securden 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 3ab035ae2404108a3ad9234d90687856acdeef487c9c39f1ccc2d9a1d7292022
+  data.tar.gz: bc792eae5a82c88107a444d99269c254cfb4a8d743d1e1452b66c9ffdea9a2b2
+SHA512:
+  metadata.gz: 257699c10ca6879c21935259df6625c5bdc92036c20efa7b8296ed390a6a9cf8c29191f30325b7dee7558251686e44a9cf22262201668cfde82d242ecf608d8a
+  data.tar.gz: af2dd70f75d6f4902a870ee18079145fce2afef24c46a1cc6dcefd9408cd030d34357a2932ef8784d3a50a297325f3eca08441d9f846beed5253de47f5b06300

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 securden
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,78 @@
+# Securden Chef Plugin
+
+The Securden Chef plugin enables seamless integration with Securden Secrets Manager, making it easy to fetch and utilize account details within your Chef recipes. This guide provides a detailed overview of the plugin's features and usage.
+
+## Installation
+
+Add the Securden Chef plugin gem to your Chef environment. Ensure all required dependencies, including Ruby and the Chef client, are properly installed and configured.
+
+## Initialization
+
+The Securden plugin is initialized with the following parameters:
+- `server_url`: The URL of your Securden Secrets Manager server.
+- `authtoken`: The authentication token required for API access.
+- `certificate`: (Optional) Path to the certificate file. If omitted, the plugin automatically fetches the certificate.
+
+## Usage Example
+
+```ruby
+require 'Securden'
+
+securden = nil
+
+ruby_block 'Plugin Initialize Block' do
+  block do
+    securden = Securden::Account.new(
+      server_url: node['securden']['server_url'],
+      authtoken: node['securden']['authtoken'],
+      certificate: node['securden']['certificate'] # Certificate is optional
+    )
+  end
+end
+
+ruby_block 'Get Account Block' do
+  block do
+    if securden
+      account = securden.get(account_id: node['securden']['account_id'])
+      if account
+        puts "\nPassword: #{account['password']}"
+      end
+    end
+  end
+end
+```
+
+## Access
+
+Once the account data is fetched, you can access its attributes directly, such as `password`, or any additional fields created in the account.
+
+## Example Workflow
+
+1. Define necessary `node` attributes, such as `server_url`, `authtoken`, and optionally, `certificate`.
+2. Initialize the Securden plugin using the `Securden::Account.new` method.
+3. Use the `get` method to fetch account details.
+4. Access and utilize the required attributes in your Chef recipes.
+
+## Key Features
+
+1. **Plugin Initialization**:
+   - Simplifies the initialization process with essential parameters (`server_url`, `authtoken`, `certificate`).
+
+2. **Fetching Account Data**:
+   - Retrieve account details using the `get` method by providing any of the following:
+     - `account_id`
+     - `account_title`
+     - `account_name`
+     - Combination of `account_name` and `account_title`
+
+3. **Accessing Account Attributes**:
+   - Access the fetched account's attributes, such as `password`, or additional fields created in the account.
+
+## Additional Notes
+
+- Ensure that `server_url` and `authtoken` values are securely stored and not hardcoded in your recipes.
+- The `certificate` parameter is optional; the plugin will automatically fetch it if not provided.
+- Additional fields in the account can be accessed using their respective names.
+
+For further details and support, refer to the official Securden documentation.
