diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
index 21dc64f..a93ea4d 100644
--- a/.github/workflows/build_and_test.yaml
+++ b/.github/workflows/build_and_test.yaml
@@ -17,22 +17,21 @@ jobs:
     strategy:
       matrix:
         include:
-          - python-version-short: "3.8"
-            python-version: 3.8.18
-            vault-version: "1.12.5-1"
-            hvac-gh-tag: "v1.1.1"
           - python-version-short: "3.9"
             python-version: 3.9.21
-            vault-version: "1.12.5-1"
-            hvac-gh-tag: "v1.1.1"
+            consul-version: "1.22.7-1"
+            vault-version: "2.0.0-1"
+            hvac-gh-tag: "v2.4.0"
           - python-version-short: "3.10"
             python-version: 3.10.16
-            vault-version: "1.12.5-1"
-            hvac-gh-tag: "v1.1.1"
+            consul-version: "1.22.7-1"
+            vault-version: "2.0.0-1"
+            hvac-gh-tag: "v2.4.0"
           - python-version-short: "3.11"
             python-version: 3.11.11
-            vault-version: "1.12.5-1"
-            hvac-gh-tag: "v1.1.1"
+            consul-version: "1.22.7-1"
+            vault-version: "2.0.0-1"
+            hvac-gh-tag: "v2.4.0"
     steps:
       - name: Checkout Pack Repo and CI Repos
         uses: StackStorm-Exchange/ci/.github/actions/checkout@master
@@ -63,20 +62,7 @@ jobs:
         working-directory: pack
         shell: bash
         run: |
-          wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/hashicorp.gpg
-          echo "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
-            | sudo tee /etc/apt/sources.list.d/hashicorp.list
-
-          sudo apt update \
-            -o Dir::Etc::sourceparts="-" \
-            -o APT::Get::List-Cleanup="0" \
-            -o Dir::Etc::sourcelist="sources.list.d/hashicorp.list"
-
-          sudo apt install consul vault=${{ matrix.vault-version }}
-
-          # We disble cap_ipc_lock here as its generally incompatabile with GitHub
-          # Actions' runtime environments.
-          sudo setcap cap_ipc_lock= /usr/bin/vault
+          ${ROOT_DIR}/tests/scripts/install_vault ${{ matrix.vault-version }} ${{ matrix.consul-version }}
       - name: Setup hvac symlinks
         shell: bash
diff --git a/CHANGES.md b/CHANGES.md
index 711fede..55a168f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
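Review bot: The new `run:` line splices `${{ matrix.vault-version }}` and `${{ matrix.consul-version }}` directly into the shell text and leaves `${ROOT_DIR}` unquoted; the matrix values are literals declared in this same workflow, so the exposure is low, but the conventional hardening is to pass them through `env:` and quote the expansions, e.g. `env:` with `VAULT_VERSION: ${{ matrix.vault-version }}` and `CONSUL_VERSION: ${{ matrix.consul-version }}`, then `run: "${ROOT_DIR:?}/tests/scripts/install_vault" "$VAULT_VERSION" "$CONSUL_VERSION"`. Where `ROOT_DIR` is set is not visible in this hunk; if it were ever unset the step would try to execute `/tests/scripts/install_vault`, and the `${ROOT_DIR:?}` form makes that fail loudly instead. The enclosing job and the step's `name:` start outside the hunk.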
@@ -1,5 +1,10 @@
 # Change Log
+## 3.0.0
+
+- Removed pinning of hvac to support Python version >= 3.9 and add the sys.wrap/sys.unwrap methods.
+- Added wrap/unwrap actions
+
 ## 2.1.0
 - Support mount_point parameter for profiles config.
diff --git a/actions/unwrap_secret.py b/actions/unwrap_secret.py
new file mode 100644
index 0000000..6467541
--- /dev/null
+++ b/actions/unwrap_secret.py
@@ -0,0 +1,13 @@
+from lib import action
+import hvac
+
+
+class VaultUnwrapSecretAction(action.VaultBaseAction):
+    def run(self, token, profile_name=None):
+        super().run(profile_name=profile_name)
+        try:
+            resp = self.vault.sys.unwrap(token)
+        except hvac.exceptions.InvalidRequest as e:
+            return (False, f"{e}")
+
+        return (True, resp)
diff --git a/actions/unwrap_secret.yaml b/actions/unwrap_secret.yaml
new file mode 100644
index 0000000..d79ac75
--- /dev/null
+++ b/actions/unwrap_secret.yaml
@@ -0,0 +1,17 @@
+---
+name: unwrap_secret
+runner_type: python-script
+description: "Read secret from Vault Wrap engine"
+enabled: true
+entry_point: "unwrap_secret.py"
+parameters:
+  profile_name:
+    type: "string"
+    description: "The profile to use to run this action."
+    required: false
+  token:
+    type: "string"
+    description: "Wrap token to unwrap"
+    required: true
+    secret: true
+    position: 0
diff --git a/actions/wrap_secret.py b/actions/wrap_secret.py
new file mode 100644
index 0000000..4e7b29e
--- /dev/null
+++ b/actions/wrap_secret.py
@@ -0,0 +1,8 @@
+from lib import action
+
+
+class VaultWrapSecretAction(action.VaultBaseAction):
+    def run(self, secret, ttl, profile_name=None):
+        super().run(profile_name=profile_name)
+        resp = self.vault.sys.wrap(payload=secret, ttl=ttl)
+        return (True, resp)
diff --git a/actions/wrap_secret.yaml b/actions/wrap_secret.yaml
new file mode 100644
index 0000000..388ae4a
--- /dev/null
+++ b/actions/wrap_secret.yaml
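Review bot: `VaultUnwrapSecretAction.run` turns only `hvac.exceptions.InvalidRequest` (HTTP 400, which is what Vault normally returns for a wrapping token that is invalid, expired or already used) into a `(False, message)` result; a 403 from a policy that denies `sys/wrapping/unwrap`, a sealed Vault, or a connection error still escapes the action as a raw traceback, so the two failure paths are reported inconsistently. If the intent is that every Vault-side rejection becomes a failed result, `except hvac.exceptions.VaultError as e:` covers the whole hvac exception hierarchy; if only 400s are meant to be mapped, a comment saying why would stop the next reader from "fixing" it. The class and `run` have no docstring; a one-liner such as `"""Unwrap a single-use response-wrapping token and return Vault's unwrap response."""` would state the contract, including that a second call with the same token fails.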
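Review bot: `VaultWrapSecretAction.run` has no error handling, unlike the sibling `actions/unwrap_secret.py` in this commit which maps `hvac.exceptions.InvalidRequest` to a `(False, message)` tuple; a rejected wrap call here (for example a policy that denies `sys/wrapping/wrap`, or an unacceptable `ttl`) surfaces as an uncaught exception rather than a failed action result. Wrapping the `self.vault.sys.wrap(...)` call in the same `try`/`except` shape keeps the two actions consistent. A short docstring noting that the returned response carries the wrapping token under `wrap_info` — the sensitive value this action produces, so it should be treated like a secret by callers — would also help, and the `ttl` argument should be documented as seconds since the action definition's default of 300 is given in seconds.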
@@ -0,0 +1,23 @@
+---
+name: wrap_secret
+runner_type: python-script
+description: "Write a secret to the Vault Wrap engine"
+enabled: true
+entry_point: "wrap_secret.py"
+parameters:
+  profile_name:
+    type: "string"
+    description: "The profile to use to run this action."
+    required: false
+  ttl:
+    type: "integer"
+    description: "Time-To-Live before the wrap token expires (Default: 300 seconds)"
+    default: 300
+    required: false
+    position: 1
+  secret:
+    type: "object"
+    description: 'Dictionary with secret {"key": "value", "key2": "value2"}'
+    required: true
+    secret: true
+    position: 0
diff --git a/pack.yaml b/pack.yaml
index 9b4a965..e1dd2f9 100644
--- a/pack.yaml
+++ b/pack.yaml
@@ -2,7 +2,7 @@
 ref: vault
 name: vault
 description: StackStorm pack integration with HashiCorp Vault
-version: 2.1.0
+version: 3.0.0
 python_versions:
   - "3"
 author: steve.neuharth
diff --git a/requirements.txt b/requirements.txt
index 7846d6c..3e6a595 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1 +1 @@
-hvac>=1.1.0,<2.0.0
+hvac
diff --git a/tests/scripts/install_vault b/tests/scripts/install_vault
new file mode 100755
index 0000000..e018d06
--- /dev/null
+++ b/tests/scripts/install_vault
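Review bot: `hvac` is now left entirely unbounded, with no lower or upper bound, even though the change log in this commit ties the unpin to the new `sys.wrap`/`sys.unwrap` calls — implying the old `<2.0.0` range lacked at least one of them — and the CI matrix exercises only hvac `v2.4.0`. A resolver is therefore free to install an older release that does not provide `sys.wrap`, and nothing guards against the breaking changes of a future major. A bounded specifier such as `hvac>=2.0.0,<3.0.0` keeps installs reproducible; set the lower bound to the first hvac release that ships `sys.wrap` (confirm against hvac's changelog; 2.0.0 here is a placeholder). Dropping the upper bound does not follow from the Python >= 3.9 motivation given in the change log.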
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+set -eux
+
+# Installing consul and vault in the CI/CD environment is complex. That
+# complexity is now wrapped inside this shell script for a clearer CI/CD YAML.
+
+VAULT_VERSION="$1"
+CONSUL_VERSION="$2"
+
+wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/hashicorp.gpg
+sudo tee /etc/apt/sources.list.d/hashicorp.list <<<"deb [arch=amd64, signed-by=/etc/apt/trusted.gpg.d/hashicorp.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
+
+sudo apt update -o Dir::Etc::sourceparts="-" -o APT::Get::List-Cleanup="0" -o Dir::Etc::sourcelist="sources.list.d/hashicorp.list"
+sudo apt install consul=${CONSUL_VERSION} vault=${VAULT_VERSION}
+
+# We disble cap_ipc_lock here as its generally incompatabile with GitHub
+# Actions' runtime environments.
+sudo setcap cap_ipc_lock= /usr/bin/vault
+
+# Consul needs to be explicitly configured to start in the CI/CD environment.
+sudo mkdir -p /srv/consul && sudo chown -R consul:consul /srv/consul
+
+sudo tee /etc/consul.d/consul.hcl >/dev/null <