yaml-vault/main.go

package main

import (
	"bytes"
	"fmt"
	"io/ioutil"
	"os"
	"strings"
	"text/template"

	"gopkg.in/yaml.v2"

	"github.com/hashicorp/vault/api"
	"github.com/mitchellh/go-homedir"
	"github.com/pkg/errors"
	log "github.com/sirupsen/logrus"

	korvike "github.com/Luzifer/korvike/functions"
	"github.com/Luzifer/rconfig"
)

var (
	cfg = struct {
		File           string   `flag:"file,f" default:"vault.yaml" description:"File to import from / export to" validate:"non-zero"`
		Import         bool     `flag:"import" default:"false" description:"Enable importing data into Vault"`
		Export         bool     `flag:"export" default:"false" description:"Enable exporting data from Vault"`
		ExportPaths    []string `flag:"export-paths" default:"secret" description:"Which paths to export"`
		IgnoreErrors   bool     `flag:"ignore-errors" default:"false" description:"Do not exit on read/write errors"`
		LogLevel       string   `flag:"log-level" default:"info" description:"Log level (debug, info, warn, error, fatal)"`
		VaultAddress   string   `flag:"vault-addr" env:"VAULT_ADDR" default:"https://127.0.0.1:8200" description:"Vault API address"`
		VaultToken     string   `flag:"vault-token" env:"VAULT_TOKEN" vardefault:"vault-token" description:"Specify a token to use instead of app-id auth" validate:"non-zero"`
		VersionAndExit bool     `flag:"version" default:"false" description:"Print program version and exit"`
		Verbose        bool     `flag:"verbose,v" default:"false" description:"Print verbose output [DEPRECATED]"`
	}{}

	version = "dev"
)

type importFile struct {
	Keys []importField
}

type importField struct {
	Key    string
	State  string
	Values map[string]interface{}
}

type execFunction func(*api.Client) error

func vaultTokenFromDisk() string {
	vf, err := homedir.Expand("~/.vault-token")
	if err != nil {
		return ""
	}

	data, err := ioutil.ReadFile(vf)
	if err != nil {
		return ""
	}

	return string(data)
}

func init() {
	rconfig.SetVariableDefaults(map[string]string{
		"vault-token": vaultTokenFromDisk(),
	})
	if err := rconfig.ParseAndValidate(&cfg); err != nil {
		log.WithError(err).Fatal("Unable to parse commandline options")
	}

	if cfg.VersionAndExit {
		fmt.Printf("vault2env %s\n", version)
		os.Exit(0)
	}

	if l, err := log.ParseLevel(cfg.LogLevel); err != nil {
		log.WithError(err).Fatal("Unable to parse log level")
	} else {
		log.SetLevel(l)
	}

	if cfg.Verbose {
		// Backwards compatibility
		log.SetLevel(log.DebugLevel)
	}

	if cfg.Export == cfg.Import {
		log.Fatal("You need to either import or export")
	}

	if _, err := os.Stat(cfg.File); (err == nil && cfg.Export) || (err != nil && cfg.Import) {
		if cfg.Export {
			log.Fatal("Output file exists, stopping now.")
		}
		log.Fatal("Input file does not exist, stopping now.")
	}
}

func main() {
	client, err := api.NewClient(&api.Config{
		Address: cfg.VaultAddress,
	})
	if err != nil {
		log.WithError(err).Fatal("Unable to create client")
	}

	client.SetToken(cfg.VaultToken)

	var ex execFunction

	if cfg.Export {
		ex = exportFromVault
	} else {
		ex = importToVault
	}

	if err = ex(client); err != nil {
		log.WithError(err).Fatal("Unable to execute requested action")
	}
}

func exportFromVault(client *api.Client) error {
	out := importFile{}

	for _, path := range cfg.ExportPaths {
		if path[0] == '/' {
			path = path[1:]
		}

