foreman_vault 0.0.1 → 1.0.0

data/test/models/vault_policy_template_test.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+class VaultPolicyTemplateTest < ActiveSupport::TestCase
+  let(:host) { FactoryBot.create(:host, :managed) }
+  let(:template) { FactoryBot.create(:provisioning_template, :vault_policy) }
+
+  it 'is rendered from a database' do
+    Foreman::Renderer.expects(:get_source).with(has_entry(klass: Foreman::Renderer::Source::Database))
+    Foreman::Renderer.stubs(:get_scope)
+    Foreman::Renderer.stubs(:render)
+
+    template.render
+  end
+
+  test 'render in default mode' do
+    assert_nothing_raised { template.render(host: host) }
+  end
+
+  test 'render in safe mode' do
+    assert_nothing_raised { template.render(renderer: Foreman::Renderer::SafeModeRenderer, host: host) }
+  end
+
+  test 'render in unsafe mode' do
+    assert_nothing_raised { template.render(renderer: Foreman::Renderer::UnsafeModeRenderer, host: host) }
+  end
+end

data/test/test_plugin_helper.rb

@@ -2,7 +2,6 @@
 
 # This calls the main test_helper in Foreman-core
 require 'test_helper'
-require 'vault'
 
 # Add plugin to FactoryBot's paths
 FactoryBot.definition_file_paths << File.join(File.dirname(__FILE__), 'factories')

data/test/unit/services/foreman_vault/vault_auth_method_test.rb

@@ -0,0 +1,130 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+class VaultAuthMethodTest < ActiveSupport::TestCase
+  subject { ForemanVault::VaultAuthMethod.new(host) }
+
+  let(:host) { FactoryBot.create(:host, :managed) }
+
+  describe '#name' do
+    context 'with host and vault_policy_name' do
+      setup do
+        subject.stubs(:vault_policy_name).returns('vault_policy_name')
+      end
+
+      it { assert_equal "#{host}-vault_policy_name".parameterize, subject.name }
+    end
+
+    context 'without host' do
+      setup do
+        subject.stubs(:host).returns(nil)
+        subject.stubs(:vault_policy_name).returns('vault_policy_name')
+      end
+
+      it { assert_nil subject.name }
+    end
+
+    context 'without vault_policy_name' do
+      setup do
+        subject.stubs(:vault_policy_name).returns(nil)
+      end
+
+      it { assert_nil subject.name }
+    end
+  end
+
+  describe 'valid?' do
+    context 'with name and certificate' do
+      setup do
+        subject.stubs(:name).returns('name')
+        subject.stubs(:certificate).returns('cert')
+      end
+
+      it { assert subject.valid? }
+    end
+
+    context 'without name' do
+      setup do
+        subject.stubs(:name).returns(nil)
+        subject.stubs(:certificate).returns('cert')
+      end
+
+      it { assert_not subject.valid? }
+    end
+
+    context 'without certificate' do
+      setup do
+        subject.stubs(:name).returns('name')
+        subject.stubs(:certificate).returns(nil)
+      end
+
+      it { assert_not subject.valid? }
+    end
+  end
+
+  describe '#save' do
+    context 'when valid' do
+      it 'creates auth method in the Vault' do
+        subject.stubs(:name).returns('name')
+        subject.stubs(:vault_policy_name).returns('vault_policy_name')
+        subject.stubs(:certificate).returns('cert')
+
+        subject.expects(:set_certificate).once.with(
+          'name',
+          certificate: 'cert',
+          token_policies: 'vault_policy_name',
+          allowed_common_names: [host.fqdn]
+        )
+        subject.save
+      end
+    end
+
+    context 'when not valid' do
+      it 'does not create auth method in the Vault' do
+        subject.stubs(:valid?).returns(false)
+
+        subject.expects(:set_certificate).never
+        subject.save
+      end
+    end
+  end
+
+  describe '#delete' do
+    context 'when valid' do
+      it 'deletes Certificate' do
+        subject.stubs(:valid?).returns(true)
+
+        subject.expects(:delete_certificate).once.with(subject.name)
+        subject.delete
+      end
+    end
+
+    context 'when not valid' do
+      it 'does not delete Certificate' do
+        subject.stubs(:valid?).returns(false)
+
+        subject.expects(:delete_certificate).never
+        subject.delete
+      end
+    end
+  end
+
+  describe '#certificate' do
+    setup do
+      Setting.find_by(name: 'ssl_ca_file').update(value: cert_path)
+    end
+
+    context 'when certificate file can be read' do
+      let(:cert_path) { File.join(ForemanVault::Engine.root, 'test/fixtures/ca.crt') }
+
+      it { assert_equal File.read(cert_path), subject.send(:certificate) }
+    end
+
+    context 'when certificate file cannot be read' do
+      let(:cert_path) { '/tmp/invalid.crt' }
+
+      it { assert_not subject.send(:certificate) }
+    end
+  end
+end

