def main():
logger.info("Trying to login with Token")
logger.debug("Debug enabled")
try:
client = Client(url=os.environ['VAULT_ADDR'],
token=os.environ['VAULT_TOKEN'])
client.is_authenticated()
except Exception as err:
logger.exception("Token Login failed: %s", err)
exit(2)
transit = Transit(client=client, encryption_key='backup', mount='transit')
kv = KVstore(client, 'secrets', transit=transit)
data = kv.get_base_folder()
try:
data = json.dumps(data[0], indent=4)
except Exception as err:
logger.exception(f'Error converting to JSON: {err}')
exit(1)
write_to_disk(cfg['out_file'], data)
exported_key = transit.backup_key()
logger.debug(f"Finished getting data:\n{data}")
logger.info(f"Finished encrypting and writting data to {cfg['out_file']}")
logger.info(f'Encryption used key:\n{exported_key}')
def login(self) -> Client:
"""
create a client and log it in with the correct method
:return: a logged in client
"""
client = Client(self.url)
log.info("client created with url %s", client.url)
if not client.is_authenticated():
log.info("client is not authenticated")
if self.method == Method.LDAP:
log.info("trying to login with LDAP")
try:
client.auth.ldap.login(self.username, self.password)
except (InvalidPath, ValueError) as err:
log.error("LDAP Login failed: %s", err)
exit(2)
if self.method == Method.Token:
log.info("trying to login with Token")
try:
client.token = self.token
client.login(self.url, True)
except (InvalidPath, ValueError) as err:
log.error("Token Login failed: %s", err)
exit(2)
if not client.is_authenticated():
log.error("login failed.")
log.error("Aborting...")
exit(2)
return client
def get_client(obj):
client = Client(
**{k: v
for k, v in obj.VAULT_FOR_DYNACONF.items() if v is not None})
assert (client.is_authenticated(
)), "Vault authentication error is VAULT_TOKEN_FOR_DYNACONF defined?"
return client
def get_client(obj):
client = Client(
**{k: v
for k, v in obj.VAULT_FOR_DYNACONF.items() if v is not None})
if obj.VAULT_ROLE_ID_FOR_DYNACONF is not None:
client.auth_approle(
role_id=obj.VAULT_ROLE_ID_FOR_DYNACONF,
secret_id=obj.get("VAULT_SECRET_ID_FOR_DYNACONF"),
)
elif obj.VAULT_ROOT_TOKEN_FOR_DYNACONF is not None:
client.token = obj.VAULT_ROOT_TOKEN_FOR_DYNACONF
elif obj.VAULT_AUTH_WITH_IAM_FOR_DYNACONF:
if boto3 is None:
raise ImportError(
"boto3 package is not installed in your environment. "
"`pip install boto3` or disable the VAULT_AUTH_WITH_IAM")
session = boto3.Session()
credentials = session.get_credentials()
client.auth.aws.iam_login(
credentials.access_key,
credentials.secret_key,
credentials.token,
role=obj.VAULT_AUTH_ROLE_FOR_DYNACONF,
)
assert client.is_authenticated(), (
"Vault authentication error: is VAULT_TOKEN_FOR_DYNACONF or "
"VAULT_ROLE_ID_FOR_DYNACONF defined?")
client.kv.default_kv_version = obj.VAULT_KV_VERSION_FOR_DYNACONF
return client
def provide_authed_hvac_client(self, config: VaultConfiguration) -> Client:
client = Client(
url=config.url,
token=config.token,
)
client.kv.default_kv_version = 2
assert client.is_authenticated()
return client
def run(self, terms, variables, **kwargs):
key, field, path = terms
vault = LookupModule.get_vault_from_path('../{}'.format(path))
client = Client(**vault)
if client.is_authenticated() and not client.is_sealed():
result = [client.read(key)['data'][field]]
return result
else:
raise AnsibleError('Unable to authenticate with Vault!')
def pre_flight_check(client: hvac.Client) -> bool:
if not client.is_initialized() or client.is_sealed():
logging.error("The vault is either not initialized or sealed. That's odd.")
elif not client.is_authenticated():
logging.error("It seems the authentication token is invalid. Vault does"
" not like it. Clean everything up and come back.")
else:
logging.info("Everything looks good so far, pre-flight check ok")
return True
return False
def __authenticate_vault_client(client: hvac.Client, tenant: str,
priv_jwt_token: str) -> hvac.Client:
trace_enter(inspect.currentframe())
vault_auth_jwt_path = config.get_vault_auth_jwt_path(tenant)
if not vault_auth_jwt_path:
logger.error('Failed to load auth jwt path for tenant "%s"', tenant)
return None
if config.get_config_by_keypath('DEV_MODE'):
logger.debug('Attempting to authenticate against Vault using JWT: %s',
priv_jwt_token)
cache_id = utils.get_vault_token_cache_id(tenant, priv_jwt_token)
if cache_id in __VAULT_TOKEN_CACHE:
logger.debug('Cache hit: Found token for "%s".', cache_id)
client.token = __VAULT_TOKEN_CACHE[cache_id]
else:
logger.debug('Cache miss: Token for "%s" not found.', cache_id)
token = __get_vault_token(client, tenant, priv_jwt_token,
vault_auth_jwt_path)
if not token:
ret = None
logger.error('Failed to get Vault token.')
