foreman_vault 0.0.1 → 1.0.0

data/app/services/foreman_vault/vault_auth_method.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module ForemanVault
+  class VaultAuthMethod
+    def initialize(host)
+      @host = host
+    end
+
+    def valid?
+      name.present? && options[:certificate].present?
+    end
+
+    def name
+      return if !host || !vault_policy_name
+
+      [host, vault_policy_name].join('-').parameterize
+    end
+
+    def save
+      return false unless valid?
+
+      set_certificate(name, options)
+    end
+
+    def delete
+      return false unless valid?
+
+      delete_certificate(name)
+    end
+
+    private
+
+    attr_reader :host
+    delegate :vault_policy, :vault_connection, :fqdn, to: :host
+    delegate :name, to: :vault_policy, prefix: true
+    delegate :set_certificate, :delete_certificate, to: :vault_connection
+
+    def options
+      {
+        certificate: certificate,
+        token_policies: vault_policy_name,
+        allowed_common_names: allowed_common_names
+      }
+    end
+
+    def allowed_common_names
+      [fqdn].compact
+    end
+
+    def certificate
+      return unless Setting['ssl_ca_file']
+
+      File.read(Setting['ssl_ca_file'])
+    rescue Errno::ENOENT
+      nil
+    end
+  end
+end

data/app/services/foreman_vault/vault_client.rb

@@ -1,22 +1,34 @@
 # frozen_string_literal: true
 
-require 'vault'
-
 module ForemanVault
   class VaultClient
-    def initialize(base_url, token)
+    def initialize(base_url, token, role_id, secret_id)
       @base_url = base_url
       @token = token
+      @role_id = role_id
+      @secret_id = secret_id
     end
 
+    delegate :sys, :auth_tls, to: :client
+    delegate :policy, :policies, :put_policy, :delete_policy, to: :sys
+    delegate :certificate, :certificates, :set_certificate, :delete_certificate, to: :auth_tls
+
     def fetch_expire_time
       response = client.auth_token.lookup_self
-      Time.zone.parse(response.data[:expire_time])
+      expire_time = response.data[:expire_time]
+      expire_time && Time.zone.parse(expire_time)
     end
 
     def fetch_secret(secret_path)
       response = client.logical.read(secret_path)
       raise NoDataError.new(N_('There is no available data for path: %s'), secret_path) unless response
+
+      response.data
+    end
+
+    def issue_certificate(secret_path, *options)
+      response = client.logical.write(secret_path, *options)
+      raise NoDataError.new(N_('Could not issue certificate: %s'), secret_path) unless response
       response.data
     end
 
@@ -29,10 +41,16 @@ module ForemanVault
     class VaultClientError < Foreman::Exception; end
     class NoDataError < VaultClientError; end
 
-    attr_reader :base_url, :token
+    attr_reader :base_url, :token, :role_id, :secret_id
 
     def client
-      @client ||= Vault::Client.new(address: base_url, token: token)
+      @client ||= if role_id.present? && secret_id.present?
+                    Vault::Client.new(address: base_url).tap do |client|
+                      client.auth.approle(role_id, secret_id)
+                    end
+                  else
+                    Vault::Client.new(address: base_url, token: token)
+                  end
     end
   end
 end

data/app/services/foreman_vault/vault_policy.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module ForemanVault
+  class VaultPolicy
+    MAGIC_COMMENT_NAME_PREFIX = '# NAME: '
+
+    def initialize(host)
+      @host = host
+    end
+
+    def valid?
+      name.present? && rules.present?
+    end
+
+    def name
+      magic_comment_name&.chomp&.remove(MAGIC_COMMENT_NAME_PREFIX)&.parameterize
+    end
+
+    def new?
+      return unless name
+
+      policies.index(name).nil?
+    end
+
+    def save
+      return false unless valid?
+
+      put_policy(name, rules)
+    end
+
+    def delete
+      return false unless valid?
+
+      delete_policy(name)
+    end
+
+    private
+
+    attr_reader :host
+    delegate :params, :render_template, :vault_connection, to: :host
+    delegate :policy, :policies, :put_policy, :delete_policy, to: :vault_connection
+
+    def rules
+      rendered&.remove(magic_comment_name)
+              &.lines
+              &.reject { |l| l.strip.empty? }
+              &.join
+              &.presence
+    end
+
+    def magic_comment_name
+      rendered&.lines&.find { |l| l.start_with?(MAGIC_COMMENT_NAME_PREFIX) }
+    end
+
+    def rendered
+      return unless template
+
+      render_template(template: template)
+    end
+
+    def template
+      ::ProvisioningTemplate.find_by(name: Setting['vault_policy_template'])
+    end
+  end
+end

