foreman_vault 0.2.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a11fc63d2584b7fd9f4ad6b561cdbdd471503d3de307d4a77610094d67d26b62
-  data.tar.gz: 215b5f6e87ed318a16b7623bedccb25d17dd001ee73281f144b6726a44aee28b
+  metadata.gz: 39553e728b4ff3661a8b0fc008ee0959e5fdbba5f915a9f7f9d09bdd24d9d65a
+  data.tar.gz: 34b06a3ffc2cfdd6055356c4af15e91bb7d94de7954983d0becc20881c85fef3
 SHA512:
-  metadata.gz: b73b1a230f9982752e8ede2a38b2afd1a071a7ca397fe5f518d6447dbd30ca4f94efcbf29d4c39430cb8f8bf5b9508d9c4edd542aead2ebde60d00e82f889833
-  data.tar.gz: 3b85d123010e4ff958ed12885792b759cddd81b550c4f3cc287cce45b38881ea6589e700caa99751f0f0baf79002a89c2089f5a5784b23d6dafbf3509dc938cd
+  metadata.gz: 04fe38f150fb63017eeb3803c14ea02fe6eb557a8a51d13f7f089bc4a7e5ca12f08182ede2c642e5dd6b47d5ab53e5adcc80e45117ad714ad6154cec2df486de
+  data.tar.gz: d6ecb38160b4180a137a6db4f0d9e7fa6e9e14d32ebc5e98cae09a92f18997946bacc548adc4a55f7e19107ae6f2fcdbe7e43ab5a540b0d96706239dd81aa462

data/README.md

@@ -18,11 +18,20 @@ Auth methods also get deleted after the host is removed from Foreman.
 
 This allows Foreman to create everything needed to access Hashicorp Vault directly from a VM using it's Puppet certificate (e.g. for _Deferred functions_ in Puppet or other CLI tools).
 
+## Compatibility
+
+| Foreman Version | Plugin Version |
+| --------------- | -------------- |
+| >= 2.3          | ~> 1.0         |
+| >= 1.23         | ~> 0.3, ~> 0.4 |
+| >= 1.20         | ~> 0.2         |
+
 ## Requirements
 
 - Foreman >= 1.20
 - Working Vault instance
   - with _cert_ auth enabled
+  - with _approle_ auth enabled
   - with _kv_ secret store enabled
 - valid Vault Token
 
@@ -41,6 +50,27 @@ $ vault token create -period=60m
 [...]
 ```
 
+To interact with Vault you can use Vault UI, which is available at `http://127.0.0.1:8200/ui`.
+
+- The AppRole auth method
+
+```
+$ vault auth enable approle
+$ vault write auth/approle/role/my-role policies="default"
+Success! Data written to: auth/approle/role/my-role
+$ vault read auth/approle/role/my-role/role-id
+Key        Value
+---        -----
+role_id    8403910c-e563-d2f2-1c77-6e26319be8b5
+$ vault write -f auth/approle/role/my-role/secret-id
+Key                   Value
+---                   -----
+secret_id             1058434b-b4aa-bf5a-b376-a15d9efb1059
+secret_id_accessor    9cc19ed7-201f-7438-782e-561edd12b2a8
+```
+
+See also [Vault CLI testing AppRole](https://gist.github.com/kamils-iRonin/d099908eaf0500de8ad9c2cea5658d01)
+
 ## Installation
 
 See [Plugins install instructions](https://theforeman.org/plugins/) for how to install Foreman plugins.

data/app/controllers/concerns/foreman_vault/controller/parameters/vault_connection.rb

@@ -9,7 +9,7 @@ module ForemanVault
         class_methods do
           def vault_connection_params_filter
             Foreman::ParameterFilter.new(::VaultConnection).tap do |filter|
-              filter.permit :name, :url, :token
+              filter.permit :name, :url, :token, :role_id, :secret_id
             end
           end
         end

data/app/lib/foreman_vault/macros.rb

@@ -4,7 +4,7 @@ module ForemanVault
   module Macros
     def vault_secret(vault_connection_name, secret_path)
       vault = VaultConnection.find_by!(name: vault_connection_name)
-      raise VaultError.new(N_('Invalid token for %s'), vault.name) unless vault.token_valid?
+      raise VaultError.new(N_('Invalid token for %s'), vault.name) if vault.with_token? && !vault.token_valid?
 
       vault.fetch_secret(secret_path)
     rescue ActiveRecord::RecordNotFound => e
@@ -13,7 +13,7 @@ module ForemanVault
 
     def vault_issue_certificate(vault_connection_name, secret_path, *options)
       vault = VaultConnection.find_by!(name: vault_connection_name)
-      raise VaultError.new(N_('Invalid token for %s'), vault.name) unless vault.token_valid?
+      raise VaultError.new(N_('Invalid token for %s'), vault.name) if vault.with_token? && !vault.token_valid?
       vault.issue_certificate(secret_path, *options)
     rescue ActiveRecord::RecordNotFound => e
       raise VaultError, e.message

data/app/models/concerns/foreman_vault/orchestration/vault_policy.rb

@@ -16,6 +16,7 @@ module ForemanVault
 
       def queue_vault_push
         return if !managed? || errors.any?
+        return unless orchestration_enabled?
         return unless vault_policy.valid?
         return unless vault_auth_method.valid?
