init commit

1eec51f8 · Raphael JOIE · 1eec51f8 · 1eec51f8 · 1eec51f8 · 1eec51f8
Commit 1eec51f8 authored 1 year ago by Raphael JOIE
--- a/.coveragerc
+++ b/.coveragerc
+[run]
+branch = True
+source = .
+omit =
+    venv/*
+    */site-packages/*
+    # Don't complain if non-runnable code isn't run
+    */__main__.py
+
+[report]
+show_missing = True
+skip_covered = True
+exclude_lines =
+    # Have to re-enable the standard pragma
+    \#\s*pragma: no cover
+    # We optionally substitute this
+    ${COVERAGE_IGNORE_WINDOWS}
+
+    # Don't complain if tests don't hit defensive assertion code:
+    ^\s*raise AssertionError\b
+    ^\s*raise NotImplementedError\b
+    ^\s*return NotImplemented\b
+    ^\s*raise$
+
+    # Don't complain if non-runnable code isn't run:
+    ^if __name__ == ['"]__main__['"]:$
+
+# vim:ft=dosini
--- a/.flake8
+++ b/.flake8
+# file: $PROJ/.flake8
+#
+# This config expects that the flake8-bugbear extension to be installed.
+# bugbear looks at the line length and allows a slight variance as opposed
+# to a hard limit.  When it detects excessive line lengths, it returns B950.
+# This config looks for B950 and ignores the default flake8 E501 line length error.
+
+[flake8]
+max-complexity = 10
+max-line-length = 131
+select = C,E,F,W,B,B950
+# B,C,E,F,W,T4,B9
+ignore =
+       # Use bugbear line length detection instead of default
+       E501,
+       # PEP8 allows hanging indent, but E126 dosn't seem to.
+       E126,
+       # E402 refers to imports only being at the top of a file.
+       E402
+       # W503 Should a Line Break Before or After a Binary Operator? pep is not consistant
+       # https://www.python.org/dev/peps/pep-0008/#should-a-line-break-before-or-after-a-binary-operator
+       W503
+       # E203, E266, F403, F401
+       # C901 is too complex
+       C901
+
+# Local Variables:
+# mode: conf
+# End:
--- a/.gitignore
+++ b/.gitignore
+syntax: glob
+log/
+debian-iso/
+*.bak
+*.pid
+.*.swp
+*.pyc
+*backup*
+*Logs*
+
+*.retry
+*~
+.\#*
+*.log
+*.bak
+*.pid
+*.iso
+*.pp
+__pycache__
+
+# To check
+.ssh/
--- a/.hgignore
+++ b/.hgignore
+syntax: glob
+log/
+*.retry
+*~
+.\#*
+*.log
+*.bak
+*.pid
+*~
+.*.swp
+*.pyc
+*.iso
+*.pp
+__pycache__
+
+
+syntax: regexp
--- a/.isort.cfg
+++ b/.isort.cfg
+# file: $PROJ/.isort.cfg
+#
+[settings]
+multi_line_output=3
+include_trailing_comma=True
+force_grid_wrap=0
+combine_as_imports=True
+line_length=131
+check_skip=True
+# skip=snet,snet.diego,snet.scrat
+skip_glob=snet.*,snet\.*
+known_first_party=snet
+# default_section=FIRSTPARTY
+show_diff=True
--- a/.perltidyrc
+++ b/.perltidyrc
+#
+# This file is managed by Snet Ansible configuration.
+# Any manual changes will be OVERWRITTEN.
