add BitWarden lookup plugin, port secrets to BW

https://github.com/status-im/infra-docs/issues/9 Signed-off-by: Jakub Sokołowski <jakub@status.im>
2021-05-29 00:42:23 +02:00 · 2021-05-29 00:42:23 +02:00 · 972ac84fe0
parent 3fc96c685c
commit 972ac84fe0
6 changed files with 242 additions and 17 deletions
--- a/.gitignore
+++ b/.gitignore
@ -6,3 +6,4 @@
 *.retry

 ansible/files/*
+__pycache__
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -2,7 +2,7 @@
 # Root password
 bootstrap__root_pass: '{{lookup("passwordstore", "hosts/admin-pass")}}'
 # Consul encryption key
-bootstrap__consul_encryption_key: '{{lookup("passwordstore", "services/consul/encryption-key")}}'
+bootstrap__consul_encryption_key: '{{lookup("bitwarden", "consul", field="encryption-key")}}'

 # Narrow users for host
 bootstrap__active_extra_users:
@ -11,13 +11,12 @@ bootstrap__active_extra_users:
 # CloudFlare Origin certificates
 origin_certs:
  - domain: 'status.im'
-    crt: '{{lookup("passwordstore", "cloud/Cloudflare/status.im/origin.crt returnall=true")}}'
-    key: '{{lookup("passwordstore", "cloud/Cloudflare/status.im/origin.key returnall=true")}}'
-    default: true
+    crt: '{{lookup("bitwarden", "Cloudflare/status.im", file="origin.crt")}}'
+    key: '{{lookup("bitwarden", "Cloudflare/status.im", file="origin.key")}}'

 # Master password for backups
-restic_repo_master_pass: '{{lookup("passwordstore", "services/restic/master-pass")}}'
-restic_ssh_public_key: '{{lookup("passwordstore", "services/restic/ssh-public")}}'
+restic_repo_master_pass: '{{lookup("bitwarden", "restic-backups/repo", field="master-pass")}}'
+restic_ssh_public_key: '{{lookup("bitwarden", "restic-backups/ssh", field="public")}}'

 # general container config
 cont_state: started
--- a/ansible/group_vars/referral.yml
+++ b/ansible/group_vars/referral.yml
@ -8,23 +8,23 @@ referral_srv_public_protocol: 'https'
 referral_srv_app_tag: 'deploy-{{ stage }}'

 # Google Sign-In
-referral_srv_google_sign_in_client_id: '{{lookup("passwordstore", "services/referral-service/"+stage+"/google/sign-in-client-id")}}'
-referral_srv_google_sign_in_client_secret: '{{lookup("passwordstore", "services/referral-service/"+stage+"/google/sign-in-client-secret")}}'
+referral_srv_google_sign_in_client_id: '{{lookup("bitwarden", "referral-service/"+stage+"/google-oauth", field="client-id")}}'
+referral_srv_google_sign_in_client_secret: '{{lookup("bitwarden", "referral-service/"+stage+"/google-oauth", field="secret")}}'

 # Ethereum contract
-referral_srv_eth_http_endpoint: '{{lookup("passwordstore", "services/referral-service/"+stage+"/eth/endpoint")}}'
-referral_srv_eth_contract_address: '{{lookup("passwordstore", "services/referral-service/"+stage+"/eth/contract-addr")}}'
-referral_srv_eth_contract_name: '{{lookup("passwordstore", "services/referral-service/"+stage+"/eth/contract-name")}}'
-referral_srv_eth_private_key: '{{lookup("passwordstore", "services/referral-service/"+stage+"/eth/priv-key")}}'
+referral_srv_eth_http_endpoint: '{{lookup("bitwarden", "referral-service/"+stage+"/eth-contract", field="endpoint")}}'
+referral_srv_eth_contract_address: '{{lookup("bitwarden", "referral-service/"+stage+"/eth-contract", field="addr")}}'
+referral_srv_eth_contract_name: '{{lookup("bitwarden", "referral-service/"+stage+"/eth-contract", field="name")}}'
+referral_srv_eth_private_key: '{{lookup("bitwarden", "referral-service/"+stage+"/eth-contract", field="priv-key")}}'

