v/vault-unseal
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

better integration by looking at docs #1

Closed
v wants to merge 0 commits from handle-resp into main
pull from: handle-resp
merge into: v:main
Conversation 0 Commits - Files changed 7 +9 -35
7 changed files with 9 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.woodpecker.yml
View file

@ -1,7 +0,0 @@
pipeline:
build:
image: nixos/nix:2.15.0
environment:
- NIX_CONFIG=experimental-features = nix-command flakes
commands:
- nix build

2
Cargo.lock generated
View file

@ -437,7 +437,7 @@ checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d"
[[package]] [[package]]
name = "vault-unseal" name = "vault-unseal"
version = "0.3.0" version = "0.2.0"
dependencies = [ dependencies = [
"dotenv", "dotenv",
"serde", "serde",

2
Cargo.toml
View file

@ -1,6 +1,6 @@
[package] [package]
name = "vault-unseal" name = "vault-unseal"
version = "0.3.0" version = "0.2.0"
edition = "2021" edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

15
README.md
View file

@ -1,13 +1,2 @@
# Vault Unsealer # Vault Unsealer
| :exclamation: this method of unsealing the vault is not recommended if you have high security requirements! | This is a simple Rust program that automatically unseals a hashicorp vault instance
|-----------------------------------------|
This is a simple Rust program that automatically unseals a hashicorp vault instance given a list of keys.
## Environment Variables
| env var | default | description |
| ---------- | :-------: | ----------- |
| VAULT_ADDR | - | address of the vault server |
| VAULT_KEY_FILE | - | a JSON file containing vault unseal key(s), see [./example_keys.json](./example_keys.json). |
| UNSEAL_INTERVAL | 15 | seconds to wait between checks / unseal attempts |

7
example_keys.json
View file

@ -1,7 +0,0 @@
{
"keys": [
"a",
"b",
"c"
]
}

3
flake.nix
View file

@ -16,7 +16,8 @@
pname = toml.package.name; pname = toml.package.name;
version = toml.package.version; version = toml.package.version;
src = self; src = self;
cargoLock.lockFile = ./Cargo.lock; cargoSha256 =
"sha256-eOvTR7TpFpi83J3G8HPXgOBryTzkq4XWp6CER6UDCbo=";
}; };
}; };
}); });

8
src/main.rs
View file

@ -9,6 +9,7 @@ use std::{env, fs::File};
use tracing::{info, subscriber, warn}; use tracing::{info, subscriber, warn};
use tracing_subscriber::FmtSubscriber; use tracing_subscriber::FmtSubscriber;
use ureq::Error::Status; use ureq::Error::Status;
use ureq::Response;
#[derive(Debug, Deserialize)] #[derive(Debug, Deserialize)]
struct KeyFile { struct KeyFile {
@ -54,11 +55,8 @@ fn is_sealed(health_url: &str) -> bool {
} }
} }
/// Unseals a vault given keys and url
///
/// See: https://developer.hashicorp.com/vault/api-docs/system/unseal
fn unseal(keyfile: &KeyFile, unseal_url: &str) { fn unseal(keyfile: &KeyFile, unseal_url: &str) {
for key in keyfile.keys.iter() { for key in keyfile.keys.iter().enumerate() {
match ureq::post(unseal_url).send_json(json!({ "key": key })) { match ureq::post(unseal_url).send_json(json!({ "key": key })) {
Ok(resp) if resp.status() == 200 => { Ok(resp) if resp.status() == 200 => {
if let Ok(UnsealResponse { if let Ok(UnsealResponse {
@ -75,7 +73,7 @@ fn unseal(keyfile: &KeyFile, unseal_url: &str) {
info!("unsealed vault partially {progress}/{t}"); info!("unsealed vault partially {progress}/{t}");
} }
} }
Ok(resp) | Err(Status(_, resp)) => warn!( Ok(resp) => warn!(
"error unsealing vault, got code '{}', with message: {}", "error unsealing vault, got code '{}', with message: {}",
resp.status(), resp.status(),
resp.status_text() resp.status_text()