npm - vvauth - Versions diffs - 1.1.3 → 2.0.0 - Mend

vvauth 1.1.3 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -18,7 +18,7 @@ vauth configuration file is a simple yaml file with a specific macro expansion s
 The configuration file should abide the following schema
 ### configuration macro expansion set
-* $${profile.XXX} expand to vault entity metadata/custom_metadata vars
+* $${profile.XXX} expand to vault entity metadata and user `.vauth_database` vars
 * $${env.XXX} expand to local environement vars
 * $${secrets.XXX} expand to remote scrapped secrets (see the env.paths)

package/index.js CHANGED Viewed

@@ -7,6 +7,7 @@ const path  = require('path');
 const url   = require('url');
 const {spawn} = require('child_process');
 const passthru = require('nyks/child_process/passthru');
+const wait     = require('nyks/child_process/wait');
 const {parse} = require('yaml');
 const semver     = require('semver');
@@ -112,12 +113,12 @@ class vvauth {
   async set(k, v) {
-    let {entity_id, identity : {metadata}} = await this._get_profile();
-    if(!metadata)
-      metadata = {};
-    let key_name = `env_${k.toUpperCase()}`;
-    metadata[key_name] = v;
-    await this._update_identity(this.VAULT_TOKEN, entity_id, {metadata});
+    let {profile, database} = await this._vault_get_profile();
+    if(!profile.VAUTH_USER_LOGIN)
+      throw "Could not resolve VAUTH_USER_LOGIN from vault identity";
+    database[k.toUpperCase()] = v;
+    await this._vault_write(`private/${profile.VAUTH_USER_LOGIN}`, '.vauth_database', database);
   }
   async unset(k) {
@@ -125,62 +126,51 @@ class vvauth {
   }
   async show() {
-    let {profile} = await this._get_profile();
-    return profile;
+    let {profile, database} = await this._vault_get_profile();
+    return {...database, ...profile};
   }
-  async _get_profile() {
+  async _vault_get_profile() {
     await this.connect();
+    if(!this.VAULT_TOKEN)
+      return {};
     let {entity_id} = await this._lookup_token(this.VAULT_TOKEN);
     let identity = await this._lookup_identity(this.VAULT_TOKEN, entity_id);
-    let profile = {};
-    for(let alias of identity.aliases) {
-      for(let [k, v] of Object.entries(alias.custom_metadata || {})) {
-        if(k.startsWith('env_'))
-          profile[k.substr(4)] = v;
-      }
-    }
-    for(let [k, v] of Object.entries(identity.metadata || {})) {
-      if(k.startsWith('env_'))
-        profile[k.substr(4)] = v;
-    }
-    return {entity_id, identity, profile};
-  }
+    let profile = {...(identity.metadata || {})};
+    let database = {};
+    if(profile.VAUTH_USER_LOGIN)
+      database = await this._vault_read(`private/${profile.VAUTH_USER_LOGIN}`, '.vauth_database', true);
-  async dotenv() {
-    let {profile} = await this._get_profile();
+    return {entity_id, identity, profile, database};
+  }
-    let env = {VAULT_TOKEN : this.VAULT_TOKEN, VAULT_ADDR : this.VAULT_ADDR}, secrets = {},
-      {map = {}, paths, path : mount = "secrets"} = this.rc.env || {};
+  async _get_env() {
+    let {profile, database} = await this._vault_get_profile();
+    profile = {...database, ...profile};
+    let env = {VAULT_TOKEN : this.VAULT_TOKEN, VAULT_ADDR : this.VAULT_ADDR}, secrets = {},
+      {git, map = {}, paths, path : mount = "secrets"} = this.rc.env || {};
-    if(paths) {
-      for(let secret_path of paths) {
-        console.error("reaching paths", secret_path);
-        let data = await this._read(mount, secret_path);
-        secrets = {...secrets, ...data};
-      }
+    let {'ssh-agent-crypt' : agent } = this.rc;
+    if(agent) {
+      const {path, identity} = agent;
+      let child = spawn('ssh-agent-crypt', ["-decrypt", identity]);
-    }
-    for(let [k, v] of Object.entries(map))
