vagrant-zanzibar 0.1.1

data/.gitignore

@@ -0,0 +1,14 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec/spec_helper

data/.travis.yml

@@ -0,0 +1,12 @@
+language: ruby
+rvm:
+  - 1.9.3
+  - 2.0.0
+deploy:
+  provider: rubygems
+  api_key:
+    secure: "CFXaOgtLypVc3/Nn3NFyeTYJ3rR/KNua2FPFHc02h5K/TPm8PMlHsYEB3e9OpithnC5cLqPUUlyZL4Gz7QC4zxX0G4luNVz+ZXdueMk1GBstK9QMsrjOQMKnQTCPaK/3x2/53kuPWMjYSyn5+ICkf/Omq1EVD4YEplhSvIRA9QQ="
+  gem: vagrant-zanzibar
+  on:
+    tags: true
+    all_branches: true

data/Gemfile

@@ -0,0 +1,16 @@
+source 'https://rubygems.org'
+
+gem 'savon', '0.9.5'
+
+group :test do
+  gem 'rake'
+  gem 'savon_spec'
+  gem 'rspec'
+  gem 'webmock'
+  gem 'codeclimate-test-reporter'
+  gem 'vagrant-zanzibar', path: '.'
+  gem 'rubocop'
+end
+
+# Specify your gem's dependencies in zanzibar.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,13 @@
+Copyright (c) 2015 Cimpress
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,74 @@
+# Zanzibar
+[![Gem Version](https://badge.fury.io/rb/zanzibar.svg)](http://badge.fury.io/rb/zanzibar)
+
+Zanzibar is a utility to retrieve secrets from a Secret Server installation. It supports retrieval of a password, public/private key, or secret attachment.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'zanzibar'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install zanzibar
+
+## Usage
+
+In your ruby project, rakefile, etc., create a new Zanzibar object. The constructor takes a hash of optional parameters for the WSDL location, the domain of the Secret Server, a hash of global variables to pass to savon (necessary for windows environments with self-signed certs) and a password for the current user (intended to be passed in through some encryption method, unless you really want a plaintext password there.). All of these parameters are optional and the user will be prompted to enter them if they are missing.
+
+```ruby
+  my_object = Zanzibar::Zanzibar.new(:domain => 'my.domain.net', :wsdl => 'my.scrt.srvr.com/webservices/sswebservice.asmx?wdsl', :pwd => get_encrypted_password_from_somewhere)
+```
+
+Example:
+
+```ruby
+require 'zanzibar'
+
+## Constructor takes hash as argument, all optional :domain, :wsdl, :pwd, :globals
+secrets = Zanzibar::Zanzibar.new(:domain => 'mydomain.net', :wsdl => "https://my.scrt.server/webservices/sswebservice.asmx?wsdl")
+# On windows with self-signed certs,
+# Zanzibar::Zanzibar.new(:domain => 'mydomain.net', :wsdl => "https://my.scrt.server/webservices/sswebservice.asmx?wsdl", :globals => {:ssl_verify_mode => :none})
+
+## Simple password -> takes secret id as argument
+secrets.get_password(1234)
+
+## Private Key -> takes hash as argument, requires :scrt_id, :type, optional :scrt_item_id, :path
+secrets.download_secret_file(:scrt_id => 2345, :path => 'secrets/', :type => "Private Key")
+
+## Public Key -> takes hash as argument, requires :scrt_id, :type, optional :scrt_item_id, :path
+secrets.download_secret_file(:scrt_id => 2345, :path => 'secrets/', :type => "Public Key")
+
+## Attachment; only supports secrets with single attachment -> takes hash as argument, requires :scrt_id, :path, optional :scrt_item_id, :path
+secrets.download_secret_file(:scrt_id => 2345, :path => 'secrets/', :type => "Attachment")
+
+```
+
+### Command Line
+
+Zanzibar comes bundled with the `zanzibar` command-line utility that can be used for fetching passwords and downloading keys from outside of Ruby.
+
+`zanzibar` supports most actions provided by Zanzibar itself. Because it operates on the command-line, it can be used as part of a pipeline or within a bash script.
+
+```bash
+# if you don't pipe in a password, you will be prompted to enter one.
+# this will download the private key from secret 1984 to the current directory
+cat ./local-password | zanzibar 1984 -s server.example.com -d example.com -t privatekey
+
+ssh user@someremote -i ./private_key
+```
+
+## Contributing
+
+1. Fork it ( https://github.com/Cimpress-MCP/zanzibar/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,11 @@
+require 'bundler/gem_tasks'
+require 'bundler/setup' # load up our gem environment (incl. local zanzibar)
+require 'rspec/core/rake_task'
+require 'vagrant-zanzibar/version'
+require 'rubocop/rake_task'
+
+task default: [:test]
+
+RSpec::Core::RakeTask.new(:test)
+
+RuboCop::RakeTask.new

data/bin/zamioculcas

@@ -0,0 +1,2 @@
+#! ruby
+system("zanzibar #{ARGV.join(" ")}")

data/bin/zanzibar

@@ -0,0 +1,72 @@
+#! ruby
+
+require 'vagrant-zanzibar'
+require 'optparse'
+
+options = {
+  :domain => 'local'
+}
+
+OptionParser.new do |opts|
+  opts.banner = "Usage: zamioculcas -d domain [-w wsdl] [-k] [-p] [secret_id]"
+
+  opts.on("-d", "--domain DOMAIN", "Specify domain") do |v|
+    options[:domain] = v
+  end
+
+  opts.on("-w", "--wsdl WSDL", "Specify WSDL location") do |v|
+    options[:wsdl] = v
+  end
+
+  opts.on("-s", "--server SERVER", "Secret server hostname or IP") do |v|
+    options[:server] = v
+  end
+
+  opts.on("-k", "--no-check-certificate", "Don't run SSL certificate checks") do |v|
+    options[:globals] = {:ssl_verify_mode => :none}
+  end
+
+  opts.on("-p", "--password PASSWORD", "Specify password") do |v|
+    options[:pwd] = v
+  end
+
+  opts.on("-t", "--type TYPE", "Specify the type of secret") do |v|
+    options[:type] = v
+  end
+
+  opts.on("-u", "--user USER", "Specify the username") do |v|
+    options[:username] = v
+  end
+
+end.parse!
+
+raise OptionParser::MissingArgument if options[:server].nil?
+options[:type] = "password" if options[:type].nil?
+
+unless STDIN.tty? || options[:pwd]
+  options[:pwd] = $stdin.read.strip
+end
+
+secret_id = Integer(ARGV.pop)
+if(!secret_id)
+  fail "no secret!"
+end
+
+unless options[:wsdl] || options[:server].nil?
+  options[:wsdl] = "https://#{options[:server]}/webservices/sswebservice.asmx?wsdl"
+end
+
+scrt = Zanzibar::Zanzibar.new(options)
+
+case options[:type]
+when "password"
+  $stdout.write "#{scrt.get_password(secret_id)}\n"
+when "privatekey"
+  scrt.download_private_key(:scrt_id=>secret_id)
+when "publickey"
+  scrt.download_public_key(:scrt_id=>secret_id)
+when "attachment"
+  scrt.download_attachment(:scrt_id=>secret_id)
+else
+  $stderr.write "#{options[:type]} is not a known type."
+end

data/lib/vagrant-zanzibar.rb

@@ -0,0 +1,213 @@
+require 'vagrant-zanzibar/version'
+require 'savon'
+require 'io/console'
+require 'fileutils'
+
+module Zanzibar
+  ##
+  # Class for interacting with Secret Server
+  class Zanzibar
+    ##
+    # @param args{:domain, :wsdl, :pwd, :username, :globals{}}
+
+    def initialize(args = {})
+
+      ## Array to store checked out secrets
+      @@secrets = []
+
+      if args[:username]
+        @@username = args[:username]
+      else
+        @@username = ENV['USER']
+      end
+
+      if args[:wsdl]
+        @@wsdl = args[:wsdl]
+      else
+        @@wsdl = get_wsdl_location
+      end
+      if args[:pwd]
+        @@password = args[:pwd]
+      else
+        @@password = prompt_for_password
+      end
+      if args[:domain]
+        @@domain = args[:domain]
+      else
+        @@domain = prompt_for_domain
+      end
+      args[:globals] = {} unless args[:globals]
+      init_client(args[:globals])
+    end
+
+    ## Initializes the Savon client class variable with the wdsl document location and optional global variables
+    # @param globals{}, optional
+
+    def init_client(globals = {})
+      globals = {} if globals.nil?
+      Savon.configure do |config|
+        config.log = false
+      end
+      @@client = Savon::Client.new(@@wsdl) do
+        #wsdl.endpoint  = "https://scrt.vistaprint.net/webservices/sswebservice.asmx"
+        #wsdl.namespace = "thesecretserver.com"
+        http.auth.ssl.verify_mode = :none
+        HTTPI.log = false
+      end
+      #@@client.log = false
+      #@@client.http.auth.ssl.verify_mode = :none
+    end
+
+    ## Gets the user's password if none is provided in the constructor.
+    # @return [String] the password for the current user
+
+    def prompt_for_password
+      puts "Please enter password for #{@@username}:"
+      STDIN.noecho(&:gets).chomp
+    end
+
+    ## Gets the wsdl document location if none is provided in the constructor
+    # @return [String] the location of the WDSL document
+
+    def prompt_for_wsdl_location
+      puts 'Enter the URL of the Secret Server WSDL:'
+      STDIN.gets.chomp
+    end
+
+    ## Gets the domain of the Secret Server installation if none is provided in the constructor
+    # @return [String] the domain of the secret server installation
+
+    def prompt_for_domain
+      puts 'Enter the domain of your Secret Server:'
+      STDIN.gets.chomp
+    end
+
+    ## Check in the secrets that are currently checked out
+    def check_in_secrets
+      failures = []
+      token = get_token
+      @@secrets.each do |secret_id|
+        begin
+          response = @@client.request(:wsdl, :check_in) { soap.body = { token: token, secretId: secret_id} }
+            .hash[:envelope][:body][:check_in_response][:check_in_result][:errors]
+            if !response.nil? and response[:string] != "Secret is not CheckedOut to current user."
+              failures << "Error checking in secret #{secret_id} : #{response[:string]}"
+            end
+        rescue Savon::Error => err
+        raise "There was an error checking in secret #{secret_id}: #{err}"
+        end
+      end
+      if !failures.empty?
+        failures.each do |message|
+          puts message
+        end
+        abort()
+      end
+    end
+
+    ## Get an authentication token for interacting with Secret Server. These are only good for about 10 minutes so just get a new one each time.
+    # Will raise an error if there is an issue with the authentication.
+    # @return the authentication token for the current user.
+
+    def get_token
+      response = @@client.request( :wsdl, :authenticate) { soap.body =  { username: @@username, password: @@password, organization: '', domain: @@domain }}
+        .hash[:envelope][:body][:authenticate_response][:authenticate_result]
+      abort("Error generating the authentication token for user #{@@username}: #{response[:errors][:string]}")  if response[:errors]
+      response[:token]
+    rescue Savon::Error => err
+      raise "There was an error generating the authentiaton token for user #{@@username}: #{err}"
