add BitWarden lookup plugin, port secrets to BW
https://github.com/status-im/infra-docs/issues/9 Signed-off-by: Jakub Sokołowski <jakub@status.im>
This commit is contained in:
parent
3fc96c685c
commit
972ac84fe0
|
@ -6,3 +6,4 @@
|
|||
*.retry
|
||||
|
||||
ansible/files/*
|
||||
__pycache__
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
# Root password
|
||||
bootstrap__root_pass: '{{lookup("passwordstore", "hosts/admin-pass")}}'
|
||||
# Consul encryption key
|
||||
bootstrap__consul_encryption_key: '{{lookup("passwordstore", "services/consul/encryption-key")}}'
|
||||
bootstrap__consul_encryption_key: '{{lookup("bitwarden", "consul", field="encryption-key")}}'
|
||||
|
||||
# Narrow users for host
|
||||
bootstrap__active_extra_users:
|
||||
|
@ -11,13 +11,12 @@ bootstrap__active_extra_users:
|
|||
# CloudFlare Origin certificates
|
||||
origin_certs:
|
||||
- domain: 'status.im'
|
||||
crt: '{{lookup("passwordstore", "cloud/Cloudflare/status.im/origin.crt returnall=true")}}'
|
||||
key: '{{lookup("passwordstore", "cloud/Cloudflare/status.im/origin.key returnall=true")}}'
|
||||
default: true
|
||||
crt: '{{lookup("bitwarden", "Cloudflare/status.im", file="origin.crt")}}'
|
||||
key: '{{lookup("bitwarden", "Cloudflare/status.im", file="origin.key")}}'
|
||||
|
||||
# Master password for backups
|
||||
restic_repo_master_pass: '{{lookup("passwordstore", "services/restic/master-pass")}}'
|
||||
restic_ssh_public_key: '{{lookup("passwordstore", "services/restic/ssh-public")}}'
|
||||
restic_repo_master_pass: '{{lookup("bitwarden", "restic-backups/repo", field="master-pass")}}'
|
||||
restic_ssh_public_key: '{{lookup("bitwarden", "restic-backups/ssh", field="public")}}'
|
||||
|
||||
# general container config
|
||||
cont_state: started
|
||||
|
|
|
@ -8,23 +8,23 @@ referral_srv_public_protocol: 'https'
|
|||
referral_srv_app_tag: 'deploy-{{ stage }}'
|
||||
|
||||
# Google Sign-In
|
||||
referral_srv_google_sign_in_client_id: '{{lookup("passwordstore", "services/referral-service/"+stage+"/google/sign-in-client-id")}}'
|
||||
referral_srv_google_sign_in_client_secret: '{{lookup("passwordstore", "services/referral-service/"+stage+"/google/sign-in-client-secret")}}'
|
||||
referral_srv_google_sign_in_client_id: '{{lookup("bitwarden", "referral-service/"+stage+"/google-oauth", field="client-id")}}'
|
||||
referral_srv_google_sign_in_client_secret: '{{lookup("bitwarden", "referral-service/"+stage+"/google-oauth", field="secret")}}'
|
||||
|
||||
# Ethereum contract
|
||||
referral_srv_eth_http_endpoint: '{{lookup("passwordstore", "services/referral-service/"+stage+"/eth/endpoint")}}'
|
||||
referral_srv_eth_contract_address: '{{lookup("passwordstore", "services/referral-service/"+stage+"/eth/contract-addr")}}'
|
||||
referral_srv_eth_contract_name: '{{lookup("passwordstore", "services/referral-service/"+stage+"/eth/contract-name")}}'
|
||||
referral_srv_eth_private_key: '{{lookup("passwordstore", "services/referral-service/"+stage+"/eth/priv-key")}}'
|
||||
referral_srv_eth_http_endpoint: '{{lookup("bitwarden", "referral-service/"+stage+"/eth-contract", field="endpoint")}}'
|
||||
referral_srv_eth_contract_address: '{{lookup("bitwarden", "referral-service/"+stage+"/eth-contract", field="addr")}}'
|
||||
referral_srv_eth_contract_name: '{{lookup("bitwarden", "referral-service/"+stage+"/eth-contract", field="name")}}'
|
||||
referral_srv_eth_private_key: '{{lookup("bitwarden", "referral-service/"+stage+"/eth-contract", field="priv-key")}}'
|
||||
|
||||
# Rails secret key base
|
||||
referral_srv_secret_key_base: '{{lookup("passwordstore", "services/referral-service/"+stage+"/secret-key-base")}}'
|
||||
referral_srv_secret_key_base: '{{lookup("bitwarden", "referral-service/"+stage+"/app", field="secret-key-base")}}'
|
||||
# The salt for the hashing of ips
|
||||
referral_srv_ip_salt: '{{lookup("passwordstore", "services/referral-service/"+stage+"/ip-salt")}}'
|
||||
referral_srv_ip_salt: '{{lookup("bitwarden", "referral-service/"+stage+"/app", field="ip-salt")}}'
|
||||
|
||||
# GeoIP API Auth
|
||||
referral_srv_geoip_account_id: '{{lookup("passwordstore", "services/referral-service/"+stage+"/geoip/account-id")}}'
|
||||
referral_srv_geoip_license_key: '{{lookup("passwordstore", "services/referral-service/"+stage+"/geoip/license-key")}}'
|
||||
referral_srv_geoip_account_id: '{{lookup("bitwarden", "referral-service/"+stage+"/geoip", field="account-id")}}'
|
||||
referral_srv_geoip_license_key: '{{lookup("bitwarden", "referral-service/"+stage+"/geoip", field="license-key")}}'
