sanctum 0.8.0

data/lib/sanctum/command/push.rb

@@ -0,0 +1,98 @@
+require 'pathname'
+require 'json'
+
+module Sanctum
+  module Command
+    class Push < Base
+
+      def run
+        targets.each do |target|
+          # Use command line if force: true
+          if options[:cli][:force]
+            force = options[:cli][:force]
+          else
+            force = target.fetch(:force) {options[:sanctum][:force]}
+          end
+
+          # Build array of local paths by recursively searching for local files for each prefix specified in sanctum.yaml
+          local_paths = get_local_paths(File.join(File.dirname(config_file), target[:path]))
+
+          local_secrets = build_local_secrets(local_paths)
+          vault_secrets = build_vault_secrets(local_paths, target[:prefix], target[:path])
+
+          # Compare secrets
+          # vault_secrets paths have been mapped to local_paths to make comparison easier
+          differences = compare_secrets(vault_secrets, local_secrets, target[:name], "push")
+          next if differences.nil?
+
+          # Get uniq array of HashDiff returned paths
+          diff_paths = differences.map{|x| x[1][0]}.uniq
+
+          # Only write changes
+          vault_secrets = only_changes(diff_paths, local_secrets)
+
+          #Convert paths back to vault prefix so we can sync
+          vault_secrets = vault_secrets.map {|k, v| [k.gsub(File.join(File.dirname(config_file), target[:path]), target[:prefix]), v] }.to_h
+
+          if force
+            warn red("#{target[:name]}: Forcefully writing differences to vault(push)")
+            VaultTransit.write_to_vault(vault_client, vault_secrets)
+          else
+            #Confirm with user, and write to local file if approved
+            next unless confirmed_with_user?
+            VaultTransit.write_to_vault(vault_client, vault_secrets)
+          end
+        end
+      end
+
+      def read_remote(paths, prefix)
+        tmp_hash = Hash.new
+        paths.each do |k,v|
+          p = File.join(prefix, k)
+          unless vault_client.logical.read(p).nil?
+            v = vault_client.logical.read(p).data
+            tmp_hash["#{k}"] = v
+          else
+            next
+          end
+        end
+        tmp_hash
+      end
+
+      def map_local_path(secrets_hash, local_path)
+        config_path = Pathname.new(config_file)
+        tmp_hash = Hash.new
+
+        secrets_hash.map do |p, v|
+          p = config_path.dirname + Pathname.new(File.join(local_path, p))
+          tmp_hash["#{p}"] = v
+        end
+        tmp_hash
+      end
+
+      def build_local_secrets(local_paths)
+        # Read each local file
+        local_secrets = read_local_files(local_paths)
+        # Decrypt local secrets
+        local_secrets = VaultTransit.decrypt(vault_client, local_secrets, transit_key)
+      end
+
+      def build_vault_secrets(local_paths, target_prefix, target_path)
+        # Map local_paths into vault_paths
+        vault_paths = local_paths.map{|x| x.gsub(File.join(File.dirname(config_file), target_path), "")}
+
+        # Get vault secrets (if they exist) for each vault prefix specified in sanctum.yaml that also maps to a local path
+        # This means that we will only compare secrets/paths that exist both locally and in vault.
+        # We will not for example, see differences if a secret exists in vault but not locally.
+
+        # Read secrets from vault
+        vault_secrets = read_remote(vault_paths, target_prefix)
+
+        # To make comparing a bit easier map vault_secrets paths back local_paths
+        # Convert to json, then read, to make keys strings vs symbols
+        vault_secrets = JSON(map_local_path(vault_secrets, target_path).to_json)
+      end
+
+    end
+  end
+end

