foreman_vault 0.0.1 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2ae077f554e08226360e85ff0f76687f9c54e312b78bedc70efef11bc7e8f334
-  data.tar.gz: dc35f0f802d0596c0f826d4220eb86006b3f58dec734d9cfd95871f26d002b6f
+  metadata.gz: 340e62f20ed55a76d6d22ef7e5bf7b3b58a8197a42224019e48384fd10e8b090
+  data.tar.gz: 5f5d0490d9d4ea43d46653abba3120b8a4e1eb08da85ff1927d1364fe7ab2de3
 SHA512:
-  metadata.gz: fcd8996dc26ffd1f5eb6f66b34aedd7859cfb866a8dc3a84b5043293fafc78475845e92b19e0e2742f0bdabd8dd6b0af6086521e35f82734fedbdb8c12f14583
-  data.tar.gz: e99e99aa6338c7d2438f1f4e9a49039161bdb40e9034e53b4d60a8e59a6971f8f001b812796dfd928e3f038ddb08e0d0434679eee8513cb44a3bd2e1bc03484f
+  metadata.gz: 142d5f6e82b6c30674c03653ebde20cdecece4f093f2a7b3fd0e3e621aaff4a7fa892683d69f14497d579b8b84167bbe1cc1e908eefef527e1cd26c3f49ffe15
+  data.tar.gz: 134ba4aee2e7db7ebe52174cc936a079978daf0c2e73edab230bdeada75e6bec317589ac789e0dc5003b6d092e36f86a4e40298e316b43469030537a495a4e53

data/README.md

@@ -21,7 +21,12 @@ $ vault secrets enable kv
 
 To set up a connection between Foreman and Vault first navigate to the "Infrastructure" > "Vault Connections" menu and then hit the button labeled "Create Vault Connection". Now you should see a form. You have to fill in name, url and token (you can receive a token with the `$ vault token create -period=60m` command) and hit the "Submit" button.
 
-You can now use `vault_secret(vault_connection_name, secret_path)` macro in your templates to fetch secrets from Vault (you can write secrets with the `$ vault write kv/my_secret foo=bar` command), e.g.
+You can now utilize two new macros in your templates:
+ - vault_secret(vault_connection_name, secret_path)
+ - vault_issue_certificate(vault_connection_name, pki_role_path, options...)
+
+### vault_secret(vault_connection_name, secret_path)
+To fetch secrets from Vault (you can write secrets with the `$ vault write kv/my_secret foo=bar` command), e.g.
 
 ```
 <%= vault_secret('MyVault', 'kv/my_secret') %>
@@ -33,13 +38,23 @@ As result you should get secret data, e.g.
 {:foo=>"bar"}
 ```
 
+### vault_issue_certificate(vault_connection_name, pki_role_path, options...)
+Issueing certificates is just as easy. Be sure to have a correctly set-up PKI, meaning, configure it so you can generate certificates from within the Vault UI. This means that you'll have had to set-up a CA or Intermediate CA. Once done, you can generate a certificate like this:
+
+
+```
+<%= vault_issue_certificate('MyVault', 'pkiEngine/issue/testRole', common_name: 'test.mydomain.com', ttl: '10s') %>
+```
+
+The common_name and ttl are optional, but there are [more options to configure](https://www.vaultproject.io/api/secret/pki/index.html#generate-certificate)
+
 ## Contributing
 
 Fork and send a Pull Request. Thanks!
 
 ## Copyright
 
-Copyright (c) 2018 dmTECH GmbH, [dmtech.de](https://www.dmtech.de/)
+Copyright (c) 2018-2020 dmTECH GmbH, [dmtech.de](https://www.dmtech.de/)
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -52,4 +67,4 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
-along with this program.  If not, see <http://www.gnu.org/licenses/>.
+along with this program.  If not, see <http://www.gnu.org/licenses/>.

data/app/lib/foreman_vault/macros.rb

@@ -5,11 +5,20 @@ module ForemanVault
     def vault_secret(vault_connection_name, secret_path)
       vault = VaultConnection.find_by!(name: vault_connection_name)
       raise VaultError.new(N_('Invalid token for %s'), vault.name) unless vault.token_valid?
+
       vault.fetch_secret(secret_path)
     rescue ActiveRecord::RecordNotFound => e
       raise VaultError, e.message
     end
 
+    def vault_issue_certificate(vault_connection_name, secret_path, *options)
+      vault = VaultConnection.find_by!(name: vault_connection_name)
+      raise VaultError.new(N_('Invalid token for %s'), vault.name) unless vault.token_valid?
+      vault.issue_certificate(secret_path, *options)
+    rescue ActiveRecord::RecordNotFound => e
+      raise VaultError, e.message
+    end
+
     class VaultError < Foreman::Exception; end
   end
 end

data/app/models/vault_connection.rb

@@ -13,7 +13,7 @@ class VaultConnection < ApplicationRecord
 
   scope :with_valid_token, -> { where(vault_error: nil).where('expire_time > ?', Time.zone.now) }
 
