You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
111 lines
3.3 KiB
111 lines
3.3 KiB
#!/usr/bin/env python
|
|
|
|
import sys
|
|
|
|
import json
|
|
import subprocess
|
|
|
|
DICT_LABEL = 'label'
|
|
DICT_SECRET = 'secret'
|
|
DICT_ATTRIBUTES = 'attributes'
|
|
|
|
# Python SecretStorage requires these packages to work:
|
|
# "Jeepney, python-cryptography", which may have their own
|
|
# Common Criteria impact.
|
|
#
|
|
# Also note that the GNOME keyring Python APIs have been removed in
|
|
# RHEL8 and there are no good secret store altervatives
|
|
# that meet Common Criteria requirements.
|
|
# (e.g. "For Linux: The evaluator shall verify that all keys are stored using Linux keyrings")
|
|
# so just invoke secret-tool.
|
|
|
|
class KeyringException(Exception):
|
|
pass
|
|
|
|
def err(desc):
|
|
raise KeyringException(desc)
|
|
|
|
def read_store(krname):
|
|
secret_tool_lookup_cmd = ['secret-tool', 'lookup', krname, 'store']
|
|
p = subprocess.Popen(secret_tool_lookup_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
out, err = p.communicate()
|
|
if len(out) == 0:
|
|
return []
|
|
return json.loads(out.decode('utf-8'))
|
|
|
|
def write_store(store, krname):
|
|
secret_tool_store_cmd = ['secret-tool', 'store', '--label="splunk"', krname, 'store']
|
|
p = subprocess.Popen(secret_tool_store_cmd, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.STDOUT)
|
|
output = p.communicate(input=json.dumps(store).encode("utf-8"))[0]
|
|
|
|
def pretty_print_label(label_str):
|
|
d = label_str
|
|
return '%s [%s] %s' % (d['file'], d['stanza'], d['attribute'])
|
|
|
|
def get_secrets(store, krname):
|
|
items = store
|
|
result = []
|
|
for i in items:
|
|
# Emit this item as a standard Python object.
|
|
tmp = {DICT_LABEL: pretty_print_label(i[DICT_ATTRIBUTES]),
|
|
DICT_SECRET: i[DICT_SECRET],
|
|
DICT_ATTRIBUTES: i[DICT_ATTRIBUTES]}
|
|
result.append(tmp)
|
|
return result
|
|
|
|
def set_secrets(store, krname, to_write, overwrite_all):
|
|
if overwrite_all:
|
|
existing_items = []
|
|
else:
|
|
existing_items = store
|
|
|
|
for i in to_write:
|
|
found = False
|
|
for j in existing_items:
|
|
if j[DICT_ATTRIBUTES] == i[DICT_ATTRIBUTES]:
|
|
j[DICT_SECRET] = i[DICT_SECRET]
|
|
found = True
|
|
break
|
|
if not found:
|
|
existing_items.append(i)
|
|
|
|
write_store(existing_items, krname)
|
|
|
|
def remove_secrets(store, krname, to_remove):
|
|
existing_items = store
|
|
for i in to_remove:
|
|
for j in existing_items:
|
|
if j[DICT_ATTRIBUTES] == i[DICT_ATTRIBUTES]:
|
|
existing_items.remove(j)
|
|
break
|
|
|
|
write_store(store, krname)
|
|
|
|
def process(args):
|
|
krname = args.get('namespace')
|
|
if krname is None:
|
|
err('No namespace (keyring name) specified')
|
|
|
|
to_write = args.get('write', {})
|
|
to_remove = args.get('remove', {})
|
|
overwrite_all = args.get('overwrite', False)
|
|
password = args.get('password')
|
|
|
|
result = {} # By default, emit minimal valid JSON.
|
|
store = read_store(krname)
|
|
if len(to_write) == 0 and len(to_remove) == 0:
|
|
# Given nothing to write, we emit existing secrets.
|
|
result = get_secrets(store, krname)
|
|
|
|
if len(to_write) > 0:
|
|
set_secrets(store, krname, to_write, overwrite_all)
|
|
|
|
if len(to_remove) > 0:
|
|
remove_secrets(store, krname, to_remove)
|
|
|
|
json.dump(result, sys.stdout)
|
|
|
|
if __name__ == '__main__':
|
|
args = json.load(sys.stdin) # error out on bad/empty JSON
|
|
process(args)
|