Commit 9d71c05 (parent 06bfb51)

Add profile_name to all actions, add revoke_token action, bump hvac to 1.1.0

nzlosh committed Aug 7, 2023

Showing 44 changed files with 445 additions and 260 deletions.
20 changes: 9 additions & 11 deletions .github/workflows/build_and_test.yaml
Expand Up @@ -12,14 +12,15 @@ jobs:
# StackStorm-Exchange/ci/.github/workflows/pack-build_and_test.yaml@master

build_and_test:
runs-on: ubuntu-latest
runs-on: ubuntu-20.04
name: 'Build and Test / Python ${{ matrix.python-version-short }}'
strategy:
matrix:
include:
- python-version-short: "3.6"
python-version: 3.6.13
vault-version: 1.5.9
- python-version-short: "3.8"
python-version: 3.8.17
vault-version: "1.12.5-1"
hvac-gh-tag: "v1.1.1"
steps:
- name: Checkout Pack Repo and CI Repos
uses: StackStorm-Exchange/ci/.github/actions/checkout@master
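Review bot: the new `hvac-gh-tag` key is only defined on the 3.8 matrix entry, so `${{ matrix.hvac-gh-tag }}` expands to an empty string for the 3.6 entry wherever it is consumed; either add `hvac-gh-tag` to the 3.6 entry as well or drop that entry (Python 3.6 has been end-of-life since December 2021). Note also that the tag `v1.1.1` pinned here does not match the hvac 1.1.0 named in the commit message; confirm which release the pack targets and use the same version in both places.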
Expand All @@ -30,7 +31,7 @@ jobs:
path: hvac
repository: hvac/hvac
# main = the release branch; devel = the active development branch
ref: main
ref: ${{ matrix.hvac-gh-tag }}
fetch-depth: 0

- name: Install APT Dependencies
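Review bot: `ref: ${{ matrix.hvac-gh-tag }}` becomes an empty `ref` for any matrix entry that does not define the key, and the checkout then falls back to the repository's default branch instead of failing, so that job would quietly test against an unpinned hvac `main`. Make the key mandatory for every entry, or guard the step with a check that `matrix.hvac-gh-tag` is non-empty. The comment above `ref:` still describes the `main`/`devel` branches and should now say the value is a release tag.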
Expand All @@ -50,7 +51,7 @@ jobs:
working-directory: pack
shell: bash
run: |
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/hashicorp.gpg
echo "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
| sudo tee /etc/apt/sources.list.d/hashicorp.list
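Review bot: the dearmored key is written to `/etc/apt/trusted.gpg.d/hashicorp.gpg`, which makes it a trusted signer for every configured apt repository, and the `deb [arch=amd64] ...` line below carries no `signed-by=` option. Prefer storing the key under `/usr/share/keyrings/` (or `/etc/apt/keyrings/`) and referencing it as `[arch=amd64 signed-by=/usr/share/keyrings/hashicorp.gpg]` so it can only vouch for the HashiCorp repository. The key is fetched over HTTPS and never checked; comparing its fingerprint (`gpg --show-keys`) against the one HashiCorp publishes would catch a swapped key.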
Expand All @@ -59,10 +60,7 @@ jobs:
-o APT::Get::List-Cleanup="0" \
-o Dir::Etc::sourcelist="sources.list.d/hashicorp.list"
sudo apt install \
consul \
vault=${{ matrix.vault-version }} \
;
sudo apt install consul vault=${{ matrix.vault-version }}
# We disble cap_ipc_lock here as its generally incompatabile with GitHub
# Actions' runtime environments.
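Review bot: `consul` is installed unpinned while `vault` is pinned to `${{ matrix.vault-version }}`, so the consul version will drift between CI runs; pin it the same way if the tests depend on it. The retained comment below also has two typos (`disble`, `incompatabile`) worth fixing while the block is being touched.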
Expand Down Expand Up @@ -99,7 +97,7 @@ jobs:

services:
mongo:
image: mongo:3.4
image: mongo:4.4
ports:
- 27017:27017
rabbitmq:
3 changes: 3 additions & 0 deletions CHANGES.md
Expand Up @@ -6,6 +6,9 @@
- Add profile support to pack to define multiple Vault end-points.
- Updated README with full list of available actions.
- Fixes TLS support for server and client certificates.
- Updated HVAC python module dependency v1.1.0
- Added token revoke action.
- Updated all actions to use profile name.

## 1.0.0

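Review bot: `Updated HVAC python module dependency v1.1.0` disagrees with the `hvac-gh-tag: "v1.1.1"` pinned in the workflow in this same commit; state one version here and wherever the pack pins its Python dependencies. The rename of the `update_tactic` values from `update`/`abstain` to `overwrite`/`refrain` in the README changes which parameter values the action accepts and should be listed in this changelog as a user-visible change.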
7 changes: 3 additions & 4 deletions README.jinja
Expand Up @@ -77,10 +77,9 @@ The following string sets are available

### Update tactic

The update tactic allows control of how the action will update existing secrets. The currently supported
tactics are:
- `update`: Overwrite an existing secret.
- `abstain`: Do not overwrite an existing secret.
The update tactic controls how the action will update existing secrets. It's intended to ensure idempotence on multiple runs of the secret generation action. The currently supported tactics are:
- `overwrite`: Overwrite an existing secret.
- `refrain`: Do not overwrite an existing secret.

## Sensors
{% if sensors | length > 0 %}
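Review bot: renaming the accepted `update_tactic` values from `update`/`abstain` to `overwrite`/`refrain` breaks any existing workflow that still passes the old names; call the rename out in the changelog and have the action reject unknown values with an explicit error rather than silently treating them as one of the two. The sentence "It's intended to ensure idempotence on multiple runs" holds only for `refrain`; `overwrite` regenerates the secret on every run, so say which tactic gives that property.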
120 changes: 73 additions & 47 deletions README.md
Expand Up @@ -24,11 +24,21 @@ The following options are required to be configured for the pack to work correct

The pack provides the following actions:

### delete
_Delete value from Vault server_
### delete_policy
_Delete policy from Vault server_
| Parameter | Type | Required | Secret | Description |
|---|---|---|---|---|
| `path` | string | True | default | _Path to delete from Vault_ |
| `profile_name` | string | False | default | _The profile to use to run this action._ |
| `name` | string | True | default | _Policy to delete from Vault_ |
### read_kv
_Read a kv value from Vault server_
| Parameter | Type | Required | Secret | Description |
|---|---|---|---|---|
| `profile_name` | string | False | default | _The profile to use to run this action._ |
| `path` | string | True | default | _Key to read from Vault_ |
| `kv_version` | number | True | default | _The version of the KV store in vault. Use 1 for legacy kv stores, 2 for newer kv stores_ |
| `mount_point` | string | True | default | _The mount point of the kv store_ |
| `version` | string | True | default | _The version of the kv *data*_ |
### generate_secret
_Generate a secret and write it to vault._
| Parameter | Type | Required | Secret | Description |
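Review bot: the action sections have been reordered (`delete` moved below `generate_secret`, `read_kv` moved up), which turns the addition of one `profile_name` row per table into a large diff; keeping a stable (for example alphabetical) order in the generator would make such changes reviewable. In the `read_kv` table `kv_version` is typed `number` while `version` is typed `string` and both are Required True; the kv data version is an integer, and making `version` mandatory means a caller cannot read the latest version without first knowing its number.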
Expand All @@ -40,58 +50,70 @@ _Generate a secret and write it to vault._
| `update_tactic` | string | False | default | _The logic to use when writing secret to Vault. See readme for details._ |
| `string_set` | string | default | default | _Unavailable_ |
| `secret_length` | integer | default | default | _The number of characters to use in the secret._ |
### read
_Read value from Vault server_
### delete
_Delete value from Vault server_
| Parameter | Type | Required | Secret | Description |
|---|---|---|---|---|
| `path` | string | True | default | _Key to read from Vault_ |
### create_token
_Create a new Token_
| `profile_name` | string | False | default | _The profile to use to run this action._ |
| `path` | string | True | default | _Path to delete from Vault_ |
### list_policies
_List Policies from Vault server_
| Parameter | Type | Required | Secret | Description |
|---|---|---|---|---|
| `token_id` | string | False | default | _Value for the token. By default, this is an auto-generated value._ |
| Items are of type | ||||
| `policies` | array | False | default | _List of policy names to associate with this token._ |
| `meta` | string | False | default | _Metadata to associate with the token. This metadata will show in the audit log when the token is used._ |
| `no_parent` | boolean | False | default | _Unavailable_ |
| `display_name` | string | False | default | _Name to associate with this token. This is a non-sensitive value that can be used to help identify created secrets (e.g. prefixes)._ |
| `num_uses` | string | False | default | _Number of times this token can be used. After the last use, the token is automatically revoked._ |
| `no_default_policy` | boolean | False | default | _Detach the 'default' policy from the policy set for this token._ |
| `ttl` | integer | False | default | _Initial TTL to associate with the token._ |
| `orphan` | boolean | False | default | _Create the token with no parent. This prevents the token from being revoked when the token which created it expires._ |
| `wrap_ttl` | string | False | default | _Unavailable_ |
### write
_Write a key/value to Vault_
| `profile_name` | string | False | default | _The profile to use to run this action._ |
### is_initialized
_Read initialization status from Vault server_
| Parameter | Type | Required | Secret | Description |
|---|---|---|---|---|
| `path` | string | True | default | _Path to the Vault secrets_ |
| `values` | string | True | default | _Keys and values to write in Vault ({"key":"value", "key2": "value2"}_ |
### get_policy
_Read policy from Vault server_
| `profile_name` | string | False | default | _The profile to use to run this action._ |
### set_policy
_Create a new Vault policy_
| Parameter | Type | Required | Secret | Description |
|---|---|---|---|---|
| `name` | string | True | default | _Policy to read from Vault_ |
### delete_policy
_Delete policy from Vault server_
| `profile_name` | string | False | default | _The profile to use to run this action._ |
| `name` | string | True | default | _Name of new Vault Policy_ |
| `rules` | string | True | default | _Policy rules_ |
### read
_Read value from Vault server_
| Parameter | Type | Required | Secret | Description |
|---|---|---|---|---|
| `name` | string | True | default | _Policy to delete from Vault_ |
### read_kv
_Read a kv value from Vault server_
| `profile_name` | string | False | default | _The profile to use to run this action._ |
| `path` | string | True | default | _Key to read from Vault_ |
### revoke_token
_Revoke a token and all child tokens._
| Parameter | Type | Required | Secret | Description |
|---|---|---|---|---|
| `path` | string | True | default | _Key to read from Vault_ |
| `kv_version` | number | True | default | _The version of the KV store in vault. Use 1 for legacy kv stores, 2 for newer kv stores_ |
| `mount_point` | string | True | default | _The mount point of the kv store_ |
| `version` | string | True | default | _The version of the kv *data*_ |
### set_policy
_Create a new Vault policy_
| `profile_name` | string | False | default | _The profile to use to run this action._ |
| `token` | string | True | default | _Token to revoke._ |
| `mount_point` | string | False | default | _The 'path' the method/backend was mounted on._ |
### get_policy
_Read policy from Vault server_
| Parameter | Type | Required | Secret | Description |
|---|---|---|---|---|
| `name` | string | True | default | _Name of new Vault Policy_ |
| `rules` | string | True | default | _Policy rules_ |
### list_policies
_List Policies from Vault server_
| `profile_name` | string | False | default | _The profile to use to run this action._ |
| `name` | string | True | default | _Policy to read from Vault_ |
### create_token
_Create a new Token_
| Parameter | Type | Required | Secret | Description |
|---|---|---|---|---|
| `profile_name` | string | False | default | _The profile to use to run this action._ |
| `token_id` | string | False | default | _The ID of the client token. By default, this is an auto-generated value._ |
| `role_name` | string | False | default | _The name of the token role._ |
| Items are of type | ||||
| `policies` | array | False | default | _List of policy names to associate with this token._ |
| `meta` | string | False | default | _Metadata to associate with the token. This metadata will show in the audit log when the token is used._ |
| `no_parent` | boolean | False | default | _This argument only has effect if used by a root or sudo caller._ |
| `no_default_policy` | boolean | False | default | _Detach the 'default' policy from the policy set for this token._ |
| `renewable` | boolean | False | default | _True: Permit the token to be renewable up to the system/mount maximum TTL. False: Token can't be renewed past its initial TTL._ |
| `ttl` | string | False | default | _Initial TTL to associate with the token, provided as '1h', where hour is the largest suffix. (default unit: seconds)_ |
| `token_type` | string | False | default | _The token type. Can be 'batch' or 'service'. Defaults to the type specified by the role configuration named by role_name._ |
| `explicit_max_ttl` | string | False | default | _If set, the token will never be able to be renewed or used past the value set at issue time._ |
| `display_name` | string | False | default | _Name to associate with this token. This is a non-sensitive value that can be used to help identify created secrets (e.g. prefixes)._ |
| `num_uses` | string | False | default | _Number of times this token can be used. After the last use, the token is automatically revoked._ |
| `period` | string | False | default | _If specified, the token will be periodic; it will have no maximum TTL (unless an 'explicit-max-ttl' is also set) but every renewal will use the given period. Requires a root token or one with the sudo capability._ |
| `entity_alias` | string | default | default | _Name of the entity alias to associate with during token creation._ |
| `wrap_ttl` | string | False | default | _Specifies response wrapping token creation with duration. IE: '15s', '20m', '25h'._ |
| `mount_point` | string | False | default | _The 'path' the method/backend was mounted on._ |
### write_secret
_Write a secret to Vault._
| Parameter | Type | Required | Secret | Description |
Expand All @@ -103,8 +125,13 @@ _Write a secret to Vault._
| `secret` | string | True | True | _Secret contents to be written._ |
| `decode_json` | boolean | False | default | _Secret is formatted as a json and should be decode to be sent to Vault_ |
| `update_tactic` | string | False | default | _The logic to use when writing secret to Vault. See readme for details._ |
### is_initialized
_Read initialization status from Vault server_
### write
_Write a key/value to Vault_
| Parameter | Type | Required | Secret | Description |
|---|---|---|---|---|
| `profile_name` | string | False | default | _The profile to use to run this action._ |
| `path` | string | True | default | _Path to the Vault secrets_ |
| `values` | string | True | default | _Keys and values to write in Vault ({"key":"value", "key2": "value2"}_ |



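Review bot: in the `create_token` table `entity_alias` shows `default` in the Required column, the same artefact seen for `string_set` and `secret_length` above, which indicates the parameter definition is missing `required:`; add `required: false` so the schema and this table agree. `no_parent` is documented only as "This argument only has effect if used by a root or sudo caller." without saying what it does; the replaced `orphan` wording ("Create the token with no parent. This prevents the token from being revoked when the token which created it expires.") was clearer and should be carried over. `num_uses` is still typed `string` although it is a count; `integer` would let StackStorm validate it.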
Expand Down Expand Up @@ -132,10 +159,9 @@ The following string sets are available

### Update tactic

The update tactic allows control of how the action will update existing secrets. The currently supported
tactics are:
- `update`: Overwrite an existing secret.
- `abstain`: Do not overwrite an existing secret.
The update tactic controls how the action will update existing secrets. It's intended to ensure idempotence on multiple runs of the secret generation action. The currently supported tactics are:
- `overwrite`: Overwrite an existing secret.
- `refrain`: Do not overwrite an existing secret.

## Sensors

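Review bot: this hunk is identical to the README.jinja change above; if README.md is generated from the template, regenerate it rather than hand-editing so the two copies cannot drift. The same wording point applies here: only `refrain` makes repeated runs idempotent, `overwrite` does not.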
55 changes: 39 additions & 16 deletions actions/create_token.py
Expand Up @@ -2,28 +2,51 @@


class VaultCreateTokenAction(action.VaultBaseAction):
"""
Request a child token to be created. Useful for one time use
or fixed time.
"""

def run(
self,
token_id=None,
policies=None,
display_name=None,
entity_alias=None,
explicit_max_ttl="1h",
meta=None,
mount_point="token",
no_default_policy=False,
no_parent=False,
display_name=None,
num_uses=None,
no_default_policy=False,
period=None,
policies=None,
profile_name=None,
renewable=True,
role_name=None,
token_id=None,
token_type=None,
ttl=None,
orphan=False,
wrap_ttl=None,
):
return self.vault.create_token(
token_id=token_id,
policies=policies,
meta=meta,
no_parent=no_parent,
display_name=display_name,
num_uses=num_uses,
no_default_policy=no_default_policy,
ttl=ttl,
orphan=orphan,
wrap_ttl=wrap_ttl,
super().run(profile_name=profile_name)

return (
True,
self.vault.auth.token.create(
display_name=display_name,
entity_alias=entity_alias,
explicit_max_ttl=explicit_max_ttl,
id=token_id,
meta=meta,
mount_point=mount_point,
no_default_policy=no_default_policy,
no_parent=no_parent,
num_uses=num_uses,
period=period,
policies=policies,
renewable=renewable,
role_name=role_name,
ttl=ttl,
type=token_type,
wrap_ttl=wrap_ttl,
),
)
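Review bot: `explicit_max_ttl="1h"` is a new hard default in the `run()` signature, but `create_token.yaml` declares `explicit_max_ttl` with no default and the README describes it as "If set, the token will never be able to be renewed or used past the value set at issue time."; with this literal every token created through the action is silently capped at one hour unless the caller overrides it, and a longer `ttl` is truncated without any warning. Default it to `None` like `ttl`, `period` and `wrap_ttl`, and let the yaml carry any deliberate default; the same applies to `renewable=True`, which the yaml does not default either. Dropping `orphan` also changes behaviour for callers that passed `orphan: true`: `no_parent` only takes effect for a root or sudo caller, so those callers now get a token bound to the pack's own token lifetime; either document this or keep orphan creation via hvac's dedicated orphan-token call.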
57 changes: 43 additions & 14 deletions actions/create_token.yaml
Expand Up @@ -6,9 +6,17 @@ description: "Create a new Token"
enabled: true
entry_point: "create_token.py"
parameters:
profile_name:
description: "The profile to use to run this action."
type: "string"
required: false
token_id:
type: string
description: "Value for the token. By default, this is an auto-generated value."
description: "The ID of the client token. By default, this is an auto-generated value."
required: false
role_name:
type: string
description: "The name of the token role."
required: false
policies:
type: array
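Review bot: `profile_name` has no `default`, so `run()` forwards `None` to `super().run(profile_name=...)`; that is only correct if the base class maps `None` to the pack's default profile, and the description should say so ("defaults to the pack's default profile"). `token_id` lets the caller pick the token value, which Vault only accepts from a root token; state that in the description, as the `period` description already does for its sudo requirement.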
Expand All @@ -22,9 +30,31 @@ parameters:
description: "Metadata to associate with the token. This metadata will show in the audit log when the token is used."
required: false
no_parent:
description: "This argument only has effect if used by a root or sudo caller."
type: boolean
required: false
default: false
no_default_policy:
type: boolean
description: "Detach the 'default' policy from the policy set for this token."
required: false
default: false
renewable:
type: boolean
description: "True: Permit the token to be renewable up to the system/mount maximum TTL. False: Token can't be renewed past its initial TTL."
required: false
ttl:
type: string
description: "Initial TTL to associate with the token, provided as '1h', where hour is the largest suffix. (default unit: seconds)"
required: false
token_type:
type: string
description: "The token type. Can be 'batch' or 'service'. Defaults to the type specified by the role configuration named by role_name."
required: false
explicit_max_ttl:
type: string
description: "If set, the token will never be able to be renewed or used past the value set at issue time."
required: false
display_name:
type: string
description: "Name to associate with this token. This is a non-sensitive value that can be used to help identify created secrets (e.g. prefixes)."
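Review bot: `renewable` and `explicit_max_ttl` are declared without `default`, while `create_token.py` hard-codes `renewable=True` and `explicit_max_ttl="1h"`; StackStorm feeds the yaml defaults into `run()`, so the effective defaults now live in two places that already disagree. Put the intended values here (`default: true` for `renewable`, and no cap for `explicit_max_ttl` unless one is really wanted) and remove the literals from the Python signature.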
Expand All @@ -33,20 +63,19 @@ parameters:
type: string
description: "Number of times this token can be used. After the last use, the token is automatically revoked."
required: false
no_default_policy:
type: boolean
description: "Detach the 'default' policy from the policy set for this token."
required: false
default: false
ttl:
type: integer
description: "Initial TTL to associate with the token."
required: false
orphan:
type: boolean
description: "Create the token with no parent. This prevents the token from being revoked when the token which created it expires."
period:
type: string
description: "If specified, the token will be periodic; it will have no maximum TTL (unless an 'explicit-max-ttl' is also set) but every renewal will use the given period. Requires a root token or one with the sudo capability."
required: false
default: false
entity_alias:
type: string
description: "Name of the entity alias to associate with during token creation."
wrap_ttl:
type: string
description: "Specifies response wrapping token creation with duration. IE: '15s', '20m', '25h'."
required: false
mount_point:
type: string
description: "The 'path' the method/backend was mounted on."
required: false
default: "token"
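Review bot: `entity_alias` is the only parameter in this block without a `required:` line; add `required: false` (its absence is what renders as `default` in the README's Required column). The `wrap_ttl` description's "IE:" should read "e.g.", since the values are examples. `mount_point` defaulting to `token` is right for the default token auth mount; noting that it is the path under `auth/` would spare callers a guess.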