], role['name']) client.write(role_path, policy=data)
def seed_aws_roles(client, mount, roles, opt): """Handles the seeding of roles associated with an AWS account""" for role in roles: aomi.validation.aws_role_obj(role) role_path = "%s/roles/%s" % (mount, role['name']) if role.get('state', 'present') == 'present': if 'policy' in role: role_file = hard_path(role['policy'], opt.policies) role_template_obj = role.get('vars', {}) cli_obj = merge_dicts(load_var_files(opt), cli_hash(opt.extra_vars)) obj = merge_dicts(role_template_obj, cli_obj) data = render(role_file, obj) log( 'writing inline role %s from %s' % (role['name'], role_file), opt) write(client, role_path, {'policy': data}, opt) elif 'arn' in role: log('writing role %s for %s' % (role['name'], role['arn']), opt) write(client, role_path, {'arn': role['arn']}, opt) else: log('removing role %s' % role['name'], opt) delete(client, role_path, opt)
def obj(self): ldap_obj = self._obj if self.secret: filename = hard_path(self.secret, self.opt.secrets) secret_file(filename) return ldap_obj
def files(client, secret, opt): """Seed files into Vault""" if 'mount' not in secret or 'path' not in secret: problems("Invalid files specification %s" % secret) obj = {} vault_path = "%s/%s" % (secret['mount'], secret['path']) if not is_tagged(secret.get('tags', []), opt.tags): log("Skipping %s as it does not have appropriate tags" % vault_path, opt) return for f in secret.get('files', []): if 'source' not in f or 'name' not in f: problems("Invalid file specification %s" % f) filename = hard_path(f['source'], opt.secrets) data = open(filename, 'r').read() obj[f['name']] = data log('writing file %s into %s/%s' % (filename, vault_path, f['name']), opt) ensure_mounted(client, 'generic', secret['mount']) client.write(vault_path, **obj)
def files(client, secret, opt): """Seed files into Vault""" aomi.validation.file_obj(secret) obj = {} my_mount = sanitize_mount(secret['mount']) vault_path = "%s/%s" % (my_mount, secret['path']) if not validate_entry(secret, vault_path, opt): return maybe_mount(client, 'generic', my_mount, opt) if opt.mount_only: log("Only mounting %s" % my_mount, opt) return if secret.get('state', 'present') == 'present': for sfile in secret.get('files', []): if 'source' not in sfile or 'name' not in sfile: client.revoke_self_token() e_msg = "Invalid file specification %s" % sfile raise aomi.exceptions.AomiData(e_msg) filename = hard_path(sfile['source'], opt.secrets) aomi.validation.secret_file(filename) data = open(filename, 'r').read() obj[sfile['name']] = data log( 'writing file %s into %s/%s' % (filename, vault_path, sfile['name']), opt) write(client, vault_path, obj, opt) else: rmfiles = ','.join([f['source'] for f in secret.get('files', [])]) log("Removing files %s from %s" % (rmfiles, vault_path), opt) delete(client, vault_path, opt)
def obj(self): filename = hard_path(self.filename, self.opt.secrets) secret_file(filename) password = open(filename).readline().strip() a_obj = self._obj a_obj['password'] = password a_obj['policies'] = ','.join(sorted(a_obj['policies'])) return a_obj
def __init__(self, obj, opt): super(Policy, self).__init__(obj, opt) self.path = obj['name'] if self.present: self.filename = hard_path(obj['file'], opt.policies) cli_obj = merge_dicts(load_var_files(opt), cli_hash(opt.extra_vars)) self._obj = merge_dicts(cli_obj, obj.get('vars', {}))
def __init__(self, mount, obj, opt): super(AWSRole, self).__init__(obj, opt) self.path = "%s/roles/%s" % (mount, obj['name']) if self.present: self._obj = obj if 'policy' in self._obj: self._obj['policy'] = hard_path(self._obj['policy'], opt.policies)
def obj(self): filename = hard_path(self.filename, self.opt.secrets) secret_file(filename) password = open(filename).readline().strip() return { 'password': password, 'policies': ','.join(sorted(self.policies)) }
def app(client, app_obj, opt): """Seed an app file into Vault""" if 'app_file' not in app_obj: problems("Invalid app definition %s" % app_obj) name = None if 'name' in app_obj: name = app_obj['name'] else: name = os.path.splitext(os.path.basename(app_obj['app_file']))[0] if not is_tagged(app_obj.get('tags', []), opt.tags): log("Skipping %s as it does not have appropriate tags" % name, opt) return app_file = hard_path(app_obj['app_file'], opt.secrets) data = yaml.load(open(app_file).read()) if 'app_id' not in data \ or 'policy' not in data: problems("Invalid app file %s" % app_file) policy_name = None if 'policy_name' in data: policy_name = data['policy_name'] else: policy_name = name policy = open(hard_path(data['policy'], opt.policies), 'r').read() client.set_policy(name, policy) app_path = "auth/app-id/map/app-id/%s" % data['app_id'] app_obj = {'value': policy_name, 'display_name': name} client.write(app_path, **app_obj) users = data.get('users', []) for user in users: if 'id' not in user: problems("Invalid user definition %s" % user) user_path = "auth/app-id/map/user-id/%s" % user['id'] user_obj = {'value': data['app_id']} if 'cidr' in user: user_obj['cidr_block'] = user['cidr'] client.write(user_path, **user_obj) log('created %d users in application %s' % (len(users), name), opt)
def obj(self): filename = hard_path(self.filename, self.opt.secrets) aomi.validation.secret_file(filename) obj = yaml.safe_load(open(filename).read()) return { 'host': self.host, 'skey': obj['secret'], 'ikey': obj['key'] }
def obj(self): ldap_obj = self._obj if self.secret: filename = hard_path(self.secret, self.opt.secrets) secret_file(filename) s_obj = load_var_file(filename, load_vars(self.opt)) for obj_k, obj_v in iteritems(s_obj): ldap_obj[obj_k] = obj_v return ldap_obj
def __init__(self, mount, obj, opt): super(AWSRole, self).__init__(obj, opt) self.path = "%s/roles/%s" % (mount, obj['name']) if 'policy' in obj: self.filename = obj['policy'] if self.present: self._obj = obj if 'policy' in self._obj: self._obj['policy'] = hard_path(self.filename, opt.policies)
def freeze_secret(src, dest, flav, tmp_dir, opt): """Copies a secret into a particular location""" src_file = hard_path(src, opt.secrets) dest_file = "%s/%s" % (tmp_dir, dest) dest_dir = os.path.dirname(dest_file) if not os.path.isdir(dest_dir): os.mkdir(dest_dir, 0o700) shutil.copy(src_file, dest_file) log("Froze %s %s" % (flav, src), opt)
def obj(self): filename = hard_path(self.filename, self.opt.secrets) aomi.validation.secret_file(filename) handle = open(filename, 'r') s_obj = { 'role_name': self.role_name, 'secret_name': self.secret_name, 'secret_id': handle.read().strip() } handle.close() return s_obj
def obj(self): _secret, filename, region = self._obj actual_filename = hard_path(filename, self.opt.secrets) secret_file(actual_filename) aws_obj = yaml.safe_load(open(actual_filename, 'r').read()) check_obj(['access_key_id', 'secret_access_key'], self, aws_obj) return { 'access_key': aws_obj['access_key_id'], 'secret_key': aws_obj['secret_access_key'], 'region': region }
def duo_access(client, obj, opt): """Sets the DUO access configuration""" creds_file_name = hard_path(obj['creds'], opt.secrets) aomi.validation.secret_file(creds_file_name) creds = yaml.safe_load(open(creds_file_name).read()) duo_obj = { 'ikey': creds['key'], 'skey': creds['secret'], 'host': obj['host'] } path = "auth/%s/duo/access" % obj['backend'] write(client, path, duo_obj, opt)
def obj(self): _secret, filename, region = self._obj actual_filename = hard_path(filename, self.opt.secrets) secret_file(actual_filename) template_obj = load_vars(self.opt) aws_obj = load_var_file(actual_filename, template_obj) check_obj(['access_key_id', 'secret_access_key'], self, aws_obj) return { 'access_key': aws_obj['access_key_id'], 'secret_key': aws_obj['secret_access_key'], 'region': region }
def obj(self): s_obj = {} for name, filename in iteritems(self._obj): actual_file = hard_path(filename, self.opt.secrets) secret_file(actual_file) data = open_maybe_binary(actual_file) try: is_unicode_string(data) s_obj[name] = data except aomi.exceptions.Validation: s_obj[name] = portable_b64encode(data) self.secret_format = 'binary' return s_obj
def aws(client, secret, opt): """Seed an aws_file into Vault""" aomi.validation.aws_file_obj(secret) my_mount = sanitize_mount(secret['mount']) aws_path = "%s/config/root" % my_mount if not validate_entry(secret, aws_path, opt): return if secret.get('state', 'present') == 'absent': unmount(client, 'aws', my_mount) log("Unmounted AWS %s" % aws_path, opt) return else: maybe_mount(client, 'aws', my_mount, opt) if opt.mount_only: log("Only mounting %s" % my_mount, opt) return aws_file_path = hard_path(secret['aws_file'], opt.secrets) aomi.validation.secret_file(aws_file_path) aws_obj = yaml.safe_load(open(aws_file_path, 'r').read()) aomi.validation.aws_secret_obj(aws_file_path, aws_obj) region = aomi.legacy.aws_region(secret, aws_obj) if region is None: client.revoke_self_token() raise aomi.exceptions.AomiData('missing aws region') roles = aomi.legacy.aws_roles(secret, aws_obj) if roles is None: client.revoke_self_token() raise aomi.exceptions.AomiData('missing aws roles') obj = { 'access_key': aws_obj['access_key_id'], 'secret_key': aws_obj['secret_access_key'], 'region': region } write(client, aws_path, obj, opt) log('wrote aws secrets %s into %s' % (aws_file_path, aws_path), opt) ttl_obj, lease_msg = grok_ttl(secret, aws_obj) if ttl_obj: write(client, "%s/config/lease" % (secret['mount']), ttl_obj, opt) log("Updated lease for %s %s" % (secret['mount'], lease_msg), opt) seed_aws_roles(client, secret['mount'], roles, opt)
def freeze(self, tmp_dir): """Copies a secret into a particular location""" for sfile in self.secrets(): src_file = hard_path(sfile, self.opt.secrets) if not os.path.exists(src_file): raise aomi.exceptions.IceFile("%s secret not found at %s" % (self, src_file)) dest_file = "%s/%s" % (tmp_dir, sfile) dest_dir = os.path.dirname(dest_file) if not os.path.isdir(dest_dir): os.mkdir(dest_dir, 0o700) shutil.copy(src_file, dest_file) log("Froze %s %s" % (self, sfile), self.opt)
def freeze(self, tmp_dir): """Copies a secret into a particular location""" for sfile in self.secrets(): src_file = hard_path(sfile, self.opt.secrets) if not os.path.exists(src_file): raise aomi_excep.IceFile("%s secret not found at %s" % (self, src_file)) dest_file = "%s/%s" % (tmp_dir, sfile) dest_dir = os.path.dirname(dest_file) if not os.path.isdir(dest_dir): os.mkdir(dest_dir, 0o700) shutil.copy(src_file, dest_file) LOG.debug("Froze %s %s", self, sfile)
def var_file(client, secret, opt): """Seed a var_file into Vault""" path = "%s/%s" % (secret['mount'], secret['path']) var_file_name = hard_path(secret['var_file'], opt.secrets) varz = yaml.load(open(var_file_name).read()) if 'var_file' not in secret \ or 'mount' not in secret \ or 'path' not in secret: problems("Invalid generic secret definition %s" % secret) if not is_tagged(secret.get('tags', []), opt.tags): log("Skipping %s as it does not have appropriate tags" % path, opt) return ensure_mounted(client, 'generic', secret['mount']) client.write(path, **varz) log( 'wrote var_file %s into %s/%s' % (var_file_name, secret['mount'], secret['path']), opt)