data/lib/sanctum/command/sanctum.example.yaml

@@ -0,0 +1,33 @@
+# sanctum.yml
+sanctum:
+  # force - defaults to false. Setting to true modifies behavior of push and pull commands.
+  #   If true you will not be asked if you want to overwrite changes.
+  #force: false
+  # color - defaults to true. Setting to false will disable color to tty
+  #color: true
+
+vault:
+  # url - will use `ENV["VAULT_ADDR"]` if available, otherwise defaults to http://localhost:8200
+  #url: http://localhost:8200
+  # token - (required) will use `ENV["VAULT_TOKEN"]` if available, otherwise tries to read from `ENV["HOME"]/.vault-token`
+  #token: aaabbbcc-ddee-ffgg-hhii-jjkkllmmnnoop
+  # transit_key - (required) will use `ENV["SANCTUM_TRANSIT_KEY"]` if available.
+  #   Transit key ring used to encrypt/decrypt secrets for local storage.
+  #   If you need to use multiple transit_keys you will need to create seperate config files
+  #transit_key: transit/keys/app-foo
+
+sync:
+  # sync is an array of hashes of sync target configurations
+  # at least one app definition is REQUIRED Fields:
+  #     name - (required) Friendly name of the sync target.
+  #     prefix - (required) The vault prefix(secret mount) to synchronize to.
+  #     path - (required) The relative filesystem path to the directory
+  #       containing the files with content to synchronize to Vault.
+  #       This path is calculated relative to the directory containing
+  #       the configuration file.
+  #     force - Whether or not to force push, pull actions (no user input)
+  #       This inherits the setting from the `sanctum` section.
+  #- name: app-foo
+    #prefix: secrets/app-foo
+    #path: vault/app-foo
+    #force: false

data/lib/sanctum/command/view.rb

@@ -0,0 +1,21 @@
+require 'yaml'
+
+module Sanctum
+  module Command
+    class View < Base
+
+      def run(command="less")
+        raise ArgumentError, red('Please provide at least one path') if args.empty?
+
+        local_secrets = read_local_files(args)
+        local_secrets = VaultTransit.decrypt(vault_client, local_secrets, transit_key)
+        begin
+          IO.popen(command, "w") { |f| f.puts "#{local_secrets.to_yaml}" }
+        rescue
+          puts light_blue(local_secrets.to_yaml)
+        end
+      end
+
+    end
+  end
+end

data/lib/sanctum/get_config.rb

@@ -0,0 +1 @@
+require 'sanctum/get_config/config_merge'

data/lib/sanctum/get_config/config_file.rb

@@ -0,0 +1,46 @@
+require 'yaml'
+
+module Sanctum
+  module GetConfig
+    class ConfigFile
+      attr_reader :config_file
+
+      def initialize(config_file=nil)
+        raise "Please create or specify a config file. `sanctum config --help`" if config_file.nil?
+        raise "Config file not found" unless File.file?(config_file)
+        @config_file = config_file
+      end
+
+      def run
+        config_hash = load_config_file(config_file)
+        if config_hash.empty? || config_hash[:sync].nil?
+          raise "Please specify at least one sync target in your config file: #{config_file}"
+        else
+          config_hash
+        end
+      end
+
+      def load_config_file(config_file)
+        config_hash = YAML.load_file(config_file)
+        config_hash.compact!
+        deep_symbolize(config_hash)
+      rescue
+        raise "Please ensure your config file is formatted correctly. `sanctum config --help`"
+      end
+
+      def deep_symbolize(obj)
+        case obj
+        when Hash
+          obj.each_with_object({}) do |(k, v), hash|
+            hash[k.to_sym] = deep_symbolize(v)
+          end
+        when Array
+          obj.map { |el| deep_symbolize(el) }
+        else
+          obj
+        end
+      end
+
+    end
+  end
+end

