🐛 Fix vault cmds (#2346)

* 🐛 Fix vault sub commands. * bump all go mods.
mondoohq · Oct 24, 2023 · f097889 · f097889
1 parent c1f3c7a
commit f097889
Show file tree

Hide file tree

Showing 42 changed files with 3,979 additions and 214 deletions.
diff --git a/apps/cnquery/cmd/vault.go b/apps/cnquery/cmd/vault.go
@@ -6,13 +6,14 @@ package cmd
 import (
  "context"
  "fmt"
+ "os"
  "strings"
 
  "github.com/rs/zerolog/log"
  "github.com/spf13/cobra"
  "github.com/spf13/viper"
+ "go.mondoo.com/cnquery/v9/providers-sdk/v1/inventory"
  "go.mondoo.com/cnquery/v9/providers-sdk/v1/vault"
- "go.mondoo.com/cnquery/v9/providers-sdk/v1/vault/config"
 )
 
 func init() {
@@ -21,24 +22,19 @@ func init() {
 
  vaultConfigureCmd.Flags().String("type", "", "possible values: "+strings.Join(vault.TypeIds(), " | "))
  vaultConfigureCmd.Flags().StringToString("option", nil, "addition vault connection options, multiple options via --option key=value")
+ vaultConfigureCmd.Flags().String("inventory-file", "", "Set the path to the inventory file.")
  VaultCmd.AddCommand(vaultConfigureCmd)
 
  VaultCmd.AddCommand(vaultRemoveCmd)
  VaultCmd.AddCommand(vaultResetCmd)
 
+ vaultAddSecretCmd.Flags().String("inventory-file", "", "Set the path to the inventory file.")
+ vaultAddSecretCmd.MarkFlagRequired("inventory-file")
  VaultCmd.AddCommand(vaultAddSecretCmd)
 
  rootCmd.AddCommand(VaultCmd)
 }
 
-func emptyVaultConfigSecret() *vault.Secret {
- return &vault.Secret{
- Key: config.VaultConfigStoreKey,
- Label: "User Vault Settings",
- Data: config.ClientVaultConfig{}.SecretData(),
- }
-}
-
 // VaultCmd represents the vault command
 var VaultCmd = &cobra.Command{
  Use: "vault",
@@ -47,40 +43,15 @@ var VaultCmd = &cobra.Command{
 }
 
 var vaultListCmd = &cobra.Command{
- Use: "list",
- Short: "List vault environments.",
- Long: ``,
+ Use: "list",
+ Short: "List vault environments.",
+ Long: ``,
+ Hidden: true,
  PreRun: func(cmd *cobra.Command, args []string) {
  viper.BindPFlag("show-options", cmd.Flags().Lookup("show-options"))
  },
  Run: func(cmd *cobra.Command, args []string) {
- v := config.GetInternalVault()
- ctx := context.Background()
- secret, err := v.Get(ctx, &vault.SecretID{
- Key: config.VaultConfigStoreKey,
- })
- if err != nil {
- log.Fatal().Msg("no vault configured")
- }
-
- showOptions := viper.GetBool("show-options")
-
- vCfgs, err := config.NewClientVaultConfig(secret)
- if err != nil {
- log.Fatal().Err(err).Msg("could not unmarshal credential")
- }
-
- for k, vCfg := range vCfgs {
- // print configured vault
- fmt.Printf("vault : %s (%s)\n", k, vCfg.Type.Value())
- // print options if requested
- if showOptions {
- fmt.Printf("options:\n")
- for ko, vo := range vCfg.Options {
- fmt.Printf(" %s = %s\n", ko, vo)
- }
- }
- }
+ log.Fatal().Msg("sub-command is not supported anymore, see https://mondoo.com/docs/platform/infra/opsys/automation/vault/ for how to use vault environments")
  },
 }
 
@@ -90,157 +61,112 @@ var vaultConfigureCmd = &cobra.Command{
  Short: "Configure a vault environment.",
  Long: `
 
-cnquery vault set mondoo-client-vault --type linux-kernel-keyring
+cnquery vault configure mondoo-client-vault --type linux-kernel-keyring
 
 `,
  Args: cobra.ExactArgs(1),
  PreRun: func(cmd *cobra.Command, args []string) {
  viper.BindPFlag("type", cmd.Flags().Lookup("type"))
  viper.BindPFlag("option", cmd.Flags().Lookup("option"))
+ viper.BindPFlag("inventory-file", cmd.Flags().Lookup("inventory-file"))
  },
  Run: func(cmd *cobra.Command, args []string) {
- v := config.GetInternalVault()
- ctx := context.Background()
-
- secret, err := v.Get(ctx, &vault.SecretID{
- Key: config.VaultConfigStoreKey,
- })
- // error happens on initial use, create a new configuration
- if err != nil {
- secret = emptyVaultConfigSecret()
- }
-
- vCfgs, err := config.NewClientVaultConfig(secret)
- if err != nil {
- log.Fatal().Err(err).Msg("could not load vault configuration")
- }
-
  // overwrite existing / set vault config
  // field name = vault name
  vt, err := vault.NewVaultType(viper.GetString("type"))
  if err != nil {
- log.Fatal().Err(err).Msg("could not load vault configuration")
+ log.Fatal().Err(err).Msg("invalid vault configuration type")
  }
 
  vaultName := args[0]
- cfg := vault.VaultConfiguration{
+ cfg := &vault.VaultConfiguration{
  Name: vaultName,
  Type: vt,
  Options: viper.GetStringMapString("option"),
  }
 
- vCfgs.Set(vaultName, cfg)
- secret.Data = vCfgs.SecretData()
+ inventoryFile := viper.GetString("inventory-file")
+ if inventoryFile != "" {
+ inventory, err := inventory.InventoryFromFile(inventoryFile)
+ if err != nil {
+ log.Fatal().Err(err).Msg("could not load inventory")
+ }
+ inventory.Spec.Vault = cfg
 
- log.Info().Str("name", vaultName).Msg("set new vault configuration")
- _, err = v.Set(ctx, secret)
- if err != nil {
- log.Fatal().Err(err).Msg("could not store update into vault")
+ // store inventory file
+ data, err := inventory.ToYAML()
+ if err != nil {
+ log.Fatal().Err(err).Msg("could not marshal inventory")
+ }
+ err = os.WriteFile(viper.GetString("inventory-file"), data, 0o644)
+ if err != nil {
+ log.Fatal().Err(err).Msg("could not write inventory file")
+ }
+ log.Info().Msg("stored vault configuration successfully")
+ } else {
+ log.Info().Msg("add the following vault configuration to your inventory file")
+
+ inventory := &inventory.Inventory{
+ Spec: &inventory.InventorySpec{
+ Vault: cfg,
+ },
+ }
+ data, err := inventory.ToYAML()
+ if err != nil {
+ log.Fatal().Err(err).Msg("could not marshal vault configuration")
+ }
+ fmt.Println(string(data))
  }
-
- log.Info().Msg("stored vault configuration successfully")
  },
 }
 
 var vaultRemoveCmd = &cobra.Command{
- Use: "remove VAULTNAME",
- Short: "Remove a configured vault environment.",
- Long: ``,
- Args: cobra.ExactArgs(1),
+ Use: "remove VAULTNAME",
+ Short: "Remove a configured vault environment.",
+ Long: ``,
+ Args: cobra.ExactArgs(1),
+ Hidden: true,
  Run: func(cmd *cobra.Command, args []string) {
- v := config.GetInternalVault()
- ctx := context.Background()
-
- secret, err := v.Get(ctx, &vault.SecretID{
- Key: config.VaultConfigStoreKey,
- })
- if err != nil {
- log.Fatal().Err(err).Msg("could not retrieve vault configuration")
- }
-
- vCfgs, err := config.NewClientVaultConfig(secret)
- if err != nil {
- log.Fatal().Err(err).Msg("could not load vault configuration")
- }
-
- vaultName := args[0]
- vCfgs.Delete(vaultName)
- secret.Data = vCfgs.SecretData()
-
- log.Info().Str("name", vaultName).Msg("set new vault configuration")
- _, err = v.Set(ctx, secret)
- if err != nil {
- log.Fatal().Err(err).Msg("could not update vault configuration")
- }
-
- log.Info().Msg("removed vault configuration successfully")
+ log.Fatal().Msg("sub-command is not supported anymore, see https://mondoo.com/docs/platform/infra/opsys/automation/vault/ for how to use vault environments")
  },
 }
 
 var vaultResetCmd = &cobra.Command{
- Use: "reset",
- Short: "Reset the vault configuration to defaults.",
- Long: ``,
- Args: cobra.ExactArgs(0),
+ Use: "reset",
+ Short: "Reset the vault configuration to defaults.",
+ Long: ``,
+ Args: cobra.ExactArgs(0),
+ Hidden: true,
  Run: func(cmd *cobra.Command, args []string) {
- v := config.GetInternalVault()
- ctx := context.Background()
-
- _, err := v.Set(ctx, emptyVaultConfigSecret())
- if err != nil {
- log.Fatal().Err(err).Msg("could not retrieve vault configuration")
- }
-
- log.Info().Msg("removed vault configuration successfully")
+ log.Fatal().Msg("sub-command is not supported anymore, see https://mondoo.com/docs/platform/infra/opsys/automation/vault/ for how to use vault environments")
  },
 }
 