+    end
+
+    ## Get a secret returned as a hash
+    # Will raise an error if there was an issue getting the secret
+    # @param [Integer] the secret id
+    # @return [Hash] the secret hash retrieved from the wsdl
+
+    def get_secret(scrt_id, token = nil)
+      token = get_token if token.nil?
+      secret = @@client.request(:wsdl, :get_secret) { soap.body = { token: token, secretId: scrt_id } }.hash[:envelope][:body][:get_secret_response][:get_secret_result]
+      abort("There was an error getting secret #{scrt_id}: #{secret[:errors][:string]}") if secret[:errors]
+      @@secrets << scrt_id
+      return secret
+    rescue Savon::Error => err
+      raise "There was an error getting the secret with id #{scrt_id}: #{err}"
+    end
+
+    ## Retrieve a simple password from a secret
+    # Will raise an error if there are any issues
+    # @param [Integer] the secret id
+    # @return [String] the password for the given secret
+
+    def get_password(scrt_id)
+      secret = get_secret(scrt_id)
+      secret_items = secret[:secret][:items][:secret_item]
+      return get_secret_item_by_field_name(secret_items, 'Password')[:value]
+    rescue Savon::Error => err
+      raise "There was an error getting the password for secret #{scrt_id}: #{err}"
+    end
+
+    def write_secret_to_file(path, secret_response)
+      File.open(File.join(path, secret_response[:file_name]), 'wb') do |file|
+        file.puts Base64.decode64(secret_response[:file_attachment])
+      end
+    end
+
+    def get_secret_item_by_field_name(secret_items, field_name)
+      secret_items.each do |item|
+        return item if item[:field_name] == field_name
+      end
+    end
+
+    ## Get the secret item id that relates to a key file or attachment.
+    # Will raise on error
+    # @param [Integer] the secret id
+    # @param [String] the type of secret item to get, one of privatekey, publickey, attachment
+    # @return [Integer] the secret item id
+
+    def get_scrt_item_id(scrt_id, type, token)
+      secret = get_secret(scrt_id, token)
+      secret_items = secret[:secret][:items][:secret_item]
+      begin
+        return get_secret_item_by_field_name(secret_items, type)[:id]
+      rescue
+        raise "Unknown type, #{type}."
+      end
+    end
+
+    ## Downloads a file for a secret and places it where Zanzibar is running, or :path if specified
+    # Raise on error
+    # @param [Hash] args, :scrt_id, :type (one of "Private Key", "Public Key", "Attachment"), :scrt_item_id - optional, :path - optional
+
+    def download_secret_file(args = {})
+      token = get_token
+      scrt_item_id = get_scrt_item_id(args[:scrt_id], args[:type], token)
+      FileUtils.mkdir_p(args[:path]) if args[:path]
+      path = args[:path] ? args[:path] : '.' ## The File.join below doesn't handle nils well, so let's take that possibility away.
+      begin
+        response = @@client.request(:wsdl, :download_file_attachment_by_item_id){ soap.body =
+          { token: token, secretId: args[:scrt_id], secretItemId: scrt_item_id  }}
+                   .hash[:envelope][:body][:download_file_attachment_by_item_id_response][:download_file_attachment_by_item_id_result]
+        abort("There was an error getting the #{args[:type]} for secret #{args[:scrt_id]}: #{response[:errors][:string]}")  if response[:errors]
+        write_secret_to_file(path, response)
+      rescue Savon::Error => err
+        raise "There was an error getting the #{args[:type]} for secret #{args[:scrt_id]}: #{err}"
+      end
+    end
+
+    ## Methods to maintain backwards compatibility
+    def download_private_key(args = {})
+      args[:type] = 'Private Key'
+      download_secret_file(args)
+    end
+
+    def download_public_key(args = {})
+      args[:type] = 'Public Key'
+      download_secret_file(args)
+    end
+
+    def download_attachment(args = {})
+      args[:type] = 'Attachment'
+      download_secret_file(args)
+    end
+  end
+end

data/lib/vagrant-zanzibar/version.rb

@@ -0,0 +1,3 @@
+module Zanzibar
+  VERSION = '0.1.1'
+end