🧹 remove internal vault since it is easier to configure via inventory…

… file
mondoohq · Aug 13, 2023 · fd08d5d · fd08d5d
1 parent aa233e3
commit fd08d5d
Showing 1 changed file with 77 additions and 157 deletions.
diff --git a/apps/cnspec/cmd/vault.go b/apps/cnspec/cmd/vault.go
@@ -3,39 +3,34 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"os"
 	"strings"
 
+	v1 "go.mondoo.com/cnquery/motor/inventory/v1"
+
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"go.mondoo.com/cnquery/motor/vault"
-	"go.mondoo.com/cnquery/motor/vault/config"
 )
 
 func init() {
-	vaultListCmd.Flags().Bool("show-options", false, "displays configured options")
-	vaultCmd.AddCommand(vaultListCmd)
-
 	vaultConfigureCmd.Flags().String("type", "", "possible values: "+strings.Join(vault.TypeIds(), " | "))
 	vaultConfigureCmd.Flags().StringToString("option", nil, "addition vault connection options, multiple options via --option key=value")
+	vaultConfigureCmd.Flags().String("inventory-file", "", "Set the path to the inventory file.")
 	vaultCmd.AddCommand(vaultConfigureCmd)
 
+	vaultAddSecretCmd.Flags().String("inventory-file", "", "Set the path to the inventory file.")
+	vaultAddSecretCmd.MarkFlagRequired("inventory-file")
+
+	vaultListCmd.Flags().Bool("show-options", false, "displays configured options")
+	vaultCmd.AddCommand(vaultListCmd)
 	vaultCmd.AddCommand(vaultRemoveCmd)
 	vaultCmd.AddCommand(vaultResetCmd)
-
 	vaultCmd.AddCommand(vaultAddSecretCmd)
-
 	rootCmd.AddCommand(vaultCmd)
 }
 
-func emptyVaultConfigSecret() *vault.Secret {
-	return &vault.Secret{
-		Key:   config.VaultConfigStoreKey,
-		Label: "User Vault Settings",
-		Data:  config.ClientVaultConfig{}.SecretData(),
-	}
-}
-
 // vaultCmd represents the vault command
 var vaultCmd = &cobra.Command{
 	Use:   "vault",
@@ -44,40 +39,37 @@ var vaultCmd = &cobra.Command{
 }
 
 var vaultListCmd = &cobra.Command{
-	Use:   "list",
-	Short: "List vault environments.",
-	Long:  ``,
+	Use:    "list",
+	Short:  "List vault environments.",
+	Long:   ``,
+	Hidden: true,
 	PreRun: func(cmd *cobra.Command, args []string) {
 		viper.BindPFlag("show-options", cmd.Flags().Lookup("show-options"))
 	},
 	Run: func(cmd *cobra.Command, args []string) {
-		v := config.GetInternalVault()
-		ctx := context.Background()
-		secret, err := v.Get(ctx, &vault.SecretID{
-			Key: config.VaultConfigStoreKey,
-		})
-		if err != nil {
-			log.Fatal().Msg("no vault configured")
-		}
-
-		showOptions := viper.GetBool("show-options")
+		log.Fatal().Msg("sub-command is not supported anymore, see https://mondoo.com/docs/platform/infra/opsys/automation/vault/ for how to use vault environments")
+	},
+}
 
-		vCfgs, err := config.NewClientVaultConfig(secret)
-		if err != nil {
-			log.Fatal().Err(err).Msg("could not unmarshal credential")
-		}
+var vaultRemoveCmd = &cobra.Command{
+	Use:    "remove VAULTNAME",
+	Short:  "Remove a configured vault environment.",
+	Long:   ``,
+	Hidden: true,
+	Args:   cobra.ExactArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		log.Fatal().Msg("sub-command is not supported anymore, see https://mondoo.com/docs/platform/infra/opsys/automation/vault/ for how to use vault environments")
+	},
+}
 
