vault-sidekick/main.go

/*
Copyright 2015 Home Office All rights reserved.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io/ioutil"
	"os"
	"os/signal"
	"strings"
	"syscall"

	"github.com/golang/glog"
	"gopkg.in/yaml.v2"
)

func main() {
	// step: parse and validate the command line / environment options
	if err := parseOptions(); err != nil {
		showUsage("invalid options, %s", err)
	}

	// step: create a client to vault
	vault, err := newVaultService(options.vaultURL)
	if err != nil {
		showUsage("unable to create the vault client: %s", err)
	}

	// step: setup the termination signals
	signalChannel := make(chan os.Signal)
	signal.Notify(signalChannel, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT)

	// step: create a channel to receive events upon and add our resources for renewal
	ch := make(chan vaultResourceEvent, 10)

	for _, rn := range options.resources.items {
		// step: valid the resource
		if err := rn.isValid(); err != nil {
			showUsage("%s", err)
		}
		vault.watch(rn, ch)
	}

	// step: we simply wait for events i.e. secrets from vault and write them to the output directory
	for {
		select {
		case evt := <-ch:
			// step: write the secret to the output directory
			go processResource(evt.resource, evt.secret)

		case <-signalChannel:
			glog.Infof("recieved a termination signal, shutting down the service")
			os.Exit(0)
		}
	}

}

// processResource ... write the resource to file, converting into the selected format
func processResource(rn *vaultResource, data map[string]interface{}) error {
	var content []byte
	var err error

	// step: determine the resource path
	resourcePath := rn.filename()
	if !strings.HasPrefix(resourcePath, "/") {
		resourcePath = fmt.Sprintf("%s/%s", options.outputDir, resourcePath)
	}

	// step: get the output format
	glog.V(3).Infof("saving resource: %s, format: %s", rn, rn.format)

	switch rn.format {
	case "yaml":
		// marshall the content to yaml
		if content, err = yaml.Marshal(data); err != nil {
			return err
		}
	case "ini":
		var buf bytes.Buffer
		for key, val := range data {
			buf.WriteString(fmt.Sprintf("%s = %s\n", key, val))
		}
		content = buf.Bytes()
	// Less of a format and more of a standard naming scheme
	case "cert":
		files := map[string]string{
			"certificate": "crt",
			"issuing_ca":  "ca",
			"private_key": "key",
		}
		for key, suffix := range files {
			filename := fmt.Sprintf("%s.%s", resourcePath, suffix)
			content, found := data[key]
			if !found {
				continue
			}

			// step: write the file
			if err := writeFile(filename, []byte(fmt.Sprintf("%s", content))); err != nil {
				glog.Errorf("failed to write resource: %s, elemment: %s, filename: %s, error: %s", rn, suffix, filename, err)
				continue
			}
		}
		return nil

	case "csv":
		var buf bytes.Buffer
		for key, val := range data {
			buf.WriteString(fmt.Sprintf("%s,%s\n", key, val))
		}
		content = buf.Bytes()

	case "txt":
		keys := getKeys(data)
		if len(keys) > 1 {
			// step: for plain formats we need to iterate the keys and produce a file per key
			for suffix, content := range data {
				filename := fmt.Sprintf("%s.%s", resourcePath, suffix)
				if err := writeFile(filename, []byte(fmt.Sprintf("%s", content))); err != nil {
					glog.Errorf("failed to write resource: %s, elemment: %s, filename: %s, error: %s",
						rn, suffix, filename, err)
					continue
				}
			}
			return nil
		}

		// step: we only have the one key, so will write plain
		value, _ := data[keys[0]]
		content = []byte(fmt.Sprintf("%s", value))
	case "json":
		if content, err = json.MarshalIndent(data, "", "    "); err != nil {
			return err
		}
	}

