def test_plain_ref_reveal(self):
"check plain ref reveal() output is original plain data"
tag = "?{plain:my/ref2_plain}"
REF_CONTROLLER[tag] = PlainRef(b"ref 2 plain data")
ref_obj = REF_CONTROLLER[tag]
revealed = ref_obj.reveal()
self.assertEqual(revealed, "ref 2 plain data")
def test_plain_ref_compile(self):
"check plain ref compile() output is not hashed"
tag = "?{plain:my/ref1_plain}"
REF_CONTROLLER[tag] = PlainRef(b"ref plain data")
ref_obj = REF_CONTROLLER[tag]
compiled = ref_obj.compile()
self.assertEqual(compiled, "ref plain data")
def __getitem__(self, ref_path):
return PlainRef(ref_path)
def ref_write(args, ref_controller):
"Write ref to ref_controller based on cli args"
token_name = args.write
file_name = args.file
data = None
if file_name is None:
fatal_error("--file is required with --write")
if file_name == "-":
data = ""
for line in sys.stdin:
data += line
else:
with open(file_name) as fp:
data = fp.read()
if token_name.startswith("gpg:"):
type_name, token_path = token_name.split(":")
recipients = [dict((("name", name), )) for name in args.recipients]
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv["nodes"][
args.target_name]["parameters"]["kapitan"]
if "secrets" not in kap_inv_params:
raise KapitanError(
"parameters.kapitan.secrets not defined in inventory of target {}"
.format(args.target_name))
recipients = kap_inv_params["secrets"]["gpg"]["recipients"]
if not recipients:
raise KapitanError(
"No GPG recipients specified. Use --recipients or specify them in "
+
"parameters.kapitan.secrets.gpg.recipients and use --target-name"
)
secret_obj = GPGSecret(data, recipients, encode_base64=args.base64)
tag = "?{{gpg:{}}}".format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("gkms:"):
type_name, token_path = token_name.split(":")
key = args.key
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv["nodes"][
args.target_name]["parameters"]["kapitan"]
if "secrets" not in kap_inv_params:
raise KapitanError(
"parameters.kapitan.secrets not defined in inventory of target {}"
.format(args.target_name))
key = kap_inv_params["secrets"]["gkms"]["key"]
if not key:
raise KapitanError(
"No KMS key specified. Use --key or specify it in parameters.kapitan.secrets.gkms.key and use --target-name"
)
secret_obj = GoogleKMSSecret(data, key, encode_base64=args.base64)
tag = "?{{gkms:{}}}".format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("awskms:"):
type_name, token_path = token_name.split(":")
key = args.key
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv["nodes"][
args.target_name]["parameters"]["kapitan"]
if "secrets" not in kap_inv_params:
raise KapitanError(
"parameters.kapitan.secrets not defined in inventory of target {}"
.format(args.target_name))
key = kap_inv_params["secrets"]["awskms"]["key"]
if not key:
raise KapitanError(
"No KMS key specified. Use --key or specify it in parameters.kapitan.secrets.awskms.key and use --target-name"
)
secret_obj = AWSKMSSecret(data, key, encode_base64=args.base64)
tag = "?{{awskms:{}}}".format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("base64:"):
type_name, token_path = token_name.split(":")
_data = data.encode()
encoding = "original"
if args.base64:
_data = base64.b64encode(_data).decode()
_data = _data.encode()
encoding = "base64"
ref_obj = Base64Ref(_data, encoding=encoding)
tag = "?{{base64:{}}}".format(token_path)
ref_controller[tag] = ref_obj
elif token_name.startswith("vaultkv:"):
type_name, token_path = token_name.split(":")
_data = data.encode()
vault_params = {}
encoding = "original"
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv["nodes"][
args.target_name]["parameters"]["kapitan"]
if "secrets" not in kap_inv_params:
raise KapitanError(
"parameters.kapitan.secrets not defined in inventory of target {}"
.format(args.target_name))
vault_params = kap_inv_params["secrets"]["vaultkv"]
if args.vault_auth:
vault_params["auth"] = args.vault_auth
