yaml-vault/main.go

package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"

	"gopkg.in/yaml.v3"

	"github.com/hashicorp/vault/api"
	"github.com/mitchellh/go-homedir"
	"github.com/sirupsen/logrus"

	korvike "github.com/Luzifer/korvike/functions"
	"github.com/Luzifer/rconfig/v2"
)

const filePermissionUserWrite = 0o600

var (
	cfg = struct {
		File           string   `flag:"file,f" default:"vault.yaml" description:"File to import from / export to" validate:"nonzero"`
		Import         bool     `flag:"import" default:"false" description:"Enable importing data into Vault"`
		Export         bool     `flag:"export" default:"false" description:"Enable exporting data from Vault"`
		ExportPaths    []string `flag:"export-paths" default:"secret" description:"Which paths to export"`
		IgnoreErrors   bool     `flag:"ignore-errors" default:"false" description:"Do not exit on read/write errors"`
		LogLevel       string   `flag:"log-level" default:"info" description:"Log level (debug, info, warn, error, fatal)"`
		VaultAddress   string   `flag:"vault-addr" env:"VAULT_ADDR" default:"https://127.0.0.1:8200" description:"Vault API address"`
		VaultToken     string   `flag:"vault-token" env:"VAULT_TOKEN" vardefault:"vault-token" description:"Specify a token to use instead of app-id auth" validate:"nonzero"`
		VersionAndExit bool     `flag:"version" default:"false" description:"Print program version and exit"`
	}{}

	version = "dev"
)

type importFile struct {
	Keys []importField
}

type importField struct {
	Key    string
	State  string
	Values map[string]interface{}
}

type execFunction func(*api.Client) error

func vaultTokenFromDisk() string {
	vf, err := homedir.Expand("~/.vault-token")
	if err != nil {
		return ""
	}

	data, err := os.ReadFile(vf) //#nosec G304 // Intended to read file from disk
	if err != nil {
		return ""
	}

	return string(data)
}

func initApp() error {
	rconfig.AutoEnv(true)
	rconfig.SetVariableDefaults(map[string]string{
		"vault-token": vaultTokenFromDisk(),
	})
	if err := rconfig.ParseAndValidate(&cfg); err != nil {
		return fmt.Errorf("parsing CLI options: %w", err)
	}

	l, err := logrus.ParseLevel(cfg.LogLevel)
	if err != nil {
		return fmt.Errorf("parsing log-level: %w", err)
	}
	logrus.SetLevel(l)

	return nil
}

func main() {
	var err error
	if err = initApp(); err != nil {
		logrus.WithError(err).Fatal("initializing app")
	}

	if cfg.VersionAndExit {
		fmt.Printf("yaml-vault %s\n", version) //nolint:forbidigo
		os.Exit(0)
	}

	if cfg.Export == cfg.Import {
		logrus.Fatal("either import or export must be set")
	}

	if _, err := os.Stat(cfg.File); (err == nil && cfg.Export) || (err != nil && cfg.Import) {
		if cfg.Export {
			logrus.Fatal("output file exists, stopping now.")
		}
		logrus.Fatal("input file does not exist, stopping now.")
	}

	client, err := api.NewClient(&api.Config{
		Address: cfg.VaultAddress,
	})
	if err != nil {
		logrus.WithError(err).Fatal("creating Vault client")
	}

	client.SetToken(cfg.VaultToken)

	var ex execFunction
	if cfg.Export {
		ex = exportFromVault
	} else {
		ex = importToVault
	}

	if err = ex(client); err != nil {
		logrus.WithError(err).Fatal("executing requested action")
	}
}

func exportFromVault(client *api.Client) error {
	out := importFile{}

	for _, path := range cfg.ExportPaths {
		if path[0] == '/' {
			path = path[1:]
		}

		if !strings.HasSuffix(path, "/") {
			path += "/"
		}

		if err := readRecurse(client, path, &out); err != nil {
			return fmt.Errorf("reading from Vault: %w", err)
		}
	}

	data, err := yaml.Marshal(out)
	if err != nil {
		return fmt.Errorf("marshalling YAML: %w", err)
	}

	if err = os.WriteFile(cfg.File, data, filePermissionUserWrite); err != nil {
		return fmt.Errorf("writing file: %w", err)
	}

	return nil
}

func importToVault(client *api.Client) error {
	keysRaw, err := os.ReadFile(cfg.File)
	if err != nil {
		return fmt.Errorf("reading input-file: %w", err)
	}

	keysRaw, err = parseImportFile(keysRaw)
	if err != nil {
		return fmt.Errorf("parsing input file: %w", err)
	}

	var keys importFile
	if err := yaml.Unmarshal(keysRaw, &keys); err != nil {
		return fmt.Errorf("unmarshalling input file: %w", err)
	}

	for _, field := range keys.Keys {
		logger := logrus.WithField("path", field.Key)

		if field.State == "absent" {
			if _, err := client.Logical().Delete(field.Key); err != nil {
				if cfg.IgnoreErrors {
					logger.WithError(err).Error("deleting key")
					continue
				}
				return fmt.Errorf("deleting path %q: %w", field.Key, err)
			}
			logger.Debug("deleted key")
		} else {
			if _, err := client.Logical().Write(field.Key, field.Values); err != nil {
				if cfg.IgnoreErrors {
					logger.WithError(err).Error("writing data to key")
					continue
				}
				return fmt.Errorf("writing path %q: %w", field.Key, err)
			}
			logger.Debug("wrote data to key")
		}
	}

	return nil
}

func parseImportFile(in []byte) (out []byte, err error) {
	t, err := template.New("input file").Funcs(korvike.GetFunctionMap()).Parse(string(in))
	if err != nil {
		return nil, fmt.Errorf("parsing template: %w", err)
	}

	buf := new(bytes.Buffer)
	if err = t.Execute(buf, nil); err != nil {
		return nil, fmt.Errorf("executing template: %w", err)
	}

	return buf.Bytes(), nil
}

func readRecurse(client *api.Client, path string, out *importFile) error {
	if !strings.HasSuffix(path, "/") {
		secret, err := client.Logical().Read(path)
		if err != nil {
			return fmt.Errorf("reading path %q: %w", path, err)
		}

		if secret == nil {
			if cfg.IgnoreErrors {
				logrus.WithField("path", path).Info("read nil secret")
				return nil
			}
			return fmt.Errorf("read non-existent path %q", path)
		}

		out.Keys = append(out.Keys, importField{Key: path, Values: secret.Data})
		logrus.WithField("path", path).Debug("read data from key")
		return nil
	}

	secret, err := client.Logical().List(path)
	if err != nil {
		if cfg.IgnoreErrors {
			logrus.WithError(err).WithField("path", path).Error("reading secret")
			return nil
		}
		return fmt.Errorf("reading path %q: %w", path, err)
	}

	if secret != nil && secret.Data["keys"] != nil {
		for _, k := range secret.Data["keys"].([]interface{}) {
			if err := readRecurse(client, path+k.(string), out); err != nil {
				return err
			}
		}
		return nil
	}

	return nil
}
add initial version 2016-07-11 14:56:35 +00:00			`package main`

			`import (`
allow templating in input file 2016-07-11 15:22:05 +00:00			`"bytes"`
add initial version 2016-07-11 14:56:35 +00:00			`"fmt"`
			`"os"`
			`"strings"`
Fix: Use text/template instead of html/template 2016-08-23 14:58:14 +00:00			`"text/template"`
add initial version 2016-07-11 14:56:35 +00:00
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`"gopkg.in/yaml.v3"`
add initial version 2016-07-11 14:56:35 +00:00
			`"github.com/hashicorp/vault/api"`
			`"github.com/mitchellh/go-homedir"`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`"github.com/sirupsen/logrus"`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00
			`korvike "github.com/Luzifer/korvike/functions"`
Add go modules support, update dependencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2021-09-29 11:19:14 +00:00			`"github.com/Luzifer/rconfig/v2"`
add initial version 2016-07-11 14:56:35 +00:00			`)`

Lint: Add PR linting, fix linter errors Signed-off-by: Knut Ahlers <knut@ahlers.me> 2021-09-29 11:27:35 +00:00			`const filePermissionUserWrite = 0o600`

add initial version 2016-07-11 14:56:35 +00:00			`var (`
			`cfg = struct {`
Fix validate-tags and log-level Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:28:46 +00:00			File string `flag:"file,f" default:"vault.yaml" description:"File to import from / export to" validate:"nonzero"`
add initial version 2016-07-11 14:56:35 +00:00			Import bool `flag:"import" default:"false" description:"Enable importing data into Vault"`
			Export bool `flag:"export" default:"false" description:"Enable exporting data from Vault"`
			ExportPaths []string `flag:"export-paths" default:"secret" description:"Which paths to export"`
allow ignoring errors (writing sys/auth/ path or similar) 2016-07-19 11:59:55 +00:00			IgnoreErrors bool `flag:"ignore-errors" default:"false" description:"Do not exit on read/write errors"`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			LogLevel string `flag:"log-level" default:"info" description:"Log level (debug, info, warn, error, fatal)"`
add initial version 2016-07-11 14:56:35 +00:00			VaultAddress string `flag:"vault-addr" env:"VAULT_ADDR" default:"https://127.0.0.1:8200" description:"Vault API address"`
Fix validate-tags and log-level Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:28:46 +00:00			VaultToken string `flag:"vault-token" env:"VAULT_TOKEN" vardefault:"vault-token" description:"Specify a token to use instead of app-id auth" validate:"nonzero"`
add initial version 2016-07-11 14:56:35 +00:00			VersionAndExit bool `flag:"version" default:"false" description:"Print program version and exit"`
			`}{}`