	// step: write the content to file
	if err := writeFile(resourcePath, content); err != nil {
		glog.Errorf("failed to write the resource: %s to file: %s, error: %s", rn, resourcePath, err)
		return err
	}

	return nil
}

// writeFile ... writes the content of a file
func writeFile(filename string, content []byte) error {
	// step: are we dry running?
	if options.dryRun {
		glog.Infof("dry-run: filename: %s, content:", filename)
		fmt.Printf("%s\n", string(content))
		return nil
	}

	err := ioutil.WriteFile(filename, content, 0660)
	if err != nil {
		return err
	}

	return nil
}
- adding the initial commit 2015-09-18 05:14:15 -04:00			`/*`
			`Copyright 2015 Home Office All rights reserved.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package main`

			`import (`
			`"bytes"`
			`"encoding/json"`
			`"fmt"`
- added the cert file format; essentially a hack to create the three file 2015-09-18 12:45:34 -04:00			`"io/ioutil"`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`"os"`
			`"os/signal"`
			`"strings"`
			`"syscall"`

			`"github.com/golang/glog"`
			`"gopkg.in/yaml.v2"`
			`)`

			`func main() {`
			`// step: parse and validate the command line / environment options`
			`if err := parseOptions(); err != nil {`
			`showUsage("invalid options, %s", err)`
			`}`

			`// step: create a client to vault`
- added the csv output format - adding the auth backends - general cleanup of the code - fixed up the tests 2015-09-21 06:31:12 -04:00			`vault, err := newVaultService(options.vaultURL)`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`if err != nil {`
- added the csv output format - adding the auth backends - general cleanup of the code - fixed up the tests 2015-09-21 06:31:12 -04:00			`showUsage("unable to create the vault client: %s", err)`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`}`

			`// step: setup the termination signals`
			`signalChannel := make(chan os.Signal)`
			`signal.Notify(signalChannel, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT)`

			`// step: create a channel to receive events upon and add our resources for renewal`
- added the csv output format - adding the auth backends - general cleanup of the code - fixed up the tests 2015-09-21 06:31:12 -04:00			`ch := make(chan vaultResourceEvent, 10)`
- adding the initial commit 2015-09-18 05:14:15 -04:00
			`for _, rn := range options.resources.items {`
			`// step: valid the resource`
			`if err := rn.isValid(); err != nil {`
			`showUsage("%s", err)`
			`}`
- fixed up and clean some of the code - added the scenerio, lease expired but asking to renew - added the actual renew of lease code, rather than retrieve new lease for autditing purposes 2015-09-18 09:12:09 -04:00			`vault.watch(rn, ch)`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`}`

			`// step: we simply wait for events i.e. secrets from vault and write them to the output directory`
			`for {`
			`select {`
			`case evt := <-ch:`
			`// step: write the secret to the output directory`
			`go processResource(evt.resource, evt.secret)`

			`case <-signalChannel:`
			`glog.Infof("recieved a termination signal, shutting down the service")`
			`os.Exit(0)`
			`}`
			`}`

			`}`

			`// processResource ... write the resource to file, converting into the selected format`
			`func processResource(rn *vaultResource, data map[string]interface{}) error {`
			`var content []byte`
			`var err error`

			`// step: determine the resource path`
			`resourcePath := rn.filename()`
			`if !strings.HasPrefix(resourcePath, "/") {`
- added the csv output format - adding the auth backends - general cleanup of the code - fixed up the tests 2015-09-21 06:31:12 -04:00			`resourcePath = fmt.Sprintf("%s/%s", options.outputDir, resourcePath)`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`}`