data/app/views/unattended/provisioning_templates/VaultPolicy/default.erb

@@ -0,0 +1,6 @@
+# NAME: <%= @host.owner %>-<%= @host.environment %>
+
+# allow access to secrets from puppet hosts from <foreman_owner>-<puppet_environment>
+path "secrets/data/<%= @host.owner %>/<%= @host.environment %>/*" {
+    capabilities = ["create", "read", "update"]
+}

data/app/views/vault_connections/_form.html.erb

@@ -1,7 +1,23 @@
-<%= form_for @vault_connection, :url => (@vault_connection.new_record? ? vault_connections_path : vault_connection_path(:id => @vault_connection)) do |f| %>
+<%= form_for @vault_connection, url: (@vault_connection.new_record? ? vault_connections_path : vault_connection_path(id: @vault_connection)) do |f| %>
   <%= base_errors_for @vault_connection %>
-  <%= text_f f, :name, :help_inline => _("Vault Connection name") %>
-  <%= text_f f, :url, :help_inline => _("Vault Server url") %>
-  <%= text_f f, :token, :help_inline => _("Vault Connection token") %>
+  <%= text_f f, :name, help_inline: _("Vault Connection name") %>
+  <%= text_f f, :url, help_inline: _("Vault Server url") %>
+  <div class="auth_methods">
+    <h4><%=_("Auth Methods")%></h4>
+    <%= alert(text: _('Please only fill in one auth method'), class: 'alert-info', close: false) %>
+    <ul class="nav nav-tabs" data-tabs="tabs">
+      <li class="active"><a href="#approle" data-toggle="tab"><%= _('AppRole') %></a></li>
+      <li><a href="#token" data-toggle="tab"><%= _('Token') %></a></li>
+    </ul>
+    <div class="tab-content">
+      <div class="tab-pane active" id="approle">
+        <%= text_f f, :role_id, label: _("Role ID"), help_inline: _("Vault Connection Role ID") %>
+        <%= text_f f, :secret_id, label: _("Secret ID"), help_inline: _("Vault Connection Secret ID") %>
+      </div>
+      <div class="tab-pane" id="token">
+        <%= text_f f, :token, help_inline: _("Vault Connection token") %>
+      </div>
+    </div>
+  </div>
   <%= submit_or_cancel f %>
 <% end %>

