From 7e839f7058a7bcd1809630d5b290f08a7b31dc17 Mon Sep 17 00:00:00 2001 From: brent s Date: Sun, 29 Mar 2020 23:13:41 -0400 Subject: [PATCH] default port is 8200, not 8000 --- docs/README.adoc | 8 +++---- example.vaultpass.xml | 4 ++-- vaultpass/__init__.py | 56 +++++++++++++++++++++++++++++++++++-------- vaultpass/mounts.py | 13 ++++++++++ 4 files changed, 65 insertions(+), 16 deletions(-) create mode 100644 vaultpass/mounts.py diff --git a/docs/README.adoc b/docs/README.adoc index 97cc3f1..a69231a 100644 --- a/docs/README.adoc +++ b/docs/README.adoc @@ -48,7 +48,7 @@ for how default values/behaviour are determined.] This element is a container fo Vault server. This consists of: ... A single `uri` element.footnote:optelem[] It should be the same as the **base** URL for your Vault server. The default (if not specified) is to first check for a **`VAULT_SERVER`** environment variable and, if not found, to use -`http://localhost:8000/`. +`http://localhost:8200/`. ... An unseal directive, which can be used to (attempt to) automatically unseal the server if it is sealed. This isn't required, but can assist in automatic operation. One of either:footnote:optelem[] @@ -72,7 +72,7 @@ Let's look at an example configuration. xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd"> - http://localhost:8000/ + http://localhost:8200/ YOUR_UNSEAL_SHARD @@ -82,7 +82,7 @@ Let's look at an example configuration. ---- -In the above, we can see that it would use the vault server at `http://localhost:8000/` using whatever token is either +In the above, we can see that it would use the vault server at `http://localhost:8200/` using whatever token is either in the **`VAULT_TOKEN`** environment variable or, if empty, the `~/.vault-token` file. Because an unseal shard was provided, it will be able to attempt to automatically unseal the Vault (assuming its shard will complete the threshold needed). @@ -266,7 +266,7 @@ Let's look at an example of GPG-encrypted elements. xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd"> - http://localhost:8000/ + http://localhost:8200/ ~/.private/vaultpass/unseal.asc ~/.private/vaultpass/auth.gpg diff --git a/example.vaultpass.xml b/example.vaultpass.xml index 6158c5d..19a71ab 100644 --- a/example.vaultpass.xml +++ b/example.vaultpass.xml @@ -3,8 +3,8 @@ xmlns="https://git.square-r00t.net/VaultPass/" xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd"> - - http://localhost:8000/ + + http://localhost:8200/ WU9VUiBVTlNFQUwgU0hBUkQgSEVSRQo= diff --git a/vaultpass/__init__.py b/vaultpass/__init__.py index ee1ae1c..8f50b4c 100644 --- a/vaultpass/__init__.py +++ b/vaultpass/__init__.py @@ -1,12 +1,12 @@ import logging +import os ## +from . import logger +_logger = logging.getLogger('VaultPass') from . import auth from . import clipboard from . import config -from . import logger - - -_logger = logging.getLogger('VaultPass') +from . import mounts class PassMan(object): @@ -18,19 +18,50 @@ class PassMan(object): self.cfg = config.getConfig(cfg) self._getURI() self.getClient() + self._checkSeal() + + def _checkSeal(self): + _logger.debug('Checking and attempting unseal if necessary and possible.') + if not self.client.sys.is_sealed(): + _logger.debug('Unsealing unnecessary; Vault is already unsealed.') + return(None) + shard = self.cfg.xml.find('unseal') + if shard is None: + _logger.debug('Vault is sealed but no key shard was provided.') + _logger.error('Vault is sealed') + raise RuntimeError('Vault is sealed') + self.client.sys.submit_unseal_key(shard.text) + if self.client.sys.is_sealed: + _logger.debug(('Vault is sealed and either our unseal shard is incorrect or it is not enough to meet the ' + 'unseal shard threshold.')) + _logger.error('Unable to unseal') + raise RuntimeError('Unable to unseal') + return(None) def _getURI(self): - uri = self.cfg.xml.find('uri') + uri = self.cfg.xml.find('.//uri') if uri is None: - uri = 'http://localhost:8000/' - pass + _logger.debug('No server URI specified; checking ${VAULT_ADDR}') + _uri = os.environ.get('VAULT_ADDR') + if not _uri: + _logger.debug('No ${VAULT_ADDR}; using default of http://localhost:8200/') + uri = 'http://localhost:8200/' + else: + uri = _uri + else: + uri = uri.text + self.uri = uri + _logger.debug('Set URI to {0}'.format(self.uri)) + return(None) def getClient(self): - # This may need to be re-tooled in the future. - auth_xml = self.cfg.xml.find('auth') + auth_xml = self.cfg.xml.find('.//auth') if auth_xml is None: + _logger.debug('No auth section was found in the configuration file.') + _logger.error('Could not find authentication') raise RuntimeError('Could not find authentication') authmethod_xml = auth_xml.getchildren()[0] + _logger.debug('Attempting to auto-detect the authentication method...') for a in dir(auth): if a.startswith('_'): continue @@ -42,10 +73,15 @@ class PassMan(object): continue self.auth = c(self.uri, authmethod_xml) + _logger.debug('Found auth method: {0}'.format(self.auth.name)) break if not self.auth: - _logger.error('Invalid auth configuration') _logger.debug('Auth specified ({0}) was not found or is not supported'.format(authmethod_xml.tag)) + _logger.error('Invalid auth configuration') raise RuntimeError('Invalid auth configuration') self.client = self.auth.client + if not self.client.sys.is_initialized(): + _logger.debug('Vault instance is not initialized. Please initialize (and configure, if necessary) first.') + _logger.error('Not initialized') + raise RuntimeError('Not initialized') return(None) diff --git a/vaultpass/mounts.py b/vaultpass/mounts.py new file mode 100644 index 0000000..c36e3f0 --- /dev/null +++ b/vaultpass/mounts.py @@ -0,0 +1,13 @@ +class MountHandler(object): + def __init__(self, client, mounts_xml = None): + self.client = client + self.mounts = {} + + def getSysMounts(self): + pass + + def print(self): + pass + + def search(self): + pass