foreman_vault 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 340e62f20ed55a76d6d22ef7e5bf7b3b58a8197a42224019e48384fd10e8b090
-  data.tar.gz: 5f5d0490d9d4ea43d46653abba3120b8a4e1eb08da85ff1927d1364fe7ab2de3
+  metadata.gz: a11fc63d2584b7fd9f4ad6b561cdbdd471503d3de307d4a77610094d67d26b62
+  data.tar.gz: 215b5f6e87ed318a16b7623bedccb25d17dd001ee73281f144b6726a44aee28b
 SHA512:
-  metadata.gz: 142d5f6e82b6c30674c03653ebde20cdecece4f093f2a7b3fd0e3e621aaff4a7fa892683d69f14497d579b8b84167bbe1cc1e908eefef527e1cd26c3f49ffe15
-  data.tar.gz: 134ba4aee2e7db7ebe52174cc936a079978daf0c2e73edab230bdeada75e6bec317589ac789e0dc5003b6d092e36f86a4e40298e316b43469030537a495a4e53
+  metadata.gz: b73b1a230f9982752e8ede2a38b2afd1a071a7ca397fe5f518d6447dbd30ca4f94efcbf29d4c39430cb8f8bf5b9508d9c4edd542aead2ebde60d00e82f889833
+  data.tar.gz: 3b85d123010e4ff958ed12885792b759cddd81b550c4f3cc287cce45b38881ea6589e700caa99751f0f0baf79002a89c2089f5a5784b23d6dafbf3509dc938cd

data/README.md

@@ -2,31 +2,63 @@
 
 [<img src="https://opensourcelogos.aws.dmtech.cloud/dmTECH_opensource_logo.svg" height="21" width="130">](https://www.dmtech.de/)
 
-This is a plugin for Foreman that adds support for using credentials from Hashicorp Vault.
+**Foreman Vault** is a plugin for Foreman that integrates with Hashicorp Vault for different things. Currently, it offers two distinct features.
 
-## Installation
+## 1. Vault secrets in Foreman templates
 
-See [Plugins install instructions](https://theforeman.org/plugins/) for how to install Foreman plugins.
+This adds two new macros which can be used in Foreman templates:
+
+- `vault_secret` - Retreive secrets at a given Vault path
+- `vault_issue_certificate` - Issues new certificates
+
+## 2. Management of Vault Policies and AuthMethods
+
+Vault [policies](https://www.vaultproject.io/docs/concepts/policies) and [auth methods](https://www.vaultproject.io/docs/concepts/auth) (of type _cert_) can be created automatically as part of the **host orchestration**.
+Auth methods also get deleted after the host is removed from Foreman.
+
+This allows Foreman to create everything needed to access Hashicorp Vault directly from a VM using it's Puppet certificate (e.g. for _Deferred functions_ in Puppet or other CLI tools).
+
+## Requirements
+
+- Foreman >= 1.20
+- Working Vault instance
+  - with _cert_ auth enabled
+  - with _kv_ secret store enabled
+- valid Vault Token
 
-## Usage
+**Dev Vault Instance**
 
-Setup Vault "Dev" mode:
+To run a local Vault dev environment on MacOS use:
 
 ```
 $ brew install vault
 $ vault server -dev
 $ export VAULT_ADDR='http://127.0.0.1:8200'
 $ vault secrets enable kv
+$ vault auth enable cert
+
+$ vault token create -period=60m
+[...]
 ```
 
-To set up a connection between Foreman and Vault first navigate to the "Infrastructure" > "Vault Connections" menu and then hit the button labeled "Create Vault Connection". Now you should see a form. You have to fill in name, url and token (you can receive a token with the `$ vault token create -period=60m` command) and hit the "Submit" button.
+## Installation
+
+See [Plugins install instructions](https://theforeman.org/plugins/) for how to install Foreman plugins.
+
+## Basic configuration
+
+To create a new Vault connection navigate to `Infrastructure -> Vault Connections` and hit the `Create Vault Connection` button. There you can enter a name, the Vault URL and a secret token.
+
+## Vault secrets in templates
 
-You can now utilize two new macros in your templates:
- - vault_secret(vault_connection_name, secret_path)
- - vault_issue_certificate(vault_connection_name, pki_role_path, options...)
+At this point you can utilize two new macros in your templates:
+
+- vault_secret(vault_connection_name, secret_path)
+- vault_issue_certificate(vault_connection_name, pki_role_path, options...)
 
