From d57fd66d687211a0fa62ad515872749d2946bb8e Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 20 Jul 2017 08:03:44 +0200
Subject: Added vault scripts.

---
 scripts/vault-client-retrieve.sh | 87 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100755 scripts/vault-client-retrieve.sh

(limited to 'scripts/vault-client-retrieve.sh')

diff --git a/scripts/vault-client-retrieve.sh b/scripts/vault-client-retrieve.sh
new file mode 100755
index 0000000..0980ddd
--- /dev/null
+++ b/scripts/vault-client-retrieve.sh
@@ -0,0 +1,87 @@
+#!/bin/python
+
+import base64
+import getopt
+import subprocess
+import sys
+
+from cryptography.fernet import Fernet
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+from cryptography.hazmat.backends import default_backend
+
+import pki
+import pki.client
+import pki.crypto
+import pki.key
+import pki.kra
+import pki.systemcert
+
+def usage():
+    print "usage: vault-client-retrieve --user-id <user ID> --secret-id <secret ID> --vault-password <password>"
+
+def main(argv):
+
+    try:
+        opts, _ = getopt.getopt(argv[1:], 'hv', [
+            'user-id=', 'secret-id=', 'vault-password=',
+            'verbose', 'help'])
+
+    except getopt.GetoptError as e:
+        print 'ERROR: ' + str(e)
+        usage()
+        sys.exit(1)
+
+    verbose = False
+
+    user_id = None
+    secret_id = None
+    vault_password = None
+
+    for o, a in opts:
+        if o == '-v':
+            verbose = True
+
+        elif o == '--user-id':
+            user_id = a
+
+        elif o == '--secret-id':
+            secret_id = a
+
+        elif o == '--vault-password':
+            vault_password = a
+
+    if user_id is None or secret_id is None or vault_password is None:
+        usage()
+        sys.exit(1)
+
+    backend = default_backend()
+
+    # generate key from vault password
+    kdf = PBKDF2HMAC(
+        algorithm=hashes.SHA256(),
+        length=32,
+        salt="0000000000000000",
+        iterations=100000,
+        backend=backend
+    )
+    vault_key = base64.b64encode(kdf.derive(vault_password))
+
+    if verbose:
+       print "Vault Key: " + vault_key
+
+    # send user ID, secret ID, and encrypted secret to server 
+    p = subprocess.Popen(['./vault-server-retrieve.sh', '--user-id', user_id, '--secret-id', secret_id], stdout=subprocess.PIPE)
+    data = p.stdout.read().strip()
+
+    if verbose:
+        print "Encrypted secret: " + data
+
+    # decrypt secret with key
+    f = Fernet(vault_key)
+    secret = f.decrypt(data)
+
+    print secret
+
+if __name__ == '__main__':
+    main(sys.argv)
-- 
cgit