 
@@ -25,6 +26,8 @@ module ForemanVault
 
       def queue_vault_destroy
         return if !managed? || errors.any?
+        return unless orchestration_enabled?
+        return unless vault_auth_method.valid?
 
         queue.create(name: _('Clear %s Vault data') % self, priority: 60,
                      action: [self, :del_vault])
@@ -35,11 +38,8 @@ module ForemanVault
         logger.info "Pushing #{name} data to Vault"
 
         vault_policy.save if vault_policy.new?
-
-        if vault_auth_method.name != old&.vault_auth_method&.name
-          old&.vault_auth_method&.delete
-          vault_auth_method.save
-        end
+        vault_auth_method.save
+        true
       rescue StandardError => e
         Foreman::Logging.exception("Failed to push #{name} data to Vault.", e)
         failure format(_('Failed to push %{name} data to Vault: %{message}\n '), name: name, message: e.message), e
@@ -54,6 +54,13 @@ module ForemanVault
         Foreman::Logging.exception("Failed to clear #{name} Vault data", e)
         failure format(_("Failed to clear %{name} Vault data: %{message}\n "), name: name, message: e.message), e
       end
+
+      def orchestration_enabled?
+        return false unless Setting[:vault_orchestration_enabled]
+        return false if vault_connection.nil?
+
+        true
+      end
     end
   end
 end

data/app/models/concerns/foreman_vault/provisioning_template_extensions.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module ForemanVault
+  module ProvisioningTemplateExtensions
+    extend ActiveSupport::Concern
+
+    # rubocop:disable Metrics/ParameterLists
+    def render(renderer: Foreman::Renderer, host: nil, params: {}, variables: {}, mode: Foreman::Renderer::REAL_MODE, template_input_values: {}, source_klass: nil)
+      source_klass = Foreman::Renderer::Source::Database if template_kind == TemplateKind.find_by(name: 'VaultPolicy')
+
+      super
+    end
+    # rubocop:enable Metrics/ParameterLists
+  end
+end

data/app/models/setting/vault.rb

@@ -6,19 +6,37 @@ class Setting
     BLANK_ATTRS << 'vault_policy_template'
 
     def self.default_settings
-      [set_vault_connection, set_vault_policy_template]
+      [set_vault_connection, set_vault_policy_template, set_vault_orchestration_enabled]
     end
 
+    # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
     def self.load_defaults
       # Check the table exists
       return unless super
 
       transaction do
-        default_settings.each { |s| create! s.update(category: 'Setting::Vault') }
+        default_settings.each do |s|
+          setting = create! s.update(category: 'Setting::Vault')
+
+          Foreman.try(:settings)&._add(
+            s[:name],
+            s.slice(:description, :default, :full_name, :encrypted)
+             .merge(category: 'Setting::Vault')
+             .yield_self do |params|
+               unless Gem::Version.new(SETTINGS[:version].notag) < Gem::Version.new('2.6')
+                 params[:context] = :vault
+                 params[:type] = setting.settings_type
+               end
+               params
+             end
+          )
+        end
       end
 
+      Foreman.try(:settings)&.load
       true
     end
+    # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
 
     def self.humanized_category
       N_('Vault')
@@ -40,12 +58,15 @@ class Setting
       end
 
       def default_vault_connection
+        return nil unless VaultConnection.table_exists?
         return unless VaultConnection.unscoped.count == 1
 
         VaultConnection.unscoped.first.name
       end
 
       def vault_connections_collection
+        return [] unless VaultConnection.table_exists?
+
         proc { Hash[VaultConnection.unscoped.all.map { |vc| [vc.name, vc.name] }] }
       end
 
@@ -68,6 +89,15 @@ class Setting
       def vault_policy_templates_collection
         proc { Hash[ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).map { |tmpl| [tmpl.name, tmpl.name] }] }
       end
+
+      def set_vault_orchestration_enabled
+        set(
+          'vault_orchestration_enabled',
+          N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
+          false,
+          N_('Vault Orchestration enabled')
+        )
+      end
     end
   end
 end

data/app/models/vault_connection.rb

@@ -5,20 +5,42 @@ class VaultConnection < ApplicationRecord
 
   validates_lengths_from_database
   validates :name, presence: true, uniqueness: true
-  validates :url, :token, presence: true
+  validates :url, presence: true
   validates :url, format: URI.regexp(['http', 'https'])
 
-  before_create :set_expire_time
-  before_update :update_expire_time
+  validates :token, presence: true, if: -> { role_id.nil? || secret_id.nil? }
+  validates :token, inclusion: { in: [nil], message: _('AppRole or token must be blank') }, unless: -> { role_id.nil? || secret_id.nil? }
+  validates :role_id, presence: true, if: -> { token.nil? }
+  validates :role_id, inclusion: { in: [nil], message: _('AppRole or token must be blank') }, unless: -> { token.nil? }
+  validates :secret_id, presence: true, if: -> { token.nil? }
+  validates :secret_id, inclusion: { in: [nil], message: _('AppRole or token must be blank') }, unless: -> { token.nil? }
 
-  scope :with_valid_token, -> { where(vault_error: nil).where('expire_time > ?', Time.zone.now) }
+  before_validation :normalize_blank_values
+  before_create :set_expire_time, unless: -> { token.nil? }
+  before_update :update_expire_time, unless: -> { token.nil? }
+
+  scope :with_approle, -> { where.not(role_id: nil).where.not(secret_id: nil) }
+  scope :with_token, -> { where.not(token: nil) }
+  scope :with_valid_token, -> { with_token.where(vault_error: nil).where('expire_time > ?', Time.zone.now) }
 
   delegate :fetch_expire_time, :fetch_secret, :issue_certificate,
            :policy, :policies, :put_policy, :delete_policy,
            :set_certificate, :certificates, :delete_certificate, to: :client
 
+  def with_token?
