hiera-eyaml-vault 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 2500c39c866bab8c7403755030356b0fcecaa9cd433157e961e6a4e7f87d7d8a
+  data.tar.gz: 44966b8d2fba03c146d9f8835893f4c5245bd0655bc4db6667f708e25f78ce63
+SHA512:
+  metadata.gz: d8e4f2a4655ec04907d4ca9f1687123eea7b106b669a6fdd90c341acb23f6e693071a1026172b25c964928cc956e9d2a476781185f7569010984349938d99f6d
+  data.tar.gz: caddceb7edacdaf8a3f00a2b63bf5de647df5b54613aef49d54b74f5c62e7f510e4f3b205849740715bb605347e377a7d0c1f85c5b5fb17214cb5c78dbbc5445

data/lib/hiera/backend/eyaml/encryptors/vault.rb

@@ -0,0 +1,202 @@
+require 'base64'
+require 'hiera/backend/eyaml/encryptor'
+require 'hiera/backend/eyaml/encryptors/vault/httphandler'
+require 'hiera/backend/eyaml/utils'
+require 'hiera/backend/eyaml/plugins'
+require 'hiera/backend/eyaml/options'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Encryptors
+        class Vault < Encryptor
+          class AuthenticationError < Exception
+          end
+
+
+          VERSION = "0.0.1"
+          HTTP_HANDLER = Hiera::Backend::Eyaml::Encryptors::Vault::Httphandler
+
+          self.tag = 'VAULT'
+
+          self.options = {
+            :addr => {
+              desc: "Address of the vault server",
+              type: :string,
+              default: "https://127.0.0.1:8200"
+            },
+
+            :role_id => {
+              desc: "role_id for the Approle",
+              type: :string,
+            },
+
+            :secret_id => {
+              desc: "secret_id for the Approle",
+              type: :string,
+            },
+
+            :use_ssl => {
+              desc: "Use SSL to connect to vault",
+              type: :boolean,
+              default: true
+            },
+
+            :ssl_verify => {
+              desc: "Verify SSL certs",
+              type: :boolean,
+              default: true
+            },
+
+            :keyname => {
+              desc: "Vault transit key name (default 'hiera')",
+              type: :string,
+              default: 'hiera'
+            },
+
+            :api_version => {
+              desc: "API version to use",
+              type: :integer,
+              default: 1
+            }
+          }
+          class << self
+
+            def create_keys
+              diagnostic_message = self.option :diagnostic_message 
+              puts "Create_keys: #{diagnostic_message}"
+            end
+
+            #### BEGIN IMPORT
+
+            def vault_url(endpoint)
+              uri = []
+              uri << option(:addr)
+              uri << "v#{option :api_version}"
+              uri << endpoint
+              uri.flatten.join("/")
+            end
+
+            def login
+              role_id = option :role_id
+              secret_id = option :secret_id
+
+              login_data = { "role_id" => role_id }
+              login_data['secret_id'] = secret_id unless secret_id.nil?
+
+              response = vault_post(login_data, :login, false)
+              @approle_token = response['auth']['client_token']
+            end
+
+            def ssl?
+              option :use_ssl
+            end
+
+            def read_file(file)
+              raise Exception, "Cannot read #{file}" unless File.exists?(file)
+              File.read(file)
+            end
+
+            def ssl_key
+              return nil if option(:ssl_key).nil?
+              @vault_ssl_key ||= read_file(option :ssl_key)
+              @vault_ssl_key
+            end
+
+            def ssl_cert
+              return nil if option(:ssl_cert).nil?
+              @vault_ssl_cert ||= read_file(option :ssl_cert)
+              @vault_ssl_cert
+            end
+
+
+            def token_configured?
+              not option(:token).nil?
+            end
+
+            def token
+              authenticate
+              option(:token) || @approle_token
+            end
+
+            def authenticate
+              unless token_configured?
+                login if @approle_token.nil?
+              end
+            end
+
+            def endpoint(action)
+              {
+                :decrypt => "transit/decrypt/#{option :keyname}",
+                :encrypt => "transit/encrypt/#{option :keyname}",
+                :login   => "auth/approle/login"
+              }[action]
+            end
+
+            def url_path(action)
+              vault_url(endpoint(action))
+            end
+
+
+
+            def parse_response(response)
+              body = JSON.load(response.body)
+              if response.code_type == Net::HTTPOK
+                return body
+              else
+                if response.code == "403"
+                  raise AuthenticationError, body
+                end
+                if body['errors'].is_a?(Array)
+                  message = body['errors'].join("\n")
+                else
+                  message = "Failed to decrypt entry #{body}"
+                end
+                raise Exception, "Error decrypting data from Vault: #{message}"
+              end
+            end
+
+            def vault_post(data, action, use_token=true, headers={})
+              url = url_path(action)
+              http_options = {}
+
+              if ssl?
+                http_options = {
+                  :ssl        => true,
+                  :ssl_verify => option(:ssl_verify),
+                  :ssl_cert   => ssl_cert,
+                  :ssl_key    => ssl_key,
+                }
+              end
+
+              begin
+                tries ||= 0
+                headers['X-Vault-Token'] = token if use_token
+                parse_response HTTP_HANDLER.post(url, data, headers, http_options)
+              rescue AuthenticationError => e
+                login
+                retry if (tries += 1) < 2
+                raise
+              rescue HTTPError => e
+                raise Exception, "HTTP Error: #{e}"
+              end
+            end
+
+            def decrypt(string)
+              response = vault_post({ 'ciphertext' => string}, :decrypt)
+              response_data=response['data']
+              Base64.decode64(response_data['plaintext'])
+            end
+
+            def encrypt(plain)
+              encoded = Base64.encode64(plain)
+              response = vault_post({ 'plaintext' => encoded}, :encrypt)
+              response_data=response['data']
+              response_data['ciphertext']
+            end
+          end 
+        end
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/encryptors/vault/eyaml_init.rb

