* During development access to the Passbolt server may not always be possible. Allow a local file as fallback.
About
This Python module retrieves passwords for Passbolt groups to make them available in Saltstack Pillar.
For development, a local file named [UUID].txt can be placed in the pillar directory. It needs to contain lines with the format

    3ec2a739-8e51-4c67-89fb-4bbfe9147e17:MY_SECRET
License
MIT
Setup
- Clone this repo
- Go to the directory and run (requires python3-setuptools):

      python3 setup.py install

- Create a Passbolt account for the Salt master.
- Copy the private and public PGP key files to /etc/salt.
- Import the private key with:

      gpg --import /etc/salt/passbolt_private.asc

- Create a /etc/salt/passbolt.ini file with the following content:

      [PASSBOLT]
      SERVER = https://passbolt.example.com
      #SERVER_PUBLIC_KEY_FILE = <optional: server_public.asc>
      USER_FINGERPRINT = [REPLACE WITH GPG KEY FINGERPRINT]
      USER_PUBLIC_KEY_FILE = /etc/salt/passbolt_public.asc
      USER_PRIVATE_KEY_FILE = /etc/salt/passbolt_private.asc
      PASSPHRASE = [REPLACE WITH PASSBOLT USER PASSWORD]

- Change file permissions:

      chown salt /etc/salt/passbolt*
      chmod 600 /etc/salt/passbolt*

- Create Pillar sls files where required with the following content, replacing the group UUID. See the example directory. Hint: you can find the group UUID with the network tool of the browser by clicking on a group.

      #!py
      def run():
          passbolt_group = "27b9abd4-af9b-4c9e-9af1-cf8cb963680c"
          from os import path
          # Development fallback: [UUID].txt next to this sls file
          file_path = path.join(path.dirname(path.realpath(__file__)), passbolt_group + ".txt")
          if path.isfile(file_path):
              data = {"passbolt": {}}
              with open(file_path) as f:
                  for line in f:
                      line = line.rstrip("\r\n")
                      if ":" not in line:
                          continue  # skip blank or malformed lines
                      # Split on the first colon only, so secrets may contain ':'
                      secret_uuid, secret = line.split(":", 1)
                      data["passbolt"][secret_uuid] = secret
              return data
          else:
              from salt_passbolt import fetch_passbolt_passwords
              return fetch_passbolt_passwords(passbolt_group)

- In the state, reference secrets by their UUID. See example/salt/important_secrets/files/secret.conf. Hint: you can find the secret UUID in the URL of your browser by clicking on the checkbox of a secret.

      password={{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}
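
A pre-flight check for the files created in Setup, added here as an example and not part of salt-passbolt: it reports permissions looser than 600, placeholders that were never replaced, and a SERVER that is not HTTPS. The name audit_passbolt_setup is hypothetical, and reading passbolt.ini with Python's configparser is an assumption about the file syntax.

```python
import configparser
import os
import stat

REQUIRED = ("SERVER", "USER_FINGERPRINT", "USER_PUBLIC_KEY_FILE",
            "USER_PRIVATE_KEY_FILE", "PASSPHRASE")
KEY_FILES = ("USER_PUBLIC_KEY_FILE", "USER_PRIVATE_KEY_FILE")


def _mode_findings(path):
    """Flag a missing file or any group/other permission bit (i.e. not 600)."""
    if not os.path.isfile(path):
        return [f"{path}: file not found"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"{path}: mode {mode:03o} is readable beyond the owner, expected 600"]
    return []


def audit_passbolt_setup(ini_path):
    """Hypothetical helper (not salt-passbolt code): list findings for passbolt.ini."""
    findings = _mode_findings(ini_path)
    if not os.path.isfile(ini_path):
        return findings
    # interpolation=None: a '%' in PASSPHRASE must not be treated as a reference
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(ini_path)
    if not cfg.has_section("PASSBOLT"):
        return findings + [f"{ini_path}: missing [PASSBOLT] section"]
    section = cfg["PASSBOLT"]
    for key in REQUIRED:
        value = section.get(key, "").strip()
        if not value:
            findings.append(f"{key}: not set")
        elif value.startswith("[REPLACE WITH"):
            findings.append(f"{key}: placeholder was never replaced")
    server = section.get("SERVER", "").strip()
    if server and not server.lower().startswith("https://"):
        findings.append("SERVER: not an https:// URL")
    for key in KEY_FILES:
        path = section.get(key, "").strip()
        if path:
            findings.extend(_mode_findings(path))
    return findings


if __name__ == "__main__":
    for finding in audit_passbolt_setup("/etc/salt/passbolt.ini"):
        print(finding)
```

An empty result means the layout matches the Setup steps; the check does not verify file ownership or contact the Passbolt server.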