+    token.present?
+  end
+
+  def with_approle?
+    role_id.present? && secret_id.present?
+  end
+
   def token_valid?
-    vault_error.nil? && expire_time && expire_time > Time.zone.now
+    return false unless with_token?
+    return false unless vault_error.nil?
+    return true unless expire_time
+
+    expire_time > Time.zone.now
   end
 
   def renew_token!
@@ -52,7 +74,13 @@ class VaultConnection < ApplicationRecord
     self.vault_error = e.message
   end
 
+  def normalize_blank_values
+    attributes.each do |column, _value|
+      self[column].present? || self[column] = nil
+    end
+  end
+
   def client
-    @client ||= ForemanVault::VaultClient.new(url, token)
+    @client ||= ForemanVault::VaultClient.new(url, token, role_id, secret_id)
   end
 end

data/app/services/foreman_vault/vault_auth_method.rb

@@ -11,9 +11,9 @@ module ForemanVault
     end
 
     def name
-      return if !host || !vault_policy_name
+      return unless host
 
-      [host, vault_policy_name].join('-').parameterize
+      host.name.parameterize
     end
 
     def save
@@ -23,7 +23,7 @@ module ForemanVault
     end
 
     def delete
-      return false unless name
+      return false unless valid?
 
       delete_certificate(name)
     end

data/app/services/foreman_vault/vault_client.rb

@@ -2,9 +2,11 @@
 
 module ForemanVault
   class VaultClient
-    def initialize(base_url, token)
+    def initialize(base_url, token, role_id, secret_id)
       @base_url = base_url
       @token = token
+      @role_id = role_id
+      @secret_id = secret_id
     end
 
     delegate :sys, :auth_tls, to: :client
@@ -13,7 +15,8 @@ module ForemanVault
 
     def fetch_expire_time
       response = client.auth_token.lookup_self
-      Time.zone.parse(response.data[:expire_time])
+      expire_time = response.data[:expire_time]
+      expire_time && Time.zone.parse(expire_time)
     end
 
     def fetch_secret(secret_path)
@@ -38,10 +41,16 @@ module ForemanVault
     class VaultClientError < Foreman::Exception; end
     class NoDataError < VaultClientError; end
 
-    attr_reader :base_url, :token
+    attr_reader :base_url, :token, :role_id, :secret_id
 
     def client
-      @client ||= Vault::Client.new(address: base_url, token: token)
+      @client ||= if role_id.present? && secret_id.present?
+                    Vault::Client.new(address: base_url).tap do |client|
+                      client.auth.approle(role_id, secret_id)
+                    end
+                  else
+                    Vault::Client.new(address: base_url, token: token)
+                  end
     end
   end
 end

data/app/services/foreman_vault/vault_policy.rb

@@ -29,7 +29,7 @@ module ForemanVault
     end
 
     def delete
-      return false unless name
+      return false unless valid?
 
       delete_policy(name)
     end

data/app/views/unattended/provisioning_templates/VaultPolicy/default.erb

@@ -1,6 +1,6 @@
-# NAME: <%= @host.owner %>-<%= @host.environment %>
+# NAME: <%= @host.owner %>-<%= @host.name %>
 
-# allow access to secrets from puppet hosts from <foreman_owner>-<puppet_environment>
-path "secrets/data/<%= @host.owner %>/<%= @host.environment %>/*" {
+# allow access to secrets from puppet hosts from <foreman_owner>-<hostname>
+path "secrets/data/<%= @host.owner %>/<%= @host.name %>/*" {
     capabilities = ["create", "read", "update"]
 }

data/app/views/vault_connections/_form.html.erb

@@ -1,7 +1,23 @@
-<%= form_for @vault_connection, :url => (@vault_connection.new_record? ? vault_connections_path : vault_connection_path(:id => @vault_connection)) do |f| %>
+<%= form_for @vault_connection, url: (@vault_connection.new_record? ? vault_connections_path : vault_connection_path(id: @vault_connection)) do |f| %>
   <%= base_errors_for @vault_connection %>
-  <%= text_f f, :name, :help_inline => _("Vault Connection name") %>
-  <%= text_f f, :url, :help_inline => _("Vault Server url") %>
-  <%= text_f f, :token, :help_inline => _("Vault Connection token") %>
+  <%= text_f f, :name, help_inline: _("Vault Connection name") %>
+  <%= text_f f, :url, help_inline: _("Vault Server url") %>
+  <div class="auth_methods">
+    <h4><%=_("Auth Methods")%></h4>
+    <%= alert(text: _('Please only fill in one auth method'), class: 'alert-info', close: false) %>
+    <ul class="nav nav-tabs" data-tabs="tabs">
+      <li class="active"><a href="#approle" data-toggle="tab"><%= _('AppRole') %></a></li>
+      <li><a href="#token" data-toggle="tab"><%= _('Token') %></a></li>
+    </ul>
+    <div class="tab-content">
+      <div class="tab-pane active" id="approle">
+        <%= text_f f, :role_id, label: _("Role ID"), help_inline: _("Vault Connection Role ID") %>
+        <%= text_f f, :secret_id, label: _("Secret ID"), help_inline: _("Vault Connection Secret ID") %>
+      </div>
+      <div class="tab-pane" id="token">
+        <%= text_f f, :token, help_inline: _("Vault Connection token") %>
+      </div>
+    </div>
+  </div>
   <%= submit_or_cancel f %>
 <% end %>

data/app/views/vault_connections/index.html.erb

@@ -4,9 +4,11 @@
 <table class="<%= table_css_classes 'table-fixed' %>">
   <thead>
     <tr>
-      <th class="col-md-9"><%= sort :name, :as => s_('Vault Connections|Name') %></th>
-      <th class="col-md-1"><%= _('Valid') %></th>
-      <th class="col-md-1"><%= _('Expire time') %></th>
+      <th class="col-md-2"><%= sort :name, as: s_('Vault Connections|Name') %></th>
+      <th class="col-md-2"><%= _('URL') %></th>
+      <th class="col-md-2"><%= _('Role ID') %></th>
+      <th class="col-md-1"><%= _('Token Valid') %></th>
+      <th class="col-md-1"><%= _('Token Expire time') %></th>
       <th class="col-md-1"><%= _('Actions') %></th>
     </tr>
   </thead>
@@ -14,17 +16,29 @@
     <% @vault_connections.each do |vault_connection| %>
       <tr>
         <td class="ellipsis">
-          <%= link_to_if_authorized vault_connection.name, hash_for_edit_vault_connection_path(:id => vault_connection) %>
+          <%= link_to_if_authorized vault_connection.name, hash_for_edit_vault_connection_path(id: vault_connection) %>
+        </td>
+        <td class="ellipsis">
+          <code class="transparent"><%= vault_connection.url %></code>
+        </td>
+        <td class="ellipsis">
+          <% if vault_connection.with_approle? %>
+            <code class="transparent"><%= vault_connection.role_id %></code>
+          <% end %>
         </td>
         <td align='center'>
-          <% if vault_connection.token_valid? %>
+          <% vault_connection.with_token? && if vault_connection.token_valid? %>
             <%= ('<span class="glyphicon glyphicon-ok"/>').html_safe %>
           <% else %>
             <%= ('<span class="glyphicon glyphicon-remove" title="%s"/>' % vault_connection.vault_error).html_safe %>
           <% end %>
         </td>
-        <td><%= date_time_absolute(vault_connection.expire_time) %></td>
-        <td><%= action_buttons display_delete_if_authorized hash_for_vault_connection_path(:id => vault_connection), :data => { :confirm => _("Delete %s?") % vault_connection.name } %></td>
+        <td>
+          <% if vault_connection.with_token? %>
+            <%= date_time_absolute(vault_connection.expire_time) %>
+          <% end %>
+        </td>
+        <td><%= action_buttons display_delete_if_authorized hash_for_vault_connection_path(id: vault_connection), data: { confirm: _("Delete %s?") % vault_connection.name } %></td>
       </tr>
     <% end %>
   </tbody>

data/db/migrate/20201203220058_add_approle_to_vault_connection.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class AddApproleToVaultConnection < ActiveRecord::Migration[5.1]
+  def change
+    add_column :vault_connections, :role_id, :string
+    add_column :vault_connections, :secret_id, :string
+  end
+end

data/lib/foreman_vault/engine.rb

@@ -29,7 +29,7 @@ module ForemanVault
 
     initializer 'foreman_vault.register_plugin', before: :finisher_hook do |_app|
       Foreman::Plugin.register :foreman_vault do
-        requires_foreman '>= 1.20'
+        requires_foreman '>= 2.3'
 
         apipie_documented_controllers ["#{ForemanVault::Engine.root}/app/controllers/api/v2/*.rb"]
 
@@ -55,6 +55,7 @@ module ForemanVault
     config.to_prepare do
       begin
         ::Host::Managed.include(ForemanVault::HostExtensions)
+        ::ProvisioningTemplate.include(ForemanVault::ProvisioningTemplateExtensions)
         ::Foreman::Renderer::Scope::Base.include(ForemanVault::Macros)
         ::Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret, :vault_issue_certificate] }
       rescue StandardError => e

data/lib/foreman_vault/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ForemanVault
-  VERSION = '0.2.0'
+  VERSION = '1.1.0'
 end

data/lib/tasks/foreman_vault_tasks.rake

@@ -3,7 +3,50 @@
 require 'rake/testtask'
 
 # Tasks
-namespace :foreman_vault do
+namespace :foreman_vault do # rubocop:disable Metrics/BlockLength
+  namespace :auth_methods do
+    desc 'Push auth methods for all hosts to Vault'
+    task push: :environment do
+      User.as_anonymous_admin do
+        hosts = Host::Managed.where(managed: true)
+
+        hosts.each_with_index do |host, index|
+          begin
+            result = host.reload.vault_auth_method.save
+            if result
+              puts "[#{index + 1}/#{hosts.count}] Auth-Method of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
+            else
+              puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
+            end
+          rescue StandardError => err
+            puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{err}"
+          end
+        end
+      end
+    end
+  end
+
+  namespace :policies do
+    desc 'Push policies for all hosts to Vault'
+    task push: :environment do
+      User.as_anonymous_admin do
+        hosts = Host::Managed.where(managed: true)
+
+        hosts.each_with_index do |host, index|
+          begin
