foreman_vault 1.1.0 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +2 -2
- data/app/models/setting/vault.rb +2 -1
- data/app/models/vault_connection.rb +1 -0
- data/app/views/vault_connections/_form.html.erb +3 -3
- data/lib/foreman_vault/engine.rb +27 -0
- data/lib/foreman_vault/version.rb +1 -1
- data/test/functional/api/v2/vault_connections_controller_test.rb +8 -2
- data/test/models/foreman_vault/orchestration/vault_policy_test.rb +1 -1
- data/test/models/vault_connection_test.rb +6 -0
- data/test/unit/services/foreman_vault/vault_auth_method_test.rb +1 -1
- metadata +16 -16
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1a698b340bc8ac1d8e1f9313548b3f27b971e87863886b4eac7c345c836460f2
|
|
4
|
+
data.tar.gz: 199cfbb6dae934a8dddc047964f068ad68a0fb1dd32590dbf4a976513229a205
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 43759e193861b1ead17c0112b73fb7b36f613348f0041687e84646bb1e9ae869f5833893f4a749ffee880a921e23896a1ff5dfa7488cff7d6079d9056ffb3332
|
|
7
|
+
data.tar.gz: b956c84f73978386e43ad0e095d86ff1a2383f826f747252a176fe1198df2605c0e10d740c1fdacbb99f9105773ebef00e891c643e386f24e448d185389d9e08
|
data/README.md
CHANGED
|
@@ -32,7 +32,7 @@ This allows Foreman to create everything needed to access Hashicorp Vault direct
|
|
|
32
32
|
- Working Vault instance
|
|
33
33
|
- with _cert_ auth enabled
|
|
34
34
|
- with _approle_ auth enabled
|
|
35
|
-
- with
|
|
35
|
+
- with _kv v1_ secret store enabled
|
|
36
36
|
- valid Vault Token
|
|
37
37
|
|
|
38
38
|
**Dev Vault Instance**
|
|
@@ -43,7 +43,7 @@ To run a local Vault dev environment on MacOS use:
|
|
|
43
43
|
$ brew install vault
|
|
44
44
|
$ vault server -dev
|
|
45
45
|
$ export VAULT_ADDR='http://127.0.0.1:8200'
|
|
46
|
-
$ vault secrets enable kv
|
|
46
|
+
$ vault secrets enable -version=1 kv
|
|
47
47
|
$ vault auth enable cert
|
|
48
48
|
|
|
49
49
|
$ vault token create -period=60m
|
data/app/models/setting/vault.rb
CHANGED
|
@@ -11,6 +11,8 @@ class Setting
|
|
|
11
11
|
|
|
12
12
|
# rubocop:disable Metrics/AbcSize, Metrics/MethodLength
|
|
13
13
|
def self.load_defaults
|
|
14
|
+
return unless Gem::Version.new(SETTINGS[:version].notag) < Gem::Version.new('3.4')
|
|
15
|
+
|
|
14
16
|
# Check the table exists
|
|
15
17
|
return unless super
|
|
16
18
|
|
|
@@ -33,7 +35,6 @@ class Setting
|
|
|
33
35
|
end
|
|
34
36
|
end
|
|
35
37
|
|
|
36
|
-
Foreman.try(:settings)&.load
|
|
37
38
|
true
|
|
38
39
|
end
|
|
39
40
|
# rubocop:enable Metrics/AbcSize, Metrics/MethodLength
|
|
@@ -5,6 +5,7 @@ class VaultConnection < ApplicationRecord
|
|
|
5
5
|
|
|
6
6
|
validates_lengths_from_database
|
|
7
7
|
validates :name, presence: true, uniqueness: true
|
|
8
|
+
validates :name, inclusion: { in: ->(i) { [i.name_was] }, message: _('cannot be changed after creation') }, on: :update
|
|
8
9
|
validates :url, presence: true
|
|
9
10
|
validates :url, format: URI.regexp(['http', 'https'])
|
|
10
11
|
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
<%= form_for @vault_connection, url: (@vault_connection.new_record? ? vault_connections_path : vault_connection_path(id: @vault_connection)) do |f| %>
|
|
2
2
|
<%= base_errors_for @vault_connection %>
|
|
3
|
-
<%= text_f f, :name, help_inline: _("Vault Connection name") %>
|
|
3
|
+
<%= text_f f, :name, disabled: @vault_connection.persisted?, help_inline: _("Vault Connection name") %>
|
|
4
4
|
<%= text_f f, :url, help_inline: _("Vault Server url") %>
|
|
5
5
|
<div class="auth_methods">
|
|
6
6
|
<h4><%=_("Auth Methods")%></h4>
|
|
@@ -12,10 +12,10 @@
|
|
|
12
12
|
<div class="tab-content">
|
|
13
13
|
<div class="tab-pane active" id="approle">
|
|
14
14
|
<%= text_f f, :role_id, label: _("Role ID"), help_inline: _("Vault Connection Role ID") %>
|
|
15
|
-
<%=
|
|
15
|
+
