././@PaxHeader0000000000000000000000000000003200000000000011450 xustar000000000000000026 mtime=1584977226.95529 vaultlocker-1.0.6/0000755000175000017500000000000000000000000015764 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/.coveragerc0000664000175000017500000000011000000000000020077 0ustar00jamespagejamespage00000000000000[run] branch = True source = vaultlocker [report] ignore_errors = True ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/.mailmap0000664000175000017500000000013100000000000017402 0ustar00jamespagejamespage00000000000000# Format is: # # ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1584977226.9512901 vaultlocker-1.0.6/.settings/0000755000175000017500000000000000000000000017702 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1531208385.0 vaultlocker-1.0.6/.settings/org.eclipse.core.resources.prefs0000664000175000017500000000107700000000000026124 0ustar00jamespagejamespage00000000000000eclipse.preferences.version=1 encoding//vaultlocker/__init__.py=utf-8 encoding//vaultlocker/dmcrypt.py=utf-8 encoding//vaultlocker/shell.py=utf-8 encoding//vaultlocker/systemd.py=utf-8 encoding//vaultlocker/tests/functional/__init__.py=utf-8 encoding//vaultlocker/tests/functional/base.py=utf-8 encoding//vaultlocker/tests/functional/test_keystorage.py=utf-8 encoding//vaultlocker/tests/unit/base.py=utf-8 encoding//vaultlocker/tests/unit/test_dmcrypt.py=utf-8 encoding//vaultlocker/tests/unit/test_systemd.py=utf-8 encoding//vaultlocker/tests/unit/test_vaultlocker.py=utf-8 ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/.stestr.conf0000664000175000017500000000006300000000000020236 0ustar00jamespagejamespage00000000000000[DEFAULT] test_path=./vaultlocker/tests top_dir=./ ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1568728230.0 vaultlocker-1.0.6/.travis.yml0000644000175000017500000000076100000000000020101 0ustar00jamespagejamespage00000000000000language: python python: - "2.7" - "3.5" - "3.6" - "3.7" before_install: - sudo -E bash ./gate/travis-vault.sh install: - pip install -r requirements.txt -c https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt - pip install -r test-requirements.txt -c https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt script: - stestr run "^vaultlocker.tests.unit.*" - pifpaf run vault -- stestr run "^vaultlocker.tests.functional.*" ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1584977226.0 vaultlocker-1.0.6/AUTHORS0000664000175000017500000000051400000000000017036 0ustar00jamespagejamespage00000000000000David Ames Edward Hope-Morley Frode Nordahl James Page Liam Young Nicolas Pochet Rodrigo Barbieri Ryan Beisner ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/CONTRIBUTING.rst0000664000175000017500000000121700000000000020430 0ustar00jamespagejamespage00000000000000If you would like to contribute to the development of OpenStack, you must follow the steps in this page: http://docs.openstack.org/infra/manual/developers.html If you already have a good understanding of how the system works and your OpenStack accounts are set up, you can skip to the development workflow section of this documentation to learn how changes to OpenStack should be submitted for review via the Gerrit tool: http://docs.openstack.org/infra/manual/developers.html#development-workflow Pull requests submitted through GitHub will be ignored. Bugs should be filed on Launchpad, not GitHub: https://bugs.launchpad.net/vaultlocker ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1584977226.0 vaultlocker-1.0.6/ChangeLog0000664000175000017500000000471600000000000017550 0ustar00jamespagejamespage00000000000000CHANGES ======= 1.0.6 ----- * Wait for dns to be configured 1.0.5 ----- * Skip trying to decrypt device if it already exists 1.0.4 ----- * Remove systemd-networkd-wait-online * Remove py34 and add py37 test targets * Unblock network-online.target 1.0.3 ----- * Specialize udevadm rescan to target block device 1.0.2 ----- * Add unit tests for new udevadm helpers * Force rescan for block devices after luksFormat 1.0.1 ----- * Ensure udev creates sym link for encyprted device 1.0.0 ----- * Updates to make use of secret\_id * Update systemd unit def post testing * Drop default systemd deps for early boot usage * Drop wants/requires on local-fs target * Ensure functional tests are skipped if vault is not pifpaf'ed * Tidy up exception handling in retry decorator, add test case * Ensure section and key used for configuration operations * Install vault during travis testing * Add basic functional tests for interaction with vault * Move unit tests in to specific tests directory * Add py34 for trusty testing * Use OpenStack Upper Constraints * Add Travis CI Logo * Add travis configuration * Docstring for \_vault\_client * Add basic encrypt/decrypt tests * Add systemd module tests, deal with py36 unit test failures * Add tests for dmcrypt module * Add more docstrings * Update HACKING formatting * General Tidy * Break out systemd service management * Enable systemd unit for each encrypted block device * Install sample config and systemd unit * Drop absolute\_import * Drop file support * Correct typo * Switch to new syntax for luks open * Switch to using check\_output * Misc refactoring + logging for dmcrypt * Tidy lint * Correct types for py3 * Don't use key * Add decrypt systemd service * Add spike of dm-crypt support * Add pifpaf for functional testing * Print uuid of secret after storage * Add README updates * Subdir systemd unit * Add example config file * Use native vaultlocker retries * Use tenacity to support retries * Update to use timeout * Fixup nargs usage * Fixup argparse usage * Correct use of six * Tidy * Add basic config file support * Refactor to drop args for vault config * Correct source path kv * Use correct arg * Correct params for retrieve parser * Refactor to not do crappy event loop * Ensure stored files are not group and world accessible * Tidy logging * Misc tidy * Use hostname as top level key, with digest and key for actual file storage * Create proper entry point * Misc tidy during testing * Initial version * Initial Cookiecutter Commit ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1523366822.0 vaultlocker-1.0.6/HACKING.rst0000664000175000017500000000022000000000000017556 0ustar00jamespagejamespage00000000000000vaultlocker Style Commandments ============================== Read the OpenStack Style Commandments https://docs.openstack.org/hacking/latest/ ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/LICENSE0000664000175000017500000002363700000000000017006 0ustar00jamespagejamespage00000000000000 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. ././@PaxHeader0000000000000000000000000000003200000000000011450 xustar000000000000000026 mtime=1584977226.95529 vaultlocker-1.0.6/PKG-INFO0000644000175000017500000000566000000000000017070 0ustar00jamespagejamespage00000000000000Metadata-Version: 1.1 Name: vaultlocker Version: 1.0.6 Summary: Utility to store and retrieve dm-crypt encryption keys in Hashicorp Vault Home-page: http://www.openstack.org/ Author: OpenStack Charms Team Author-email: openstack-dev@lists.openstack.org License: UNKNOWN Description: =========== vaultlocker =========== .. image:: https://travis-ci.org/openstack-charmers/vaultlocker.svg?branch=master :target: https://travis-ci.org/openstack-charmers/vaultlocker Utility to store and retrieve dm-crypt keys in Hashicorp Vault. Vault provides a nice way to manage secrets within complex software deployments. vaultlocker provides a way to store and retrieve dm-crypt encryption keys in Vault, automatically retrieving keys and opening LUKS dm-crypt devices on boot. vaultlocker is configured using `/etc/vaultlocker/vaultlocker.conf`:: [vault] url = https://vault.internal:8200 approle = 4a1b84d2-7bb2-4c07-9804-04d1683ac925 backend = secret vaultlocker defaults to using a backend with the name `secret`. A block device can be encrypted and its key stored in vault:: sudo vaultlocker encrypt /dev/sdd1 This will automatically create a new systemd unit which will automatically retrieve the key and open the LUKS/dm-crypt device on boot. Unless a UUID is provided (using the optional --uuid flag) vaultlocker will generate a UUID to label and identify the block device during subsequent operations. A block device can also be opened from the command line using its UUID (hint - the block device or partition will be labelled with the UUID):: sudo vaultlocker decrypt f65b9e66-8f0c-4cae-b6f5-6ec85ea134f2 Authentication to Vault is done using an AppRole with a secret_id; its assumed that a CIDR based ACL is in use to only allow permitted systems within the Data Center to login and retrieve secrets from Vault. * Free software: Apache license * Documentation: https://docs.openstack.org/vaultlocker/latest * Source: https://git.openstack.org/cgit/openstack/vaultlocker * Bugs: https://bugs.launchpad.net/vaultlocker Platform: UNKNOWN Classifier: Environment :: OpenStack Classifier: Intended Audience :: Information Technology Classifier: Intended