+            result = host.reload.vault_policy.save
+            if result
+              puts "[#{index + 1}/#{hosts.count}] Policy of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
+            else
+              puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
+            end
+          rescue StandardError => err
+            puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{err}"
+          end
+        end
+      end
+    end
+  end
 end
 
 # Tests

data/test/factories/vault_connection.rb

@@ -8,7 +8,7 @@ FactoryBot.define do
     expire_time { Time.zone.now + 1.year }
 
     trait :invalid do
-      expire_time { nil }
+      expire_time { Time.zone.now - 1.year }
     end
 
     trait :without_callbacks do

data/test/factories/vault_policy_template.rb

@@ -4,6 +4,7 @@ FactoryBot.modify do
   factory :provisioning_template do
     trait :vault_policy do
       name { Setting['vault_policy_template'] || 'Default Vault Policy' }
+      template_kind { TemplateKind.find_or_create_by(name: 'VaultPolicy') }
       template { File.read(File.join(ForemanVault::Engine.root, 'app/views/unattended/provisioning_templates/VaultPolicy/default.erb')) }
     end
   end

data/test/lib/tasks/push_auth_methods_test.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+require 'rake'
+
+module ForemanVault
+  class PushAuthMethodsTest < ActiveSupport::TestCase
+    TASK_NAME = 'foreman_vault:auth_methods:push'
+
+    let(:host) { FactoryBot.create(:host, :managed) }
+    let(:vault_connection) { FactoryBot.create(:vault_connection, :without_callbacks) }
+
+    setup do
+      Rake.application.rake_require 'tasks/foreman_vault_tasks'
+
+      Rake::Task.define_task(:environment)
+      Rake::Task[TASK_NAME].reenable
+
+      FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
+
+      ForemanVault::VaultAuthMethod.any_instance.stubs(:vault_policy_name).returns('vault_policy_name')
+      ForemanVault::VaultAuthMethod.any_instance.stubs(:certificate).returns('cert')
+
+      ForemanVault::VaultClient.any_instance.stubs(:set_certificate).returns(true)
+    end
+
+    it 'does successfully push auth methods' do
+      host
+
+      stdout, _stderr = capture_io do
+        Rake::Task[TASK_NAME].invoke
+      end
+
+      assert_match("[1/1] Auth-Method of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\"", stdout)
+    end
+
+    it 'does throw an error when host was deleted' do
+      host
+
+      Host::Managed.any_instance.stubs(:reload).raises(ActiveRecord::RecordNotFound)
+
+      stdout, _stderr = capture_io do
+        Rake::Task[TASK_NAME].invoke
+      end
+
+      assert_match("[1/1] Failed to push \"#{host.name}\"", stdout)
+    end
+  end
+end

data/test/lib/tasks/push_policies_test.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+require 'rake'
+
+module ForemanVault
+  class PushPoliciesTest < ActiveSupport::TestCase
+    TASK_NAME = 'foreman_vault:policies:push'
+
+    let(:host) { FactoryBot.create(:host, :managed) }
+    let(:vault_connection) { FactoryBot.create(:vault_connection, :without_callbacks) }
+
+    setup do
+      Rake.application.rake_require 'tasks/foreman_vault_tasks'
+
+      Rake::Task.define_task(:environment)
+      Rake::Task[TASK_NAME].reenable
+
+      FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
+
+      ForemanVault::VaultPolicy.any_instance.stubs(:name).returns('vault_policy_name')
+      ForemanVault::VaultPolicy.any_instance.stubs(:rules).returns('rules')
+
+      ForemanVault::VaultClient.any_instance.stubs(:put_policy).returns(true)
+    end
+
+    it 'does successfully push policies' do
+      host
+
+      stdout, _stderr = capture_io do
+        Rake::Task[TASK_NAME].invoke
+      end
+
+      assert_match("[1/1] Policy of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\"", stdout)
+    end
+
+    it 'does throw an error when host was deleted' do
+      host
+
+      Host::Managed.any_instance.stubs(:reload).raises(ActiveRecord::RecordNotFound)
+
+      stdout, _stderr = capture_io do
+        Rake::Task[TASK_NAME].invoke
+      end
+
+      assert_match("[1/1] Failed to push \"#{host.name}\"", stdout)
+    end
+  end
+end

data/test/models/foreman_vault/orchestration/vault_policy_test.rb

@@ -10,11 +10,18 @@ module ForemanVault
         let(:queue) { mock('queue') }
         let(:vault_policy) { mock('vault_policy') }
         let(:vault_auth_method) { mock('vault_auth_method') }
+        let(:vault_connection) { FactoryBot.create(:vault_connection, :without_callbacks) }
 
         setup do
           host.stubs(:queue).returns(queue)
           host.stubs(:vault_policy).returns(vault_policy)
           host.stubs(:vault_auth_method).returns(vault_auth_method)
+          FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
+          if Setting.find_by(name: 'vault_orchestration_enabled')
+            Setting['vault_orchestration_enabled'] = true
+          else
+            FactoryBot.create(:setting, name: :vault_orchestration_enabled, value: true)
