Page MenuHomeDevCentral
Files F3754856

D2686.id6859.diff
No OneTemporary
Actions

D2686.id6859.diff
View Options

diff --git a/Core.tcl b/Core.tcl
--- a/Core.tcl
+++ b/Core.tcl
@@ -253,10 +253,15 @@
sql disconnect
sql2 disconnect
}
- sql connect $sql(host) $sql(user) $sql(pass)
- sql2 connect $sql(host) $sql(user) $sql(pass)
+
+ set sql_credentials [dict get [vault_get mysql] data]
+
+ sql connect $sql(host) [dict get $sql_credentials username] [dict get $sql_credentials password]
+ sql2 connect $sql(host) [dict get $sql_credentials username] [dict get $sql_credentials password]
sql selectdb $sql(database)
sql2 selectdb $sql(database)
+
+ unset sql_credentials
}
#Escape a string to use as sql query parameter
diff --git a/Vault.tcl b/Vault.tcl
new file mode 100644
--- /dev/null
+++ b/Vault.tcl
@@ -0,0 +1,22 @@
+package require vault
+
+proc vault_login {} {
+ global vault
+
+ ::vault::init $vault(host)
+ ::vault::appRoleLogin $vault(roleID) $vault(secretID)
+}
+
+proc vault_get {property {key {}}} {
+ if {[catch {set credential [::vault::readKV apps/viperserv/$property $key]} err]} {
+ if {[string match "*403 Forbidden*" $err]} {
+ # Token expired?
+ vault_login
+ return [::vault::readKV apps/viperserv/$property $key]
+ }
+ }
+
+ return $credential
+}
+
+vault_login
diff --git a/Wearg/Broker.tcl b/Wearg/Broker.tcl
--- a/Wearg/Broker.tcl
+++ b/Wearg/Broker.tcl
@@ -17,7 +17,7 @@
}
proc connect {} {
- mq connect [registry get broker.host] [registry get broker.user] [registry get broker.password] [registry get broker.vhost]
+ mq connect [registry get broker.host] [vault_get broker username] [vault_get broker password] [registry get broker.vhost]
}
proc is_timer_started {} {
diff --git a/vendor/README.md b/vendor/README.md
--- a/vendor/README.md
+++ b/vendor/README.md
@@ -15,3 +15,4 @@
- bseen1.4.2.tcl - Bass's Seen - provides `!seen` command
- proxycheck.tcl - Open proxy checker by James Seward (GPL)
+ - vault.tcl - Vault API client WIP o be integrated in tcllib (BSD-2-Clause)
diff --git a/vendor/vault.tcl b/vendor/vault.tcl
new file mode 100644
--- /dev/null
+++ b/vendor/vault.tcl
@@ -0,0 +1,113 @@
+# -*- tcl -*-
+#
+# Copyright (c) 2022 by Sébastien Santoro <dereckson@espace-win.org>
+#
+# A client to use HashiCorp Vault through the HTTP API.
+
+package require http
+package require json
+package require json::write
+package require tls
+
+::http::register https 443 ::tls::socket
+
+package provide vault 0.1
+
+namespace eval ::vault {
+
+ variable addr
+ variable token
+
+}
+
+###
+### Initialize parameters
+###
+
+proc ::vault::init {{address ""}} {
+ variable addr
+ variable token
+
+ if {$address == ""} {
+ # Try to read VAULT_ADDR standard environment variable
+ if {[info exists env(VAULT_ADDR)]} {
+ set addr $env(VAULT_ADDR)
+ return
+ }
+
+ error "Address must be specified as argument or available in VAULT_ADDR environment variable."
+ }
+
+ set addr $address
+ set token ""
+}
+
+proc ::vault::setToken {sessionToken} {
+ variable token
+ set token $sessionToken
+}
+
+###
+### Helper methods
+###
+
+proc ::vault::request {method url {params {}}} {
+ variable addr
+ variable token
+
+ set command [list ::http::geturl $addr$url -method $method]
+
+ if {[llength $params] > 0} {
+ lappend command -query
+ lappend command [::vault::payload $params]
+ }
+
+ if {$token != ""} {
+ lappend command -headers
+ lappend command [list X-Vault-Token $token]
+ }
+
+ set httpToken [{*}$command]
+ if {[::http::ncode $httpToken] != 200} {
+ error "Vault returned [::http::code $httpToken], 200 OK was expected."
+ }
+
+ set response [::json::json2dict [::http::data $httpToken]]
+ ::http::cleanup $httpToken
+ return $response
+}
+
+proc ::vault::payload {params} {
+ ::json::write object {*}[dict map {k v} $params {
+ set v [::json::write string $v]
+ }]
+}
+
+proc ::vault::resolveKVPath {path} {
+ set parts [split $path /]
+
+ return /v1/[lindex $parts 0]/data/[join [lrange $parts 1 end] /]
+}
+
+###
+### API methods
+###
+
+proc ::vault::appRoleLogin {roleID secretID} {
+ set params [list role_id $roleID secret_id $secretID]
+ set response [::vault::request POST /v1/auth/approle/login $params]
+
+ variable token
+ set token [dict get [dict get $response auth] client_token]
+}
+
+proc ::vault::readKV {path {key {}}} {
+ set response [::vault::request GET [::vault::resolveKVPath $path]]
+ set response [dict get $response data]
+
+ if {$key == ""} {
+ return $response
+ }
+
+ dict get [dict get $response data] $key
+}

File Metadata

Mime Type
text/plain
Expires
Tue, Nov 19, 10:32 (21 h, 58 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2252399
Default Alt Text
D2686.id6859.diff (4 KB)

Event Timeline

Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator