diff options
author | Endi S. Dewata <edewata@redhat.com> | 2017-07-20 08:03:44 +0200 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2017-07-20 08:03:44 +0200 |
commit | d57fd66d687211a0fa62ad515872749d2946bb8e (patch) | |
tree | 8b1f3233e66da75ad764888aefa6e1ee533cc82d /scripts/vault-client-retrieve.sh | |
parent | f0f39288d640a0b0a755c49fdc08f1219c386ca7 (diff) | |
download | pki-dev-d57fd66d687211a0fa62ad515872749d2946bb8e.tar.gz pki-dev-d57fd66d687211a0fa62ad515872749d2946bb8e.tar.xz pki-dev-d57fd66d687211a0fa62ad515872749d2946bb8e.zip |
Added vault scripts.
Diffstat (limited to 'scripts/vault-client-retrieve.sh')
-rwxr-xr-x | scripts/vault-client-retrieve.sh | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/scripts/vault-client-retrieve.sh b/scripts/vault-client-retrieve.sh new file mode 100755 index 0000000..0980ddd --- /dev/null +++ b/scripts/vault-client-retrieve.sh @@ -0,0 +1,87 @@ +#!/bin/python + +import base64 +import getopt +import subprocess +import sys + +from cryptography.fernet import Fernet +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC +from cryptography.hazmat.backends import default_backend + +import pki +import pki.client +import pki.crypto +import pki.key +import pki.kra +import pki.systemcert + +def usage(): + print "usage: vault-client-retrieve --user-id <user ID> --secret-id <secret ID> --vault-password <password>" + +def main(argv): + + try: + opts, _ = getopt.getopt(argv[1:], 'hv', [ + 'user-id=', 'secret-id=', 'vault-password=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print 'ERROR: ' + str(e) + usage() + sys.exit(1) + + verbose = False + + user_id = None + secret_id = None + vault_password = None + + for o, a in opts: + if o == '-v': + verbose = True + + elif o == '--user-id': + user_id = a + + elif o == '--secret-id': + secret_id = a + + elif o == '--vault-password': + vault_password = a + + if user_id is None or secret_id is None or vault_password is None: + usage() + sys.exit(1) + + backend = default_backend() + + # generate key from vault password + kdf = PBKDF2HMAC( + algorithm=hashes.SHA256(), + length=32, + salt="0000000000000000", + iterations=100000, + backend=backend + ) + vault_key = base64.b64encode(kdf.derive(vault_password)) + + if verbose: + print "Vault Key: " + vault_key + + # send user ID, secret ID, and encrypted secret to server + p = subprocess.Popen(['./vault-server-retrieve.sh', '--user-id', user_id, '--secret-id', secret_id], stdout=subprocess.PIPE) + data = p.stdout.read().strip() + + if verbose: + print "Encrypted secret: " + data + + # decrypt secret with key + f = Fernet(vault_key) + secret = f.decrypt(data) + + print secret + +if __name__ == '__main__': + main(sys.argv) |