data/app/views/vault_connections/index.html.erb

@@ -4,9 +4,11 @@
 <table class="<%= table_css_classes 'table-fixed' %>">
   <thead>
     <tr>
-      <th class="col-md-9"><%= sort :name, :as => s_('Vault Connections|Name') %></th>
-      <th class="col-md-1"><%= _('Valid') %></th>
-      <th class="col-md-1"><%= _('Expire time') %></th>
+      <th class="col-md-2"><%= sort :name, as: s_('Vault Connections|Name') %></th>
+      <th class="col-md-2"><%= _('URL') %></th>
+      <th class="col-md-2"><%= _('Role ID') %></th>
+      <th class="col-md-1"><%= _('Token Valid') %></th>
+      <th class="col-md-1"><%= _('Token Expire time') %></th>
       <th class="col-md-1"><%= _('Actions') %></th>
     </tr>
   </thead>
@@ -14,17 +16,29 @@
     <% @vault_connections.each do |vault_connection| %>
       <tr>
         <td class="ellipsis">
-          <%= link_to_if_authorized vault_connection.name, hash_for_edit_vault_connection_path(:id => vault_connection) %>
+          <%= link_to_if_authorized vault_connection.name, hash_for_edit_vault_connection_path(id: vault_connection) %>
+        </td>
+        <td class="ellipsis">
+          <code class="transparent"><%= vault_connection.url %></code>
+        </td>
+        <td class="ellipsis">
+          <% if vault_connection.with_approle? %>
+            <code class="transparent"><%= vault_connection.role_id %></code>
+          <% end %>
         </td>
         <td align='center'>
-          <% if vault_connection.token_valid? %>
+          <% vault_connection.with_token? && if vault_connection.token_valid? %>
             <%= ('<span class="glyphicon glyphicon-ok"/>').html_safe %>
           <% else %>
             <%= ('<span class="glyphicon glyphicon-remove" title="%s"/>' % vault_connection.vault_error).html_safe %>
           <% end %>
         </td>
-        <td><%= date_time_absolute(vault_connection.expire_time) %></td>
-        <td><%= action_buttons display_delete_if_authorized hash_for_vault_connection_path(:id => vault_connection), :data => { :confirm => _("Delete %s?") % vault_connection.name } %></td>
+        <td>
+          <% if vault_connection.with_token? %>
+            <%= date_time_absolute(vault_connection.expire_time) %>
+          <% end %>
+        </td>
+        <td><%= action_buttons display_delete_if_authorized hash_for_vault_connection_path(id: vault_connection), data: { confirm: _("Delete %s?") % vault_connection.name } %></td>
       </tr>
     <% end %>
   </tbody>

data/app/views/vault_connections/welcome.html.erb

@@ -0,0 +1,12 @@
+<div class="blank-slate-pf">
+  <div class="blank-slate-pf-icon">
+    <%= icon_text("shield", "", :kind => "fa") %>
+  </div>
+  <h1><%= _('Vault Connections') %></h1>
+  <p>
+    <%= _("HashiCorp Vault is a secrets management solution that brokers access for both humans and machines, through programmatic access, to systems. Secrets can be stored, dynamically generated, and in the case of encryption, keys can be consumed as a service without the need to expose the underlying key materials.") %></br>
+  </p>
+  <div class="blank-slate-pf-main-action">
+      <%= new_link(_("New Vault Connection"), {}, { :class => "btn-lg" }) %>
+  </div>
+</div>

data/db/migrate/20201203220058_add_approle_to_vault_connection.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class AddApproleToVaultConnection < ActiveRecord::Migration[5.1]
+  def change
+    add_column :vault_connections, :role_id, :string
+    add_column :vault_connections, :secret_id, :string
+  end
+end

data/db/seeds.d/103-provisioning_templates.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+User.as_anonymous_admin do
+  templates = [
+    {
+      name: 'Default Vault Policy',
+      source: 'VaultPolicy/default.erb',
+      template_kind: TemplateKind.find_or_create_by(name: 'VaultPolicy')
+    }
+  ]
+
+  templates.each do |template|
+    template[:contents] = File.read(File.join(ForemanVault::Engine.root, 'app/views/unattended/provisioning_templates', template[:source]))
+
+    ProvisioningTemplate.where(name: template[:name]).first_or_create do |pt|
+      pt.vendor = 'ForemanVault'
+      pt.default = true
+      pt.locked = true
+      pt.name = template[:name]
+      pt.template = template[:contents]
+      pt.template_kind = template[:template_kind] if template[:template_kind]
+      pt.snippet = template[:snippet] if template[:snippet]
+    end
+  end
+end

data/lib/foreman_vault/engine.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'vault'
+
 module ForemanVault
   class Engine < ::Rails::Engine
     engine_name 'foreman_vault'
@@ -10,6 +12,14 @@ module ForemanVault
     config.autoload_paths += Dir["#{config.root}/app/lib"]
     config.autoload_paths += Dir["#{config.root}/app/jobs"]
 
