vault-access-tool/vault_tool.py

import sys
import subprocess
import logging
import urllib3
import os
from typing import Optional, Any


class Tools:
    def __init__(self) -> None:
        pass

    # Configure logging
    logging.basicConfig(
        level=logging.INFO, format="%(asctime)s - %(levelname)s - %(message)s"
    )
    logger = logging.getLogger(__name__)

    # Try to import hvac, install if not present
    try:
        import hvac
    except ImportError:
        logger.info("hvac package not found. Attempting to install...")
        try:
            subprocess.check_call([sys.executable, "-m", "pip", "install", "hvac"])
            import hvac

            logger.info("hvac package installed successfully")
        except subprocess.CalledProcessError as e:
            logger.error(f"Failed to install hvac package: {str(e)}")
            sys.exit(1)

    import argparse

    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

    @staticmethod
    def get_vault_secret(
        token: str,
        path: str,
        vault_addr: str = "http://127.0.0.1:8200",
        verify: bool = True,
    ) -> Optional[Any]:
        try:
            # Initialize the Vault client
            client = hvac.Client(url=vault_addr, token=token, verify=verify)

            # Check if client is authenticated
            if not client.is_authenticated():
                logger.error("Failed to authenticate with Vault")
                return None

            # Split path to separate the key if it exists
            path_parts = path.rsplit(".", 1)
            secret_path = path_parts[0]
            key = path_parts[1] if len(path_parts) > 1 else "value"

            # Try KV v2 first
            try:
                # For KV v2, try with and without /data/ in the path
                try:
                    if "/data/" not in secret_path:
                        v2_path = secret_path.replace("//", "/").strip("/")
                        mount_point = v2_path.split("/")[0]
                        v2_path = "/".join(v2_path.split("/")[1:])
                    else:
                        # Remove /data/ for the API call
                        v2_path = secret_path.replace("/data/", "/")
                        mount_point = v2_path.split("/")[0]
                        v2_path = "/".join(v2_path.split("/")[1:])

                    secret = client.secrets.kv.v2.read_secret_version(
                        path=v2_path,
                        mount_point=mount_point,
                        raise_on_deleted_version=False,
                    )
                    if secret and "data" in secret and "data" in secret["data"]:
                        secret_data = secret["data"]["data"]
                        if key in secret_data:
                            return secret_data[key]
                        logger.warning(f"Key '{key}' not found in KV v2 secret")
                except Exception as e:
                    logger.debug(f"KV v2 attempt failed: {str(e)}")

                # Try KV v1
                try:
                    secret = client.read(secret_path)
                    if secret and "data" in secret:
                        secret_data = secret["data"]
                        if key in secret_data:
                            return secret_data[key]
                        logger.warning(f"Key '{key}' not found in KV v1 secret")
                except Exception as e:
                    logger.debug(f"KV v1 attempt failed: {str(e)}")

                print(f"Secret not found at path: {path}")
                return None

            except Exception as e:
                print(f"Error reading secret: {str(e)}")
                return None

        except Exception as e:
            print(f"Error connecting to Vault: {str(e)}")
            return None

    @staticmethod
    def vault_access() -> None:
        """
        Query Vault for secrets based on path and optionally a key
        User needs to provide a path, optionally a key, and the Vault token if not set in the environment.
        """
        parser = argparse.ArgumentParser(
            description="Retrieve secrets from HashiCorp Vault"
        )
        parser.add_argument(
            "--token",
            default=os.environ.get("VAULT_TOKEN"),
            help="Vault authentication token (defaults to VAULT_TOKEN environment variable)",
        )
        parser.add_argument(
            "--path",
            required=True,
            help="Path to the secret in Vault (with optional .key)",
        )
        parser.add_argument(
            "--vault-addr",
            default="https://192.168.1.8:8200",
            help="Vault server address",
        )
        parser.add_argument(
            "--no-verify", action="store_true", help="Disable TLS verification"
        )

