initial release

README.md

@@ -2,4 +2,4 @@
 
 Manage secrets for your application using Faraday's [Secretfile spec](https://github.com/faradayio/Secretfile)
 
-Warning: This library is a work in progress and has not yet been officially released.
+Warning: This library is a work in progress and has not yet been officially released.

pyproject.toml

@@ -0,0 +1,22 @@
+[tool.poetry]
+name = "secretfile"
+version = "0.1.0"
+description = ""
+authors = ["Tom Caruso <[email protected]>"]
+
+[tool.poetry.dependencies]
+python = "^3.10"
+hvac = "^1.1.1"
+click = "^8.1.3"
+
+[tool.poetry.dev-dependencies]
+pytest = "^5.2"
+
+[tool.poetry.scripts]
+# command_name = module_for_handler : function_for_handler
+secretfile = 'secretfile.cli:main'
+
+[build-system]
+requires = ["poetry-core>=1.0.0"]
+build-backend = "poetry.core.masonry.api"
+

secretfile/__init__.py

@@ -0,0 +1,5 @@
+__version__ = '0.1.0'
+
+
+from secretfile.secretfile import Secretfile, set_backend, ensure_backend
+from secretfile import backends

secretfile/backends/__init__.py

@@ -0,0 +1,3 @@
+from secretfile.backends.meta import SecretBackend
+from secretfile.backends.vault import VaultBackend
+from secretfile.backends.memory import MemoryBackend

secretfile/backends/memory.py

@@ -0,0 +1,9 @@
+from secretfile.backends.meta import SecretBackend
+
+
+class MemoryBackend(SecretBackend):
+    def __init__(self, secrets: dict[str, str]):
+        self._secrets = secrets
+
+    def get_secret(self, path):
+        return self._secrets[path]

secretfile/backends/meta.py

@@ -0,0 +1,18 @@
+from abc import ABCMeta, abstractmethod
+
+
+class SecretBackend(metaclass=ABCMeta):
+
+    @abstractmethod
+    def get_secret(self, path):
+        pass
+
+    def get(self, path):
+        return self.deserialize_secret(self.get_secret(path))
+
+    def deserialize_secret(self, secret):
+        """
+        Deserialize the secret from the backend. It's likely that most backends won't need this,
+        but it's here for the ones that do.
+        """
+        return secret

secretfile/backends/vault.py

@@ -0,0 +1,32 @@
+import os
+from typing import Any
+
+import hvac
+
+from secretfile.backends.meta import SecretBackend
+from secretfile.exceptions import BackendConfigurationError
+
+
+class VaultBackend(SecretBackend):
+    def __init__(self):
+        if "VAULT_ADDR" not in os.environ:
+            raise BackendConfigurationError("VAULT_ADDR is not set.")
+        if "VAULT_TOKEN" not in os.environ:
+            raise BackendConfigurationError("VAULT_TOKEN is not set.")
+
+    def get_secret(self, path):
+        return vault_get_path(path)
+
+
+
+def vault_get_path(path: str) -> Any:
+    """Get data at a given path from vault. User is expected to unpack correctly."""
+    hvac_client = hvac.Client(
+        url=os.environ["VAULT_ADDR"], token=os.environ["VAULT_TOKEN"]
+    )
+    response = hvac_client.read(path)
+    if response and "data" in response:
+        return response["data"]
+    else:
+        raise Exception(f"Could not access {path} in Vault: {response}")
+

secretfile/cli.py

@@ -0,0 +1,19 @@
+from typing import List
+import click
+
+from secretfile.secretfile import Secretfile
+
+
+@click.group()
+def main():
+    pass
+
+
+@main.command()
+@click.option('--ignore', '-i', multiple=True, help="Ignore a key in the Secretfile.")
+def read(ignore: List[str]):
+    """Reads the Secretfile and prints out the values in a form which can be `source`d in a shell."""
+    for key, value in Secretfile.items():
+        if key in ignore:
+            continue
+        click.echo(f"export {key}={value}")

secretfile/exceptions.py

@@ -0,0 +1,7 @@
+
+class SecretfileBaseException(Exception):
+    pass
+
+
+class BackendConfigurationError(SecretfileBaseException):
+    pass