Current File : //lib/python2.7/site-packages/salt/renderers/aws_kms.pyo
Renderer that will decrypt ciphers encrypted using `AWS KMS Envelope Encryption`_.

.. _`AWS KMS Envelope Encryption`: https://docs.aws.amazon.com/kms/latest/developerguide/workflow.html

Any string in the data to be rendered can be a Fernet token (a urlsafe_b64encoded string), and this
renderer will attempt to decrypt it before passing it off to Salt. This allows you to safely store
secrets in source control, in such a way that only your Salt master can decrypt them and
distribute them only to the minions that need them.

The typical use-case would be to use ciphers in your pillar data, and keep the encrypted
data key on your master. This way developers with appropriate AWS IAM privileges can add new secrets
quickly and easily.

This renderer requires the boto3_ Python library.

.. _boto3: https://boto3.readthedocs.io/

Setup
-----

First, set up your AWS client. For complete instructions on configuring the AWS client,
please read the `boto3 configuration documentation`_. By default, this renderer will use
the default AWS profile. You can override the profile name in the salt configuration.
For example, if you have a profile in your aws client configuration named "salt",
you can add the following salt configuration:

.. code-block:: yaml

    aws_kms:
      profile_name: salt

.. _boto3 configuration documentation: https://boto3.readthedocs.io/en/latest/guide/configuration.html

The rest of these instructions assume that you will use the default profile for key generation
and setup. If not, export AWS_PROFILE and set it to the desired value.

Once the aws client is configured, generate a KMS customer master key and use that to generate
a local data key. Only the encrypted form of the data key (the ``CiphertextBlob``) is written
to the master configuration; the renderer asks KMS to decrypt it at render time.

.. code-block:: bash

    # data_key=$(aws kms generate-data-key --key-id your-key-id --key-spec AES_256 \
                 --query 'CiphertextBlob' --output text)
    # printf 'aws_kms:\n  data_key: !!binary "%s"\n' "$data_key" >> config/master

To apply the renderer on a file-by-file basis, add the following line to the
top of any pillar file that contains aws_kms ciphertext:

.. code-block:: yaml

    #!yaml|aws_kms

Now with your renderer configured, you can include your ciphers in your pillar
data like so:

.. code-block:: yaml

    #!yaml|aws_kms

    a-secret: gAAAAABaj5uzShPI3PEz6nL5Vhk2eEHxGXSZj8g71B84CZsVjAAtDFY1mfjNRl-1Su9YVvkUzNjI4lHCJJfXqdcTvwczBYtKy0Pa7Ri02s10Wn1tF0tbRwk=
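As an added example (not code from the Salt module), the following stdlib-only Python shows the key step the renderer performs, turning the 32-byte KMS ``Plaintext`` into a Fernet key with ``urlsafe_b64encode``, and then checks which strings in pillar data are Fernet tokens that authenticate under that key. This matters because the renderer hands back any token it cannot decrypt unchanged instead of failing the render, so a token made under the wrong data key is easy to miss. ``PLAINTEXT_DATA_KEY``, ``make_token`` and ``find_bad_tokens`` are constructed names, and the token body is dummy bytes because only the HMAC is checked, not AES.

```python
import base64
import hashlib
import hmac
import struct

# Constructed stand-in for the 32-byte Plaintext kms.decrypt() returns (not a real key).
PLAINTEXT_DATA_KEY = bytes(range(32))


def fernet_key_from_kms_plaintext(plaintext):
    """Derive the Fernet key as the renderer does: urlsafe base64 of the raw key.
    Fernet uses bytes 0-15 for HMAC signing and bytes 16-31 for AES."""
    return base64.urlsafe_b64encode(plaintext)


def _mac(fernet_key, body):
    signing_key = base64.urlsafe_b64decode(fernet_key)[:16]
    return hmac.new(signing_key, body, hashlib.sha256).digest()


def make_token(fernet_key, iv, ciphertext, timestamp):
    """Constructed helper: sign a body exactly as Fernet.encrypt() does
    (0x80 | 8-byte BE timestamp | 16-byte IV | ciphertext | HMAC). No AES here."""
    body = b"\x80" + struct.pack(">Q", timestamp) + iv + ciphertext
    return base64.urlsafe_b64encode(body + _mac(fernet_key, body)).decode("ascii")


def token_authenticates(token, fernet_key):
    """True if token is a well-formed Fernet token whose HMAC-SHA256 verifies;
    a corrupted token or one made under another data key fails here."""
    try:
        data = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return False
    if len(data) < 1 + 8 + 16 + 32 or data[0] != 0x80:
        return False
    return hmac.compare_digest(data[-32:], _mac(fernet_key, data[:-32]))


def find_bad_tokens(obj, fernet_key, path="pillar"):
    """Walk pillar data as _decrypt_object does (dicts, lists, strings) and list
    the paths of strings that look like Fernet tokens but fail authentication."""
    bad = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            bad.extend(find_bad_tokens(value, fernet_key, "%s.%s" % (path, key)))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            bad.extend(find_bad_tokens(value, fernet_key, "%s[%d]" % (path, idx)))
    elif isinstance(obj, str) and obj.startswith("gAAAAA"):  # 0x80 + zero-led timestamp
        if not token_authenticates(obj, fernet_key):
            bad.append(path)
    return bad
```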
The remaining docstrings recoverable from the compiled module (built from
``/usr/lib/python2.7/site-packages/salt/renderers/aws_kms.py``) describe its functions:

``__virtual__()``
    Only load if boto libraries exist and if boto libraries are greater than
    a given version.

``_cfg(key, default)``
    Return the requested value from the aws_kms key in salt configuration.
    If it's not set, return the default.

``_cfg_data_key()``
    Return the encrypted KMS data key from configuration.
    Raises SaltConfigurationError ("aws_kms:data_key is not set") if not set.

``_session()``
    Return the boto3 session to use for the KMS client.
    If aws_kms:profile_name is set in the salt configuration, use that profile.
    Otherwise, fall back on the default aws profile.
    We use the boto3 profile system to avoid having to duplicate
    individual boto3 configuration settings in salt configuration.
    A missing profile or an undetermined endpoint region is reported as a
    SaltConfigurationError.

``_kms()``
    Return the boto3 client for the KMS API.

``_api_decrypt()``
    Return the response dictionary from the KMS decrypt API call.
    An ``InvalidCiphertextException`` from KMS is reported as
    "aws_kms:data_key is not a valid KMS data key".

``_plaintext_data_key()``
    Return the configured KMS data key decrypted.
    Cache the result to minimize API calls to AWS.

``_base64_plaintext_data_key()``
    Return the configured KMS data key decrypted and encoded in urlsafe base64.

``_decrypt_ciphertext(cipher, translate_newlines)``
    Given a blob of ciphertext as a bytestring, try to decrypt
    the cipher and return the decrypted string. If the cipher cannot be
    decrypted, log the error, and return the ciphertext back out.

``_decrypt_object(obj, translate_newlines)``
    Recursively try to decrypt any object.
    Recur on objects that are not strings.
    Decrypt strings that are valid Fernet tokens.
    Return the rest unchanged.

``render(data, saltenv, sls, argline, **kwargs)``
    Decrypt the data to be rendered that was encrypted using AWS KMS envelope encryption.
    The ``translate_newlines`` keyword (default False) is passed through to the decryption.