void FixedUpdate() { if (KeoCacheDriver.editInProgress != editInProgressFlag) { UpdateEvents(); } if (HighLogic.LoadedSceneIsFlight) { switch (vaultStatus) { case VaultStatus.opening: if (_deployAnimation.animTime == 0f) { Events["CloseVault"].active = true; Events["CloseVault"].guiActiveUnfocused = true; vaultStatus = VaultStatus.idle; } break; case VaultStatus.closing: if (_deployAnimation.animTime == 1f) { Events["OpenVault"].active = true; Events["OpenVault"].guiActiveUnfocused = true; vaultStatus = VaultStatus.idle; } break; } } }
public void CloseVault() { Log.Info("KeoCacheModule.CloseVault"); Events["CloseVault"].active = false; Events["CloseVault"].guiActiveUnfocused = false; vaultStatus = VaultStatus.closing; if (_deployAnimation != null) { _deployAnimation.Toggle(); } }
public VaultEditor(string filePath) { InitializeComponent(); _VaultService = new VaultService(); _Vault = _VaultService.OpenVaultFile(filePath); if (_Vault.IsInitialized) { InitializeButton.Visibility = Visibility.Hidden; } if (_Vault.IsUnlocked || !_Vault.IsInitialized) { UnlockButton.Visibility = Visibility.Hidden; } if (!_Vault.IsUnlocked || !_Vault.IsInitialized) { // If we have not unlocked the vault, it cannot be modified. NewSecretButton.IsEnabled = false; } }
/// <inheritdoc/> public override void Run(CommandLine commandLine) { // Split the command line on "--". var split = commandLine.Split(SplitItem); var leftCommandLine = split.Left; var rightCommandLine = split.Right; // Basic initialization. if (leftCommandLine.HasHelpOption) { Console.WriteLine(usage); Program.Exit(0); } // Initialize the hive. var hiveLogin = Program.ConnectHive(); hive = new HiveProxy(hiveLogin); vaultCredentials = hiveLogin.VaultCredentials; if (rightCommandLine == null) { Console.WriteLine("*** ERROR: The [--] command separator is required."); Console.WriteLine(); Console.WriteLine(usage); Program.Exit(1); } // Determine which node we're going to target. SshProxy <NodeDefinition> node; string nodeName = leftCommandLine.GetOption("--node", null); CommandBundle bundle; CommandResponse response; bool failed = false; if (!string.IsNullOrEmpty(nodeName)) { node = hive.GetNode(nodeName); } else { node = hive.GetReachableManager(); } var command = rightCommandLine.Arguments.FirstOrDefault();; switch (command) { case "init": case "rekey": case "server": case "ssh": Console.Error.WriteLine($"*** ERROR: [neon vault {command}] is not supported."); Program.Exit(1); break; case "seal": // Just run the command on the target node if one was specified. if (nodeName != null) { ExecuteOnNode(node, rightCommandLine); return; } // We need to seal the Vault instance on every manager node unless a // specific node was requsted via [--node]. // // Note also that it's not possible to seal a node that's in standby // mode so we'll restart the Vault container instead. Console.WriteLine(); if (!string.IsNullOrEmpty(nodeName)) { response = node.SudoCommand($"vault-direct status"); if (response.ExitCode != 0) { Console.WriteLine($"[{node.Name}] is already sealed"); } else { var vaultStatus = new VaultStatus(response.OutputText); if (vaultStatus.HAMode == "standby") { Console.WriteLine($"[{node.Name}] restarting to seal standby node..."); response = node.SudoCommand($"systemctl restart vault"); if (response.ExitCode == 0) { Console.WriteLine($"[{node.Name}] sealed"); } else { Console.WriteLine($"[{node.Name}] restart failed"); } } else { Console.WriteLine($"[{node.Name}] sealing..."); response = node.SudoCommand($"export VAULT_TOKEN={vaultCredentials.RootToken} && vault-direct operator seal", RunOptions.Redact); if (response.ExitCode == 0) { Console.WriteLine($"[{node.Name}] sealed"); } else { Console.WriteLine($"[{node.Name}] seal failed"); } } } failed = response.ExitCode != 0; } else { foreach (var manager in hive.Managers) { try { response = manager.SudoCommand($"vault-direct