		if !strings.HasSuffix(path, "/") {
			path = path + "/"
		}

		if err := readRecurse(client, path, &out); err != nil {
			return errors.Wrap(err, "Unable to read from Vault")
		}
	}

	data, err := yaml.Marshal(out)
	if err != nil {
		return errors.Wrap(err, "Unable to marshal yaml")
	}

	return ioutil.WriteFile(cfg.File, data, 0600)
}

func readRecurse(client *api.Client, path string, out *importFile) error {
	if !strings.HasSuffix(path, "/") {
		secret, err := client.Logical().Read(path)
		if err != nil {
			return errors.Wrapf(err, "Unable to read path %q", path)
		}

		if secret == nil {
			if cfg.IgnoreErrors {
				log.WithField("path", path).Info("Unable to read nil secret")
				return nil
			}
			return errors.Errorf("Unable to read non-existent path %s", path)
		}

		out.Keys = append(out.Keys, importField{Key: path, Values: secret.Data})
		log.WithField("path", path).Debug("Successfully read data from key")
		return nil
	}

	secret, err := client.Logical().List(path)
	if err != nil {
		if cfg.IgnoreErrors {
			log.WithError(err).WithField("path", path).Error("Error reading secret")
			return nil
		}
		return errors.Wrapf(err, "Error reading %s", path)
	}

	if secret != nil && secret.Data["keys"] != nil {
		for _, k := range secret.Data["keys"].([]interface{}) {
			if err := readRecurse(client, path+k.(string), out); err != nil {
				return err
			}
		}
		return nil
	}

	return nil
}

func importToVault(client *api.Client) error {
	keysRaw, err := ioutil.ReadFile(cfg.File)
	if err != nil {
		return errors.Wrap(err, "Unable to read input file")
	}

	keysRaw, err = parseImportFile(keysRaw)
	if err != nil {
		return errors.Wrap(err, "Unable to parse input file")
	}

	var keys importFile
	if err := yaml.Unmarshal(keysRaw, &keys); err != nil {
		return errors.Wrap(err, "Unable to unmarshal input file")
	}

	for _, field := range keys.Keys {
		if field.State == "absent" {
			if _, err := client.Logical().Delete(field.Key); err != nil {
				if cfg.IgnoreErrors {
					log.WithError(err).WithField("path", field.Key).Error("Error while deleting key")
					continue
				}
				return errors.Wrapf(err, "Unable to delete path %q", field.Key)
			}
			log.WithField("path", field.Key).Info("Successfully deleted key")
		} else {
			if _, err := client.Logical().Write(field.Key, field.Values); err != nil {
				if cfg.IgnoreErrors {
					log.WithError(err).WithField("path", field.Key).Error("Error while writing data to key")
					continue
				}
				return errors.Wrapf(err, "Unable to write path %q", field.Key)
			}
			log.WithField("path", field.Key).Debug("Successfully wrote data to key")
		}
	}

	return nil
}

func parseImportFile(in []byte) (out []byte, err error) {
	t, err := template.New("input file").Funcs(korvike.GetFunctionMap()).Parse(string(in))
	if err != nil {
		return nil, errors.Wrap(err, "Unable to parse template")
	}

	buf := bytes.NewBuffer([]byte{})
	err = t.Execute(buf, nil)
	return buf.Bytes(), errors.Wrap(err, "Unable to execute template")
}
add initial version 2016-07-11 14:56:35 +00:00			`package main`

			`import (`
allow templating in input file 2016-07-11 15:22:05 +00:00			`"bytes"`
add initial version 2016-07-11 14:56:35 +00:00			`"fmt"`
			`"io/ioutil"`
			`"os"`
			`"strings"`
Fix: Use text/template instead of html/template 2016-08-23 14:58:14 +00:00			`"text/template"`
add initial version 2016-07-11 14:56:35 +00:00
			`"gopkg.in/yaml.v2"`

			`"github.com/hashicorp/vault/api"`
			`"github.com/mitchellh/go-homedir"`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`"github.com/pkg/errors"`
			`log "github.com/sirupsen/logrus"`

			`korvike "github.com/Luzifer/korvike/functions"`
			`"github.com/Luzifer/rconfig"`
add initial version 2016-07-11 14:56:35 +00:00			`)`

			`var (`
			`cfg = struct {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			File string `flag:"file,f" default:"vault.yaml" description:"File to import from / export to" validate:"non-zero"`
add initial version 2016-07-11 14:56:35 +00:00			Import bool `flag:"import" default:"false" description:"Enable importing data into Vault"`
			Export bool `flag:"export" default:"false" description:"Enable exporting data from Vault"`
			ExportPaths []string `flag:"export-paths" default:"secret" description:"Which paths to export"`
allow ignoring errors (writing sys/auth/ path or similar) 2016-07-19 11:59:55 +00:00			IgnoreErrors bool `flag:"ignore-errors" default:"false" description:"Do not exit on read/write errors"`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			LogLevel string `flag:"log-level" default:"info" description:"Log level (debug, info, warn, error, fatal)"`
add initial version 2016-07-11 14:56:35 +00:00			VaultAddress string `flag:"vault-addr" env:"VAULT_ADDR" default:"https://127.0.0.1:8200" description:"Vault API address"`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			VaultToken string `flag:"vault-token" env:"VAULT_TOKEN" vardefault:"vault-token" description:"Specify a token to use instead of app-id auth" validate:"non-zero"`
add initial version 2016-07-11 14:56:35 +00:00			VersionAndExit bool `flag:"version" default:"false" description:"Print program version and exit"`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			Verbose bool `flag:"verbose,v" default:"false" description:"Print verbose output [DEPRECATED]"`
add initial version 2016-07-11 14:56:35 +00:00			`}{}`

			`version = "dev"`
			`)`

			`type importFile struct {`
Use a slice instead of a map breaking change 2016-08-08 14:26:11 +00:00			`Keys []importField`
			`}`

			`type importField struct {`
			`Key string`
Add state "absent" to delete keys 2016-10-05 11:21:14 +00:00			`State string`
Use a slice instead of a map breaking change 2016-08-08 14:26:11 +00:00			`Values map[string]interface{}`
add initial version 2016-07-11 14:56:35 +00:00			`}`

			`type execFunction func(*api.Client) error`

			`func vaultTokenFromDisk() string {`
			`vf, err := homedir.Expand("~/.vault-token")`
			`if err != nil {`
			`return ""`
			`}`

			`data, err := ioutil.ReadFile(vf)`
			`if err != nil {`
			`return ""`
			`}`

			`return string(data)`
			`}`

			`func init() {`
			`rconfig.SetVariableDefaults(map[string]string{`
			`"vault-token": vaultTokenFromDisk(),`
			`})`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`if err := rconfig.ParseAndValidate(&cfg); err != nil {`
			`log.WithError(err).Fatal("Unable to parse commandline options")`
			`}`
add initial version 2016-07-11 14:56:35 +00:00
			`if cfg.VersionAndExit {`
			`fmt.Printf("vault2env %s\n", version)`
			`os.Exit(0)`
			`}`

Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`if l, err := log.ParseLevel(cfg.LogLevel); err != nil {`
			`log.WithError(err).Fatal("Unable to parse log level")`
			`} else {`
			`log.SetLevel(l)`
add initial version 2016-07-11 14:56:35 +00:00			`}`

Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`if cfg.Verbose {`
			`// Backwards compatibility`
			`log.SetLevel(log.DebugLevel)`
add initial version 2016-07-11 14:56:35 +00:00			`}`

			`if cfg.Export == cfg.Import {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`log.Fatal("You need to either import or export")`
add initial version 2016-07-11 14:56:35 +00:00			`}`