data/lib/sanctum/get_config/config_merge.rb

@@ -0,0 +1,60 @@
+require 'sanctum/get_config/config_file'
+require 'sanctum/get_config/env'
+require 'sanctum/get_config/hash_merger'
+require 'sanctum/get_config/options'
+
+
+module Sanctum
+  module GetConfig
+    class ConfigMerge
+
+      using HashMerger
+      attr_reader :config_file, :targets, :force
+
+      def initialize(config_file: , targets: , force: )
+        @config_file = config_file
+        @targets = targets.split(/\,/).map(&:strip) unless targets.nil?
+        @force = force
+      end
+
+      def final_options
+        # default_options will search for config_file or take the path specified via cli
+        default_options = DefaultOptions.new(config_file).run
+        config_options = ConfigFile.new(default_options[:config_file]).run
+        env_options = Env.new.run
+        cli_options = {cli: {targets: targets, force: force }}
+
+        # Check that targets specified via commandline actually exist in config_file and update config_options[:sync] array
+        config_options = check_targets(targets, config_options) unless targets.nil?
+
+        merge_options(default_options, config_options, env_options, cli_options)
+      end
+
+
+      def merge_options(default_options, config_options, env_options, cli_options)
+        default_options.deep_merge(config_options).deep_merge(env_options).deep_merge(cli_options)
+      end
+
+      def check_targets(targets, config_options)
+        tmp_array = Array.new
+        sync = config_options[:sync]
+
+        targets.each do |t|
+          sync.each do |h|
+            tmp_array << h if h[:name] == t
+          end
+        end
+
+        if tmp_array.empty?
+          valid_targets = sync.map{|h| h[:name]}
+          raise "Please specify at least one valid target\n Valid targets are #{valid_targets}"
+        end
+
+        config_options[:sync] = tmp_array
+        config_options
+      end
+
+
+    end
+  end
+end

data/lib/sanctum/get_config/env.rb

@@ -0,0 +1,18 @@
+module Sanctum
+  module GetConfig
+    class Env
+      attr_reader :env_options
+
+      def initialize
+        @env_options = {vault: {url: ENV["VAULT_ADDR"], token: ENV["VAULT_TOKEN"], transit_key: ENV["SANCTUM_TRANSIT_KEY"]}}
+      end
+
+      def run
+        env_options.each do |key, value|
+          value.compact!
+        end
+      end
+
+    end
+  end
+end

data/lib/sanctum/get_config/hash_merger.rb

@@ -0,0 +1,12 @@
+module Sanctum
+  module GetConfig
+    module HashMerger
+      refine ::Hash do
+        def deep_merge(second)
+          merger = proc { |key, v1, v2| Hash === v1 && Hash === v2 ? v1.merge(v2, &merger) : Array === v1 && Array === v2 ? v1 | v2 : [:undefined, nil, :nil].include?(v2) ? v1 : v2 }
+          self.merge(second.to_h, &merger)
+        end
+      end
+    end
+  end
+end

data/lib/sanctum/get_config/options.rb

@@ -0,0 +1,41 @@
+require 'etc'
+require 'pathname'
+
+module Sanctum
+  module GetConfig
+    class DefaultOptions
+      attr_reader :config_file
+
+      def initialize(config_file=nil)
+        @config_file = config_file
+      end
+
+      def run
+        {
+          config_file: config_file.nil? ? config_file_search : config_file,
+          sanctum: { force: false, color: true },
+          vault: { url: "https://127.0.0.1:8200", token: get_vault_token }
+        }
+      end
+
+      def config_file_search
+        path = Pathname.new(Dir.pwd)
+        path.ascend do |p|
+          if File.file?("#{p}/sanctum.yaml")
+            return "#{p}/sanctum.yaml"
+          else
+            next
+          end
+        end
+      end
+
+      def get_vault_token
+        token_file = "#{Dir.home}/.vault-token"
+        if File.file?("#{token_file}") && File.readable?("#{token_file}")
+          File.read("#{token_file}")
+        end
+      end
+
+    end
+  end
+end