status"); } catch (SshOperationTimeoutException) { Console.WriteLine($"[{manager.Name}] ** unavailable **"); continue; } var vaultStatus = new VaultStatus(response.OutputText); if (response.ExitCode != 0) { Console.WriteLine($"[{manager.Name}] is already sealed"); } else { response = manager.SudoCommand($"vault-direct operator seal"); if (vaultStatus.HAMode == "standby") { Console.WriteLine($"[{manager.Name}] restarting to seal standby node..."); response = manager.SudoCommand($"systemctl restart vault"); if (response.ExitCode == 0) { Console.WriteLine($"[{manager.Name}] restart/seal [standby]"); } else { Console.WriteLine($"[{manager.Name}] restart/seal failed [standby]"); } } else { Console.WriteLine($"[{manager.Name}] sealing..."); response = manager.SudoCommand($"export VAULT_TOKEN={vaultCredentials.RootToken} && vault-direct operator seal", RunOptions.Redact); if (response.ExitCode == 0) { Console.WriteLine($"[{manager.Name}] sealed"); } else { failed = true; Console.WriteLine($"[{manager.Name}] seal failed"); } } } } if (!failed) { // Disable auto unseal until the operator explicitly unseals Vault again. hive.Consul.Client.KV.PutBool($"{HiveConst.GlobalKey}/{HiveGlobals.UserDisableAutoUnseal}", true).Wait(); } Program.Exit(failed ? 1 : 0); } break; case "status": // Just run the command on the target node if one was specified. if (nodeName != null) { ExecuteOnNode(node, rightCommandLine); return; } // We need to obtain the status from the Vault instance on every manager node unless a // specific node was requsted via [--node]. Console.WriteLine(); if (!string.IsNullOrEmpty(nodeName)) { response = node.SudoCommand("vault-direct status"); Console.WriteLine(response.AllText); Program.Exit(response.ExitCode); } else { var allSealed = true; foreach (var manager in hive.Managers) { try { response = manager.SudoCommand("vault-direct status"); } catch (SshOperationTimeoutException) { Console.WriteLine($"[{manager.Name}] ** unavailable **"); continue; } var vaultStatus = new VaultStatus(response.OutputText); if (response.ExitCode == 0) { allSealed = false; var status = vaultStatus.HAMode; if (status == "active") { status += " <-- LEADER"; } Console.WriteLine($"[{manager.Name}] unsealed {status}"); } else if (response.ExitCode == 2) { Console.WriteLine($"[{manager.Name}] sealed"); } else { failed = true; Console.WriteLine($"[{manager.Name}] error getting status"); } } if (allSealed) { Program.Exit(2); } else { Program.Exit(failed ? 1 : 0); } } break; case "unseal": // Just run the command on the target node if one was specified. if (nodeName != null) { ExecuteOnNode(node, rightCommandLine); return; } // We need to unseal the Vault instance on every manager node unless a // specific node was requsted via [--node]. Console.WriteLine(); if (!string.IsNullOrEmpty(nodeName)) { // Verify that the instance isn't already unsealed. response = node.SudoCommand($"vault-direct status"); if (response.ExitCode == 2) { Console.WriteLine($"[{node.Name}] unsealing..."); } else if (response.ExitCode == 0) { Console.WriteLine($"[{node.Name}] is already unsealed"); break; } else { Console.WriteLine($"[{node.Name}] unseal failed"); Program.Exit(response.ExitCode); } // Note that we're passing the [-reset] option to ensure that // any keys from previous attempts have been cleared. node.SudoCommand($"vault-direct operator unseal -reset"); foreach (var key in vaultCredentials.UnsealKeys) { response = node.SudoCommand($"vault-direct operator unseal {key}", RunOptions.None); if (response.ExitCode != 0) { Console.WriteLine($"[{node.Name}] unseal failed"); Program.Exit(1); } } Console.WriteLine($"[{node.Name}] unsealed"); } else { var commandFailed = false; foreach (var manager in hive.Managers) { // Verify that the instance isn't already unsealed. try { response = manager.SudoCommand($"vault-direct status"); } catch (SshOperationTimeoutException) { Console.WriteLine($"[{manager.Name}] ** unavailable **"); continue; } if (response.ExitCode == 2) { Console.WriteLine($"[{manager.Name}] unsealing..."); } else if (response.ExitCode == 0) { Console.WriteLine($"[{manager.Name}] is already unsealed"); continue; } else { Console.WriteLine($"[{manager.Name}] unseal failed"); continue; } // Note that we're passing the [-reset] option to ensure that // any keys from previous attempts have been cleared. manager.SudoCommand($"vault-direct operator unseal -reset"); foreach (var key in vaultCredentials.UnsealKeys) { response = manager.SudoCommand($"vault-direct operator unseal {key}", RunOptions.None); if (response.ExitCode != 0) { failed = true; commandFailed = true; Console.WriteLine($"[{manager.Name}] unseal failed"); } } if (!failed) { Console.WriteLine($"[{manager.Name}] unsealed"); } } if (!commandFailed) { // Reenable auto unseal. hive.Consul.Client.KV.PutBool($"{HiveConst.GlobalKey}/{HiveGlobals.UserDisableAutoUnseal}", false).Wait(); } Program.Exit(commandFailed ? 1 : 0); } break; case "write": { // We need handle any [key=@file] arguments specially by including them // in a command bundle as data files. var files = new List <CommandFile>(); var commandString = rightCommandLine.ToString(); foreach (var dataArg in rightCommandLine.Arguments.Skip(2)) { var fields = dataArg.Split(new char[] { '=' }, 2); if (fields.Length == 2 && fields[1].StartsWith("@")) { var fileName = fields[1].Substring(1); var localFileName = $"{files.Count}.data"; files.Add( new CommandFile() { Path = localFileName, Data = File.ReadAllBytes(fileName) }); commandString = commandString.Replace($"@{fileName}", $"@{localFileName}"); } } bundle = new CommandBundle($"export VAULT_TOKEN={vaultCredentials.RootToken} && {remoteVaultPath} {commandString}"); foreach (var file in files) { bundle.Add(file); } response = node.SudoCommand(bundle, RunOptions.IgnoreRemotePath | RunOptions.Redact); Console.WriteLine(response.AllText); Program.Exit(response.ExitCode); } break; case "policy-write": // The last command line item is either: // // * A "-", indicating that the content should come from standard input. // * A file name prefixed by "@" // * A string holding JSON or HCL if (rightCommandLine.Items.Length < 2) { response = node.SudoCommand($"export VAULT_TOKEN={vaultCredentials.RootToken} && {remoteVaultPath} {rightCommandLine}", RunOptions.IgnoreRemotePath | RunOptions.Redact); Console.WriteLine(response.AllText); Program.Exit(response.ExitCode); } var lastItem = rightCommandLine.Items.Last(); var policyText = string.Empty; if (lastItem == "-") { policyText = NeonHelper.ReadStandardInputText(); } else if (lastItem.StartsWith("@")) { policyText = File.ReadAllText(lastItem.Substring(1), Encoding.UTF8); } else { policyText = lastItem; } // We're going to upload a text file holding the policy text and // then run a script piping the policy file into the Vault command passed, // with the last item replaced by a "-". bundle = new CommandBundle("./set-vault-policy.sh.sh"); var sbScript = new StringBuilder(); sbScript.AppendLine($"export VAULT_TOKEN={vaultCredentials.RootToken}"); sbScript.Append($"cat policy | {remoteVaultPath}"); for (int i = 0; i < rightCommandLine.Items.Length - 1; i++) { sbScript.Append(' '); sbScript.Append(rightCommandLine.Items[i]); } sbScript.AppendLine(" -"); bundle.AddFile("set-vault-policy.sh", sbScript.ToString(), isExecutable: true); bundle.AddFile("policy", policyText); response = node.SudoCommand(bundle, RunOptions.IgnoreRemotePath | RunOptions.Redact); Console.WriteLine(response.AllText); Program.Exit(response.ExitCode); break; default: ExecuteOnNode(node, rightCommandLine); break; } }
public InitializeVaultWindow(VaultStatus vaultStatus, VaultEditor editor) { InitializeComponent(); _VaultStatus = vaultStatus; _Editor = editor; }