@@ -0,0 +1,3 @@
+require 'hiera/backend/eyaml/encryptors/vault'
+
+Hiera::Backend::Eyaml::Encryptors::Vault.register

data/lib/hiera/backend/eyaml/encryptors/vault/httphandler.rb

@@ -0,0 +1,59 @@
+require 'net/http'
+require 'json'
+require 'openssl'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Encryptors
+        class Vault < Encryptor
+          class HTTPError < Exception
+          end
+          class Httphandler
+            class << self
+
+              def post(uri_str, data={}, headers={}, options={})
+                uri = URI.parse(uri_str)
+                request = Net::HTTP::Post.new(uri.path)
+                request.body = data.to_json
+                http_send(uri, request, headers, options)
+              end
+
+              def put(uri_str, data={}, headers={}, options={})
+                uri = URI.parse(uri_str)
+                request = Net::HTTP::Put.new(uri.path)
+                request.body = data.to_json
+                http_send(uri, request, headers, options)
+              end
+
+
+              def http_send(uri, request, headers={}, options={})
+                request.add_field('Content-Type', options[:content_type]) if options[:content_type]
+
+                headers.each do |header, value|
+                  request.add_field(header, value)
+                end
+
+                http = Net::HTTP.new(uri.host, uri.port)
+                if options[:ssl]
+                  http.use_ssl = true
+                  http.verify_mode = options[:ssl_verify] ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
+                  http.cert = OpenSSL::X509::Certificate.new(options[:ssl_cert]) if options[:ssl_cert]
+                  http.key = OpenSSL::PKey::RSA.new(options[:ssl_key]) if options[:ssl_key]
+                end
+
+                begin
+                  response = http.request(request)
+                  return response
+                rescue => e
+                  raise HTTPError, e.message
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
+

metadata

@@ -0,0 +1,60 @@
+--- !ruby/object:Gem::Specification
+name: hiera-eyaml-vault
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Craig Dunn
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-11-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: hiera-http
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
+description: Eyaml plugin for Vault transit secrets engine
+email: 
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/hiera/backend/eyaml/encryptors/vault.rb
+- lib/hiera/backend/eyaml/encryptors/vault/eyaml_init.rb
+- lib/hiera/backend/eyaml/encryptors/vault/httphandler.rb
+homepage: http://github.com/crayfishx/hiera-eyaml-vault
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6.2
+signing_key: 
+specification_version: 4
+summary: Encryption plugin for hiera-eyaml to use Vault's transit secrets engine
+test_files: []