-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
- Loading branch information
1 parent
de9461d
commit b4e5f8e
Showing
1 changed file
with
20 additions
and
20 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,43 +1,43 @@ | ||
| import os | ||
|
|
||
| import hvac | ||
|
|
||
| # Configuration for Vault | ||
| VAULT_ADDR = 'http://localhost:8200' | ||
| VAULT_OIDC_CLIENT_ID = 'your_oidc_client_id' | ||
| VAULT_OIDC_ISSUER_URL = 'https://your-oidc-issuer-url' | ||
| VAULT_ADDR = "http://localhost:8200" | ||
| VAULT_OIDC_CLIENT_ID = "your_oidc_client_id" | ||
| VAULT_OIDC_ISSUER_URL = "https://your-oidc-issuer-url" | ||
|
|
||
| # Static variables | ||
| STATIC_VARIABLES = { | ||
| 'API_KEY': 'static_api_key', | ||
| 'DATABASE_URL': 'static_database_url' | ||
| } | ||
| STATIC_VARIABLES = {"API_KEY": "static_api_key", "DATABASE_URL": "static_database_url"} | ||
|
|
||
|
|
||
| def get_secret_from_vault(path): | ||
| client = hvac.Client(url=VAULT_ADDR) | ||
| token = client.auth.oidc.login( | ||
| role='your_oidc_role', | ||
| jwt=os.environ['JWT'] | ||
| )['auth']['client_token'] | ||
|
|
||
| token = client.auth.oidc.login(role="your_oidc_role", jwt=os.environ["JWT"])[ | ||
| "auth" | ||
| ]["client_token"] | ||
|
|
||
| client.token = token | ||
| secret = client.secrets.kv.v2.read_secret_version(path=path)['data']['data'] | ||
| secret = client.secrets.kv.v2.read_secret_version(path=path)["data"]["data"] | ||
| return secret | ||
|
|
||
|
|
||
| def generate_env_file(env_path): | ||
| with open(env_path, 'w') as env_file: | ||
| with open(env_path, "w") as env_file: | ||
| for key, value in STATIC_VARIABLES.items(): | ||
| env_file.write(f"{key}={value}\n") | ||
|
|
||
| # Add secrets from Vault | ||
| vault_secrets = { | ||
| 'SECRET_KEY': get_secret_from_vault('secret/key'), | ||
| 'PASSWORD': get_secret_from_vault('secret/password') | ||
| "SECRET_KEY": get_secret_from_vault("secret/key"), | ||
| "PASSWORD": get_secret_from_vault("secret/password"), | ||
| } | ||
|
|
||
| for key, value in vault_secrets.items(): | ||
| env_file.write(f"{key}={value}\n") | ||
|
Check failure Code scanning / CodeQL Clear-text storage of sensitive information High
This expression stores
sensitive data (secret) Error loading related location Loading This expression stores sensitive data (secret) Error loading related location Loading This expression stores sensitive data (secret) Error loading related location Loading This expression stores sensitive data (secret) Error loading related location Loading |
||
|
|
||
| if __name__ == '__main__': | ||
| env_path = '.env' | ||
|
|
||
| if __name__ == "__main__": | ||
| env_path = ".env" | ||
| generate_env_file(env_path) | ||
| print(f"Environment file generated at {env_path}") | ||