+

data/lib/securden/version.rb

@@ -0,0 +1,4 @@
+module Securden
+    VERSION = "0.0.1"
+  end
+  

data/lib/securden.rb

@@ -0,0 +1,420 @@
+require "net/http"
+require "json"
+require "openssl"
+
+module Securden
+  # request header constants
+  AUTHTOKEN = "authtoken"
+  ORG = "org"
+  # request constants
+  GET = "GET"
+  POST = "POST"
+  PUT = "PUT"
+  DELETE = "DELETE"
+
+  # log contants
+  INFO = "info"
+  ERROR = "error"
+  WARN = "warn"
+  DEBUG = "debug"
+
+  class Error < StandardError; end
+
+  class << self
+    attr_accessor :server_url, :authtoken, :org, :certificate
+    def log(message:, level: )
+      message = "[SECURDEN] " + message.to_s
+      case level
+      when ERROR
+        Chef::Log.error(message)
+        nil
+      when DEBUG
+        Chef::Log.debug(message)
+      when WARN
+        Chef::Log.warn(message)
+      when INFO
+        Chef::Log.info(message)
+      end
+    end
+  end
+
+  class Init
+    def initialize(server_url:, authtoken:, org: nil, certificate: nil)
+      if server_url.nil? || authtoken.nil?
+        Securden.log(message: "Server URL and authtoken are required to initialize Securden", level: ERROR)
+        return nil
+      end
+      unless server_url.start_with?("http://", "https://")
+        Securden.log(message: "Invalid server URL. It must begin with either http:// or https://", level: ERROR)
+        return nil
+      end
+      Securden.server_url = server_url
+      Securden.authtoken = authtoken
+      Securden.org = org unless org.nil? || org.nil?
+      Securden.certificate = certificate
+      Securden.log(message: "Securden initialized successfully", level: DEBUG)
+    end
+  end
+
+  class Account
+    def self.get(account_id: nil, account_name: nil, account_title: nil, account_type: nil)
+      begin
+        unless Securden.server_url && Securden.authtoken
+          Securden.log(message: "Securden has not been initialized. Please initialize before using", level: ERROR)
+          return nil
+        end
+        if account_id.nil? && account_title.nil? && account_name.nil? && account_type.nil?
+          Securden.log(message: "Required account attributes Account ID, Account title or Account name", level: ERROR)
+          return nil
+        end
+        Securden.log(message: "Fetching account from Securden", level: DEBUG)
+        params = {}
+        params["account_id"] = account_id.to_i if account_id
+        params["account_title"] = account_title unless account_title.nil?
+        params["account_name"] = account_name unless account_name.nil?
+        params["account_type"] = account_type unless account_type.nil?
+        account = Request.new.raise_request(params, "/secretsmanagement/get_account", GET)
+        if account
+          if account["message"]
+            Securden.log(message: account["message"], level: DEBUG)
+          end
+          return account
+        else
+          return nil
+        end
+      rescue StandardError => e
+        Securden.log(message: "Failed to fetch account data: #{e.message}", level: ERROR)
+        return nil
+      end
+    end
+
+    def self.add(account_title: nil, account_name: nil, account_type: nil, password:nil, ipaddress: nil, notes: nil, tags: nil, personal_account: nil, folder_id: nil, account_expiration_date: nil, distinguished_name: nil, account_alias: nil, domain_name: nil)
+      begin
+        unless Securden.server_url && Securden.authtoken
+          Securden.log(message: "Securden has not been initialized. Please initialize before using", level: ERROR)
+          return nil
+        end
+        if account_type.nil?
+          Securden.log(message: "Required Account type", level: ERROR)
+          return nil
+        elsif account_title.nil?
+          Securden.log(message: "Required account title", level: ERROR)
+          return nil
+        end
+        Securden.log(message: "Adding account", level: DEBUG)
+        params = {}
+        params["account_title"] = account_title
+        params["account_type"] = account_type
+        params["account_name"] = account_name unless account_name.nil?
+        params["personal_account"] = personal_account unless personal_account.nil?
+        params["ipaddress"] = ipaddress unless ipaddress.nil?
+        params["notes"] = notes unless notes.nil?
+        params["tags"] = tags unless tags.nil?
+        params["folder_id"] = folder_id unless folder_id.nil?
+        params["password"] = password unless password.nil?
+        params["account_expiration_date"] = account_expiration_date unless account_expiration_date.nil?
+        params["distinguished_name"] = distinguished_name unless distinguished_name.nil?