 ### vault_secret(vault_connection_name, secret_path)
-To fetch secrets from Vault (you can write secrets with the `$ vault write kv/my_secret foo=bar` command), e.g.
+
+To fetch secrets from Vault (you can write secrets with the `vault write kv/my_secret foo=bar` command), e.g.
 
 ```
 <%= vault_secret('MyVault', 'kv/my_secret') %>
@@ -39,14 +71,42 @@ As result you should get secret data, e.g.
 ```
 
 ### vault_issue_certificate(vault_connection_name, pki_role_path, options...)
-Issueing certificates is just as easy. Be sure to have a correctly set-up PKI, meaning, configure it so you can generate certificates from within the Vault UI. This means that you'll have had to set-up a CA or Intermediate CA. Once done, you can generate a certificate like this:
 
+Issueing certificates is just as easy. Be sure to have a correctly set-up PKI, meaning, configure it so you can generate certificates from within the Vault UI. This means that you'll have to set-up a CA or Intermediate CA. Once done, you can generate a certificate like this:
 
 ```
 <%= vault_issue_certificate('MyVault', 'pkiEngine/issue/testRole', common_name: 'test.mydomain.com', ttl: '10s') %>
 ```
 
-The common_name and ttl are optional, but there are [more options to configure](https://www.vaultproject.io/api/secret/pki/index.html#generate-certificate)
+The _common_name_ and _ttl_ are optional, but there are [more options to configure](https://www.vaultproject.io/api/secret/pki/index.html#generate-certificate)
+
+## Vault policies and auth methods
+
+### Policies
+
+The policy is based on a new template kind `VaultPolicy` which is basically a [Vault Policy](https://www.vaultproject.io/docs/concepts/policies#policy-syntax) extended with ERB.
+
+The name of the policy is extracted from a _Magic comment_ within the template. Therefore you can use ERB to influence the name:
+
+```
+# NAME: <%= @host.owner %>-<%= @host.environment %>
+
+path "secret/foo" {
+  capabilities = ["read"]
+}
+```
+
+You can create multiple `VaultPolicy` templates and configure the default policy used in host orchestration by setting the Foreman Setting `vault_policy_template` to the desired one.
+
+**Note: If the policy renders empty (yes, you can use conditions within ERB), the orchestration is skipped!**
+
+### Auth methods
+
+[Auth methods of type `cert`](https://www.vaultproject.io/docs/auth/cert) are created with three attributes:
+
+- **certificate**: content of the Foreman setting `ssl_ca_file`
+- **allowed_common_names**: FQDN of the host which triggered the orchestration
+- **token_policies**: This is automatically linked to the policy from above
 
 ## Contributing
 
@@ -63,8 +123,8 @@ the Free Software Foundation, either version 3 of the License, or
 
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
-along with this program.  If not, see <http://www.gnu.org/licenses/>.
+along with this program. If not, see <http://www.gnu.org/licenses/>.

data/app/models/concerns/foreman_vault/host_extensions.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module ForemanVault
+  module HostExtensions
+    extend ActiveSupport::Concern
+
+    included do
+      include ForemanVault::Orchestration::VaultPolicy
+    end
+
+    def vault_policy
+      VaultPolicy.new(self)
+    end
+
+    def vault_auth_method
+      VaultAuthMethod.new(self)
+    end
+
+    def vault_connection
+      return unless vault_connection_name
+
+      ::VaultConnection.find_by(name: vault_connection_name)
+    end
+
+    private
+
+    def vault_connection_name
+      params['vault_connection'] || Setting['vault_connection']
+    end
+  end
+end

data/app/models/concerns/foreman_vault/orchestration/vault_policy.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module ForemanVault
+  module Orchestration
+    module VaultPolicy
+      extend ActiveSupport::Concern
+
+      MAGIC_COMMENT_PREFIX = '# NAME: '
+
+      included do
+        after_validation :queue_vault_push
+        before_destroy :queue_vault_destroy
+      end
+
+      protected
+
+      def queue_vault_push
+        return if !managed? || errors.any?
+        return unless vault_policy.valid?
+        return unless vault_auth_method.valid?
+
+        queue.create(name: _('Push %s data to Vault') % self, priority: 100,
+                     action: [self, :set_vault])
+      end
+
+      def queue_vault_destroy
+        return if !managed? || errors.any?
+
+        queue.create(name: _('Clear %s Vault data') % self, priority: 60,
+                     action: [self, :del_vault])
+      end
+
+      # rubocop:disable Metrics/AbcSize
+      def set_vault
+        logger.info "Pushing #{name} data to Vault"
+
+        vault_policy.save if vault_policy.new?
+
+        if vault_auth_method.name != old&.vault_auth_method&.name
+          old&.vault_auth_method&.delete
+          vault_auth_method.save
+        end
+      rescue StandardError => e
+        Foreman::Logging.exception("Failed to push #{name} data to Vault.", e)
+        failure format(_('Failed to push %{name} data to Vault: %{message}\n '), name: name, message: e.message), e
+      end
+      # rubocop:enable Metrics/AbcSize
+
+      def del_vault
+        logger.info "Clearing #{name} Vault data"
+
+        vault_auth_method&.delete
+      rescue StandardError => e
+        Foreman::Logging.exception("Failed to clear #{name} Vault data", e)
+        failure format(_("Failed to clear %{name} Vault data: %{message}\n "), name: name, message: e.message), e
+      end
+    end
+  end
+end

