def test_getSecret_nonexistent():
try:
credstash.getSecret("bad secret")
except credstash.ItemNotFound:
assert True
else:
assert False, "expected credstash.ItemNotFound error"
def __init__(self):
self.dynamo = boto3.client(
"dynamodb") # using the python SDK of AWS DynamoDB
# credstash fetching api tokens/client secret
self.twilio_sid = credstash.getSecret("twilio_sid")
self.twilio_api_token = credstash.getSecret("twilio_api_token")
def create_incident_note(event, context):
"""
This script uses the PagerDuty API to write notes to specific incidents.
"""
EMAIL = getSecret('sre.oaf.utility.pd-commenter.username',
region='us-east-1',
table='{}-credstash'.format(os.environ['environ']))
API_KEY = getSecret('sre.oaf.utility.pd-commenter.password',
region='us-east-1',
table='{}-credstash'.format(os.environ['environ']))
INCIDENT_ID = event['incidentID']
CONTENT = event['message']
url = 'https://api.pagerduty.com/incidents/{id}/notes'.format(
id=INCIDENT_ID)
headers = {
'Accept': 'application/vnd.pagerduty+json;version=2',
'Authorization': 'Token token={token}'.format(token=API_KEY),
'Content-type': 'application/json',
'From': EMAIL
}
payload = {'note': {'content': CONTENT}}
r = requests.post(url, headers=headers, data=json.dumps(payload))
if r.status_code == 201:
print("Note added successfully.")
return "Note: " + CONTENT + " added successfully."
def test_deletes_on_teardown(self):
key_name = run_tiltfile_func(
"local_resource_ext/Tiltfile",
"credstash_key",
mocks={'local_resource': local_resource_integration},
resource_name="my_key",
val="my_secret",
)
run_tiltfile_func(
"local_resource_ext/Tiltfile",
"credstash_key",
mocks={
'local_resource': local_resource_integration,
'config': TiltConfig('down')
},
resource_name="my_key",
val="my_secret",
)
with pytest.raises(credstash.ItemNotFound):
credstash.getSecret(key_name)
assert run_tiltfile_func("tilt_env/Tiltfile",
"tilt_env_get",
key="my_key") == None
def test_getSecret_wrong_region(secret):
try:
credstash.getSecret(secret['name'], region='us-west-2')
except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'ResourceNotFoundException':
assert True
else:
assert False, "expected botocore ResourceNotFoundException"
def read_config(config_file, instance_metadata):
settings = {}
# get user config
config = ConfigParser.ConfigParser()
config.read(config_file)
# get global config settings
use_credstash = config.getboolean('DEFAULT', 'use_credstash')
settings['call_create_job'] = config.getboolean('DEFAULT',
'call_create_job')
settings['call_terminate_job'] = config.getboolean('DEFAULT',
'call_terminate_job')
# get jenkins settings
settings['url'] = config.get('jenkins', 'url')
settings['verify_ssl'] = config.getboolean('jenkins', 'verify_ssl')
if settings['call_create_job']:
settings['create_job'] = config.get('jenkins', 'create_job')
settings['create_job_params'] = config.get('jenkins',
'create_job_params', 0,
instance_metadata)
if settings['call_terminate_job']:
settings['terminate_job'] = config.get('jenkins', 'terminate_job')
settings['terminate_job_params'] = config.get('jenkins',
'terminate_job_params',
0, instance_metadata)
# get credstash settings
if use_credstash:
credstash_table = config.get('credstash', 'table')
settings['username'] = credstash.getSecret(config.get(
'credstash', 'jenkins_username_key'),
table=credstash_table)
settings['api_key'] = credstash.getSecret(config.get(
'credstash', 'jenkins_user_token_key'),
table=credstash_table)
if settings['call_create_job']:
settings['create_job_token'] = credstash.getSecret(
config.get('credstash', 'jenkins_create_job_token_key'),
table=credstash_table)
if settings['call_terminate_job']:
settings['terminate_job_token'] = credstash.getSecret(
config.get('credstash', 'jenkins_terminate_job_token_key'),
table=credstash_table)
else:
settings['username'] = config.get('jenkins', 'username')
settings['api_key'] = config.get('jenkins', 'api_key')
if settings['call_create_job']:
settings['create_job_token'] = config.get('jenkins',
'create_job_token')
if settings['call_terminate_job']:
settings['terminate_job_token'] = config.get(
'jenkins', 'terminate_job_token')
return settings
def get_creds():
"""Reads a user and key out of credstash to auth into the LM API."""
