default port is 8200, not 8000
This commit is contained in:
parent
a904f158da
commit
7e839f7058
@ -48,7 +48,7 @@ for how default values/behaviour are determined.] This element is a container fo
|
|||||||
Vault server. This consists of:
|
Vault server. This consists of:
|
||||||
... A single `uri` element.footnote:optelem[] It should be the same as the **base** URL for your Vault server.
|
... A single `uri` element.footnote:optelem[] It should be the same as the **base** URL for your Vault server.
|
||||||
The default (if not specified) is to first check for a **`VAULT_SERVER`** environment variable and, if not found, to use
|
The default (if not specified) is to first check for a **`VAULT_SERVER`** environment variable and, if not found, to use
|
||||||
`http://localhost:8000/`.
|
`http://localhost:8200/`.
|
||||||
... An unseal directive, which can be used to (attempt to) automatically unseal the server if it is sealed.
|
... An unseal directive, which can be used to (attempt to) automatically unseal the server if it is sealed.
|
||||||
This isn't required, but can assist in automatic operation.
|
This isn't required, but can assist in automatic operation.
|
||||||
One of either:footnote:optelem[]
|
One of either:footnote:optelem[]
|
||||||
@ -72,7 +72,7 @@ Let's look at an example configuration.
|
|||||||
xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd">
|
xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd">
|
||||||
|
|
||||||
<server>
|
<server>
|
||||||
<uri>http://localhost:8000/</uri>
|
<uri>http://localhost:8200/</uri>
|
||||||
<unseal>YOUR_UNSEAL_SHARD</unseal>
|
<unseal>YOUR_UNSEAL_SHARD</unseal>
|
||||||
</server>
|
</server>
|
||||||
<auth>
|
<auth>
|
||||||
@ -82,7 +82,7 @@ Let's look at an example configuration.
|
|||||||
</vaultpass>
|
</vaultpass>
|
||||||
----
|
----
|
||||||
|
|
||||||
In the above, we can see that it would use the vault server at `http://localhost:8000/` using whatever token is either
|
In the above, we can see that it would use the vault server at `http://localhost:8200/` using whatever token is either
|
||||||
in the **`VAULT_TOKEN`** environment variable or, if empty, the `~/.vault-token` file. Because an unseal shard was
|
in the **`VAULT_TOKEN`** environment variable or, if empty, the `~/.vault-token` file. Because an unseal shard was
|
||||||
provided, it will be able to attempt to automatically unseal the Vault (assuming its shard will complete the threshold
|
provided, it will be able to attempt to automatically unseal the Vault (assuming its shard will complete the threshold
|
||||||
needed).
|
needed).
|
||||||
@ -266,7 +266,7 @@ Let's look at an example of GPG-encrypted elements.
|
|||||||
xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd">
|
xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd">
|
||||||
|
|
||||||
<server>
|
<server>
|
||||||
<uri>http://localhost:8000/</uri>
|
<uri>http://localhost:8200/</uri>
|
||||||
<unsealGpg gpgHome="~/.gnupg">~/.private/vaultpass/unseal.asc</unsealGpg>
|
<unsealGpg gpgHome="~/.gnupg">~/.private/vaultpass/unseal.asc</unsealGpg>
|
||||||
</server>
|
</server>
|
||||||
<authGpg gpgHome="~/.gnupg">~/.private/vaultpass/auth.gpg</unsealGpg>
|
<authGpg gpgHome="~/.gnupg">~/.private/vaultpass/auth.gpg</unsealGpg>
|
||||||
|
@ -3,8 +3,8 @@
|
|||||||
xmlns="https://git.square-r00t.net/VaultPass/"
|
xmlns="https://git.square-r00t.net/VaultPass/"
|
||||||
xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd">
|
xsi:schemaLocation="https://git.square-r00t.net/VaultPass/ http://schema.xml.r00t2.io/projects/vaultpass.xsd">
|
||||||
<server>
|
<server>
|
||||||
<!-- Optional; defaults to http://localhost:8000/ -->
|
<!-- Optional; defaults to http://localhost:8200/ -->
|
||||||
<uri>http://localhost:8000/</uri>
|
<uri>http://localhost:8200/</uri>
|
||||||
<!-- OPTIONAL! If an unseal shard is provided and the server is sealed, we will attempt
|
<!-- OPTIONAL! If an unseal shard is provided and the server is sealed, we will attempt
|
||||||
unsealing with the shard(s) provided. -->
|
unsealing with the shard(s) provided. -->
|
||||||
<unseal>WU9VUiBVTlNFQUwgU0hBUkQgSEVSRQo=</unseal>
|
<unseal>WU9VUiBVTlNFQUwgU0hBUkQgSEVSRQo=</unseal>
|
||||||
|
@ -1,12 +1,12 @@
|
|||||||
import logging
|
import logging
|
||||||
|
import os
|
||||||
##
|
##
|
||||||
|
from . import logger
|
||||||
|
_logger = logging.getLogger('VaultPass')
|
||||||
from . import auth
|
from . import auth
|
||||||
from . import clipboard
|
from . import clipboard
|
||||||
from . import config
|
from . import config
|
||||||
from . import logger
|
from . import mounts
|
||||||
|
|
||||||
|
|
||||||
_logger = logging.getLogger('VaultPass')
|
|
||||||
|
|
||||||
|
|
||||||
class PassMan(object):
|
class PassMan(object):
|
||||||
@ -18,19 +18,50 @@ class PassMan(object):
|
|||||||
self.cfg = config.getConfig(cfg)
|
self.cfg = config.getConfig(cfg)
|
||||||
self._getURI()
|
self._getURI()
|
||||||
self.getClient()
|
self.getClient()
|
||||||
|
self._checkSeal()
|
||||||
|
|
||||||
|
def _checkSeal(self):
|
||||||
|
_logger.debug('Checking and attempting unseal if necessary and possible.')