+          end
         end
 
         test 'should queue Vault orchestration' do
@@ -50,9 +57,50 @@ module ForemanVault
         end
       end
 
+      describe '#queue_vault_destroy' do
+        let(:host) { FactoryBot.create(:host, :managed) }
+        let(:queue) { mock('queue') }
+        let(:vault_policy) { mock('vault_policy') }
+        let(:vault_auth_method) { mock('vault_auth_method') }
+        let(:vault_connection) { FactoryBot.create(:vault_connection, :without_callbacks) }
+
+        setup do
+          host.stubs(:queue).returns(queue)
+          host.stubs(:vault_policy).returns(vault_policy)
+          host.stubs(:vault_auth_method).returns(vault_auth_method)
+          FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
+          if Setting.find_by(name: 'vault_orchestration_enabled')
+            Setting['vault_orchestration_enabled'] = true
+          else
+            FactoryBot.create(:setting, name: :vault_orchestration_enabled, value: true)
+          end
+        end
+
+        context 'when auth_method is valid' do
+          test 'should queue del_vault' do
+            vault_auth_method.stubs(:valid?).returns(true)
+
+            queue.expects(:create).with(
+              name: "Clear #{host} Vault data",
+              priority: 60,
+              action: [host, :del_vault]
+            ).once
+            host.send(:queue_vault_destroy)
+          end
+        end
+
+        context 'when auth_method is not valid' do
+          test 'should not queue del_vault' do
+            vault_auth_method.stubs(:valid?).returns(false)
+
+            queue.expects(:create).never
+            host.send(:queue_vault_destroy)
+          end
+        end
+      end
+
       describe '#set_vault' do
-        let(:environment) { FactoryBot.create(:environment, name: 'MyEnv') }
-        let(:host) { FactoryBot.create(:host, :managed, environment: environment) }
+        let(:host) { FactoryBot.create(:host, :managed) }
         let(:vault_connection) { FactoryBot.create(:vault_connection, :without_callbacks) }
         let(:new_owner) { FactoryBot.create(:usergroup, name: 'MyOwner') }
 
@@ -64,16 +112,16 @@ module ForemanVault
           )
         end
 
-        let(:new_policy_name) { "#{new_owner}-#{host.environment}".parameterize }
+        let(:new_policy_name) { "#{new_owner}-#{host.name}".parameterize }
         let(:put_policy_request) do
           url = "#{vault_connection.url}/v1/sys/policy/#{new_policy_name}"
           # rubocop:disable Metrics/LineLength
-          rules = "# allow access to secrets from puppet hosts from <foreman_owner>-<puppet_environment>\npath \"secrets/data/MyOwner/MyEnv/*\" {\n    capabilities = [\"create\", \"read\", \"update\"]\n}\n"
+          rules = "# allow access to secrets from puppet hosts from <foreman_owner>-<hostname>\npath \"secrets/data/MyOwner/#{host.name}/*\" {\n    capabilities = [\"create\", \"read\", \"update\"]\n}\n"
           # rubocop:enable Metrics/LineLength
           stub_request(:put, url).with(body: JSON.fast_generate(rules: rules)).to_return(status: 200)
         end
 
-        let(:new_auth_method_name) { "#{host}-#{new_policy_name}".parameterize }
+        let(:new_auth_method_name) { host.name.parameterize }
         let(:post_auth_method_request) do
           url = "#{vault_connection.url}/v1/auth/cert/certs/#{new_auth_method_name}"
           stub_request(:post, url).with(
@@ -85,14 +133,23 @@ module ForemanVault
           ).to_return(status: 200)
         end
 
-        let(:delete_old_auth_method_request) do
+        let(:override_old_auth_method_request) do
           url = "#{vault_connection.url}/v1/auth/cert/certs/#{host.vault_auth_method.name}"
           stub_request(:delete, url).to_return(status: 200)
         end
 
         setup do
           Setting.find_by(name: 'ssl_ca_file').update(value: File.join(ForemanVault::Engine.root, 'test/fixtures/ca.crt'))
-          FactoryBot.create(:setting, :vault_policy)
+          if Setting.find_by(name: 'vault_orchestration_enabled')
+            Setting['vault_orchestration_enabled'] = true
+          else
+            FactoryBot.create(:setting, name: :vault_orchestration_enabled, value: true)
+          end
+          if Setting.find_by(name: 'vault_policy_template')
+            Setting['vault_policy_template'] = 'Default Vault Policy'
+          else
+            FactoryBot.create(:setting, :vault_policy)
+          end
           FactoryBot.create(:provisioning_template, :vault_policy, name: Setting['vault_policy_template'])
           FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
           host.stubs(:skip_orchestration_for_testing?).returns(false)
@@ -100,13 +157,11 @@ module ForemanVault
           get_policies_request
           put_policy_request
           post_auth_method_request
-          delete_old_auth_method_request
 
           host.update(owner: new_owner)
         end
 
         it { assert_requested(post_auth_method_request) }
-        it { assert_requested(delete_old_auth_method_request) }
 
         context 'when policy already exists on Vault' do
           let(:vault_policies) { [new_policy_name] }

data/test/models/vault_policy_template_test.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+class VaultPolicyTemplateTest < ActiveSupport::TestCase
+  let(:host) { FactoryBot.create(:host, :managed) }
+  let(:template) { FactoryBot.create(:provisioning_template, :vault_policy) }
+
+  it 'is rendered from a database' do
+    Foreman::Renderer.expects(:get_source).with(has_entry(klass: Foreman::Renderer::Source::Database))
+    Foreman::Renderer.stubs(:get_scope)
+    Foreman::Renderer.stubs(:render)
+
+    template.render
+  end
+
+  test 'render in default mode' do
+    assert_nothing_raised { template.render(host: host) }
+  end
+
+  test 'render in safe mode' do
+    assert_nothing_raised { template.render(renderer: Foreman::Renderer::SafeModeRenderer, host: host) }
+  end
+
+  test 'render in unsafe mode' do
+    assert_nothing_raised { template.render(renderer: Foreman::Renderer::UnsafeModeRenderer, host: host) }
+  end
+end

data/test/unit/services/foreman_vault/vault_auth_method_test.rb

@@ -8,26 +8,13 @@ class VaultAuthMethodTest < ActiveSupport::TestCase
   let(:host) { FactoryBot.create(:host, :managed) }
 
   describe '#name' do
-    context 'with host and vault_policy_name' do
-      setup do
-        subject.stubs(:vault_policy_name).returns('vault_policy_name')
-      end
-
-      it { assert_equal "#{host}-vault_policy_name".parameterize, subject.name }
+    context 'with host' do
+      it { assert_equal host.name.parameterize, subject.name }
     end
 
     context 'without host' do
       setup do
         subject.stubs(:host).returns(nil)
-        subject.stubs(:vault_policy_name).returns('vault_policy_name')
-      end
-
-      it { assert_nil subject.name }
-    end
-
-    context 'without vault_policy_name' do
-      setup do
-        subject.stubs(:vault_policy_name).returns(nil)
       end
 
       it { assert_nil subject.name }
@@ -91,18 +78,18 @@ class VaultAuthMethodTest < ActiveSupport::TestCase
   end
 
   describe '#delete' do
-    context 'with name' do
+    context 'when valid' do
       it 'deletes Certificate' do
-        subject.stubs(:name).returns('name')
+        subject.stubs(:valid?).returns(true)
 
         subject.expects(:delete_certificate).once.with(subject.name)
         subject.delete
       end
     end
 
-    context 'without name' do
+    context 'when not valid' do
       it 'does not delete Certificate' do
-        subject.stubs(:name).returns(nil)
+        subject.stubs(:valid?).returns(false)
 
         subject.expects(:delete_certificate).never
         subject.delete

data/test/unit/services/foreman_vault/vault_client_test.rb

@@ -3,10 +3,46 @@
 require 'test_plugin_helper'
 
 class VaultClientTest < ActiveSupport::TestCase
-  setup do
-    @subject = ForemanVault::VaultClient.new('http://127.0.0.1:8200', 'e57e5ef2-b25c-a0e5-65a6-863ab095dff6')
-    @client = mock
-    Vault::Client.expects(:new).returns(@client)
+  subject do
+    ForemanVault::VaultClient.new(base_url, token, nil, nil).tap do |vault_client|
+      vault_client.instance_variable_set(:@client, client)
+    end
+  end
+
+  let(:client) { Vault::Client }
+  let(:base_url) { 'http://127.0.0.1:8200' }
+  let(:token) { 's.opkr0MAqme5e5nr3i2or5wZC' }
+
+  describe 'auth with AppRole' do
+    subject { ForemanVault::VaultClient.new(base_url, nil, role_id, secret_id) }
+
+    let(:role_id) { '8403910c-e563-d2f2-1c77-6e26319be8b5' }
+    let(:secret_id) { '1058434b-b4aa-bf5a-b376-a15d9efb1059' }
+
+    setup do
+      stub_request(:post, "#{base_url}/v1/auth/approle/login").with(
+        body: {
+          role_id: role_id,
+          secret_id: secret_id
+        }
+      ).to_return(
+        status: 200,
+        headers: { 'Content-Type': 'application/json' },
+        body: {
+          auth: {
+            client_token: token
+          }
+        }.to_json
+      )
+    end
+
+    it { assert_equal token, subject.send(:client).token }
+  end
+
+  describe 'auth with token' do
+    subject { ForemanVault::VaultClient.new(base_url, token, nil, nil) }
+
+    it { assert_equal token, subject.send(:client).token }
   end
 
   describe '#fetch_expire_time' do
@@ -14,11 +50,11 @@ class VaultClientTest < ActiveSupport::TestCase
       @time = '2018-08-01T20:08:55.525830559+02:00'
       response = OpenStruct.new(data: { expire_time: @time })
       auth_token = mock.tap { |object| object.expects(:lookup_self).once.returns(response) }
-      @client.expects(:auth_token).once.returns(auth_token)
+      client.expects(:auth_token).once.returns(auth_token)
     end
 
     test 'should return expire time' do
-      assert_equal Time.zone.parse(@time), @subject.fetch_expire_time
+      assert_equal Time.zone.parse(@time), subject.fetch_expire_time
     end
   end
 