			`// step: get the output format`
- fixed up the renewal and revoking of secrets - shifting between states for the resources - added the default behavior to stop renewing a sereat and instead retrieving a new lease - added the revoking method ; 2015-09-18 12:18:17 -04:00			`glog.V(3).Infof("saving resource: %s, format: %s", rn, rn.format)`
- adding the initial commit 2015-09-18 05:14:15 -04:00
- fixed up the renewal and revoking of secrets - shifting between states for the resources - added the default behavior to stop renewing a sereat and instead retrieving a new lease - added the revoking method ; 2015-09-18 12:18:17 -04:00			`switch rn.format {`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`case "yaml":`
			`// marshall the content to yaml`
			`if content, err = yaml.Marshal(data); err != nil {`
			`return err`
			`}`
			`case "ini":`
			`var buf bytes.Buffer`
			`for key, val := range data {`
			`buf.WriteString(fmt.Sprintf("%s = %s\n", key, val))`
			`}`
			`content = buf.Bytes()`
- added the cert file format; essentially a hack to create the three file 2015-09-18 12:45:34 -04:00			`// Less of a format and more of a standard naming scheme`
			`case "cert":`
			`files := map[string]string{`
			`"certificate": "crt",`
- fixed up the formatting - fixing up the imports 2015-09-18 12:58:52 -04:00			`"issuing_ca": "ca",`
- added the cert file format; essentially a hack to create the three file 2015-09-18 12:45:34 -04:00			`"private_key": "key",`
			`}`
			`for key, suffix := range files {`
			`filename := fmt.Sprintf("%s.%s", resourcePath, suffix)`
			`content, found := data[key]`
			`if !found {`
			`continue`
			`}`

			`// step: write the file`
			`if err := writeFile(filename, []byte(fmt.Sprintf("%s", content))); err != nil {`
			`glog.Errorf("failed to write resource: %s, elemment: %s, filename: %s, error: %s", rn, suffix, filename, err)`
			`continue`
			`}`
			`}`
			`return nil`

- added the csv output format - adding the auth backends - general cleanup of the code - fixed up the tests 2015-09-21 06:31:12 -04:00			`case "csv":`
			`var buf bytes.Buffer`
			`for key, val := range data {`
			`buf.WriteString(fmt.Sprintf("%s,%s\n", key, val))`
			`}`
			`content = buf.Bytes()`

- adding the initial commit 2015-09-18 05:14:15 -04:00			`case "txt":`
			`keys := getKeys(data)`
			`if len(keys) > 1 {`
			`// step: for plain formats we need to iterate the keys and produce a file per key`
			`for suffix, content := range data {`
			`filename := fmt.Sprintf("%s.%s", resourcePath, suffix)`
			`if err := writeFile(filename, []byte(fmt.Sprintf("%s", content))); err != nil {`
			`glog.Errorf("failed to write resource: %s, elemment: %s, filename: %s, error: %s",`
			`rn, suffix, filename, err)`
			`continue`
			`}`
			`}`
			`return nil`
			`}`

			`// step: we only have the one key, so will write plain`
			`value, _ := data[keys[0]]`
			`content = []byte(fmt.Sprintf("%s", value))`
			`case "json":`
			`if content, err = json.MarshalIndent(data, "", " "); err != nil {`
			`return err`
			`}`
			`}`

			`// step: write the content to file`
			`if err := writeFile(resourcePath, content); err != nil {`
			`glog.Errorf("failed to write the resource: %s to file: %s, error: %s", rn, resourcePath, err)`
			`return err`
			`}`

			`return nil`
			`}`

			`// writeFile ... writes the content of a file`
			`func writeFile(filename string, content []byte) error {`
			`// step: are we dry running?`
			`if options.dryRun {`
			`glog.Infof("dry-run: filename: %s, content:", filename)`
			`fmt.Printf("%s\n", string(content))`
			`return nil`
			`}`

- added the cert file format; essentially a hack to create the three file 2015-09-18 12:45:34 -04:00			`err := ioutil.WriteFile(filename, content, 0660)`
- fixed up the renewal and revoking of secrets - shifting between states for the resources - added the default behavior to stop renewing a sereat and instead retrieving a new lease - added the revoking method ; 2015-09-18 12:18:17 -04:00			`if err != nil {`
			`return err`
			`}`
- adding the initial commit 2015-09-18 05:14:15 -04:00
			`return nil`
- fixed up the formatting - fixing up the imports 2015-09-18 12:58:52 -04:00			`}`