sfn-vault 0.1.1 → 0.1.3

data/lib/sfn-vault.rb

@@ -1,153 +1,13 @@
 require 'sfn'
 require 'vault'
 
-require 'sfn-vault/version'
-
-# Modeled after the Assume Role callback
-module Sfn
-  class Callback
-    class VaultRead < Callback
-
-      # Cache credentials for re-use to prevent re-generation of temporary
-      # credentials on every command request.
-      VAULT_CACHED_ITEMS = [
-        :vault_lease_id,
-        :vault_lease_expiration,
-        :aws_access_key_id,
-        :aws_secret_access_key
-      ]
-
-      # Inject credentials read from vault path
-      # into API provider configuration
-      def after_config(*_)
-        # if credentials block contains vault_read_path
-        if(enabled? && config.fetch(:credentials, :vault_read_path))
-          load_stored_session
-        end
-      end
-
-      # Store session credentials until lease expires
-      def after(*_)
-        if(enabled?)
-          if(config.fetch(:credentials, :vault_read_path) && api.connection.aws_region)
-            path = cache_file
-            FileUtils.touch(path)
-            File.chmod(0600, path)
-            values = load_stored_values(path)
-            VAULT_CACHED_ITEMS.map do |key|
-              values[key] = api.connection.data[key]
-            end
-            File.open(path, 'w') do |file|
-              file.puts MultiJson.dump(values)
-            end
-          end
-        end
-      end
-
-      # @return [TrueClass, FalseClass]
-      def enabled?
-        config.fetch(:vault, :status, 'enabled').to_s == 'enabled'
-      end
-
-      # @return String path
-     def cache_file
-        config.fetch(:vault, :cache_file, '.sfn-vault')
-     end
-
-      # @param [FixNum] expiration
-      # @return [TrueClass, FalseClass]
-      # check lease is just: time.now greater than lease expires?
-      def expired?(expiration)
-        Time.now.to_i > expiration
-      end
-
-      def vault_addr
-        address = config.fetch(:vault, :vault_addr, ENV['VAULT_ADDR'])
-        if address.nil?
-          ui.error 'Set vault_addr in .sfn or VAULT_ADDR in environment'
-        end
-        address
-      end
-
-      def vault_token
-        token = config.fetch(:vault, :vault_token, ENV['VAULT_TOKEN'])
-        if token.nil?
-          ui.error 'Set :vault_token in .sfn or VAULT_TOKEN in environment'
-        end
-        token
-      end
-
-      # @return [Object] of type Vault::Secret
-      def vault_read
-        require 'vault'
-        client = Vault::Client.new(address: vault_addr, token: vault_token)
-        read_path = config.fetch(:credentials, :vault_read_path, "aws/creds/deploy") # save this value?
-        retries = config.fetch(:vault, :retries, 5)
-        credential = client.with_retries(Vault::HTTPError, attempts: retries) do
-          client.logical.read(read_path)
-        end
-        credential
-      end
-
-      # Load stored configuration data into the api connection
-      # or read retrieve with Vault client
-      # @return [TrueClass, FalseClass]
-      def load_stored_session
-        path = cache_file
-        FileUtils.touch(path)
-        if(File.exist?(path))
-          values = load_stored_values(path)
-          VAULT_CACHED_ITEMS.each do |key|
-            api.connection.data[key] = values[key]
-          end
-          if values[:vault_lease_expiration].nil?
-            values[:vault_lease_expiration] = 0
-          end
-          if(expired?(values[:vault_lease_expiration]))
-            ui.debug "No credential or lease expired"
-            begin
-              secret = vault_read
-              ui.debug "vault lease: #{secret.lease_id}"
-              # without the sleep the credentials are not ready
-              ui.info "Sleeping 30s for first time credentials system wide activation"
-              # this is arbitrary
-              timeout = config.fetch(:vault, :iam_delay, 15)
-              sleep(timeout)
-              api.connection.data[:vault_lease_id] = secret.lease_id # maybe unused?
-              api.connection.data[:vault_lease_expiration] = Time.now.to_i + secret.lease_duration
-              # update keys in api connection
-              api.connection.data[:aws_access_key_id] = secret.data[:access_key]
-              api.connection.data[:aws_secret_access_key] = secret.data[:secret_key]
-            rescue
-            end
-          end
-          true
-        else
-          false
-        end
-      end
-
-      # Load stored values
-      #
-      # @param path [String]
-      # @return [Hash]
-      def load_stored_values(path)
-        begin
-          if(File.exist?(path))
-            MultiJson.load(File.read(path)).to_smash
-          else
-            Smash.new
-          end
-        rescue MultiJson::ParseError
-          Smash.new
-        end
-      end
-
-      # Default quiet mode
-      def quiet
-        true unless config[:debug]
-      end
-
-    end
-  end
+module SfnVault
+  autoload :Platform, 'sfn-vault/platform'
+  autoload :Windows, 'sfn-vault/windows'
+  autoload :CertificateStore, 'sfn-vault/certificate_store'
+  autoload :Utils, 'sfn-vault/utils'
 end
+
+require 'sfn-vault/version'
+require 'sfn-vault/callback'
+require 'sfn-vault/inject'