-  delegate :fetch_expire_time, :fetch_secret, to: :client
+  delegate :fetch_expire_time, :fetch_secret, :issue_certificate, to: :client
 
   def token_valid?
     vault_error.nil? && expire_time && expire_time > Time.zone.now
@@ -38,6 +38,7 @@ class VaultConnection < ApplicationRecord
     self.expire_time = fetch_expire_time
   rescue StandardError => e
     errors.add(:base, e.message)
+    Foreman::Logging.exception('Failed to set vault expiry time', e)
     throw(:abort)
   end
 

data/app/services/foreman_vault/vault_client.rb

@@ -17,6 +17,13 @@ module ForemanVault
     def fetch_secret(secret_path)
       response = client.logical.read(secret_path)
       raise NoDataError.new(N_('There is no available data for path: %s'), secret_path) unless response
+
+      response.data
+    end
+
+    def issue_certificate(secret_path, *options)
+      response = client.logical.write(secret_path, *options)
+      raise NoDataError.new(N_('Could not issue certificate: %s'), secret_path) unless response
       response.data
     end
 

data/app/views/vault_connections/welcome.html.erb

@@ -0,0 +1,12 @@
+<div class="blank-slate-pf">
+  <div class="blank-slate-pf-icon">
+    <%= icon_text("shield", "", :kind => "fa") %>
+  </div>
+  <h1><%= _('Vault Connections') %></h1>
+  <p>
+    <%= _("HashiCorp Vault is a secrets management solution that brokers access for both humans and machines, through programmatic access, to systems. Secrets can be stored, dynamically generated, and in the case of encryption, keys can be consumed as a service without the need to expose the underlying key materials.") %></br>
+  </p>
+  <div class="blank-slate-pf-main-action">
+      <%= new_link(_("New Vault Connection"), {}, { :class => "btn-lg" }) %>
+  </div>
+</div>

data/lib/foreman_vault/engine.rb

@@ -45,7 +45,7 @@ module ForemanVault
     config.to_prepare do
       begin
         Foreman::Renderer::Scope::Base.include(ForemanVault::Macros)
-        Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret] }
+        Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret, :vault_issue_certificate] }
       rescue StandardError => e
         Rails.logger.warn "ForemanVault: skipping engine hook (#{e})"
       end

data/lib/foreman_vault/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ForemanVault
-  VERSION = '0.0.1'
+  VERSION = '0.1.0'
 end

data/test/factories/foreman_vault_factories.rb

@@ -3,12 +3,12 @@
 FactoryBot.define do
   factory :vault_connection, class: VaultConnection do
     sequence(:name) { |n| "VaultServer-#{n}" }
-    url 'http://localhost:8200'
-    token '16aa4f29-035d-b604-f3d3-8cd9a6a6921c'
+    url { 'http://localhost:8200' }
+    token { '16aa4f29-035d-b604-f3d3-8cd9a6a6921c' }
     expire_time { Time.zone.now + 1.year }
 
     trait :invalid do
-      expire_time nil
+      expire_time { nil }
     end
 
     trait :without_callbacks do

data/test/functional/api/v2/vault_connections_controller_test.rb

@@ -72,7 +72,7 @@ module Api
           assert VaultConnection.exists?(@vault_connection.id)
           delete :destroy, params: { id: @vault_connection.to_param }
           assert_response :success
-          refute VaultConnection.exists?(@vault_connection.id)
+          assert_not VaultConnection.exists?(@vault_connection.id)
         end
       end
     end

data/test/unit/services/foreman_vault/vault_client_test.rb

@@ -36,4 +36,27 @@ class VaultClientTest < ActiveSupport::TestCase
       assert_equal @data, @subject.fetch_secret(@secret_path)
     end
   end
+
+  describe '#fetch_certificate' do
+    setup do
+      @pki_path = '/pkiEngine/issue/testRole'
+      @data = {
+        certificate: 'CERTIFICATE_DATA',
+        expiration: 1_582_116_230,
+        issuing_ca: 'CA_CERTIFICATE_DATA',
+        private_key: 'PRIVATE_KEY_DATA',
+        private_key_type: 'rsa',
+        serial_number: '7e:2d:c8:dd:df:da:fe:1f:39:da:39:23:4f:74:c8:1f:1d:4a:db:a7'
+      }
+
+      response = OpenStruct.new(data: @data)
+      logical = mock.tap { |object| object.expects(:write).once.with(@pki_path).returns(response) }
+
+      @client.expects(:logical).once.returns(logical)
+    end
+
+    test 'should return new certificate' do
+      assert_equal @data, @subject.issue_certificate(@pki_path)
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_vault
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.1.0
 platform: ruby
 authors:
 - dmTECH GmbH
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-21 00:00:00.000000000 Z
+date: 2020-03-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: vault
@@ -80,6 +80,7 @@ files:
 - app/views/vault_connections/edit.html.erb
 - app/views/vault_connections/index.html.erb
 - app/views/vault_connections/new.html.erb
+- app/views/vault_connections/welcome.html.erb
 - config/foreman_vault.yaml.example
 - config/routes.rb
 - db/migrate/20180725072913_create_vault_connection.foreman_vault.rb
@@ -120,7 +121,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.6.2
 signing_key: 
 specification_version: 4
 summary: Adds support for using credentials from Hashicorp Vault