@@ -29,11 +65,11 @@ class VaultClientTest < ActiveSupport::TestCase
       response = OpenStruct.new(data: @data)
       logical = mock.tap { |object| object.expects(:read).once.with(@secret_path).returns(response) }
 
-      @client.expects(:logical).once.returns(logical)
+      client.expects(:logical).once.returns(logical)
     end
 
     test 'should return expire time' do
-      assert_equal @data, @subject.fetch_secret(@secret_path)
+      assert_equal @data, subject.fetch_secret(@secret_path)
     end
   end
 
@@ -52,11 +88,11 @@ class VaultClientTest < ActiveSupport::TestCase
       response = OpenStruct.new(data: @data)
       logical = mock.tap { |object| object.expects(:write).once.with(@pki_path).returns(response) }
 
-      @client.expects(:logical).once.returns(logical)
+      client.expects(:logical).once.returns(logical)
     end
 
     test 'should return new certificate' do
-      assert_equal @data, @subject.issue_certificate(@pki_path)
+      assert_equal @data, subject.issue_certificate(@pki_path)
     end
   end
 end

data/test/unit/services/foreman_vault/vault_policy_test.rb

@@ -8,7 +8,11 @@ class VaultPolicyTest < ActiveSupport::TestCase
   let(:host) { FactoryBot.create(:host, :managed) }
 
   setup do
-    FactoryBot.create(:setting, name: 'vault_policy_template', value: 'Default Vault Policy')
+    if Setting.find_by(name: 'vault_policy_template')
+      Setting['vault_policy_template'] = 'Default Vault Policy'
+    else
+      FactoryBot.create(:setting, name: 'vault_policy_template', value: 'Default Vault Policy')
+    end
   end
 
   describe 'valid?' do
@@ -112,18 +116,18 @@ class VaultPolicyTest < ActiveSupport::TestCase
   end
 
   describe '#delete' do
-    context 'with name' do
+    context 'when valid' do
       it 'deletes Vault Policy' do
-        subject.stubs(:name).returns('name')
+        subject.stubs(:valid?).returns(true)
 
         subject.expects(:delete_policy).once.with(subject.name)
         subject.delete
       end
     end
 
-    context 'without name' do
+    context 'when not valid' do
       it 'does not delete Vault Policy' do
-        subject.stubs(:name).returns(nil)
+        subject.stubs(:valid?).returns(false)
 
         subject.expects(:delete_policy).never
         subject.delete

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_vault
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 1.1.0
 platform: ruby
 authors:
 - dmTECH GmbH
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-06-03 00:00:00.000000000 Z
+date: 2021-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: vault
@@ -52,7 +52,7 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 0.54.0
-description: 
+description:
 email:
 - opensource@dm.de
 executables: []
@@ -70,6 +70,7 @@ files:
 - app/lib/foreman_vault/macros.rb
 - app/models/concerns/foreman_vault/host_extensions.rb
 - app/models/concerns/foreman_vault/orchestration/vault_policy.rb
+- app/models/concerns/foreman_vault/provisioning_template_extensions.rb
 - app/models/setting/vault.rb
 - app/models/vault_connection.rb
 - app/services/foreman_vault/vault_auth_method.rb
@@ -91,6 +92,7 @@ files:
 - config/routes.rb
 - db/migrate/20180725072913_create_vault_connection.foreman_vault.rb
 - db/migrate/20180809172407_rename_vault_status_to_vault_error.foreman_vault.rb
+- db/migrate/20201203220058_add_approle_to_vault_connection.rb
 - db/seeds.d/103-provisioning_templates.rb
 - lib/foreman_vault.rb
 - lib/foreman_vault/engine.rb
@@ -107,8 +109,11 @@ files:
 - test/functional/api/v2/vault_connections_controller_test.rb
 - test/jobs/refresh_vault_token_test.rb
 - test/jobs/refresh_vault_tokens_test.rb
+- test/lib/tasks/push_auth_methods_test.rb
+- test/lib/tasks/push_policies_test.rb
 - test/models/foreman_vault/orchestration/vault_policy_test.rb
 - test/models/vault_connection_test.rb
+- test/models/vault_policy_template_test.rb
 - test/test_plugin_helper.rb
 - test/unit/lib/foreman_vault/macros_test.rb
 - test/unit/services/foreman_vault/vault_auth_method_test.rb
@@ -118,7 +123,7 @@ homepage: https://github.com/dm-drogeriemarkt/foreman_vault
 licenses:
 - GPL-3.0
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -133,8 +138,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.2.28
+signing_key:
 specification_version: 4
 summary: Adds support for using credentials from Hashicorp Vault
 test_files:
@@ -142,11 +147,14 @@ test_files:
 - test/unit/services/foreman_vault/vault_client_test.rb
 - test/unit/services/foreman_vault/vault_policy_test.rb
 - test/unit/services/foreman_vault/vault_auth_method_test.rb
+- test/models/vault_policy_template_test.rb
 - test/models/vault_connection_test.rb
 - test/models/foreman_vault/orchestration/vault_policy_test.rb
 - test/factories/vault_policy_template.rb
 - test/factories/vault_connection.rb
 - test/factories/vault_setting.rb
+- test/lib/tasks/push_policies_test.rb
+- test/lib/tasks/push_auth_methods_test.rb
 - test/fixtures/ca.crt
 - test/test_plugin_helper.rb
 - test/jobs/refresh_vault_tokens_test.rb