+    initializer 'foreman_vault.load_default_settings', before: :load_config_initializers do
+      require_dependency File.expand_path('../../app/models/setting/vault.rb', __dir__) if begin
+                                                                                             Setting.table_exists?
+                                                                                           rescue StandardError
+                                                                                             (false)
+                                                                                           end
+    end
+
     # Add any db migrations
     initializer 'foreman_vault.load_app_instance_data' do |app|
       ForemanVault::Engine.paths['db/migrate'].existent.each do |path|
@@ -19,7 +29,7 @@ module ForemanVault
 
     initializer 'foreman_vault.register_plugin', before: :finisher_hook do |_app|
       Foreman::Plugin.register :foreman_vault do
-        requires_foreman '>= 1.20'
+        requires_foreman '>= 2.3'
 
         apipie_documented_controllers ["#{ForemanVault::Engine.root}/app/controllers/api/v2/*.rb"]
 
@@ -44,8 +54,10 @@ module ForemanVault
 
     config.to_prepare do
       begin
-        Foreman::Renderer::Scope::Base.include(ForemanVault::Macros)
-        Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret] }
+        ::Host::Managed.include(ForemanVault::HostExtensions)
+        ::ProvisioningTemplate.include(ForemanVault::ProvisioningTemplateExtensions)
+        ::Foreman::Renderer::Scope::Base.include(ForemanVault::Macros)
+        ::Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret, :vault_issue_certificate] }
       rescue StandardError => e
         Rails.logger.warn "ForemanVault: skipping engine hook (#{e})"
       end

data/lib/foreman_vault/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ForemanVault
-  VERSION = '0.0.1'
+  VERSION = '1.0.0'
 end

data/test/factories/{foreman_vault_factories.rb → vault_connection.rb}

@@ -3,12 +3,12 @@
 FactoryBot.define do
   factory :vault_connection, class: VaultConnection do
     sequence(:name) { |n| "VaultServer-#{n}" }
-    url 'http://localhost:8200'
-    token '16aa4f29-035d-b604-f3d3-8cd9a6a6921c'
+    url { 'http://localhost:8200' }
+    token { '16aa4f29-035d-b604-f3d3-8cd9a6a6921c' }
     expire_time { Time.zone.now + 1.year }
 
     trait :invalid do
-      expire_time nil
+      expire_time { Time.zone.now - 1.year }
     end
 
     trait :without_callbacks do

data/test/factories/vault_policy_template.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+FactoryBot.modify do
+  factory :provisioning_template do
+    trait :vault_policy do
+      name { Setting['vault_policy_template'] || 'Default Vault Policy' }
+      template_kind { TemplateKind.find_or_create_by(name: 'VaultPolicy') }
+      template { File.read(File.join(ForemanVault::Engine.root, 'app/views/unattended/provisioning_templates/VaultPolicy/default.erb')) }
+    end
+  end
+end

data/test/factories/vault_setting.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+FactoryBot.modify do
+  factory :setting do
+    trait :vault_policy do
+      name { 'vault_policy_template' }
+      value { 'Default Vault Policy' }
+    end
+  end
+end

data/test/fixtures/ca.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmgCCQDSQhCJzHnXejANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMC
+cGwxDjAMBgNVBAgMBXN0YXRlMQ0wCwYDVQQHDARjaXR5MRAwDgYDVQQKDAdjb21w
+YW55MRAwDgYDVQQLDAdzZWN0aW9uMQ0wCwYDVQQDDARob3N0MSAwHgYJKoZIhvcN
+AQkBFhFlbWFpbEBleGFtcGxlLmNvbTAeFw0yMDA0MjkxMzQ1MjdaFw0yMzAyMTcx
+MzQ1MjdaMIGBMQswCQYDVQQGEwJwbDEOMAwGA1UECAwFc3RhdGUxDTALBgNVBAcM
+BGNpdHkxEDAOBgNVBAoMB2NvbXBhbnkxEDAOBgNVBAsMB3NlY3Rpb24xDTALBgNV
+BAMMBGhvc3QxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4YW1wbGUuY29tMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzQxWM6dJbtdDrIUvG5SBp8XadSst
+D5Lu/WBwazdiRQI6mF6bOrAviZUJVoN0sFphZHjQpzTkxS9N929fdChBB7fjrP7b
+vydvcbc8eH+HhK5tYzOjhjw/K2WHriNlSY7tD/Au8ZBkM7PYSM7411GG4Ubxh60+
+vamBX8rdAp5wEVKWHabdFswqtNbnmFWa00gMRA44ZMoBA5KdDCNnVA+wiA1hSLYl
+SdSPrKRmYw5gRul7h8lilrvf04Df87NEtRFMjuaHcxrIklVJZMsZ1Mvw5VhlpV3f
+q1kMGG3wXyeTAOlMDPEFXJ4gs8ZIEqS1T1gfCUF4w/rSDQ0u49WBu2TstQIDAQAB
+MA0GCSqGSIb3DQEBCwUAA4IBAQBBsovBY2r1+PXJhGTOXvZUMqz+IN/AKi52GIwC
+dPmVOhFTaztL1LbRTKgtg1cyQGmIdZ8skHGFKVAkESPa1dHu+E5uGs+rFEI1A+KA
+xKIN2dNXFUEnKDEywcjZhilDHeKqthf1gkcJwkMgv5+DczOtZvtsu7tDF2kcyedw
+6/A+0GJVG7S72VaL5hcfgglmGXNT5BRjLAWV6ZPViXWSJj43oXLGqqwHWhRBs+d6
+0+0kNukYjyPLVSLpFpj/DvxvPjQWoDTVzMeT7iTtahd4S9FGPZuHXG2yxnTjCycH
+jHNvGHXHfYJCJ10RxaeyP1Dz9qG9hH0GiiCCYAuPnf6Eu1qO
+-----END CERTIFICATE-----