data/app/models/setting/vault.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+class Setting
+  class Vault < ::Setting
+    BLANK_ATTRS << 'vault_connection'
+    BLANK_ATTRS << 'vault_policy_template'
+
+    def self.default_settings
+      [set_vault_connection, set_vault_policy_template]
+    end
+
+    def self.load_defaults
+      # Check the table exists
+      return unless super
+
+      transaction do
+        default_settings.each { |s| create! s.update(category: 'Setting::Vault') }
+      end
+
+      true
+    end
+
+    def self.humanized_category
+      N_('Vault')
+    end
+
+    class << self
+      private
+
+      def set_vault_connection
+        set(
+          'vault_connection',
+          N_('Default Vault Connection that can be override using parameters'),
+          default_vault_connection,
+          N_('Default Vault Connection'),
+          nil,
+          collection: vault_connections_collection,
+          include_blank: _('Select Vault Connection')
+        )
+      end
+
+      def default_vault_connection
+        return unless VaultConnection.unscoped.count == 1
+
+        VaultConnection.unscoped.first.name
+      end
+
+      def vault_connections_collection
+        proc { Hash[VaultConnection.unscoped.all.map { |vc| [vc.name, vc.name] }] }
+      end
+
+      def set_vault_policy_template
+        set(
+          'vault_policy_template',
+          N_('The name of the ProvisioningTemplate that will be used for Vault Policy'),
+          default_vault_policy_template,
+          N_('Vault Policy template name'),
+          nil,
+          collection: vault_policy_templates_collection,
+          include_blank: _('Select Template')
+        )
+      end
+
+      def default_vault_policy_template
+        ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name
+      end
+
+      def vault_policy_templates_collection
+        proc { Hash[ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).map { |tmpl| [tmpl.name, tmpl.name] }] }
+      end
+    end
+  end
+end

data/app/models/vault_connection.rb

@@ -13,7 +13,9 @@ class VaultConnection < ApplicationRecord
 
   scope :with_valid_token, -> { where(vault_error: nil).where('expire_time > ?', Time.zone.now) }
 
-  delegate :fetch_expire_time, :fetch_secret, :issue_certificate, to: :client
+  delegate :fetch_expire_time, :fetch_secret, :issue_certificate,
+           :policy, :policies, :put_policy, :delete_policy,
+           :set_certificate, :certificates, :delete_certificate, to: :client
 
   def token_valid?
     vault_error.nil? && expire_time && expire_time > Time.zone.now

data/app/services/foreman_vault/vault_auth_method.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module ForemanVault
+  class VaultAuthMethod
+    def initialize(host)
+      @host = host
+    end
+
+    def valid?
+      name.present? && options[:certificate].present?
+    end
+
+    def name
+      return if !host || !vault_policy_name
+
+      [host, vault_policy_name].join('-').parameterize
+    end
+
+    def save
+      return false unless valid?
+
+      set_certificate(name, options)
+    end
+
+    def delete
+      return false unless name
+
+      delete_certificate(name)
+    end
+
+    private
+
+    attr_reader :host
+    delegate :vault_policy, :vault_connection, :fqdn, to: :host
+    delegate :name, to: :vault_policy, prefix: true
+    delegate :set_certificate, :delete_certificate, to: :vault_connection
+
+    def options
+      {
+        certificate: certificate,
+        token_policies: vault_policy_name,
+        allowed_common_names: allowed_common_names
+      }
+    end
+
+    def allowed_common_names
+      [fqdn].compact
+    end
+
+    def certificate
+      return unless Setting['ssl_ca_file']
+
+      File.read(Setting['ssl_ca_file'])
+    rescue Errno::ENOENT
+      nil
+    end
+  end
+end

data/app/services/foreman_vault/vault_client.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'vault'
-
 module ForemanVault
   class VaultClient
     def initialize(base_url, token)
@@ -9,6 +7,10 @@ module ForemanVault
       @token = token
     end
 