|
||||||
|
if not self.client.sys.is_sealed():
|
||||||
|
_logger.debug('Unsealing unnecessary; Vault is already unsealed.')
|
||||||
|
return(None)
|
||||||
|
shard = self.cfg.xml.find('unseal')
|
||||||
|
if shard is None:
|
||||||
|
_logger.debug('Vault is sealed but no key shard was provided.')
|
||||||
|
_logger.error('Vault is sealed')
|
||||||
|
raise RuntimeError('Vault is sealed')
|
||||||
|
self.client.sys.submit_unseal_key(shard.text)
|
||||||
|
if self.client.sys.is_sealed:
|
||||||
|
_logger.debug(('Vault is sealed and either our unseal shard is incorrect or it is not enough to meet the '
|
||||||
|
'unseal shard threshold.'))
|
||||||
|
_logger.error('Unable to unseal')
|
||||||
|
raise RuntimeError('Unable to unseal')
|
||||||
|
return(None)
|
||||||
|
|
||||||
def _getURI(self):
|
def _getURI(self):
|
||||||
uri = self.cfg.xml.find('uri')
|
uri = self.cfg.xml.find('.//uri')
|
||||||
if uri is None:
|
if uri is None:
|
||||||
uri = 'http://localhost:8000/'
|
_logger.debug('No server URI specified; checking ${VAULT_ADDR}')
|
||||||
pass
|
_uri = os.environ.get('VAULT_ADDR')
|
||||||
|
if not _uri:
|
||||||
|
_logger.debug('No ${VAULT_ADDR}; using default of http://localhost:8200/')
|
||||||
|
uri = 'http://localhost:8200/'
|
||||||
|
else:
|
||||||
|
uri = _uri
|
||||||
|
else:
|
||||||
|
uri = uri.text
|
||||||
|
self.uri = uri
|
||||||
|
_logger.debug('Set URI to {0}'.format(self.uri))
|
||||||
|
return(None)
|
||||||
|
|
||||||
def getClient(self):
|
def getClient(self):
|
||||||
# This may need to be re-tooled in the future.
|
auth_xml = self.cfg.xml.find('.//auth')
|
||||||
auth_xml = self.cfg.xml.find('auth')
|
|
||||||
if auth_xml is None:
|
if auth_xml is None:
|
||||||
|
_logger.debug('No auth section was found in the configuration file.')
|
||||||
|
_logger.error('Could not find authentication')
|
||||||
raise RuntimeError('Could not find authentication')
|
raise RuntimeError('Could not find authentication')
|
||||||
authmethod_xml = auth_xml.getchildren()[0]
|
authmethod_xml = auth_xml.getchildren()[0]
|
||||||
|
_logger.debug('Attempting to auto-detect the authentication method...')
|
||||||
for a in dir(auth):
|
for a in dir(auth):
|
||||||
if a.startswith('_'):
|
if a.startswith('_'):
|
||||||
continue
|
continue
|
||||||
@ -42,10 +73,15 @@ class PassMan(object):
|
|||||||
continue
|
continue
|
||||||
self.auth = c(self.uri,
|
self.auth = c(self.uri,
|
||||||
authmethod_xml)
|
authmethod_xml)
|
||||||
|
_logger.debug('Found auth method: {0}'.format(self.auth.name))
|
||||||
break
|
break
|
||||||
if not self.auth:
|
if not self.auth:
|
||||||
_logger.error('Invalid auth configuration')
|
|
||||||
_logger.debug('Auth specified ({0}) was not found or is not supported'.format(authmethod_xml.tag))
|
_logger.debug('Auth specified ({0}) was not found or is not supported'.format(authmethod_xml.tag))
|
||||||
|
_logger.error('Invalid auth configuration')
|
||||||
raise RuntimeError('Invalid auth configuration')
|
raise RuntimeError('Invalid auth configuration')
|
||||||
self.client = self.auth.client
|
self.client = self.auth.client
|
||||||
|
if not self.client.sys.is_initialized():
|
||||||
|
_logger.debug('Vault instance is not initialized. Please initialize (and configure, if necessary) first.')
|
||||||
|
_logger.error('Not initialized')
|
||||||
|
raise RuntimeError('Not initialized')
|
||||||
return(None)
|
return(None)
|
||||||
|
13
vaultpass/mounts.py
Normal file
13
vaultpass/mounts.py
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
class MountHandler(object):
|
||||||
|
def __init__(self, client, mounts_xml = None):
|
||||||
|
self.client = client
|
||||||
|
self.mounts = {}
|
||||||
|
|
||||||
|
def getSysMounts(self):
|
||||||
|
pass
|
||||||
|
|
||||||
|
def print(self):
|
||||||
|
pass
|
||||||
|
|
||||||
|
def search(self):
|
||||||
|
pass
|
Reference in New Issue
Block a user