data/lib/sfn-vault/callback.rb

@@ -0,0 +1,224 @@
+require 'sfn-parameters'
+require 'securerandom'
+require 'vault'
+
+# Modeled after the Assume Role callback
+module Sfn
+  class Callback
+    class VaultRead < Callback
+
+
+      include SfnVault::Utils
+
+      # Cache credentials for re-use to prevent re-generation of temporary
+      # credentials on every command request.
+      VAULT_CACHED_ITEMS = [
+        :vault_lease_id,
+        :vault_lease_expiration,
+        :aws_access_key_id,
+        :aws_secret_access_key
+      ]
+
+      def template(*args)
+        # search for all parameters of type 'Vault::Generic::Secret'
+        # 1. use the sparkleformation instance to get at the parameter hash,
+        config[:parameters] ||= Smash.new
+        stack = args.first[:sparkle_stack]
+        # 2. find names for things you want,
+        client = vault_client
+        pseudo_parameters(stack).each do |param|
+          param_path = vault_path_name(args, param)
+          ui.debug "Using #{param_path} for saved parameter"
+          # check if already saved in vault
+          # Save the secret unless one already exists at the defined path
+          unless client.logical.read(param_path)
+            ui.info "Vault: No pre-existing value for parameter #{param} saving new secret"
+            client.logical.write(param_path, value: random_secret)
+          end
+          # Read saved secret back from Vault and update parameters config
+          # 3. set param into config
+          config[:parameters][param] = client.logical.read(param_path).data[:value]
+          # 4. update type in template and that should do it
+          stack.compile.parameters.set!(param).type 'String'
+        end
+      end
+
+      # Use SecureRandom to generate a suitable password
+      # Length is configurable by setting `pseudo_parameter_length` in the vault
+      # section of the sfn config
+      #
+      # @return [String] The generated string
+      def random_secret
+        SecureRandom.base64(config.fetch(:vault, :pseudo_parameter_length, 15))
+      end
+
+      # Build the path where generated secrets can be saved in Vault
+      # This will use the value of `:pseudo_parameter_path` from the config if set. If
+      # unset it will attempt to build a type of standardized path based on the
+      # combined value any stack 'Project' tag and Stack name.
+      # Project will fallback to 'SparkleFormation' if unset
+      #
+      # @param args [Array] Array of args passed to the sfn instance
+      # @param parameter [String] Template parameter to save value for in vault
+      # @return [String] String value or stack name if available or default to template name
+      def vault_path_name(args, parameter)
+        pref = config.get(:vault, :pseudo_parameter_path)
+        # If we have a stack name use it, otherwise try to get from env and fallback to just template name
+        stack = args.first[:sparkle_stack]
+        stack_name = args.first[:stack_name].nil? ? ENV.fetch('STACK_NAME', stack.name).to_s : args.first[:stack_name]
+        project = config[:options][:tags].fetch('Project', 'SparkleFormation')
+
+        # When running in a detectable CI environment assume that we have rights to save a generic secret
+        # but honor user preference value if set
+        vault_path = if ci_environment?
+                       # write to vault at generic path
+                       base = pref.nil? ?  "secret" : pref
+                       File.join(base, project, stack_name, parameter)
+                     else
+                       base = pref.nil? ?  "cubbyhole" : pref
+                       # or for local dev use cubbyhole
+                       File.join(base, project, stack_name, parameter)
+                     end
+        vault_path
+      end
+
+      # Lookup all pseudo parameters in the template
+      #
+      # @param stack [SparkleFormation] An instance of the stack template
+      # @param parameter [String] The string value of the pseudo type to lookup
+      # @return [Array] Array of parameter names matching the pseudo type
+      def pseudo_parameters(stack, parameter: 'Vault::Generic::Secret')
+        stack.dump.fetch('Parameters', {}).map{|k,v| k if v['Type'] == parameter}.compact
+      end
+
+
+      # Check if we are running in any detectable CI type environments