+        params["account_alias"] = account_alias unless account_alias.nil?
+        params["domain_name"] = domain_name unless domain_name.nil?
+        account = Request.new.raise_request(params, "/api/add_account", POST)
+        if account
+          if account["message"]
+            Securden.log(message: account["message"], level: DEBUG)
+          end
+          return account
+        else
+          Securden.log(message: "Could not add account", level: ERROR)
+          return nil
+        end
+      end
+    end
+
+    def self.edit(account_id: nil, account_title: nil, account_name: nil, account_type: nil, ipaddress: nil, notes: nil, tags: nil, personal_account: nil, folder_id: nil, account_expiration_date: nil, distinguished_name: nil, account_alias: nil, domain_name: nil)
+      begin
+        unless Securden.server_url && Securden.authtoken
+          Securden.log(message: "Securden has not been initialized. Please initialize before using", level: ERROR)
+          return nil
+        end
+        Securden.log(message: "Updating account", level: DEBUG)
+        if account_id.nil? || account_type.nil?
+          Securden.log(message: "Required account ID and Account type", level: ERROR)
+          return nil
+        end
+        params = {}
+        params["account_id"] = account_id
+        params["account_type"] = account_type
+        params["account_title"] = account_title unless account_title.nil?
+        params["account_name"] = account_name unless account_name.nil?
+        params["ipaddress"] = ipaddress unless ipaddress.nil?
+        params["notes"] = notes unless notes.nil?
+        params["tags"] = tags unless tags.nil?
+        params["personal_account"] = personal_account unless personal_account.nil?
+        params["folder_id"] = folder_id unless folder_id.nil?
+        params["account_expiration_date"] = account_expiration_date unless account_expiration_date.nil?
+        params["distinguished_name"] = distinguished_name unless distinguished_name.nil?
+        params["account_alias"] = account_alias unless account_alias.nil?
+        params["domain_name"] = domain_name unless domain_name.nil?
+        account = Request.new.raise_request(params, "/api/edit_account", PUT)
+        if account
+          if account["message"]
+            Securden.log(message: account["message"], level: DEBUG)
+          end
+          return account
+        else
+          Securden.log(message: "Could not update account", level: ERROR)
+          return nil
+        end
+      rescue StandardError => e
+        Securden.log(message: "Error updating account: #{e.message}", level: ERROR)
+        return nil
+      end
+    end
+  end
+
+  class Accounts
+    def self.get(account_ids:)
+      begin
+        if Securden.server_url.nil? || Securden.authtoken.nil? || Securden.server_url.strip.empty? || Securden.authtoken.strip.empty?
+          Securden.log(message: "Securden has not been initialized. Please initialize before using", level: ERROR)
+          return nil
+        end
+        params = {}
+        if account_ids.nil? || account_ids.empty?
+          Securden.log(message: "Required account IDs", level: ERROR)
+          return nil
+        end
+        Securden.log(message: "Fetching accounts from Securden", level: DEBUG)
+        params["account_ids"] = account_ids
+        accounts = Request.new.raise_request(params, "/secretsmanagement/get_accounts", POST) 
+        if accounts
+          if accounts["message"]
+            Securden.log(message: accounts["message"], level: DEBUG)
+          end
+          return accounts
+        else
+          Securden.log(message: "Could not fetch accounts", level: ERROR)
+          return nil
+        end
+      rescue StandardError => e
+        Securden.log(message: "Error fetching accounts: #{e.message}", level: ERROR)
+        return nil
+      end
+    end
+
+    def self.delete(account_ids:, reason: nil, delete_permanently: nil)
+      begin
+        if Securden.server_url.nil? || Securden.authtoken.nil?
+          Securden.log(message: "Securden has not been initialized. Please initialize before using", level: ERROR)
+          return nil
+        end
+        params = {}
+        if account_ids.nil? || account_ids.empty?
+          Securden.log(message: "Required account IDs", level: ERROR)
+          return nil
+        end
+        params["account_ids"] = account_ids
+        params["reason"] = reason unless reason.nil?