data/test/unit/services/foreman_vault/vault_client_test.rb

@@ -3,10 +3,46 @@
 require 'test_plugin_helper'
 
 class VaultClientTest < ActiveSupport::TestCase
-  setup do
-    @subject = ForemanVault::VaultClient.new('http://127.0.0.1:8200', 'e57e5ef2-b25c-a0e5-65a6-863ab095dff6')
-    @client = mock
-    Vault::Client.expects(:new).returns(@client)
+  subject do
+    ForemanVault::VaultClient.new(base_url, token, nil, nil).tap do |vault_client|
+      vault_client.instance_variable_set(:@client, client)
+    end
+  end
+
+  let(:client) { Vault::Client }
+  let(:base_url) { 'http://127.0.0.1:8200' }
+  let(:token) { 's.opkr0MAqme5e5nr3i2or5wZC' }
+
+  describe 'auth with AppRole' do
+    subject { ForemanVault::VaultClient.new(base_url, nil, role_id, secret_id) }
+
+    let(:role_id) { '8403910c-e563-d2f2-1c77-6e26319be8b5' }
+    let(:secret_id) { '1058434b-b4aa-bf5a-b376-a15d9efb1059' }
+
+    setup do
+      stub_request(:post, "#{base_url}/v1/auth/approle/login").with(
+        body: {
+          role_id: role_id,
+          secret_id: secret_id
+        }
+      ).to_return(
+        status: 200,
+        headers: { 'Content-Type': 'application/json' },
+        body: {
+          auth: {
+            client_token: token
+          }
+        }.to_json
+      )
+    end
+
+    it { assert_equal token, subject.send(:client).token }
+  end
+
+  describe 'auth with token' do
+    subject { ForemanVault::VaultClient.new(base_url, token, nil, nil) }
+
+    it { assert_equal token, subject.send(:client).token }
   end
 
   describe '#fetch_expire_time' do
@@ -14,11 +50,11 @@ class VaultClientTest < ActiveSupport::TestCase
       @time = '2018-08-01T20:08:55.525830559+02:00'
       response = OpenStruct.new(data: { expire_time: @time })
       auth_token = mock.tap { |object| object.expects(:lookup_self).once.returns(response) }
-      @client.expects(:auth_token).once.returns(auth_token)
+      client.expects(:auth_token).once.returns(auth_token)
     end
 
     test 'should return expire time' do
-      assert_equal Time.zone.parse(@time), @subject.fetch_expire_time
+      assert_equal Time.zone.parse(@time), subject.fetch_expire_time
     end
   end
 
@@ -29,11 +65,34 @@ class VaultClientTest < ActiveSupport::TestCase
       response = OpenStruct.new(data: @data)
       logical = mock.tap { |object| object.expects(:read).once.with(@secret_path).returns(response) }
 
-      @client.expects(:logical).once.returns(logical)
+      client.expects(:logical).once.returns(logical)
     end
 
     test 'should return expire time' do
-      assert_equal @data, @subject.fetch_secret(@secret_path)
+      assert_equal @data, subject.fetch_secret(@secret_path)
+    end
+  end
+
+  describe '#fetch_certificate' do
+    setup do
+      @pki_path = '/pkiEngine/issue/testRole'
+      @data = {
+        certificate: 'CERTIFICATE_DATA',
+        expiration: 1_582_116_230,
+        issuing_ca: 'CA_CERTIFICATE_DATA',
+        private_key: 'PRIVATE_KEY_DATA',
+        private_key_type: 'rsa',
+        serial_number: '7e:2d:c8:dd:df:da:fe:1f:39:da:39:23:4f:74:c8:1f:1d:4a:db:a7'
+      }
+
+      response = OpenStruct.new(data: @data)
+      logical = mock.tap { |object| object.expects(:write).once.with(@pki_path).returns(response) }
+
+      client.expects(:logical).once.returns(logical)
+    end
+
+    test 'should return new certificate' do
+      assert_equal @data, subject.issue_certificate(@pki_path)
     end
   end
 end