|
||||
# NOTE: For now we don't do campaigns in US so we disable GeoIP to save money.
|
||||
referral_srv_geoip_enabled: false
|
||||
|
||||
|
|
|
@ -0,0 +1,219 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
# (c) 2018, Matt Stofko <matt@mjslabs.com>
|
||||
# GNU General Public License v3.0+ (see LICENSE or
|
||||
# https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
#
|
||||
# This plugin can be run directly by specifying the field followed by a list of
|
||||
# entries, e.g. bitwarden.py password google.com wufoo.com
|
||||
#
|
||||
from __future__ import (absolute_import, division, print_function)
|
||||
__metaclass__ = type
|
||||
|
||||
import json
|
||||
import os
|
||||
import sys
|
||||
|
||||
from subprocess import Popen, PIPE, STDOUT, check_output
|
||||
|
||||
from ansible.errors import AnsibleError
|
||||
from ansible.plugins.lookup import LookupBase
|
||||
|
||||
try:
|
||||
from __main__ import display
|
||||
except ImportError:
|
||||
from ansible.utils.display import Display
|
||||
display = Display()
|
||||
|
||||
|
||||
DOCUMENTATION = """
|
||||
lookup: bitwarden
|
||||
author:
|
||||
- Matt Stofko <matt@mjslabs.com>
|
||||
requirements:
|
||||
- bw (command line utility)
|
||||
- BW_SESSION environment var (from `bw login` or `bw unlock`)
|
||||
short_description: look up data from a bitwarden vault
|
||||
description:
|
||||
- use the bw command line utility to grab one or more items stored in a
|
||||
bitwarden vault
|
||||
options:
|
||||
_terms:
|
||||
description: name of item that contains the field to fetch
|
||||
required: true
|
||||
field:
|
||||
description: field to return from bitwarden
|
||||
default: 'password'
|
||||
sync:
|
||||
description: If True, call `bw sync` before lookup
|
||||
"""
|
||||
|
||||
EXAMPLES = """
|
||||
- name: get 'username' from Bitwarden entry 'Google'
|
||||
debug:
|
||||
msg: "{{ lookup('bitwarden', 'Google', field='username') }}"
|
||||
"""
|
||||
|
||||
RETURN = """
|
||||
_raw:
|
||||
description:
|
||||
- Items from Bitwarden vault
|
||||
"""
|
||||
|
||||
|
||||
class Bitwarden(object):
|
||||
def __init__(self, path):
|
||||
self._cli_path = path
|
||||
self._bw_session = ""
|
||||
try:
|
||||
check_output([self._cli_path, "--version"])
|
||||
except OSError:
|
||||
raise AnsibleError("Command not found: {0}".format(self._cli_path))
|
||||
|
||||
@property
|
||||
def session(self):
|
||||
return self._bw_session
|
||||
|
||||
@session.setter
|
||||
def session(self, value):
|
||||
self._bw_session = value
|
||||
|
||||
@property
|
||||
def cli_path(self):
|
||||
return self._cli_path
|
||||
|
||||
@property
|
||||
def logged_in(self):
|
||||
# Parse Bitwarden status to check if logged in
|
||||
if self.status() == 'unlocked':
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
def _run(self, args):
|
||||
my_env = os.environ.copy()
|
||||
if self.session != "":
|
||||
my_env["BW_SESSION"] = self.session
|
||||
p = Popen([self.cli_path] + args, stdin=PIPE,
|
||||
stdout=PIPE, stderr=STDOUT, env=my_env)
|
||||
out, _ = p.communicate()
|
||||
out = out.decode()
|
||||
rc = p.wait()
|
||||
if rc != 0:
|
||||
display.debug("Received error when running '{0} {1}': {2}"
|
||||
.format(self.cli_path, args, out))
|
||||
if out.startswith("Vault is locked."):
|
||||
raise AnsibleError("Error accessing Bitwarden vault. "
|
||||
"Run 'bw unlock' to unlock the vault.")
|
||||
elif out.startswith("You are not logged in."):
|
||||
raise AnsibleError("Error accessing Bitwarden vault. "
|
||||
"Run 'bw login' to login.")
|
||||
elif out.startswith("Failed to decrypt."):
|
||||
raise AnsibleError("Error accessing Bitwarden vault. "
|
||||
"Make sure BW_SESSION is set properly.")
|
||||
elif out.startswith("More than one result was found."):
|
||||
raise AnsibleError("More than one object found with this name.")