global user
global key
if user or key == None:
user = getSecret('sre.oaf.utility.oaf-logicmonitor-reaper.id',
region='us-east-1',
table='{}-credstash'.format(os.environ['environ']))
key = getSecret('sre.oaf.utility.oaf-logicmonitor-reaper.key',
region='us-east-1',
table='{}-credstash'.format(os.environ['environ']))
def __init__(self):
"""General object initializer."""
self.OIDC_DOMAIN = os.environ['OIDC_DOMAIN']
self.OIDC_CLIENT_ID = credstash.getSecret(
name="riskheatmap.oidc_client_id",
context={'app': 'riskheatmap'},
region="us-east-1")
self.OIDC_CLIENT_SECRET = credstash.getSecret(
name="riskheatmap.oidc_client_secret",
context={'app': 'riskheatmap'},
region="us-east-1")
self.LOGIN_URL = "https://{DOMAIN}/login?client={CLIENT_ID}".format(
DOMAIN=self.OIDC_DOMAIN, CLIENT_ID=self.OIDC_CLIENT_ID)
def set_user_data(ctx: Context) -> None:
"""Retrieve behave -userdata values, setting them on the context"""
user_data = ctx.config.userdata
try:
ctx.users = credstash.getSecret(name='stg.viz.tableau.login', region='us-east-1')
except credstash.ItemNotFound as ex:
LOGGER.debug(f'Cloud secret not found: {ex.value}')
except (credstash.KmsError, credstash.IntegrityError) as ex:
LOGGER.debug(f'Cloud secret exception: {ex.value}')
ctx.users = credstash.getSecret('stg.viz.tableau.login')
ctx.wait_timeout = user_data.getfloat("wait_timeout", 10)
ctx.max_attempts = user_data.getint("max_attempts", 1)
ctx.debug_mode = user_data.getbool("debug_mode", False)
ctx.latency = user_data.get("latency", 0)
def get_secret(secret_key):
try:
value = credstash.getSecret(secret_key)
except credstash.ItemNotFound as item_not_found:
value = None
return value
def get_secrets(env_name, team, component_name, boto_session):
credentials = boto_session.get_credentials()
aws_credentials = {
'aws_access_key_id': credentials.access_key,
'aws_secret_access_key': credentials.secret_key,
'aws_session_token': credentials.token
}
prefix = 'deploy.{}.{}.'.format(env_name, component_name)
table_name = 'credstash-{}'.format(team)
return {
name[len(prefix):]: credstash.getSecret(
name,
table=table_name,
region=boto_session.region_name,
**aws_credentials
)
for name
in _component_secrets_for_environment(
table_name,
boto_session.region_name,
prefix,
aws_credentials
)
}
def run(self, terms, variables, **kwargs):
if not CREDSTASH_INSTALLED:
raise AnsibleError('The credstash lookup plugin requires credstash to be installed.')
ret = []
for term in terms:
try:
version = kwargs.pop('version', '')
region = kwargs.pop('region', None)
table = kwargs.pop('table', 'credential-store')
profile_name = kwargs.pop('profile_name', os.getenv('AWS_PROFILE', None))
aws_access_key_id = kwargs.pop('aws_access_key_id', os.getenv('AWS_ACCESS_KEY_ID', None))
aws_secret_access_key = kwargs.pop('aws_secret_access_key', os.getenv('AWS_SECRET_ACCESS_KEY', None))
aws_session_token = kwargs.pop('aws_session_token', os.getenv('AWS_SESSION_TOKEN', None))
kwargs_pass = {'profile_name': profile_name, 'aws_access_key_id': aws_access_key_id,
'aws_secret_access_key': aws_secret_access_key, 'aws_session_token': aws_session_token}
val = credstash.getSecret(term, version, region, table, context=kwargs, **kwargs_pass)
except credstash.ItemNotFound:
raise AnsibleError('Key {0} not found'.format(term))
except Exception as e:
raise AnsibleError('Encountered exception while fetching {0}: {1}'.format(term, e.message))
ret.append(val)
return ret
def run(self, terms, variables, **kwargs):
if not CREDSTASH_INSTALLED:
raise AnsibleError(
'The credstash lookup plugin requires credstash to be installed.'
