foreman_vault 0.0.1

data/README.md

@@ -0,0 +1,55 @@
+# ForemanVault
+
+[<img src="https://opensourcelogos.aws.dmtech.cloud/dmTECH_opensource_logo.svg" height="21" width="130">](https://www.dmtech.de/)
+
+This is a plugin for Foreman that adds support for using credentials from Hashicorp Vault.
+
+## Installation
+
+See [Plugins install instructions](https://theforeman.org/plugins/) for how to install Foreman plugins.
+
+## Usage
+
+Setup Vault "Dev" mode:
+
+```
+$ brew install vault
+$ vault server -dev
+$ export VAULT_ADDR='http://127.0.0.1:8200'
+$ vault secrets enable kv
+```
+
+To set up a connection between Foreman and Vault first navigate to the "Infrastructure" > "Vault Connections" menu and then hit the button labeled "Create Vault Connection". Now you should see a form. You have to fill in name, url and token (you can receive a token with the `$ vault token create -period=60m` command) and hit the "Submit" button.
+
+You can now use `vault_secret(vault_connection_name, secret_path)` macro in your templates to fetch secrets from Vault (you can write secrets with the `$ vault write kv/my_secret foo=bar` command), e.g.
+
+```
+<%= vault_secret('MyVault', 'kv/my_secret') %>
+```
+
+As result you should get secret data, e.g.
+
+```
+{:foo=>"bar"}
+```
+
+## Contributing
+
+Fork and send a Pull Request. Thanks!
+
+## Copyright
+
+Copyright (c) 2018 dmTECH GmbH, [dmtech.de](https://www.dmtech.de/)
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.

data/Rakefile

@@ -0,0 +1,47 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'ForemanVault'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path('../test/dummy/Rakefile', __FILE__)
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test
+
+begin
+  require 'rubocop/rake_task'
+  RuboCop::RakeTask.new
+rescue => _
+  puts 'Rubocop not loaded.'
+end
+
+task :default do
+  Rake::Task['rubocop'].execute
+end

data/app/controllers/api/v2/vault_connections_controller.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Api
+  module V2
+    class VaultConnectionsController < V2::BaseController
+      include Api::Version2
+      include ForemanVault::Controller::Parameters::VaultConnection
+
+      before_action :find_resource, only: [:show, :update, :destroy]
+
+      api :GET, '/vault_connections/', N_('List VaultConnections')
+      param_group :search_and_pagination, ::Api::V2::BaseController
+      def index
+        @vault_connections = resource_scope_for_index
+      end
+
+      api :GET, '/vault_connections/:id', N_('Show VaultConnection details')
+      param :id, :identifier, required: true
+      def show; end
+
+      def_param_group :vault_connection do
+        param :vault_connection, Hash, action_aware: true, required: true do
+          param :name, String, required: true
+          param :url, String, required: true
+          param :token, String, required: true
+        end
+      end
+
+      api :POST, '/vault_connections/', N_('Create a Vault Connection')
+      param_group :vault_connection, as: :create
+
+      def create
+        @vault_connection = VaultConnection.new(vault_connection_params)
+        process_response @vault_connection.save
+      end
+
+      api :PUT, '/vault_connections/:id', N_('Update a VaultConnection')
+      param :id, :identifier, required: true
+      param_group :vault_connection
+      def update
+        process_response @vault_connection.update(vault_connection_params)
+      end
+
+      api :DELETE, '/vault_connections/:id', N_('Delete a VaultConnection')
+      param :id, :identifier, required: true
+      def destroy
+        process_response @vault_connection.destroy
+      end
+
+      private
+
+      # Overload this method to avoid using search_for method
+      def resource_scope_for_index(options = {})
+        resource_scope(options).paginate(paginate_options)
+      end
+    end
+  end
+end

data/app/controllers/concerns/foreman_vault/controller/parameters/vault_connection.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module ForemanVault
+  module Controller
+    module Parameters
+      module VaultConnection
+        extend ActiveSupport::Concern
+
+        class_methods do
+          def vault_connection_params_filter
+            Foreman::ParameterFilter.new(::VaultConnection).tap do |filter|
+              filter.permit :name, :url, :token
+            end
+          end
+        end
+
+        def vault_connection_params
+          self.class.vault_connection_params_filter.filter_params(params, parameter_filter_context)
+        end
+      end
+    end
+  end
+end

data/app/controllers/vault_connections_controller.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+class VaultConnectionsController < ::ApplicationController
+  include ForemanVault::Controller::Parameters::VaultConnection
+
+  before_action :find_resource, only: [:edit, :update, :destroy]
+
+  def index
+    @vault_connections = resource_base.all
+  end
+
+  def new
+    @vault_connection = VaultConnection.new
+  end
+
+  def create
+    @vault_connection = VaultConnection.new(vault_connection_params)
+    if @vault_connection.save
+      process_success
+    else
+      process_error
+    end
+  end
+
+  def edit; end
+
+  def update
+    if @vault_connection.update(vault_connection_params)
+      process_success
+    else
+      process_error
+    end
+  end
+
+  def destroy
+    if @vault_connection.destroy
+      process_success
+    else
+      process_error
+    end
+  end
+end