Audience :: System Administrators Classifier: License :: OSI Approved :: Apache Software License Classifier: Operating System :: POSIX :: Linux Classifier: Programming Language :: Python Classifier: Programming Language :: Python :: 2 Classifier: Programming Language :: Python :: 2.7 Classifier: Programming Language :: Python :: 3 Classifier: Programming Language :: Python :: 3.5 ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1525433274.0 vaultlocker-1.0.6/README.rst0000664000175000017500000000336000000000000017457 0ustar00jamespagejamespage00000000000000=========== vaultlocker =========== .. image:: https://travis-ci.org/openstack-charmers/vaultlocker.svg?branch=master :target: https://travis-ci.org/openstack-charmers/vaultlocker Utility to store and retrieve dm-crypt keys in Hashicorp Vault. Vault provides a nice way to manage secrets within complex software deployments. vaultlocker provides a way to store and retrieve dm-crypt encryption keys in Vault, automatically retrieving keys and opening LUKS dm-crypt devices on boot. vaultlocker is configured using `/etc/vaultlocker/vaultlocker.conf`:: [vault] url = https://vault.internal:8200 approle = 4a1b84d2-7bb2-4c07-9804-04d1683ac925 backend = secret vaultlocker defaults to using a backend with the name `secret`. A block device can be encrypted and its key stored in vault:: sudo vaultlocker encrypt /dev/sdd1 This will automatically create a new systemd unit which will automatically retrieve the key and open the LUKS/dm-crypt device on boot. Unless a UUID is provided (using the optional --uuid flag) vaultlocker will generate a UUID to label and identify the block device during subsequent operations. A block device can also be opened from the command line using its UUID (hint - the block device or partition will be labelled with the UUID):: sudo vaultlocker decrypt f65b9e66-8f0c-4cae-b6f5-6ec85ea134f2 Authentication to Vault is done using an AppRole with a secret_id; its assumed that a CIDR based ACL is in use to only allow permitted systems within the Data Center to login and retrieve secrets from Vault. * Free software: Apache license * Documentation: https://docs.openstack.org/vaultlocker/latest * Source: https://git.openstack.org/cgit/openstack/vaultlocker * Bugs: https://bugs.launchpad.net/vaultlocker ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1584977226.0 vaultlocker-1.0.6/RELEASENOTES.rst0000644000175000017500000000004400000000000020405 0ustar00jamespagejamespage00000000000000=========== vaultlocker =========== ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/babel.cfg0000664000175000017500000000002100000000000017505 0ustar00jamespagejamespage00000000000000[python: **.py] ././@PaxHeader0000000000000000000000000000003200000000000011450 xustar000000000000000026 mtime=1584977226.94729 vaultlocker-1.0.6/doc/0000755000175000017500000000000000000000000016531 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1584977226.9512901 vaultlocker-1.0.6/doc/source/0000755000175000017500000000000000000000000020031 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1584977226.9512901 vaultlocker-1.0.6/doc/source/admin/0000755000175000017500000000000000000000000021121 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/admin/index.rst0000664000175000017500000000014500000000000022764 0ustar00jamespagejamespage00000000000000==================== Administrators guide ==================== Administrators guide of vaultlocker. ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1584977226.9512901 vaultlocker-1.0.6/doc/source/cli/0000755000175000017500000000000000000000000020600 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/cli/index.rst0000664000175000017500000000020200000000000022435 0ustar00jamespagejamespage00000000000000================================ Command line interface reference ================================ CLI reference of vaultlocker. ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/conf.py0000775000175000017500000000506200000000000021340 0ustar00jamespagejamespage00000000000000# -*- coding: utf-8 -*- # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or # implied. # See the License for the specific language governing permissions and # limitations under the License. import os import sys sys.path.insert(0, os.path.abspath('../..')) # -- General configuration ---------------------------------------------------- # Add any Sphinx extension module names here, as strings. They can be # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom ones. extensions = [ 'sphinx.ext.autodoc', 'openstackdocstheme', #'sphinx.ext.intersphinx', ] # autodoc generation is a bit aggressive and a nuisance when doing heavy # text edit cycles. # execute "export SPHINX_DEBUG=1" in your terminal to disable # The suffix of source filenames. source_suffix = '.rst' # The master toctree document. master_doc = 'index' # General information about the project. project = u'vaultlocker' copyright = u'2017, OpenStack Developers' # openstackdocstheme options repository_name = 'openstack/vaultlocker' bug_project = 'vaultlocker' bug_tag = '' # If true, '()' will be appended to :func: etc. cross-reference text. add_function_parentheses = True # If true, the current module name will be prepended to all description # unit titles (such as .. function::). add_module_names = True # The name of the Pygments (syntax highlighting) style to use. pygments_style = 'sphinx' # -- Options for HTML output -------------------------------------------------- # The theme to use for HTML and HTML Help pages. Major themes that come with # Sphinx are currently 'default' and 'sphinxdoc'. # html_theme_path = ["."] # html_theme = '_theme' # html_static_path = ['static'] html_theme = 'openstackdocs' # Output file base name for HTML help builder. htmlhelp_basename = '%sdoc' % project # Grouping the document tree into LaTeX files. List of tuples # (source start file, target name, title, author, documentclass # [howto/manual]). latex_documents = [ ('index', '%s.tex' % project, u'%s Documentation' % project, u'OpenStack Developers', 'manual'), ] # Example configuration for intersphinx: refer to the Python standard library. #intersphinx_mapping = {'http://docs.python.org/': None} ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1584977226.9512901 vaultlocker-1.0.6/doc/source/configuration/0000755000175000017500000000000000000000000022700 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/configuration/index.rst0000664000175000017500000000011100000000000024534 0ustar00jamespagejamespage00000000000000============= Configuration ============= Configuration of vaultlocker. ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1584977226.9512901 vaultlocker-1.0.6/doc/source/contributor/0000755000175000017500000000000000000000000022403 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/contributor/contributing.rst0000664000175000017500000000011600000000000025644 0ustar00jamespagejamespage00000000000000============ Contributing ============ .. include:: ../../../CONTRIBUTING.rst ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/contributor/index.rst0000664000175000017500000000020300000000000024241 0ustar00jamespagejamespage00000000000000=========================== Contributor Documentation =========================== .. toctree:: :maxdepth: 2 contributing ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/index.rst0000664000175000017500000000117500000000000021700 0ustar00jamespagejamespage00000000000000.. vaultlocker documentation master file, created by sphinx-quickstart on Tue Jul 9 22:26:36 2013. You can adapt this file completely to your liking, but it should at least contain the root `toctree` directive. =========================================== Welcome to the documentation of vaultlocker =========================================== Contents: .. toctree:: :maxdepth: 2 readme install/index library/index contributor/index configuration/index cli/index user/index admin/index reference/index Indices and tables ================== * :ref:`genindex` * :ref:`modindex` * :ref:`search` ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1584977226.9512901 vaultlocker-1.0.6/doc/source/install/0000755000175000017500000000000000000000000021477 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/install/common_configure.rst0000664000175000017500000000046300000000000025567 0ustar00jamespagejamespage000000000000002. Edit the ``/etc/vaultlocker/vaultlocker.conf`` file and complete the following actions: * In the ``[database]`` section, configure database access: .. code-block:: ini [database] ... connection = mysql+pymysql://vaultlocker:VAULTLOCKER_DBPASS@controller/vaultlocker ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/install/common_prerequisites.rst0000664000175000017500000000402400000000000026507 0ustar00jamespagejamespage00000000000000Prerequisites ------------- Before you install and configure the vaultlocker service, you must create a database, service credentials, and API endpoints. #. To create the database, complete these steps: * Use the database access client to connect to the database server as the ``root`` user: .. code-block:: console $ mysql -u root -p * Create the ``vaultlocker`` database: .. code-block:: none CREATE DATABASE vaultlocker; * Grant proper access to the ``vaultlocker`` database: .. code-block:: none GRANT ALL PRIVILEGES ON vaultlocker.