r00t2
/
vaultpass
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Activity

default port is 8200, not 8000

This commit is contained in:
brent s. 2020-03-29 23:13:41 -04:00
parent a904f158da
commit 7e839f7058
Signed by: bts
GPG Key ID: 8C004C2F93481F6B
4 changed files with 65 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
docs/README.adoc
View File

@ -48,7 +48,7 @@ for how default values/behaviour are determined.] This element is a container fo
Vault server. This consists of:
... A single `uri` element.footnote:optelem[] It should be the same as the **base** URL for your Vault server.
The default (if not specified) is to first check for a **`VAULT_SERVER`** environment variable and, if not found, to use
`http://localhost:8000/`.
`http://localhost:8200/`.
... An unseal directive, which can be used to (attempt to) automatically unseal the server if it is sealed.
This isn't required, but can assist in automatic operation.
One of either:footnote:optelem[]
@ -72,7 +72,7 @@ Let's look at an example configuration.
xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd">

<server>
<uri>http://localhost:8000/</uri>
<uri>http://localhost:8200/</uri>
<unseal>YOUR_UNSEAL_SHARD</unseal>
</server>
<auth>
@ -82,7 +82,7 @@ Let's look at an example configuration.
</vaultpass>
----

In the above, we can see that it would use the vault server at `http://localhost:8000/` using whatever token is either
In the above, we can see that it would use the vault server at `http://localhost:8200/` using whatever token is either
in the **`VAULT_TOKEN`** environment variable or, if empty, the `~/.vault-token` file. Because an unseal shard was
provided, it will be able to attempt to automatically unseal the Vault (assuming its shard will complete the threshold
needed).
@ -266,7 +266,7 @@ Let's look at an example of GPG-encrypted elements.
xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd">

<server>
<uri>http://localhost:8000/</uri>
<uri>http://localhost:8200/</uri>
<unsealGpg gpgHome="~/.gnupg">~/.private/vaultpass/unseal.asc</unsealGpg>
</server>
<authGpg gpgHome="~/.gnupg">~/.private/vaultpass/auth.gpg</unsealGpg>

4
example.vaultpass.xml
View File

@ -3,8 +3,8 @@
xmlns="https://git.square-r00t.net/VaultPass/"
xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd">
<server>
<!-- Optional; defaults to http://localhost:8000/ -->
<uri>http://localhost:8000/</uri>
<!-- Optional; defaults to http://localhost:8200/ -->
<uri>http://localhost:8200/</uri>
<!-- OPTIONAL! If an unseal shard is provided and the server is sealed, we will attempt
unsealing with the shard(s) provided. -->
<unseal>WU9VUiBVTlNFQUwgU0hBUkQgSEVSRQo=</unseal>

56
vaultpass/__init__.py
View File

@ -1,12 +1,12 @@
import logging
import os
##
from . import logger
_logger = logging.getLogger('VaultPass')
from . import auth
from . import clipboard
from . import config
from . import logger


_logger = logging.getLogger('VaultPass')
from . import mounts


class PassMan(object):
@ -18,19 +18,50 @@ class PassMan(object):
self.cfg = config.getConfig(cfg)
self._getURI()
self.getClient()
self._checkSeal()

def _checkSeal(self):
_logger.debug('Checking and attempting unseal if necessary and possible.')
if not self.client.sys.is_sealed():
_logger.debug('Unsealing unnecessary; Vault is already unsealed.')
return(None)
shard = self.cfg.xml.find('unseal')
if shard is None:
_logger.debug('Vault is sealed but no key shard was provided.')
_logger.error('Vault is sealed')
raise RuntimeError('Vault is sealed')
self.client.sys.submit_unseal_key(shard.text)
if self.client.sys.is_sealed:
_logger.debug(('Vault is sealed and either our unseal shard is incorrect or it is not enough to meet the '
'unseal shard threshold.'))
_logger.error('Unable to unseal')
raise RuntimeError('Unable to unseal')
return(None)

def _getURI(self):
uri = self.cfg.xml.find('uri')
uri = self.cfg.xml.find('.//uri')
if uri is None:
uri = 'http://localhost:8000/'
pass
_logger.debug('No server URI specified; checking ${VAULT_ADDR}')
_uri = os.environ.get('VAULT_ADDR')
if not _uri:
_logger.debug('No ${VAULT_ADDR}; using default of http://localhost:8200/')
uri = 'http://localhost:8200/'
else:
uri = _uri
else:
uri = uri.text
self.uri = uri
_logger.debug('Set URI to {0}'.format(self.uri))
return(None)

def getClient(self):
# This may need to be re-tooled in the future.
auth_xml = self.cfg.xml.find('auth')
auth_xml = self.cfg.xml.find('.//auth')
if auth_xml is None:
_logger.debug('No auth section was found in the configuration file.')
_logger.error('Could not find authentication')
raise RuntimeError('Could not find authentication')
authmethod_xml = auth_xml.getchildren()[0]
_logger.debug('Attempting to auto-detect the authentication method...')
for a in dir(auth):
if a.startswith('_'):
continue
@ -42,10 +73,15 @@ class PassMan(object):
continue
self.auth = c(self.uri,
authmethod_xml)
_logger.debug('Found auth method: {0}'.format(self.auth.name))
break
if not self.auth:
_logger.error('Invalid auth configuration')
_logger.debug('Auth specified ({0}) was not found or is not supported'.format(authmethod_xml.tag))
_logger.error('Invalid auth configuration')
raise RuntimeError('Invalid auth configuration')
self.client = self.auth.client
if not self.client.sys.is_initialized():
_logger.debug('Vault instance is not initialized. Please initialize (and configure, if necessary) first.')
_logger.error('Not initialized')
raise RuntimeError('Not initialized')
return(None)

13
vaultpass/mounts.py Normal file
View File

@ -0,0 +1,13 @@
class MountHandler(object):
def __init__(self, client, mounts_xml = None):
self.client = client
self.mounts = {}

def getSysMounts(self):
pass

def print(self):
pass

def search(self):
pass