if vault_params.get("auth") is None:
raise KapitanError(
"No Authentication type parameter specified. Specify it"
" in parameters.kapitan.secrets.vaultkv.auth and use --target-name or use --vault-auth"
)
secret_obj = VaultSecret(_data, vault_params)
tag = "?{{vaultkv:{}}}".format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("plain:"):
type_name, token_path = token_name.split(":")
_data = data.encode()
encoding = "original"
if args.base64:
_data = base64.b64encode(_data).decode()
_data = _data.encode()
encoding = "base64"
ref_obj = PlainRef(_data, encoding=encoding)
tag = "?{{plain:{}}}".format(token_path)
ref_controller[tag] = ref_obj
else:
fatal_error(
"Invalid token: {name}. Try using gpg/gkms/awskms/vaultkv/base64/plain:{name}"
.format(name=token_name))
def ref_write(args, ref_controller):
"Write ref to ref_controller based on cli args"
token_name = args.write
file_name = args.file
data = None
if file_name is None:
fatal_error('--file is required with --write')
if file_name == '-':
data = ''
for line in sys.stdin:
data += line
else:
with open(file_name) as fp:
data = fp.read()
if token_name.startswith("gpg:"):
type_name, token_path = token_name.split(":")
recipients = [dict((("name", name),)) for name in args.recipients]
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv['nodes'][args.target_name]['parameters']['kapitan']
if 'secrets' not in kap_inv_params:
raise KapitanError("parameters.kapitan.secrets not defined in {}".format(args.target_name))
recipients = kap_inv_params['secrets']['gpg']['recipients']
if not recipients:
raise KapitanError("No GPG recipients specified. Use --recipients or specify them in " +
"parameters.kapitan.secrets.gpg.recipients and use --target")
secret_obj = GPGSecret(data, recipients, encode_base64=args.base64)
tag = '?{{gpg:{}}}'.format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("gkms:"):
type_name, token_path = token_name.split(":")
key = args.key
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv['nodes'][args.target_name]['parameters']['kapitan']
if 'secrets' not in kap_inv_params:
raise KapitanError("parameters.kapitan.secrets not defined in {}".format(args.target_name))
key = kap_inv_params['secrets']['gkms']['key']
if not key:
raise KapitanError("No KMS key specified. Use --key or specify it in parameters.kapitan.secrets.gkms.key and use --target")
secret_obj = GoogleKMSSecret(data, key, encode_base64=args.base64)
tag = '?{{gkms:{}}}'.format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("awskms:"):
type_name, token_path = token_name.split(":")
key = args.key
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv['nodes'][args.target_name]['parameters']['kapitan']
if 'secrets' not in kap_inv_params:
raise KapitanError("parameters.kapitan.secrets not defined in {}".format(args.target_name))
key = kap_inv_params['secrets']['awskms']['key']
if not key:
raise KapitanError("No KMS key specified. Use --key or specify it in parameters.kapitan.secrets.awskms.key and use --target")
secret_obj = AWSKMSSecret(data, key, encode_base64=args.base64)
tag = '?{{awskms:{}}}'.format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("base64:"):
type_name, token_path = token_name.split(":")
_data = data.encode()
encoding = 'original'
if args.base64:
_data = base64.b64encode(_data).decode()
_data = _data.encode()
encoding = 'base64'
ref_obj = Base64Ref(_data, encoding=encoding)
tag = '?{{base64:{}}}'.format(token_path)
ref_controller[tag] = ref_obj
elif token_name.startswith("plain:"):
type_name, token_path = token_name.split(":")
_data = data.encode()
encoding = 'original'
if args.base64:
_data = base64.b64encode(_data).decode()
_data = _data.encode()
encoding = 'base64'
ref_obj = PlainRef(_data, encoding=encoding)
tag = '?{{plain:{}}}'.format(token_path)
ref_controller[tag] = ref_obj
else:
fatal_error("Invalid token: {name}. Try using gpg/gkms/awskms/base64/plain:{name}".format(name=token_name))