-      env[k] = replaceEnv(v, {env : process.env, profile, secrets});
+      child.stdin.end(fs.readFileSync(path));
+      child.stderr.pipe(process.stderr);
-    for(let [k, v] of Object.entries(env)) {
-      process.stdout.write(`${k}=${String(v)}\n`);
-      process.stderr.write(`export ${k}=[redacted]\n`);
+      const [exit, body] = await Promise.all([wait(child, false), drain(child.stdout)]);
+      if(exit !== 0) {
+        console.error("Could not expand armored %s using %s", path, identity);
+        process.exit();
+      }
+      const result = JSON.parse(body);
+      secrets = {...secrets, ...result};
     }
-    process.exit();
-  }
-  async env(source = false) {
-    let {profile} = await this._get_profile();
-    let env = {VAULT_TOKEN : this.VAULT_TOKEN, VAULT_ADDR : this.VAULT_ADDR}, secrets = {},
-      {git, map = {}, paths, path : mount = "secrets"} = this.rc.env || {};
     if(git) {
       map = {...map,
         "GIT_COMMITTER_NAME" : profile.VAUTH_USER_NAME,
@@ -193,32 +183,69 @@ class vvauth {
     if(paths) {
       for(let secret_path of paths) {
         console.error("reaching paths", secret_path);
-        let data = await this._read(mount, secret_path);
+        let data = await this._vault_read(mount, secret_path);
         secrets = {...secrets, ...data};
       }
     }
     for(let [k, v] of Object.entries(map))
       env[k] = replaceEnv(v, {env : process.env, profile, secrets});
+    return env;
+  }
+  async dotenv() {
+    const env = await this._get_env();
+    for(let [k, v] of Object.entries(env)) {
+      process.stdout.write(`${k}=${String(v)}\n`);
+      process.stderr.write(`export ${k}=[redacted]\n`);
+    }
+    process.exit();
+  }
+  async env(source = false) {
+    const env = await this._get_env();
     if(source) {
       this._publish_env(env);
       process.exit();
     }
     return env;
   }
-  async _read(mount, secret_path) {
+  async _vault_read(mount, secret_path, optional = false) {
     let remote_url = `${trim(this.VAULT_ADDR, '/')}/v1/${mount}/data/${trim(secret_path, '/')}`;
-    let query = {...url.parse(remote_url), headers : {'x-vault-token' : this.VAULT_TOKEN}, expect : 200};
+    let query = {...url.parse(remote_url), headers : {'x-vault-token' : this.VAULT_TOKEN}};
     let res = await request(query);
-    return get(JSON.parse(String(await drain(res))), 'data.data');
+    let body = String(await drain(res));
+    if(optional && res.statusCode == 404)
+      return {};
+    if(res.statusCode != 200)
+      throw `Could not read vault secret '${mount}/${trim(secret_path, '/')}' : ${body}`;
+    return get(JSON.parse(body), 'data.data');
   }
+  async _vault_write(mount, secret_path, data) {
+    let remote_url = `${trim(this.VAULT_ADDR, '/')}/v1/${mount}/data/${trim(secret_path, '/')}`;
+    let query = {...url.parse(remote_url), headers : {'x-vault-token' : this.VAULT_TOKEN}, json : true};
+    let res = await request(query, {data});
+    let body = String(await drain(res));
+    if(res.statusCode != 200)
+      throw `Could not write vault secret '${mount}/${trim(secret_path, '/')}' : ${body}`;
+    return body ? JSON.parse(body) : {};
+  }
   async _login_vault_ssh({path = 'ssh', role}) {
     logger.info("Trying to auth as '%s'", role);
     let agent = new OpenSSHAgent(process.env.SSH_AUTH_SOCK);
     let keys = await promiser(chain => agent.getIdentities(chain));

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "vvauth",
-  "version": "1.1.3",
+  "version": "2.0.0",
   "description": "Vault Auth helper",
   "main": "index.js",
   "bin": {
@@ -17,6 +17,7 @@
     "mout": "^1.2.4",
     "nyks": "^6.15.0",
     "semver": "^7.5.4",
+    "ssh-agent-crypt": "^1.0.1",
     "ssh2": "^1.16.0",
     "yaml": "^2.6.1"
   },