examples: export secrets as files

ibodrov · ibodrov · commit b7b10979c61b · 2018-01-29T11:31:36.000-05:00
diff --git a/examples/README.md b/examples/README.md
@@ -52,6 +52,7 @@
 * [forms_wizard](forms_wizard) - multi-step forms;
 * [inventory](inventory) - using Concord Inventory to retrieve Ansible's inventory data;
 * [inventory_lookup](inventory_lookup) - using the inventory lookup plugin for Ansible;
+* [secret_files](secret_files) - how to store and export secrets as files;
 * [secrets_lookup](secret_lookup) - using the secret lookup plugin for Ansible;
 * [secrets](secrets) - working with Concord's Secrets storage;
 
diff --git a/examples/secret_files/README.md b/examples/secret_files/README.md
@@ -0,0 +1,38 @@
+# Secrets
+
+Example of exporting "secrets" as files.
+
+## Running
+
+1. upload a couple of files as secrets:
+```
+$ curl -u AD_USERNAME -F name=myFileA -F type=DATA -F storePassword=12345678 -F data=@myFileA.txt 'http://localhost:8001/api/v1/org/Default/secret'
+$ curl -u AD_USERNAME -F name=myFileB -F type=DATA -F storePassword=12345678 -F data=@myFileB.txt 'http://localhost:8001/api/v1/org/Default/secret'
+
+{
+  "id" : "8febf8ae-0511-11e8-8c13-fa163ec7b48b",
+  "result" : "CREATED",
+  "password" : "12345678",
+  "ok" : true
+}
+```
+
+The `storePassword` value is the password you must use to decrypt/export the secret later.
+
+2. start the process:
+```
+$ ./run.sh localhost:8001
+{
+  "instanceId" : "8ea63d60-10f5-43dd-ba8b-87150fb20182",
+  "ok" : true
+}
+```
+
+5. open [the UI](http://localhost:8080), find the process entry and
+open its log. You should see messages like these:
+```
+12:00:55.817 [INFO ] c.w.c.runner.engine.LoggingTask - Public key file: .tmp/public1856673009465277934.key
+12:00:55.821 [INFO ] c.w.c.runner.engine.LoggingTask - Private key file: .tmp/private5358774395817724546.key
+12:00:55.832 [INFO ] c.w.c.runner.engine.LoggingTask - Credentials: {password=myPassword, username=myUser}
+12:00:55.846 [INFO ] c.w.c.runner.engine.LoggingTask - Plain secret: my horrible secret
+```
diff --git a/examples/secret_files/concord.yml b/examples/secret_files/concord.yml
@@ -0,0 +1,17 @@
+configuration:
+  arguments:
+    # alternatively, a form, an encrypted value or an external
+    # service can be used to retrieve the password
+    pwd: "12345678"
+
+flows:
+  default:
+
+  # exporting secrets as files
+  - set:
+      myFileA: ${crypto.exportAsFile('myFileA', pwd)}
+      myFileB: ${crypto.exportAsFile('myFileB', pwd)}
+
+  # the resulting variables will contain the path of the exported files
+  - log: "My file A: ${myFileA}"
+  - log: "My file B: ${myFileB}"
diff --git a/examples/secret_files/myFileA.txt b/examples/secret_files/myFileA.txt
@@ -0,0 +1 @@
+FILE A
diff --git a/examples/secret_files/myFileB.txt b/examples/secret_files/myFileB.txt
@@ -0,0 +1 @@
+FILE B
diff --git a/examples/secret_files/run.sh b/examples/secret_files/run.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+SERVER_ADDR="$1"
+
+rm -rf target && mkdir target
+cp -R concord.yml target/
+
+cd target && zip -r payload.zip ./* > /dev/null && cd ..
+
+read -p "Username: " CURL_USER
+curl -u ${CURL_USER} -F archive=@target/payload.zip http://${SERVER_ADDR}/api/v1/process
diff --git a/examples/secrets/README.md b/examples/secrets/README.md
@@ -6,7 +6,7 @@ Example of using "secrets" in processes.
 
 1. create a new SSH key pair:
 ```
-$ curl -H "Authorization: auBy4eDWrKWsyhiDp3AQiw" -F storePassword=12345678 'http://localhost:8001/api/v1/org/Default/secret/keypair?name=myKey'
+$ curl -H "Authorization: auBy4eDWrKWsyhiDp3AQiw" -F storePassword=12345678 -F name=myKey -F type=KEY_PAIR 'http://localhost:8001/api/v1/org/Default/secret'
 {
   "name" : "myKey",
   "publicKey" : "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmV6+q6Uh8j8GYl0nzcwTGpjBwY1Dvv3QIAfmdwC8N6HredMl5hV3RCtpplYR7aItTorWVUYF1MMmXYKr6tjgU9hha2N2NogRjgPWzSVuR8GVa7CF155NB4nlUxt5cGidLj5Uwmy/uQm4Mni5pg/kZMGyIf+gMmcuQXDG3TOHwmJ48HOrpqxkUKaft3SYYOy7F8TjWFnmyXNlMCskSEJd5XdLDhyuDhDEXGpDSsT1brsq0WRXtFyBDjjNeYfI4J9jyOCpAXzbDCt7eYoYK+kod/b6RV8nbaxWALx2fwJS0bDhV3a9chwEyat24Ml66Z5LfCabCE7SGpFhTas56xYkH concord-server",
@@ -19,7 +19,7 @@ The `storePassword` value is the password you must use to decrypt/export the sec
 
 2. create a new username/password pair:
 ```
-$ curl -H "Authorization: auBy4eDWrKWsyhiDp3AQiw" -F username=myUser -F password=myPassword -F storePassword=12345678 'http://localhost:8001/api/v1/org/Default/secret/password?name=myCreds'
+$ curl -H "Authorization: auBy4eDWrKWsyhiDp3AQiw" -F username=myUser -F password=myPassword -F storePassword=12345678 -F name=myCreds -F type=USERNAME_PASSWORD 'http://localhost:8001/api/v1/org/Default/secret'
 {
   "exportPassword" : "12345678",
   "ok" : true
@@ -30,7 +30,7 @@ For the sake of the example, the same `storePassword` value is used.
 
 3. create a plain value secret:
 ```
-$ curl -H "Authorization: auBy4eDWrKWsyhiDp3AQiw" -F secret='my horrible secret' -F storePassword=12345678 'http://localhost:8001/api/v1/org/Default/secret/plain?name=myValue'
+$ curl -H "Authorization: auBy4eDWrKWsyhiDp3AQiw" -F secret='my horrible secret' -F storePassword=12345678 -F name=myValue -F type=DATA 'http://localhost:8001/api/v1/org/Default/secret'
 {
   "exportPassword" : "12345678",
   "ok" : true