 # Rails secret key base
-referral_srv_secret_key_base: '{{lookup("passwordstore", "services/referral-service/"+stage+"/secret-key-base")}}'
+referral_srv_secret_key_base: '{{lookup("bitwarden", "referral-service/"+stage+"/app", field="secret-key-base")}}'
 # The salt for the hashing of ips
-referral_srv_ip_salt: '{{lookup("passwordstore", "services/referral-service/"+stage+"/ip-salt")}}'
+referral_srv_ip_salt: '{{lookup("bitwarden", "referral-service/"+stage+"/app", field="ip-salt")}}'

 # GeoIP API Auth
-referral_srv_geoip_account_id: '{{lookup("passwordstore", "services/referral-service/"+stage+"/geoip/account-id")}}'
-referral_srv_geoip_license_key: '{{lookup("passwordstore", "services/referral-service/"+stage+"/geoip/license-key")}}'
+referral_srv_geoip_account_id: '{{lookup("bitwarden", "referral-service/"+stage+"/geoip", field="account-id")}}'
+referral_srv_geoip_license_key: '{{lookup("bitwarden", "referral-service/"+stage+"/geoip", field="license-key")}}'
 # NOTE: For now we don't do campaigns in US so we disable GeoIP to save money.
 referral_srv_geoip_enabled: false

