91 lines
3.2 KiB
Python
91 lines
3.2 KiB
Python
"""
|
|
title: Hashicorp Vault Tool
|
|
author: Josh Knapp
|
|
version: 0.4.5
|
|
"""
|
|
|
|
import subprocess
|
|
import os
|
|
import hvac
|
|
import urllib3
|
|
from pydantic import BaseModel, Field
|
|
|
|
|
|
# Try to import hvac, install if not present
|
|
try:
|
|
import hvac
|
|
except ImportError:
|
|
print("hvac package not found. Attempting to install...")
|
|
try:
|
|
subprocess.check_call([sys.executable, "-m", "pip", "install", "hvac"])
|
|
import hvac
|
|
|
|
print("hvac package installed successfully")
|
|
except subprocess.CalledProcessError as e:
|
|
print(f"Failed to install hvac package: {str(e)}")
|
|
|
|
|
|
class Tools:
|
|
class Valves(BaseModel):
|
|
VAULT_ADDR: str = Field(
|
|
default="",
|
|
description="The Web Address for the Vault Server",
|
|
)
|
|
TLS_VERIFY: bool = Field(
|
|
default="False",
|
|
description="Check the TLS Certificate for the Vault Server",
|
|
)
|
|
|
|
def __init__(self):
|
|
self.valves = self.Valves()
|
|
pass
|
|
|
|
def get_vault_secret(self, path: str, token: str) -> str:
|
|
"""
|
|
Read secrets stored within HashiCorp Vault based on the path provided by the user.
|
|
:param token: Vault authentication token
|
|
:param path: Path to the secret in Vault
|
|
:return: The value of the secret or the error message if one is produced
|
|
|
|
"""
|
|
# Check if Vault Address has been set
|
|
if not self.valves.VAULT_ADDR:
|
|
return "The Vault Address has not been set. Please define it in the Tool's Valves"
|
|
# Check if a Token is set
|
|
if not token:
|
|
return f"No token defined, please either provide one in the prompt or via an Environment Variable {token}"
|
|
vault_addr = self.valves.VAULT_ADDR
|
|
# Attempt to connect to HashiCorp Vault
|
|
try:
|
|
if self.valves.TLS_VERIFY == True:
|
|
client = hvac.Client(
|
|
url=vault_addr, token=token, verify=self.valves.TLS_VERIFY
|
|
)
|
|
else:
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
|
client = hvac.Client(
|
|
url=vault_addr, token=token, verify=self.valves.TLS_VERIFY
|
|
)
|
|
# Check Authentication
|
|
if not client.is_authenticated():
|
|
return "Failed to authenticate with Vault"
|
|
|
|
# Split path to separate the key if it exists
|
|
path_parts = path.rsplit(".", 1)
|
|
secret_path = path_parts[0]
|
|
key = path_parts[1] if len(path_parts) > 1 else "value"
|
|
try:
|
|
secret = client.read(secret_path)
|
|
if secret and "data" in secret:
|
|
secret_data = secret["data"]
|
|
if key in secret_data:
|
|
return secret_data[key]
|
|
else:
|
|
return f"Key '{key}' not found in KV v1 secret path. Check your secret path and ensure the token used has the appropriate permissions."
|
|
|
|
except Exception as e:
|
|
print(f"KV v1 attempt failed: {str(e)}")
|
|
return f"Secret not found at path: {path}"
|
|
except Exception as e:
|
|
return f"Error connecting to Vault: {str(e)}"
|