default port is 8200, not 8000

This commit is contained in:
brent s. 2020-03-29 23:13:41 -04:00
parent a904f158da
commit 7e839f7058
Signed by: bts
GPG Key ID: 8C004C2F93481F6B
4 changed files with 65 additions and 16 deletions


@ -48,7 +48,7 @@ for how default values/behaviour are determined.] This element is a container fo
Vault server. This consists of: Vault server. This consists of:
... A single `uri` element.footnote:optelem[] It should be the same as the **base** URL for your Vault server. ... A single `uri` element.footnote:optelem[] It should be the same as the **base** URL for your Vault server.
The default (if not specified) is to first check for a **`VAULT_SERVER`** environment variable and, if not found, to use The default (if not specified) is to first check for a **`VAULT_SERVER`** environment variable and, if not found, to use
`http://localhost:8000/`. `http://localhost:8200/`.
... An unseal directive, which can be used to (attempt to) automatically unseal the server if it is sealed. ... An unseal directive, which can be used to (attempt to) automatically unseal the server if it is sealed.
This isn't required, but can assist in automatic operation. This isn't required, but can assist in automatic operation.
One of either:footnote:optelem[] One of either:footnote:optelem[]
@ -72,7 +72,7 @@ Let's look at an example configuration.
xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd"> xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd">


<server> <server>
<uri>http://localhost:8000/</uri> <uri>http://localhost:8200/</uri>
<unseal>YOUR_UNSEAL_SHARD</unseal> <unseal>YOUR_UNSEAL_SHARD</unseal>
</server> </server>
<auth> <auth>
@ -82,7 +82,7 @@ Let's look at an example configuration.
</vaultpass> </vaultpass>
---- ----


In the above, we can see that it would use the vault server at `http://localhost:8000/` using whatever token is either In the above, we can see that it would use the vault server at `http://localhost:8200/` using whatever token is either
in the **`VAULT_TOKEN`** environment variable or, if empty, the `~/.vault-token` file. Because an unseal shard was in the **`VAULT_TOKEN`** environment variable or, if empty, the `~/.vault-token` file. Because an unseal shard was
provided, it will be able to attempt to automatically unseal the Vault (assuming its shard will complete the threshold provided, it will be able to attempt to automatically unseal the Vault (assuming its shard will complete the threshold
needed). needed).
@ -266,7 +266,7 @@ Let's look at an example of GPG-encrypted elements.
xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd"> xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd">


<server> <server>
<uri>http://localhost:8000/</uri> <uri>http://localhost:8200/</uri>
<unsealGpg gpgHome="~/.gnupg">~/.private/vaultpass/unseal.asc</unsealGpg> <unsealGpg gpgHome="~/.gnupg">~/.private/vaultpass/unseal.asc</unsealGpg>
</server> </server>
<authGpg gpgHome="~/.gnupg">~/.private/vaultpass/auth.gpg</unsealGpg> <authGpg gpgHome="~/.gnupg">~/.private/vaultpass/auth.gpg</unsealGpg>


@ -3,8 +3,8 @@
xmlns="https://git.square-r00t.net/VaultPass/" xmlns="https://git.square-r00t.net/VaultPass/"
xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd"> xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd">
<server> <server>
<!-- Optional; defaults to http://localhost:8000/ --> <!-- Optional; defaults to http://localhost:8200/ -->
<uri>http://localhost:8000/</uri> <uri>http://localhost:8200/</uri>
<!-- OPTIONAL! If an unseal shard is provided and the server is sealed, we will attempt <!-- OPTIONAL! If an unseal shard is provided and the server is sealed, we will attempt
unsealing with the shard(s) provided. --> unsealing with the shard(s) provided. -->
<unseal>WU9VUiBVTlNFQUwgU0hBUkQgSEVSRQo=</unseal> <unseal>WU9VUiBVTlNFQUwgU0hBUkQgSEVSRQo=</unseal>


@ -1,12 +1,12 @@
import logging import logging
import os
## ##
from . import logger
_logger = logging.getLogger('VaultPass')
from . import auth from . import auth
from . import clipboard from . import clipboard
from . import config from . import config
from . import logger from . import mounts


_logger = logging.getLogger('VaultPass')




class PassMan(object): class PassMan(object):
@ -18,19 +18,50 @@ class PassMan(object):
self.cfg = config.getConfig(cfg) self.cfg = config.getConfig(cfg)
self._getURI() self._getURI()
self.getClient() self.getClient()
self._checkSeal()

def _checkSeal(self):
_logger.debug('Checking and attempting unseal if necessary and possible.')
if not self.client.sys.is_sealed():
_logger.debug('Unsealing unnecessary; Vault is already unsealed.')
return(None)
shard = self.cfg.xml.find('unseal')
if shard is None:
_logger.debug('Vault is sealed but no key shard was provided.')
_logger.error('Vault is sealed')
raise RuntimeError('Vault is sealed')
self.client.sys.submit_unseal_key(shard.text)
if self.client.sys.is_sealed:
_logger.debug(('Vault is sealed and either our unseal shard is incorrect or it is not enough to meet the '
'unseal shard threshold.'))
_logger.error('Unable to unseal')
raise RuntimeError('Unable to unseal')
return(None)


def _getURI(self): def _getURI(self):
uri = self.cfg.xml.find('uri') uri = self.cfg.xml.find('.//uri')
if uri is None: if uri is None:
uri = 'http://localhost:8000/' _logger.debug('No server URI specified; checking ${VAULT_ADDR}')
pass _uri = os.environ.get('VAULT_ADDR')
if not _uri:
_logger.debug('No ${VAULT_ADDR}; using default of http://localhost:8200/')
uri = 'http://localhost:8200/'
else:
uri = _uri
else:
uri = uri.text
self.uri = uri
_logger.debug('Set URI to {0}'.format(self.uri))
return(None)


def getClient(self): def getClient(self):
# This may need to be re-tooled in the future. auth_xml = self.cfg.xml.find('.//auth')
auth_xml = self.cfg.xml.find('auth')
if auth_xml is None: if auth_xml is None:
_logger.debug('No auth section was found in the configuration file.')
_logger.error('Could not find authentication')
raise RuntimeError('Could not find authentication') raise RuntimeError('Could not find authentication')
authmethod_xml = auth_xml.getchildren()[0] authmethod_xml = auth_xml.getchildren()[0]
_logger.debug('Attempting to auto-detect the authentication method...')
for a in dir(auth): for a in dir(auth):
if a.startswith('_'): if a.startswith('_'):
continue continue
@ -42,10 +73,15 @@ class PassMan(object):
continue continue
self.auth = c(self.uri, self.auth = c(self.uri,
authmethod_xml) authmethod_xml)
_logger.debug('Found auth method: {0}'.format(self.auth.name))
break break
if not self.auth: if not self.auth:
_logger.error('Invalid auth configuration')
_logger.debug('Auth specified ({0}) was not found or is not supported'.format(authmethod_xml.tag)) _logger.debug('Auth specified ({0}) was not found or is not supported'.format(authmethod_xml.tag))
_logger.error('Invalid auth configuration')
raise RuntimeError('Invalid auth configuration') raise RuntimeError('Invalid auth configuration')
self.client = self.auth.client self.client = self.auth.client
if not self.client.sys.is_initialized():
_logger.debug('Vault instance is not initialized. Please initialize (and configure, if necessary) first.')
_logger.error('Not initialized')
raise RuntimeError('Not initialized')
return(None) return(None)
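Review bot: The post-submit check in `_checkSeal` (second hunk, `if self.client.sys.is_sealed:`) tests the bound method object rather than calling it, and a method object is always truthy, so after a shard is submitted the code unconditionally logs and raises 'Unable to unseal' even when the shard completes the threshold; it should read `if self.client.sys.is_sealed():`, matching the call form used at the top of the same method. In the same method the shard is looked up with `self.cfg.xml.find('unseal')`, a direct-child search from the root, while this commit moves `_getURI` and `getClient` to `.//uri` and `.//auth`; the example config in this commit nests `<unseal>` under `<server>`, so `find('.//unseal')` is presumably what is intended, otherwise a sealed Vault will always hit the 'no key shard was provided' path. Also note the docs hunk in this commit says the fallback environment variable is `VAULT_SERVER`, whereas `_getURI` reads `VAULT_ADDR` (Vault's standard variable); one of the two should be corrected so operators do not set a variable the code never reads. Since the shard is a key share, it is good that none of the new log lines include `shard.text`; a one-line comment `# never log the shard value` above the submit call would keep it that way.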

13
vaultpass/mounts.py Normal file
View File

@ -0,0 +1,13 @@
class MountHandler(object):
def __init__(self, client, mounts_xml = None):
self.client = client
self.mounts = {}

def getSysMounts(self):
pass

def print(self):
pass

def search(self):
pass
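Review bot: `MountHandler.__init__` accepts `mounts_xml` but never stores or reads it, so callers passing mount configuration will silently have it dropped; either assign it (`self.mounts_xml = mounts_xml`) or drop the parameter until the stub methods use it. The method named `print` shadows the builtin and makes `print(...)` unusable inside the class body for debugging; a name like `show` or `dump` avoids that. A short class docstring stating that this is a placeholder for enumerating Vault secret-engine mounts via `client` would make the intent clear while the bodies are still `pass`.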