modifying vault utils, separating the client + introducing cli and co…

…nfig for server
CSCfi · Mar 20, 2024 · 3076311 · 3076311
1 parent 427341d
commit 3076311
Show file tree

Hide file tree

Showing 5 changed files with 61 additions and 19 deletions.
diff --git a/server/app.py b/server/app.py
@@ -9,7 +9,8 @@
 from tools.docker_utils import get_build_env_image_digests
 from pyspiffe.spiffe_id.spiffe_id import SpiffeId
 
-sys.path.append(os.path.expanduser("../"))
+from tools.config.config import parse_configuration
+from tools.cli.cli import parse_arguments
 from utils.vault.vault_utils import (
  vault_login,
  write_client_policy,
@@ -20,11 +21,14 @@
 
 app = Quart(__name__)
 
+options = parse_arguments()
+configuration = parse_configuration(options.config)
+
 # Defining the trust domain (SPIRE Trust Domain)
-trust_domain = "lumi-sd-dev"
+trust_domain = configuration['spire-server']['trust-domain']
 
 # Perform vault login, to be able to run later operations against vault
-vault_login(get_server_identity_JWT(), "lumi-sd-server")
+hvac_client = vault_login(configuration['vault']['url'], get_server_identity_JWT(), trust_domain)
 
 
 # Dummy endpoint that handles the registration of compute nodes.
@@ -73,7 +77,7 @@ async def handle_client_registration():
  client_id = hashlib.sha256(client_id.encode()).hexdigest()[0:9]
 
  # Write a policy to the vault to authorize the client to write secrets
- write_client_policy(f"client_{client_id}")
+ write_client_policy(hvac_client, f"client_{client_id}")
 
  # Create spiffeID out of this client id
  agent_spiffeID = SpiffeId.parse(f"spiffe://{trust_domain}/c/{client_id}")
@@ -93,7 +97,7 @@ async def handle_client_registration():
  )
 
  # Write the role bound to the workload's spiffeID
- write_client_role(f"client_{client_id}", workload_spiffeID)
+ write_client_role(hvac_client, f"client_{client_id}", workload_spiffeID)
 
  # For each authorized container preparation process (Here, a list of docker container_preaparation image names)
  for digest in get_build_env_image_digests():
@@ -223,10 +227,10 @@ async def handle_workload_creation():
  compute_nodes_added[compute_node]["groups"] = groups_added
 
  # Generate and create a policy that gives read-only access to the application's secret
- write_user_policy(f"client_{client_id}", data["secret"])
+ write_user_policy(hvac_client, f"client_{client_id}", data["secret"])
 
  # Generate and create a role bound to the policy and to the spiffeID
- write_user_role(f"client_{client_id}", data["secret"], spiffeID)
+ write_user_role(hvac_client, f"client_{client_id}", data["secret"], spiffeID)
 
  # Success
  return {

diff --git a/server/tools/cli/cli.py b/server/tools/cli/cli.py
@@ -0,0 +1,20 @@
+import argparse
+
+# Parse arguments from the cli
+def parse_arguments():
+ """Parse arguments from cli
+
+ Returns:
+ ArgumentParser: the ArgumentParser produced
+ """
+ parser = argparse.ArgumentParser(description="CLI Optinons")
+
+ parser.add_argument(
+ "--config",
+ "-c",
+ type=str,
+ default="/tmp/hpcs-server.conf",
+ help="Configuration file (INI Format) (default: /tmp/hpcs-server.conf)",
+ )
+
+ return parser.parse_args()
diff --git a/server/tools/config/config.py b/server/tools/config/config.py
@@ -0,0 +1,19 @@
+from configparser import ConfigParser, NoSectionError, NoOptionError
+
+def parse_configuration(path : str):
+ config = ConfigParser()
+ config.read(path)
+
+ if not 'spire-server' in config:
+ raise NoSectionError("spire-server section missing, aborting")
+
+ if not 'vault' in config:
+ raise NoSectionError("vault section missing, aborting")
+
+ if not 'address' in config['spire-server'] or not 'port' in config['spire-server'] or not 'trust_domain' in config['spire-server']:
+ raise NoOptionError("'spire-server' section is incomplete, aborting")
+
+ if not 'url' in config['vault']:
+ raise NoOptionError("'vault' section is incomplete, aborting")
+
+ return config
diff --git a/utils/ship_a_key.py b/utils/ship_a_key.py
@@ -285,15 +285,15 @@ def create_authorized_workloads(
  )
 
  # Login to the vault using client's certificate
- vault_login(SVID, f"client_{client_id}")
+ hvac_client = vault_login(SVID, f"client_{client_id}")
 
  # Prepare secret
  secret = {}
  with open(pem_path, "r") as pem:
  secret["key"] = pem.read()
 
  # Write secret to the vault
- write_secret(secrets_path, secret)
+ write_secret(hvac_client, secrets_path, secret)
 
  print(
  f"Key successfully written to the vault. Users needs the role {user_role} to access the secret stored at {secrets_path}"

diff --git a/utils/vault/vault_utils.py b/utils/vault/vault_utils.py
@@ -2,20 +2,19 @@
 from pyspiffe.svid.jwt_svid import JwtSvid
 from pyspiffe.spiffe_id.spiffe_id import SpiffeId
 
-client = hvac.Client(url="")
-
-
-def vault_login(SVID: JwtSvid, client_id):
+def vault_login(url : str, SVID: JwtSvid, client_id) -> hvac.Client :
  """Login to vault
 
  Args:
  SVID (JwtSvid): The client's certificate to perform mTLS via OIDC
  client_id (str): client's id, which happens to be the name of the role bound to the client
  """
- return client.auth.jwt.jwt_login(role=client_id, jwt=SVID.token)
+ client = hvac.Client(url=url)
+ client.auth.jwt.jwt_login(role=client_id, jwt=SVID.token)
+ return client
 
 
-def write_client_policy(client_id: str):
+def write_client_policy(client : hvac.Client, client_id: str):
  """Write a client write-only policy to vault
 
  Args:
@@ -30,7 +29,7 @@ def write_client_policy(client_id: str):
  return client.sys.create_or_update_acl_policy(name=f"{client_id}", policy=policy)
 
 
-def write_client_role(client_id: str, spiffeID: SpiffeId):
+def write_client_role(client : hvac.Client, client_id: str, spiffeID: SpiffeId):
  """Write a client role, mapping a "clientID" named role to a spiffeID
 
  Args:
@@ -48,7 +47,7 @@ def write_client_role(client_id: str, spiffeID: SpiffeId):
  )
 
 
-def write_user_policy(client_id: str, application: str):
+def write_user_policy(client : hvac.Client, client_id: str, application: str):
  """Write a user read-only policy to vault
 
  Args:
@@ -66,7 +65,7 @@ def write_user_policy(client_id: str, application: str):
  )
 
 
-def write_user_role(client_id: str, application: str, spiffeID: SpiffeId):
+def write_user_role(client : hvac.Client, client_id: str, application: str, spiffeID: SpiffeId):
  """Write a user role bounding a spiffeID to the read-only policy accessing the client's secret
 
  Args:
@@ -85,7 +84,7 @@ def write_user_role(client_id: str, application: str, spiffeID: SpiffeId):
  )
 
 
-def write_secret(secrets_path: str, secret: any):
+def write_secret(client : hvac.Client, secrets_path: str, secret: any):
  """Write a secret to the vault
 
  Args: