eising/sshecret
1
0
Fork 0
Code Issues 28 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Implement podman-compatible commands
All checks were successful
Build and push image / build-containers (push) Successful in 8m46s
Details

Browse Source
This commit is contained in:
Allan Eising
2025-06-10 10:28:17 +02:00
parent 782ec19137
commit 0eaa913e35
8 changed files with 414 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
packages/sshecret-admin/src/sshecret_admin/services/admin_backend.py
View File

@ -16,7 +16,7 @@ from sshecret.backend import (
Operation,
SubSystem,
)
from sshecret.backend.models import DetailedSecrets, Secret
from sshecret.backend.models import DetailedSecrets
from sshecret.backend.api import AuditAPI, KeySpec
from sshecret.crypto import encrypt_string, load_public_key

8
packages/sshecret-backend/src/sshecret_backend/api/clients/operations.py
View File

@ -130,6 +130,7 @@ class ClientOperations:
if not db_client:
raise HTTPException(status_code=404, detail="Client not found.")
if db_client.is_deleted:
LOG.warning("Client %r was already deleted!", client)
return
db_client.is_deleted = True
db_client.deleted_at = datetime.now(timezone.utc)
@ -271,7 +272,12 @@ async def get_clients(
filter_query: ClientListParams,
) -> ClientQueryResult:
"""Get Clients."""
count_statement = select(func.count("*")).select_from(Client).where(Client.is_deleted.is_not(True)).where(Client.is_active.is_not(False))
count_statement = (
select(func.count("*"))
.select_from(Client)
.where(Client.is_deleted.is_not(True))
.where(Client.is_active.is_not(False))
)
count_statement = cast(
Select[tuple[int]],
filter_client_statement(count_statement, filter_query, True),

11
packages/sshecret-backend/src/sshecret_backend/api/clients/schemas.py
View File

@ -40,7 +40,9 @@ class ClientView(BaseModel):
return responses
@classmethod
def from_client(cls, client: models.Client) -> Self:
def from_client(
cls, client: models.Client, include_deleted_secrets: bool = False
) -> Self:
"""Instantiate from a client."""
view = cls(
id=client.id,
@ -54,7 +56,12 @@ class ClientView(BaseModel):
is_deleted=client.is_deleted,
)
if client.secrets:
view.secrets = [secret.name for secret in client.secrets]
if include_deleted_secrets:
view.secrets = [secret.name for secret in client.secrets]
else:
view.secrets = [
secret.name for secret in client.secrets if not secret.deleted
]
if client.policies:
view.policies = [policy.source for policy in client.policies]

36
packages/sshecret-backend/src/sshecret_backend/api/common.py
View File

@ -116,24 +116,18 @@ async def resolve_client_id(
return None
async def get_client_by_id(session: AsyncSession, id: uuid.UUID) -> Client | None:
async def get_client_by_id(
session: AsyncSession, id: uuid.UUID, include_deleted: bool = False
) -> Client | None:
"""Get client by ID."""
client_filter = client_with_relationships().where(Client.id == id)
if include_deleted:
client_filter = client_with_relationships().where(Client.id == id)
else:
client_filter = query_active_clients().where(Client.id == id)
client_results = await session.execute(client_filter)
return client_results.scalars().first()
async def get_client_by_id_or_name(
session: AsyncSession, id_or_name: str
) -> Client | None:
"""Get client either by id or name."""
if RE_UUID.match(id_or_name):
id = uuid.UUID(id_or_name)
return await get_client_by_id(session, id)
return await get_client_by_name(session, id_or_name)
def query_active_clients() -> Select[tuple[Client]]:
"""Get all active clients."""
client_filter = (
@ -144,22 +138,6 @@ def query_active_clients() -> Select[tuple[Client]]:
return client_filter
async def get_client_by_name(session: AsyncSession, name: str) -> Client | None:
"""Get client by name.
This will get the latest client version, unless it's deleted.
"""
client_filter = (
client_with_relationships()
.where(Client.is_active.is_(True))
.where(Client.is_deleted.is_not(True))
.where(Client.name == name)
.order_by(Client.version.desc())
)
client_result = await session.execute(client_filter)
return client_result.scalars().first()
async def refresh_client(session: AsyncSession, client: Client) -> None:
"""Refresh the client and load in all relationships."""
await session.refresh(

2
packages/sshecret-backend/src/sshecret_backend/api/secrets/operations.py
View File

@ -182,8 +182,10 @@ class ClientSecretOperations:
async def delete_client_secret(self, secret_identifier: FlexID) -> None:
"""Delete a client secret."""
LOG.debug("delete_client_secret called with identifier %r", secret_identifier)
client_secret = await self._get_client_secret(secret_identifier)
if not client_secret:
LOG.warning("Could not find any secret matching client secret.")
return
client_secret.deleted = True