)
ret = []
for term in terms:
try:
version = kwargs.pop('version', '')
region = kwargs.pop('region', None)
table = kwargs.pop('table', 'credential-store')
val = credstash.getSecret(term,
version,
region,
table,
context=kwargs)
except credstash.ItemNotFound:
raise AnsibleError('Key {0} not found'.format(term))
except Exception as e:
raise AnsibleError(
'Encountered exception while fetching {0}: {1}'.format(
term, e.message))
ret.append(val)
return ret
def lambda_handler(event,context):
logger = logging.getLogger()
logger.setLevel(logging.INFO)
#logger.info('got event{}'.json.dumps(event))
#logger.error('something went wrong')
sns_message=json.loads(event['Records'][0]['Sns']['Message'])
logger.info('SNS message received: '+str(sns_message))
# These two lines enable debugging at httplib level (requests->urllib3->http.client)
# You will see the REQUEST, including HEADERS and DATA, and RESPONSE with HEADERS but without DATA.
# The only thing missing will be the response.body which is not logged.
try:
import http.client as http_client
except ImportError:
# Python 2
import httplib as http_client
http_client.HTTPConnection.debuglevel = 1
# You must initialize logging, otherwise you'll not see debug output.
logging.basicConfig()
logging.getLogger().setLevel(logging.DEBUG)
requests_log = logging.getLogger("requests.packages.urllib3")
requests_log.setLevel(logging.DEBUG)
requests_log.propagate = True
timeStamp = time.time()
requestTimestamp = datetime.datetime.fromtimestamp(int(timeStamp)).strftime('%Y-%m-%d %H:%M:%S')
endPoint = os.environ['endPoint'] #IAS/qualys/prepareScan
#url = "https://ias.cengage.info/IAS/qualys/prepareScan"
url = os.environ['url']
#accessKey=os.environ['accessKey']
#secretKey=os.environ['secretKey']
accessKey = credstash.getSecret("IAS-accessKey")
secretKey = credstash.getSecret("IAS-secretKey")
#payload = json.load(open("test"))
#data = json.dumps(sns_message['PrivateIP'])
data = ["10.172.104.117", "10.172.105.202", "10.172.253.71"]
stringToHash = endPoint + accessKey + requestTimestamp + secretKey
calculatedSignatureHash = hashlib.sha1(stringToHash).hexdigest()
print calculatedSignatureHash
#calculatedSignatureHash = DigestUtils().getHexSha1Digest(stringToHash)
headers = {'content-type': 'application/json', 'accessKey' : str(accessKey), 'secretKey' : str(secretKey) ,'requestSignature' : calculatedSignatureHash, 'requestTimestamp' : str(requestTimestamp) , 'requestEndpoint' : str(endPoint)}
response=requests.post(url, data=data, headers=headers)
logger.info("AppBuilder requested to prepare requested list of IPs for scanning: "+str(response))
def secret_yaml(loader: SafeLineLoader, node: yaml.nodes.Node) -> JSON_TYPE:
"""Load secrets and embed it into the configuration YAML."""
secret_path = os.path.dirname(loader.name)
while True:
secrets = _load_secret_yaml(secret_path)
if node.value in secrets:
_LOGGER.debug(
"Secret %s retrieved from secrets.yaml in folder %s",
node.value,
secret_path,
)
return secrets[node.value]
if secret_path == os.path.dirname(sys.path[0]):
break # sys.path[0] set to config/deps folder by bootstrap
secret_path = os.path.dirname(secret_path)
if not os.path.exists(secret_path) or len(secret_path) < 5:
break # Somehow we got past the .homeassistant config folder
if keyring:
# do some keyring stuff
pwd = keyring.get_password(_SECRET_NAMESPACE, node.value)
if pwd:
global KEYRING_WARN # pylint: disable=global-statement
if not KEYRING_WARN:
KEYRING_WARN = True
_LOGGER.warning(
"Keyring is deprecated and will be removed in March 2021."
