#!/usr/bin/env nix-shell #!nix-shell -i python3 -p "python3.withPackages(ps: [ ps.pip ps.consul ps.ldap ps.passlib ps.requests ps.six ps.toml ])" # DEPENDENCY: python-consul import consul # DEPENDENCY: python-ldap import ldap # DEPENDENCY: passlib from passlib.hash import ldap_salted_sha1 # DEPENDENCY: toml import toml import os import sys import glob import subprocess import getpass import base64 from secrets import token_bytes """ This is a utility to handle secrets in the Consul database for the various components of the Deuxfleurs infrastructure Functionnalities: - check that secrets are correctly configured - help user fill in secrets - create LDAP service users and fill in corresponding secrets - TODO: manage Garage buckets and access keys - maybe one day: manage SSL certificates and keys """ # ---- UTIL ---- consul_server = consul.Consul() class bcolors: HEADER = '\033[95m' OKBLUE = '\033[94m' OKCYAN = '\033[96m' OKGREEN = '\033[92m' WARNING = '\033[93m' FAIL = '\033[91m' ENDC = '\033[0m' BOLD = '\033[1m' UNDERLINE = '\033[4m' # ---- SECRETS ---- class Secret: def __init__(self, key, config, description=None): self.config = config self.key = key self.consul_key = "secrets/" + key if description != None: self.description = description else: self.description = None def check(self, value): return True def generate(self): pass def rotate(self): return None def print_info(self): print("Secret: {}".format(self.consul_key)) print("Type: {}".format(self.__class__.__name__)) if self.description != None: print("Description: {}".format(self.description)) class UserSecret(Secret): def __init__(self, example=None, multiline=False, **kwargs): Secret.__init__(self, **kwargs) self.example = example self.multiline = multiline def generate(self): if self.key in self.config.constants: print("Using constant value from cluster's secretmgr.toml") return self.config.constants[self.key] print("Enter value for secret, or ^C to skip:") if self.multiline: print("THIS IS A LONG VALUE, ENTER SEVERAL LINES AND FINISH WITH A LINE CONTAINING A SINGLE .") try: lines = [] while True: line = input().strip() if line == ".": break lines.append(line) return "\n".join(lines) except KeyboardInterrupt: return None else: try: while True: line = input().strip() if line != "": return line else: print("Please enter a non-empty value, or ^C to skip:") except KeyboardInterrupt: return None class CommandSecret(Secret): def __init__(self, command, rotate=False, **kwargs): Secret.__init__(self, **kwargs) self.command = command self.rotate_value = rotate def generate(self): print("Executing command:", self.command) return subprocess.check_output(["sh", "-c", self.command]) def rotate(self): if self.rotate_value: return self.generate() else: return None class ConstantSecret(Secret): def __init__(self, value, **kwargs): Secret.__init__(self, **kwargs) self.value = value def check(self, value): return value == self.value def generate(self): return self.value # ---- SERVICE USERS ---- class ServiceUserPasswordSecret(Secret): def __init__(self, service_user, **kwargs): Secret.__init__(self, **kwargs) self.service_user = service_user def check(self, value): l = ldap.initialize(self.config.ldap_server) try: l.simple_bind_s(self.service_user.dn, value) return True except Exception as e: return False def generate(self): return self.service_user.password def rotate(self): return self.service_user.password class ServiceUser: def __init__(self, username, password_secret, config, description=None, dn_secret=None, username_secret=None, rotate_password=False): self.config = config self.username = username self.description = description self.password = None self.dn = "cn={},{}".format(self.username, self.config.ldap_service_dn_suffix) self.rotate_password = rotate_password self.password_secret = ServiceUserPasswordSecret( config=config, service_user=self, key=password_secret, description="LDAP password for service user {}".format(username), ) self.username_secret = None if username_secret != None: self.username_secret = ConstantSecret( config=config, key=username_secret, value=username, description="LDAP username for service user {}".format(username), ) self.dn_secret = None if dn_secret != None: self.dn_secret = ConstantSecret( config=config, key=dn_secret, value=self.dn, description="LDAP DN for service user {}".format(username), ) def secrets(self): secrets = {} secrets[self.password_secret.key] = self.password_secret if self.dn_secret != None: secrets[self.dn_secret.key] = self.dn_secret if self.username_secret != None: secrets[self.username_secret.key] = self.username_secret return secrets def configure(self, rotate): _, data = consul_server.kv.get(self.password_secret.consul_key) if data is None: good = False else: l = ldap.initialize(self.config.ldap_server) try: self.password = data["Value"].decode('ascii') l.simple_bind_s(self.dn, self.password) good = True except: good = False if not good or (rotate and self.rotate_password): # Reset passsword self.password = base64.urlsafe_b64encode(token_bytes(12)).decode('ascii') pass_crypt = ldap_salted_sha1.hash(self.password).encode('ascii') l = self.config.get_ldap_admin_conn() res = l.search_s(self.dn, ldap.SCOPE_BASE, "objectclass=*") if res is None or len(res) == 0: print(bcolors.OKCYAN, "Creating entity", self.dn, bcolors.ENDC) l.add_s(self.dn, [ ("objectclass", [b"person", b"top"]), ("displayname", [self.description.encode('ascii')]), ("userpassword", [pass_crypt]), ]) else: print(bcolors.OKCYAN, "Resetting password for entity", self.dn, bcolors.ENDC) l.modify_s(self.dn, [ (ldap.MOD_REPLACE, "userpassword", [pass_crypt]) ]) else: print(bcolors.OKGREEN, "Entity is good: ", self.dn, bcolors.ENDC) # ---- MAIN CONFIG CLASS ---- class Config: def __init__(self, cluster_name): self.cluster_name = cluster_name self.app_path = os.path.join(".", "cluster", cluster_name, "app") self.service_users = {} self.secrets = {} self.modules = [] # Load config from secretmgr.toml in cluster directory secretmgr_toml_path = os.path.join(".", "cluster", cluster_name, "secretmgr.toml") if os.path.exists(secretmgr_toml_path): with open(secretmgr_toml_path) as f: secretmgr_toml = toml.load(f) else: secretmgr_toml = {} if "constants" in secretmgr_toml: self.constants = secretmgr_toml["constants"] else: self.constants = {} self.ldap_server = None self.ldap_service_dn_suffix = None self.ldap_admin_dn = None self.ldap_admin_password_secret = None self.ldap_admin_conn = None if "ldap" in secretmgr_toml: if "server" in secretmgr_toml["ldap"]: self.ldap_server = secretmgr_toml["ldap"]["server"] if "service_dn_suffix" in secretmgr_toml["ldap"]: self.ldap_service_dn_suffix = secretmgr_toml["ldap"]["service_dn_suffix"] if "admin_dn" in secretmgr_toml["ldap"]: self.ldap_admin_dn = secretmgr_toml["ldap"]["admin_dn"] if "admin_password_secret" in secretmgr_toml["ldap"]: self.ldap_admin_password_secret = secretmgr_toml["ldap"]["admin_password_secret"] def load_module(self, module_name): secrets_toml_path = os.path.join(self.app_path, module_name, "secrets.toml") with open(secrets_toml_path) as f: secrets_toml = toml.load(f) self.modules.append(module_name) # Service users, and their associated secrets if "service_users" in secrets_toml: for (uname, uargs) in secrets_toml["service_users"].items(): service_user = ServiceUser(uname, config=self, **uargs) for (skey, secret) in service_user.secrets().items(): if skey in self.secrets: raise Exception("Duplicate secret: {}".format(skey)) self.secrets[skey] = secret self.service_users[uname] = service_user # Other secrets if "secrets" in secrets_toml: for (skey, sargs) in secrets_toml["secrets"].items(): ty = sargs["type"] del sargs["type"] if ty == "user": secret = UserSecret(config=self, key=skey, **sargs) elif ty == "command": secret = CommandSecret(config=self, key=skey, **sargs) elif ty == "constant": secret = ConstantSecret(config=self, key=skey, **sargs) else: raise Exception("Invalid secret type: {}".format(ty)) if skey in self.secrets: raise Exception("Duplicate secret: {}".format(skey)) self.secrets[skey] = secret def add_constant_secrets(self): for (skey, value) in self.constants.items(): self.secrets[skey] = ConstantSecret( config=self, key=skey, value=value, description="Constant value for secret {}".format(skey)) def get_ldap_admin_conn(self): if self.ldap_admin_conn is None: if self.ldap_admin_password_secret != None: pass_key = "secrets/" + self.ldap_admin_password_secret _, data = consul_server.kv.get(pass_key) if data is None: raise Exception("LDAP admin password could not be read at: {}".format(pass_key)) ldap_pass = data["Value"].decode('ascii').strip() else: ldap_pass = getpass.getpass("LDAP admin password: ") self.ldap_admin_conn = ldap.initialize(self.ldap_server) self.ldap_admin_conn.simple_bind_s(self.ldap_admin_dn, ldap_pass) return self.ldap_admin_conn def check_secrets(self): print(":: Checking secrets...") must_gen = False for (_, secret) in self.secrets.items(): _, data = consul_server.kv.get(secret.consul_key) if data is None: print(secret.consul_key, bcolors.FAIL, "x missing", bcolors.ENDC) must_gen = True elif not secret.check(data["Value"].decode('ascii').strip()): print(secret.consul_key, bcolors.WARNING, "x bad value", bcolors.ENDC) must_gen = True else: print(secret.consul_key, bcolors.OKGREEN, "✓", bcolors.ENDC) print() if must_gen: print("To fix missing or invalid secrets, use `secretmgr gen ...`") print() def gen_secrets(self): if len(self.service_users) > 0: print(":: Configuring service users...") for (_, su) in self.service_users.items(): su.configure(False) print() print(":: Generating missing/invalid secrets...") for (_, secret) in self.secrets.items(): _, data = consul_server.kv.get(secret.consul_key) if data is None or not secret.check(data["Value"].decode('ascii').strip()): print() secret.print_info() value = secret.generate() if value != None: consul_server.kv.put(secret.consul_key, value) print(bcolors.OKCYAN, "Value set.", bcolors.ENDC) else: print(bcolors.WARNING, "Skipped.", bcolors.ENDC) print() self.check_secrets() def rotate_secrets(self): if len(self.service_users) > 0: print(":: Regenerating service user passwords...") for (_, su) in self.service_users.items(): su.configure(True) print() print(":: Rotating secrets...") for (_, secret) in self.secrets.items(): print() secret.print_info() _, data = consul_server.kv.get(secret.consul_key) if data is None: old_value = None else: old_value = data["Value"].decode('ascii').strip() new_value = secret.rotate() if new_value != None and new_value != old_value: consul_server.kv.put(secret.consul_key, new_value) print(bcolors.OKCYAN, "Value set.", bcolors.ENDC) else: print(bcolors.OKGREEN, "Nothing to do.", bcolors.ENDC) print() self.check_secrets() # ---- MAIN ---- def load_config(cluster_name, modules): cfg = Config(cluster_name) if len(modules) > 0: for mod in modules: cfg.load_module(mod) else: cfg.add_constant_secrets() return cfg if __name__ == "__main__": verb = None for i, val in enumerate(sys.argv): if val == "check": verb = lambda cfg: cfg.check_secrets() break elif val == "gen": verb = lambda cfg: cfg.gen_secrets() break elif val == "rotate": verb = lambda cfg: cfg.rotate_secrets() break if verb is None: print("Usage:") print(" secretmgr.py [check|gen|rotate] ...") else: cfg = load_config(sys.argv[i+1], sys.argv[i+2:]) verb(cfg) # vim: set sts=4 ts=4 sw=4 tw=0 ft=python et :