+        params["delete_permanently"] = delete_permanently unless delete_permanently.nil?
+        Securden.log(message: "Deleting accounts", level: INFO)
+        accounts = Request.new.raise_request(params, "/api/delete_accounts", DELETE)
+        if accounts
+          if accounts["message"]
+            Securden.log(message: accounts["message"], level: DEBUG)
+          end
+          return accounts
+        else
+          Securden.log(message: "Could not delete accounts", level: ERROR)
+          return nil
+        end
+      rescue StandardError => e
+        Securden.log(message: "Error deleting accounts: #{e.message}", level: ERROR)
+        return nil
+      end
+    end
+  end
+
+  class Request
+    def raise_request(payload, request_path, method)
+      begin
+        Securden.log(message: "Raising API request to Securden server", level: DEBUG)
+        uri = URI(Securden.server_url + request_path)
+        if method == GET
+          uri.query = URI.encode_www_form(payload) unless payload.empty?
+        end
+        http = set_http(uri)
+        case method
+        when GET
+          request = Net::HTTP::Get.new(uri)
+        when POST
+          request = Net::HTTP::Post.new(uri)
+        when PUT
+          request = Net::HTTP::Put.new(uri)
+        when DELETE
+          request = Net::HTTP::Delete.new(uri)
+        end
+        request = set_header(request)
+        if method != GET
+          request["Content-Type"] = "application/json"
+        end
+        request.body = payload.to_json unless payload.nil? || payload.empty?
+        response = http.request(request)
+        return handle_response(response)
+      rescue StandardError => e
+        Securden.log(message: "#{e}", level: ERROR)
+        return nil
+      end
+    end
+
+    protected
+    def handle_response(response)
+      begin
+        status_code = nil
+        if response.code && !response.code.strip.empty?
+          status_code = response.code.to_i
+        else response.status_code && !response.status_code.strip.empty?
+          status_code = response.status_code.to_i
+        end
+        response = JSON.parse(response.body)
+        if !status_code.nil? && status_code == 200
+          return response
+        elsif response['error']
+          message = response['error']['message']
+        else
+          message = response['message']
+        end
+        Securden.log(message: "#{response['status_code']}: #{message}", level: ERROR)
+        return nil
+      rescue StandardError => e
+        Securden.log(message: "HTTP request failed: #{e.message}", level: ERROR)
+        return nil
+      end
+    end
+
+    def set_header(request)
+      request[AUTHTOKEN] = Securden.authtoken
+      request[ORG] = Securden.org if Securden.org && !Securden.org.strip.empty?
+      request
+    end
+    
+    def set_http(uri)
+      begin
+        Securden.log(message: "Setting up HTTP connection.", level: DEBUG)
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = uri.scheme == "https"
+        if uri.scheme == "https"
+          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          configure_ssl(http, uri)
+        end
+        http
+      rescue StandardError => e
+        Securden.log(message: "Failed to set HTTP connection: #{e.message}", level: ERROR)
+        return nil
+      end
+    end
+
+    def configure_ssl(http, uri)
+      begin
+        if Securden.server_url.start_with?("https://")
+          if Securden.certificate
+            handle_ssl_certificate(http)
+          else
+            Securden.log(message: "No SSL certificate provided. Attempting to fetch from server.", level: DEBUG)
+            fetch_and_set_server_certificate(http, uri)
+          end
+        end
+      rescue StandardError => e
+        Securden.log(message: "Failed to configure SSL: #{e.message}", level: ERROR)
+        return nil
+      end
+    end
+
+    def handle_ssl_certificate(http)
+      begin
+        Securden.log(message: "Adding SSL certificate.", level: INFO)
+        if Securden.certificate.start_with?("-----BEGIN CERTIFICATE-----")
+          cert_object = OpenSSL::X509::Certificate.new(Securden.certificate)
+          http.cert_store = OpenSSL::X509::Store.new
+          http.cert_store.add_cert(cert_object)
+        elsif File.exist?(Securden.certificate)
+          http.ca_file = Securden.certificate
+        else
+          Securden.log(message: "Invalid certificate value or file path", level: ERROR)
+          return nil
+        end
+        http
+      rescue OpenSSL::X509::CertificateError => e
+        Securden.log(message: "Invalid certificate format: #{e.message}", level: ERROR)
+        return nil
+      end
+    end
+
+    def verify_certificate_domain(cert, uri)
+      cn = cert.subject.to_s.match(/CN=([^\s\/,]+)/i)&.captures&.first
+      sans = cert.extensions.select { |ext| ext.oid == 'subjectAltName' }.flat_map { |ext| ext.value.split(', ').grep(/^DNS:/) }.map { |dns| dns.gsub(/^DNS:/, '') }
+      cert_domains = [cn, *sans].compact
+      cert_domains.any? do |domain|
+        if domain.start_with?('*.')