+    delegate :sys, :auth_tls, to: :client
+    delegate :policy, :policies, :put_policy, :delete_policy, to: :sys
+    delegate :certificate, :certificates, :set_certificate, :delete_certificate, to: :auth_tls
+
     def fetch_expire_time
       response = client.auth_token.lookup_self
       Time.zone.parse(response.data[:expire_time])

data/app/services/foreman_vault/vault_policy.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module ForemanVault
+  class VaultPolicy
+    MAGIC_COMMENT_NAME_PREFIX = '# NAME: '
+
+    def initialize(host)
+      @host = host
+    end
+
+    def valid?
+      name.present? && rules.present?
+    end
+
+    def name
+      magic_comment_name&.chomp&.remove(MAGIC_COMMENT_NAME_PREFIX)&.parameterize
+    end
+
+    def new?
+      return unless name
+
+      policies.index(name).nil?
+    end
+
+    def save
+      return false unless valid?
+
+      put_policy(name, rules)
+    end
+
+    def delete
+      return false unless name
+
+      delete_policy(name)
+    end
+
+    private
+
+    attr_reader :host
+    delegate :params, :render_template, :vault_connection, to: :host
+    delegate :policy, :policies, :put_policy, :delete_policy, to: :vault_connection
+
+    def rules
+      rendered&.remove(magic_comment_name)
+              &.lines
+              &.reject { |l| l.strip.empty? }
+              &.join
+              &.presence
+    end
+
+    def magic_comment_name
+      rendered&.lines&.find { |l| l.start_with?(MAGIC_COMMENT_NAME_PREFIX) }
+    end
+
+    def rendered
+      return unless template
+
+      render_template(template: template)
+    end
+
+    def template
+      ::ProvisioningTemplate.find_by(name: Setting['vault_policy_template'])
+    end
+  end
+end

data/app/views/unattended/provisioning_templates/VaultPolicy/default.erb

@@ -0,0 +1,6 @@
+# NAME: <%= @host.owner %>-<%= @host.environment %>
+
+# allow access to secrets from puppet hosts from <foreman_owner>-<puppet_environment>
+path "secrets/data/<%= @host.owner %>/<%= @host.environment %>/*" {
+    capabilities = ["create", "read", "update"]
+}

data/db/seeds.d/103-provisioning_templates.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+User.as_anonymous_admin do
+  templates = [
+    {
+      name: 'Default Vault Policy',
+      source: 'VaultPolicy/default.erb',
+      template_kind: TemplateKind.find_or_create_by(name: 'VaultPolicy')
+    }
+  ]
+
+  templates.each do |template|
+    template[:contents] = File.read(File.join(ForemanVault::Engine.root, 'app/views/unattended/provisioning_templates', template[:source]))
+
+    ProvisioningTemplate.where(name: template[:name]).first_or_create do |pt|
+      pt.vendor = 'ForemanVault'
+      pt.default = true
+      pt.locked = true
+      pt.name = template[:name]
+      pt.template = template[:contents]
+      pt.template_kind = template[:template_kind] if template[:template_kind]
+      pt.snippet = template[:snippet] if template[:snippet]
+    end
+  end
+end

data/lib/foreman_vault/engine.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'vault'
+
 module ForemanVault
   class Engine < ::Rails::Engine
     engine_name 'foreman_vault'
@@ -10,6 +12,14 @@ module ForemanVault
     config.autoload_paths += Dir["#{config.root}/app/lib"]
     config.autoload_paths += Dir["#{config.root}/app/jobs"]
 
+    initializer 'foreman_vault.load_default_settings', before: :load_config_initializers do
+      require_dependency File.expand_path('../../app/models/setting/vault.rb', __dir__) if begin
+                                                                                             Setting.table_exists?
+                                                                                           rescue StandardError
+                                                                                             (false)
+                                                                                           end
+    end
+
     # Add any db migrations
     initializer 'foreman_vault.load_app_instance_data' do |app|
       ForemanVault::Engine.paths['db/migrate'].existent.each do |path|
@@ -44,8 +54,9 @@ module ForemanVault
 
     config.to_prepare do
       begin
-        Foreman::Renderer::Scope::Base.include(ForemanVault::Macros)
-        Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret, :vault_issue_certificate] }
+        ::Host::Managed.include(ForemanVault::HostExtensions)
+        ::Foreman::Renderer::Scope::Base.include(ForemanVault::Macros)
+        ::Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret, :vault_issue_certificate] }
       rescue StandardError => e
         Rails.logger.warn "ForemanVault: skipping engine hook (#{e})"
       end

data/lib/foreman_vault/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ForemanVault
-  VERSION = '0.1.0'
+  VERSION = '0.2.0'
 end

data/test/factories/vault_policy_template.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+FactoryBot.modify do
+  factory :provisioning_template do
+    trait :vault_policy do
+      name { Setting['vault_policy_template'] || 'Default Vault Policy' }
+      template { File.read(File.join(ForemanVault::Engine.root, 'app/views/unattended/provisioning_templates/VaultPolicy/default.erb')) }
+    end
+  end
+end

data/test/factories/vault_setting.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+FactoryBot.modify do
+  factory :setting do
+    trait :vault_policy do
+      name { 'vault_policy_template' }
+      value { 'Default Vault Policy' }
+    end
+  end
+end