data/test/functional/api/v2/vault_connections_controller_test.rb

@@ -72,7 +72,7 @@ module Api
           assert VaultConnection.exists?(@vault_connection.id)
           delete :destroy, params: { id: @vault_connection.to_param }
           assert_response :success
-          refute VaultConnection.exists?(@vault_connection.id)
+          assert_not VaultConnection.exists?(@vault_connection.id)
         end
       end
     end

data/test/models/foreman_vault/orchestration/vault_policy_test.rb

@@ -0,0 +1,167 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+module ForemanVault
+  module Orchestration
+    class VaultPolicyTest < ActiveSupport::TestCase
+      describe '#queue_vault_push' do
+        let(:host) { FactoryBot.create(:host, :managed) }
+        let(:queue) { mock('queue') }
+        let(:vault_policy) { mock('vault_policy') }
+        let(:vault_auth_method) { mock('vault_auth_method') }
+        let(:vault_connection) { FactoryBot.create(:vault_connection, :without_callbacks) }
+
+        setup do
+          host.stubs(:queue).returns(queue)
+          host.stubs(:vault_policy).returns(vault_policy)
+          host.stubs(:vault_auth_method).returns(vault_auth_method)
+          FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
+          FactoryBot.create(:setting, name: :vault_orchestration_enabled, value: true)
+        end
+
+        test 'should queue Vault orchestration' do
+          vault_policy.stubs(:valid?).returns(true)
+          vault_auth_method.stubs(:valid?).returns(true)
+
+          queue.expects(:create).with(
+            name: "Push #{host} data to Vault",
+            priority: 100,
+            action: [host, :set_vault]
+          ).once
+          host.send(:queue_vault_push)
+        end
+
+        context 'when vault_policy is not valid' do
+          test 'should not queue Vault orchestration' do
+            vault_auth_method.stubs(:valid?).returns(true)
+
+            vault_policy.expects(:valid?).returns(false)
+            queue.expects(:create).never
+            host.send(:queue_vault_push)
+          end
+        end
+
+        context 'when vault_auth_method is not valid' do
+          test 'should not queue Vault orchestration' do
+            vault_policy.stubs(:valid?).returns(true)
+
+            vault_auth_method.expects(:valid?).returns(false)
+            queue.expects(:create).never
+            host.send(:queue_vault_push)
+          end
+        end
+      end
+
+      describe '#queue_vault_destroy' do
+        let(:host) { FactoryBot.create(:host, :managed) }
+        let(:queue) { mock('queue') }
+        let(:vault_policy) { mock('vault_policy') }
+        let(:vault_auth_method) { mock('vault_auth_method') }
+        let(:vault_connection) { FactoryBot.create(:vault_connection, :without_callbacks) }
+
+        setup do
+          host.stubs(:queue).returns(queue)
+          host.stubs(:vault_policy).returns(vault_policy)
+          host.stubs(:vault_auth_method).returns(vault_auth_method)
+          FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
+          FactoryBot.create(:setting, name: :vault_orchestration_enabled, value: true)
+        end
+
+        context 'when auth_method is valid' do
+          test 'should queue del_vault' do
+            vault_auth_method.stubs(:valid?).returns(true)
+
+            queue.expects(:create).with(
+              name: "Clear #{host} Vault data",
+              priority: 60,
+              action: [host, :del_vault]
+            ).once
+            host.send(:queue_vault_destroy)
+          end
