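def files(client, secret, opt):
    """Seed files into Vault.

    Reads every file listed under ``secret['files']`` from the local
    secrets directory and writes their contents as one generic secret at
    ``<mount>/<path>`` (key = the entry's ``name``).  When the entry's
    ``state`` is anything other than ``present`` the secret is deleted
    instead.

    Args:
        client: Vault client; must provide ``revoke_self_token()``.
        secret: the ``files`` entry from the aomi secretfile.
        opt: parsed CLI options (``mount_only`` and ``secrets`` are read).

    Raises:
        aomi.exceptions.AomiData: if a file entry lacks ``source`` or ``name``.
    """
    aomi.validation.file_obj(secret)
    my_mount = sanitize_mount(secret['mount'])
    vault_path = "%s/%s" % (my_mount, secret['path'])
    if not validate_entry(secret, vault_path, opt):
        return

    maybe_mount(client, 'generic', my_mount, opt)

    if opt.mount_only:
        log("Only mounting %s" % my_mount, opt)
        return

    if secret.get('state', 'present') != 'present':
        rmfiles = ','.join([f['source'] for f in secret.get('files', [])])
        log("Removing files %s from %s" % (rmfiles, vault_path), opt)
        delete(client, vault_path, opt)
        return

    obj = {}
    for sfile in secret.get('files', []):
        if 'source' not in sfile or 'name' not in sfile:
            # Drop our Vault token before aborting so it is not left live.
            client.revoke_self_token()
            e_msg = "Invalid file specification %s" % sfile
            raise aomi.exceptions.AomiData(e_msg)

        filename = hard_path(sfile['source'], opt.secrets)
        aomi.validation.secret_file(filename)
        # Context manager: the previous open().read() never closed the handle.
        with open(filename, 'r') as handle:
            obj[sfile['name']] = handle.read()

        log(
            'writing file %s into %s/%s' %
            (filename, vault_path, sfile['name']), opt)

    write(client, vault_path, obj, opt)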
def freeze_var_file(secret, tmp_dir, opt):
    """Handles the potential validation of any frozen var file.

    Runs the entry through ``validate_entry`` at ``<mount>/<path>`` and,
    only if it passes, hands ``secret['var_file']`` to ``freeze_secret``
    under the ``'var_file'`` kind.
    """
    mount = sanitize_mount(secret['mount'])
    vault_path = "%s/%s" % (mount, secret['path'])
    if validate_entry(secret, vault_path, opt):
        var_file = secret['var_file']
        freeze_secret(var_file, var_file, 'var_file', tmp_dir, opt)
def freeze_aws_file(secret, tmp_dir, opt):
    """Handles the potential validation of any frozen AWS credentials.

    Validates the entry at ``<mount>/config/root`` and, when it passes,
    hands ``secret['aws_file']`` to ``freeze_secret`` as an ``'aws_file'``.
    """
    mount = sanitize_mount(secret['mount'])
    vault_path = "%s/config/root" % mount
    if validate_entry(secret, vault_path, opt):
        aws_file = secret['aws_file']
        freeze_secret(aws_file, aws_file, 'aws_file', tmp_dir, opt)
def freeze_generic_file(secret, tmp_dir, opt):
    """Handles the potential validation of any frozen files.

    After the entry validates at ``<mount>/<path>``, every ``source`` under
    ``secret['files']`` is passed to ``freeze_secret`` as a ``'file'``.
    """
    mount = sanitize_mount(secret['mount'])
    vault_path = "%s/%s" % (mount, secret['path'])
    if not validate_entry(secret, vault_path, opt):
        return

    for entry in secret['files']:
        source = entry['source']
        freeze_secret(source, source, 'file', tmp_dir, opt)
def thaw_aws_file(secret, tmp_dir, opt):
    """Thaw the contents of an AWS file.

    Copies ``<tmp_dir>/<basename of aws_file>`` to
    ``<opt.secrets>/<aws_file>`` once the entry validates at
    ``<mount>/config/root``.

    Raises:
        aomi.exceptions.IceFile: when the file is absent from ``tmp_dir``.
    """
    vault_path = "%s/config/root" % sanitize_mount(secret['mount'])
    if not validate_entry(secret, vault_path, opt):
        return

    target = "%s/%s" % (opt.secrets, secret['aws_file'])
    base_name = os.path.basename(target)
    frozen = "%s/%s" % (tmp_dir, base_name)
    if os.path.exists(frozen):
        shutil.copy(frozen, target)
        log("Thawed aws_file %s" % base_name, opt)
    else:
        raise aomi.exceptions.IceFile("AWS file %s missing" % base_name)
def thaw_var_file(secret, tmp_dir, opt):
    """Thaw the contents of a var file.

    Copies ``<tmp_dir>/<basename of var_file>`` to
    ``<opt.secrets>/<var_file>`` once the entry validates at
    ``<mount>/<path>``.

    Raises:
        aomi.exceptions.IceFile: when the file is absent from ``tmp_dir``.
    """
    vault_path = "%s/%s" % (sanitize_mount(secret['mount']), secret['path'])
    if not validate_entry(secret, vault_path, opt):
        return

    target = "%s/%s" % (opt.secrets, secret['var_file'])
    base_name = os.path.basename(target)
    frozen = "%s/%s" % (tmp_dir, base_name)
    if os.path.exists(frozen):
        shutil.copy(frozen, target)
        log("Thawed var_file %s" % base_name, opt)
    else:
        raise aomi.exceptions.IceFile("Var file %s missing" % base_name)
def policy(client, secret, opt):
    """Seed a standalone policy into Vault.

    With ``state`` present (the default) the policy body is rendered from
    ``secret['file']`` with ``secret['vars']`` and written under
    ``secret['name']``; otherwise that policy is deleted from Vault.
    """
    aomi.validation.policy_obj(secret)

    name = secret['name']
    if not validate_entry(secret, "policy/%s" % name, opt):
        return

    present = secret.get('state', 'present') == 'present'
    if not present:
        log('removing policy %s' % name, opt)
        client.delete_policy(name)
        return

    rendered = policy_data(secret['file'], secret.get('vars', {}), opt)
    write_policy(name, rendered, client, opt)
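def aws(client, secret, opt):
    """Seed an aws_file into Vault.

    Reads the AWS root credentials from the local ``aws_file``, writes them
    to ``<mount>/config/root``, optionally updates the lease config, and
    then seeds the roles found in the file.  With ``state: absent`` the
    backend is unmounted instead.

    Args:
        client: Vault client; must provide ``revoke_self_token()``.
        secret: the ``aws_file`` entry from the aomi secretfile.
        opt: parsed CLI options (``mount_only`` and ``secrets`` are read).

    Raises:
        aomi.exceptions.AomiData: when the region or roles cannot be
            determined from the entry and the file.
    """
    aomi.validation.aws_file_obj(secret)

    my_mount = sanitize_mount(secret['mount'])
    aws_path = "%s/config/root" % my_mount
    if not validate_entry(secret, aws_path, opt):
        return

    if secret.get('state', 'present') == 'absent':
        unmount(client, 'aws', my_mount)
        log("Unmounted AWS %s" % aws_path, opt)
        return

    maybe_mount(client, 'aws', my_mount, opt)

    if opt.mount_only:
        log("Only mounting %s" % my_mount, opt)
        return

    aws_file_path = hard_path(secret['aws_file'], opt.secrets)
    aomi.validation.secret_file(aws_file_path)

    # safe_load only: this file holds long-lived root credentials and must
    # never go through a YAML constructor that can instantiate objects.
    # Context manager: the previous open().read() never closed the handle.
    with open(aws_file_path, 'r') as handle:
        aws_obj = yaml.safe_load(handle.read())
    aomi.validation.aws_secret_obj(aws_file_path, aws_obj)

    region = aomi.legacy.aws_region(secret, aws_obj)
    if region is None:
        # Drop our Vault token before aborting so it is not left live.
        client.revoke_self_token()
        raise aomi.exceptions.AomiData('missing aws region')

    roles = aomi.legacy.aws_roles(secret, aws_obj)
    if roles is None:
        client.revoke_self_token()
        raise aomi.exceptions.AomiData('missing aws roles')

    obj = {
        'access_key': aws_obj['access_key_id'],
        'secret_key': aws_obj['secret_access_key'],
        'region': region
    }
    write(client, aws_path, obj, opt)
    # Log the file path only, never the credential values themselves.
    log('wrote aws secrets %s into %s' % (aws_file_path, aws_path), opt)

    ttl_obj, lease_msg = grok_ttl(secret, aws_obj)
    if ttl_obj:
        # NOTE(review): the lease path uses the raw secret['mount'] while
        # aws_path uses the sanitized form; confirm the two always agree.
        write(client, "%s/config/lease" % (secret['mount']), ttl_obj, opt)
        log("Updated lease for %s %s" % (secret['mount'], lease_msg), opt)

    seed_aws_roles(client, secret['mount'], roles, opt)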
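def mount_path(client, obj, opt):
    """Manage a Vault mountpoint.

    Mounts a ``generic`` backend at ``obj['path']`` when ``state`` is
    present (the default) and it is not mounted yet; unmounts it when
    ``state`` is anything else and it is currently mounted.  Both cases
    are no-ops when Vault already matches the desired state.

    Args:
        client: Vault client; must provide ``list_secret_backends()``.
        obj: the ``mount`` entry from the aomi secretfile.
        opt: parsed CLI options.
    """
    aomi.validation.mount_obj(obj)
    path = obj['path']
    if not validate_entry(obj, path, opt):
        return

    backends = client.list_secret_backends()
    mounted = is_mounted(path, backends, 'generic')
    want_present = obj.get('state', 'present') == 'present'
    if want_present and not mounted:
        actually_mount(client, 'generic', path)
        log("Mounted %s" % (path), opt)
    elif not want_present and mounted:
        unmount(client, 'generic', path)
        # Previously logged as "Mounted", which misreported the action taken.
        log("Unmounted %s" % (path), opt)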
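def thaw_files(secret, tmp_dir, opt):
    """Thaw some files.

    Copies each ``files[].source`` from ``tmp_dir`` into ``opt.secrets``,
    creating the destination directory when it does not exist yet.

    Raises:
        aomi.exceptions.IceFile: if a listed file is absent from ``tmp_dir``.
    """
    entries = secret['files']
    if not entries:
        return

    # validate_entry depends only on the secret, not on the individual
    # file, so run it once instead of once per loop iteration.
    path = "%s/%s" % (sanitize_mount(secret['mount']), secret['path'])
    if not validate_entry(secret, path, opt):
        return

    for a_secret in entries:
        filename = a_secret['source']
        # NOTE(review): `source` is joined into both paths without
        # normalisation; confirm upstream validation rejects '..' segments.
        dest_file = "%s/%s" % (opt.secrets, filename)
        src_file = "%s/%s" % (tmp_dir, filename)
        if not os.path.exists(src_file):
            raise aomi.exceptions.IceFile("File %s missing" % filename)

        dest_dir = os.path.dirname(dest_file)
        if not os.path.isdir(dest_dir):
            # makedirs so a nested `source` (sub/dir/file) thaws cleanly
            # where a single mkdir would fail; 0o700 keeps the restored
            # secrets private to the owner (subject to umask).
            os.makedirs(dest_dir, 0o700)

        shutil.copy(src_file, dest_file)
        log("Thawed file %s" % filename, opt)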
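def app(client, app_obj, opt):
    """Seed an app file into Vault.

    Resolves the app-id from ``app_obj['app_file']``, enables the app-id
    auth backend, writes the app's policy mapping and then its users.
    With ``state: absent`` the mapping is deleted instead.

    Args:
        client: Vault client; must provide ``revoke_self_token()``.
        app_obj: the ``app`` entry from the aomi secretfile.
        opt: parsed CLI options (``mount_only`` and ``secrets`` are read).

    Raises:
        aomi.exceptions.AomiData: when ``app_file`` is missing from the
            entry or ``users`` is missing from the file.
    """
    if 'app_file' not in app_obj:
        # Drop our Vault token before aborting so it is not left live.
        client.revoke_self_token()
        raise aomi.exceptions.AomiData("Invalid app definition %s" % app_obj)

    name = app_id_name(app_obj)
    if not validate_entry(app_obj, "app-id/%s" % name, opt):
        return

    app_file = hard_path(app_obj['app_file'], opt.secrets)
    aomi.validation.secret_file(app_file)
    # Context manager: the previous open().read() never closed the handle.
    with open(app_file) as handle:
        data = yaml.safe_load(handle.read())
    app_id = aomi.legacy.app_id_itself(app_obj, data)
    app_path = "auth/app-id/map/app-id/%s" % app_id

    if app_obj.get('state', 'present') == 'absent':
        delete(client, app_path, opt)
        return

    ensure_auth(client, 'app-id')
    if opt.mount_only:
        log("Only enabling app-id", opt)
        return

    if 'users' not in data:
        client.revoke_self_token()
        raise aomi.exceptions.AomiData("Invalid app file %s" % app_file)

    policy_name = aomi.legacy.app_id_policy_name(app_obj, data)
    policy_file = aomi.legacy.app_id_policy_file(app_obj, data)
    app_policy(client, policy_name, policy_file, app_obj, opt)

    # Separate name: this used to rebind `app_obj`, shadowing the parameter.
    mapping = {'value': policy_name, 'display_name': name}
    write(client, app_path, mapping, opt)
    r_users = data.get('users', [])
    app_users(client, app_id, r_users, opt)
    log('created %d users in application %s' % (len(r_users), name), opt)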
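def var_file(client, secret, opt):
    """Seed a var_file into Vault.

    Loads the YAML mapping in ``secret['var_file']`` and writes it as one
    generic secret at ``<mount>/<path>``; with ``state`` other than
    ``present`` that path is deleted instead.  The local file is read and
    validated in both cases.

    Args:
        client: Vault client.
        secret: the ``var_file`` entry from the aomi secretfile.
        opt: parsed CLI options (``mount_only`` and ``secrets`` are read).
    """
    aomi.validation.var_file_obj(secret)
    my_mount = sanitize_mount(secret['mount'])
    path = "%s/%s" % (my_mount, secret['path'])
    if not validate_entry(secret, path, opt):
        return

    var_file_name = hard_path(secret['var_file'], opt.secrets)
    aomi.validation.secret_file(var_file_name)
    # safe_load only; context manager so the handle is closed promptly.
    with open(var_file_name) as handle:
        varz = yaml.safe_load(handle.read())

    maybe_mount(client, 'generic', my_mount, opt)

    if opt.mount_only:
        log("Only mounting %s" % my_mount, opt)
        return

    if secret.get('state', 'present') == 'present':
        write(client, path, varz, opt)
        log('wrote var_file %s into %s' % (var_file_name, path), opt)
    else:
        delete(client, path, opt)
        log('deleted var_file %s from %s' % (var_file_name, path), opt)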