)
_LOGGER.debug("Secret %s retrieved from keyring", node.value)
return pwd
global credstash # pylint: disable=invalid-name, global-statement
if credstash:
# pylint: disable=no-member
try:
pwd = credstash.getSecret(node.value, table=_SECRET_NAMESPACE)
if pwd:
global CREDSTASH_WARN # pylint: disable=global-statement
if not CREDSTASH_WARN:
CREDSTASH_WARN = True
_LOGGER.warning(
"Credstash is deprecated and will be removed in March 2021."
)
_LOGGER.debug("Secret %s retrieved from credstash", node.value)
return pwd
except credstash.ItemNotFound:
pass
except Exception: # pylint: disable=broad-except
# Catch if package installed and no config
credstash = None
raise HomeAssistantError(f"Secret {node.value} not defined")
def main():
module = AnsibleModule(
argument_spec=dict(
secret=dict(required=True, type='str'),
fact=dict(default=None, type='str'),
fact_type=dict(default=None, choices=['yaml', 'json']),
mode=dict(default='get', choices=['get', 'put']),
value=dict(default=None, type='str'),
key=dict(default='alias/credstash', type='str'),
region=dict(default='us-east-1', type='str'),
table=dict(default='credential-store', type='str'),
version=dict(default='', type='str'),
context=dict(default=None, type='dict')
)
)
result = dict(changed=False, failed=False)
if module.params.get('mode') == 'put':
result['output'] = credstash.putSecret(
module.params.get('secret'),
module.params.get('value'),
module.params.get('version'),
module.params.get('key'),
module.params.get('region'),
module.params.get('table'),
module.params.get('context')
)
result['changed'] = True
try:
result['output'] = credstash.getSecret(
module.params.get('secret'),
module.params.get('version'),
module.params.get('region'),
module.params.get('table'),
module.params.get('context')
)
except credstash.ItemNotFound:
module.fail_json(msg="credstash secret not found")
fact = module.params.get('fact')
fact_type = module.params.get('fact_type')
if fact is not None:
if fact_type == 'yaml':
result['ansible_facts'] = {
fact: yaml.safe_load(result['output'])
}
elif fact_type == 'json':
result['ansible_facts'] = {
fact: json.load(result['output'])
}
else:
result['ansible_facts'] = {
fact: result['output']
}
module.exit_json(**result)
def __init__(self):
"""General object initializer."""
self.OIDC_DOMAIN = os.environ['OIDC_DOMAIN']
self.OIDC_CLIENT_ID = credstash.getSecret(
name="riskheatmap.oidc_client_id",
context={'app': 'riskheatmap'},
region="us-east-1"
)
self.OIDC_CLIENT_SECRET = credstash.getSecret(
name="riskheatmap.oidc_client_secret",
context={'app': 'riskheatmap'},
region="us-east-1"
)
self.LOGIN_URL = "https://{DOMAIN}/login?client={CLIENT_ID}".format(
DOMAIN=self.OIDC_DOMAIN,
CLIENT_ID=self.OIDC_CLIENT_ID
)
def credstash_getone(name, args):
""" Returns one single secret from from credstash table `args.table`. """
if args.verbose:
print('fetching your secret from "{table}" '.format(table=args.table))
session_params = credstash.get_session_params(None, None)
return credstash.getSecret(name,
region=args.region,
table=args.table,
**session_params)
def get_secret(secret_name, context):
"""Fetch secret from environment or credstash."""