data/test/fixtures/ca.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmgCCQDSQhCJzHnXejANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMC
+cGwxDjAMBgNVBAgMBXN0YXRlMQ0wCwYDVQQHDARjaXR5MRAwDgYDVQQKDAdjb21w
+YW55MRAwDgYDVQQLDAdzZWN0aW9uMQ0wCwYDVQQDDARob3N0MSAwHgYJKoZIhvcN
+AQkBFhFlbWFpbEBleGFtcGxlLmNvbTAeFw0yMDA0MjkxMzQ1MjdaFw0yMzAyMTcx
+MzQ1MjdaMIGBMQswCQYDVQQGEwJwbDEOMAwGA1UECAwFc3RhdGUxDTALBgNVBAcM
+BGNpdHkxEDAOBgNVBAoMB2NvbXBhbnkxEDAOBgNVBAsMB3NlY3Rpb24xDTALBgNV
+BAMMBGhvc3QxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4YW1wbGUuY29tMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzQxWM6dJbtdDrIUvG5SBp8XadSst
+D5Lu/WBwazdiRQI6mF6bOrAviZUJVoN0sFphZHjQpzTkxS9N929fdChBB7fjrP7b
+vydvcbc8eH+HhK5tYzOjhjw/K2WHriNlSY7tD/Au8ZBkM7PYSM7411GG4Ubxh60+
+vamBX8rdAp5wEVKWHabdFswqtNbnmFWa00gMRA44ZMoBA5KdDCNnVA+wiA1hSLYl
+SdSPrKRmYw5gRul7h8lilrvf04Df87NEtRFMjuaHcxrIklVJZMsZ1Mvw5VhlpV3f
+q1kMGG3wXyeTAOlMDPEFXJ4gs8ZIEqS1T1gfCUF4w/rSDQ0u49WBu2TstQIDAQAB
+MA0GCSqGSIb3DQEBCwUAA4IBAQBBsovBY2r1+PXJhGTOXvZUMqz+IN/AKi52GIwC
+dPmVOhFTaztL1LbRTKgtg1cyQGmIdZ8skHGFKVAkESPa1dHu+E5uGs+rFEI1A+KA
+xKIN2dNXFUEnKDEywcjZhilDHeKqthf1gkcJwkMgv5+DczOtZvtsu7tDF2kcyedw
+6/A+0GJVG7S72VaL5hcfgglmGXNT5BRjLAWV6ZPViXWSJj43oXLGqqwHWhRBs+d6
+0+0kNukYjyPLVSLpFpj/DvxvPjQWoDTVzMeT7iTtahd4S9FGPZuHXG2yxnTjCycH
+jHNvGHXHfYJCJ10RxaeyP1Dz9qG9hH0GiiCCYAuPnf6Eu1qO
+-----END CERTIFICATE-----