+#
+#
+-ce
+-lp
+-pt=0
+-l=200
+-bar
+-sbl
+# -bli -bbvt=2
+# -sbt=1 (default)
+# -bt=1 (default)
+-nolq
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
+---
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v2.3.0
+    hooks:
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: check-ast
+      - id: check-json
+      - id: check-yaml
+      - id: check-executables-have-shebangs
+      - id: check-symlinks
+      - id: check-merge-conflict
+      - id: check-docstring-first
+      - id: requirements-txt-fixer
+      - id: flake8
+        # args: [--max-line-length=131]  in the .flake8 config file
+      # - id: detect-aws-credentials
+      - id: detect-private-key
+      # - id: double-quote-string-fixer
+      - id: debug-statements
+      - id: pretty-format-json
+        args: [--autofix, --indent=2]
+      # - id: no-commit-to-branch --branch master
+
+#  - repo: https://github.com/psf/black
+#    rev: 19.3b0
+#    hooks:
+#      - id: black
+#        args: [--check, --diff]
+
+  - repo: https://github.com/pre-commit/mirrors-isort
+    rev: v4.3.21
+    hooks:
+      - id: isort
+
+#   - repo: https://github.com/pre-commit/mirrors-yapf
+#     rev: v0.28.0
+#     hooks:
+#      - id: yapf
+#        args: [--diff]
+
+  # bandit - check for python code vulnerabilities
+  - repo: https://github.com/Lucas-C/pre-commit-hooks-bandit
+    rev: v1.0.3
+    hooks:
+      - id: python-bandit-vulnerability-check
+        args: [-l, --recursive, -x, tests]
+        files: .py$
+
+  - repo: https://github.com/Lucas-C/pre-commit-hooks-safety
+    rev: v1.1.0
+    hooks:
+      - id: python-safety-dependencies-check
+
+  - repo: https://github.com/henryykt/pre-commit-perl
+    rev: v0.0.4
+    hooks:
+      - id: perlcritic
+      - id: perltidy
+
+  - repo: https://www.shore.co.il/git/ansible-pre-commit/  # https://github.com/adarnimrod/ansible-pre-commit
+    rev: v0.6.0
+    hooks:
+      - id: ansible-syntax-check
+        files: site.yml #In case you want to specify other playbook files.
+      - id: ansible-vault-check
+
+  - repo: https://github.com/detailyang/pre-commit-shell
+    rev: v1.0.6
+    hooks:
+    - id: shell-lint
+      args: [--format=json]
+
+  # shellcheck, shfmt - for shell scripts
+  - repo: https://github.com/jumanjihouse/pre-commit-hooks
+    rev: 1.8.0
+    hooks:
+      - id: shfmt
+        args: ['-w', '-i', '4', '-ci']
+      - id: shellcheck
+
+  - repo: local
+    hooks:
+      - id: tests
+        name: run tests
+        entry: pytest -v
+        language: system
+        types: [python]
+        stages: [push]
+
+#  - repo: local
+#    hooks:
+#      - id: test_api
+#        name: run test_api
+#        entry: ./test_api/test_api.pl
+#        args: [./test_api/valid_configs/dca.ini]
+#        language: system
+#        always_run: true
+#        pass_filenames: false
+#        require_serial: true
+
+
+# -   repo: local
+#     hooks:
+#     -   id: python-safety-dependencies-check
+#         entry: safety
+#         args: [check, --full-report]
+#         language: system
+#         files: requirements
+
+# blacken-docs - runsblack on python code blocks in documentation files
+# encryption-check - ensure ansible vault files are encrypted
+# sign-commit - adds signature verification
+# dockerfile and teraform linter
+
+# messages=("Commit denied..Friday protocol violation" "Dude! Stop!Its Friday" "You really wanna do this on a Friday" "Someone wants to check-in code on Friday and lose a weekend" "Nope!! Not on a Friday" "Its Friday Friday! No commits on a Friday!")