 var vaultAddSecretCmd = &cobra.Command{
- Use: "add-secret VAULTNAME SECRETID SECRETVALUE",
+ Use: "add-secret SECRETID SECRETVALUE",
  Short: "Store a secret in a vault.",
- Args: cobra.ExactArgs(3),
+ Args: cobra.ExactArgs(2),
  PreRun: func(cmd *cobra.Command, args []string) {
+ viper.BindPFlag("inventory-file", cmd.Flags().Lookup("inventory-file"))
  },
  Run: func(cmd *cobra.Command, args []string) {
- v := config.GetInternalVault()
- ctx := context.Background()
-
- secret, err := v.Get(ctx, &vault.SecretID{
- Key: config.VaultConfigStoreKey,
- })
- // error happens on initial use, create a new configuration
+ log.Info().Msg("load vault configuration from inventory")
+ inventory, err := inventory.InventoryFromFile(viper.GetString("inventory-file"))
  if err != nil {
- secret = emptyVaultConfigSecret()
- }
-
- vCfgs, err := config.NewClientVaultConfig(secret)
- if err != nil {
- log.Fatal().Err(err).Msg("could not load vault configuration")
- }
-
- // search for vault
- var selectedVaultCfg *vault.VaultConfiguration
- for k, vCfg := range vCfgs {
- if k != args[0] {
- continue
- }
- selectedVaultCfg = &vCfg
- }
- if selectedVaultCfg == nil {
- log.Fatal().Str("vault", args[0]).Msg("could not find vault")
+ log.Fatal().Err(err).Msg("could not load inventory")
  }
 
- selectedVault, err := config.New(selectedVaultCfg)
+ v, err := inventory.GetVault()
  if err != nil {
- log.Fatal().Msg("could not open vault")
+ log.Fatal().Err(err).Msg("could not load vault configuration from inventory")
  }
 
- _, err = selectedVault.Set(ctx, &vault.Secret{
- Key: args[1],
- Data: []byte(args[2]),
+ _, err = v.Set(context.Background(), &vault.Secret{
+ Key: args[0],
+ Data: []byte(args[1]),
  })
  if err != nil {
- log.Fatal().Msg("could not store secret")
+ log.Fatal().Err(err).Msg("could not store secret")
  }
  log.Info().Msg("stored secret successfully")
  },

diff --git a/providers-sdk/v1/inventory/inventory.go b/providers-sdk/v1/inventory/inventory.go
@@ -12,6 +12,7 @@ import (
  "github.com/rs/zerolog/log"
  "github.com/segmentio/ksuid"
  "go.mondoo.com/cnquery/v9/providers-sdk/v1/vault"
+ "go.mondoo.com/cnquery/v9/providers-sdk/v1/vault/config"
  "google.golang.org/protobuf/proto"
  "sigs.k8s.io/yaml"
 )
@@ -106,6 +107,15 @@ func (p *Inventory) ToYAML() ([]byte, error) {
  return yaml.Marshal(p)
 }
 
+func (p *Inventory) GetVault() (vault.Vault, error) {
+ // instantiate with full vault config
+ v, err := config.New(p.Spec.Vault)
+ if err != nil {
+ return nil, err
+ }
+ return v, nil
+}
+
 // PreProcess extracts all the embedded credentials from the assets and migrates those to in the
 // dedicated credentials section. The pre-processed content is optimized for runtime access.
 // Re-generating yaml, results into a different yaml output. While the results are identical,

diff --git a/providers-sdk/v1/inventory/manager/manager.go b/providers-sdk/v1/inventory/manager/manager.go
@@ -11,7 +11,6 @@ import (
  "go.mondoo.com/cnquery/v9/logger"
  "go.mondoo.com/cnquery/v9/providers-sdk/v1/inventory"
  "go.mondoo.com/cnquery/v9/providers-sdk/v1/vault"
- "go.mondoo.com/cnquery/v9/providers-sdk/v1/vault/config"
  "go.mondoo.com/cnquery/v9/providers-sdk/v1/vault/credentials_resolver"
  "go.mondoo.com/cnquery/v9/providers-sdk/v1/vault/inmemory"
  "go.mondoo.com/cnquery/v9/providers-sdk/v1/vault/multivault"
@@ -129,28 +128,9 @@ func (im *inventoryManager) loadInventory(inventory *inventory.Inventory, runtim
  // in-memory vault is used as fall-back store embedded credentials
  im.inmemoryVault = inmemory.New(inmemory.WithSecretMap(secrets))
  if inventory.Spec.Vault != nil {
- var v vault.Vault
- // when the type is not provided but a name was given, then look up in our internal vault configuration
- if inventory.Spec.Vault.Name != "" && inventory.Spec.Vault.Type == vault.VaultType_None {
- v, err = config.GetConfiguredVault(inventory.Spec.Vault.Name)
- if err != nil {
- return err
- }
- } else {
- t, err := vault.NewVaultType(inventory.Spec.Vault.Type.String())
- if err != nil {
- return err
- }
-
- // instantiate with full vault config
- v, err = config.New(&vault.VaultConfiguration{
- Name: inventory.Spec.Vault.Name,
- Type: t,
- Options: inventory.Spec.Vault.Options,
- })
- if err != nil {
- return err
- }
+ v, err := inventory.GetVault()
+ if err != nil {
+ return err
  }
  im.vault = v
  }