secret = os.getenv(secret_name.split('.')[1], None)
if not secret:
secret = credstash.getSecret(name=secret_name,
context=context,
region="us-west-2")
return secret
def get_secret(key, table=None, region='us-east-1'):
if table is None:
table = 'credential-store'
secret = _check_local(key, table, region)
if not secret:
secret = credstash.getSecret(key, table=table, region=region)
_put_local(secret, key, table, region)
return secret
def main():
module = AnsibleModule(
argument_spec = dict(
autoversion = dict(default=False, type='bool'),
context = dict(default=None, type='dict'),
digest = dict(default='SHA256', type='str'),
fact = dict(default=None, type='str'),
fact_type = dict(default=None, choices=['yaml','json']),
key = dict(default='alias/credstash', type='str'),
mode = dict(default='get', choices=['get', 'put']),
region = dict(default='us-east-1', type='str'),
secret = dict(required=True, type='str'),
table = dict(default='credential-store', type='str'),
value = dict(default=None, type='str'),
version = dict(default='', type='str'),
)
)
args_dict = {
'autoversion' : module.params.get('autoversion'),
'context' : module.params.get('context'),
'digest' : module.params.get('digest'),
'fact' : module.params.get('fact'),
'fact_type' : module.params.get('fact_type'),
'credential' : module.params.get('secret'),
'key' : module.params.get('key'),
'mode' : module.params.get('mode'),
'region' : module.params.get('region'),
'table' : module.params.get('table'),
'value' : module.params.get('value'),
'version' : module.params.get('version'),
}
args = Arguments(args_dict)
result = dict(changed=False, failed=False)
if module.params.get('mode') == 'put':
result['output'] = credstash.putSecretAction(args, args.region)
result['changed'] = True
try:
result['output'] = credstash.getSecret(module.params.get('secret'), module.params.get('version'), \
module.params.get('region'), module.params.get('table'), module.params.get('context'))
except credstash.ItemNotFound:
module.fail_json(msg="credstash secret not found")
if module.params.get('fact') is not None:
if module.params.get('fact_type') == 'yaml':
result['ansible_facts'] = { module.params.get('fact'): yaml.safe_load(result['output']) }
elif module.params.get('fact_type') == 'json':
result['ansible_facts'] = { module.params.get('fact'): json.load(result['output']) }
else:
result['ansible_facts'] = { module.params.get('fact'): result['output'] }
module.exit_json(**result)
def __init__(self):
"""General object initializer."""
self.OIDC_DOMAIN = credstash.getSecret(
name="observatory.oidc_domain",
context={'app': 'serverless-observatory'},
region="us-east-1")
self.OIDC_CLIENT_ID = credstash.getSecret(
name="observatory.client_id",
context={'app': 'serverless-observatory'},
region="us-east-1")
self.OIDC_CLIENT_SECRET = credstash.getSecret(
name="observatory.client_secret",
context={'app': 'serverless-observatory'},
region="us-east-1")
self.LOGIN_URL = "https://{DOMAIN}/login?client={CLIENT_ID}".format(
DOMAIN=self.OIDC_DOMAIN, CLIENT_ID=self.OIDC_CLIENT_ID)
def get(self, name):
try:
value = credstash.getSecret(name,
region=region(),
table=table())
return value
except ItemNotFound:
sys.stderr.write(
'cant find credstash value for key "%s"\n' % name)
sys.exit(1)
def test_creates_key_on_first_run(self):
key_name = run_tiltfile_func(
"local_resource_ext/Tiltfile",
"credstash_key",
mocks={'local_resource': local_resource_integration},
resource_name="my_key",
val="my_secret",
)
assert credstash.getSecret(key_name) == 'my_secret'
class Config(object):
"""Defaults for the configuration objects."""
DEBUG = True
TESTING = False
CSRF_ENABLED = True
SECRET_KEY = credstash.getSecret(name="observatory.secret_key",
context={'app': 'serverless-observatory'},
region="us-east-1")
SERVER_NAME = "serverless-observatory.threatresponse.cloud"
SESSION_COOKIE_HTTPONLY = True
LOGGER_NAME = "serverless-observatory"
TEMPLATES_AUTO_RELOAD = True
def _get_credential(self, key):
context = {}
if self.env:
context['env'] = self.env
if self.appid:
context['appid'] = self.appid
if self.client:
context['client'] = self.client
secret = getSecret(key, region=DEFAULT_REGION, context=context)
return secret
def __getitem__(self, key):
"""
Enable dict-like access
"""
if not self._initialized:
self._initialize()
return credstash.getSecret(
key,
version=self._version,
region=self._region,
table=self._table)
def _get_credential(self, key):
context = {}
if self.env:
context['env'] = self.env
if self.appid:
context['appid'] = self.appid
if self.client:
context['client'] = self.client
secret = getSecret(key, region=DEFAULT_REGION, context=context)
return secret
class Config(object):
"""Defaults"""
blogger.setLevel(logging.INFO)
DEBUG = False
TESTING = False
SECRET_KEY = credstash.getSecret(name="riskheatmap.secret_key",
context={'app': 'riskheatmap'},
region="us-east-1")
SERVER_NAME = os.environ['SERVER_NAME']
PERMANENT_SESSION = os.environ['PERMANENT_SESSION']
PERMANENT_SESSION_LIFETIME = int(os.environ['PERMANENT_SESSION_LIFETIME'])
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = False
LOGGER_NAME = "riskheatmap"
def query_credstash(self, key, region):
"""
Query credstash for a specific key in the credstash table as specified by
the `credstash_table` config setting. Returns None if no table is configured.
:param str key: The key in the credstash table to query.
:param str region: The name of the AWS region to query credstash.
:return: The value of the credstash key.
:rtype: str or None
"""
table = self.get_region_setting(region, "credstash_table")
if table:
r = credstash.getSecret(key, region=region, table=table)
return r
return None
def run(self, terms, variables, **kwargs):
if not CREDSTASH_INSTALLED:
raise AnsibleError("The credstash lookup plugin requires credstash to be installed.")
ret = []
for term in terms:
try:
val = credstash.getSecret(term, **kwargs)
except credstash.ItemNotFound:
raise AnsibleError("Key {0} not found".format(term))
except Exception as e:
raise AnsibleError("Encountered exception while fetching {0}: {1}".format(term, e.message))
ret.append(val)
return ret
def run(self, terms, variables, **kwargs):
if not CREDSTASH_INSTALLED:
raise AnsibleError(
'The credstash lookup plugin requires credstash to be installed.'
)
ret = []
for term in terms:
try:
val = credstash.getSecret(term, **kwargs)
except credstash.ItemNotFound:
raise AnsibleError('Key {0} not found'.format(term))
except Exception, e:
raise AnsibleError(
'Encountered exception while fetching {0}: {1}'.format(
term, e.message))
ret.append(val)
def get_secret(self, name, context):
"""
Get a secret.
First tries to load a secret from the local file, then falls back
to credstash. The context is not considered when looking secrets up
in the local file.
"""
secret = self.get_local(name)
if secret is None:
try:
return credstash.getSecret(name,
region=self.region,
context=context)
except credstash.ItemNotFound:
raise ItemNotFound(name)
else:
return secret
def _secret_yaml(loader: SafeLineLoader,
node: yaml.nodes.Node):
"""Load secrets and embed it into the configuration YAML."""
secret_path = os.path.dirname(loader.name)
while True:
secrets = _load_secret_yaml(secret_path)
if node.value in secrets:
_LOGGER.debug("Secret %s retrieved from secrets.yaml in "
"folder %s", node.value, secret_path)
return secrets[node.value]
if secret_path == os.path.dirname(sys.path[0]):
break # sys.path[0] set to config/deps folder by bootstrap
secret_path = os.path.dirname(secret_path)
if not os.path.exists(secret_path) or len(secret_path) < 5:
break # Somehow we got past the .homeassistant config folder
if keyring:
# do some keyring stuff
pwd = keyring.get_password(_SECRET_NAMESPACE, node.value)
if pwd:
_LOGGER.debug("Secret %s retrieved from keyring", node.value)
return pwd
global credstash # pylint: disable=invalid-name
if credstash:
# pylint: disable=no-member
try:
pwd = credstash.getSecret(node.value, table=_SECRET_NAMESPACE)
if pwd:
_LOGGER.debug("Secret %s retrieved from credstash", node.value)
return pwd
except credstash.ItemNotFound:
pass
except Exception: # pylint: disable=broad-except
# Catch if package installed and no config
credstash = None
_LOGGER.error("Secret %s not defined", node.value)
raise HomeAssistantError(node.value)
def secret_yaml(loader: SafeLineLoader,
node: yaml.nodes.Node) -> JSON_TYPE:
"""Load secrets and embed it into the configuration YAML."""
secret_path = os.path.dirname(loader.name)
while True:
secrets = _load_secret_yaml(secret_path)
if node.value in secrets:
_LOGGER.debug("Secret %s retrieved from secrets.yaml in "
"folder %s", node.value, secret_path)
return secrets[node.value]
if secret_path == os.path.dirname(sys.path[0]):
break # sys.path[0] set to config/deps folder by bootstrap
secret_path = os.path.dirname(secret_path)
if not os.path.exists(secret_path) or len(secret_path) < 5:
break # Somehow we got past the .homeassistant config folder
if keyring:
# do some keyring stuff
pwd = keyring.get_password(_SECRET_NAMESPACE, node.value)
if pwd:
_LOGGER.debug("Secret %s retrieved from keyring", node.value)
return pwd
global credstash # pylint: disable=invalid-name
if credstash:
# pylint: disable=no-member
try:
pwd = credstash.getSecret(node.value, table=_SECRET_NAMESPACE)
if pwd:
_LOGGER.debug("Secret %s retrieved from credstash", node.value)
return pwd
except credstash.ItemNotFound:
pass
except Exception: # pylint: disable=broad-except
# Catch if package installed and no config
credstash = None
raise HomeAssistantError("Secret {} not defined".format(node.value))
def run(self, terms, variables, **kwargs):
if not CREDSTASH_INSTALLED:
raise AnsibleError('The credstash lookup plugin requires credstash to be installed.')
