Chef helper methods for requesting a token from a Smart Proxy instance
# For use with https://github.com/theforeman/smart_proxy_vault
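module Vault
  # Chef helper methods that obtain a Vault token from a Foreman Smart Proxy
  # running the smart_proxy_vault plugin.
  #
  # Every method depends on the Chef run context (Chef::Config,
  # Chef::Application and the +node+ object), so the module is meant to be
  # mixed into recipes rather than used standalone. No +require+ lines are
  # present: OpenSSL, Digest, Base64, Net::HTTP and URI must already be
  # loaded by the caller.
  module Helpers
    # Path of this node's client private key, as configured for Chef.
    # @return [String]
    def client_key_path
      Chef::Config[:client_key]
    end

    # Name of this Chef node; sent to the proxy as X-VAULT-CLIENT.
    # @return [String]
    def node_name
      Chef::Config[:node_name]
    end

    # Hostname of the Smart Proxy to contact (hard-coded here).
    # @return [String]
    def smartproxy_server
      'smartproxy.example.com'
    end

    # Builds the token-issue URL on the proxy.
    #
    # @param ttl [String, nil] query string appended verbatim to the path
    #   (callers pass e.g. '?ttl=10m'); nil appends nothing
    # @param port [String] TCP port of the proxy's HTTPS listener
    # @return [String]
    def token_url(ttl = nil, port = '8443')
      # nil interpolates as an empty string, matching the old %{ttl} form.
      "https://#{smartproxy_server}:#{port}/vault/token/issue#{ttl}"
    end

    # Signs the MD5 hex digest of this node's public key with the node's RSA
    # private key (SHA-512, PKCS#1 v1.5 via OpenSSL::PKey#sign) and returns
    # the Base64 value the proxy expects in X-VAULT-SIGNATURE.
    #
    # NOTE(review): the signed payload is derived only from the key, so it is
    # identical for every request this node makes; nothing here binds the
    # signature to a request or a time, so freshness has to be handled on the
    # proxy side. The transport is TLS with peer verification (see vault_http).
    #
    # @return [String] strict Base64 encoding of the signature
    # @raise [Errno::ENOENT, OpenSSL::PKey::RSAError] if the key file is
    #   missing or cannot be parsed
    def sign_request
      rsa = OpenSSL::PKey::RSA.new(File.read(client_key_path))
      payload = Digest::MD5.hexdigest(rsa.public_key.to_s)
      Base64.strict_encode64(rsa.sign(OpenSSL::Digest::SHA512.new, payload))
    end

    # Prepares an HTTPS client for +url+ without connecting.
    #
    # Peer verification is mandatory: the response body is a secret token, and
    # an unverified connection would hand it to anyone impersonating the proxy.
    #
    # @param url [String]
    # @return [Array(Net::HTTP, URI)] the client and the parsed URI
    def vault_http(url)
      uri = URI.parse(url)
      http = Net::HTTP.new(uri.host, uri.port)
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
      [http, uri]
    end

    # Builds the GET request carrying the node identity and signature headers.
    #
    # @param uri [URI] target URI (only its request_uri is used)
    # @return [Net::HTTP::Get]
    def vault_request(uri)
      Net::HTTP::Get.new(uri.request_uri).tap do |request|
        request['X-VAULT-CLIENT'] = node_name
        request['X-VAULT-SIGNATURE'] = sign_request
      end
    end

    # Convenience wrapper returning a ready-to-send client/request pair.
    #
    # @param url [String]
    # @return [Array(Net::HTTP, Net::HTTP::Get)]
    def vault_connection(url)
      http, uri = vault_http(url)
      [http, vault_request(uri)]
    end

    # Aborts the Chef run unless the proxy answered with HTTP 200.
    #
    # @param status_code [String] Net::HTTPResponse#code
    # @return [true] when the status is '200'; on any other status
    #   Chef::Application.fatal! terminates the run and this never returns
    def success?(status_code)
      return true if status_code.eql?('200')

      Chef::Application.fatal!("Could not get a valid Vault token.")
    end

    # Requests a token from the proxy and returns the raw response body.
    #
    # @param ttl [String, nil] query string for token_url, e.g. '?ttl=10m'
    # @return [String] the response body (the token as returned by the proxy)
    def request_token(ttl)
      http, request = vault_connection(token_url(ttl))
      response = http.request(request)
      # Exits the run on a non-200 answer, so the body below is only read on
      # success.
      success?(response.code)
      response.body
    end

    # Requests a token with a default lifetime query of 10 minutes.
    #
    # @param ttl [String] query string passed through to request_token
    # @return [String] see request_token
    def set_token(ttl = '?ttl=10m')
      request_token(ttl)
    end

    # Reads a secret previously stored in the node's run_state under +path+.
    #
    # @param path [Object] run_state key
    # @return [Object] the +data+ attribute of the stored entry
    # @raise [NoMethodError] if nothing is stored under +path+
    def secret(path)
      node.run_state[path].data
    end
  end
end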