From 677f316176fbdfb451d39bbfbe2dd0a5a3e6c2d5 Mon Sep 17 00:00:00 2001
From: Sven Seeberg
Date: Sat, 1 Feb 2020 19:55:31 +0100
Subject: [PATCH] Add source
---
README.md | 42 +++++++++++++++++++
example/pillars/passbolt/myapp.sls | 3 ++
example/pillars/top.sls | 4 ++
.../states/important_secret/files/secret.conf | 2 +
example/states/important_secret/init.sls | 6 +++
example/states/top.sls | 4 ++
setup.py | 30 +++++++++++++
src/salt_passbolt.py | 28 +++++++++++++
8 files changed, 119 insertions(+)
create mode 100644 example/pillars/passbolt/myapp.sls
create mode 100644 example/pillars/top.sls
create mode 100644 example/states/important_secret/files/secret.conf
create mode 100644 example/states/important_secret/init.sls
create mode 100644 example/states/top.sls
create mode 100644 setup.py
create mode 100644 src/salt_passbolt.py
diff --git a/README.md b/README.md
index 59e7621..9b1e320 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,44 @@
 # passbolt-salt
 Script to retrieve Passbolt passwords for Saltstack Pillars
+
+# Installation
+
+1. Clone this repo
+
+2. Go to directory, run
+ ```
+ python3 setup.py
+ ```
+
+3. Create an Passbolt account for the Salt master.
+
+4. Copy the private and public PGP key files to `/etc/salt`.
+
+5. Create a `/etc/salt/passbolt.ini` file with the following content:
+ ```
+ [PASSBOLT]
+ SERVER = https://pass.netzbegruenung.de
+ #SERVER_PUBLIC_KEY_FILE =
+ USER_FINGERPRINT = [REPLACE WITH GPG KEY FINGERPRINT]
+ USER_PUBLIC_KEY_FILE = /etc/salt/passbolt_public.asc
+ USER_PRIVATE_KEY_FILE = /etc/salt/passbolt_private.asc
+ PASSPHRASE = [REPLACE WITH PASSBOLT USER PASSWORD]
+ ```
+
+6. Change file permissions:
+ ```
+ chown salt /etc/salt/passbolt*
+ chmod 600 /etc/salt/passbolt*
+ ```
+
+7. Create Pillar sls files where required with the content, replace the group UUID. Look into the example directory. Hint: you can find the Group UUID with the network tool of the browser by clicking on a group.
+ ```
+ #!py
+ fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c")
+ ```
+
+8. In state, reference secrets with their UUID. See the `example/salt/important_secrets/files/secret.conf`. Hint: you can find the secret UUID in the URL of your browser by clicking on the checkbox of a secret.
+ ```
+ password={{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}
+ ```
+
diff --git a/example/pillars/passbolt/myapp.sls b/example/pillars/passbolt/myapp.sls
new file mode 100644
index 0000000..35b60b1
--- /dev/null
+++ b/example/pillars/passbolt/myapp.sls
@@ -0,0 +1,3 @@
+#!py
+fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c")
+
diff --git a/example/pillars/top.sls b/example/pillars/top.sls
new file mode 100644
index 0000000..e980bf1
--- /dev/null
+++ b/example/pillars/top.sls
@@ -0,0 +1,4 @@
+base:
+ 'myappserver*':
+ - passbolt.myapp
+
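Review bot: The `#!py` pillar in `example/pillars/passbolt/myapp.sls` calls `fetch_passbolt_passwords(...)` as a bare expression without importing it, and Salt's py renderer takes pillar data from the return value of a `run()` function defined in the file, so as written this either raises `NameError` at render time or contributes no data. The file should read `from salt_passbolt import fetch_passbolt_passwords` followed by `def run():` and `    return fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c")`. The README's step 7 repeats the same snippet and should be updated together with it.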
diff --git a/example/states/important_secret/files/secret.conf b/example/states/important_secret/files/secret.conf
new file mode 100644
index 0000000..74c4904
--- /dev/null
+++ b/example/states/important_secret/files/secret.conf
@@ -0,0 +1,2 @@
+user=public
+password={{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}
diff --git a/example/states/important_secret/init.sls b/example/states/important_secret/init.sls
new file mode 100644
index 0000000..5e1247e
--- /dev/null
+++ b/example/states/important_secret/init.sls
@@ -0,0 +1,6 @@
+important_secrets:
+ file.managed:
+ - name: /etc/secret.conf
+ - source: salt://important_secrets/files/secret.conf
+ - template: jinja
+
diff --git a/example/states/top.sls b/example/states/top.sls
new file mode 100644
index 0000000..1f6d0f5
--- /dev/null
+++ b/example/states/top.sls
@@ -0,0 +1,4 @@
+base:
+ '*':
+ - important_secrets
+
diff --git a/setup.py b/setup.py
new file mode 100644
index 0000000..853bd5c
--- /dev/null
+++ b/setup.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+"""
+Setup script
+"""
+
+from setuptools import find_packages, setup
+
+setup(
+ name="salt-passbolt",
+ version="1.0.0",
+ packages=find_packages("src"),
+ package_dir={'': 'src'},
+ include_package_data=True,
+ install_requires=[
+ "passbolt-python-api>=0.1.2",
+ ],
+ author="Sven Seeberg (Netzbegrünung e.V.)",
+ author_email="mail@sven-seeberg.de",
+ description="Fetch passwords from Passbolt to build Saltstack pillars",
+ license="MIT",
+ keywords="Passbolt Salt Pillar",
+ url="http://github.com/netzbegruenung/salt-passbolt",
+ classifiers=[
+ 'Development Status :: 5 - Production/Stable',
+ 'Intended Audience :: Developers',
+ 'Programming Language :: Python :: 3.4',
+ 'Programming Language :: Python :: 3.5',
+ 'Programming Language :: Python :: 3.6',
+ ]
+)
diff --git a/src/salt_passbolt.py b/src/salt_passbolt.py
new file mode 100644
index 0000000..128fd2b
--- /dev/null
+++ b/src/salt_passbolt.py
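Review bot: The `file.managed` state for `/etc/secret.conf` in `example/states/important_secret/init.sls` writes a Passbolt password into the file but sets no `mode`, `user` or `group`, so the file is created with Salt's default permissions, which are typically world-readable; add `- mode: '0600'` (plus `- user:`/`- group:` for the service account that reads it) under `file.managed`. The state id, the `salt://important_secrets/files/secret.conf` source and the `- important_secrets` entry in `example/states/top.sls` all use the plural, while the directory added by this commit is `important_secret`, so with `file_roots` pointing at `example/states` neither the state nor its source file resolves until one side is renamed. The README's step 8 refers to yet another path, `example/salt/important_secrets/...`, and should match whichever name is kept.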
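Review bot: `packages=find_packages("src")` in `setup.py` only discovers packages, i.e. directories containing `__init__.py`, and the only code under `src/` is the flat module `salt_passbolt.py`, so the built distribution contains no code and `fetch_passbolt_passwords` is never importable on the Salt master. Either add `py_modules=["salt_passbolt"],` next to `package_dir={'': 'src'},` or move the module to `src/salt_passbolt/__init__.py`. The project `url` uses plain `http://`; `url="https://github.com/netzbegruenung/salt-passbolt",` avoids the unencrypted redirect.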
@@ -0,0 +1,28 @@
+"""
+Provides functions to fetch passwords from passbolt api
+"""
+import passboltapi # pylint: disable=E0401
+
+def get_password_list(passbolt_obj, group_uuid):
+ result = list()
+ for i in passbolt_obj.get(url="/resources.json?/resources.json?filter[is-shared-with-group]={}&api-version=v2".format(group_uuid))["body"]:
+ result.append({
+ "id": i["id"],
+ "name": i["name"],
+ "username": i["username"],
+ "uri": i["uri"]
+ })
+ return result
+
+def generate_pillar(passbolt_obj, group_uuid):
+ result = get_password_list(passbolt_obj, group_uuid)
+ salt = {'passbolt': {}}
+ for i in result:
+ resource = passbolt_obj.get("/secrets/resource/{}.json?api-version=v2".format(i["id"]))
+ salt['passbolt'][i["id"]] = passbolt_obj.decrypt(resource["body"]["data"])
+ return salt
+
+def fetch_passbolt_passwords(group_uuid):
+ with passboltapi.PassboltAPI(config_path="/etc/salt/passbolt.ini") as passbolt:
+ salt = generate_pillar(passbolt_obj=passbolt, group_uuid)
+ return salt
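Review bot: `salt = generate_pillar(passbolt_obj=passbolt, group_uuid)` in `fetch_passbolt_passwords` places a positional argument after a keyword argument, which is a `SyntaxError`, so `src/salt_passbolt.py` cannot be imported and every pillar that uses it fails to render; it should read `salt = generate_pillar(passbolt_obj=passbolt, group_uuid=group_uuid)`. The request path in `get_password_list` repeats `/resources.json?` and should be `"/resources.json?filter[is-shared-with-group]={}&api-version=v2".format(group_uuid)`. Because `group_uuid` and each `i["id"]` are interpolated straight into the query string, normalising them first with `str(uuid.UUID(value))` rejects malformed identifiers before they reach the API, at the cost of one `import uuid`. Each function also deserves a one-line docstring, and `generate_pillar` should say explicitly that the returned dict holds decrypted secrets in clear text so callers handle the pillar data accordingly.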