+        end
+
+        context 'when auth_method is not valid' do
+          test 'should not queue del_vault' do
+            vault_auth_method.stubs(:valid?).returns(false)
+
+            queue.expects(:create).never
+            host.send(:queue_vault_destroy)
+          end
+        end
+      end
+
+      describe '#set_vault' do
+        let(:environment) { FactoryBot.create(:environment, name: 'MyEnv') }
+        let(:host) { FactoryBot.create(:host, :managed, environment: environment) }
+        let(:vault_connection) { FactoryBot.create(:vault_connection, :without_callbacks) }
+        let(:new_owner) { FactoryBot.create(:usergroup, name: 'MyOwner') }
+
+        let(:vault_policies) { [] }
+        let(:get_policies_request) do
+          stub_request(:get, "#{vault_connection.url}/v1/sys/policy").to_return(
+            status: 200, headers: { 'Content-Type': 'application/json' },
+            body: { policies: vault_policies }.to_json
+          )
+        end
+
+        let(:new_policy_name) { "#{new_owner}-#{host.environment}".parameterize }
+        let(:put_policy_request) do
+          url = "#{vault_connection.url}/v1/sys/policy/#{new_policy_name}"
+          # rubocop:disable Metrics/LineLength
+          rules = "# allow access to secrets from puppet hosts from <foreman_owner>-<puppet_environment>\npath \"secrets/data/MyOwner/MyEnv/*\" {\n    capabilities = [\"create\", \"read\", \"update\"]\n}\n"
+          # rubocop:enable Metrics/LineLength
+          stub_request(:put, url).with(body: JSON.fast_generate(rules: rules)).to_return(status: 200)
+        end
+
+        let(:new_auth_method_name) { "#{host}-#{new_policy_name}".parameterize }
+        let(:post_auth_method_request) do
+          url = "#{vault_connection.url}/v1/auth/cert/certs/#{new_auth_method_name}"
+          stub_request(:post, url).with(
+            body: JSON.fast_generate(
+              certificate: host.vault_auth_method.send(:certificate),
+              token_policies: new_policy_name,
+              allowed_common_names: [host.fqdn]
+            )
+          ).to_return(status: 200)
+        end
+
+        let(:delete_old_auth_method_request) do
+          url = "#{vault_connection.url}/v1/auth/cert/certs/#{host.vault_auth_method.name}"
+          stub_request(:delete, url).to_return(status: 200)
+        end
+
+        setup do
+          Setting.find_by(name: 'ssl_ca_file').update(value: File.join(ForemanVault::Engine.root, 'test/fixtures/ca.crt'))
+          FactoryBot.create(:setting, name: :vault_orchestration_enabled, value: true)
+          FactoryBot.create(:setting, :vault_policy)
+          FactoryBot.create(:provisioning_template, :vault_policy, name: Setting['vault_policy_template'])
+          FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
+          host.stubs(:skip_orchestration_for_testing?).returns(false)
+
+          get_policies_request
+          put_policy_request
+          post_auth_method_request
+          delete_old_auth_method_request
+
+          host.update(owner: new_owner)
+        end
+
+        it { assert_requested(post_auth_method_request) }
+        it { assert_requested(delete_old_auth_method_request) }
+
+        context 'when policy already exists on Vault' do
+          let(:vault_policies) { [new_policy_name] }
+
+          it { assert_not_requested(put_policy_request) }
+        end
+
+        context 'when policy does not exist on Vault' do
+          let(:vault_policies) { [] }
+
+          it { assert_requested(put_policy_request) }
+        end
+      end
+    end
+  end
+end