-		for k, vCfg := range vCfgs {
-			// print configured vault
-			fmt.Printf("vault  : %s (%s)\n", k, vCfg.Type.Value())
-			// print options if requested
-			if showOptions {
-				fmt.Printf("options:\n")
-				for ko, vo := range vCfg.Options {
-					fmt.Printf("  %s = %s\n", ko, vo)
-				}
-			}
-		}
+var vaultResetCmd = &cobra.Command{
+	Use:    "reset",
+	Short:  "Reset the vault configuration to defaults.",
+	Long:   ``,
+	Hidden: true,
+	Args:   cobra.ExactArgs(0),
+	Run: func(cmd *cobra.Command, args []string) {
+		log.Fatal().Msg("sub-command is not supported anymore, see https://mondoo.com/docs/platform/infra/opsys/automation/vault/ for how to use vault environments")
 	},
 }
 
@@ -87,154 +79,82 @@ var vaultConfigureCmd = &cobra.Command{
 	Short:   "Configure a vault environment.",
 	Long: `
 
-cnquery vault set mondoo-client-vault --type linux-kernel-keyring
+cnspec vault configure mondoo-client-vault --type linux-kernel-keyring
 
 `,
 	Args: cobra.ExactArgs(1),
 	PreRun: func(cmd *cobra.Command, args []string) {
 		viper.BindPFlag("type", cmd.Flags().Lookup("type"))
 		viper.BindPFlag("option", cmd.Flags().Lookup("option"))
+		viper.BindPFlag("inventory-file", cmd.Flags().Lookup("inventory-file"))
 	},
 	Run: func(cmd *cobra.Command, args []string) {
-		v := config.GetInternalVault()
-		ctx := context.Background()
-
-		secret, err := v.Get(ctx, &vault.SecretID{
-			Key: config.VaultConfigStoreKey,
-		})
-		// error happens on initial use, create a new configuration
-		if err != nil {
-			secret = emptyVaultConfigSecret()
-		}
-
-		vCfgs, err := config.NewClientVaultConfig(secret)
-		if err != nil {
-			log.Fatal().Err(err).Msg("could not load vault configuration")
-		}
-
-		// overwrite existing / set vault config
-		// field name = vault name
 		vt, err := vault.NewVaultType(viper.GetString("type"))
 		if err != nil {
-			log.Fatal().Err(err).Msg("could not load vault configuration")
+			log.Fatal().Err(err).Msg("invalid vault configuration type")
 		}
 
 		vaultName := args[0]
-		cfg := vault.VaultConfiguration{
+		cfg := &v1.VaultConfiguration{
 			Name:    vaultName,
-			Type:    vt,
+			Type:    vt.Value(),
 			Options: viper.GetStringMapString("option"),
 		}
 
-		vCfgs.Set(vaultName, cfg)
-		secret.Data = vCfgs.SecretData()
-
-		log.Info().Str("name", vaultName).Msg("set new vault configuration")
-		_, err = v.Set(ctx, secret)
-		if err != nil {
-			log.Fatal().Err(err).Msg("could not store update into vault")
-		}
-
-		log.Info().Msg("stored vault configuration successfully")
-	},
-}
-
-var vaultRemoveCmd = &cobra.Command{
-	Use:   "remove VAULTNAME",
-	Short: "Remove a configured vault environment.",
-	Long:  ``,
-	Args:  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		v := config.GetInternalVault()
-		ctx := context.Background()
-
-		secret, err := v.Get(ctx, &vault.SecretID{
-			Key: config.VaultConfigStoreKey,
-		})
-		if err != nil {
-			log.Fatal().Err(err).Msg("could not retrieve vault configuration")
-		}
-
-		vCfgs, err := config.NewClientVaultConfig(secret)
-		if err != nil {
-			log.Fatal().Err(err).Msg("could not load vault configuration")
-		}
-
-		vaultName := args[0]
-		vCfgs.Delete(vaultName)
-		secret.Data = vCfgs.SecretData()
-
-		log.Info().Str("name", vaultName).Msg("set new vault configuration")
-		_, err = v.Set(ctx, secret)
-		if err != nil {
-			log.Fatal().Err(err).Msg("could not update vault configuration")
-		}
-
-		log.Info().Msg("removed vault configuration successfully")
-	},
-}
-
-var vaultResetCmd = &cobra.Command{
-	Use:   "reset",
-	Short: "Reset the vault configuration to defaults.",
-	Long:  ``,
-	Args:  cobra.ExactArgs(0),
-	Run: func(cmd *cobra.Command, args []string) {
-		v := config.GetInternalVault()
-		ctx := context.Background()
+		inventoryFile := viper.GetString("inventory-file")
+		if inventoryFile != "" {
+			inventory, err := v1.InventoryFromFile(inventoryFile)
+			if err != nil {
+				log.Fatal().Err(err).Msg("could not load inventory")
+			}
+			inventory.Spec.Vault = cfg
 