def app(client, app_obj, opt): """Seed an app file into Vault""" if 'app_file' not in app_obj: client.revoke_self_token() raise aomi.exceptions.AomiData("Invalid app definition %s" % app_obj) name = app_id_name(app_obj) if not validate_entry(app_obj, "app-id/%s" % name, opt): return app_file = hard_path(app_obj['app_file'], opt.secrets) aomi.validation.secret_file(app_file) data = yaml.safe_load(open(app_file).read()) app_id = aomi.legacy.app_id_itself(app_obj, data) app_path = "auth/app-id/map/app-id/%s" % app_id if app_obj.get('state', 'present') == 'absent': delete(client, app_path, opt) else: ensure_auth(client, 'app-id') if opt.mount_only: log("Only enabling app-id", opt) return if 'users' not in data: client.revoke_self_token() raise aomi.exceptions.AomiData("Invalid app file %s" % app_file) policy_name = aomi.legacy.app_id_policy_name(app_obj, data) policy_file = aomi.legacy.app_id_policy_file(app_obj, data) app_policy(client, policy_name, policy_file, app_obj, opt) app_obj = {'value': policy_name, 'display_name': name} write(client, app_path, app_obj, opt) r_users = data.get('users', []) app_users(client, app_id, r_users, opt) log('created %d users in application %s' % (len(r_users), name), opt)
def users(client, user_obj, opt): """Creates userpass users in Vault""" aomi.validation.user_obj(user_obj) name = user_obj['username'] if not aomi.validation.tag_check(user_obj, "userpass/%s" % name, opt): return password_file = hard_path(user_obj['password_file'], opt.secrets) aomi.validation.secret_file(password_file) password = open(password_file).readline().strip() ensure_auth(client, 'userpass') user_path = "auth/userpass/users/%s" % name if user_obj.get('state', 'present') == 'present': v_obj = { 'password': password, 'policies': ','.join(user_obj['policies']) } write(client, user_path, v_obj, opt) else: delete(client, user_path, opt)
def var_file(client, secret, opt): """Seed a var_file into Vault""" aomi.validation.var_file_obj(secret) my_mount = sanitize_mount(secret['mount']) path = "%s/%s" % (my_mount, secret['path']) if not validate_entry(secret, path, opt): return var_file_name = hard_path(secret['var_file'], opt.secrets) aomi.validation.secret_file(var_file_name) varz = yaml.safe_load(open(var_file_name).read()) maybe_mount(client, 'generic', my_mount, opt) if opt.mount_only: log("Only mounting %s" % my_mount, opt) return if secret.get('state', 'present') == 'present': write(client, path, varz, opt) log('wrote var_file %s into %s' % (var_file_name, path), opt) else: delete(client, path, opt) log('deleted var_file %s from %s' % (var_file_name, path), opt)
def obj(self): filename = hard_path(self.filename, self.opt.secrets) secret_file(filename) template_obj = load_vars(self.opt) return load_var_file(filename, template_obj)
def obj(self): return render(hard_path(self.filename, self.opt.policies), self._obj) \ .lstrip() \ .strip() \ .replace("\n\n", "\n")
def policy_data(file_name, policy_vars, opt): """Returns the rendered policy""" policy_path = hard_path(file_name, opt.policies) cli_obj = merge_dicts(load_var_files(opt), cli_hash(opt.extra_vars)) obj = merge_dicts(policy_vars, cli_obj) return render(policy_path, obj)
def obj(self): filename = hard_path(self.filename, self.opt.secrets) secret_file(filename) return yaml.safe_load(open(filename).read())
def obj(self): filename = hard_path(self.secret, self.opt.secrets) secret_file(filename) return open_maybe_binary(filename)