        args: argparse.Namespace = parser.parse_args()

        if not args.token:
            print(
                "No token provided. Please set VAULT_TOKEN environment variable or use --token"
            )
            sys.exit(1)

        secret: Optional[Any] = Tools.get_vault_secret(
            token=args.token,
            path=args.path,
            vault_addr=args.vault_addr,
            verify=not args.no_verify,
        )

        if secret is not None:
            print(secret)
        else:
            print("Failed to retrieve secret")
adding files to be merged into main 2024-12-12 16:02:39 +00:00			`import sys`
			`import subprocess`
			`import logging`
			`import urllib3`
			`import os`
update the script for type secrets 2024-12-12 17:17:00 +00:00			`from typing import Optional, Any`
adding files to be merged into main 2024-12-12 16:02:39 +00:00

			`class Tools:`
update the script for type secrets 2024-12-12 17:17:00 +00:00			`def __init__(self) -> None:`
adding files to be merged into main 2024-12-12 16:02:39 +00:00			`pass`

			`# Configure logging`
update the script for type secrets 2024-12-12 17:17:00 +00:00			`logging.basicConfig(`
			`level=logging.INFO, format="%(asctime)s - %(levelname)s - %(message)s"`
			`)`
adding files to be merged into main 2024-12-12 16:02:39 +00:00			`logger = logging.getLogger(__name__)`

			`# Try to import hvac, install if not present`
			`try:`
			`import hvac`
			`except ImportError:`
			`logger.info("hvac package not found. Attempting to install...")`
			`try:`
			`subprocess.check_call([sys.executable, "-m", "pip", "install", "hvac"])`
			`import hvac`
update the script for type secrets 2024-12-12 17:17:00 +00:00
adding files to be merged into main 2024-12-12 16:02:39 +00:00			`logger.info("hvac package installed successfully")`
			`except subprocess.CalledProcessError as e:`
			`logger.error(f"Failed to install hvac package: {str(e)}")`
			`sys.exit(1)`

			`import argparse`

			`urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)`

update the script for type secrets 2024-12-12 17:17:00 +00:00			`@staticmethod`
			`def get_vault_secret(`
			`token: str,`
			`path: str,`
			`vault_addr: str = "http://127.0.0.1:8200",`
			`verify: bool = True,`
			`) -> Optional[Any]:`
adding files to be merged into main 2024-12-12 16:02:39 +00:00			`try:`
			`# Initialize the Vault client`
update the script for type secrets 2024-12-12 17:17:00 +00:00			`client = hvac.Client(url=vault_addr, token=token, verify=verify)`
adding files to be merged into main 2024-12-12 16:02:39 +00:00
			`# Check if client is authenticated`
			`if not client.is_authenticated():`
			`logger.error("Failed to authenticate with Vault")`
			`return None`

			`# Split path to separate the key if it exists`
update the script for type secrets 2024-12-12 17:17:00 +00:00			`path_parts = path.rsplit(".", 1)`
adding files to be merged into main 2024-12-12 16:02:39 +00:00			`secret_path = path_parts[0]`
update the script for type secrets 2024-12-12 17:17:00 +00:00			`key = path_parts[1] if len(path_parts) > 1 else "value"`
adding files to be merged into main 2024-12-12 16:02:39 +00:00
			`# Try KV v2 first`
			`try:`
			`# For KV v2, try with and without /data/ in the path`
			`try:`
update the script for type secrets 2024-12-12 17:17:00 +00:00			`if "/data/" not in secret_path:`
			`v2_path = secret_path.replace("//", "/").strip("/")`
			`mount_point = v2_path.split("/")[0]`
			`v2_path = "/".join(v2_path.split("/")[1:])`
adding files to be merged into main 2024-12-12 16:02:39 +00:00			`else:`
			`# Remove /data/ for the API call`
update the script for type secrets 2024-12-12 17:17:00 +00:00			`v2_path = secret_path.replace("/data/", "/")`
			`mount_point = v2_path.split("/")[0]`
			`v2_path = "/".join(v2_path.split("/")[1:])`
adding files to be merged into main 2024-12-12 16:02:39 +00:00
			`secret = client.secrets.kv.v2.read_secret_version(`
			`path=v2_path,`
			`mount_point=mount_point,`
			`raise_on_deleted_version=False,`
			`)`
update the script for type secrets 2024-12-12 17:17:00 +00:00			`if secret and "data" in secret and "data" in secret["data"]:`
			`secret_data = secret["data"]["data"]`
adding files to be merged into main 2024-12-12 16:02:39 +00:00			`if key in secret_data:`
			`return secret_data[key]`
			`logger.warning(f"Key '{key}' not found in KV v2 secret")`
			`except Exception as e:`
			`logger.debug(f"KV v2 attempt failed: {str(e)}")`