data/app/jobs/refresh_vault_token.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+class RefreshVaultToken < ApplicationJob
+  def self.retry_wait
+    (SETTINGS&.[](:foreman_vault)&.[](:refresh_token_retry_wait) || 5).minutes
+  end
+
+  def self.retry_attempts
+    SETTINGS&.[](:foreman_vault)&.[](:refresh_token_retry_attempts) || 3
+  end
+
+  queue_as :vault_tokens_queue
+
+  retry_on StandardError, wait: retry_wait, attempts: retry_attempts
+
+  def perform(vault_connection_id)
+    vault_connection = VaultConnection.with_valid_token.find(vault_connection_id)
+    vault_connection.try(:renew_token!)
+  end
+
+  rescue_from(StandardError) do |error|
+    Foreman::Logging.logger('background').error("Refresh Vault token: Error #{error}: #{error.backtrace}")
+  end
+
+  def humanized_name
+    _('Refresh Vault token')
+  end
+end

data/app/jobs/refresh_vault_tokens.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class RefreshVaultTokens < ApplicationJob
+  def self.wait_time
+    (SETTINGS&.[](:foreman_vault)&.[](:refresh_tokens_wait_time) || 30).minutes
+  end
+
+  queue_as :vault_tokens_queue
+
+  after_perform do
+    self.class.set(wait: self.class.wait_time).perform_later
+  end
+
+  def perform
+    VaultConnection.with_valid_token.each(&:perform_renew_token)
+  end
+
+  rescue_from(StandardError) do |error|
+    Foreman::Logging.logger('background').error("Refresh Vault tokens: Error #{error}: #{error.backtrace}")
+  end
+
+  def humanized_name
+    _('Refresh Vault tokens')
+  end
+end

data/app/lib/foreman_vault/macros.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module ForemanVault
+  module Macros
+    def vault_secret(vault_connection_name, secret_path)
+      vault = VaultConnection.find_by!(name: vault_connection_name)
+      raise VaultError.new(N_('Invalid token for %s'), vault.name) unless vault.token_valid?
+      vault.fetch_secret(secret_path)
+    rescue ActiveRecord::RecordNotFound => e
+      raise VaultError, e.message
+    end
+
+    class VaultError < Foreman::Exception; end
+  end
+end

data/app/models/vault_connection.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+class VaultConnection < ApplicationRecord
+  include Authorizable
+
+  validates_lengths_from_database
+  validates :name, presence: true, uniqueness: true
+  validates :url, :token, presence: true
+  validates :url, format: URI.regexp(['http', 'https'])
+
+  before_create :set_expire_time
+  before_update :update_expire_time
+
+  scope :with_valid_token, -> { where(vault_error: nil).where('expire_time > ?', Time.zone.now) }
+
+  delegate :fetch_expire_time, :fetch_secret, to: :client
+
+  def token_valid?
+    vault_error.nil? && expire_time && expire_time > Time.zone.now
+  end
+
+  def renew_token!
+    client.renew_token
+    save!
+  rescue StandardError => e
+    # rubocop:disable Rails/SkipsModelValidations
+    update_column(:vault_error, e.message)
+    # rubocop:enable Rails/SkipsModelValidations
+  end
+
+  def perform_renew_token
+    RefreshVaultToken.perform_later(id)
+  end
+
+  private
+
+  def set_expire_time
+    self.expire_time = fetch_expire_time
+  rescue StandardError => e
+    errors.add(:base, e.message)
+    throw(:abort)
+  end
+
+  def update_expire_time
+    self.expire_time = fetch_expire_time
+    self.vault_error = nil
+  rescue StandardError => e
+    self.expire_time = nil
+    self.vault_error = e.message
+  end
+
+  def client
+    @client ||= ForemanVault::VaultClient.new(url, token)
+  end
+end

data/app/services/foreman_vault/vault_client.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'vault'
+
+module ForemanVault
+  class VaultClient
+    def initialize(base_url, token)
+      @base_url = base_url
+      @token = token
+    end
+
+    def fetch_expire_time
+      response = client.auth_token.lookup_self
+      Time.zone.parse(response.data[:expire_time])
+    end
+
+    def fetch_secret(secret_path)
+      response = client.logical.read(secret_path)
+      raise NoDataError.new(N_('There is no available data for path: %s'), secret_path) unless response
+      response.data
+    end
+
+    def renew_token
+      client.auth_token.renew_self
+    end
+
+    private
+
+    class VaultClientError < Foreman::Exception; end
+    class NoDataError < VaultClientError; end
+
+    attr_reader :base_url, :token
+
+    def client
+      @client ||= Vault::Client.new(address: base_url, token: token)
+    end
+  end
+end

data/app/views/api/v2/vault_connections/base.json.rabl

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+object @vault_connection
+
+attributes :id, :name, :url, :token, :expire_time, :vault_status

data/app/views/api/v2/vault_connections/create.json.rabl

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+object @vault_connection
+
+extends 'api/v2/vault_connections/show'

data/app/views/api/v2/vault_connections/index.json.rabl

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+collection @vault_connections
+
+extends 'api/v2/vault_connections/main'

data/app/views/api/v2/vault_connections/main.json.rabl

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+object @vault_connection
+
+extends 'api/v2/vault_connections/base'

data/app/views/api/v2/vault_connections/show.json.rabl

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+object @vault_connection
+
+extends 'api/v2/vault_connections/main'

data/app/views/api/v2/vault_connections/update.json.rabl

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+object @vault_connection
+
+extends 'api/v2/vault_connections/main'