data/test/models/foreman_vault/orchestration/vault_policy_test.rb

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+module ForemanVault
+  module Orchestration
+    class VaultPolicyTest < ActiveSupport::TestCase
+      describe '#queue_vault_push' do
+        let(:host) { FactoryBot.create(:host, :managed) }
+        let(:queue) { mock('queue') }
+        let(:vault_policy) { mock('vault_policy') }
+        let(:vault_auth_method) { mock('vault_auth_method') }
+
+        setup do
+          host.stubs(:queue).returns(queue)
+          host.stubs(:vault_policy).returns(vault_policy)
+          host.stubs(:vault_auth_method).returns(vault_auth_method)
+        end
+
+        test 'should queue Vault orchestration' do
+          vault_policy.stubs(:valid?).returns(true)
+          vault_auth_method.stubs(:valid?).returns(true)
+
+          queue.expects(:create).with(
+            name: "Push #{host} data to Vault",
+            priority: 100,
+            action: [host, :set_vault]
+          ).once
+          host.send(:queue_vault_push)
+        end
+
+        context 'when vault_policy is not valid' do
+          test 'should not queue Vault orchestration' do
+            vault_auth_method.stubs(:valid?).returns(true)
+
+            vault_policy.expects(:valid?).returns(false)
+            queue.expects(:create).never
+            host.send(:queue_vault_push)
+          end
+        end
+
+        context 'when vault_auth_method is not valid' do
+          test 'should not queue Vault orchestration' do
+            vault_policy.stubs(:valid?).returns(true)
+
+            vault_auth_method.expects(:valid?).returns(false)
+            queue.expects(:create).never
+            host.send(:queue_vault_push)
+          end
+        end
+      end
+
+      describe '#set_vault' do
+        let(:environment) { FactoryBot.create(:environment, name: 'MyEnv') }
+        let(:host) { FactoryBot.create(:host, :managed, environment: environment) }
+        let(:vault_connection) { FactoryBot.create(:vault_connection, :without_callbacks) }
+        let(:new_owner) { FactoryBot.create(:usergroup, name: 'MyOwner') }
+
+        let(:vault_policies) { [] }
+        let(:get_policies_request) do
+          stub_request(:get, "#{vault_connection.url}/v1/sys/policy").to_return(
+            status: 200, headers: { 'Content-Type': 'application/json' },
+            body: { policies: vault_policies }.to_json
+          )
+        end
+
+        let(:new_policy_name) { "#{new_owner}-#{host.environment}".parameterize }
+        let(:put_policy_request) do
+          url = "#{vault_connection.url}/v1/sys/policy/#{new_policy_name}"
+          # rubocop:disable Metrics/LineLength
+          rules = "# allow access to secrets from puppet hosts from <foreman_owner>-<puppet_environment>\npath \"secrets/data/MyOwner/MyEnv/*\" {\n    capabilities = [\"create\", \"read\", \"update\"]\n}\n"
+          # rubocop:enable Metrics/LineLength
+          stub_request(:put, url).with(body: JSON.fast_generate(rules: rules)).to_return(status: 200)
+        end
+
+        let(:new_auth_method_name) { "#{host}-#{new_policy_name}".parameterize }
+        let(:post_auth_method_request) do
+          url = "#{vault_connection.url}/v1/auth/cert/certs/#{new_auth_method_name}"
+          stub_request(:post, url).with(
+            body: JSON.fast_generate(
+              certificate: host.vault_auth_method.send(:certificate),
+              token_policies: new_policy_name,
+              allowed_common_names: [host.fqdn]
+            )
+          ).to_return(status: 200)
+        end
+
+        let(:delete_old_auth_method_request) do
+          url = "#{vault_connection.url}/v1/auth/cert/certs/#{host.vault_auth_method.name}"
+          stub_request(:delete, url).to_return(status: 200)
+        end
+
+        setup do
+          Setting.find_by(name: 'ssl_ca_file').update(value: File.join(ForemanVault::Engine.root, 'test/fixtures/ca.crt'))
+          FactoryBot.create(:setting, :vault_policy)
+          FactoryBot.create(:provisioning_template, :vault_policy, name: Setting['vault_policy_template'])
+          FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
+          host.stubs(:skip_orchestration_for_testing?).returns(false)
+
+          get_policies_request
+          put_policy_request