data/test/unit/services/foreman_vault/vault_policy_test.rb

@@ -0,0 +1,171 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+class VaultPolicyTest < ActiveSupport::TestCase
+  subject { ForemanVault::VaultPolicy.new(host) }
+
+  let(:host) { FactoryBot.create(:host, :managed) }
+
+  setup do
+    FactoryBot.create(:setting, name: 'vault_policy_template', value: 'Default Vault Policy')
+  end
+
+  describe 'valid?' do
+    context 'with name and rules' do
+      setup do
+        subject.stubs(:name).returns('name')
+        subject.stubs(:rules).returns('rules')
+      end
+
+      it { assert subject.valid? }
+    end
+
+    context 'without name' do
+      setup do
+        subject.stubs(:name).returns(nil)
+        subject.stubs(:rules).returns('rules')
+      end
+
+      it { assert_not subject.valid? }
+    end
+
+    context 'without rules' do
+      setup do
+        subject.stubs(:name).returns('name')
+        subject.stubs(:rules).returns(nil)
+      end
+
+      it { assert_not subject.valid? }
+    end
+  end
+
+  describe '#name' do
+    context 'without corresponding Vault Policy template' do
+      it { assert_nil subject.name }
+    end
+
+    context 'with corresponding Vault Policy template' do
+      setup do
+        FactoryBot.create(:provisioning_template, :vault_policy, template: template)
+      end
+
+      let(:template) { '# NAME: <%= @host.name %>' }
+
+      it { assert_equal host.name.parameterize, subject.name }
+
+      context 'when name is empty' do
+        let(:template) { '# NAME:' }
+
+        it { assert_nil subject.name }
+      end
+
+      context 'when there is no name magic comment' do
+        let(:template) { '# BLAH:' }
+
+        it { assert_nil subject.name }
+      end
+    end
+  end
+
+  describe '#new?' do
+    setup do
+      FactoryBot.create(:provisioning_template, :vault_policy)
+    end
+
+    context 'policy already exists in the Vault' do
+      setup do
+        subject.stubs(:policies).returns([subject.name])
+      end
+
+      it { assert_not subject.new? }
+    end
+
+    context 'policy does not exist in the Vault' do
+      setup do
+        subject.stubs(:policies).returns([])
+      end
+
+      it { assert subject.new? }
+    end
+  end
+
+  describe '#save' do
+    context 'when valid' do
+      it 'creates Vault Policy' do
+        subject.stubs(:name).returns('name')
+        subject.stubs(:rules).returns('rules')
+
+        subject.expects(:put_policy).once.with(subject.name, subject.send(:rules))
+        subject.save
+      end
+    end
+
+    context 'when not valid' do
+      it 'does not create Vault Policy' do
+        subject.stubs(:valid?).returns(false)
+
+        subject.expects(:set_certificate).never
+        subject.save
+      end
+    end
+  end
+
+  describe '#delete' do
+    context 'when valid' do
+      it 'deletes Vault Policy' do
+        subject.stubs(:valid?).returns(true)
+
+        subject.expects(:delete_policy).once.with(subject.name)
+        subject.delete
+      end
+    end
+
+    context 'when not valid' do
+      it 'does not delete Vault Policy' do
+        subject.stubs(:valid?).returns(false)
+
+        subject.expects(:delete_policy).never
+        subject.delete
+      end
+    end
+  end
+
+  describe '#rules' do
+    context 'without corresponding Vault Policy template' do
+      it { assert_nil subject.send(:rules) }
+    end
+
+    context 'with corresponding Vault Policy template' do
+      let(:rules) { 'path "secrets/data/*" { capabilities = ["create", "read", "update"] }' }
+
+      setup do
+        FactoryBot.create(:provisioning_template, :vault_policy, template: template)
+      end
+
+      let(:template) do
+        <<~TEMPLATE
+          # NAME: <%= @host.name %>
+
+          #{rules}
+        TEMPLATE
+      end
+
+      it { assert_equal "#{rules}\n", subject.send(:rules) }
+
+      context 'when Vault Policy template renders empty' do
+        let(:template) do
+          <<~TEMPLATE
+            # NAME: <%= @host.name %>
