From 1772a587f81b6164befaa81e5eee8c2001df3aee Mon Sep 17 00:00:00 2001 From: Vivian Roest Date: Fri, 28 Apr 2023 15:33:12 +0200 Subject: [PATCH 01/23] v0.1.0 --- .gitignore | 4 + Cargo.lock | 434 ++++++++++++++++++++++++++++++++++++++++++++++++++++ Cargo.toml | 12 ++ flake.lock | 61 ++++++++ flake.nix | 21 +++ src/main.rs | 59 +++++++ 6 files changed, 591 insertions(+) create mode 100644 .gitignore create mode 100644 Cargo.lock create mode 100644 Cargo.toml create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 src/main.rs diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a08c3d9 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +/target +keys.json +.env +result \ No newline at end of file diff --git a/Cargo.lock b/Cargo.lock new file mode 100644 index 0000000..07a4b26 --- /dev/null +++ b/Cargo.lock 
@@ -0,0 +1,434 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 3 + +[[package]] +name = "adler" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" + +[[package]] +name = "base64" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8" + +[[package]] +name = "bumpalo" +version = "3.12.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9b1ce199063694f33ffb7dd4e0ee620741495c32833cde5aa08f02a0bf96f0c8" + +[[package]] +name = "cc" +version = "1.0.79" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f" + +[[package]] +name = "cfg-if" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" + +[[package]] +name = "crc32fast" +version = "1.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d" +dependencies = [ + "cfg-if", +] + +[[package]] +name = "dotenv" +version = "0.15.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "77c90badedccf4105eca100756a0b1289e191f6fcbdadd3cee1d2f614f97da8f" + +[[package]] +name = "flate2" +version = "1.0.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a8a2db397cb1c8772f31494cb8917e48cd1e64f0fa7efac59fbd741a0a8ce841" +dependencies = [ + "crc32fast", + "miniz_oxide", +] + +[[package]] +name = "form_urlencoded" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a9c384f161156f5260c24a097c56119f9be8c798586aecc13afbcbe7b7e26bf8" 
+dependencies = [ + "percent-encoding", +] + +[[package]] +name = "idna" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e14ddfc70884202db2244c223200c204c2bda1bc6e0998d11b5e024d657209e6" +dependencies = [ + "unicode-bidi", + "unicode-normalization", +] + +[[package]] +name = "itoa" +version = "1.0.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "453ad9f582a441959e5f0d088b02ce04cfe8d51a8eaf077f12ac6d3e94164ca6" + +[[package]] +name = "js-sys" +version = "0.3.61" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "445dde2150c55e483f3d8416706b97ec8e8237c307e5b7b4b8dd15e6af2a0730" +dependencies = [ + "wasm-bindgen", +] + +[[package]] +name = "libc" +version = "0.2.142" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6a987beff54b60ffa6d51982e1aa1146bc42f19bd26be28b0586f252fccf5317" + +[[package]] +name = "log" +version = "0.4.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e" +dependencies = [ + "cfg-if", +] + +[[package]] +name = "miniz_oxide" +version = "0.6.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b275950c28b37e794e8c55d88aeb5e139d0ce23fdbbeda68f8d7174abdf9e8fa" +dependencies = [ + "adler", +] + +[[package]] +name = "once_cell" +version = "1.17.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3" + +[[package]] +name = "percent-encoding" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "478c572c3d73181ff3c2539045f6eb99e5491218eae919370993b890cdbdd98e" + +[[package]] +name = "proc-macro2" +version = "1.0.56" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2b63bdb0cd06f1f4dedf69b254734f9b45af66e4a031e42a7480257d9898b435" 
+dependencies = [ + "unicode-ident", +] + +[[package]] +name = "quote" +version = "1.0.26" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4424af4bf778aae2051a77b60283332f386554255d722233d09fbfc7e30da2fc" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "ring" +version = "0.16.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" +dependencies = [ + "cc", + "libc", + "once_cell", + "spin", + "untrusted", + "web-sys", + "winapi", +] + +[[package]] +name = "rustls" +version = "0.20.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fff78fc74d175294f4e83b28343315ffcfb114b156f0185e9741cb5570f50e2f" +dependencies = [ + "log", + "ring", + "sct", + "webpki", +] + +[[package]] +name = "ryu" +version = "1.0.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f91339c0467de62360649f8d3e185ca8de4224ff281f66000de5eb2a77a79041" + +[[package]] +name = "sct" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" +dependencies = [ + "ring", + "untrusted", +] + +[[package]] +name = "serde" +version = "1.0.160" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bb2f3770c8bce3bcda7e149193a069a0f4365bda1fa5cd88e03bca26afc1216c" +dependencies = [ + "serde_derive", +] + +[[package]] +name = "serde_derive" +version = "1.0.160" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "291a097c63d8497e00160b166a967a4a79c64f3facdd01cbd7502231688d77df" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.15", +] + +[[package]] +name = "serde_json" +version = "1.0.96" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "057d394a50403bcac12672b2b18fb387ab6d289d957dab67dd201875391e52f1" +dependencies = [ + "itoa", 
+ "ryu", + "serde", +] + +[[package]] +name = "spin" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" + +[[package]] +name = "syn" +version = "1.0.109" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "syn" +version = "2.0.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a34fcf3e8b60f57e6a14301a2e916d323af98b0ea63c599441eec8558660c822" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "tinyvec" +version = "1.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50" +dependencies = [ + "tinyvec_macros", +] + +[[package]] +name = "tinyvec_macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" + +[[package]] +name = "unicode-bidi" +version = "0.3.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460" + +[[package]] +name = "unicode-ident" +version = "1.0.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e5464a87b239f13a63a501f2701565754bae92d243d4bb7eb12f6d57d2269bf4" + +[[package]] +name = "unicode-normalization" +version = "0.1.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921" +dependencies = [ + "tinyvec", +] + +[[package]] +name = "untrusted" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" + +[[package]] +name = "ureq" +version = "2.6.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "338b31dd1314f68f3aabf3ed57ab922df95ffcd902476ca7ba3c4ce7b908c46d" +dependencies = [ + "base64", + "flate2", + "log", + "once_cell", + "rustls", + "serde", + "serde_json", + "url", + "webpki", + "webpki-roots", +] + +[[package]] +name = "url" +version = "2.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0d68c799ae75762b8c3fe375feb6600ef5602c883c5d21eb51c09f22b83c4643" +dependencies = [ + "form_urlencoded", + "idna", + "percent-encoding", +] + +[[package]] +name = "vault-unseal" +version = "0.1.0" +dependencies = [ + "dotenv", + "serde", + "serde_json", + "ureq", +] + +[[package]] +name = "wasm-bindgen" +version = "0.2.84" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "31f8dcbc21f30d9b8f2ea926ecb58f6b91192c17e9d33594b3df58b2007ca53b" +dependencies = [ + "cfg-if", + "wasm-bindgen-macro", +] + +[[package]] +name = "wasm-bindgen-backend" +version = "0.2.84" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "95ce90fd5bcc06af55a641a86428ee4229e44e07033963a2290a8e241607ccb9" +dependencies = [ + "bumpalo", + "log", + "once_cell", + "proc-macro2", + "quote", + "syn 1.0.109", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-macro" +version = "0.2.84" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c21f77c0bedc37fd5dc21f897894a5ca01e7bb159884559461862ae90c0b4c5" +dependencies = [ + "quote", + "wasm-bindgen-macro-support", +] + +[[package]] +name = "wasm-bindgen-macro-support" +version = "0.2.84" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2aff81306fcac3c7515ad4e177f521b5c9a15f2b08f4e32d823066102f35a5f6" +dependencies = [ + "proc-macro2", + "quote", + "syn 1.0.109", + "wasm-bindgen-backend", + 
"wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-shared" +version = "0.2.84" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0046fef7e28c3804e5e38bfa31ea2a0f73905319b677e57ebe37e49358989b5d" + +[[package]] +name = "web-sys" +version = "0.3.61" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e33b99f4b23ba3eec1a53ac264e35a755f00e966e0065077d6027c0f575b0b97" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + +[[package]] +name = "webpki" +version = "0.22.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd" +dependencies = [ + "ring", + "untrusted", +] + +[[package]] +name = "webpki-roots" +version = "0.22.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6c71e40d7d2c34a5106301fb632274ca37242cd0c9d3e64dbece371a40a2d87" +dependencies = [ + "webpki", +] + +[[package]] +name = "winapi" +version = "0.3.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" +dependencies = [ + "winapi-i686-pc-windows-gnu", + "winapi-x86_64-pc-windows-gnu", +] + +[[package]] +name = "winapi-i686-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" + +[[package]] +name = "winapi-x86_64-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" diff --git a/Cargo.toml b/Cargo.toml new file mode 100644 index 0000000..353c368 --- /dev/null +++ b/Cargo.toml 
@@ -0,0 +1,12 @@ +[package] +name = "vault-unseal" +version = "0.1.0" +edition = "2021" + +# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + +[dependencies] +ureq = { version = "*", features = ["json"] } +serde_json = "*" +dotenv = "*" +serde = { version = "*", features = ["derive"] } diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..d38d8c5 --- /dev/null +++ b/flake.lock @@ -0,0 +1,61 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1682526928, + "narHash": "sha256-2cKh4O6t1rQ8Ok+v16URynmb0rV7oZPEbXkU0owNLQs=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "d6b863fd9b7bb962e6f9fdf292419a775e772891", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..ff026c4 --- /dev/null +++ b/flake.nix 
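Review bot: Every dependency in the `[dependencies]` table is declared with `version = "*"`, so any build that regenerates the lockfile (or a downstream that ignores it) resolves to the newest published release of each crate, including future semver-breaking or compromised versions. Pin to the versions this commit's own Cargo.lock already resolved: `ureq = { version = "2.6", features = ["json"] }`, `serde = { version = "1.0", features = ["derive"] }`, `serde_json = "1.0"`, `dotenv = "0.15"`. As far as I know `dotenv` is unmaintained upstream and carries an advisory-db entry, so `cargo audit` will warn on it; `dotenvy` is the usual drop-in replacement. PATCH 02/23 repeats the same manifest and the same points apply there.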
@@ -0,0 +1,21 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+ flake-utils.url = "github:numtide/flake-utils";
+ };
+
+ outputs = { self, nixpkgs, flake-utils }:
+ let inherit (flake-utils.lib) eachSystem system;
+ in eachSystem [ system.x86_64-linux ] (system:
+ let pkgs = nixpkgs.legacyPackages.${system};
+ in {
+ packages = {
+ default = pkgs.rustPlatform.buildRustPackage {
+ pname = "vault-unseal";
+ version = "0.1.0";
+ src = ./.;
+ cargoSha256 = "sha256-nCOHQU62fzJ9uwUK8n5JsVkKmqQwhG/5GI6rvtejZjY=";
+ };
+ };
+ });
+}
diff --git a/src/main.rs b/src/main.rs
new file mode 100644
index 0000000..683f7be
--- /dev/null
+++ b/src/main.rs
@@ -0,0 +1,59 @@
+use dotenv::dotenv;
+use serde::Deserialize;
+use serde_json::json;
+use std::error::Error;
+use std::io::Read;
+use std::thread;
+use std::time::Duration;
+use std::{env, fs::File};
+
+#[derive(Debug, Deserialize)]
+struct KeyFile {
+ keys: Vec,
+}
+
+#[derive(Debug, Deserialize)]
+struct HealthCheck {
+ sealed: bool,
+}
+
+fn main() -> Result<(), Box> {
+ dotenv().ok();
+ let vault_addr = env::var("VAULT_ADDR")?;
+ let file = env::var("VAULT_KEY_FILE")?;
+ let interval = env::var("UNSEAL_INTERVAL").unwrap_or(String::from("15"));
+ let interval = Duration::from_secs(interval.parse()?);
+
+ let mut file = File::open(file)?;
+ let mut data = String::new();
+ file.read_to_string(&mut data)?;
+
+ let keyfile: KeyFile = serde_json::from_str(&data)?;
+
+ let unseal_url = format!("{vault_addr}/v1/sys/unseal");
+ let health_url = format!("{vault_addr}/v1/sys/health");
+
+ println!("Starting vault unsealer ...");
+ loop {
+ match ureq::get(&health_url).call() {
+ Err(ureq::Error::Status(code, resp)) if code == 503 => {
+ if let Ok(HealthCheck { sealed: true }) = resp.into_json() {
+ for key in &keyfile.keys {
+ match ureq::post(&unseal_url).send_json(json!({ "key": key })) {
+ Ok(resp) if resp.status() != 200 => eprintln!("error unsealing vault"),
+ Ok(_) => println!("unsealed vault partially"),
+ Err(err) => eprintln!("error unsealing vault: {err}"),
+ }
+ }
+ } else {
+ eprintln!("Can't unseal");
+ }
+ }
+ Err(ureq::Error::Status(_, _)) => (),
+ Err(e) => eprintln!("{e}"),
+ _ => (),
+ }
+
+ thread::sleep(interval);
+ }
+}
From 954038f565de12f2710cf8634c28b4cf63d5f091 Mon Sep 17 00:00:00 2001
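Review bot: `vault_addr` is used verbatim from `VAULT_ADDR` in `format!("{vault_addr}/v1/sys/unseal")`, and the `for key in &keyfile.keys` loop then posts every unseal key share to that URL, so a plain `http://` value (or a mistyped host) ships all shares in cleartext to whatever the variable names; add `if !vault_addr.starts_with("https://") { return Err("VAULT_ADDR must use https".into()); }` right after the `env::var("VAULT_ADDR")?` line. The inner loop also keeps posting shares after the threshold has been met; the unseal response carries the same `sealed` field as the health check, so replacing the `Ok(_)` arm with `Ok(resp) => if let Ok(HealthCheck { sealed: false }) = resp.into_json() { println!("vault unsealed"); break; }` would stop once the minimum number of shares has left the process and also fix the misleading `unsealed vault partially` message. The `Err(ureq::Error::Status(_, _)) => ()` arm silently drops statuses such as 501 (not initialised) that an operator would want logged, so at least `eprintln!` the code there. The generic parameters on `Vec` and `Box` appear stripped in this rendering, presumably `Vec<String>` and `Box<dyn Error>`. PATCH 02/23 below repeats this file unchanged and the same points apply there.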
From: Victor Date: Fri, 28 Apr 2023 15:33:12 +0200 Subject: [PATCH 02/23] v0.1.0 --- .gitignore | 4 + Cargo.lock | 434 ++++++++++++++++++++++++++++++++++++++++++++++++++++ Cargo.toml | 12 ++ flake.lock | 61 ++++++++ flake.nix | 21 +++ src/main.rs | 59 +++++++ 6 files changed, 591 insertions(+) create mode 100644 .gitignore create mode 100644 Cargo.lock create mode 100644 Cargo.toml create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 src/main.rs diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a08c3d9 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +/target +keys.json +.env +result \ No newline at end of file diff --git a/Cargo.lock b/Cargo.lock new file mode 100644 index 0000000..07a4b26 --- /dev/null +++ b/Cargo.lock 
@@ -0,0 +1,434 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 3 + +[[package]] +name = "adler" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" + +[[package]] +name = "base64" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8" + +[[package]] +name = "bumpalo" +version = "3.12.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9b1ce199063694f33ffb7dd4e0ee620741495c32833cde5aa08f02a0bf96f0c8" + +[[package]] +name = "cc" +version = "1.0.79" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f" + +[[package]] +name = "cfg-if" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" + +[[package]] +name = "crc32fast" +version = "1.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d" +dependencies = [ + "cfg-if", +] + +[[package]] +name = "dotenv" +version = "0.15.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "77c90badedccf4105eca100756a0b1289e191f6fcbdadd3cee1d2f614f97da8f" + +[[package]] +name = "flate2" +version = "1.0.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a8a2db397cb1c8772f31494cb8917e48cd1e64f0fa7efac59fbd741a0a8ce841" +dependencies = [ + "crc32fast", + "miniz_oxide", +] + +[[package]] +name = "form_urlencoded" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a9c384f161156f5260c24a097c56119f9be8c798586aecc13afbcbe7b7e26bf8" 
+dependencies = [ + "percent-encoding", +] + +[[package]] +name = "idna" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e14ddfc70884202db2244c223200c204c2bda1bc6e0998d11b5e024d657209e6" +dependencies = [ + "unicode-bidi", + "unicode-normalization", +] + +[[package]] +name = "itoa" +version = "1.0.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "453ad9f582a441959e5f0d088b02ce04cfe8d51a8eaf077f12ac6d3e94164ca6" + +[[package]] +name = "js-sys" +version = "0.3.61" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "445dde2150c55e483f3d8416706b97ec8e8237c307e5b7b4b8dd15e6af2a0730" +dependencies = [ + "wasm-bindgen", +] + +[[package]] +name = "libc" +version = "0.2.142" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6a987beff54b60ffa6d51982e1aa1146bc42f19bd26be28b0586f252fccf5317" + +[[package]] +name = "log" +version = "0.4.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e" +dependencies = [ + "cfg-if", +] + +[[package]] +name = "miniz_oxide" +version = "0.6.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b275950c28b37e794e8c55d88aeb5e139d0ce23fdbbeda68f8d7174abdf9e8fa" +dependencies = [ + "adler", +] + +[[package]] +name = "once_cell" +version = "1.17.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3" + +[[package]] +name = "percent-encoding" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "478c572c3d73181ff3c2539045f6eb99e5491218eae919370993b890cdbdd98e" + +[[package]] +name = "proc-macro2" +version = "1.0.56" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2b63bdb0cd06f1f4dedf69b254734f9b45af66e4a031e42a7480257d9898b435" 
+dependencies = [ + "unicode-ident", +] + +[[package]] +name = "quote" +version = "1.0.26" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4424af4bf778aae2051a77b60283332f386554255d722233d09fbfc7e30da2fc" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "ring" +version = "0.16.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" +dependencies = [ + "cc", + "libc", + "once_cell", + "spin", + "untrusted", + "web-sys", + "winapi", +] + +[[package]] +name = "rustls" +version = "0.20.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fff78fc74d175294f4e83b28343315ffcfb114b156f0185e9741cb5570f50e2f" +dependencies = [ + "log", + "ring", + "sct", + "webpki", +] + +[[package]] +name = "ryu" +version = "1.0.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f91339c0467de62360649f8d3e185ca8de4224ff281f66000de5eb2a77a79041" + +[[package]] +name = "sct" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" +dependencies = [ + "ring", + "untrusted", +] + +[[package]] +name = "serde" +version = "1.0.160" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bb2f3770c8bce3bcda7e149193a069a0f4365bda1fa5cd88e03bca26afc1216c" +dependencies = [ + "serde_derive", +] + +[[package]] +name = "serde_derive" +version = "1.0.160" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "291a097c63d8497e00160b166a967a4a79c64f3facdd01cbd7502231688d77df" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.15", +] + +[[package]] +name = "serde_json" +version = "1.0.96" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "057d394a50403bcac12672b2b18fb387ab6d289d957dab67dd201875391e52f1" +dependencies = [ + "itoa", 
+ "ryu", + "serde", +] + +[[package]] +name = "spin" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" + +[[package]] +name = "syn" +version = "1.0.109" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "syn" +version = "2.0.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a34fcf3e8b60f57e6a14301a2e916d323af98b0ea63c599441eec8558660c822" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "tinyvec" +version = "1.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50" +dependencies = [ + "tinyvec_macros", +] + +[[package]] +name = "tinyvec_macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" + +[[package]] +name = "unicode-bidi" +version = "0.3.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460" + +[[package]] +name = "unicode-ident" +version = "1.0.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e5464a87b239f13a63a501f2701565754bae92d243d4bb7eb12f6d57d2269bf4" + +[[package]] +name = "unicode-normalization" +version = "0.1.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921" +dependencies = [ + "tinyvec", +] + +[[package]] +name = "untrusted" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" + +[[package]] +name = "ureq" +version = "2.6.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "338b31dd1314f68f3aabf3ed57ab922df95ffcd902476ca7ba3c4ce7b908c46d" +dependencies = [ + "base64", + "flate2", + "log", + "once_cell", + "rustls", + "serde", + "serde_json", + "url", + "webpki", + "webpki-roots", +] + +[[package]] +name = "url" +version = "2.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0d68c799ae75762b8c3fe375feb6600ef5602c883c5d21eb51c09f22b83c4643" +dependencies = [ + "form_urlencoded", + "idna", + "percent-encoding", +] + +[[package]] +name = "vault-unseal" +version = "0.1.0" +dependencies = [ + "dotenv", + "serde", + "serde_json", + "ureq", +] + +[[package]] +name = "wasm-bindgen" +version = "0.2.84" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "31f8dcbc21f30d9b8f2ea926ecb58f6b91192c17e9d33594b3df58b2007ca53b" +dependencies = [ + "cfg-if", + "wasm-bindgen-macro", +] + +[[package]] +name = "wasm-bindgen-backend" +version = "0.2.84" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "95ce90fd5bcc06af55a641a86428ee4229e44e07033963a2290a8e241607ccb9" +dependencies = [ + "bumpalo", + "log", + "once_cell", + "proc-macro2", + "quote", + "syn 1.0.109", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-macro" +version = "0.2.84" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c21f77c0bedc37fd5dc21f897894a5ca01e7bb159884559461862ae90c0b4c5" +dependencies = [ + "quote", + "wasm-bindgen-macro-support", +] + +[[package]] +name = "wasm-bindgen-macro-support" +version = "0.2.84" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2aff81306fcac3c7515ad4e177f521b5c9a15f2b08f4e32d823066102f35a5f6" +dependencies = [ + "proc-macro2", + "quote", + "syn 1.0.109", + "wasm-bindgen-backend", + 
"wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-shared" +version = "0.2.84" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0046fef7e28c3804e5e38bfa31ea2a0f73905319b677e57ebe37e49358989b5d" + +[[package]] +name = "web-sys" +version = "0.3.61" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e33b99f4b23ba3eec1a53ac264e35a755f00e966e0065077d6027c0f575b0b97" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + +[[package]] +name = "webpki" +version = "0.22.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd" +dependencies = [ + "ring", + "untrusted", +] + +[[package]] +name = "webpki-roots" +version = "0.22.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6c71e40d7d2c34a5106301fb632274ca37242cd0c9d3e64dbece371a40a2d87" +dependencies = [ + "webpki", +] + +[[package]] +name = "winapi" +version = "0.3.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" +dependencies = [ + "winapi-i686-pc-windows-gnu", + "winapi-x86_64-pc-windows-gnu", +] + +[[package]] +name = "winapi-i686-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" + +[[package]] +name = "winapi-x86_64-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" diff --git a/Cargo.toml b/Cargo.toml new file mode 100644 index 0000000..353c368 --- /dev/null +++ b/Cargo.toml 
@@ -0,0 +1,12 @@ +[package] +name = "vault-unseal" +version = "0.1.0" +edition = "2021" + +# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + +[dependencies] +ureq = { version = "*", features = ["json"] } +serde_json = "*" +dotenv = "*" +serde = { version = "*", features = ["derive"] } diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..d38d8c5 --- /dev/null +++ b/flake.lock @@ -0,0 +1,61 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1682526928, + "narHash": "sha256-2cKh4O6t1rQ8Ok+v16URynmb0rV7oZPEbXkU0owNLQs=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "d6b863fd9b7bb962e6f9fdf292419a775e772891", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..ff026c4 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,21 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+ flake-utils.url = "github:numtide/flake-utils";
+ };
+
+ outputs = { self, nixpkgs, flake-utils }:
+ let inherit (flake-utils.lib) eachSystem system;
+ in eachSystem [ system.x86_64-linux ] (system:
+ let pkgs = nixpkgs.legacyPackages.${system};
+ in {
+ packages = {
+ default = pkgs.rustPlatform.buildRustPackage {
+ pname = "vault-unseal";
+ version = "0.1.0";
+ src = ./.;
+ cargoSha256 = "sha256-nCOHQU62fzJ9uwUK8n5JsVkKmqQwhG/5GI6rvtejZjY=";
+ };
+ };
+ });
+}
diff --git a/src/main.rs b/src/main.rs
new file mode 100644
index 0000000..683f7be
--- /dev/null
+++ b/src/main.rs
@@ -0,0 +1,59 @@
+use dotenv::dotenv;
+use serde::Deserialize;
+use serde_json::json;
+use std::error::Error;
+use std::io::Read;
+use std::thread;
+use std::time::Duration;
+use std::{env, fs::File};
+
+#[derive(Debug, Deserialize)]
+struct KeyFile {
+ keys: Vec,
+}
+
+#[derive(Debug, Deserialize)]
+struct HealthCheck {
+ sealed: bool,
+}
+
+fn main() -> Result<(), Box> {
+ dotenv().ok();
+ let vault_addr = env::var("VAULT_ADDR")?;
+ let file = env::var("VAULT_KEY_FILE")?;
+ let interval = env::var("UNSEAL_INTERVAL").unwrap_or(String::from("15"));
+ let interval = Duration::from_secs(interval.parse()?);
+
+ let mut file = File::open(file)?;
+ let mut data = String::new();
+ file.read_to_string(&mut data)?;
+
+ let keyfile: KeyFile = serde_json::from_str(&data)?;
+
+ let unseal_url = format!("{vault_addr}/v1/sys/unseal");
+ let health_url = format!("{vault_addr}/v1/sys/health");
+
+ println!("Starting vault unsealer ...");
+ loop {
+ match ureq::get(&health_url).call() {
+ Err(ureq::Error::Status(code, resp)) if code == 503 => {
+ if let Ok(HealthCheck { sealed: true }) = resp.into_json() {
+ for key in &keyfile.keys {
+ match ureq::post(&unseal_url).send_json(json!({ "key": key })) {
+ Ok(resp) if resp.status() != 200 => eprintln!("error unsealing vault"),
+ Ok(_) => println!("unsealed vault partially"),
+ Err(err) => eprintln!("error unsealing vault: {err}"),
+ }
+ }
+ } else {
+ eprintln!("Can't unseal");
+ }
+ }
+ Err(ureq::Error::Status(_, _)) => (),
+ Err(e) => eprintln!("{e}"),
+ _ => (),
+ }
+
+ thread::sleep(interval);
+ }
+}
From bc295a3890cb43dee86a1bf8d04fd94e0f2a55b3 Mon Sep 17 00:00:00 2001
From: Vivian Roest
Date: Fri, 28 Apr 2023 15:44:54 +0200
Subject: [PATCH 03/23] fixup flake
---
 flake.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/flake.nix b/flake.nix
index ff026c4..970755f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,7 +13,7 @@ default = pkgs.rustPlatform.buildRustPackage { pname = "vault-unseal"; version = "0.1.0"; - src = ./.; + src = self; cargoSha256 = "sha256-nCOHQU62fzJ9uwUK8n5JsVkKmqQwhG/5GI6rvtejZjY="; }; }; From 3393123d5814d572eeccb6c6163bab9f374550ca Mon Sep 17 00:00:00 2001 From: Victor Date: Fri, 28 Apr 2023 15:44:54 +0200 Subject: [PATCH 04/23] fixup flake --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index ff026c4..970755f 100644 --- a/flake.nix +++ b/flake.nix @@ -13,7 +13,7 @@ default = pkgs.rustPlatform.buildRustPackage { pname = "vault-unseal"; version = "0.1.0"; - src = ./.; + src = self; cargoSha256 = "sha256-nCOHQU62fzJ9uwUK8n5JsVkKmqQwhG/5GI6rvtejZjY="; }; }; From 9895ca5bd8fc4d2dec60436eee20c82794a4bb74 Mon Sep 17 00:00:00 2001 From: Vivian Roest Date: Fri, 28 Apr 2023 15:54:51 +0200 Subject: [PATCH 05/23] add readme.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..96d9af6 --- /dev/null +++ b/README.md @@ -0,0 +1,2 @@ +# Vault Unsealer +This is a simple Rust program that automatically unseals a hashicorp vault instance From 5af2f123dcd9dcf7ddb3856434f8ea1c76b699b3 Mon Sep 17 00:00:00 2001 From: Victor Date: Fri, 28 Apr 2023 15:54:51 +0200 Subject: [PATCH 06/23] add readme.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..96d9af6 --- /dev/null +++ b/README.md @@ -0,0 +1,2 @@ +# Vault Unsealer +This is a simple Rust program that automatically unseals a hashicorp vault instance From d369e50d341774ff5511190207eaec8054a19c7a Mon Sep 17 00:00:00 2001 
From: Vivian Roest Date: Mon, 1 May 2023 13:38:37 +0200 Subject: [PATCH 07/23] cleaned up the code --- Cargo.lock | 121 +++++++++++++++++++++++++++++++++++++++++++++++++++- Cargo.toml | 4 +- flake.nix | 15 ++++--- src/main.rs | 82 +++++++++++++++++++++++++++-------- 4 files changed, 196 insertions(+), 26 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 07a4b26..d62f8a1 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -91,6 +91,12 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "lazy_static" +version = "1.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" + [[package]] name = "libc" version = "0.2.142" @@ -115,18 +121,40 @@ dependencies = [ "adler", ] +[[package]] +name = "nu-ansi-term" +version = "0.46.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "77a8165726e8236064dbb45459242600304b42a5ea24ee2948e18e023bf7ba84" +dependencies = [ + "overload", + "winapi", +] + [[package]] name = "once_cell" version = "1.17.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3" +[[package]] +name = "overload" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39" + [[package]] name = "percent-encoding" version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "478c572c3d73181ff3c2539045f6eb99e5491218eae919370993b890cdbdd98e" +[[package]] +name = "pin-project-lite" +version = "0.2.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e0a7ae3ac2f1173085d398531c705756c94a4c56843785df85a60c1a0afac116" + [[package]] name = "proc-macro2" version = "1.0.56" 
@@ -219,6 +247,21 @@ dependencies = [ "serde", ] +[[package]] +name = "sharded-slab" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "900fba806f70c630b0a382d0d825e17a0f19fcd059a2ade1ff237bcddf446b31" +dependencies = [ + "lazy_static", +] + +[[package]] +name = "smallvec" +version = "1.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a507befe795404456341dfab10cef66ead4c041f62b8b11bbb92bffe5d0953e0" + [[package]] name = "spin" version = "0.5.2" @@ -247,6 +290,16 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "thread_local" +version = "1.1.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3fdd6f064ccff2d6567adcb3873ca630700f00b5ad3f060c25b5dcfd9a4ce152" +dependencies = [ + "cfg-if", + "once_cell", +] + [[package]] name = "tinyvec" version = "1.6.0" 
@@ -262,6 +315,64 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" +[[package]] +name = "tracing" +version = "0.1.37" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ce8c33a8d48bd45d624a6e523445fd21ec13d3653cd51f681abf67418f54eb8" +dependencies = [ + "cfg-if", + "pin-project-lite", + "tracing-attributes", + "tracing-core", +] + +[[package]] +name = "tracing-attributes" +version = "0.1.24" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0f57e3ca2a01450b1a921183a9c9cbfda207fd822cef4ccb00a65402cbba7a74" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.15", +] + +[[package]] +name = "tracing-core" +version = "0.1.30" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "24eb03ba0eab1fd845050058ce5e616558e8f8d8fca633e6b163fe25c797213a" +dependencies = [ + "once_cell", + "valuable", +] + +[[package]] +name = "tracing-log" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "78ddad33d2d10b1ed7eb9d1f518a5674713876e97e5bb9b7345a7984fbb4f922" +dependencies = [ + "lazy_static", + "log", + "tracing-core", +] + +[[package]] +name = "tracing-subscriber" +version = "0.3.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "30a651bc37f915e81f087d86e62a18eec5f79550c7faff886f7090b4ea757c77" +dependencies = [ + "nu-ansi-term", + "sharded-slab", + "smallvec", + "thread_local", + "tracing-core", + "tracing-log", +] + [[package]] name = "unicode-bidi" version = "0.3.13" 
@@ -319,12 +430,20 @@ dependencies = [ ] [[package]] -name = "vault-unseal" +name = "valuable" version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d" + +[[package]] +name = "vault-unseal" +version = "0.2.0" dependencies = [ "dotenv", "serde", "serde_json", + "tracing", + "tracing-subscriber", "ureq", ] diff --git a/Cargo.toml b/Cargo.toml index 353c368..96bbe99 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "vault-unseal" -version = "0.1.0" +version = "0.2.0" edition = "2021" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html @@ -10,3 +10,5 @@ ureq = { version = "*", features = ["json"] } serde_json = "*" dotenv = "*" serde = { version = "*", features = ["derive"] } +tracing = "0.1" +tracing-subscriber = "0.3" diff --git a/flake.nix b/flake.nix index 970755f..956bc89 100644 --- a/flake.nix +++ b/flake.nix @@ -10,12 +10,15 @@ let pkgs = nixpkgs.legacyPackages.${system}; in { packages = { - default = pkgs.rustPlatform.buildRustPackage { - pname = "vault-unseal"; - version = "0.1.0"; - src = self; - cargoSha256 = "sha256-nCOHQU62fzJ9uwUK8n5JsVkKmqQwhG/5GI6rvtejZjY="; - }; + default = + let toml = (builtins.fromTOML (builtins.readFile ./Cargo.toml)); + in pkgs.rustPlatform.buildRustPackage { + pname = toml.package.name; + version = toml.package.version; + src = self; + cargoSha256 = + "sha256-eOvTR7TpFpi83J3G8HPXgOBryTzkq4XWp6CER6UDCbo="; + }; }; }); } diff --git a/src/main.rs b/src/main.rs index 683f7be..b9e0e51 100644 --- a/src/main.rs +++ b/src/main.rs @@ -6,6 +6,10 @@ use std::io::Read; use std::thread; use std::time::Duration; use std::{env, fs::File}; +use tracing::{info, subscriber, warn}; +use tracing_subscriber::FmtSubscriber; +use ureq::Error::Status; +use ureq::Response; #[derive(Debug, Deserialize)] struct KeyFile { 
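Review bot: The new `tracing = "0.1"` and `tracing-subscriber = "0.3"` entries use bounded caret ranges, while the surrounding `ureq`, `serde_json`, `dotenv` and `serde` lines still use `"*"`, which lets any future `cargo update` pull an arbitrary new major of those crates; bringing the four in line with a caret range matching the version already in `Cargo.lock` makes the lockfile a checkpoint rather than the only thing between the build and a surprise major bump. Separately, `dotenv` has been marked unmaintained in the RustSec advisory database, and `dotenvy` is the drop-in maintained fork. Today's builds are still reproducible because `Cargo.lock` is committed and the flake pins `cargoSha256`; the point is upgrade hygiene, not the current state.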
@@ -17,8 +21,65 @@ struct HealthCheck { sealed: bool, } +fn is_sealed(health_url: &str) -> bool { + fn parse_hc(x: Response) -> bool { + match x.into_json() { + Ok(HealthCheck { sealed }) => sealed, + Err(_) => false, + } + } + + let resp = ureq::get(health_url).call(); + match resp { + Ok(x) => parse_hc(x), + Err(Status(503, resp)) => parse_hc(resp), + Err(Status(429, _)) => { + info!("got code 429: too many requests, waiting"); + // too many requests + thread::sleep(Duration::from_secs(15)); + false + } + Err(Status(code, resp)) => { + info!( + "error checking health, got code: '{code}', with message: {}", + resp.status_text() + ); + false + } + Err(e) => { + warn!("Got error: {e}"); + false + } + } +} + +fn unseal(keyfile: &KeyFile, unseal_url: &str) { + let len = keyfile.keys.len(); + for (i, key) in keyfile.keys.iter().enumerate() { + let i = i + 1; + match ureq::post(unseal_url).send_json(json!({ "key": key })) { + Ok(resp) if resp.status() == 200 => { + if i < len { + info!("unsealed vault partially {i}/{len}"); + } else { + info!("fully unsealed vault {i}/{len}"); + } + } + Ok(resp) => warn!( + "error unsealing vault, got code '{}', with message: {}", + resp.status(), + resp.status_text() + ), + Err(err) => warn!("error unsealing vault: {err}"), + } + } +} + fn main() -> Result<(), Box> { dotenv().ok(); + let subscriber = FmtSubscriber::new(); + subscriber::set_global_default(subscriber)?; + let vault_addr = env::var("VAULT_ADDR")?; let file = env::var("VAULT_KEY_FILE")?; let interval = env::var("UNSEAL_INTERVAL").unwrap_or(String::from("15")); 
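Review bot: The `Err(Status(429, _))` arm in `is_sealed` reads a 429 from `/v1/sys/health` as rate limiting and sleeps 15 s, but Vault's health endpoint returns 429 for an unsealed standby node (per the system health API docs), so on an HA follower every poll stalls 15 s on top of the caller's interval and logs a misleading "too many requests" message; `Err(Status(429, _)) => false, // unsealed, standby node` is what is wanted here. In `unseal`, the `{i}/{len}` progress is local bookkeeping rather than Vault's reported `progress`/`t`, so "fully unsealed vault" is logged after the last share even when one was rejected with a non-200; reading `sealed` and `progress` from the response body (and stopping once `sealed` is false) would make the log truthful and avoid submitting shares Vault no longer needs.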
@@ -33,25 +94,10 @@ fn main() -> Result<(), Box> { let unseal_url = format!("{vault_addr}/v1/sys/unseal"); let health_url = format!("{vault_addr}/v1/sys/health"); - println!("Starting vault unsealer ..."); + info!("Starting vault unsealer at {vault_addr}"); loop { - match ureq::get(&health_url).call() { - Err(ureq::Error::Status(code, resp)) if code == 503 => { - if let Ok(HealthCheck { sealed: true }) = resp.into_json() { - for key in &keyfile.keys { - match ureq::post(&unseal_url).send_json(json!({ "key": key })) { - Ok(resp) if resp.status() != 200 => eprintln!("error unsealing vault"), - Ok(_) => println!("unsealed vault partially"), - Err(err) => eprintln!("error unsealing vault: {err}"), - } - } - } else { - eprintln!("Can't unseal"); - } - } - Err(ureq::Error::Status(_, _)) => (), - Err(e) => eprintln!("{e}"), - _ => (), + if is_sealed(&health_url) { + unseal(&keyfile, &unseal_url); } thread::sleep(interval); From a3dca9e818eea43d32e2a3cc7498bf883f49ab01 Mon Sep 17 00:00:00 2001 From: Victor Date: Mon, 1 May 2023 13:38:37 +0200 Subject: [PATCH 08/23] cleaned up the code --- Cargo.lock | 121 +++++++++++++++++++++++++++++++++++++++++++++++++++- Cargo.toml | 4 +- flake.nix | 15 ++++--- src/main.rs | 82 +++++++++++++++++++++++++++-------- 4 files changed, 196 insertions(+), 26 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 07a4b26..d62f8a1 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -91,6 +91,12 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "lazy_static" +version = "1.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" + [[package]] name = "libc" version = "0.2.142" 
@@ -115,18 +121,40 @@ dependencies = [ "adler", ] +[[package]] +name = "nu-ansi-term" +version = "0.46.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "77a8165726e8236064dbb45459242600304b42a5ea24ee2948e18e023bf7ba84" +dependencies = [ + "overload", + "winapi", +] + [[package]] name = "once_cell" version = "1.17.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3" +[[package]] +name = "overload" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39" + [[package]] name = "percent-encoding" version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "478c572c3d73181ff3c2539045f6eb99e5491218eae919370993b890cdbdd98e" +[[package]] +name = "pin-project-lite" +version = "0.2.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e0a7ae3ac2f1173085d398531c705756c94a4c56843785df85a60c1a0afac116" + [[package]] name = "proc-macro2" version = "1.0.56" @@ -219,6 +247,21 @@ dependencies = [ "serde", ] +[[package]] +name = "sharded-slab" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "900fba806f70c630b0a382d0d825e17a0f19fcd059a2ade1ff237bcddf446b31" +dependencies = [ + "lazy_static", +] + +[[package]] +name = "smallvec" +version = "1.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a507befe795404456341dfab10cef66ead4c041f62b8b11bbb92bffe5d0953e0" + [[package]] name = "spin" version = "0.5.2" 
@@ -247,6 +290,16 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "thread_local" +version = "1.1.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3fdd6f064ccff2d6567adcb3873ca630700f00b5ad3f060c25b5dcfd9a4ce152" +dependencies = [ + "cfg-if", + "once_cell", +] + [[package]] name = "tinyvec" version = "1.6.0" 
@@ -262,6 +315,64 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" +[[package]] +name = "tracing" +version = "0.1.37" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ce8c33a8d48bd45d624a6e523445fd21ec13d3653cd51f681abf67418f54eb8" +dependencies = [ + "cfg-if", + "pin-project-lite", + "tracing-attributes", + "tracing-core", +] + +[[package]] +name = "tracing-attributes" +version = "0.1.24" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0f57e3ca2a01450b1a921183a9c9cbfda207fd822cef4ccb00a65402cbba7a74" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.15", +] + +[[package]] +name = "tracing-core" +version = "0.1.30" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "24eb03ba0eab1fd845050058ce5e616558e8f8d8fca633e6b163fe25c797213a" +dependencies = [ + "once_cell", + "valuable", +] + +[[package]] +name = "tracing-log" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "78ddad33d2d10b1ed7eb9d1f518a5674713876e97e5bb9b7345a7984fbb4f922" +dependencies = [ + "lazy_static", + "log", + "tracing-core", +] + +[[package]] +name = "tracing-subscriber" +version = "0.3.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "30a651bc37f915e81f087d86e62a18eec5f79550c7faff886f7090b4ea757c77" +dependencies = [ + "nu-ansi-term", + "sharded-slab", + "smallvec", + "thread_local", + "tracing-core", + "tracing-log", +] + [[package]] name = "unicode-bidi" version = "0.3.13" 
@@ -319,12 +430,20 @@ dependencies = [ ] [[package]] -name = "vault-unseal" +name = "valuable" version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d" + +[[package]] +name = "vault-unseal" +version = "0.2.0" dependencies = [ "dotenv", "serde", "serde_json", + "tracing", + "tracing-subscriber", "ureq", ] diff --git a/Cargo.toml b/Cargo.toml index 353c368..96bbe99 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "vault-unseal" -version = "0.1.0" +version = "0.2.0" edition = "2021" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html @@ -10,3 +10,5 @@ ureq = { version = "*", features = ["json"] } serde_json = "*" dotenv = "*" serde = { version = "*", features = ["derive"] } +tracing = "0.1" +tracing-subscriber = "0.3" diff --git a/flake.nix b/flake.nix index 970755f..956bc89 100644 --- a/flake.nix +++ b/flake.nix @@ -10,12 +10,15 @@ let pkgs = nixpkgs.legacyPackages.${system}; in { packages = { - default = pkgs.rustPlatform.buildRustPackage { - pname = "vault-unseal"; - version = "0.1.0"; - src = self; - cargoSha256 = "sha256-nCOHQU62fzJ9uwUK8n5JsVkKmqQwhG/5GI6rvtejZjY="; - }; + default = + let toml = (builtins.fromTOML (builtins.readFile ./Cargo.toml)); + in pkgs.rustPlatform.buildRustPackage { + pname = toml.package.name; + version = toml.package.version; + src = self; + cargoSha256 = + "sha256-eOvTR7TpFpi83J3G8HPXgOBryTzkq4XWp6CER6UDCbo="; + }; }; }); } diff --git a/src/main.rs b/src/main.rs index 683f7be..b9e0e51 100644 --- a/src/main.rs +++ b/src/main.rs @@ -6,6 +6,10 @@ use std::io::Read; use std::thread; use std::time::Duration; use std::{env, fs::File}; +use tracing::{info, subscriber, warn}; +use tracing_subscriber::FmtSubscriber; +use ureq::Error::Status; +use ureq::Response; #[derive(Debug, Deserialize)] struct KeyFile { 
@@ -17,8 +21,65 @@ struct HealthCheck { sealed: bool, } +fn is_sealed(health_url: &str) -> bool { + fn parse_hc(x: Response) -> bool { + match x.into_json() { + Ok(HealthCheck { sealed }) => sealed, + Err(_) => false, + } + } + + let resp = ureq::get(health_url).call(); + match resp { + Ok(x) => parse_hc(x), + Err(Status(503, resp)) => parse_hc(resp), + Err(Status(429, _)) => { + info!("got code 429: too many requests, waiting"); + // too many requests + thread::sleep(Duration::from_secs(15)); + false + } + Err(Status(code, resp)) => { + info!( + "error checking health, got code: '{code}', with message: {}", + resp.status_text() + ); + false + } + Err(e) => { + warn!("Got error: {e}"); + false + } + } +} + +fn unseal(keyfile: &KeyFile, unseal_url: &str) { + let len = keyfile.keys.len(); + for (i, key) in keyfile.keys.iter().enumerate() { + let i = i + 1; + match ureq::post(unseal_url).send_json(json!({ "key": key })) { + Ok(resp) if resp.status() == 200 => { + if i < len { + info!("unsealed vault partially {i}/{len}"); + } else { + info!("fully unsealed vault {i}/{len}"); + } + } + Ok(resp) => warn!( + "error unsealing vault, got code '{}', with message: {}", + resp.status(), + resp.status_text() + ), + Err(err) => warn!("error unsealing vault: {err}"), + } + } +} + fn main() -> Result<(), Box> { dotenv().ok(); + let subscriber = FmtSubscriber::new(); + subscriber::set_global_default(subscriber)?; + let vault_addr = env::var("VAULT_ADDR")?; let file = env::var("VAULT_KEY_FILE")?; let interval = env::var("UNSEAL_INTERVAL").unwrap_or(String::from("15")); 
@@ -33,25 +94,10 @@ fn main() -> Result<(), Box> { let unseal_url = format!("{vault_addr}/v1/sys/unseal"); let health_url = format!("{vault_addr}/v1/sys/health"); - println!("Starting vault unsealer ..."); + info!("Starting vault unsealer at {vault_addr}"); loop { - match ureq::get(&health_url).call() { - Err(ureq::Error::Status(code, resp)) if code == 503 => { - if let Ok(HealthCheck { sealed: true }) = resp.into_json() { - for key in &keyfile.keys { - match ureq::post(&unseal_url).send_json(json!({ "key": key })) { - Ok(resp) if resp.status() != 200 => eprintln!("error unsealing vault"), - Ok(_) => println!("unsealed vault partially"), - Err(err) => eprintln!("error unsealing vault: {err}"), - } - } - } else { - eprintln!("Can't unseal"); - } - } - Err(ureq::Error::Status(_, _)) => (), - Err(e) => eprintln!("{e}"), - _ => (), + if is_sealed(&health_url) { + unseal(&keyfile, &unseal_url); } thread::sleep(interval); From a2830d8a58c304289cc6a3e1876116ad730dc985 Mon Sep 17 00:00:00 2001 From: Vivian Roest Date: Mon, 1 May 2023 14:56:24 +0200 Subject: [PATCH 09/23] better integration by looking at docs --- src/main.rs | 52 ++++++++++++++++++++++++++++++---------------------- 1 file changed, 30 insertions(+), 22 deletions(-) diff --git a/src/main.rs b/src/main.rs index b9e0e51..361a41c 100644 --- a/src/main.rs +++ b/src/main.rs 
@@ -17,28 +17,30 @@ struct KeyFile { } #[derive(Debug, Deserialize)] -struct HealthCheck { +struct UnsealResponse { sealed: bool, + t: u8, + n: u8, + progress: u8, } +/// returns true if the vault is sealed +/// +/// see: https://developer.hashicorp.com/vault/api-docs/system/health fn is_sealed(health_url: &str) -> bool { - fn parse_hc(x: Response) -> bool { - match x.into_json() { - Ok(HealthCheck { sealed }) => sealed, - Err(_) => false, - } - } - let resp = ureq::get(health_url).call(); match resp { - Ok(x) => parse_hc(x), - Err(Status(503, resp)) => parse_hc(resp), - Err(Status(429, _)) => { - info!("got code 429: too many requests, waiting"); - // too many requests - thread::sleep(Duration::from_secs(15)); + Ok(r) if r.status() == 200 => false, + Ok(r) => { + warn!( + "unexpected status code: '{}': {}", + r.status(), + r.status_text() + ); false } + Err(Status(429, _)) => false, // Unsealed and standby + Err(Status(503, _)) => true, // Sealed Err(Status(code, resp)) => { info!( "error checking health, got code: '{code}', with message: {}", @@ -47,22 +49,28 @@ fn is_sealed(health_url: &str) -> bool { false } Err(e) => { - warn!("Got error: {e}"); + warn!("error checking health: {e}"); false } } } fn unseal(keyfile: &KeyFile, unseal_url: &str) { - let len = keyfile.keys.len(); - for (i, key) in keyfile.keys.iter().enumerate() { - let i = i + 1; + for key in keyfile.keys.iter().enumerate() { match ureq::post(unseal_url).send_json(json!({ "key": key })) { Ok(resp) if resp.status() == 200 => { - if i < len { - info!("unsealed vault partially {i}/{len}"); - } else { - info!("fully unsealed vault {i}/{len}"); + if let Ok(UnsealResponse { + sealed, + t, + progress, + .. + }) = resp.into_json() + { + if !sealed { + info!("vault unsealed"); + return; + } + info!("unsealed vault partially {progress}/{t}"); } } Ok(resp) => warn!( From 1ae049d04d885b2a33389d58f590a639645470c8 Mon Sep 17 00:00:00 2001 
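Review bot: In the rewritten `unseal` body, `for key in keyfile.keys.iter().enumerate()` binds `key` to an `(index, share)` tuple, so the JSON sent is `"key": [0, "…"]` rather than the share itself and Vault will reject every submission; the loop should be `for key in keyfile.keys.iter()`. Also, a 200 response whose body does not parse as `UnsealResponse` is dropped silently by the `if let Ok(...)`, so the loop keeps submitting remaining shares with no record of why progress is unknown; add `else { warn!("could not parse unseal response") }` on that `if let`. The early `return` once `sealed` is false is a good change — it stops shares being sent after the threshold is met.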
From: Victor Date: Mon, 1 May 2023 14:56:24 +0200 Subject: [PATCH 10/23] better integration by looking at docs --- src/main.rs | 52 ++++++++++++++++++++++++++++++---------------------- 1 file changed, 30 insertions(+), 22 deletions(-) diff --git a/src/main.rs b/src/main.rs index b9e0e51..361a41c 100644 --- a/src/main.rs +++ b/src/main.rs @@ -17,28 +17,30 @@ struct KeyFile { } #[derive(Debug, Deserialize)] -struct HealthCheck { +struct UnsealResponse { sealed: bool, + t: u8, + n: u8, + progress: u8, } +/// returns true if the vault is sealed +/// +/// see: https://developer.hashicorp.com/vault/api-docs/system/health fn is_sealed(health_url: &str) -> bool { - fn parse_hc(x: Response) -> bool { - match x.into_json() { - Ok(HealthCheck { sealed }) => sealed, - Err(_) => false, - } - } - let resp = ureq::get(health_url).call(); match resp { - Ok(x) => parse_hc(x), - Err(Status(503, resp)) => parse_hc(resp), - Err(Status(429, _)) => { - info!("got code 429: too many requests, waiting"); - // too many requests - thread::sleep(Duration::from_secs(15)); + Ok(r) if r.status() == 200 => false, + Ok(r) => { + warn!( + "unexpected status code: '{}': {}", + r.status(), + r.status_text() + ); false } + Err(Status(429, _)) => false, // Unsealed and standby + Err(Status(503, _)) => true, // Sealed Err(Status(code, resp)) => { info!( "error checking health, got code: '{code}', with message: {}", 
@@ -47,22 +49,28 @@ fn is_sealed(health_url: &str) -> bool { false } Err(e) => { - warn!("Got error: {e}"); + warn!("error checking health: {e}"); false } } } fn unseal(keyfile: &KeyFile, unseal_url: &str) { - let len = keyfile.keys.len(); - for (i, key) in keyfile.keys.iter().enumerate() { - let i = i + 1; + for key in keyfile.keys.iter().enumerate() { match ureq::post(unseal_url).send_json(json!({ "key": key })) { Ok(resp) if resp.status() == 200 => { - if i < len { - info!("unsealed vault partially {i}/{len}"); - } else { - info!("fully unsealed vault {i}/{len}"); + if let Ok(UnsealResponse { + sealed, + t, + progress, + .. + }) = resp.into_json() + { + if !sealed { + info!("vault unsealed"); + return; + } + info!("unsealed vault partially {progress}/{t}"); } } Ok(resp) => warn!( From 1e5acefff6c9c56125ad186620bfe03f982f381f Mon Sep 17 00:00:00 2001 From: Vivian Roest Date: Tue, 2 May 2023 09:04:52 +0200 Subject: [PATCH 11/23] fix bug --- src/main.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/main.rs b/src/main.rs index 361a41c..9a0b185 100644 --- a/src/main.rs +++ b/src/main.rs @@ -9,7 +9,6 @@ use std::{env, fs::File}; use tracing::{info, subscriber, warn}; use tracing_subscriber::FmtSubscriber; use ureq::Error::Status; -use ureq::Response; #[derive(Debug, Deserialize)] struct KeyFile { @@ -56,7 +55,7 @@ fn is_sealed(health_url: &str) -> bool { } fn unseal(keyfile: &KeyFile, unseal_url: &str) { - for key in keyfile.keys.iter().enumerate() { + for key in keyfile.keys.iter() { match ureq::post(unseal_url).send_json(json!({ "key": key })) { Ok(resp) if resp.status() == 200 => { if let Ok(UnsealResponse { @@ -73,7 +72,7 @@ fn unseal(keyfile: &KeyFile, unseal_url: &str) { info!("unsealed vault partially {progress}/{t}"); } } - Ok(resp) => warn!( + Ok(resp) | Err(Status(_, resp)) => warn!( "error unsealing vault, got code '{}', with message: {}", resp.status(), resp.status_text() 
From 9f30a8243adc66f3b4a77ec1d6895f37b602fd80 Mon Sep 17 00:00:00 2001 From: Victor Date: Tue, 2 May 2023 09:04:52 +0200 Subject: [PATCH 12/23] fix bug --- src/main.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/main.rs b/src/main.rs index 361a41c..9a0b185 100644 --- a/src/main.rs +++ b/src/main.rs @@ -9,7 +9,6 @@ use std::{env, fs::File}; use tracing::{info, subscriber, warn}; use tracing_subscriber::FmtSubscriber; use ureq::Error::Status; -use ureq::Response; #[derive(Debug, Deserialize)] struct KeyFile { @@ -56,7 +55,7 @@ fn is_sealed(health_url: &str) -> bool { } fn unseal(keyfile: &KeyFile, unseal_url: &str) { - for key in keyfile.keys.iter().enumerate() { + for key in keyfile.keys.iter() { match ureq::post(unseal_url).send_json(json!({ "key": key })) { Ok(resp) if resp.status() == 200 => { if let Ok(UnsealResponse { @@ -73,7 +72,7 @@ fn unseal(keyfile: &KeyFile, unseal_url: &str) { info!("unsealed vault partially {progress}/{t}"); } } - Ok(resp) => warn!( + Ok(resp) | Err(Status(_, resp)) => warn!( "error unsealing vault, got code '{}', with message: {}", resp.status(), resp.status_text() From f34cef0f86f066af078688f83acd203d06c967eb Mon Sep 17 00:00:00 2001 From: Vivian Roest Date: Tue, 2 May 2023 09:05:27 +0200 Subject: [PATCH 13/23] bump version --- Cargo.lock | 2 +- Cargo.toml | 2 +- flake.nix | 3 +-- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d62f8a1..ee22a5a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -437,7 +437,7 @@ checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d" [[package]] name = "vault-unseal" -version = "0.2.0" +version = "0.3.0" dependencies = [ "dotenv", "serde", diff --git a/Cargo.toml b/Cargo.toml index 96bbe99..a67543d 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -1,6 +1,6 @@ [package] name = "vault-unseal" -version = "0.2.0" +version = "0.3.0" edition = "2021" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html diff --git a/flake.nix b/flake.nix index 956bc89..ce3034b 100644 --- a/flake.nix +++ b/flake.nix @@ -16,8 +16,7 @@ pname = toml.package.name; version = toml.package.version; src = self; - cargoSha256 = - "sha256-eOvTR7TpFpi83J3G8HPXgOBryTzkq4XWp6CER6UDCbo="; + cargoLock.lockFile = ./Cargo.lock; }; }; }); From cafb08b4cd6c1f2a3ddf4acfeccf63dac7a12e4f Mon Sep 17 00:00:00 2001 From: Victor Date: Tue, 2 May 2023 09:05:27 +0200 Subject: [PATCH 14/23] bump version --- Cargo.lock | 2 +- Cargo.toml | 2 +- flake.nix | 3 +-- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d62f8a1..ee22a5a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -437,7 +437,7 @@ checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d" [[package]] name = "vault-unseal" -version = "0.2.0" +version = "0.3.0" dependencies = [ "dotenv", "serde", diff --git a/Cargo.toml b/Cargo.toml index 96bbe99..a67543d 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "vault-unseal" -version = "0.2.0" +version = "0.3.0" edition = "2021" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html diff --git a/flake.nix b/flake.nix index 956bc89..ce3034b 100644 --- a/flake.nix +++ b/flake.nix @@ -16,8 +16,7 @@ pname = toml.package.name; version = toml.package.version; src = self; - cargoSha256 = - "sha256-eOvTR7TpFpi83J3G8HPXgOBryTzkq4XWp6CER6UDCbo="; + cargoLock.lockFile = ./Cargo.lock; }; }; }); From a481f4950a82ef83329665b50cb227160d653e5e Mon Sep 17 00:00:00 2001 From: Vivian Roest Date: Tue, 2 May 2023 09:34:26 +0200 Subject: [PATCH 15/23] some docs --- README.md | 14 +++++++++++++- example_keys.json | 7 +++++++ 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 example_keys.json 
diff --git a/README.md b/README.md index 96d9af6..f64b699 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,14 @@ # Vault Unsealer -This is a simple Rust program that automatically unseals a hashicorp vault instance +This is a simple Rust program that automatically unseals a hashicorp vault instance. + +| :exclamation: this method of unsealing the vault is not recommended if you have high security requirements! | +|-----------------------------------------| + + +## Environment Variables + +| env var | default | description | +| ---------- | ------- | ----------- | +| VAULT_ADDR | - | address of the vault server | +| VAULT_KEY_FILE | - | json file containing vault unseal key(s), see [./example_keys.json](./example_keys.json) | +| UNSEAL_INTERVAL | 15 | seconds to wait between checks / unseal attempts | diff --git a/example_keys.json b/example_keys.json new file mode 100644 index 0000000..84daa77 --- /dev/null +++ b/example_keys.json @@ -0,0 +1,7 @@ +{ + "keys": [ + "a", + "b", + "c" + ] +} From f7a851879c1bcb02863a8e7d17fc789d5dc9c861 Mon Sep 17 00:00:00 2001 From: Victor Date: Tue, 2 May 2023 09:34:26 +0200 Subject: [PATCH 16/23] some docs --- README.md | 14 +++++++++++++- example_keys.json | 7 +++++++ 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 example_keys.json diff --git a/README.md b/README.md index 96d9af6..f64b699 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,14 @@ # Vault Unsealer -This is a simple Rust program that automatically unseals a hashicorp vault instance +This is a simple Rust program that automatically unseals a hashicorp vault instance. + +| :exclamation: this method of unsealing the vault is not recommended if you have high security requirements! | +|-----------------------------------------| + + +## Environment Variables + +| env var | default | description | +| ---------- | ------- | ----------- | +| VAULT_ADDR | - | address of the vault server | +| VAULT_KEY_FILE | - | json file containing vault unseal key(s), see [./example_keys.json](./example_keys.json) | +| UNSEAL_INTERVAL | 15 | seconds to wait between checks / unseal attempts | diff --git a/example_keys.json b/example_keys.json new file mode 100644 index 0000000..84daa77 --- /dev/null +++ b/example_keys.json @@ -0,0 +1,7 @@ +{ + "keys": [ + "a", + "b", + "c" + ] +} From 2f560c160745c5ae36f466b17a3b4c2627bce381 Mon Sep 17 00:00:00 2001 From: Vivian Roest Date: Tue, 2 May 2023 09:42:01 +0200 Subject: [PATCH 17/23] minor cleanup --- README.md | 7 +++---- src/main.rs | 3 +++ 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f64b699..aa2c84e 100644 --- a/README.md +++ b/README.md 
@@ -1,14 +1,13 @@ # Vault Unsealer -This is a simple Rust program that automatically unseals a hashicorp vault instance. - | :exclamation: this method of unsealing the vault is not recommended if you have high security requirements! | |-----------------------------------------| +This is a simple Rust program that automatically unseals a hashicorp vault instance given a list of keys. ## Environment Variables | env var | default | description | -| ---------- | ------- | ----------- | +| ---------- | :-------: | ----------- | | VAULT_ADDR | - | address of the vault server | -| VAULT_KEY_FILE | - | json file containing vault unseal key(s), see [./example_keys.json](./example_keys.json) | +| VAULT_KEY_FILE | - | a JSON file containing vault unseal key(s), see [./example_keys.json](./example_keys.json). | | UNSEAL_INTERVAL | 15 | seconds to wait between checks / unseal attempts | diff --git a/src/main.rs b/src/main.rs index 9a0b185..ae1e26e 100644 --- a/src/main.rs +++ b/src/main.rs @@ -54,6 +54,9 @@ fn is_sealed(health_url: &str) -> bool { } } +/// Unseals a vault given keys and url +/// +/// See: https://developer.hashicorp.com/vault/api-docs/system/unseal fn unseal(keyfile: &KeyFile, unseal_url: &str) { for key in keyfile.keys.iter() { match ureq::post(unseal_url).send_json(json!({ "key": key })) { From 0e4f945e1ee134029954b0b1ab591942c3e5c437 Mon Sep 17 00:00:00 2001 From: Victor Date: Tue, 2 May 2023 09:42:01 +0200 Subject: [PATCH 18/23] minor cleanup --- README.md | 7 +++---- src/main.rs | 3 +++ 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f64b699..aa2c84e 100644 --- a/README.md +++ b/README.md 
@@ -1,14 +1,13 @@ # Vault Unsealer -This is a simple Rust program that automatically unseals a hashicorp vault instance. - | :exclamation: this method of unsealing the vault is not recommended if you have high security requirements! | |-----------------------------------------| +This is a simple Rust program that automatically unseals a hashicorp vault instance given a list of keys. ## Environment Variables | env var | default | description | -| ---------- | ------- | ----------- | +| ---------- | :-------: | ----------- | | VAULT_ADDR | - | address of the vault server | -| VAULT_KEY_FILE | - | json file containing vault unseal key(s), see [./example_keys.json](./example_keys.json) | +| VAULT_KEY_FILE | - | a JSON file containing vault unseal key(s), see [./example_keys.json](./example_keys.json). | | UNSEAL_INTERVAL | 15 | seconds to wait between checks / unseal attempts | diff --git a/src/main.rs b/src/main.rs index 9a0b185..ae1e26e 100644 --- a/src/main.rs +++ b/src/main.rs @@ -54,6 +54,9 @@ fn is_sealed(health_url: &str) -> bool { } } +/// Unseals a vault given keys and url +/// +/// See: https://developer.hashicorp.com/vault/api-docs/system/unseal fn unseal(keyfile: &KeyFile, unseal_url: &str) { for key in keyfile.keys.iter() { match ureq::post(unseal_url).send_json(json!({ "key": key })) { From e62bb8d775d6c8f3d745777a1b7218375db0581b Mon Sep 17 00:00:00 2001 From: Vivian Roest Date: Tue, 2 May 2023 09:47:37 +0200 Subject: [PATCH 19/23] add ci --- .woodpecker.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .woodpecker.yml diff --git a/.woodpecker.yml b/.woodpecker.yml new file mode 100644 index 0000000..144183e --- /dev/null +++ b/.woodpecker.yml @@ -0,0 +1,7 @@ +pipeline: + build: + image: nixos/nix:2.15.0 + environment: + - NIX_CONFIG=experimental-features = nix-command flakes + commands: + - nix build From 6f14773879c0e54aaf04fb5d76a1de480f98c645 Mon Sep 17 00:00:00 2001 
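Review bot: The builder image in the new `.woodpecker.yml` is pinned by tag only (`image: nixos/nix:2.15.0`); a tag is mutable, so the toolchain that runs `nix build` can change underneath the flake.lock-pinned inputs, which undercuts the reproducibility the lockfile is there to give. Pinning by digest closes that gap, e.g. `image: nixos/nix:2.15.0@sha256:<IMAGE_DIGEST>` (placeholder — take the digest from the registry at the time of pinning), assuming the Woodpecker backend accepts digest references. A short comment above the `image:` line recording why the digest is pinned would keep the next bump from silently dropping it. PATCH 20 adds the identical file and needs the same change.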
From: Victor Date: Tue, 2 May 2023 09:47:37 +0200 Subject: [PATCH 20/23] add ci --- .woodpecker.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .woodpecker.yml diff --git a/.woodpecker.yml b/.woodpecker.yml new file mode 100644 index 0000000..144183e --- /dev/null +++ b/.woodpecker.yml @@ -0,0 +1,7 @@ +pipeline: + build: + image: nixos/nix:2.15.0 + environment: + - NIX_CONFIG=experimental-features = nix-command flakes + commands: + - nix build From 637a9f90cb7f752069d9d4143bfff1b29b9725d7 Mon Sep 17 00:00:00 2001 From: Vivian Roest Date: Tue, 2 May 2023 09:51:14 +0200 Subject: [PATCH 21/23] add ci badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index aa2c84e..b0d441f 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Vault Unsealer +# Vault Unsealer [![ci status badege](https://ci.0x76.dev/api/badges/v/vault-unseal/status.svg)](https://ci.0x76.dev/v/vault-unseal) | :exclamation: this method of unsealing the vault is not recommended if you have high security requirements! | |-----------------------------------------| From 91e7262e87878609c2d6619210988b241e8f8f62 Mon Sep 17 00:00:00 2001 From: Victor Date: Tue, 2 May 2023 09:51:14 +0200 Subject: [PATCH 22/23] add ci badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index aa2c84e..b0d441f 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Vault Unsealer +# Vault Unsealer [![ci status badege](https://ci.0x76.dev/api/badges/v/vault-unseal/status.svg)](https://ci.0x76.dev/v/vault-unseal) | :exclamation: this method of unsealing the vault is not recommended if you have high security requirements! | |-----------------------------------------| From f05093a8d608892d2e4499e02117428b405f82a1 Mon Sep 17 00:00:00 2001 From: Vivian Date: Sun, 20 Oct 2024 09:54:33 +0200 Subject: [PATCH 23/23] remove CI badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index b0d441f..cbd127a 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Vault Unsealer [![ci status badege](https://ci.0x76.dev/api/badges/v/vault-unseal/status.svg)](https://ci.0x76.dev/v/vault-unseal) +# Vault Unsealer | :exclamation: this method of unsealing the vault is not recommended if you have high security requirements! | |-----------------------------------------|