--- a/.style.yapf
+++ b/.style.yapf
+[style]
+# YAPF uses the chromium style by default
+based_on_style = pep8
+
+# Def: True
+ALIGN_CLOSING_BRACKET_WITH_VISUAL_INDENT=True
+
+# Def: False
+ALLOW_MULTILINE_LAMBDAS=False
+
+# Def: False
+ALLOW_MULTILINE_DICTIONARY_KEYS=False
+
+# Def: False
+BLANK_LINE_BEFORE_NESTED_CLASS_OR_DEF=False
+
+# Def: False
+BLANK_LINE_BEFORE_CLASS_DOCSTRING=False
+
+# Def: False
+COALESCE_BRACKETS=False
+
+# Def: 79
+COLUMN_LIMIT=131
+
+# Def: 4
+CONTINUATION_INDENT_WIDTH=4
+
+# Def: False
+# DEDENT_CLOSING_BRACKETS=False
+DEDENT_CLOSING_BRACKETS = true
+
+# Def: True
+EACH_DICT_ENTRY_ON_SEPARATE_LINE=True
+
+# Def: ''
+I18N_COMMENT=''
+
+# Def: ''
+I18N_FUNCTION_CALL=''
+
+# Def: False CHANGED
+INDENT_DICTIONARY_VALUE=True
+
+# Def: 4
+INDENT_WIDTH=4
+
+# Def: True CHANGED
+JOIN_MULTIPLE_LINES=True
+
+# Def: True
+SPACE_BETWEEN_ENDING_COMMA_AND_CLOSING_BRACKET=True
+
+# Def: False
+SPACES_AROUND_POWER_OPERATOR=False
+
+# Def: False
+SPACES_AROUND_DEFAULT_OR_NAMED_ASSIGN=False
+
+# Def: 2
+SPACES_BEFORE_COMMENT=2
+
+# Def: False
+SPLIT_ARGUMENTS_WHEN_COMMA_TERMINATED=False
+
+# Def: False
+SPLIT_BEFORE_BITWISE_OPERATOR=False
+
+# Def: True
+SPLIT_BEFORE_DICT_SET_GENERATOR=True
+
+# Def: False
+SPLIT_BEFORE_FIRST_ARGUMENT=False
+
+# Def: False
+SPLIT_BEFORE_LOGICAL_OPERATOR=False
+
+# Def: True
+SPLIT_BEFORE_NAMED_ASSIGNS=True
+
+# Def: 30
+SPLIT_PENALTY_AFTER_OPENING_BRACKET=30
+
+# Def: 10000
+SPLIT_PENALTY_AFTER_UNARY_OPERATOR=10000
+
+# Def: 0
+SPLIT_PENALTY_BEFORE_IF_EXPR=0
+
+# Def: 300
+SPLIT_PENALTY_BITWISE_OPERATOR=300
+
+# Def: 4500
+SPLIT_PENALTY_EXCESS_CHARACTER=4500
+
+# Def: 30
+SPLIT_PENALTY_FOR_ADDED_LINE_SPLIT=30
+
+# Def: 0
+SPLIT_PENALTY_IMPORT_NAMES=0
+
+# Def: 300
+SPLIT_PENALTY_LOGICAL_OPERATOR=300
+
+# Def: False
+USE_TABS=False
--- a/README
+++ b/README
+Project Name: Vault Data Retrieval Tool
+
+Description:
+This tool is designed to retrieve secrets and secret metadata from HashiCorp Vault using the AppRole authentication method. It provides functions to fetch passwords and key data from a specified path within the Vault.
+
+Requirements:
+- Python 3.x
+- pip (Python package manager)
+
+Installation:
+1. Clone the repository from https://code.europa.eu/digit-c4/dev/ansible-vault.
+2. Navigate to the project directory.
+3. Create a virtual environment (optional but recommended):
+    ```
+    python3 -m venv venv
+    source venv/bin/activate
+    ```
+4. Install dependencies using the provided requirements.txt file:
+    ```
+    pip install -r requirements.txt
+    ```
+
+Usage:
+1. Ensure you have the necessary permissions and access to the HashiCorp Vault.
+2. Set up the AppRole authentication method in your Vault instance. Refer to the provided links for detailed instructions.
+3. Modify the code to provide your Vault URL, namespace, role ID, secret ID, mount point, and engine details.
+4. EXAMPLE
+sys.path.append(config_global.get('APPLICATION', 'PYTHON-LIBRARY'))
+sys.path.append('/opt/auth')
+from ansible-vault.vault.client import clientV
+password = clientV.getPasswordByAppRole("dev/SNOW/csui", "https://sam-hcavault.cec.eu.int", "EC/DIGIT_C4_SNET_ADMIN-ACC", "role_id", "secret_id", "apps-kv", "dev")
+
+
+Functionality:
+- `getPasswordByAppRole(key, vault_url, namespace_used, role_id, secret_id, mount_point, engine)`: This function retrieves a password from the specified key path in the Vault.