* TO 'vaultlocker'@'localhost' \ IDENTIFIED BY 'VAULTLOCKER_DBPASS'; GRANT ALL PRIVILEGES ON vaultlocker.* TO 'vaultlocker'@'%' \ IDENTIFIED BY 'VAULTLOCKER_DBPASS'; Replace ``VAULTLOCKER_DBPASS`` with a suitable password. * Exit the database access client. .. code-block:: none exit; #. Source the ``admin`` credentials to gain access to admin-only CLI commands: .. code-block:: console $ . admin-openrc #. To create the service credentials, complete these steps: * Create the ``vaultlocker`` user: .. code-block:: console $ openstack user create --domain default --password-prompt vaultlocker * Add the ``admin`` role to the ``vaultlocker`` user: .. code-block:: console $ openstack role add --project service --user vaultlocker admin * Create the vaultlocker service entities: .. code-block:: console $ openstack service create --name vaultlocker --description "vaultlocker" vaultlocker #. Create the vaultlocker service API endpoints: .. code-block:: console $ openstack endpoint create --region RegionOne \ vaultlocker public http://controller:XXXX/vY/%\(tenant_id\)s $ openstack endpoint create --region RegionOne \ vaultlocker internal http://controller:XXXX/vY/%\(tenant_id\)s $ openstack endpoint create --region RegionOne \ vaultlocker admin http://controller:XXXX/vY/%\(tenant_id\)s ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/install/get_started.rst0000664000175000017500000000041700000000000024542 0ustar00jamespagejamespage00000000000000============================ vaultlocker service overview ============================ The vaultlocker service provides... The vaultlocker service consists of the following components: ``vaultlocker-api`` service Accepts and responds to end user compute API calls... ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/install/index.rst0000664000175000017500000000065000000000000023343 0ustar00jamespagejamespage00000000000000====================================== vaultlocker service installation guide ====================================== .. toctree:: :maxdepth: 2 get_started.rst install.rst verify.rst next-steps.rst The vaultlocker service (vaultlocker) provides... This chapter assumes a working setup of OpenStack following the `OpenStack Installation Tutorial `_. ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/install/install-obs.rst0000664000175000017500000000143200000000000024462 0ustar00jamespagejamespage00000000000000.. _install-obs: Install and configure for openSUSE and SUSE Linux Enterprise ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This section describes how to install and configure the vaultlocker service for openSUSE Leap 42.1 and SUSE Linux Enterprise Server 12 SP1. .. include:: common_prerequisites.rst Install and configure components -------------------------------- #. Install the packages: .. code-block:: console # zypper --quiet --non-interactive install .. include:: common_configure.rst Finalize installation --------------------- Start the vaultlocker services and configure them to start when the system boots: .. code-block:: console # systemctl enable openstack-vaultlocker-api.service # systemctl start openstack-vaultlocker-api.service ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/install/install-rdo.rst0000664000175000017500000000135300000000000024465 0ustar00jamespagejamespage00000000000000.. _install-rdo: Install and configure for Red Hat Enterprise Linux and CentOS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This section describes how to install and configure the vaultlocker service for Red Hat Enterprise Linux 7 and CentOS 7. .. include:: common_prerequisites.rst Install and configure components -------------------------------- #. Install the packages: .. code-block:: console # yum install .. include:: common_configure.rst Finalize installation --------------------- Start the vaultlocker services and configure them to start when the system boots: .. code-block:: console # systemctl enable openstack-vaultlocker-api.service # systemctl start openstack-vaultlocker-api.service ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/install/install-ubuntu.rst0000664000175000017500000000111100000000000025213 0ustar00jamespagejamespage00000000000000.. _install-ubuntu: Install and configure for Ubuntu ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This section describes how to install and configure the vaultlocker service for Ubuntu 14.04 (LTS). .. include:: common_prerequisites.rst Install and configure components -------------------------------- #. Install the packages: .. code-block:: console # apt-get update # apt-get install .. include:: common_configure.rst Finalize installation --------------------- Restart the vaultlocker services: .. code-block:: console # service openstack-vaultlocker-api restart ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/install/install.rst0000664000175000017500000000101200000000000023673 0ustar00jamespagejamespage00000000000000.. _install: Install and configure ~~~~~~~~~~~~~~~~~~~~~ This section describes how to install and configure the vaultlocker service, code-named vaultlocker, on the controller node. This section assumes that you already have a working OpenStack environment with at least the following components installed: .. (add the appropriate services here and further notes) Note that installation and configuration vary by distribution. .. toctree:: :maxdepth: 2 install-obs.rst install-rdo.rst install-ubuntu.rst ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/install/next-steps.rst0000664000175000017500000000030300000000000024341 0ustar00jamespagejamespage00000000000000.. _next-steps: Next steps ~~~~~~~~~~ Your OpenStack environment now includes the vaultlocker service. To add additional services, see https://docs.openstack.org/project-install-guide/ocata/. ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/install/verify.rst0000664000175000017500000000071700000000000023544 0ustar00jamespagejamespage00000000000000.. _verify: Verify operation ~~~~~~~~~~~~~~~~ Verify operation of the vaultlocker service. .. note:: Perform these commands on the controller node. #. Source the ``admin`` project credentials to gain access to admin-only CLI commands: .. code-block:: console $ . admin-openrc #. List service components to verify successful launch and registration of each process: .. code-block:: console $ openstack vaultlocker service list ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1584977226.9512901 vaultlocker-1.0.6/doc/source/library/0000755000175000017500000000000000000000000021475 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/library/index.rst0000664000175000017500000000012300000000000023334 0ustar00jamespagejamespage00000000000000======== Usage ======== To use vaultlocker in a project:: import vaultlocker ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/readme.rst0000664000175000017500000000003600000000000022021 0ustar00jamespagejamespage00000000000000.. include:: ../../README.rst ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1584977226.9512901 vaultlocker-1.0.6/doc/source/reference/0000755000175000017500000000000000000000000021767 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/reference/index.rst0000664000175000017500000000007500000000000023634 0ustar00jamespagejamespage00000000000000========== References ========== References of vaultlocker. ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1584977226.9512901 vaultlocker-1.0.6/doc/source/user/0000755000175000017500000000000000000000000021007 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/doc/source/user/index.rst0000664000175000017500000000010100000000000022642 0ustar00jamespagejamespage00000000000000=========== Users guide =========== Users guide of vaultlocker. ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1584977226.9512901 vaultlocker-1.0.6/etc/0000755000175000017500000000000000000000000016537 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1525433179.0 vaultlocker-1.0.6/etc/vaultlocker.conf0000664000175000017500000000022500000000000021742 0ustar00jamespagejamespage00000000000000[vault] url = http://10.5.0.13:8200 approle = e256bf3b-fb28-b1d6-f2fb-3adc8339d3ad secret_id = 9428ad25-7b4a-442f-8f20-f23be0575146 backend = secret ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1584977226.9512901 vaultlocker-1.0.6/gate/0000755000175000017500000000000000000000000016704 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1523524519.0 vaultlocker-1.0.6/gate/travis-vault.sh0000775000175000017500000000102200000000000021701 0ustar00jamespagejamespage00000000000000#!