			`if _, err := os.Stat(cfg.File); (err == nil && cfg.Export) \|\| (err != nil && cfg.Import) {`
			`if cfg.Export {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`log.Fatal("Output file exists, stopping now.")`
add initial version 2016-07-11 14:56:35 +00:00			`}`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`log.Fatal("Input file does not exist, stopping now.")`
add initial version 2016-07-11 14:56:35 +00:00			`}`
			`}`

			`func main() {`
			`client, err := api.NewClient(&api.Config{`
			`Address: cfg.VaultAddress,`
			`})`
			`if err != nil {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`log.WithError(err).Fatal("Unable to create client")`
add initial version 2016-07-11 14:56:35 +00:00			`}`

			`client.SetToken(cfg.VaultToken)`

			`var ex execFunction`

			`if cfg.Export {`
			`ex = exportFromVault`
			`} else {`
			`ex = importToVault`
			`}`

			`if err = ex(client); err != nil {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`log.WithError(err).Fatal("Unable to execute requested action")`
add initial version 2016-07-11 14:56:35 +00:00			`}`
			`}`

			`func exportFromVault(client *api.Client) error {`
Use a slice instead of a map breaking change 2016-08-08 14:26:11 +00:00			`out := importFile{}`
add initial version 2016-07-11 14:56:35 +00:00
			`for _, path := range cfg.ExportPaths {`
			`if path[0] == '/' {`
			`path = path[1:]`
			`}`

			`if !strings.HasSuffix(path, "/") {`
			`path = path + "/"`
			`}`

			`if err := readRecurse(client, path, &out); err != nil {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`return errors.Wrap(err, "Unable to read from Vault")`
add initial version 2016-07-11 14:56:35 +00:00			`}`
			`}`

			`data, err := yaml.Marshal(out)`
			`if err != nil {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`return errors.Wrap(err, "Unable to marshal yaml")`
add initial version 2016-07-11 14:56:35 +00:00			`}`

			`return ioutil.WriteFile(cfg.File, data, 0600)`
			`}`

			`func readRecurse(client api.Client, path string, out importFile) error {`
fix read tries when path has no current children 2016-07-11 16:37:50 +00:00			`if !strings.HasSuffix(path, "/") {`
			`secret, err := client.Logical().Read(path)`
fix bug when reading path and key with same name 2016-07-11 15:43:43 +00:00			`if err != nil {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`return errors.Wrapf(err, "Unable to read path %q", path)`
fix bug when reading path and key with same name 2016-07-11 15:43:43 +00:00			`}`
add initial version 2016-07-11 14:56:35 +00:00
fix read tries when path has no current children 2016-07-11 16:37:50 +00:00			`if secret == nil {`
allow ignoring errors (writing sys/auth/ path or similar) 2016-07-19 11:59:55 +00:00			`if cfg.IgnoreErrors {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`log.WithField("path", path).Info("Unable to read nil secret")`
allow ignoring errors (writing sys/auth/ path or similar) 2016-07-19 11:59:55 +00:00			`return nil`
			`}`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`return errors.Errorf("Unable to read non-existent path %s", path)`
add initial version 2016-07-11 14:56:35 +00:00			`}`
fix read tries when path has no current children 2016-07-11 16:37:50 +00:00
Use a slice instead of a map breaking change 2016-08-08 14:26:11 +00:00			`out.Keys = append(out.Keys, importField{Key: path, Values: secret.Data})`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`log.WithField("path", path).Debug("Successfully read data from key")`
fix read tries when path has no current children 2016-07-11 16:37:50 +00:00			`return nil`
add initial version 2016-07-11 14:56:35 +00:00			`}`

fix read tries when path has no current children 2016-07-11 16:37:50 +00:00			`secret, err := client.Logical().List(path)`
add initial version 2016-07-11 14:56:35 +00:00			`if err != nil {`
allow ignoring errors (writing sys/auth/ path or similar) 2016-07-19 11:59:55 +00:00			`if cfg.IgnoreErrors {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`log.WithError(err).WithField("path", path).Error("Error reading secret")`
allow ignoring errors (writing sys/auth/ path or similar) 2016-07-19 11:59:55 +00:00			`return nil`
			`}`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`return errors.Wrapf(err, "Error reading %s", path)`
add initial version 2016-07-11 14:56:35 +00:00			`}`