+          post_auth_method_request
+          delete_old_auth_method_request
+
+          host.update(owner: new_owner)
+        end
+
+        it { assert_requested(post_auth_method_request) }
+        it { assert_requested(delete_old_auth_method_request) }
+
+        context 'when policy already exists on Vault' do
+          let(:vault_policies) { [new_policy_name] }
+
+          it { assert_not_requested(put_policy_request) }
+        end
+
+        context 'when policy does not exist on Vault' do
+          let(:vault_policies) { [] }
+
+          it { assert_requested(put_policy_request) }
+        end
+      end
+    end
+  end
+end

data/test/test_plugin_helper.rb

@@ -2,7 +2,6 @@
 
 # This calls the main test_helper in Foreman-core
 require 'test_helper'
-require 'vault'
 
 # Add plugin to FactoryBot's paths
 FactoryBot.definition_file_paths << File.join(File.dirname(__FILE__), 'factories')

data/test/unit/services/foreman_vault/vault_auth_method_test.rb

@@ -0,0 +1,130 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+class VaultAuthMethodTest < ActiveSupport::TestCase
+  subject { ForemanVault::VaultAuthMethod.new(host) }
+
+  let(:host) { FactoryBot.create(:host, :managed) }
+
+  describe '#name' do
+    context 'with host and vault_policy_name' do
+      setup do
+        subject.stubs(:vault_policy_name).returns('vault_policy_name')
+      end
+
+      it { assert_equal "#{host}-vault_policy_name".parameterize, subject.name }
+    end
+
+    context 'without host' do
+      setup do
+        subject.stubs(:host).returns(nil)
+        subject.stubs(:vault_policy_name).returns('vault_policy_name')
+      end
+
+      it { assert_nil subject.name }
+    end
+
+    context 'without vault_policy_name' do
+      setup do
+        subject.stubs(:vault_policy_name).returns(nil)
+      end
+
+      it { assert_nil subject.name }
+    end
+  end
+
+  describe 'valid?' do
+    context 'with name and certificate' do
+      setup do
+        subject.stubs(:name).returns('name')
+        subject.stubs(:certificate).returns('cert')
+      end
+
+      it { assert subject.valid? }
+    end
+
+    context 'without name' do
+      setup do
+        subject.stubs(:name).returns(nil)
+        subject.stubs(:certificate).returns('cert')
+      end
+
+      it { assert_not subject.valid? }
+    end
+
+    context 'without certificate' do
+      setup do
+        subject.stubs(:name).returns('name')
+        subject.stubs(:certificate).returns(nil)
+      end
+
+      it { assert_not subject.valid? }
+    end
+  end
+
+  describe '#save' do
+    context 'when valid' do
+      it 'creates auth method in the Vault' do
+        subject.stubs(:name).returns('name')
+        subject.stubs(:vault_policy_name).returns('vault_policy_name')
+        subject.stubs(:certificate).returns('cert')
+
+        subject.expects(:set_certificate).once.with(
+          'name',
+          certificate: 'cert',
+          token_policies: 'vault_policy_name',
+          allowed_common_names: [host.fqdn]
+        )
+        subject.save
+      end
+    end
+
+    context 'when not valid' do
+      it 'does not create auth method in the Vault' do
+        subject.stubs(:valid?).returns(false)
+
+        subject.expects(:set_certificate).never
+        subject.save
+      end
+    end
+  end
+
+  describe '#delete' do
+    context 'with name' do
+      it 'deletes Certificate' do
+        subject.stubs(:name).returns('name')
+
+        subject.expects(:delete_certificate).once.with(subject.name)
+        subject.delete
+      end
+    end
+
+    context 'without name' do
+      it 'does not delete Certificate' do
+        subject.stubs(:name).returns(nil)
+
+        subject.expects(:delete_certificate).never
+        subject.delete
+      end
+    end
+  end
+
+  describe '#certificate' do
+    setup do
+      Setting.find_by(name: 'ssl_ca_file').update(value: cert_path)
+    end
+
+    context 'when certificate file can be read' do
+      let(:cert_path) { File.join(ForemanVault::Engine.root, 'test/fixtures/ca.crt') }
+
+      it { assert_equal File.read(cert_path), subject.send(:certificate) }
+    end
+
+    context 'when certificate file cannot be read' do
+      let(:cert_path) { '/tmp/invalid.crt' }
+
+      it { assert_not subject.send(:certificate) }
+    end
+  end
+end