--- a/ansible/lookup_plugins/bitwarden.py
+++ b/ansible/lookup_plugins/bitwarden.py
@ -0,0 +1,219 @@
+#!/usr/bin/env python
+
+# (c) 2018, Matt Stofko <matt@mjslabs.com>
+# GNU General Public License v3.0+ (see LICENSE or
+# https://www.gnu.org/licenses/gpl-3.0.txt)
+#
+# This plugin can be run directly by specifying the field followed by a list of
+# entries, e.g.  bitwarden.py password google.com wufoo.com
+#
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import json
+import os
+import sys
+
+from subprocess import Popen, PIPE, STDOUT, check_output
+
+from ansible.errors import AnsibleError
+from ansible.plugins.lookup import LookupBase
+
+try:
+    from __main__ import display
+except ImportError:
+    from ansible.utils.display import Display
+    display = Display()
+
+
+DOCUMENTATION = """
+lookup: bitwarden
+author:
+  - Matt Stofko <matt@mjslabs.com>
+requirements:
+  - bw (command line utility)
+  - BW_SESSION environment var (from `bw login` or `bw unlock`)
+short_description: look up data from a bitwarden vault
+description:
+  - use the bw command line utility to grab one or more items stored in a
+    bitwarden vault
+options:
+  _terms:
+    description: name of item that contains the field to fetch
+    required: true
+field:
+  description: field to return from bitwarden
+  default: 'password'
+sync:
+  description: If True, call `bw sync` before lookup
+"""
+
+EXAMPLES = """
+- name: get 'username' from Bitwarden entry 'Google'
+  debug:
+    msg: "{{ lookup('bitwarden', 'Google', field='username') }}"
+"""
+
+RETURN = """
+  _raw:
+    description:
+      - Items from Bitwarden vault
+"""
+
+
+class Bitwarden(object):
+    def __init__(self, path):
+        self._cli_path = path
+        self._bw_session = ""
+        try:
+            check_output([self._cli_path, "--version"])
+        except OSError:
+            raise AnsibleError("Command not found: {0}".format(self._cli_path))
+
+    @property
+    def session(self):
+        return self._bw_session
+
+    @session.setter
+    def session(self, value):
+        self._bw_session = value
+
+    @property
+    def cli_path(self):
+        return self._cli_path
+
+    @property
+    def logged_in(self):
+        # Parse Bitwarden status to check if logged in
+        if self.status() == 'unlocked':
+            return True
+        else:
+            return False
+
+    def _run(self, args):
+        my_env = os.environ.copy()
+        if self.session != "":
+            my_env["BW_SESSION"] = self.session
+        p = Popen([self.cli_path] + args, stdin=PIPE,
+                  stdout=PIPE, stderr=STDOUT, env=my_env)
+        out, _ = p.communicate()
+        out = out.decode()
+        rc = p.wait()
+        if rc != 0:
+            display.debug("Received error when running '{0} {1}': {2}"
+                          .format(self.cli_path, args, out))
+            if out.startswith("Vault is locked."):
+                raise AnsibleError("Error accessing Bitwarden vault. "
+                                   "Run 'bw unlock' to unlock the vault.")
+            elif out.startswith("You are not logged in."):
+                raise AnsibleError("Error accessing Bitwarden vault. "
+                                   "Run 'bw login' to login.")
+            elif out.startswith("Failed to decrypt."):
+                raise AnsibleError("Error accessing Bitwarden vault. "
+                                   "Make sure BW_SESSION is set properly.")
+            elif out.startswith("More than one result was found."):
+                raise AnsibleError("More than one object found with this name.")
+            elif out.startswith("Not found."):
+                raise AnsibleError("Error accessing Bitwarden vault. "
+                                   "Specified item not found: {}".format(args[-1]))
+            else:
+                print("Unknown failure in 'bw' command: \n%s" % out)
+                return None
+        return out.strip()
+
+    def sync(self):
+        self._run(['sync'])
+
+    def status(self):
+        try:
+            data = json.loads(self._run(['status']))
+        except json.decoder.JSONDecodeError as e:
+            raise AnsibleError("Error decoding Bitwarden status: %s" % e)
+        return data['status']
+
+    def get_entry(self, key, field):
+        return self._run(["get", field, key])
+
+    def get_item(self, key):
+        return json.loads(self.get_entry(key, 'item'))
+
+    def get_notes(self, key):
+        return self.get_item(key).get('notes')
+
+    def get_custom_field(self, key, field):
+        rval = self.get_entry(key, 'item')
+        data = json.loads(rval)
+        if 'fields' not in data:
+            return None
+        matching = [x for x in data['fields'] if x['name'] == field]
+        if len(matching) == 0:
+            return None
+        return matching[0]['value']
+
+    def get_itemid(self, key):
+        return self.get_item(key).get('id')
+
+    def get_attachments(self, key, itemid):
+        return self._run(['get', 'attachment', key, '--itemid={}'.format(itemid), '--raw'])
+
+
+class LookupModule(LookupBase):
+
+    def run(self, terms, variables=None, **kwargs):
+        self.bw = Bitwarden(path=kwargs.get('path', 'bw'))
+
+        if not self.bw.logged_in:
+            raise AnsibleError("Not logged into Bitwarden: please run "
+                               "'bw login', or 'bw unlock' and set the "
+                               "BW_SESSION environment variable first")
+
+        values = []
+
+        if kwargs.get('sync'):
+            self.bw.sync()
+        if kwargs.get('session'):
+            self.bw.session = kwargs.get('session')
+
+        for term in terms:
+            rval = self.lookup(term, kwargs)
+            if rval is None:
+                raise AnsibleError("No matching term, field or attachment found!")
+            values.append(rval)
+
+        return values
+
+    def lookup(self, term, kwargs):
+        if 'file' in kwargs:
+            # Try attachments first
+            itemid = self.bw.get_itemid(term)
+            if itemid is None:
+                raise AnsibleError("No such object, wrong name")
+            return self.bw.get_attachments(kwargs['file'], itemid)
+
+        # By default check password
+        field = kwargs.get('field', 'password')
+
+        # Special field which contains notes.
+        if field == 'notes':
+            return self.bw.get_notes(term)
+
+        # Try custom fields second
+        val = self.bw.get_custom_field(term, field)
+        if val:
+            return val
+
+        # If not found check default bw entries
+        return self.bw.get_entry(term, field)
+
+def main():
+    if len(sys.argv) < 3:
+        print("Usage: %s <field> <name> [name name ...]" % os.path.basename(__file__))
+        return -1
+
+    print(LookupModule().run(sys.argv[2:], variables=None, field=sys.argv[1], file='origin.crt'))
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())
--- a/ansible/main.yml
+++ b/ansible/main.yml
@ -8,6 +8,7 @@
  tasks:
    - local_action: command ./versioncheck.py
      changed_when: false
+    - debug: msg="{{ True | lower }}"

 - name: Configure Referral service host
  hosts: referral
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@ -21,7 +21,7 @@

 - name: infra-role-bootstrap
  src: git@github.com:status-im/infra-role-bootstrap.git
-  version: 4dfd3e0b32a93e1f07a73c6794684bae21f2e556
+  version: 75455427dd5e8aef32c6f9045736ab198ef58f42
  scm: git

 - name: consul-service
@ -48,3 +48,8 @@
  src: git@github.com:status-im/infra-role-restic-backups.git
  version: 6031db0c72094aaa09ea70fa6be172ab85f247ee
  scm: git
+
+- name: ansible-modules-bitwarden
+  src: https://github.com/c0sco/ansible-modules-bitwarden
+  version: 126a5e5ea66609ec3aec052f10b84823308b4e25
+  scm: git