ret = []
for term in terms:
try:
version = kwargs.pop('version', '')
region = kwargs.pop('region', None)
table = kwargs.pop('table', 'credential-store')
val = credstash.getSecret(term, version, region, table,
context=kwargs)
except credstash.ItemNotFound:
raise AnsibleError('Key {0} not found'.format(term))
except Exception as e:
raise AnsibleError('Encountered exception while fetching {0}: {1}'.format(term, e.message))
ret.append(val)
return ret
def _secret_yaml(loader: SafeLineLoader,
node: yaml.nodes.Node):
"""Load secrets and embed it into the configuration YAML."""
secret_path = os.path.dirname(loader.name)
while True:
secrets = _load_secret_yaml(secret_path)
if node.value in secrets:
_LOGGER.debug("Secret %s retrieved from secrets.yaml in "
"folder %s", node.value, secret_path)
return secrets[node.value]
if secret_path == os.path.dirname(sys.path[0]):
break # sys.path[0] set to config/deps folder by bootstrap
secret_path = os.path.dirname(secret_path)
if not os.path.exists(secret_path) or len(secret_path) < 5:
break # Somehow we got past the .homeassistant config folder
if keyring:
# do some keyring stuff
pwd = keyring.get_password(_SECRET_NAMESPACE, node.value)
if pwd:
_LOGGER.debug("Secret %s retrieved from keyring", node.value)
return pwd
if credstash:
try:
pwd = credstash.getSecret(node.value, table=_SECRET_NAMESPACE)
if pwd:
_LOGGER.debug("Secret %s retrieved from credstash", node.value)
return pwd
except credstash.ItemNotFound:
pass
_LOGGER.error("Secret %s not defined", node.value)
raise HomeAssistantError(node.value)
#!/usr/bin/env python
import credstash
secret_value = credstash.getSecret('secret_key', region='us-west-2', table='credstash-table')
print secret_value
def run(args):
"""Handle credstash script."""
parser = argparse.ArgumentParser(
description=("Modify Home Assistant secrets in credstash."
"Use the secrets in configuration files with: "
"!secret <name>"))
parser.add_argument(
'--script', choices=['credstash'])
parser.add_argument(
'action', choices=['get', 'put', 'del', 'list'],
help="Get, put or delete a secret, or list all available secrets")
parser.add_argument(
'name', help="Name of the secret", nargs='?', default=None)
parser.add_argument(
'value', help="The value to save when putting a secret",
nargs='?', default=None)
import credstash
import botocore
args = parser.parse_args(args)
table = _SECRET_NAMESPACE
try:
credstash.listSecrets(table=table)
except botocore.errorfactory.ClientError:
credstash.createDdbTable(table=table)
if args.action == 'list':
secrets = [i['name'] for i in credstash.listSecrets(table=table)]
deduped_secrets = sorted(set(secrets))
print('Saved secrets:')
for secret in deduped_secrets:
print(secret)
return 0
if args.name is None:
parser.print_help()
return 1
if args.action == 'put':
if args.value:
the_secret = args.value
else:
the_secret = getpass.getpass('Please enter the secret for {}: '
.format(args.name))
current_version = credstash.getHighestVersion(args.name, table=table)
credstash.putSecret(args.name,
the_secret,
version=int(current_version) + 1,
table=table)
print('Secret {} put successfully'.format(args.name))
elif args.action == 'get':
the_secret = credstash.getSecret(args.name, table=table)
if the_secret is None:
print('Secret {} not found'.format(args.name))
else:
print('Secret {}={}'.format(args.name, the_secret))
elif args.action == 'del':
credstash.deleteSecrets(args.name, table=table)
print('Deleted secret {}'.format(args.name))