			`# Try KV v1`
			`try:`
			`secret = client.read(secret_path)`
update the script for type secrets 2024-12-12 17:17:00 +00:00			`if secret and "data" in secret:`
			`secret_data = secret["data"]`
adding files to be merged into main 2024-12-12 16:02:39 +00:00			`if key in secret_data:`
			`return secret_data[key]`
			`logger.warning(f"Key '{key}' not found in KV v1 secret")`
			`except Exception as e:`
			`logger.debug(f"KV v1 attempt failed: {str(e)}")`

			`print(f"Secret not found at path: {path}")`
			`return None`

			`except Exception as e:`
			`print(f"Error reading secret: {str(e)}")`
			`return None`

			`except Exception as e:`
			`print(f"Error connecting to Vault: {str(e)}")`
			`return None`

update the script for type secrets 2024-12-12 17:17:00 +00:00			`@staticmethod`
			`def vault_access() -> None:`
adding files to be merged into main 2024-12-12 16:02:39 +00:00			`"""`
			`Query Vault for secrets based on path and optionally a key`
			`User needs to provide a path, optionally a key, and the Vault token if not set in the environment.`
			`"""`
update the script for type secrets 2024-12-12 17:17:00 +00:00			`parser = argparse.ArgumentParser(`
			`description="Retrieve secrets from HashiCorp Vault"`
			`)`
			`parser.add_argument(`
			`"--token",`
			`default=os.environ.get("VAULT_TOKEN"),`
			`help="Vault authentication token (defaults to VAULT_TOKEN environment variable)",`
			`)`
			`parser.add_argument(`
			`"--path",`
			`required=True,`
			`help="Path to the secret in Vault (with optional .key)",`
			`)`
			`parser.add_argument(`
			`"--vault-addr",`
			`default="https://192.168.1.8:8200",`
			`help="Vault server address",`
			`)`
			`parser.add_argument(`
			`"--no-verify", action="store_true", help="Disable TLS verification"`
			`)`
adding files to be merged into main 2024-12-12 16:02:39 +00:00
update the script for type secrets 2024-12-12 17:17:00 +00:00			`args: argparse.Namespace = parser.parse_args()`
adding files to be merged into main 2024-12-12 16:02:39 +00:00
			`if not args.token:`
update the script for type secrets 2024-12-12 17:17:00 +00:00			`print(`
			`"No token provided. Please set VAULT_TOKEN environment variable or use --token"`
			`)`
adding files to be merged into main 2024-12-12 16:02:39 +00:00			`sys.exit(1)`

update the script for type secrets 2024-12-12 17:17:00 +00:00			`secret: Optional[Any] = Tools.get_vault_secret(`
adding files to be merged into main 2024-12-12 16:02:39 +00:00			`token=args.token,`
			`path=args.path,`
			`vault_addr=args.vault_addr,`
update the script for type secrets 2024-12-12 17:17:00 +00:00			`verify=not args.no_verify,`
adding files to be merged into main 2024-12-12 16:02:39 +00:00			`)`

			`if secret is not None:`
			`print(secret)`
			`else:`
			`print("Failed to retrieve secret")`