-		_, err := v.Set(ctx, emptyVaultConfigSecret())
-		if err != nil {
-			log.Fatal().Err(err).Msg("could not retrieve vault configuration")
+			// store inventory file
+			data, err := inventory.ToYAML()
+			if err != nil {
+				log.Fatal().Err(err).Msg("could not marshal inventory")
+			}
+			err = os.WriteFile(viper.GetString("inventory-file"), data, 0o644)
+			log.Info().Msg("stored vault configuration successfully")
+		} else {
+			log.Info().Msg("add the following vault configuration to your inventory file")
+
+			inventory := &v1.Inventory{
+				Spec: &v1.InventorySpec{
+					Vault: cfg,
+				},
+			}
+			data, err := inventory.ToYAML()
+			if err != nil {
+				log.Fatal().Err(err).Msg("could not marshal vault configuration")
+			}
+			fmt.Println(string(data))
 		}
-
-		log.Info().Msg("removed vault configuration successfully")
 	},
 }
 
 var vaultAddSecretCmd = &cobra.Command{
-	Use:   "add-secret VAULTNAME SECRETID SECRETVALUE",
+	Use:   "add-secret SECRETID SECRETVALUE",
 	Short: "Store a secret in a vault.",
-	Args:  cobra.ExactArgs(3),
+	Args:  cobra.ExactArgs(2),
 	PreRun: func(cmd *cobra.Command, args []string) {
+		viper.BindPFlag("inventory-file", cmd.Flags().Lookup("inventory-file"))
 	},
 	Run: func(cmd *cobra.Command, args []string) {
-		v := config.GetInternalVault()
-		ctx := context.Background()
-
-		secret, err := v.Get(ctx, &vault.SecretID{
-			Key: config.VaultConfigStoreKey,
-		})
-		// error happens on initial use, create a new configuration
-		if err != nil {
-			secret = emptyVaultConfigSecret()
-		}
-
-		vCfgs, err := config.NewClientVaultConfig(secret)
+		log.Info().Msg("load vault configuration from inventory")
+		inventory, err := v1.InventoryFromFile(viper.GetString("inventory-file"))
 		if err != nil {
-			log.Fatal().Err(err).Msg("could not load vault configuration")
-		}
-
-		// search for vault
-		var selectedVaultCfg *vault.VaultConfiguration
-		for k, vCfg := range vCfgs {
-			if k != args[0] {
-				continue
-			}
-			selectedVaultCfg = &vCfg
-		}
-		if selectedVaultCfg == nil {
-			log.Fatal().Str("vault", args[0]).Msg("could not find vault")
+			log.Fatal().Err(err).Msg("could not load inventory")
 		}
 
-		selectedVault, err := config.New(selectedVaultCfg)
+		v, err := inventory.GetVault()
 		if err != nil {
-			log.Fatal().Msg("could not open vault")
+			log.Fatal().Err(err).Msg("could not load vault configuration from inventory")
 		}
 
-		_, err = selectedVault.Set(ctx, &vault.Secret{
-			Key:  args[1],
-			Data: []byte(args[2]),
+		_, err = v.Set(context.Background(), &vault.Secret{
+			Key:  args[0],
+			Data: []byte(args[1]),
 		})
 		if err != nil {
 			log.Fatal().Msg("could not store secret")