data/test/unit/services/foreman_vault/vault_policy_test.rb

@@ -0,0 +1,171 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+class VaultPolicyTest < ActiveSupport::TestCase
+  subject { ForemanVault::VaultPolicy.new(host) }
+
+  let(:host) { FactoryBot.create(:host, :managed) }
+
+  setup do
+    FactoryBot.create(:setting, name: 'vault_policy_template', value: 'Default Vault Policy')
+  end
+
+  describe 'valid?' do
+    context 'with name and rules' do
+      setup do
+        subject.stubs(:name).returns('name')
+        subject.stubs(:rules).returns('rules')
+      end
+
+      it { assert subject.valid? }
+    end
+
+    context 'without name' do
+      setup do
+        subject.stubs(:name).returns(nil)
+        subject.stubs(:rules).returns('rules')
+      end
+
+      it { assert_not subject.valid? }
+    end
+
+    context 'without rules' do
+      setup do
+        subject.stubs(:name).returns('name')
+        subject.stubs(:rules).returns(nil)
+      end
+
+      it { assert_not subject.valid? }
+    end
+  end
+
+  describe '#name' do
+    context 'without corresponding Vault Policy template' do
+      it { assert_nil subject.name }
+    end
+
+    context 'with corresponding Vault Policy template' do
+      setup do
+        FactoryBot.create(:provisioning_template, :vault_policy, template: template)
+      end
+
+      let(:template) { '# NAME: <%= @host.name %>' }
+
+      it { assert_equal host.name.parameterize, subject.name }
+
+      context 'when name is empty' do
+        let(:template) { '# NAME:' }
+
+        it { assert_nil subject.name }
+      end
+
+      context 'when there is no name magic comment' do
+        let(:template) { '# BLAH:' }
+
+        it { assert_nil subject.name }
+      end
+    end
+  end
+
+  describe '#new?' do
+    setup do
+      FactoryBot.create(:provisioning_template, :vault_policy)
+    end
+
+    context 'policy already exists in the Vault' do
+      setup do
+        subject.stubs(:policies).returns([subject.name])
+      end
+
+      it { assert_not subject.new? }
+    end
+
+    context 'policy does not exist in the Vault' do
+      setup do
+        subject.stubs(:policies).returns([])
+      end
+
+      it { assert subject.new? }
+    end
+  end
+
+  describe '#save' do
+    context 'when valid' do
+      it 'creates Vault Policy' do
+        subject.stubs(:name).returns('name')
+        subject.stubs(:rules).returns('rules')
+
+        subject.expects(:put_policy).once.with(subject.name, subject.send(:rules))
+        subject.save
+      end
+    end
+
+    context 'when not valid' do
+      it 'does not create Vault Policy' do
+        subject.stubs(:valid?).returns(false)
+
+        subject.expects(:set_certificate).never
+        subject.save
+      end
+    end
+  end
+
+  describe '#delete' do
+    context 'with name' do
+      it 'deletes Vault Policy' do
+        subject.stubs(:name).returns('name')
+
+        subject.expects(:delete_policy).once.with(subject.name)
+        subject.delete
+      end
+    end
+
+    context 'without name' do
+      it 'does not delete Vault Policy' do
+        subject.stubs(:name).returns(nil)
+
+        subject.expects(:delete_policy).never
+        subject.delete
+      end
+    end
+  end
+
+  describe '#rules' do
+    context 'without corresponding Vault Policy template' do
+      it { assert_nil subject.send(:rules) }
+    end
+
+    context 'with corresponding Vault Policy template' do
+      let(:rules) { 'path "secrets/data/*" { capabilities = ["create", "read", "update"] }' }
+
+      setup do
+        FactoryBot.create(:provisioning_template, :vault_policy, template: template)
+      end
+
+      let(:template) do
+        <<~TEMPLATE
+          # NAME: <%= @host.name %>
+
+          #{rules}
+        TEMPLATE
+      end
+
+      it { assert_equal "#{rules}\n", subject.send(:rules) }
+
+      context 'when Vault Policy template renders empty' do
+        let(:template) do
+          <<~TEMPLATE
+            # NAME: <%= @host.name %>
+
+            <% if false %>
+              #{rules}
+            <% end %>
+          TEMPLATE
+        end
+
+        it { assert_nil subject.send(:rules) }
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_vault
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - dmTECH GmbH
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-02 00:00:00.000000000 Z
+date: 2020-06-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: vault
@@ -68,14 +68,20 @@ files:
 - app/jobs/refresh_vault_token.rb
 - app/jobs/refresh_vault_tokens.rb
 - app/lib/foreman_vault/macros.rb
+- app/models/concerns/foreman_vault/host_extensions.rb
+- app/models/concerns/foreman_vault/orchestration/vault_policy.rb
+- app/models/setting/vault.rb
 - app/models/vault_connection.rb
+- app/services/foreman_vault/vault_auth_method.rb
 - app/services/foreman_vault/vault_client.rb
+- app/services/foreman_vault/vault_policy.rb
 - app/views/api/v2/vault_connections/base.json.rabl
 - app/views/api/v2/vault_connections/create.json.rabl
 - app/views/api/v2/vault_connections/index.json.rabl
 - app/views/api/v2/vault_connections/main.json.rabl
 - app/views/api/v2/vault_connections/show.json.rabl
 - app/views/api/v2/vault_connections/update.json.rabl
+- app/views/unattended/provisioning_templates/VaultPolicy/default.erb
 - app/views/vault_connections/_form.html.erb
 - app/views/vault_connections/edit.html.erb
 - app/views/vault_connections/index.html.erb
@@ -85,6 +91,7 @@ files:
 - config/routes.rb
 - db/migrate/20180725072913_create_vault_connection.foreman_vault.rb
 - db/migrate/20180809172407_rename_vault_status_to_vault_error.foreman_vault.rb
+- db/seeds.d/103-provisioning_templates.rb
 - lib/foreman_vault.rb
 - lib/foreman_vault/engine.rb
 - lib/foreman_vault/version.rb
@@ -93,14 +100,20 @@ files:
 - locale/en/foreman_vault.po
 - locale/foreman_vault.pot
 - locale/gemspec.rb
-- test/factories/foreman_vault_factories.rb
+- test/factories/vault_connection.rb
+- test/factories/vault_policy_template.rb
+- test/factories/vault_setting.rb
+- test/fixtures/ca.crt
 - test/functional/api/v2/vault_connections_controller_test.rb
 - test/jobs/refresh_vault_token_test.rb
 - test/jobs/refresh_vault_tokens_test.rb
+- test/models/foreman_vault/orchestration/vault_policy_test.rb
 - test/models/vault_connection_test.rb
 - test/test_plugin_helper.rb
 - test/unit/lib/foreman_vault/macros_test.rb
+- test/unit/services/foreman_vault/vault_auth_method_test.rb
 - test/unit/services/foreman_vault/vault_client_test.rb
+- test/unit/services/foreman_vault/vault_policy_test.rb
 homepage: https://github.com/dm-drogeriemarkt/foreman_vault
 licenses:
 - GPL-3.0
@@ -120,16 +133,21 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6.2
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Adds support for using credentials from Hashicorp Vault
 test_files:
 - test/unit/lib/foreman_vault/macros_test.rb
 - test/unit/services/foreman_vault/vault_client_test.rb
+- test/unit/services/foreman_vault/vault_policy_test.rb
+- test/unit/services/foreman_vault/vault_auth_method_test.rb
 - test/models/vault_connection_test.rb
-- test/factories/foreman_vault_factories.rb
+- test/models/foreman_vault/orchestration/vault_policy_test.rb
+- test/factories/vault_policy_template.rb
+- test/factories/vault_connection.rb
+- test/factories/vault_setting.rb
+- test/fixtures/ca.crt
 - test/test_plugin_helper.rb
 - test/jobs/refresh_vault_tokens_test.rb
 - test/jobs/refresh_vault_token_test.rb