migrate bootstrap secrets to BitWarden

Signed-off-by: Jakub Sokołowski <jakub@status.im>

.gitignore

@@ -6,3 +6,4 @@
 *.retry
 
 ansible/files/*
+__pycache__

ansible/group_vars/all.yml

@@ -1,8 +1,8 @@
 ---
 # Root password
-bootstrap__root_pass: '{{lookup("passwordstore", "hosts/admin-pass-sha512")}}'
+bootstrap__root_pass: '{{lookup("bitwarden", "root")}}'
 # Consul encryption key
-bootstrap__consul_encryption_key: '{{lookup("passwordstore", "services/consul/encryption-key")}}'
+bootstrap__consul_encryption_key: '{{lookup("bitwarden", "consul", field="encryption-key")}}'
 
 # Custom SSH accounts for Nimbus fleet, should start from UID 8000.
 bootstrap__active_extra_users:

ansible/lookup_plugins/bitwarden.py

@@ -0,0 +1,224 @@
+#!/usr/bin/env python
+
+# (c) 2018, Matt Stofko <matt@mjslabs.com>
+# GNU General Public License v3.0+ (see LICENSE or
+# https://www.gnu.org/licenses/gpl-3.0.txt)
+#
+# This plugin can be run directly by specifying the field followed by a list of
+# entries, e.g.  bitwarden.py password google.com wufoo.com
+#
+# CHANGES:
+# - Dropped custom_field argument
+# - Started checking sources in order
+# - Refactored Bitwarden class, added get_item()
+# - Split LookupModule.run into two functions
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import json
+import os
+import sys
+
+from subprocess import Popen, PIPE, STDOUT, check_output
+
+from ansible.errors import AnsibleError
+from ansible.plugins.lookup import LookupBase
+
+try:
+    from __main__ import display
+except ImportError:
+    from ansible.utils.display import Display
+    display = Display()
+
+
+DOCUMENTATION = """
+lookup: bitwarden
+author:
+  - Matt Stofko <matt@mjslabs.com>
+requirements:
+  - bw (command line utility)
+  - BW_SESSION environment var (from `bw login` or `bw unlock`)
+short_description: look up data from a bitwarden vault
+description:
+  - use the bw command line utility to grab one or more items stored in a
+    bitwarden vault
+options:
+  _terms:
+    description: name of item that contains the field to fetch
+    required: true
+field:
+  description: field to return from bitwarden
+  default: 'password'
+sync:
+  description: If True, call `bw sync` before lookup
+"""
+
+EXAMPLES = """
+- name: get 'username' from Bitwarden entry 'Google'
+  debug:
+    msg: "{{ lookup('bitwarden', 'Google', field='username') }}"
+"""
+
+RETURN = """
+  _raw:
+    description:
+      - Items from Bitwarden vault
+"""
+
+
+class Bitwarden(object):
+    def __init__(self, path):
+        self._cli_path = path
+        self._bw_session = ""
+        try:
+            check_output([self._cli_path, "--version"])
+        except OSError:
+            raise AnsibleError("Command not found: {0}".format(self._cli_path))
+
+    @property
+    def session(self):
+        return self._bw_session
+
+    @session.setter
+    def session(self, value):
+        self._bw_session = value
+
+    @property
+    def cli_path(self):
+        return self._cli_path
+
+    @property
+    def logged_in(self):
+        # Parse Bitwarden status to check if logged in
+        if self.status() == 'unlocked':
+            return True
+        else:
+            return False
+
+    def _run(self, args):
+        my_env = os.environ.copy()
+        if self.session != "":
+            my_env["BW_SESSION"] = self.session
+        p = Popen([self.cli_path] + args, stdin=PIPE,
+                  stdout=PIPE, stderr=STDOUT, env=my_env)
+        out, _ = p.communicate()
+        out = out.decode()
+        rc = p.wait()
+        if rc != 0:
+            display.debug("Received error when running '{0} {1}': {2}"
+                          .format(self.cli_path, args, out))
+            if out.startswith("Vault is locked."):
+                raise AnsibleError("Error accessing Bitwarden vault. "
+                                   "Run 'bw unlock' to unlock the vault.")
+            elif out.startswith("You are not logged in."):
+                raise AnsibleError("Error accessing Bitwarden vault. "
+                                   "Run 'bw login' to login.")
+            elif out.startswith("Failed to decrypt."):
+                raise AnsibleError("Error accessing Bitwarden vault. "
+                                   "Make sure BW_SESSION is set properly.")
+            elif out.startswith("More than one result was found."):
+                raise AnsibleError("More than one object found with this name.")
+            elif out.startswith("Not found."):
+                raise AnsibleError("Error accessing Bitwarden vault. "
+                                   "Specified item not found: {}".format(args[-1]))
+            else:
+                print("Unknown failure in 'bw' command: \n%s" % out)
+                return None
+        return out.strip()
+
+    def sync(self):
+        self._run(['sync'])
+
+    def status(self):
+        try:
+            data = json.loads(self._run(['status']))
+        except json.decoder.JSONDecodeError as e:
+            raise AnsibleError("Error decoding Bitwarden status: %s" % e)
+        return data['status']
+
+    def get_entry(self, key, field):
+        return self._run(["get", field, key])
+
+    def get_item(self, key):
+        return json.loads(self.get_entry(key, 'item'))
+
+    def get_notes(self, key):
+        return self.get_item(key).get('notes')
+
+    def get_custom_field(self, key, field):
+        rval = self.get_entry(key, 'item')
+        data = json.loads(rval)
+        if 'fields' not in data:
+            return None
+        matching = [x for x in data['fields'] if x['name'] == field]
+        if len(matching) == 0:
+            return None
+        return matching[0]['value']
+
+    def get_itemid(self, key):
+        return self.get_item(key).get('id')
+
+    def get_attachments(self, key, itemid):
+        return self._run(['get', 'attachment', key, '--itemid={}'.format(itemid), '--raw'])
+
+
+class LookupModule(LookupBase):
+
+    def run(self, terms, variables=None, **kwargs):
+        self.bw = Bitwarden(path=kwargs.get('path', 'bw'))
+
+        if not self.bw.logged_in:
+            raise AnsibleError("Not logged into Bitwarden: please run "
+                               "'bw login', or 'bw unlock' and set the "
+                               "BW_SESSION environment variable first")
+
+        values = []
+
+        if kwargs.get('sync'):
+            self.bw.sync()
+        if kwargs.get('session'):
+            self.bw.session = kwargs.get('session')
+
+        for term in terms:
+            rval = self.lookup(term, kwargs)
+            if rval is None:
+                raise AnsibleError("No matching term, field or attachment found!")
+            values.append(rval)
+
+        return values
+
+    def lookup(self, term, kwargs):
+        if 'file' in kwargs:
+            # Try attachments first
+            itemid = self.bw.get_itemid(term)
+            if itemid is None:
+                raise AnsibleError("No such object, wrong name")
+            return self.bw.get_attachments(kwargs['file'], itemid)
+
+        # By default check password
+        field = kwargs.get('field', 'password')
+
+        # Special field which contains notes.
+        if field == 'notes':
+            return self.bw.get_notes(term)
+
+        # Try custom fields second
+        val = self.bw.get_custom_field(term, field)
+        if val:
+            return val
+
+        # If not found check default bw entries
+        return self.bw.get_entry(term, field)
+
+def main():
+    if len(sys.argv) < 3:
+        print("Usage: %s <field> <name> [name name ...]" % os.path.basename(__file__))
+        return -1
+
+    print(LookupModule().run(sys.argv[2:], variables=None, field=sys.argv[1], file='origin.crt'))
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())