+          uri.host.end_with?(domain[2..-1])
+        else
+          uri.host == domain
+        end
+      end
+    end
+
+    def fetch_and_set_server_certificate(http, uri)
+      begin
+        Securden.log(message: "Attempting to fetch SSL certificate from #{uri.host}:#{uri.port}", level: DEBUG)
+        tcp_socket = TCPSocket.new(uri.host, uri.port || 443)
+        ssl_context = OpenSSL::SSL::SSLContext.new
+        ssl_socket = OpenSSL::SSL::SSLSocket.new(tcp_socket, ssl_context)
+        ssl_socket.sync_close = true
+        ssl_socket.connect
+        peer_cert = ssl_socket.peer_cert
+        peer_cert_chain = ssl_socket.peer_cert_chain || [peer_cert]
+        unless verify_certificate_domain(peer_cert, uri)
+          Securden.log(message: "Hostname mismatch: Certificate is for #{peer_cert.subject}, requested #{uri.host}", level: DEBUG)
+          http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          return
+        end
+        ssl_socket.close
+        tcp_socket.close
+        http.cert_store = OpenSSL::X509::Store.new
+        http.cert_store.set_default_paths
+        peer_cert_chain.each do |cert|
+          begin
+            http.cert_store.add_cert(cert)
+          rescue OpenSSL::X509::StoreError => e
+            Securden.log(message: "Certificate already in store or invalid: #{e.message}", level: DEBUG)
+          end
+        end
+        verification_result = http.cert_store.verify(peer_cert_chain.first)
+        if verification_result
+          Securden.log(message: "Successfully verified certificate", level: DEBUG)
+          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        else
+          Securden.log(message: "Certificate verification failed: #{http.cert_store.error_string}", level: WARN)
+          if self_signed?(peer_cert_chain.first)
+            Securden.log(message: "Server uses self-signed certificate. Adding to trust store.", level: DEBUG)
+            http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          else
+            Securden.log(message: "Untrusted certificate. Disabling SSL verification.", level: WARN)
+            http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          end
+        end
+
+      rescue StandardError => e
+        Securden.log(message: "Failed to establish secure connection: #{e.message}. Disabling SSL verification", level: WARN)
+        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      ensure
+        ssl_socket&.close rescue nil
+        tcp_socket&.close rescue nil
+      end
+    end
+
+    def self_signed?(cert)
+      cert.subject.to_s == cert.issuer.to_s
+    end
+  end
+
+  private_constant :Request
+end

metadata

@@ -0,0 +1,48 @@
+--- !ruby/object:Gem::Specification
+name: securden
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Securden
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2025-04-23 00:00:00.000000000 Z
+dependencies: []
+description: 
+email:
+- devops-support@securden.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- lib/securden.rb
+- lib/securden/version.rb
+homepage: https://securden.com
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.27
+signing_key: 
+specification_version: 4
+summary: Leverage the Chef development environment for seamless access to passwords,
+  secrets, certificates, and keys stored in Securden.
+test_files: []