fix read tries when path has no current children 2016-07-11 16:37:50 +00:00			`if secret != nil && secret.Data["keys"] != nil {`
			`for _, k := range secret.Data["keys"].([]interface{}) {`
			`if err := readRecurse(client, path+k.(string), out); err != nil {`
			`return err`
			`}`
			`}`
			`return nil`
add initial version 2016-07-11 14:56:35 +00:00			`}`

			`return nil`
			`}`

			`func importToVault(client *api.Client) error {`
			`keysRaw, err := ioutil.ReadFile(cfg.File)`
			`if err != nil {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`return errors.Wrap(err, "Unable to read input file")`
add initial version 2016-07-11 14:56:35 +00:00			`}`

allow templating in input file 2016-07-11 15:22:05 +00:00			`keysRaw, err = parseImportFile(keysRaw)`
			`if err != nil {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`return errors.Wrap(err, "Unable to parse input file")`
allow templating in input file 2016-07-11 15:22:05 +00:00			`}`

add initial version 2016-07-11 14:56:35 +00:00			`var keys importFile`
			`if err := yaml.Unmarshal(keysRaw, &keys); err != nil {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`return errors.Wrap(err, "Unable to unmarshal input file")`
add initial version 2016-07-11 14:56:35 +00:00			`}`

Use a slice instead of a map breaking change 2016-08-08 14:26:11 +00:00			`for _, field := range keys.Keys {`
Add state "absent" to delete keys 2016-10-05 11:21:14 +00:00			`if field.State == "absent" {`
			`if _, err := client.Logical().Delete(field.Key); err != nil {`
			`if cfg.IgnoreErrors {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`log.WithError(err).WithField("path", field.Key).Error("Error while deleting key")`
Add state "absent" to delete keys 2016-10-05 11:21:14 +00:00			`continue`
			`}`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`return errors.Wrapf(err, "Unable to delete path %q", field.Key)`
allow ignoring errors (writing sys/auth/ path or similar) 2016-07-19 11:59:55 +00:00			`}`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`log.WithField("path", field.Key).Info("Successfully deleted key")`
Add state "absent" to delete keys 2016-10-05 11:21:14 +00:00			`} else {`
			`if _, err := client.Logical().Write(field.Key, field.Values); err != nil {`
			`if cfg.IgnoreErrors {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`log.WithError(err).WithField("path", field.Key).Error("Error while writing data to key")`
Add state "absent" to delete keys 2016-10-05 11:21:14 +00:00			`continue`
			`}`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`return errors.Wrapf(err, "Unable to write path %q", field.Key)`
Add state "absent" to delete keys 2016-10-05 11:21:14 +00:00			`}`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`log.WithField("path", field.Key).Debug("Successfully wrote data to key")`
add initial version 2016-07-11 14:56:35 +00:00			`}`
			`}`

			`return nil`
			`}`
allow templating in input file 2016-07-11 15:22:05 +00:00
			`func parseImportFile(in []byte) (out []byte, err error) {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`t, err := template.New("input file").Funcs(korvike.GetFunctionMap()).Parse(string(in))`
allow templating in input file 2016-07-11 15:22:05 +00:00			`if err != nil {`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`return nil, errors.Wrap(err, "Unable to parse template")`
allow templating in input file 2016-07-11 15:22:05 +00:00			`}`

			`buf := bytes.NewBuffer([]byte{})`
fix replacing config with empty file 2016-07-11 16:18:03 +00:00			`err = t.Execute(buf, nil)`
Improve code quality Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-01-09 15:17:44 +00:00			`return buf.Bytes(), errors.Wrap(err, "Unable to execute template")`
allow templating in input file 2016-07-11 15:22:05 +00:00			`}`