+
+            <% if false %>
+              #{rules}
+            <% end %>
+          TEMPLATE
+        end
+
+        it { assert_nil subject.send(:rules) }
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_vault
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 1.0.0
 platform: ruby
 authors:
 - dmTECH GmbH
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-01-21 00:00:00.000000000 Z
+date: 2021-01-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: vault
@@ -52,7 +52,7 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 0.54.0
-description: 
+description:
 email:
 - opensource@dm.de
 executables: []
@@ -68,22 +68,32 @@ files:
 - app/jobs/refresh_vault_token.rb
 - app/jobs/refresh_vault_tokens.rb
 - app/lib/foreman_vault/macros.rb
+- app/models/concerns/foreman_vault/host_extensions.rb
+- app/models/concerns/foreman_vault/orchestration/vault_policy.rb
+- app/models/concerns/foreman_vault/provisioning_template_extensions.rb
+- app/models/setting/vault.rb
 - app/models/vault_connection.rb
+- app/services/foreman_vault/vault_auth_method.rb
 - app/services/foreman_vault/vault_client.rb
+- app/services/foreman_vault/vault_policy.rb
 - app/views/api/v2/vault_connections/base.json.rabl
 - app/views/api/v2/vault_connections/create.json.rabl
 - app/views/api/v2/vault_connections/index.json.rabl
 - app/views/api/v2/vault_connections/main.json.rabl
 - app/views/api/v2/vault_connections/show.json.rabl
 - app/views/api/v2/vault_connections/update.json.rabl
+- app/views/unattended/provisioning_templates/VaultPolicy/default.erb
 - app/views/vault_connections/_form.html.erb
 - app/views/vault_connections/edit.html.erb
 - app/views/vault_connections/index.html.erb
 - app/views/vault_connections/new.html.erb
+- app/views/vault_connections/welcome.html.erb
 - config/foreman_vault.yaml.example
 - config/routes.rb
 - db/migrate/20180725072913_create_vault_connection.foreman_vault.rb
 - db/migrate/20180809172407_rename_vault_status_to_vault_error.foreman_vault.rb
+- db/migrate/20201203220058_add_approle_to_vault_connection.rb
+- db/seeds.d/103-provisioning_templates.rb
 - lib/foreman_vault.rb
 - lib/foreman_vault/engine.rb
 - lib/foreman_vault/version.rb
@@ -92,19 +102,26 @@ files:
 - locale/en/foreman_vault.po
 - locale/foreman_vault.pot
 - locale/gemspec.rb
-- test/factories/foreman_vault_factories.rb
+- test/factories/vault_connection.rb
+- test/factories/vault_policy_template.rb
+- test/factories/vault_setting.rb
+- test/fixtures/ca.crt
 - test/functional/api/v2/vault_connections_controller_test.rb
 - test/jobs/refresh_vault_token_test.rb
 - test/jobs/refresh_vault_tokens_test.rb
+- test/models/foreman_vault/orchestration/vault_policy_test.rb
 - test/models/vault_connection_test.rb
+- test/models/vault_policy_template_test.rb
 - test/test_plugin_helper.rb
 - test/unit/lib/foreman_vault/macros_test.rb
+- test/unit/services/foreman_vault/vault_auth_method_test.rb
 - test/unit/services/foreman_vault/vault_client_test.rb
+- test/unit/services/foreman_vault/vault_policy_test.rb
 homepage: https://github.com/dm-drogeriemarkt/foreman_vault
 licenses:
 - GPL-3.0
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -119,16 +136,22 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.3
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Adds support for using credentials from Hashicorp Vault
 test_files:
 - test/unit/lib/foreman_vault/macros_test.rb
 - test/unit/services/foreman_vault/vault_client_test.rb
+- test/unit/services/foreman_vault/vault_policy_test.rb
+- test/unit/services/foreman_vault/vault_auth_method_test.rb
+- test/models/vault_policy_template_test.rb
 - test/models/vault_connection_test.rb
-- test/factories/foreman_vault_factories.rb
+- test/models/foreman_vault/orchestration/vault_policy_test.rb
+- test/factories/vault_policy_template.rb
+- test/factories/vault_connection.rb
+- test/factories/vault_setting.rb
+- test/fixtures/ca.crt
 - test/test_plugin_helper.rb
 - test/jobs/refresh_vault_tokens_test.rb
 - test/jobs/refresh_vault_token_test.rb