trace_exit(inspect.currentframe(), ret)
return ret
client.token = token
__VAULT_TOKEN_CACHE[cache_id] = token
if not client.is_authenticated():
# token might be invalid/has expired
del __VAULT_TOKEN_CACHE[cache_id]
ret = None
logger.error('Failed to validate Vault client. '
'Review configuration (config/config.json). '
'Retry as token might have expired.')
trace_exit(inspect.currentframe(), ret)
return ret
logger.debug('Successfully authenticated Vault client '
'for tenant "%s"', tenant)
trace_exit(inspect.currentframe(), client)
return client
def get_client(obj):
client = Client(
**{k: v
for k, v in obj.VAULT_FOR_DYNACONF.items() if v is not None})
if obj.VAULT_ROLE_ID_FOR_DYNACONF is not None:
client.auth_approle(
role_id=obj.VAULT_ROLE_ID_FOR_DYNACONF,
secret_id=obj.get("VAULT_SECRET_ID_FOR_DYNACONF"),
)
assert client.is_authenticated(), (
"Vault authentication error: is VAULT_TOKEN_FOR_DYNACONF or "
"VAULT_ROLE_ID_FOR_DYNACONF defined?")
return client
def main():
logger.info("Trying to login with Token")
logger.debug("Debug enabled")
try:
client = Client(
url=os.environ['VAULT_ADDR'],
token=os.environ['VAULT_TOKEN']
)
client.is_authenticated()
except Exception as err:
logger.exception("Token Login failed: %s", err)
exit(2)
transit = Transit(client=client, encryption_key='backup', mount='transit')
kv = KVstore(client, cfg['kv_path'], transit=transit)
data = kv.get_base_folder()
write_to_disk(cfg['out_file'], data)
logger.info(f"Finished encrypting and writting data to {cfg['out_file']}")
exported_key = transit.backup_key()
write_to_disk(cfg['backup_key'], exported_key)
logger.info(f"Finished encrypting and writting data to {cfg['backup_key']}")
def _auth(self):
client = VaultClient(url=self._config['addr'])
auth = self._config['auth_type']
token = self._config['token']
if token and auth == 'token':
client.token = token
elif auth == 'aws_iam':
session = boto3.Session()
creds = session.get_credentials()
kwargs = [self._config['header_value'], self._config['role']]
client.auth_aws_iam(
creds.access_key, creds.secret_key, creds.token,
**{k: v
for k, v in self._config.items() if v and k in kwargs})
if client.is_authenticated() is False:
raise VaultUnauthorized(f'auth_type: {auth}')
return client.secrets.kv
class SecretsClient(BaseSecretsClient):
def __init__(self, connection_config) -> None:
'''
Args:
connection_config (Dict):
Parameters required to connect to the Vault
'''
try:
token = os.environ[connection_config['token_env']]
except KeyError as error:
raise SecretsException(
'Token environment variable missing: {}'.format(error)
)
self._client = Client(
url=connection_config['url'],
token=token
)
if not self._client.is_authenticated():
raise SecretsException('Vault client authentication failed!')
else:
logging.debug('Sucessfully connected to Vault.')
def get_secret(self, secret):
read_response = self._client.secrets.kv.read_secret_version(
path=secret
)
return read_response['data']['data']
def create_secret(self, name, value, description=None):
create_response = self._client.secrets.kv.v2.create_or_update_secret(
path=name,
secret=value
)
logging.debug("Wrote secret to path {}".format(name))
if create_response['warnings'] is not None:
logging.debug(
'with warnings {}'.format(create_response['warnings'])
)
class Vaulter:
def __init__(self, url, git_token, mount_point, vault_path_prefix=""):
self.LOGGER = sesam_logger('KeyVault')
self.client = Client(url=url)
self.mount_point = mount_point
self.client.auth.github.login(git_token)
self.missing_secrets = []
self.vault_path_prefix = vault_path_prefix
if not self.client.is_authenticated():
self.LOGGER.critical(f'Cannot authenticate vault {url}. Exiting.')
exit(-1)
def get_secret(self, secret):
return_value = None
try:
response = self.client.secrets.kv.v2.read_secret_version(
mount_point=self.mount_point,
path=f'{self.vault_path_prefix}{secret}')
key_value = response['data']['data']
for k in key_value:
return_value = key_value[k]
break
except InvalidPath as e:
self.missing_secrets.append(secret)
return return_value
def get_secrets(self, secrets):
output = {}
for s in secrets:
output[s] = self.get_secret(s)
return output
def verify(self):
if len(self.missing_secrets) != 0:
return False
return True
def get_missing_secrets(self):
return self.missing_secrets
class Vaulter:
def __init__(self, url, git_token, mount_point):
self.client = Client(url=url)
self.mount_point = mount_point
self.client.auth.github.login(git_token)
self.missing_secrets = []
if not self.client.is_authenticated():
print(f'Cannot authenticate vault {url}. Exiting.')
exit(-1)
def get_secret(self, secret):
return_value = None
try:
response = self.client.secrets.kv.v2.read_secret_version(mount_point=self.mount_point, path=secret)
key_value = response['data']['data']
for k in key_value:
return_value = key_value[k]
break
except InvalidPath as e:
print(f'Could not find {secret} in vault. Invalid path: "{e}"')
self.missing_secrets.append(secret)
return return_value
def get_secrets(self, secrets):
output = {}
for s in secrets:
output[s] = self.get_secret(s)
return output
def verify(self):
if len(self.missing_secrets) != 0:
return False
return True
def get_missing_secrets(self):
return self.missing_secrets
