vvauth 0.2.2 → 0.3.1

  1. package/README.md +45 -0
  2. package/index.js +35 -11
  3. package/package.json +2 -1
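--- a/package/README.md
+++ b/package/README.md
@@ -4,3 +4,48 @@ This projects helps you log yourself in a HCL vault and retrieve VAULT_TOKEN thr
 * jwt login
 * ssh (with agent) login
 
+
+# Vauth configuration
+## Vauth configuration file location
+vauth configuration file lies on a `.vauthrc` file (this name can be controlled by the VAUTHRC env var).
+vauth will try to find
+* if specified, the VAUTHRC file
+* fallback to a .vauthrc file in the current directory
+* fallback to a .vauthrc file in the current user home directory
+
+## Vauth configuration format
+vauth configuration file is a simple yaml file with a specific macro expansion syntax for dynamic parts.
+The configuration file should abide the following schema
+
+### configuration macro expansion set
+* $${profile.XXX} expand to vault entity metadata/custom_metadata vars
+* $${env.XXX} expand to local environement vars
+* $${secrets.XXX} expand to remote scrapped secrets (see the env.paths)
+
+```
+# vauth URL
+vault_addr: https://vauth.myserver.org
+
+# for vauth-auth-plugin-ssh, configure the binding role here
+ssh_auth:
+role: $${env.VAUTH_USER_LOGIN}
+env:
+map:
+TF_HTTP_USERNAME: $${profile.VAUTH_USER_LOGIN}
+TF_HTTP_PASSWORD: $${profile.GITLAB_API_TOKEN}
+AWS_ACCESS_KEY_ID: $${secrets.AWS_ACCESS_KEY_ID}
+AWS_SECRET_ACCESS_KEY: $${secrets.AWS_SECRET_ACCESS_KEY}
+
+# remote secrets mecanism
+# set the secrets mount point - default to secrets
+[path: secrets]
+# list extra secrets to be reached and populated into the $${secrets.XXX} macro
+paths:
+- /some/pa4-backend.creds
+
+```
+
+
+# Credits
+* [Francois Leurent](https://github.com/131)
+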
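--- a/package/index.js
+++ b/package/index.js
@@ -9,6 +9,7 @@ const net = require('net');
 const {spawn} = require('child_process');
 
 const {parse} = require('yaml');
+const semver = require('semver');
 const SSHAgent = require('ssh-agent-js/client');
 const trim = require('mout/string/trim');
 const get = require('mout/object/get');
@@ -35,6 +36,15 @@ const FUNCTION_DECL = "function vauth() { source <(/usr/bin/env vvauth --ir://ra
 class vvauth {
 constructor(rc = null) {
 
+
+let {dependencies = {}} = require(path.resolve('package.json'));
+
+for(let [module_name, module_version] of Object.entries(dependencies)) {
+let {version} = require(require.resolve(`${module_name}/package.json`));
+if(!semver.satisfies(version, module_version))
+throw `Unsupported ${module_name} version (requires ${module_version})`;
+}
+
 this.rc = {};
 if(rc) {
 this.rc = rc;
@@ -42,7 +52,7 @@ class vvauth {
 let vauth_rc = VAUTH_RC.filter(path => path && fs.existsSync(path))[0];
 if(vauth_rc) {
 let body = fs.readFileSync(vauth_rc, 'utf8');
-this.rc = walk(parse(body), v => replaceEnv(v, { env : process.env}));
+this.rc = walk(parse(body), v => replaceEnv(v, {env : process.env}));
 }
 }
 
@@ -126,21 +136,27 @@ class vvauth {
 async env(source = false) {
 let {profile} = await this._get_profile();
 
-let env = {VAULT_TOKEN : this.VAULT_TOKEN}, {git, map} = this.rc.env || {};
+let env = {VAULT_TOKEN : this.VAULT_TOKEN}, secrets = {},
+{git, map = {}, paths, path : mount = "secrets"} = this.rc.env || {};
+
 if(git) {
 map = {...map,
-"GIT_COMMITTER_NAME" : "VAUTH_USER_NAME",
-"GIT_COMMITTER_EMAIL" : "VAUTH_USER_MAIL",
-"GIT_AUTHOR_EMAIL" : "VAUTH_USER_MAIL",
-"GIT_AUTHOR_NAME" : "VAUTH_USER_NAME",
-"GIT_USER_LOGIN" : "VAUTH_USER_LOGIN",
+"GIT_COMMITTER_NAME" : profile.VAUTH_USER_NAME,
+"GIT_COMMITTER_EMAIL" : profile.VAUTH_USER_MAIL,
+"GIT_AUTHOR_EMAIL" : profile.VAUTH_USER_MAIL,
+"GIT_AUTHOR_NAME" : profile.VAUTH_USER_NAME,
+"GIT_USER_LOGIN" : profile.VAUTH_USER_LOGIN,
 };
 }
-
-for(let [k, v] of Object.entries(map || {})) {
-if(profile[v])
-env[k] = profile[v];
+if(paths) {
+for(let secret_path of paths) {
+console.error("reaching paths", secret_path);
+let data = await this._read(mount, secret_path);
+secrets = {...secrets, ...data};
+}
 }
+for(let [k, v] of Object.entries(map))
+env[k] = replaceEnv(v, {env : process.env, profile, secrets});
 
 if(source) {
 this._publish_env(env);
@@ -148,6 +164,14 @@ class vvauth {
 }
 }
 
+
+async _read(mount, secret_path) {
+let remote_url = `${trim(this.vault_addr, '/')}/v1/${mount}/data/${trim(secret_path, '/')}`;
+let query = {...url.parse(remote_url), headers : {'x-vault-token' : this.VAULT_TOKEN}, expect : 200};
+let res = await request(query);
+return get(JSON.parse(String(await drain(res))), 'data.data');
+}
+
 async _login_vault_ssh({path = 'ssh', role}) {
 logger.info("Trying to auth as '%s'", role);
 let sock;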
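Review bot: The dependency check added at the top of the constructor resolves `package.json` against the current working directory (`path.resolve('package.json')`) rather than against the package itself, so a globally installed `vvauth` binary run from any other directory either fails with MODULE_NOT_FOUND or validates whatever unrelated project's dependency list happens to sit in cwd, and that foreign list is then fed name by name into `require.resolve`. Read the module's own manifest instead: `let {dependencies = {}} = require(path.join(__dirname, 'package.json'));`. The version-mismatch failure is also thrown as a bare template string, which carries no stack and defeats `instanceof Error` handling in callers; wrap the same message in `new Error(...)` before throwing. Whether `path` is required at the top of the file is not visible in this diff, and the constructor body continues outside the hunk.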
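--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "vvauth",
-"version": "0.2.2",
+"version": "0.3.1",
 "description": "Vault Auth helper",
 "main": "index.js",
 "bin": {
@@ -16,6 +16,7 @@
 "debug": "^4.3.4",
 "mout": "^1.0.0",
 "nyks": "^6.9.1",
+"semver": "^7.5.4",
 "ssh-agent-js": "^2.0.4",
 "yaml": "^2.6.1"
 },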