			`version = "dev"`
			`)`

			`type importFile struct {`
Use a slice instead of a map breaking change 2016-08-08 14:26:11 +00:00			`Keys []importField`
			`}`

			`type importField struct {`
			`Key string`
Add state "absent" to delete keys 2016-10-05 11:21:14 +00:00			`State string`
Use a slice instead of a map breaking change 2016-08-08 14:26:11 +00:00			`Values map[string]interface{}`
add initial version 2016-07-11 14:56:35 +00:00			`}`

			`type execFunction func(*api.Client) error`

			`func vaultTokenFromDisk() string {`
			`vf, err := homedir.Expand("~/.vault-token")`
			`if err != nil {`
			`return ""`
			`}`

Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`data, err := os.ReadFile(vf) //#nosec G304 // Intended to read file from disk`
add initial version 2016-07-11 14:56:35 +00:00			`if err != nil {`
			`return ""`
			`}`

			`return string(data)`
			`}`

Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`func initApp() error {`
			`rconfig.AutoEnv(true)`
add initial version 2016-07-11 14:56:35 +00:00			`rconfig.SetVariableDefaults(map[string]string{`
			`"vault-token": vaultTokenFromDisk(),`
			`})`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`if err := rconfig.ParseAndValidate(&cfg); err != nil {`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`return fmt.Errorf("parsing CLI options: %w", err)`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`}`
add initial version 2016-07-11 14:56:35 +00:00
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`l, err := logrus.ParseLevel(cfg.LogLevel)`
			`if err != nil {`
			`return fmt.Errorf("parsing log-level: %w", err)`
add initial version 2016-07-11 14:56:35 +00:00			`}`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`logrus.SetLevel(l)`
add initial version 2016-07-11 14:56:35 +00:00
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`return nil`
			`}`

			`func main() {`
			`var err error`
			`if err = initApp(); err != nil {`
			`logrus.WithError(err).Fatal("initializing app")`
add initial version 2016-07-11 14:56:35 +00:00			`}`

Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`if cfg.VersionAndExit {`
			`fmt.Printf("yaml-vault %s\n", version) //nolint:forbidigo`
			`os.Exit(0)`
add initial version 2016-07-11 14:56:35 +00:00			`}`

			`if cfg.Export == cfg.Import {`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`logrus.Fatal("either import or export must be set")`
add initial version 2016-07-11 14:56:35 +00:00			`}`

			`if _, err := os.Stat(cfg.File); (err == nil && cfg.Export) \|\| (err != nil && cfg.Import) {`
			`if cfg.Export {`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`logrus.Fatal("output file exists, stopping now.")`
add initial version 2016-07-11 14:56:35 +00:00			`}`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`logrus.Fatal("input file does not exist, stopping now.")`
add initial version 2016-07-11 14:56:35 +00:00			`}`

			`client, err := api.NewClient(&api.Config{`
			`Address: cfg.VaultAddress,`
			`})`
			`if err != nil {`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`logrus.WithError(err).Fatal("creating Vault client")`
add initial version 2016-07-11 14:56:35 +00:00			`}`

			`client.SetToken(cfg.VaultToken)`

			`var ex execFunction`
			`if cfg.Export {`
			`ex = exportFromVault`
			`} else {`
			`ex = importToVault`
			`}`

			`if err = ex(client); err != nil {`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`logrus.WithError(err).Fatal("executing requested action")`
add initial version 2016-07-11 14:56:35 +00:00			`}`
			`}`

			`func exportFromVault(client *api.Client) error {`
Use a slice instead of a map breaking change 2016-08-08 14:26:11 +00:00			`out := importFile{}`
add initial version 2016-07-11 14:56:35 +00:00
			`for _, path := range cfg.ExportPaths {`
			`if path[0] == '/' {`
			`path = path[1:]`
			`}`

			`if !strings.HasSuffix(path, "/") {`
Lint: Add PR linting, fix linter errors Signed-off-by: Knut Ahlers <knut@ahlers.me> 2021-09-29 11:27:35 +00:00			`path += "/"`
add initial version 2016-07-11 14:56:35 +00:00			`}`

			`if err := readRecurse(client, path, &out); err != nil {`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`return fmt.Errorf("reading from Vault: %w", err)`
add initial version 2016-07-11 14:56:35 +00:00			`}`
			`}`

			`data, err := yaml.Marshal(out)`
			`if err != nil {`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`return fmt.Errorf("marshalling YAML: %w", err)`
add initial version 2016-07-11 14:56:35 +00:00			`}`

Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`if err = os.WriteFile(cfg.File, data, filePermissionUserWrite); err != nil {`
			`return fmt.Errorf("writing file: %w", err)`
add initial version 2016-07-11 14:56:35 +00:00			`}`

			`return nil`
			`}`

			`func importToVault(client *api.Client) error {`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`keysRaw, err := os.ReadFile(cfg.File)`
add initial version 2016-07-11 14:56:35 +00:00			`if err != nil {`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`return fmt.Errorf("reading input-file: %w", err)`
add initial version 2016-07-11 14:56:35 +00:00			`}`

allow templating in input file 2016-07-11 15:22:05 +00:00			`keysRaw, err = parseImportFile(keysRaw)`
			`if err != nil {`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`return fmt.Errorf("parsing input file: %w", err)`
allow templating in input file 2016-07-11 15:22:05 +00:00			`}`

add initial version 2016-07-11 14:56:35 +00:00			`var keys importFile`
			`if err := yaml.Unmarshal(keysRaw, &keys); err != nil {`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`return fmt.Errorf("unmarshalling input file: %w", err)`
add initial version 2016-07-11 14:56:35 +00:00			`}`

Use a slice instead of a map breaking change 2016-08-08 14:26:11 +00:00			`for _, field := range keys.Keys {`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`logger := logrus.WithField("path", field.Key)`

Add state "absent" to delete keys 2016-10-05 11:21:14 +00:00			`if field.State == "absent" {`
			`if _, err := client.Logical().Delete(field.Key); err != nil {`
			`if cfg.IgnoreErrors {`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`logger.WithError(err).Error("deleting key")`
Add state "absent" to delete keys 2016-10-05 11:21:14 +00:00			`continue`
			`}`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`return fmt.Errorf("deleting path %q: %w", field.Key, err)`
allow ignoring errors (writing sys/auth/ path or similar) 2016-07-19 11:59:55 +00:00			`}`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`logger.Debug("deleted key")`
Add state "absent" to delete keys 2016-10-05 11:21:14 +00:00			`} else {`
			`if _, err := client.Logical().Write(field.Key, field.Values); err != nil {`
			`if cfg.IgnoreErrors {`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`logger.WithError(err).Error("writing data to key")`
Add state "absent" to delete keys 2016-10-05 11:21:14 +00:00			`continue`
			`}`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`return fmt.Errorf("writing path %q: %w", field.Key, err)`
Add state "absent" to delete keys 2016-10-05 11:21:14 +00:00			`}`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`logger.Debug("wrote data to key")`
add initial version 2016-07-11 14:56:35 +00:00			`}`
			`}`

			`return nil`
			`}`
allow templating in input file 2016-07-11 15:22:05 +00:00
			`func parseImportFile(in []byte) (out []byte, err error) {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`t, err := template.New("input file").Funcs(korvike.GetFunctionMap()).Parse(string(in))`
allow templating in input file 2016-07-11 15:22:05 +00:00			`if err != nil {`
Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`return nil, fmt.Errorf("parsing template: %w", err)`
			`}`

			`buf := new(bytes.Buffer)`
			`if err = t.Execute(buf, nil); err != nil {`
			`return nil, fmt.Errorf("executing template: %w", err)`
allow templating in input file 2016-07-11 15:22:05 +00:00			`}`

Modernize code, update depdendencies Signed-off-by: Knut Ahlers <knut@ahlers.me> 2024-04-07 12:34:19 +00:00			`return buf.Bytes(), nil`
			`}`

			`func readRecurse(client api.Client, path string, out importFile) error {`
			`if !strings.HasSuffix(path, "/") {`
			`secret, err := client.Logical().Read(path)`
			`if err != nil {`
			`return fmt.Errorf("reading path %q: %w", path, err)`
			`}`

			`if secret == nil {`
			`if cfg.IgnoreErrors {`
			`logrus.WithField("path", path).Info("read nil secret")`
			`return nil`
			`}`
			`return fmt.Errorf("read non-existent path %q", path)`
			`}`

			`out.Keys = append(out.Keys, importField{Key: path, Values: secret.Data})`
			`logrus.WithField("path", path).Debug("read data from key")`
			`return nil`
			`}`

			`secret, err := client.Logical().List(path)`
			`if err != nil {`
			`if cfg.IgnoreErrors {`
			`logrus.WithError(err).WithField("path", path).Error("reading secret")`
			`return nil`
			`}`
			`return fmt.Errorf("reading path %q: %w", path, err)`
			`}`

			`if secret != nil && secret.Data["keys"] != nil {`
			`for _, k := range secret.Data["keys"].([]interface{}) {`
			`if err := readRecurse(client, path+k.(string), out); err != nil {`
			`return err`
			`}`
			`}`
			`return nil`
			`}`

			`return nil`
allow templating in input file 2016-07-11 15:22:05 +00:00			`}`