+      #
+      # @return [TrueClass, FalseClass]
+      def ci_environment?
+        # check for any ci system env variables
+        return true if ENV['GO_PIPELINE_NAME']
+        return true if ENV['CI']
+        false
+      end
+
+      def after_config(*_)
+        # Inject credentials read from configured vault path
+        # into API provider configuration
+        # if credentials block contains vault_read_path
+        # TODO: this could be done earlier if at all possible so credentials
+        # struct does not need the aws config
+        if(enabled? && config.fetch(:credentials, :vault_read_path))
+          load_stored_session
+        end
+      end
+
+      # Store session credentials until lease expires
+      def after(*_)
+        if(enabled?)
+          if(config.fetch(:credentials, :vault_read_path) && api.connection.aws_region)
+            path = cache_file
+            FileUtils.touch(path)
+            File.chmod(0600, path)
+            values = load_stored_values(path)
+            VAULT_CACHED_ITEMS.map do |key|
+              values[key] = api.connection.data[key]
+            end
+            File.open(path, 'w') do |file|
+              file.puts MultiJson.dump(values)
+            end
+          end
+        end
+      end
+
+      # @return [TrueClass, FalseClass]
+      def enabled?
+        config.fetch(:vault, :status, 'enabled').to_s == 'enabled'
+      end
+
+      # @return [String ]path
+      def cache_file
+        config.fetch(:vault, :cache_file, '.sfn-vault')
+      end
+
+      # @param [FixNum] expiration
+      # @return [TrueClass, FalseClass]
+      # check lease is just: time.now greater than lease expires?
+      def expired?(expiration)
+        Time.now.to_i >= expiration
+      end
+
+      # @return [Object] of type Vault::Secret
+      def vault_read
+        client = vault_client
+        ui.debug "Have Vault client, configured with: #{client.options}"
+        read_path = config.fetch(:credentials, :vault_read_path, "aws/creds/deploy") # save this value?
+        credential = client.logical.read(read_path)
+        credential
+      end
+
+      # Load stored configuration data into the api connection
+      # or read retrieve with Vault client
+      # @return [TrueClass, FalseClass]
+      def load_stored_session
+        path = cache_file
+        FileUtils.touch(path)
+        if(File.exist?(path))
+          values = load_stored_values(path)
+          VAULT_CACHED_ITEMS.each do |key|
+            api.connection.data[key] = values[key]
+            if [:aws_access_key_id, :aws_secret_access_key].member?(key)
+              ui.debug "Updating environment #{key} with #{values[key]}"
+              # also update environment for this process
+              ENV[key.to_s] = values[key]
+            end
+          end
+          if values[:vault_lease_expiration].nil?
+            values[:vault_lease_expiration] = 0
+          end
+          if(expired?(values[:vault_lease_expiration]))
+            begin
+              secret = vault_read
+              # without the sleep the credentials are not ready
+              # this is arbitrary
+              timeout = config.fetch(:vault, :iam_delay, 30)
+              ui.info "Sleeping #{timeout}s for first time credentials system wide activation"
+              sleep(timeout)
+              api.connection.data[:vault_lease_id] = secret.lease_id # maybe unused?
+              api.connection.data[:vault_lease_expiration] = Time.now.to_i + secret.lease_duration
+              # update keys in api connection
+              api.connection.data[:aws_access_key_id] = secret.data[:access_key]
+              api.connection.data[:aws_secret_access_key] = secret.data[:secret_key]
+            rescue
+            end
+          end
+          true
+        else
+          false
+        end
+      end
+
+      # Load stored values
+      #
+      # @param path [String]
+      # @return [Hash]
+      def load_stored_values(path)
+        begin
+          if(File.exist?(path))
+            MultiJson.load(File.read(path)).to_smash
+          else
+            Smash.new
+          end
+        rescue MultiJson::ParseError
+          Smash.new
+        end
+      end
+
+      # Default quiet mode
+      def quiet
+        true unless config[:debug]
+      end
+
+    end
+  end
+end

