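def seed(vault_client, opt):
    """Provision Vault from the definition in a Secretfile.

    When ``opt.thaw_from`` is set, the frozen archive is first thawed into a
    fresh temporary directory (exposed to the loader as ``opt.secrets``) so
    the Secretfile's secret references resolve. That directory holds
    plaintext secrets, so it is removed in a ``finally`` and therefore also
    when ``auto_thaw``, ``fetch`` or ``sync`` raise (the original only
    removed it on the success path).

    Args:
        vault_client: client handed to ``auto_thaw``, ``fetch`` and ``sync``.
        opt: parsed command-line options; ``opt.secrets`` is overwritten
            when ``opt.thaw_from`` is set.
    """
    thawed_dir = None
    try:
        if opt.thaw_from:
            thawed_dir = tempfile.mkdtemp('aomi-thaw')
            opt.secrets = thawed_dir
            auto_thaw(vault_client, opt)

        Context.load(get_secretfile(opt), opt) \
               .fetch(vault_client) \
               .sync(vault_client, opt)
    finally:
        # Remove the path we created, not whatever opt.secrets points at
        # now, so a later reassignment can never make us delete a user dir.
        if thawed_dir is not None:
            rmtree(thawed_dir)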
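def seed(vault_client, opt):
    """Provision Vault from the definition in a Secretfile.

    When ``opt.thaw_from`` is set, the frozen archive is first thawed into a
    fresh temporary directory (exposed to the loader as ``opt.secrets``) so
    the Secretfile's secret references resolve. That directory holds
    plaintext secrets, so it is removed in a ``finally`` and therefore also
    when ``auto_thaw``, ``fetch`` or ``sync`` raise (the original only
    removed it on the success path).

    Args:
        vault_client: client handed to ``fetch`` and ``sync``.
        opt: parsed command-line options; ``opt.secrets`` is overwritten
            when ``opt.thaw_from`` is set.
    """
    thawed_dir = None
    try:
        if opt.thaw_from:
            thawed_dir = tempfile.mkdtemp('aomi-thaw')
            opt.secrets = thawed_dir
            auto_thaw(opt)

        Context.load(get_secretfile(opt), opt) \
               .fetch(vault_client) \
               .sync(vault_client, opt)
    finally:
        # Remove the path we created, not whatever opt.secrets points at
        # now, so a later reassignment can never make us delete a user dir.
        if thawed_dir is not None:
            rmtree(thawed_dir)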
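def freeze(dest_dir, opt):
    """Freeze the secrets referenced by the Secretfile into an encrypted file.

    Secrets are staged under a scratch directory, zipped, and the zip is
    encrypted into ``dest_dir``. The scratch directory contains plaintext
    secrets and the unencrypted zip, so it is removed in a ``finally`` and
    does not survive a failure part-way through (the original only removed
    it after a successful encrypt).

    Args:
        dest_dir: directory that receives the encrypted archive; created
            if missing.
        opt: parsed command-line options passed to the Secretfile loader
            and to ``freeze_encrypt``.
    """
    tmp_dir = ensure_tmpdir()
    try:
        dest_prefix = "%s/dest" % tmp_dir
        ensure_dir(dest_dir)
        ensure_dir(dest_prefix)
        config = get_secretfile(opt)
        Context.load(config, opt) \
               .freeze(dest_prefix)
        zip_filename = freeze_archive(tmp_dir, dest_prefix)
        ice_file = freeze_encrypt(dest_dir, zip_filename, config, opt)
    finally:
        # Plaintext staging area: never leave it behind, success or not.
        shutil.rmtree(tmp_dir)
    LOG.debug("Generated file is %s", ice_file)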
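def freeze(dest_dir, opt):
    """Freeze the secrets referenced by the Secretfile into an encrypted file.

    Secrets are staged under a scratch directory, zipped, and the zip is
    encrypted into ``dest_dir``. The scratch directory contains plaintext
    secrets and the unencrypted zip, so it is removed in a ``finally`` and
    does not survive a failure part-way through (the original only removed
    it after a successful encrypt).

    Args:
        dest_dir: directory that receives the encrypted archive; created
            if missing.
        opt: parsed command-line options passed to the Secretfile loader
            and to ``freeze_encrypt``.
    """
    tmp_dir = ensure_tmpdir()
    try:
        dest_prefix = "%s/dest" % tmp_dir
        ensure_dir(dest_dir)
        ensure_dir(dest_prefix)
        config = get_secretfile(opt)
        Context.load(config, opt) \
               .freeze(dest_prefix)
        zip_filename = freeze_archive(tmp_dir, dest_prefix)
        ice_file = freeze_encrypt(dest_dir, zip_filename, config, opt)
    finally:
        # Plaintext staging area: never leave it behind, success or not.
        shutil.rmtree(tmp_dir)
    LOG.debug("Generated file is %s", ice_file)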
def export(vault_client, opt):
    """Write every Secretfile resource, as fetched from Vault, under ``opt.directory``.

    The Secretfile is loaded into a Context, the Context is populated from
    the server behind ``vault_client``, and each resource writes itself out
    via its own ``export`` method.

    Args:
        vault_client: client used to fetch the live resource contents.
        opt: parsed command-line options; ``opt.directory`` is the target.
    """
    secretfile = get_secretfile(opt)
    fetched = Context.load(secretfile, opt).fetch(vault_client)
    target = opt.directory
    for item in fetched.resources():
        item.export(target)
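def _write_text(path, text):
    """Write ``text`` to ``path``, closing the handle even if the write fails."""
    with open(path, 'w') as handle:
        handle.write(text)


def render(directory, opt):
    """Render the templated inputs to plain files under ``directory``.

    Writes the rendered Secretfile, one file per present Vault ``Policy``
    under ``policy/``, and the inline policy document of each present
    ``AWSRole`` under ``aws/``. Files are written through a context manager
    so handles are closed (the original used ``open(...).write(...)`` and
    leaked them). Output is created with the process umask; if the rendered
    Secretfile can carry secret material, the caller should run with a
    restrictive umask — NOTE(review): cannot tell from here, verify.

    Args:
        directory: output directory; created if it does not exist.
        opt: parsed command-line options passed to ``render_secretfile``
            and ``Context.load``.
    """
    if not os.path.isdir(directory):
        os.mkdir(directory)

    a_secretfile = render_secretfile(opt)
    s_path = "%s/Secretfile" % directory
    LOG.debug("writing Secretfile to %s", s_path)
    _write_text(s_path, a_secretfile)
    # safe_load only: the Secretfile is YAML we rendered ourselves, but the
    # full loader can instantiate arbitrary objects and is never warranted.
    ctx = Context.load(yaml.safe_load(a_secretfile), opt)
    for resource in ctx.resources():
        if not resource.present:
            continue

        if isinstance(resource, Policy):
            policy_dir = "%s/policy" % directory
            if not os.path.isdir(policy_dir):
                os.mkdir(policy_dir)

            filename = "%s/policy/%s" % (directory, resource.path)
            _write_text(filename, resource.obj())
            LOG.debug("writing %s to %s", resource, filename)
        elif isinstance(resource, AWSRole):
            aws_dir = "%s/aws" % directory
            if not os.path.isdir(aws_dir):
                os.mkdir(aws_dir)

            # Evaluate obj() once; the original called it twice and
            # re-checked the same key.
            r_obj = resource.obj()
            if 'policy' in r_obj:
                filename = "%s/aws/%s" % (directory,
                                          os.path.basename(resource.path))
                LOG.debug("writing %s to %s", resource, filename)
                _write_text(filename, r_obj['policy'])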
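def diff(vault_client, opt):
    """Print a coloured diff between the Secretfile and live Vault state.

    Each resource's ``diff()`` result selects a marker: ``+`` green for ADD,
    ``-`` red for DEL, ``~`` yellow for CHANGED, ``+`` yellow for OVERWRITE;
    NOOP prints nothing. Details are shown for everything except OVERWRITE
    and NOOP. If ``opt.thaw_from`` is set, the frozen archive is thawed into
    a fresh temporary directory (exposed as ``opt.secrets``); that plaintext
    directory is removed in a ``finally`` so it does not survive an
    exception (the original removed it only on the success path).

    Args:
        vault_client: client used to fetch live state.
        opt: parsed command-line options; ``opt.secrets`` is overwritten
            when ``opt.thaw_from`` is set.
    """
    thawed_dir = None
    try:
        if opt.thaw_from:
            thawed_dir = tempfile.mkdtemp('aomi-thaw')
            opt.secrets = thawed_dir
            auto_thaw(opt)
        ctx = Context.load(get_secretfile(opt), opt) \
                     .fetch(vault_client)

        for resource in ctx.resources():
            changed = resource.diff()
            if changed == ADD:
                print("%s %s" % (maybe_colored("+", "green", opt), str(resource)))
            elif changed == DEL:
                print("%s %s" % (maybe_colored("-", "red", opt), str(resource)))
            elif changed == CHANGED:
                print("%s %s" % (maybe_colored("~", "yellow", opt), str(resource)))
            elif changed == OVERWRITE:
                print("%s %s" % (maybe_colored("+", "yellow", opt), str(resource)))

            # OVERWRITE and NOOP get no detail view.
            if changed != OVERWRITE and changed != NOOP:
                maybe_details(resource, opt)
    finally:
        # Remove the path we created rather than opt.secrets, so we can
        # never delete a user-supplied directory.
        if thawed_dir is not None:
            rmtree(thawed_dir)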
def export(vault_client, opt):
    """Write every Secretfile resource, as fetched from Vault, under ``opt.directory``.

    The Secretfile is loaded into a Context, the Context is populated from
    the server behind ``vault_client``, and each resource writes itself out
    via its own ``export`` method.

    Args:
        vault_client: client used to fetch the live resource contents.
        opt: parsed command-line options; ``opt.directory`` is the target.
    """
    secretfile = get_secretfile(opt)
    fetched = Context.load(secretfile, opt).fetch(vault_client)
    target = opt.directory
    for item in fetched.resources():
        item.export(target)
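def _write_text(path, text):
    """Write ``text`` to ``path``, closing the handle even if the write fails."""
    with open(path, 'w') as handle:
        handle.write(text)


def render(directory, opt):
    """Render the templated inputs to plain files under ``directory``.

    Writes the rendered Secretfile, one file per present Vault ``Policy``
    under ``policy/``, and the inline policy document of each present
    ``AWSRole`` under ``aws/``. Files are written through a context manager
    so handles are closed (the original used ``open(...).write(...)`` and
    leaked them). Output is created with the process umask; if the rendered
    Secretfile can carry secret material, the caller should run with a
    restrictive umask — NOTE(review): cannot tell from here, verify.

    Args:
        directory: output directory; created if it does not exist.
        opt: parsed command-line options passed to ``render_secretfile``
            and ``Context.load``.
    """
    if not os.path.isdir(directory):
        os.mkdir(directory)

    a_secretfile = render_secretfile(opt)
    s_path = "%s/Secretfile" % directory
    LOG.debug("writing Secretfile to %s", s_path)
    _write_text(s_path, a_secretfile)
    # safe_load only: the Secretfile is YAML we rendered ourselves, but the
    # full loader can instantiate arbitrary objects and is never warranted.
    ctx = Context.load(yaml.safe_load(a_secretfile), opt)
    for resource in ctx.resources():
        if not resource.present:
            continue

        if isinstance(resource, Policy):
            policy_dir = "%s/policy" % directory
            if not os.path.isdir(policy_dir):
                os.mkdir(policy_dir)

            filename = "%s/policy/%s" % (directory, resource.path)
            _write_text(filename, resource.obj())
            LOG.debug("writing %s to %s", resource, filename)
        elif isinstance(resource, AWSRole):
            aws_dir = "%s/aws" % directory
            if not os.path.isdir(aws_dir):
                os.mkdir(aws_dir)

            # Evaluate obj() once; the original called it twice and
            # re-checked the same key.
            r_obj = resource.obj()
            if 'policy' in r_obj:
                filename = "%s/aws/%s" % (directory,
                                          os.path.basename(resource.path))
                LOG.debug("writing %s to %s", resource, filename)
                _write_text(filename, r_obj['policy'])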
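def thaw(src_file, opt):
    """Restore frozen secrets from ``src_file`` into ``opt.secrets``.

    ``src_file`` is decrypted into a scratch directory, the resulting zip is
    unpacked there with each file member chmod'd to 0o640, and the
    Secretfile's Context copies the secrets into place. The scratch
    directory holds the decrypted zip and plaintext members, so it is
    removed in a ``finally`` (``freeze`` already does this for its scratch
    directory; the original ``thaw`` left it behind).

    Args:
        src_file: path to the archive produced by ``freeze``.
        opt: parsed command-line options; ``opt.secrets`` is the destination
            used by ``Context.thaw``.

    Raises:
        aomi.exceptions.AomiFile: if ``src_file`` does not exist.
    """
    if not os.path.exists(src_file):
        raise aomi.exceptions.AomiFile("%s does not exist" % src_file)

    tmp_dir = ensure_tmpdir()
    try:
        zip_file = thaw_decrypt(src_file, tmp_dir, opt)
        with zipfile.ZipFile(zip_file, 'r') as archive:
            for archive_file in archive.namelist():
                # ZipFile.extract() strips absolute prefixes and '..'
                # components from member names, so chmod the path it
                # actually wrote instead of rebuilding one from the raw
                # name (which can differ for such members).
                extracted = archive.extract(archive_file, tmp_dir)
                # Directory entries end in '/'; 0o640 on a directory would
                # make later extraction into it fail.
                if not archive_file.endswith('/'):
                    os.chmod(extracted, 0o640)
                LOG.debug("Extracted %s from archive", archive_file)

        LOG.info("Thawing secrets into %s", opt.secrets)
        config = get_secretfile(opt)
        Context.load(config, opt) \
               .thaw(tmp_dir)
    finally:
        # Decrypted material must not outlive the call.
        shutil.rmtree(tmp_dir)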
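def thaw(vault_client, src_file, opt):
    """Restore frozen secrets from ``src_file`` into ``opt.secrets``.

    ``src_file`` is decrypted (via ``thaw_decrypt``, which is handed
    ``vault_client``) into a scratch directory, the resulting zip is
    unpacked there with each file member chmod'd to 0o640, and the
    Secretfile's Context copies the secrets into place. The scratch
    directory holds the decrypted zip and plaintext members, so it is
    removed in a ``finally`` (``freeze`` already does this for its scratch
    directory; the original ``thaw`` left it behind).

    Args:
        vault_client: client passed through to ``thaw_decrypt``.
        src_file: path to the archive produced by ``freeze``.
        opt: parsed command-line options; ``opt.secrets`` is the destination
            used by ``Context.thaw``.

    Raises:
        aomi.exceptions.AomiFile: if ``src_file`` does not exist.
    """
    if not os.path.exists(src_file):
        raise aomi.exceptions.AomiFile("%s does not exist" % src_file)

    tmp_dir = ensure_tmpdir()
    try:
        zip_file = thaw_decrypt(vault_client, src_file, tmp_dir, opt)
        with zipfile.ZipFile(zip_file, 'r') as archive:
            for archive_file in archive.namelist():
                # ZipFile.extract() strips absolute prefixes and '..'
                # components from member names, so chmod the path it
                # actually wrote instead of rebuilding one from the raw
                # name (which can differ for such members).
                extracted = archive.extract(archive_file, tmp_dir)
                # Directory entries end in '/'; 0o640 on a directory would
                # make later extraction into it fail.
                if not archive_file.endswith('/'):
                    os.chmod(extracted, 0o640)
                LOG.debug("Extracted %s from archive", archive_file)

        LOG.info("Thawing secrets into %s", opt.secrets)
        config = get_secretfile(opt)
        Context.load(config, opt) \
               .thaw(tmp_dir)
    finally:
        # Decrypted material must not outlive the call.
        shutil.rmtree(tmp_dir)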
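def diff(vault_client, opt):
    """Compare the Secretfile against live Vault state and report differences.

    Mounts are diffed first, then resources, each through ``diff_a_thing``.
    If ``opt.thaw_from`` is set, the frozen archive is thawed into a fresh
    temporary directory (exposed as ``opt.secrets``) so secret references
    resolve; that plaintext directory is removed in a ``finally`` so it does
    not survive an exception from ``auto_thaw``, ``fetch`` or the diff
    (the original removed it only on the success path).

    Args:
        vault_client: client used by ``auto_thaw`` and to fetch live state.
        opt: parsed command-line options; ``opt.secrets`` is overwritten
            when ``opt.thaw_from`` is set.
    """
    thawed_dir = None
    try:
        if opt.thaw_from:
            thawed_dir = tempfile.mkdtemp('aomi-thaw')
            opt.secrets = thawed_dir
            auto_thaw(vault_client, opt)

        ctx = Context.load(get_secretfile(opt), opt) \
                     .fetch(vault_client)

        for backend in ctx.mounts():
            diff_a_thing(backend, opt)

        for resource in ctx.resources():
            diff_a_thing(resource, opt)
    finally:
        # Remove the path we created rather than opt.secrets, so we can
        # never delete a user-supplied directory.
        if thawed_dir is not None:
            rmtree(thawed_dir)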
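def diff(vault_client, opt):
    """Compare the Secretfile against live Vault state and report differences.

    Mounts are diffed first, then resources, each through ``diff_a_thing``.
    If ``opt.thaw_from`` is set, the frozen archive is thawed into a fresh
    temporary directory (exposed as ``opt.secrets``) so secret references
    resolve; that plaintext directory is removed in a ``finally`` so it does
    not survive an exception from ``auto_thaw``, ``fetch`` or the diff
    (the original removed it only on the success path).

    Args:
        vault_client: client used by ``auto_thaw`` and to fetch live state.
        opt: parsed command-line options; ``opt.secrets`` is overwritten
            when ``opt.thaw_from`` is set.
    """
    thawed_dir = None
    try:
        if opt.thaw_from:
            thawed_dir = tempfile.mkdtemp('aomi-thaw')
            opt.secrets = thawed_dir
            auto_thaw(vault_client, opt)

        ctx = Context.load(get_secretfile(opt), opt) \
                     .fetch(vault_client)

        for backend in ctx.mounts():
            diff_a_thing(backend, opt)

        for resource in ctx.resources():
            diff_a_thing(resource, opt)
    finally:
        # Remove the path we created rather than opt.secrets, so we can
        # never delete a user-supplied directory.
        if thawed_dir is not None:
            rmtree(thawed_dir)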