17
packages/sshecret-sshd/src/sshecret_sshd/commands/dispatcher.py
View File

@ -7,14 +7,19 @@ import logging
from typing import cast, final, override
import asyncssh
from sshecret_sshd import exceptions, constants
from sshecret_sshd import constants, exceptions
from .base import CommandDispatcher
from .get_secret import GetSecret
from .register import Register
from .list_secrets import ListSecrets
from .ping import PingCommand
from .register import Register
from .shelldriver import (
ShellDeleteSecret,
ShellListSecrets,
ShellLookupSecret,
ShellStoreSecret,
)
SYNOPSIS = """[bold]Sshecret SSH Server[/bold]
@ -29,9 +34,13 @@ encoded as base64.
COMMANDS = [
GetSecret,
Register,
ListSecrets,
PingCommand,
Register,
ShellDeleteSecret,
ShellListSecrets,
ShellLookupSecret,
ShellStoreSecret,
]
LOG = logging.getLogger(__name__)

163
packages/sshecret-sshd/src/sshecret_sshd/commands/shelldriver.py Normal file
View File

@ -0,0 +1,163 @@
"""Podman Shelldriver compatible commands."""
import logging
from typing import final, override
import asyncssh
from sshecret.backend.models import Operation
from sshecret.crypto import encrypt_string, load_public_key
from .base import CommandDispatcher
LOG = logging.getLogger(__name__)
# These error messages are taken verbatim from podman, and while they don't seem
# to make complete sense, they will be used regardless.
ERR_SECRET_NOT_FOUND = "no such secret"
ERR_SECRET_EXISTS = "secret data with ID already exists"
ERR_INVALID_SECRET = "invalid key"
@final
class ShellListSecrets(CommandDispatcher):
"""List secrets.
This command lists secrets in a format compatible with podman's ShellDriver.
"""
name = "list"
@override
async def exec(self) -> None:
"""List secrets."""
LOG.debug("ShellListSecret called.")
await self.audit(Operation.READ, "Listed available secret names")
for secret_name in self.client.secrets:
self.print(secret_name)
@final
class ShellDeleteSecret(CommandDispatcher):
"""Delete a secret.
If the identifier for a secret does not exist, an error will be printed.
"""
name = "delete"
mandatory_argument = "KEY"
@override
async def exec(self) -> None:
"""Delete a secret."""
secret_name = self.arguments[0]
LOG.debug("ShellDeleteSecret called withg arguments %r.", self.arguments)
await self.audit(
operation=Operation.DELETE,
message="ClientSecret deleted",
secret=secret_name,
)
await self.backend.delete_client_secret(
("id", str(self.client.id)), ("name", secret_name)
)
@final
class ShellLookupSecret(CommandDispatcher):
"""Look up a secret.
The identifier for the secret must be provided as the argument.
"""
name = "lookup"
mandatory_argument = "KEY"
@override
async def exec(self) -> None:
"""Lookup secret."""
LOG.debug("ShellLookupSecret called with arguments %r", self.arguments)
secret_name = self.arguments[0]
secret = await self.backend.get_client_secret(
("id", str(self.client.id)), secret_name
)
if not secret:
LOG.debug(
"Secret %s not found for client %s (%s)",
secret_name,
self.client.id,
self.client.name,
)
self.print(ERR_SECRET_NOT_FOUND, stderr=True)
return
await self.audit(
Operation.READ, message="Client requested secret", secret=secret_name
)
self.print(secret)
@final
class ShellStoreSecret(CommandDispatcher):
"""Store a secret.
Secret will be read from command argument, or via STDIN.
"""
name = "store"
mandatory_argument = "KEY"
@override
async def exec(self) -> None:
"""Store a secret."""
LOG.debug("ShellStoreSecret called with arguments %r", self.arguments)
secret_name = self.arguments[0]
if secret_name in self.client.secrets:
self.print(ERR_SECRET_EXISTS, stderr=True)
return
secret_data: str | None = None
if len(self.arguments) == 2:
secret_data = self.arguments[1]
if not secret_data:
LOG.debug("No secret set as input, trying stdin.")
secret_data = await self.get_secret_on_stdin()
if not secret_data:
self.print(ERR_INVALID_SECRET, stderr=True)
return
# Encrypt secret
encrypted = self.encrypt_secret(secret_data)
await self.backend.create_client_secret(
("id", str(self.client.id)), secret_name, encrypted
)
await self.audit(
operation=Operation.CREATE,
message="Secret created from 'store' command",
secret=secret_name,
)
def encrypt_secret(self, value: str) -> str:
"""Encrypt a secret."""
public_key = load_public_key(self.client.public_key.encode())
return encrypt_string(value, public_key)
async def get_secret_on_stdin(self) -> str | None:
"""Get secret from stdin."""
secret_data = ""
try:
async for line in self.process.stdin:
if self.process.stdin.at_eof():
break
if not line:
break
secret_data += line.rstrip()
except asyncssh.BreakReceived:
pass
if not secret_data:
return None
return secret_data