Skip to content

Commit

Permalink
allow autogenerate of new secrets if missing
Browse files Browse the repository at this point in the history
see issue voxpupuli#9
  • Loading branch information
sircubbi committed Sep 5, 2023
1 parent 1f58e9e commit 61dbe8c
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 6 deletions.
10 changes: 7 additions & 3 deletions lib/puppet/functions/vault_lookup/lookup.rb
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
optional_param 'String', :secret_id
optional_param 'Optional[String]', :approle_path_segment
optional_param 'String', :agent_sink_file
optional_param 'Optional[Integer]', :gen_secret_len
return_type 'Sensitive'
end

Expand Down Expand Up @@ -50,7 +51,8 @@ def lookup_opts_hash(cache, path, options = {})
role_id: options['role_id'],
secret_id: options['secret_id'],
approle_path_segment: options['approle_path_segment'],
agent_sink_file: options['agent_sink_file'])
agent_sink_file: options['agent_sink_file'],
gen_secret_len: options['gen_secret_len'])
end

# Lookup with a path and positional arguments.
Expand All @@ -68,7 +70,8 @@ def lookup(cache,
role_id = nil,
secret_id = nil,
approle_path_segment = nil,
agent_sink_file = nil)
agent_sink_file = nil,
gen_secret_len = nil)

PuppetX::VaultLookup::Lookup.lookup(cache: cache,
path: path,
Expand All @@ -81,6 +84,7 @@ def lookup(cache,
role_id: role_id,
secret_id: secret_id,
approle_path_segment: approle_path_segment,
agent_sink_file: agent_sink_file)
agent_sink_file: agent_sink_file,
gen_secret_len: gen_secret_len)
end
end
31 changes: 28 additions & 3 deletions lib/puppet_x/vault_lookup/lookup.rb
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
# frozen_string_literal: true

require 'puppet'
require 'securerandom'

module PuppetX
module VaultLookup
Expand All @@ -17,7 +18,8 @@ def self.lookup(cache:,
role_id: nil,
secret_id: nil,
approle_path_segment: nil,
agent_sink_file: nil)
agent_sink_file: nil,
gen_secret_len: nil)

if vault_addr.nil?
Puppet.debug 'No Vault address was set on function, defaulting to value from VAULT_ADDR env value'
Expand Down Expand Up @@ -98,7 +100,8 @@ def self.lookup(cache:,
uri: secret_uri,
token: token,
namespace: namespace,
key: field)
key: field,
gen_secret_len: gen_secret_len)

sensitive_data = Puppet::Pops::Types::PSensitiveType::Sensitive.new(data)
Puppet.debug "Caching found data for #{path}"
Expand All @@ -114,11 +117,33 @@ def self.auth_login_body(cert_role)
end
end

def self.get_secret(client:, uri:, token:, namespace:, key:)
def self.get_secret(client:, uri:, token:, namespace:, key:, gen_secret_len:)
headers = { 'X-Vault-Token' => token, 'X-Vault-Namespace' => namespace }.delete_if { |_key, value| value.nil? }
secret_response = client.get(uri,
headers: headers,
options: { include_system_store: true })

if secret_response.code == 404 and !gen_secret_len.nil?
# generate a new secret
Puppet.debug "Generating new secret at #{uri}"
new_secret = SecureRandom.alphanumeric(gen_secret_len)
param = { value: new_secret }
generate_response = client.post(uri,
JSON.generate(param),
headers: headers.merge({'Content-Type' => 'application/json'}),
options: { include_system_store: true })

unless generate_response.code >= 200 && generate_response.code <= 299
message = "Received #{generate_response.code} generate_response code from vault at #{uri} for secret put"
raise Puppet::Error, append_api_errors(message, generate_response)
end

secret_response = client.get(uri,
headers: headers,
options: { include_system_store: true })
end


unless secret_response.success?
message = "Received #{secret_response.code} response code from vault at #{uri} for secret lookup"
raise Puppet::Error, append_api_errors(message, secret_response)
Expand Down

0 comments on commit 61dbe8c

Please sign in to comment.