data/lib/sanctum/vault_client.rb

@@ -0,0 +1,31 @@
+require 'vault'
+
+module Sanctum
+  class VaultClient
+
+    def self.build(vault_address, vault_token)
+      vault_client = Vault::Client.new(address: vault_address, token: vault_token)
+      check_token(vault_client)
+      vault_client
+    end
+
+    def self.check_token(vault_client)
+      response = vault_client.request(:get, "v1/auth/token/lookup-self")
+      renewable = response[:data][:renewable]
+
+      if renewable
+        creation_ttl = response[:data][:creation_ttl]
+        remaining = response[:data][:ttl]
+        fifty_percent = (creation_ttl * 0.50).to_i
+
+        renew_token(vault_client, creation_ttl) if remaining < fifty_percent
+      end
+    end
+
+    def self.renew_token(vault_client, increment)
+      payload = {"increment": increment}.to_json
+      vault_client.request(:post, "v1/auth/token/renew-self", payload)
+    end
+
+  end
+end

data/lib/sanctum/vault_secrets.rb

@@ -0,0 +1,46 @@
+module Sanctum
+  class VaultSecrets
+    include Colorizer
+    attr_reader :vault_client, :prefix
+
+    def initialize(vault_client, prefix)
+      @vault_client = vault_client
+      @prefix = prefix
+    end
+
+    def get
+      if invalid_prefix?
+        raise yellow("Warning: Vault prefix: '#{prefix}' does not exist.. ")
+      end
+
+      secrets_from_vault = Hash.new
+      secrets_from_vault[prefix] = JSON(list_recursive(prefix).to_json)
+      secrets_from_vault
+    end
+
+    private
+    def list_recursive(prefix, parent = '')
+      me = File.join(parent, prefix)
+      result = vault_client.logical.list(me).inject({}) do |hash, item|
+        case item
+        when /.*\/$/
+          hash[item.gsub(/\/$/, '').to_sym] = list_recursive(item, me)
+        else
+          hash[item.to_sym] = read_data(item, me)
+        end
+        hash
+      end
+      result
+    end
+
+    def read_data(item, parent = '')
+      me = File.join(parent, item)
+      vault_client.logical.read(me).data
+    end
+
+    def invalid_prefix?
+      vault_client.logical.list(prefix).empty?
+    end
+
+  end
+end

data/lib/sanctum/vault_transit.rb

@@ -0,0 +1,60 @@
+require 'base64'
+require 'pathname'
+
+module Sanctum
+  class VaultTransit
+    include Colorizer
+
+    def self.encrypt(vault_client, secrets, transit_key)
+      transit_key = Pathname.new(transit_key)
+
+      unless transit_key_exist?(vault_client, transit_key)
+        raise red("#{transit_key} does not exist")
+      end
+
+      secrets.each do |k, v|
+        v = encode(v.to_json)
+        #TODO: Fix this....
+        v = vault_client.logical.write("#{transit_key.dirname.to_s.split("/")[0]}/encrypt/#{transit_key.basename}", plaintext: v)
+        secrets[k] = v
+      end
+      secrets
+    end
+
+    def self.decrypt(vault_client, secrets, transit_key)
+      transit_key = Pathname.new(transit_key)
+      secrets.each do |k, v|
+        v = vault_client.logical.write("#{transit_key.dirname.to_s.split("/")[0]}/decrypt/#{transit_key.basename}", ciphertext: v)
+        v = JSON(decode(v.data[:plaintext]))
+        secrets[k] = v
+      end
+      secrets
+    end
+
+    def self.write_to_file(vault_client, secrets, transit_key)
+      secrets = encrypt(vault_client, secrets, transit_key)
+      secrets.each do |k, v|
+        File.write(k, v.data[:ciphertext])
+      end
+    end
+
+    def self.write_to_vault(vault_client, secrets)
+      secrets.each do |k, v|
+        vault_client.logical.write(k, v)
+      end
+    end
+
+    def self.encode(string)
+      Base64.encode64(string)
+    end
+
+    def self.decode(string)
+      Base64.decode64(string)
+    end
+
+    def self.transit_key_exist?(vault_client, transit_key)
+      !vault_client.logical.read(transit_key.to_path).nil?
+    end
+
+  end
+end