Add source

2020-02-01 19:55:31 +01:00 · 2020-02-01 19:55:31 +01:00 · 677f316176
parent 936d87ba9b
commit 677f316176
8 changed files with 119 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -1,2 +1,44 @@
 # passbolt-salt
 Script to retrieve Passbolt passwords for Saltstack Pillars
+
+# Installation
+
+1. Clone this repo 
+
+2. Go to directory, run
+    ```
+    python3 setup.py
+    ```
+
+3. Create an Passbolt account for the Salt master.
+
+4. Copy the private and public PGP key files to `/etc/salt`.
+
+5. Create a `/etc/salt/passbolt.ini` file with the following content:
+    ```
+    [PASSBOLT]
+    SERVER = https://pass.netzbegruenung.de
+    #SERVER_PUBLIC_KEY_FILE = <optional: server_public.asc>
+    USER_FINGERPRINT = [REPLACE WITH GPG KEY FINGERPRINT]
+    USER_PUBLIC_KEY_FILE = /etc/salt/passbolt_public.asc
+    USER_PRIVATE_KEY_FILE = /etc/salt/passbolt_private.asc
+    PASSPHRASE = [REPLACE WITH PASSBOLT USER PASSWORD]
+    ```
+
+6. Change file permissions:
+    ```
+    chown salt /etc/salt/passbolt*
+    chmod 600 /etc/salt/passbolt*
+    ```
+
+7. Create Pillar sls files where required with the content, replace the group UUID. Look into the example directory. Hint: you can find the Group UUID with the network tool of the browser by clicking on a group.
+    ```
+    #!py
+    fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c")
+    ```
+
+8. In state, reference secrets with their UUID. See the `example/salt/important_secrets/files/secret.conf`. Hint: you can find the secret UUID in the URL of your browser by clicking on the checkbox of a secret.
+    ```
+    password={{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}
+    ```
+
--- a/example/pillars/passbolt/myapp.sls
+++ b/example/pillars/passbolt/myapp.sls
@ -0,0 +1,3 @@
+#!py
+fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c")
+
--- a/example/pillars/top.sls
+++ b/example/pillars/top.sls
@ -0,0 +1,4 @@
+base:
+  'myappserver*':
+    - passbolt.myapp
+
--- a/example/states/important_secret/files/secret.conf
+++ b/example/states/important_secret/files/secret.conf
@ -0,0 +1,2 @@
+user=public
+password={{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}
--- a/example/states/important_secret/init.sls
+++ b/example/states/important_secret/init.sls
@ -0,0 +1,6 @@
+important_secrets:
+  file.managed:
+    - name: /etc/secret.conf
+    - source: salt://important_secrets/files/secret.conf
+    - template: jinja
+
--- a/example/states/top.sls
+++ b/example/states/top.sls
@ -0,0 +1,4 @@
+base:
+  '*':
+    - important_secrets
+
--- a/setup.py
+++ b/setup.py
@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+"""
+Setup script
+"""
+
+from setuptools import find_packages, setup
+
+setup(
+    name="salt-passbolt",
+    version="1.0.0",
+    packages=find_packages("src"),
+    package_dir={'': 'src'},
+    include_package_data=True,
+    install_requires=[
+        "passbolt-python-api>=0.1.2",
+    ],
+    author="Sven Seeberg (Netzbegrünung e.V.)",
+    author_email="mail@sven-seeberg.de",
+    description="Fetch passwords from Passbolt to build Saltstack pillars",
+    license="MIT",
+    keywords="Passbolt Salt Pillar",
+    url="http://github.com/netzbegruenung/salt-passbolt",
+    classifiers=[
+        'Development Status :: 5 - Production/Stable',
+        'Intended Audience :: Developers',
+        'Programming Language :: Python :: 3.4',
+        'Programming Language :: Python :: 3.5',
+        'Programming Language :: Python :: 3.6',
+    ]
+)
--- a/src/salt_passbolt.py
+++ b/src/salt_passbolt.py
@ -0,0 +1,28 @@
+"""
+Provides functions to fetch passwords from passbolt api
+"""
+import passboltapi  # pylint: disable=E0401
+
+def get_password_list(passbolt_obj, group_uuid):
+    result = list()
+    for i in passbolt_obj.get(url="/resources.json?/resources.json?filter[is-shared-with-group]={}&api-version=v2".format(group_uuid))["body"]:
+        result.append({
+            "id": i["id"],
+            "name": i["name"],
+            "username": i["username"],
+            "uri": i["uri"]
+        })
+    return result
+
+def generate_pillar(passbolt_obj, group_uuid):
+    result = get_password_list(passbolt_obj, group_uuid)
+    salt = {'passbolt': {}}
+    for i in result:
+        resource = passbolt_obj.get("/secrets/resource/{}.json?api-version=v2".format(i["id"]))
+        salt['passbolt'][i["id"]] = passbolt_obj.decrypt(resource["body"]["data"])
+    return salt
+
+def fetch_passbolt_passwords(group_uuid):
+    with passboltapi.PassboltAPI(config_path="/etc/salt/passbolt.ini") as passbolt:
+        salt = generate_pillar(passbolt_obj=passbolt, group_uuid)
+    return salt