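def files(client, secret, opt):
    """Seed files into Vault.

    Each entry of ``secret['files']`` names a local ``source`` (resolved
    under ``opt.secrets``) and the ``name`` its contents are stored under
    at ``<mount>/<path>``. With ``state: absent`` the whole Vault path is
    deleted instead.

    :param client: Vault client; its token is revoked before raising on a
        malformed file entry.
    :param secret: the ``files`` secret definition.
    :param opt: parsed options (``secrets`` directory, ``mount_only``).
    :raises aomi.exceptions.AomiData: when a file entry lacks ``source``
        or ``name``.
    """
    aomi.validation.file_obj(secret)
    my_mount = sanitize_mount(secret['mount'])
    vault_path = "%s/%s" % (my_mount, secret['path'])
    if not validate_entry(secret, vault_path, opt):
        return

    maybe_mount(client, 'generic', my_mount, opt)
    if opt.mount_only:
        log("Only mounting %s" % my_mount, opt)
        return

    if secret.get('state', 'present') != 'present':
        rmfiles = ','.join([f['source'] for f in secret.get('files', [])])
        log("Removing files %s from %s" % (rmfiles, vault_path), opt)
        delete(client, vault_path, opt)
        return

    obj = {}
    for sfile in secret.get('files', []):
        if 'source' not in sfile or 'name' not in sfile:
            client.revoke_self_token()
            e_msg = "Invalid file specification %s" % sfile
            raise aomi.exceptions.AomiData(e_msg)

        filename = hard_path(sfile['source'], opt.secrets)
        aomi.validation.secret_file(filename)
        # Close the handle promptly instead of leaving an unreferenced open
        # file holding secret material until garbage collection.
        with open(filename, 'r') as handle:
            obj[sfile['name']] = handle.read()

        log('writing file %s into %s/%s' % (filename, vault_path, sfile['name']), opt)

    # A single write carries every file; an empty list still writes {}.
    write(client, vault_path, obj, opt)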
def freeze_var_file(secret, tmp_dir, opt):
    """Hand a var_file's source to ``freeze_secret`` after validation.

    The entry is skipped when ``validate_entry`` rejects it for the
    ``<mount>/<path>`` it would seed.

    :param secret: the ``var_file`` secret definition.
    :param tmp_dir: staging directory passed through to ``freeze_secret``.
    :param opt: parsed options.
    """
    mount = sanitize_mount(secret['mount'])
    vault_path = "%s/%s" % (mount, secret['path'])
    if validate_entry(secret, vault_path, opt):
        var_source = secret['var_file']
        freeze_secret(var_source, var_source, 'var_file', tmp_dir, opt)
def freeze_aws_file(secret, tmp_dir, opt):
    """Hand an aws_file's source to ``freeze_secret`` after validation.

    The entry is validated against ``<mount>/config/root``, the path the
    credentials would be seeded to, and skipped if rejected.

    :param secret: the ``aws_file`` secret definition.
    :param tmp_dir: staging directory passed through to ``freeze_secret``.
    :param opt: parsed options.
    """
    root_path = "%s/config/root" % (sanitize_mount(secret['mount']))
    if validate_entry(secret, root_path, opt):
        aws_source = secret['aws_file']
        freeze_secret(aws_source, aws_source, 'aws_file', tmp_dir, opt)
def freeze_generic_file(secret, tmp_dir, opt):
    """Hand each file of a ``files`` secret to ``freeze_secret``.

    The secret is validated once against ``<mount>/<path>``; if it is
    rejected none of its files are frozen.

    :param secret: the ``files`` secret definition.
    :param tmp_dir: staging directory passed through to ``freeze_secret``.
    :param opt: parsed options.
    """
    mount = sanitize_mount(secret['mount'])
    vault_path = "%s/%s" % (mount, secret['path'])
    if not validate_entry(secret, vault_path, opt):
        return

    sources = [entry['source'] for entry in secret['files']]
    for source in sources:
        freeze_secret(source, source, 'file', tmp_dir, opt)
def thaw_aws_file(secret, tmp_dir, opt):
    """Copy a thawed AWS credentials file back into the secrets directory.

    Only the basename of ``secret['aws_file']`` is looked up in *tmp_dir*,
    so a file that lives in a subdirectory of ``opt.secrets`` is expected
    at the top level of the staging directory.

    :param secret: the ``aws_file`` secret definition.
    :param tmp_dir: staging directory holding the thawed files.
    :param opt: parsed options (``secrets`` directory).
    :raises aomi.exceptions.IceFile: when the file is absent from *tmp_dir*.
    """
    root_path = "%s/config/root" % (sanitize_mount(secret['mount']))
    if not validate_entry(secret, root_path, opt):
        return

    target = "%s/%s" % (opt.secrets, secret['aws_file'])
    basename = os.path.basename(target)
    source = "%s/%s" % (tmp_dir, basename)
    if not os.path.exists(source):
        raise aomi.exceptions.IceFile("AWS file %s missing" % basename)

    # shutil.copy carries the source's permission bits to the target.
    shutil.copy(source, target)
    log("Thawed aws_file %s" % basename, opt)
def thaw_var_file(secret, tmp_dir, opt):
    """Copy a thawed var file back into the secrets directory.

    Only the basename of ``secret['var_file']`` is looked up in *tmp_dir*,
    so a file that lives in a subdirectory of ``opt.secrets`` is expected
    at the top level of the staging directory.

    :param secret: the ``var_file`` secret definition.
    :param tmp_dir: staging directory holding the thawed files.
    :param opt: parsed options (``secrets`` directory).
    :raises aomi.exceptions.IceFile: when the file is absent from *tmp_dir*.
    """
    mount = sanitize_mount(secret['mount'])
    vault_path = "%s/%s" % (mount, secret['path'])
    if not validate_entry(secret, vault_path, opt):
        return

    target = "%s/%s" % (opt.secrets, secret['var_file'])
    basename = os.path.basename(target)
    source = "%s/%s" % (tmp_dir, basename)
    if not os.path.exists(source):
        raise aomi.exceptions.IceFile("Var file %s missing" % basename)

    # shutil.copy carries the source's permission bits to the target.
    shutil.copy(source, target)
    log("Thawed var_file %s" % basename, opt)
def policy(client, secret, opt):
    """Seed a standalone policy into Vault, or delete it when absent.

    :param client: Vault client.
    :param secret: the policy definition (``name``, ``file``, optional
        ``vars`` and ``state``).
    :param opt: parsed options.
    """
    aomi.validation.policy_obj(secret)
    name = secret['name']
    if not validate_entry(secret, "policy/%s" % name, opt):
        return

    if secret.get('state', 'present') != 'present':
        log('removing policy %s' % name, opt)
        client.delete_policy(name)
        return

    rendered = policy_data(secret['file'], secret.get('vars', {}), opt)
    write_policy(name, rendered, client, opt)
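def aws(client, secret, opt):
    """Seed an aws_file into Vault.

    Writes the root credentials from the local aws_file to
    ``<mount>/config/root``, then the lease config when one is derived,
    then the roles. With ``state: absent`` the AWS backend is unmounted
    instead.

    :param client: Vault client; its token is revoked before raising when
        the region or roles cannot be determined.
    :param secret: the ``aws_file`` secret definition.
    :param opt: parsed options (``secrets`` directory, ``mount_only``).
    :raises aomi.exceptions.AomiData: when no region or no roles can be
        determined from the entry and the aws_file.
    """
    aomi.validation.aws_file_obj(secret)
    my_mount = sanitize_mount(secret['mount'])
    aws_path = "%s/config/root" % my_mount
    if not validate_entry(secret, aws_path, opt):
        return

    if secret.get('state', 'present') == 'absent':
        unmount(client, 'aws', my_mount)
        log("Unmounted AWS %s" % aws_path, opt)
        return

    maybe_mount(client, 'aws', my_mount, opt)
    if opt.mount_only:
        log("Only mounting %s" % my_mount, opt)
        return

    aws_file_path = hard_path(secret['aws_file'], opt.secrets)
    aomi.validation.secret_file(aws_file_path)
    # safe_load only: this file holds credentials and must never go through
    # a loader that can instantiate arbitrary objects. The handle is closed
    # as soon as the text is read.
    with open(aws_file_path, 'r') as handle:
        aws_obj = yaml.safe_load(handle.read())
    aomi.validation.aws_secret_obj(aws_file_path, aws_obj)

    region = aomi.legacy.aws_region(secret, aws_obj)
    if region is None:
        client.revoke_self_token()
        raise aomi.exceptions.AomiData('missing aws region')

    roles = aomi.legacy.aws_roles(secret, aws_obj)
    if roles is None:
        client.revoke_self_token()
        raise aomi.exceptions.AomiData('missing aws roles')

    obj = {
        'access_key': aws_obj['access_key_id'],
        'secret_key': aws_obj['secret_access_key'],
        'region': region
    }
    write(client, aws_path, obj, opt)
    # Only the file path and Vault path are logged, never the key material.
    log('wrote aws secrets %s into %s' % (aws_file_path, aws_path), opt)

    ttl_obj, lease_msg = grok_ttl(secret, aws_obj)
    if ttl_obj:
        # NOTE(review): the lease and role paths use the raw secret['mount']
        # while config/root uses the sanitized my_mount — confirm that
        # sanitize_mount leaves the mounts in use unchanged.
        write(client, "%s/config/lease" % (secret['mount']), ttl_obj, opt)
        log("Updated lease for %s %s" % (secret['mount'], lease_msg), opt)

    seed_aws_roles(client, secret['mount'], roles, opt)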
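def mount_path(client, obj, opt):
    """Manage a Vault mountpoint.

    Mounts a ``generic`` backend at ``obj['path']`` when the entry is
    present and not yet mounted, unmounts it when the entry is absent and
    currently mounted, and does nothing otherwise.

    :param client: Vault client.
    :param obj: the mount definition (checked by ``mount_obj``).
    :param opt: parsed options.
    """
    aomi.validation.mount_obj(obj)
    path = obj['path']
    if not validate_entry(obj, path, opt):
        return

    backends = client.list_secret_backends()
    mounted = is_mounted(path, backends, 'generic')
    if obj.get('state', 'present') == 'present':
        if not mounted:
            actually_mount(client, 'generic', path)
            log("Mounted %s" % (path), opt)
    elif mounted:
        unmount(client, 'generic', path)
        # Previously logged as "Mounted", which misreported the unmount
        # in the audit trail of a seed run.
        log("Unmounted %s" % (path), opt)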
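def thaw_files(secret, tmp_dir, opt):
    """Thaw the files of a ``files`` secret into the secrets directory.

    Each entry's ``source`` is looked up at the same relative path under
    *tmp_dir* and copied to ``<opt.secrets>/<source>``; the destination's
    parent directory is created with mode 0700 when it does not exist.

    :param secret: the ``files`` secret definition.
    :param tmp_dir: staging directory holding the thawed files.
    :param opt: parsed options (``secrets`` directory).
    :raises aomi.exceptions.IceFile: when a source file is absent from
        *tmp_dir*.
    """
    # The Vault path does not depend on the file entry, so validate the
    # secret once up front (as freeze_generic_file does) instead of
    # re-running validate_entry on every iteration.
    path = "%s/%s" % (sanitize_mount(secret['mount']), secret['path'])
    if not validate_entry(secret, path, opt):
        return

    for a_secret in secret['files']:
        filename = a_secret['source']
        dest_file = "%s/%s" % (opt.secrets, filename)
        src_file = "%s/%s" % (tmp_dir, filename)
        if not os.path.exists(src_file):
            raise aomi.exceptions.IceFile("File %s missing" % filename)

        dest_dir = os.path.dirname(dest_file)
        if not os.path.isdir(dest_dir):
            # Owner-only mode so thawed secret files never land in a
            # directory of our making that other users can read.
            os.mkdir(dest_dir, 0o700)

        shutil.copy(src_file, dest_file)
        log("Thawed file %s" % filename, opt)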
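def app(client, app_obj, opt):
    """Seed an app file into Vault.

    Reads the app-id definition from the local ``app_file`` with
    ``yaml.safe_load``, seeds its policy, maps the app-id to that policy
    and then seeds the listed users. With ``state: absent`` the app-id
    mapping is deleted instead.

    :param client: Vault client; its token is revoked before raising on a
        malformed definition or app file.
    :param app_obj: the app definition from the seed file.
    :param opt: parsed options (``secrets`` directory, ``mount_only``).
    :raises aomi.exceptions.AomiData: when the definition has no
        ``app_file`` or the app file has no ``users`` section.
    """
    if 'app_file' not in app_obj:
        client.revoke_self_token()
        raise aomi.exceptions.AomiData("Invalid app definition %s" % app_obj)

    name = app_id_name(app_obj)
    if not validate_entry(app_obj, "app-id/%s" % name, opt):
        return

    app_file = hard_path(app_obj['app_file'], opt.secrets)
    aomi.validation.secret_file(app_file)
    # Close the handle promptly; the file is secret material.
    with open(app_file) as handle:
        data = yaml.safe_load(handle.read())

    app_id = aomi.legacy.app_id_itself(app_obj, data)
    app_path = "auth/app-id/map/app-id/%s" % app_id
    if app_obj.get('state', 'present') == 'absent':
        delete(client, app_path, opt)
        return

    ensure_auth(client, 'app-id')
    if opt.mount_only:
        log("Only enabling app-id", opt)
        return

    if 'users' not in data:
        client.revoke_self_token()
        raise aomi.exceptions.AomiData("Invalid app file %s" % app_file)

    policy_name = aomi.legacy.app_id_policy_name(app_obj, data)
    policy_file = aomi.legacy.app_id_policy_file(app_obj, data)
    app_policy(client, policy_name, policy_file, app_obj, opt)
    # Kept under its own name: rebinding app_obj here hid the seed
    # definition for the remainder of the function.
    mapping = {'value': policy_name, 'display_name': name}
    write(client, app_path, mapping, opt)

    r_users = data.get('users', [])
    app_users(client, app_id, r_users, opt)
    log('created %d users in application %s' % (len(r_users), name), opt)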
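def var_file(client, secret, opt):
    """Seed a var_file into Vault.

    The YAML document in the local var_file is written as the secret at
    ``<mount>/<path>``; with ``state: absent`` that path is deleted
    instead. The file is read (and so must exist and validate) in both
    cases.

    :param client: Vault client.
    :param secret: the ``var_file`` secret definition.
    :param opt: parsed options (``secrets`` directory, ``mount_only``).
    """
    aomi.validation.var_file_obj(secret)
    my_mount = sanitize_mount(secret['mount'])
    path = "%s/%s" % (my_mount, secret['path'])
    if not validate_entry(secret, path, opt):
        return

    var_file_name = hard_path(secret['var_file'], opt.secrets)
    aomi.validation.secret_file(var_file_name)
    # safe_load only, and the handle is closed as soon as the text is read.
    with open(var_file_name) as handle:
        varz = yaml.safe_load(handle.read())

    maybe_mount(client, 'generic', my_mount, opt)
    if opt.mount_only:
        log("Only mounting %s" % my_mount, opt)
        return

    if secret.get('state', 'present') == 'present':
        write(client, path, varz, opt)
        log('wrote var_file %s into %s' % (var_file_name, path), opt)
    else:
        delete(client, path, opt)
        log('deleted var_file %s from %s' % (var_file_name, path), opt)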