|
||||
elif out.startswith("Not found."):
|
||||
raise AnsibleError("Error accessing Bitwarden vault. "
|
||||
"Specified item not found: {}".format(args[-1]))
|
||||
else:
|
||||
print("Unknown failure in 'bw' command: \n%s" % out)
|
||||
return None
|
||||
return out.strip()
|
||||
|
||||
def sync(self):
|
||||
self._run(['sync'])
|
||||
|
||||
def status(self):
|
||||
try:
|
||||
data = json.loads(self._run(['status']))
|
||||
except json.decoder.JSONDecodeError as e:
|
||||
raise AnsibleError("Error decoding Bitwarden status: %s" % e)
|
||||
return data['status']
|
||||
|
||||
def get_entry(self, key, field):
|
||||
return self._run(["get", field, key])
|
||||
|
||||
def get_item(self, key):
|
||||
return json.loads(self.get_entry(key, 'item'))
|
||||
|
||||
def get_notes(self, key):
|
||||
return self.get_item(key).get('notes')
|
||||
|
||||
def get_custom_field(self, key, field):
|
||||
rval = self.get_entry(key, 'item')
|
||||
data = json.loads(rval)
|
||||
if 'fields' not in data:
|
||||
return None
|
||||
matching = [x for x in data['fields'] if x['name'] == field]
|
||||
if len(matching) == 0:
|
||||
return None
|
||||
return matching[0]['value']
|
||||
|
||||
def get_itemid(self, key):
|
||||
return self.get_item(key).get('id')
|
||||
|
||||
def get_attachments(self, key, itemid):
|
||||
return self._run(['get', 'attachment', key, '--itemid={}'.format(itemid), '--raw'])
|
||||
|
||||
|
||||
class LookupModule(LookupBase):
|
||||
|
||||
def run(self, terms, variables=None, **kwargs):
|
||||
self.bw = Bitwarden(path=kwargs.get('path', 'bw'))
|
||||
|
||||
if not self.bw.logged_in:
|
||||
raise AnsibleError("Not logged into Bitwarden: please run "
|
||||
"'bw login', or 'bw unlock' and set the "
|
||||
"BW_SESSION environment variable first")
|
||||
|
||||
values = []
|
||||
|
||||
if kwargs.get('sync'):
|
||||
self.bw.sync()
|
||||
if kwargs.get('session'):
|
||||
self.bw.session = kwargs.get('session')
|
||||
|
||||
for term in terms:
|
||||
rval = self.lookup(term, kwargs)
|
||||
if rval is None:
|
||||
raise AnsibleError("No matching term, field or attachment found!")
|
||||
values.append(rval)
|
||||
|
||||
return values
|
||||
|
||||
def lookup(self, term, kwargs):
|
||||
if 'file' in kwargs:
|
||||
# Try attachments first
|
||||
itemid = self.bw.get_itemid(term)
|
||||
if itemid is None:
|
||||
raise AnsibleError("No such object, wrong name")
|
||||
return self.bw.get_attachments(kwargs['file'], itemid)
|
||||
|
||||
# By default check password
|
||||
field = kwargs.get('field', 'password')
|
||||
|
||||
# Special field which contains notes.
|
||||
if field == 'notes':
|
||||
return self.bw.get_notes(term)
|
||||
|
||||
# Try custom fields second
|
||||
val = self.bw.get_custom_field(term, field)
|
||||
if val:
|
||||
return val
|
||||
|
||||
# If not found check default bw entries
|
||||
return self.bw.get_entry(term, field)
|
||||
|
||||
def main():
|
||||
if len(sys.argv) < 3:
|
||||
print("Usage: %s <field> <name> [name name ...]" % os.path.basename(__file__))
|
||||
return -1
|
||||
|
||||
print(LookupModule().run(sys.argv[2:], variables=None, field=sys.argv[1], file='origin.crt'))
|
||||
|
||||
return 0
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
sys.exit(main())
|
|
@ -8,6 +8,7 @@
|
|||
tasks:
|
||||
- local_action: command ./versioncheck.py
|
||||
changed_when: false
|
||||
- debug: msg="{{ True | lower }}"
|
||||
|
||||
- name: Configure Referral service host
|
||||
hosts: referral
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
|
||||
- name: infra-role-bootstrap
|
||||
src: git@github.com:status-im/infra-role-bootstrap.git
|
||||
version: 4dfd3e0b32a93e1f07a73c6794684bae21f2e556
|
||||
version: 75455427dd5e8aef32c6f9045736ab198ef58f42
|
||||
scm: git
|
||||
|
||||
- name: consul-service
|
||||
|
@ -48,3 +48,8 @@
|
|||
src: git@github.com:status-im/infra-role-restic-backups.git
|
||||
version: 6031db0c72094aaa09ea70fa6be172ab85f247ee
|
||||
scm: git
|
||||
|
||||
- name: ansible-modules-bitwarden
|
||||
src: https://github.com/c0sco/ansible-modules-bitwarden
|
||||
version: 126a5e5ea66609ec3aec052f10b84823308b4e25
|
||||
scm: git
|
||||
|
|
Loading…
Reference in New Issue