data/lib/sfn-vault/certificate_store.rb

@@ -0,0 +1,40 @@
+require 'sfn-parameters'
+
+# This module implements helper functions to build a valid X509 bundle on
+# for SSL verification based on installed certificates.
+module SfnVault
+  module CertificateStore
+
+    include SfnVault::Platform
+
+    # Add to an X509 store, ignoring duplicates
+    def self.safe_add(cert_store, cert)
+      cert_store.add_cert(cert)
+    rescue OpenSSL::X509::StoreError => e
+      raise unless e.message == 'cert already in hash table'
+    end
+
+    # Return a certificate store that can be used to validate certificates with
+    # the system certificate authorities. This will probably not do anything on
+    # OS X, which monkey patches OpenSSL in terrible ways to insert its own
+    # validation. On most *nix platforms, this will add the system certificates
+    # using OpenSSL::X509::Store#set_default_paths. On Windows, this will use
+    # SfnVault::Windows::RootCerts to look up the CAs trusted by the system.
+    #
+    # @return [OpenSSL::X509::Store]
+    #
+    def self.default_ssl_cert_store
+      cert_store = OpenSSL::X509::Store.new
+      cert_store.set_default_paths
+      # set_default_paths() doesn't do anything on Windows, so look up
+      # certificates using the win32 API.
+      if SfnVault::Platform.windows?
+        require 'sfn-vault/windows/root_certs'
+        SfnVault::Windows::RootCerts.instance.to_a.uniq.each do |cert|
+          safe_add(cert_store, cert)
+        end
+      end
+      cert_store
+    end
+  end
+end

data/lib/sfn-vault/inject.rb

@@ -0,0 +1,18 @@
+class SparkleFormation
+  module SparkleAttribute
+    module Aws
+
+      # A small helper method for adding the specific named
+      # parameter struct with the custom type
+      def _vault_parameter(vp_name)
+        __t_stringish(vp_name)
+        parameters.set!(vp_name) do
+          no_echo true
+          description "Generated secret automatically stored in Vault"
+          type 'Vault::Generic::Secret'
+        end
+      end
+      alias_method :vault_parameter!, :_vault_parameter
+    end
+  end
+end

data/lib/sfn-vault/platform.rb

@@ -0,0 +1,17 @@
+require 'sfn-vault'
+
+module SfnVault
+  module Platform
+
+    # Return true if we are running on Windows.
+    #
+    # @return [Boolean]
+    #
+    def self.windows?
+      # Ruby only sets File::ALT_SEPARATOR on Windows, and the Ruby standard
+      # library uses that to test what platform it's on.
+      # https://github.com/rest-client/rest-client/blob/master/lib/restclient/platform.rb#L17
+      !!File::ALT_SEPARATOR
+    end
+  end
+end