+- `getKeysData(key, vault_url, namespace_used, role_id, secret_id, mount_point, engine)`: This function retrieves key data (secret metadata) from the specified key path in the Vault.
+
+Notes:
+- Ensure that the AppRole authentication method is correctly configured and enabled in your Vault instance.
+- Modify the code according to your specific Vault configuration and requirements.
+- Handle errors and exceptions appropriately in your code to ensure smooth operation.
+
+References:
+- HashiCorp Vault Documentation: [https://www.vaultproject.io/docs](https://www.vaultproject.io/docs)
+- HVAC Documentation: [https://hvac.readthedocs.io](https://hvac.readthedocs.io)
+
+Author:
+Marcelo teixeira
+Ricardo Silva
\ No newline at end of file
--- a/pyproject.toml
+++ b/pyproject.toml
+[tool.black]
+line-length = 131
+# target-version = py27
+skip-string-normalization = true
+# check = true
+# diff = true
+include = '\.pyi?$'
+exclude = '''
+/(
+    \.git
+  | \.hg
+  | \.mypy_cache
+  | \.tox
+  | \.venv
+  | venv
+  | _build
+  | buck-out
+  | build
+  | dist
+)/
+'''
--- a/requirements.txt
+++ b/requirements.txt
+requests==2.26.0
+pprint==0.1
+json==2.0.9
+datetime==4.3
+logging==0.5.1.2
+hvac==0.12.0
\ No newline at end of file
--- a/vault/client.py
+++ b/vault/client.py
+import logging
+import requests
+from requests import Response, Request
+from pprint import pformat
+from json import dumps as json_dumps
+from datetime import datetime
+import time
+import sys
+import hvac
+
+#https://developer.hashicorp.com/vault/docs/auth/approle
+#https://hvac.readthedocs.io/en/stable/usage/auth_methods/approle.html
+#https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html#read-secret-metadata
+
+class Vault(object):
+
+    def __init__(self):
+        self.session = requests.Session()
+
+    def getPasswordByAppRole(self, key, vault_url, namespace_used, role_id, secret_id, mount_point, engine):
+        # Create a client instance
+        client = hvac.Client(url=vault_url, namespace=namespace_used,  verify=False)
+        response = client.auth.approle.login(role_id=role_id, secret_id=secret_id)
+        # Extract the client token from the response
+        client.token = response['auth']['client_token']
+        #TODO : Acc using version 1 in the past now all is uniform
+        secret = client.secrets.kv.v2.read_secret_version(path=key ,mount_point=mount_point)
+        secret_data = False
+        if secret is not None  and 'data' in secret and secret['data'] is not None:
+            secret_data =secret['data']['data']['data']['password']
+        else:
+            print(secret, "secret")
+            print("Failed to retrieve the secret.")
+        client.logout()
+        return secret_data
+
+        
+    def getKeysData(self, key, vault_url, namespace_used, role_id, secret_id, mount_point, engine):
+        # Create a client instance
+        client = hvac.Client(url=vault_url, namespace=namespace_used,  verify=False)
+        response = client.auth.approle.login(role_id=role_id, secret_id=secret_id)
+        # Extract the client token from the response
+        client.token = response['auth']['client_token']
+        #TODO : Acc using version 1 in the past now all is uniform
+        secret = client.secrets.kv.v2.read_secret_version(path=key ,mount_point=mount_point)
+        secret_data = False
+        if secret is not None  and 'data' in secret and secret['data'] is not None:
+            secret_data =secret['data']['data']
+       
+        else:
+            print(secret, "secret")
+            print("Failed to retrieve the secret.")
+        client.logout()
+        return secret_data
+
+log = logging.getLogger(__name__)
+clientV = Vault()