/usr/bin/env bash set -o errexit VERSION=0.9.6 OS="linux" if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then OS="darwin" fi DOWNLOAD=https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_${OS}_amd64.zip function install_vault() { if [[ -e /usr/bin/vault ]] ; then if [ "v${VERSION}" = "$(vault version | head -n1 | awk '{print $2}')" ] ; then return fi fi wget -q -O /tmp/vault.zip ${DOWNLOAD} unzip -d /tmp /tmp/vault.zip mv /tmp/vault /usr/local/bin/vault chmod +x /usr/local/bin/vault } install_vault ././@PaxHeader0000000000000000000000000000003200000000000011450 xustar000000000000000026 mtime=1584977226.94729 vaultlocker-1.0.6/releasenotes/0000755000175000017500000000000000000000000020455 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1584977226.9512901 vaultlocker-1.0.6/releasenotes/notes/0000755000175000017500000000000000000000000021605 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/releasenotes/notes/.placeholder0000664000175000017500000000000000000000000024060 0ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1584977226.0 vaultlocker-1.0.6/releasenotes/notes/reno.cache0000644000175000017500000000004000000000000023527 0ustar00jamespagejamespage00000000000000--- file-contents: {} notes: [] ././@PaxHeader0000000000000000000000000000003200000000000011450 xustar000000000000000026 mtime=1584977226.95529 vaultlocker-1.0.6/releasenotes/source/0000755000175000017500000000000000000000000021755 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000003200000000000011450 xustar000000000000000026 mtime=1584977226.95529 vaultlocker-1.0.6/releasenotes/source/_static/0000755000175000017500000000000000000000000023403 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/releasenotes/source/_static/.placeholder0000664000175000017500000000000000000000000025656 0ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000003200000000000011450 xustar000000000000000026 mtime=1584977226.95529 vaultlocker-1.0.6/releasenotes/source/_templates/0000755000175000017500000000000000000000000024112 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/releasenotes/source/_templates/.placeholder0000664000175000017500000000000000000000000026365 0ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/releasenotes/source/conf.py0000664000175000017500000002163700000000000023267 0ustar00jamespagejamespage00000000000000# -*- coding: utf-8 -*- # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or # implied. # See the License for the specific language governing permissions and # limitations under the License. # This file is execfile()d with the current directory set to its # containing dir. # # Note that not all possible configuration values are present in this # autogenerated file. # # All configuration values have a default; values that are commented out # serve to show the default. # If extensions (or modules to document with autodoc) are in another directory, # add these directories to sys.path here. If the directory is relative to the # documentation root, use os.path.abspath to make it absolute, like shown here. # sys.path.insert(0, os.path.abspath('.')) # -- General configuration ------------------------------------------------ # If your documentation needs a minimal Sphinx version, state it here. # needs_sphinx = '1.0' # Add any Sphinx extension module names here, as strings. They can be # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom # ones. extensions = [ 'openstackdocstheme', 'reno.sphinxext', ] # Add any paths that contain templates here, relative to this directory. templates_path = ['_templates'] # The suffix of source filenames. source_suffix = '.rst' # The encoding of source files. # source_encoding = 'utf-8-sig' # The master toctree document. master_doc = 'index' # General information about the project. project = u'vaultlocker Release Notes' copyright = u'2017, OpenStack Developers' # openstackdocstheme options repository_name = 'openstack/vaultlocker' bug_project = 'vaultlocker' bug_tag = '' # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the # built documents. # # The short X.Y version. # The full version, including alpha/beta/rc tags. release = '' # The short X.Y version. version = '' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. # language = None # There are two options for replacing |today|: either, you set today to some # non-false value, then it is used: # today = '' # Else, today_fmt is used as the format for a strftime call. # today_fmt = '%B %d, %Y' # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. exclude_patterns = [] # The reST default role (used for this markup: `text`) to use for all # documents. # default_role = None # If true, '()' will be appended to :func: etc. cross-reference text. # add_function_parentheses = True # If true, the current module name will be prepended to all description # unit titles (such as .. function::). # add_module_names = True # If true, sectionauthor and moduleauthor directives will be shown in the # output. They are ignored by default. # show_authors = False # The name of the Pygments (syntax highlighting) style to use. pygments_style = 'sphinx' # A list of ignored prefixes for module index sorting. # modindex_common_prefix = [] # If true, keep warnings as "system message" paragraphs in the built documents. # keep_warnings = False # -- Options for HTML output ---------------------------------------------- # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. html_theme = 'openstackdocs' # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the # documentation. # html_theme_options = {} # Add any paths that contain custom themes here, relative to this directory. # html_theme_path = [] # The name for this set of Sphinx documents. If None, it defaults to # " v documentation". # html_title = None # A shorter title for the navigation bar. Default is the same as html_title. # html_short_title = None # The name of an image file (relative to this directory) to place at the top # of the sidebar. # html_logo = None # The name of an image file (within the static path) to use as favicon of the # docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 # pixels large. # html_favicon = None # Add any paths that contain custom static files (such as style sheets) here, # relative to this directory. They are copied after the builtin static files, # so a file named "default.css" will overwrite the builtin "default.css". html_static_path = ['_static'] # Add any extra paths that contain custom files (such as robots.txt or # .htaccess) here, relative to this directory. These files are copied # directly to the root of the documentation. # html_extra_path = [] # If not '', a 'Last updated on:' timestamp is inserted at every page bottom, # using the given strftime format. # html_last_updated_fmt = '%b %d, %Y' # If true, SmartyPants will be used to convert quotes and dashes to # typographically correct entities. # html_use_smartypants = True # Custom sidebar templates, maps document names to template names. # html_sidebars = {} # Additional templates that should be rendered to pages, maps page names to # template names. # html_additional_pages = {} # If false, no module index is generated. # html_domain_indices = True # If false, no index is generated. # html_use_index = True # If true, the index is split into individual pages for each letter. # html_split_index = False # If true, links to the reST sources are added to the pages. # html_show_sourcelink = True # If true, "Created using Sphinx" is shown in the HTML footer. Default is True. # html_show_sphinx = True # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. # html_show_copyright = True # If true, an OpenSearch description file will be output, and all pages will # contain a tag referring to it. The value of this option must be the # base URL from which the finished HTML is served. # html_use_opensearch = '' # This is the file name suffix for HTML files (e.g. ".xhtml"). # html_file_suffix = None # Output file base name for HTML help builder. htmlhelp_basename = 'vaultlockerReleaseNotesdoc' # -- Options for LaTeX output --------------------------------------------- latex_elements = { # The paper size ('letterpaper' or 'a4paper'). # 'papersize': 'letterpaper', # The font size ('10pt', '11pt' or '12pt'). # 'pointsize': '10pt', # Additional stuff for the LaTeX preamble. # 'preamble': '', } # Grouping the document tree into LaTeX files. List of tuples # (source start file, target name, title, # author, documentclass [howto, manual, or own class]). latex_documents = [ ('index', 'vaultlockerReleaseNotes.tex', u'vaultlocker Release Notes Documentation', u'OpenStack Foundation', 'manual'), ] # The name of an image file (relative to this directory) to place at the top of # the title page. # latex_logo = None # For "manual" documents, if this is true, then toplevel headings are parts, # not chapters. # latex_use_parts = False # If true, show page references after internal links. # latex_show_pagerefs = False # If true, show URL addresses after external links. # latex_show_urls = False # Documents to append as an appendix to all manuals. # latex_appendices = [] # If false, no module index is generated. # latex_domain_indices = True # -- Options for manual page output --------------------------------------- # One entry per manual page. List of tuples # (source start file, name, description, authors, manual section). man_pages = [ ('index', 'vaultlockerrereleasenotes', u'vaultlocker Release Notes Documentation', [u'OpenStack Foundation'], 1) ] # If true, show URL addresses after external links. # man_show_urls = False # -- Options for Texinfo output ------------------------------------------- # Grouping the document tree into Texinfo files. List of tuples # (source start file, target name, title, author, # dir menu entry, description, category) texinfo_documents = [ ('index', 'vaultlocker ReleaseNotes', u'vaultlocker Release Notes Documentation', u'OpenStack Foundation', 'vaultlockerReleaseNotes', 'One line description of project.', 'Miscellaneous'), ] # Documents to append as an appendix to all manuals. # texinfo_appendices = [] # If false, no module index is generated. # texinfo_domain_indices = True # How to display URL addresses: 'footnote', 'no', or 'inline'. # texinfo_show_urls = 'footnote' # If true, do not generate a @detailmenu in the "Top" node's menu. # texinfo_no_detailmenu = False # -- Options for Internationalization output ------------------------------ locale_dirs = ['locale/'] ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1523352818.0 vaultlocker-1.0.6/releasenotes/source/index.rst0000664000175000017500000000017600000000000023624 0ustar00jamespagejamespage00000000000000========================== vaultlocker Release Notes ========================== .. toctree:: :maxdepth: 1 unreleased ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/releasenotes/source/unreleased.rst0000664000175000017500000000016000000000000024635 0ustar00jamespagejamespage00000000000000============================== Current Series Release Notes ============================== .. release-notes:: ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1522337845.0 vaultlocker-1.0.6/requirements.txt0000664000175000017500000000036700000000000021260 0ustar00jamespagejamespage00000000000000# The order of packages is significant, because pip processes them in the order # of appearance. Changing the order has an impact on the overall integration # process, which may cause wedges in the gate later. pbr>=2.0 # Apache-2.0 hvac tenacity ././@PaxHeader0000000000000000000000000000003200000000000011450 xustar000000000000000026 mtime=1584977226.95929 vaultlocker-1.0.6/setup.cfg0000664000175000017500000000256400000000000017616 0ustar00jamespagejamespage00000000000000[metadata] name = vaultlocker summary = Utility to store and retrieve dm-crypt encryption keys in Hashicorp Vault description-file = README.rst author = OpenStack Charms Team author-email = openstack-dev@lists.openstack.org home-page = http://www.openstack.org/ classifier = Environment :: OpenStack Intended Audience :: Information Technology Intended Audience :: System Administrators License :: OSI Approved :: Apache Software License Operating System :: POSIX :: Linux Programming Language :: Python Programming Language :: Python :: 2 Programming Language :: Python :: 2.7 Programming Language :: Python :: 3 Programming Language :: Python :: 3.5 [files] packages = vaultlocker data_files = lib/systemd/system = tools/vaultlocker-decrypt@.service etc/vaultlocker = etc/vaultlocker.conf [build_sphinx] all-files = 1 warning-is-error = 1 source-dir = doc/source build-dir = doc/build [upload_sphinx] upload-dir = doc/build/html [compile_catalog] directory = vaultlocker/locale domain = vaultlocker [update_catalog] domain = vaultlocker output_dir = vaultlocker/locale input_file = vaultlocker/locale/vaultlocker.pot [extract_messages] keywords = _ gettext ngettext l_ lazy_gettext mapping_file = babel.cfg output_file = vaultlocker/locale/vaultlocker.pot [entry_points] console_scripts = vaultlocker = vaultlocker.shell:main [egg_info] tag_build = tag_date = 0 ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/setup.py0000664000175000017500000000177700000000000017514 0ustar00jamespagejamespage00000000000000# Copyright (c) 2013 Hewlett-Packard Development Company, L.P. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or # implied. # See the License for the specific language governing permissions and # limitations under the License. # THIS FILE IS MANAGED BY THE GLOBAL REQUIREMENTS REPO - DO NOT EDIT import setuptools # In python < 2.7.4, a lazy loading of package `pbr` will break # setuptools if some other modules registered functions in `atexit`. # solution from: http://bugs.python.org/issue15881#msg170215 try: import multiprocessing # noqa except ImportError: pass setuptools.setup( setup_requires=['pbr'], pbr=True) ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1522742363.0 vaultlocker-1.0.6/test-requirements.txt0000664000175000017500000000077400000000000022237 0ustar00jamespagejamespage00000000000000# The order of packages is significant, because pip processes them in the order # of appearance. Changing the order has an impact on the overall integration # process, which may cause wedges in the gate later. hacking>=0.12.0,<0.13 # Apache-2.0 coverage>=4.0,!=4.4 # Apache-2.0 python-subunit>=0.0.18 # Apache-2.0/BSD sphinx>=1.6.2 # BSD oslotest>=1.10.0 # Apache-2.0 stestr>=1.0.0 # Apache-2.0 testtools>=1.4.0 # MIT pifpaf openstackdocstheme>=1.11.0 # Apache-2.0 # releasenotes reno>=1.8.0 # Apache-2.0 ././@PaxHeader0000000000000000000000000000003200000000000011450 xustar000000000000000026 mtime=1584977226.95529 vaultlocker-1.0.6/tools/0000755000175000017500000000000000000000000017124 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1584977187.0 vaultlocker-1.0.6/tools/vaultlocker-decrypt@.service0000644000175000017500000000047600000000000024620 0ustar00jamespagejamespage00000000000000[Unit] Description=vaultlocker retrieve: %i DefaultDependencies=no After=networking.service After=nss-lookup.target [Service] Type=oneshot KillMode=none Environment=VAULTLOCKER_TIMEOUT=10000 ExecStart=/bin/sh -c 'vaultlocker --retry $VAULTLOCKER_TIMEOUT decrypt %i' TimeoutSec=0 [Install] WantedBy=multi-user.target ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1523523995.0 vaultlocker-1.0.6/tox.ini0000664000175000017500000000300600000000000017300 0ustar00jamespagejamespage00000000000000[tox] minversion = 2.0 envlist = py35,py36,py27,pep8 skipsdist = True skip_missing_interpreters = True [testenv] usedevelop = True install_command = pip install -c{env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt} {opts} {packages} setenv = VIRTUAL_ENV={envdir} PYTHONWARNINGS=default::DeprecationWarning OS_STDOUT_CAPTURE=1 OS_STDERR_CAPTURE=1 OS_TEST_TIMEOUT=60 deps = -r{toxinidir}/test-requirements.txt commands = stestr run "^vaultlocker.tests.unit.*" {posargs} [testenv:pep8] commands = flake8 {posargs} [testenv:venv] commands = {posargs} [testenv:func27] basepython = python2.7 commands = pifpaf run vault -- stestr run "^vaultlocker.tests.functional.*" [testenv:func36] basepython = python3.6 commands = pifpaf run vault -- stestr run "^vaultlocker.tests.functional.*" [testenv:cover] setenv = VIRTUAL_ENV={envdir} PYTHON=coverage run --source vaultlocker --parallel-mode commands = stestr run "^vaultlocker.tests.unit.*" {posargs} coverage combine coverage html -d cover coverage xml -o cover/coverage.xml [testenv:docs] commands = python setup.py build_sphinx [testenv:releasenotes] commands = sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html [testenv:debug] commands = oslo_debug_helper {posargs} [flake8] # E123, E125 skipped as they are invalid PEP-8. show-source = True ignore = E123,E125 builtins = _ exclude=.venv,.git,.tox,dist,doc,*lib/python*,*egg,build ././@PaxHeader0000000000000000000000000000003200000000000011450 xustar000000000000000026 mtime=1584977226.95529 vaultlocker-1.0.6/vaultlocker/0000755000175000017500000000000000000000000020317 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521541440.0 vaultlocker-1.0.6/vaultlocker/__init__.py0000664000175000017500000000123300000000000022431 0ustar00jamespagejamespage00000000000000# -*- coding: utf-8 -*- # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. import pbr.version __version__ = pbr.version.VersionInfo( 'vaultlocker').version_string() ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1534319141.0 vaultlocker-1.0.6/vaultlocker/dmcrypt.py0000664000175000017500000000624700000000000022366 0ustar00jamespagejamespage00000000000000# -*- coding: utf-8 -*- # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. import base64 import logging import os import subprocess logger = logging.getLogger(__name__) KEY_SIZE = 4096 def generate_key(): """Generate a 4096 bit random key for use with dm-crypt :returns: str. Base64 encoded 4096 bit key """ data = os.urandom(int(KEY_SIZE / 8)) key = base64.b64encode(data).decode('utf-8') return key def luks_format(key, device, uuid): """LUKS format a block device Format a block device using dm-crypt/LUKS with the provided key and uuid :param: key: string containing the encryption key to use. :param: device: full path to block device to use. :param: uuid: uuid to use for encrypted block device. """ logger.info('LUKS formatting {} using UUID:{}'.format(device, uuid)) command = [ 'cryptsetup', '--batch-mode', '--uuid', uuid, '--key-file', '-', 'luksFormat', device, ] subprocess.check_output(command, input=key.encode('UTF-8')) def luks_open(key, uuid): """LUKS open a block device by UUID Open a block device using dm-crypt/LUKS with the provided key and uuid :param: key: string containing the encryption key to use. :param: uuid: uuid to use for encrypted block device. :returns: str. dm-crypt mapping """ logger.info('LUKS opening {}'.format(uuid)) handle = 'crypt-{}'.format(uuid) command = [ 'cryptsetup', '--batch-mode', '--key-file', '-', 'open', 'UUID={}'.format(uuid), handle, '--type', 'luks', ] subprocess.check_output(command, input=key.encode('UTF-8')) return handle def udevadm_rescan(device): """udevadm trigger for block device addition Rescan for block devices to ensure that by-uuid devices are created before use. :param: device: full path to block device to use. """ logger.info('udevadm trigger block/add for {}'.format(device)) command = [ 'udevadm', 'trigger', '--name-match={}'.format(device), '--action=add' ] subprocess.check_output(command) def udevadm_settle(uuid): """udevadm settle the newly created encrypted device Ensure udev has created the by-uuid symlink for newly created encyprted device. :param: uuid: uuid to use for encrypted block device. """ logger.info('udevadm settle /dev/disk/by-uuid/{}'.format(uuid)) command = [ 'udevadm', 'settle', '--exit-if-exists=/dev/disk/by-uuid/{}'.format(uuid), ] subprocess.check_output(command) ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1584974751.0 vaultlocker-1.0.6/vaultlocker/shell.py0000644000175000017500000001547700000000000022016 0ustar00jamespagejamespage00000000000000# -*- coding: utf-8 -*- # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. import argparse import hvac import logging import os import socket import tenacity import uuid from six.moves import configparser from vaultlocker import dmcrypt from vaultlocker import systemd logger = logging.getLogger(__name__) RUN_VAULTLOCKER = '/run/vaultlocker' CONF_FILE = '/etc/vaultlocker/vaultlocker.conf' def _vault_client(config): """Helper wrapper to create Vault Client :param: config: configparser object of vaultlocker config :returns: hvac.Client. configured Vault Client object """ client = hvac.Client(url=config.get('vault', 'url')) client.auth_approle(config.get('vault', 'approle'), secret_id=config.get('vault', 'secret_id')) return client def _get_vault_path(device_uuid, config): """Generate full vault path for a given block device UUID :param: device_uuid: String of the device UUID :param: config: configparser object of vaultlocker config :returns: str: Path to vault resource for device """ return '{}/{}/{}'.format(config.get('vault', 'backend'), socket.gethostname(), device_uuid) def _encrypt_block_device(args, client, config): """Encrypt and open a block device Stores the dm-crypt key direct in vault :param: args: argparser generated cli arguments :param: client: hvac.Client for Vault access :param: config: configparser object of vaultlocker config """ block_device = args.block_device[0] key = dmcrypt.generate_key() block_uuid = str(uuid.uuid4()) if not args.uuid else args.uuid vault_path = _get_vault_path(block_uuid, config) dmcrypt.luks_format(key, block_device, block_uuid) # Ensure sym link for new encrypted device is created # LP Bug #1780332 dmcrypt.udevadm_rescan(block_device) dmcrypt.udevadm_settle(block_uuid) # NOTE: store and validate key client.write(vault_path, dmcrypt_key=key) stored_data = client.read(vault_path) assert key == stored_data['data']['dmcrypt_key'] dmcrypt.luks_open(key, block_uuid) systemd.enable('vaultlocker-decrypt@{}.service'.format(block_uuid)) def _decrypt_block_device(args, client, config): """Open a LUKS/dm-crypt encrypted block device The devices dm-crypt key is retrieved from Vault :param: args: argparser generated cli arguments :param: client: hvac.Client for Vault access :param: config: configparser object of vaultlocker config """ block_uuid = args.uuid[0] if _device_exists(block_uuid): logger.info('Skipping setup of {} because ' 'it already exists.'.format(block_uuid)) return vault_path = _get_vault_path(block_uuid, config) stored_data = client.read(vault_path) if stored_data is None: raise ValueError('Unable to locate key for {}'.format(block_uuid)) key = stored_data['data']['dmcrypt_key'] dmcrypt.luks_open(key, block_uuid) def _device_exists(block_uuid): """Checks if the device already exists.""" handle = 'crypt-{}'.format(block_uuid) path = "/dev/mapper/{}".format(handle) logger.info('Checking if {} exists.'.format(path)) return os.path.exists(path) def _do_it_with_persistence(func, args, config): """Exec func with retries based on provided cli flags :param: func: function to attempt to execute :param: args: argparser generated cli arguments :param: config: configparser object of vaultlocker config """ @tenacity.retry( wait=tenacity.wait_fixed(1), reraise=True, stop=( tenacity.stop_after_delay(args.retry) if args.retry > 0 else tenacity.stop_after_attempt(1) ), retry=( tenacity.retry_if_exception(hvac.exceptions.VaultNotInitialized) | tenacity.retry_if_exception(hvac.exceptions.VaultDown) ) ) def _do_it(): client = _vault_client(config) func(args, client, config) _do_it() def encrypt(args, config): """Encrypt and open handler :param: args: argparser generated cli arguments :param: config: configparser object of vaultlocker config """ _do_it_with_persistence(_encrypt_block_device, args, config) def decrypt(args, config): """Decrypt and open handler :param: args: argparser generated cli arguments :param: config: configparser object of vaultlocker config """ _do_it_with_persistence(_decrypt_block_device, args, config) def get_config(): """Read vaultlocker configuration from config file :returns: configparser. Parsed configuration options """ config = configparser.ConfigParser() if os.path.exists(CONF_FILE): config.read(CONF_FILE) return config def main(): parser = argparse.ArgumentParser('vaultlocker') parser.set_defaults(prog=parser.prog) subparsers = parser.add_subparsers( title="subcommands", description="valid subcommands", help="sub-command help", ) parser.add_argument( '--retry', default=-1, type=int, help="Time in seconds to continue retrying to connect to Vault" ) encrypt_parser = subparsers.add_parser( 'encrypt', help='Encrypt a block device and store its key in Vault' ) encrypt_parser.add_argument('--uuid', dest="uuid", help="UUID to use to reference encryption key") encrypt_parser.add_argument('block_device', metavar='BLOCK_DEVICE', nargs=1, help="Full path to block device to encrypt") encrypt_parser.set_defaults(func=encrypt) decrypt_parser = subparsers.add_parser( 'decrypt', help='Decrypt a block device retrieving its key from Vault' ) decrypt_parser.add_argument('uuid', metavar='uuid', nargs=1, help='UUID of block device to decrypt') decrypt_parser.set_defaults(func=decrypt) args = parser.parse_args() logging.basicConfig(level=logging.DEBUG) try: args.func(args, get_config()) except Exception as e: raise SystemExit( '{prog}: {msg}'.format( prog=args.prog, msg=e, ) ) ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1523454047.0 vaultlocker-1.0.6/vaultlocker/systemd.py0000664000175000017500000000162200000000000022364 0ustar00jamespagejamespage00000000000000# -*- coding: utf-8 -*- # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. import logging import subprocess logger = logging.getLogger(__name__) def enable(service_name): """Enable a systemd unit :param: service_name: Name of the service to enable. """ logging.info('Enabling systemd unit for {}'.format(service_name)) cmd = ['systemctl', 'enable', service_name] subprocess.check_call(cmd) ././@PaxHeader0000000000000000000000000000003200000000000011450 xustar000000000000000026 mtime=1584977226.95529 vaultlocker-1.0.6/vaultlocker/tests/0000755000175000017500000000000000000000000021461 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1523462037.0 vaultlocker-1.0.6/vaultlocker/tests/__init__.py0000664000175000017500000000000000000000000023562 0ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000003200000000000011450 xustar000000000000000026 mtime=1584977226.95529 vaultlocker-1.0.6/vaultlocker/tests/functional/0000755000175000017500000000000000000000000023623 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1523523833.0 vaultlocker-1.0.6/vaultlocker/tests/functional/__init__.py0000664000175000017500000000000000000000000025724 0ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1525433500.0 vaultlocker-1.0.6/vaultlocker/tests/functional/base.py0000664000175000017500000000643200000000000025116 0ustar00jamespagejamespage00000000000000# -*- coding: utf-8 -*- # Copyright 2010-2011 OpenStack Foundation # Copyright (c) 2013 Hewlett-Packard Development Company, L.P. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. import hvac import mock import os import uuid from oslotest import base from testtools import testcase TEST_POLICY = ''' path "{backend}/*" {{ capabilities = ["create", "read", "update", "delete", "list"] }} ''' class VaultlockerFuncBaseTestCase(base.BaseTestCase): """Test case base class for all functional tests.""" def setUp(self): super(VaultlockerFuncBaseTestCase, self).setUp() self.vault_client = None self.vault_addr = os.environ.get('PIFPAF_VAULT_ADDR') self.root_token = os.environ.get('PIFPAF_ROOT_TOKEN') self.test_uuid = str(uuid.uuid4()) self.vault_backend = 'vaultlocker-test-{}'.format(self.test_uuid) self.vault_policy = 'vaultlocker-policy-{}'.format(self.test_uuid) self.vault_approle = 'vaultlocker-approle-{}'.format(self.test_uuid) if not self.vault_addr or not self.root_token: raise testcase.TestSkipped('Vault not running') self.vault_client = hvac.Client(url=self.vault_addr, token=self.root_token) self.vault_client.enable_secret_backend( backend_type='kv', description='vault test backend', mount_point=self.vault_backend ) try: self.vault_client.enable_auth_backend('approle') except hvac.exceptions.InvalidRequest: pass self.vault_client.set_policy( name=self.vault_policy, rules=TEST_POLICY.format(backend=self.vault_backend) ) self.vault_client.create_role( self.vault_approle, token_ttl='60s', token_max_ttl='60s', policies=[self.vault_policy], bind_secret_id='true', bound_cidr_list='127.0.0.1/32') self.approle_uuid = self.vault_client.get_role_id(self.vault_approle) self.secret_id = self.vault_client.write( 'auth/approle/role/{}/secret-id'.format(self.vault_approle) )['data']['secret_id'] self.test_config = { 'vault': { 'url': self.vault_addr, 'approle': self.approle_uuid, 'secret_id': self.secret_id, 'backend': self.vault_backend, } } self.config = mock.MagicMock() self.config.get.side_effect = \ lambda s, k: self.test_config.get(s).get(k) def tearDown(self): super(VaultlockerFuncBaseTestCase, self).tearDown() if self.vault_client: self.vault_client.disable_secret_backend(self.vault_backend) self.vault_client.delete_policy(self.vault_policy) ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1534319141.0 vaultlocker-1.0.6/vaultlocker/tests/functional/test_keystorage.py0000664000175000017500000000710700000000000027420 0ustar00jamespagejamespage00000000000000# -*- coding: utf-8 -*- # Copyright 2010-2011 OpenStack Foundation # Copyright (c) 2013 Hewlett-Packard Development Company, L.P. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. import mock from vaultlocker import shell from vaultlocker.tests.functional import base @mock.patch.object(shell.dmcrypt, 'udevadm_settle') @mock.patch.object(shell.dmcrypt, 'udevadm_rescan') @mock.patch.object(shell, 'systemd') @mock.patch.object(shell.dmcrypt, 'luks_format') @mock.patch.object(shell.dmcrypt, 'luks_open') class KeyStorageTestCase(base.VaultlockerFuncBaseTestCase): """Test storage and retrieval of dm-crypt keys from vault""" def test_encrypt(self, _luks_open, _luks_format, _systemd, _udevadm_rescan, _udevadm_settle): """Test encrypt function stores correct data in vault""" args = mock.MagicMock() args.uuid = 'passed-UUID' args.block_device = ['/dev/sdb'] args.retry = -1 shell.encrypt(args, self.config) _luks_format.assert_called_once_with(mock.ANY, '/dev/sdb', 'passed-UUID') _luks_open.assert_called_once_with(mock.ANY, 'passed-UUID') _systemd.enable.assert_called_once_with( 'vaultlocker-decrypt@passed-UUID.service' ) _udevadm_rescan.assert_called_once_with('/dev/sdb') _udevadm_settle.assert_called_once_with('passed-UUID') stored_data = self.vault_client.read( shell._get_vault_path('passed-UUID', self.config) ) self.assertIsNotNone(stored_data, 'Key data missing from vault') self.assertTrue('dmcrypt_key' in stored_data['data'], 'dm-crypt key data is missing') def test_decrypt(self, _luks_open, _luks_format, _systemd, _udevadm_rescan, _udevadm_settle): """Test decrypt function retrieves correct key from vault""" args = mock.MagicMock() args.uuid = ['passed-UUID'] args.retry = -1 self.vault_client.write(shell._get_vault_path('passed-UUID', self.config), dmcrypt_key='testkey') shell.decrypt(args, self.config) _luks_format.assert_not_called() _systemd.enable.assert_not_called() _luks_open.assert_called_once_with('testkey', 'passed-UUID') def test_decrypt_missing_key(self, _luks_open, _luks_format, _systemd, _udevadm_rescan, _udevadm_settle): """Test decrypt function errors if a key is missing from vault""" args = mock.MagicMock() args.uuid = ['passed-UUID'] args.retry = -1 self.assertRaises(ValueError, shell.decrypt, args, self.config) _luks_format.assert_not_called() _systemd.enable.assert_not_called() _luks_open.assert_not_called() ././@PaxHeader0000000000000000000000000000003200000000000011450 xustar000000000000000026 mtime=1584977226.95529 vaultlocker-1.0.6/vaultlocker/tests/unit/0000755000175000017500000000000000000000000022440 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1523462163.0 vaultlocker-1.0.6/vaultlocker/tests/unit/__init__.py0000664000175000017500000000000000000000000024541 0ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1523462163.0 vaultlocker-1.0.6/vaultlocker/tests/unit/base.py0000664000175000017500000000143200000000000023726 0ustar00jamespagejamespage00000000000000# -*- coding: utf-8 -*- # Copyright 2010-2011 OpenStack Foundation # Copyright (c) 2013 Hewlett-Packard Development Company, L.P. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslotest import base class TestCase(base.BaseTestCase): """Test case base class for all unit tests.""" ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1534319141.0 vaultlocker-1.0.6/vaultlocker/tests/unit/test_dmcrypt.py0000664000175000017500000000506600000000000025544 0ustar00jamespagejamespage00000000000000# -*- coding: utf-8 -*- # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. """ test_dmcrypt ---------------------------------- Tests for `dmcrypt` module. """ import base64 import mock from vaultlocker import dmcrypt from vaultlocker.tests.unit import base class TestDMCrypt(base.TestCase): @mock.patch.object(dmcrypt, 'subprocess') def test_luks_format(self, _subprocess): dmcrypt.luks_format('mykey', '/dev/sdb', 'test-uuid') _subprocess.check_output.assert_called_once_with( ['cryptsetup', '--batch-mode', '--uuid', 'test-uuid', '--key-file', '-', 'luksFormat', '/dev/sdb'], input='mykey'.encode('UTF-8') ) @mock.patch.object(dmcrypt, 'subprocess') def test_luks_open(self, _subprocess): dmcrypt.luks_open('mykey', 'test-uuid') _subprocess.check_output.assert_called_once_with( ['cryptsetup', '--batch-mode', '--key-file', '-', 'open', 'UUID=test-uuid', 'crypt-test-uuid', '--type', 'luks'], input='mykey'.encode('UTF-8') ) @mock.patch.object(dmcrypt, 'os') def test_generate_key(self, _os): _key = b'randomdatastringfromentropy' _os.urandom.return_value = _key self.assertEqual(dmcrypt.generate_key(), base64.b64encode(_key).decode('UTF-8')) _os.urandom.assert_called_with(dmcrypt.KEY_SIZE / 8) @mock.patch.object(dmcrypt, 'subprocess') def test_udevadm_rescan(self, _subprocess): dmcrypt.udevadm_rescan('/dev/vdb') _subprocess.check_output.assert_called_once_with( ['udevadm', 'trigger', '--name-match=/dev/vdb', '--action=add'] ) @mock.patch.object(dmcrypt, 'subprocess') def test_udevadm_settle(self, _subprocess): dmcrypt.udevadm_settle('myuuid') _subprocess.check_output.assert_called_once_with( ['udevadm', 'settle', '--exit-if-exists=/dev/disk/by-uuid/myuuid'] ) ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1523462163.0 vaultlocker-1.0.6/vaultlocker/tests/unit/test_systemd.py0000664000175000017500000000201200000000000025536 0ustar00jamespagejamespage00000000000000# -*- coding: utf-8 -*- # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. """ test_systemd ---------------------------------- Tests for `systemd` module. """ import mock from vaultlocker import systemd from vaultlocker.tests.unit import base class TestSystemD(base.TestCase): @mock.patch.object(systemd, 'subprocess') def test_enable(self, _subprocess): systemd.enable('my-service.service') _subprocess.check_call.assert_called_once_with( ['systemctl', 'enable', 'my-service.service'] ) ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1584974751.0 vaultlocker-1.0.6/vaultlocker/tests/unit/test_vaultlocker.py0000644000175000017500000001057300000000000026412 0ustar00jamespagejamespage00000000000000# -*- coding: utf-8 -*- # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. """ test_vaultlocker ---------------------------------- Tests for `vaultlocker` module. """ import mock from vaultlocker import shell from vaultlocker.tests.unit import base class TestVaultlocker(base.TestCase): _test_config = { 'url': 'https://vaultlocker.test.com', 'approle': '85e4c349-7547-4ad5-9172-d82a45d87b3e', 'secret_id': '9428ad25-7b4a-442f-8f20-f23be0575146', 'backend': 'vaultlocker-test', } def __init__(self, *args, **kwds): super(TestVaultlocker, self).__init__(*args, **kwds) self.config = mock.MagicMock() self.config.get.side_effect = lambda _, k: self._test_config.get(k) @mock.patch.object(shell, 'systemd') @mock.patch.object(shell, 'dmcrypt') @mock.patch.object(shell, '_get_vault_path') def test_encrypt(self, _get_vault_path, _dmcrypt, _systemd): _get_vault_path.return_value = 'backend/host/uuid' _dmcrypt.generate_key.return_value = 'testkey' args = mock.MagicMock() args.uuid = 'passed-UUID' args.block_device = ['/dev/sdb'] client = mock.MagicMock() client.read.return_value = { 'data': { 'dmcrypt_key': 'testkey' } } shell._encrypt_block_device(args, client, self.config) _dmcrypt.luks_format.assert_called_with( 'testkey', '/dev/sdb', 'passed-UUID' ) _dmcrypt.luks_open.assert_called_with( 'testkey', 'passed-UUID' ) _systemd.enable.assert_called_with( 'vaultlocker-decrypt@passed-UUID.service' ) @mock.patch.object(shell, 'systemd') @mock.patch.object(shell, 'dmcrypt') @mock.patch.object(shell, '_get_vault_path') def test_encrypt_vault_failure(self, _get_vault_path, _dmcrypt, _systemd): _get_vault_path.return_value = 'backend/host/uuid' _dmcrypt.generate_key.return_value = 'testkey' args = mock.MagicMock() args.uuid = 'passed-UUID' args.block_device = ['/dev/sdb'] client = mock.MagicMock() client.read.return_value = { 'data': { 'dmcrypt_key': 'brokendata' } } self.assertRaises( AssertionError, shell._encrypt_block_device, args, client, self.config ) @mock.patch.object(shell, 'os') @mock.patch.object(shell, 'dmcrypt') @mock.patch.object(shell, '_get_vault_path') def test_decrypt(self, _get_vault_path, _dmcrypt, _os): _get_vault_path.return_value = 'backend/host/uuid' _os.path.exists.return_value = False args = mock.MagicMock() args.uuid = ['passed-UUID'] client = mock.MagicMock() client.read.return_value = { 'data': { 'dmcrypt_key': 'testkey' } } shell._decrypt_block_device(args, client, self.config) _dmcrypt.luks_open.assert_called_with( 'testkey', 'passed-UUID' ) @mock.patch.object(shell, 'os') @mock.patch.object(shell, '_get_vault_path') def test_decrypt_already_exists(self, _get_vault_path, _os): _os.path.exists.return_value = True args = mock.MagicMock() args.uuid = ['passed-UUID'] client = mock.MagicMock() client.read.return_value = { 'data': { 'dmcrypt_key': 'testkey' } } self.assertIsNone( shell._decrypt_block_device(args, client, self.config)) _get_vault_path.assert_not_called() @mock.patch.object(shell, 'socket') def test_get_vault_path(self, _socket): _socket.gethostname.return_value = 'myhost' self.assertEqual(shell._get_vault_path('my-UUID', self.config), 'vaultlocker-test/myhost/my-UUID') ././@PaxHeader0000000000000000000000000000003200000000000011450 xustar000000000000000026 mtime=1584977226.95529 vaultlocker-1.0.6/vaultlocker.egg-info/0000755000175000017500000000000000000000000022011 5ustar00jamespagejamespage00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1584977226.0 vaultlocker-1.0.6/vaultlocker.egg-info/PKG-INFO0000664000175000017500000000566000000000000023117 0ustar00jamespagejamespage00000000000000Metadata-Version: 1.1 Name: vaultlocker Version: 1.0.6 Summary: Utility to store and retrieve dm-crypt encryption keys in Hashicorp Vault Home-page: http://www.openstack.org/ Author: OpenStack Charms Team Author-email: openstack-dev@lists.openstack.org License: UNKNOWN Description: =========== vaultlocker =========== .. image:: https://travis-ci.org/openstack-charmers/vaultlocker.svg?branch=master :target: https://travis-ci.org/openstack-charmers/vaultlocker Utility to store and retrieve dm-crypt keys in Hashicorp Vault. Vault provides a nice way to manage secrets within complex software deployments. vaultlocker provides a way to store and retrieve dm-crypt encryption keys in Vault, automatically retrieving keys and opening LUKS dm-crypt devices on boot. vaultlocker is configured using `/etc/vaultlocker/vaultlocker.conf`:: [vault] url = https://vault.internal:8200 approle = 4a1b84d2-7bb2-4c07-9804-04d1683ac925 backend = secret vaultlocker defaults to using a backend with the name `secret`. A block device can be encrypted and its key stored in vault:: sudo vaultlocker encrypt /dev/sdd1 This will automatically create a new systemd unit which will automatically retrieve the key and open the LUKS/dm-crypt device on boot. Unless a UUID is provided (using the optional --uuid flag) vaultlocker will generate a UUID to label and identify the block device during subsequent operations. A block device can also be opened from the command line using its UUID (hint - the block device or partition will be labelled with the UUID):: sudo vaultlocker decrypt f65b9e66-8f0c-4cae-b6f5-6ec85ea134f2 Authentication to Vault is done using an AppRole with a secret_id; its assumed that a CIDR based ACL is in use to only allow permitted systems within the Data Center to login and retrieve secrets from Vault. * Free software: Apache license * Documentation: https://docs.openstack.org/vaultlocker/latest * Source: https://git.openstack.org/cgit/openstack/vaultlocker * Bugs: https://bugs.launchpad.net/vaultlocker Platform: UNKNOWN Classifier: Environment :: OpenStack Classifier: Intended Audience :: Information Technology Classifier: Intended Audience :: System Administrators Classifier: License :: OSI Approved :: Apache Software License Classifier: Operating System :: POSIX :: Linux Classifier: Programming Language :: Python Classifier: Programming Language :: Python :: 2 Classifier: Programming Language :: Python :: 2.7 Classifier: Programming Language :: Python :: 3 Classifier: Programming Language :: Python :: 3.5 ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1584977226.0 vaultlocker-1.0.6/vaultlocker.egg-info/SOURCES.txt0000664000175000017500000000353600000000000023706 0ustar00jamespagejamespage00000000000000.coveragerc .mailmap .stestr.conf .travis.yml AUTHORS CONTRIBUTING.rst ChangeLog HACKING.rst LICENSE README.rst babel.cfg requirements.txt setup.cfg setup.py test-requirements.txt tox.ini .settings/org.eclipse.core.resources.prefs doc/source/conf.py doc/source/index.rst doc/source/readme.rst doc/source/admin/index.rst doc/source/cli/index.rst doc/source/configuration/index.rst doc/source/contributor/contributing.rst doc/source/contributor/index.rst doc/source/install/common_configure.rst doc/source/install/common_prerequisites.rst doc/source/install/get_started.rst doc/source/install/index.rst doc/source/install/install-obs.rst doc/source/install/install-rdo.rst doc/source/install/install-ubuntu.rst doc/source/install/install.rst doc/source/install/next-steps.rst doc/source/install/verify.rst doc/source/library/index.rst doc/source/reference/index.rst doc/source/user/index.rst etc/vaultlocker.conf gate/travis-vault.sh releasenotes/notes/.placeholder releasenotes/source/conf.py releasenotes/source/index.rst releasenotes/source/unreleased.rst releasenotes/source/_static/.placeholder releasenotes/source/_templates/.placeholder tools/vaultlocker-decrypt@.service vaultlocker/__init__.py vaultlocker/dmcrypt.py vaultlocker/shell.py vaultlocker/systemd.py vaultlocker.egg-info/PKG-INFO vaultlocker.egg-info/SOURCES.txt vaultlocker.egg-info/dependency_links.txt vaultlocker.egg-info/entry_points.txt vaultlocker.egg-info/not-zip-safe vaultlocker.egg-info/pbr.json vaultlocker.egg-info/requires.txt vaultlocker.egg-info/top_level.txt vaultlocker/tests/__init__.py vaultlocker/tests/functional/__init__.py vaultlocker/tests/functional/base.py vaultlocker/tests/functional/test_keystorage.py vaultlocker/tests/unit/__init__.py vaultlocker/tests/unit/base.py vaultlocker/tests/unit/test_dmcrypt.py vaultlocker/tests/unit/test_systemd.py vaultlocker/tests/unit/test_vaultlocker.py././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1584977226.0 vaultlocker-1.0.6/vaultlocker.egg-info/dependency_links.txt0000664000175000017500000000000100000000000026061 0ustar00jamespagejamespage00000000000000 ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1584977226.0 vaultlocker-1.0.6/vaultlocker.egg-info/entry_points.txt0000664000175000017500000000007000000000000025306 0ustar00jamespagejamespage00000000000000[console_scripts] vaultlocker = vaultlocker.shell:main ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1521544233.0 vaultlocker-1.0.6/vaultlocker.egg-info/not-zip-safe0000664000175000017500000000000100000000000024241 0ustar00jamespagejamespage00000000000000 ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1584977226.0 vaultlocker-1.0.6/vaultlocker.egg-info/pbr.json0000664000175000017500000000005600000000000023472 0ustar00jamespagejamespage00000000000000{"git_version": "a37250f", "is_release": true}././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1584977226.0 vaultlocker-1.0.6/vaultlocker.egg-info/requires.txt0000664000175000017500000000002700000000000024412 0ustar00jamespagejamespage00000000000000hvac pbr>=2.0 tenacity ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1584977226.0 vaultlocker-1.0.6/vaultlocker.egg-info/top_level.txt0000664000175000017500000000001400000000000024540 0ustar00jamespagejamespage00000000000000vaultlocker