<%= password_f f, :secret_id, label: _("Secret ID"), help_inline: _("Vault Connection Secret ID") %>
|
|
16
16
|
</div>
|
|
17
17
|
<div class="tab-pane" id="token">
|
|
18
|
-
<%=
|
|
18
|
+
<%= password_f f, :token, help_inline: _("Vault Connection token") %>
|
|
19
19
|
</div>
|
|
20
20
|
</div>
|
|
21
21
|
</div>
|
data/lib/foreman_vault/engine.rb
CHANGED
|
@@ -45,6 +45,33 @@ module ForemanVault
|
|
|
45
45
|
'api/v2/vault_connections': [:destroy] }, resource_type: 'VaultConnection'
|
|
46
46
|
end
|
|
47
47
|
|
|
48
|
+
# New settings definition DSL is available from Foreman 3.0
|
|
49
|
+
if respond_to?(:settings)
|
|
50
|
+
settings do
|
|
51
|
+
category(:vault, N_('Vault')) do
|
|
52
|
+
setting('vault_connection',
|
|
53
|
+
full_name: N_('Default Vault connection'),
|
|
54
|
+
type: :string,
|
|
55
|
+
description: N_('Default Vault Connection that can be override using parameters'),
|
|
56
|
+
default: VaultConnection.table_exists? && VaultConnection.unscoped.count == 1 ? VaultConnection.unscoped.first.name : nil,
|
|
57
|
+
collection: VaultConnection.table_exists? ? proc { Hash[VaultConnection.unscoped.all.map { |vc| [vc.name, vc.name] }] } : [],
|
|
58
|
+
include_blank: _('Select Vault Connection'))
|
|
59
|
+
setting('vault_policy_template',
|
|
60
|
+
full_name: N_('Vault Policy template name'),
|
|
61
|
+
type: :string,
|
|
62
|
+
description: N_('The name of the ProvisioningTemplate that will be used for Vault Policy'),
|
|
63
|
+
default: ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name,
|
|
64
|
+
collection: proc { Hash[ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).map { |tmpl| [tmpl.name, tmpl.name] }] },
|
|
65
|
+
include_blank: _('Select Template'))
|
|
66
|
+
setting('vault_orchestration_enabled',
|
|
67
|
+
full_name: N_('Vault Orchestration enabled'),
|
|
68
|
+
type: :boolean,
|
|
69
|
+
description: N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
|
|
70
|
+
default: false)
|
|
71
|
+
end
|
|
72
|
+
end
|
|
73
|
+
end
|
|
74
|
+
|
|
48
75
|
# add menu entry
|
|
49
76
|
menu :top_menu, :vault_connections, url_hash: { controller: :vault_connections, action: :index },
|
|
50
77
|
caption: N_('Vault Connections'),
|
|
@@ -53,11 +53,11 @@ module Api
|
|
|
53
53
|
client = mock.tap { |object| object.expects(:auth_token).returns(auth_token) }
|
|
54
54
|
Vault::Client.expects(:new).returns(client)
|
|
55
55
|
|
|
56
|
-
params = {
|
|
56
|
+
params = { url: 'http://updatedhost:8200', token: 'token' }
|
|
57
57
|
put :update, params: { id: @vault_connection.to_param, vault_connection: params }
|
|
58
58
|
response = ActiveSupport::JSON.decode(@response.body)
|
|
59
59
|
assert_response :success
|
|
60
|
-
assert_equal params[:
|
|
60
|
+
assert_equal params[:url], response['url']
|
|
61
61
|
end
|
|
62
62
|
|
|
63
63
|
test 'should not update invalid' do
|
|
@@ -65,6 +65,12 @@ module Api
|
|
|
65
65
|
put :update, params: { id: @vault_connection.to_param, vault_connection: params }
|
|
66
66
|
assert_response :unprocessable_entity
|
|
67
67
|
end
|
|
68
|
+
|
|
69
|
+
test 'should not allow to update name' do
|
|
70
|
+
params = { name: 'Updated name' }
|
|
71
|
+
put :update, params: { id: @vault_connection.to_param, vault_connection: params }
|
|
72
|
+
assert_response :unprocessable_entity
|
|
73
|
+
end
|
|
68
74
|
end
|
|
69
75
|
|
|
70
76
|
describe '#destroy' do
|
|
@@ -139,7 +139,7 @@ module ForemanVault
|
|
|
139
139
|
end
|
|
140
140
|
|
|
141
141
|
setup do
|
|
142
|
-
Setting
|
|
142
|
+
Setting['ssl_ca_file'] = File.join(ForemanVault::Engine.root, 'test/fixtures/ca.crt')
|
|
143
143
|
if Setting.find_by(name: 'vault_orchestration_enabled')
|
|
144
144
|
Setting['vault_orchestration_enabled'] = true
|
|
145
145
|
else
|
|
@@ -10,4 +10,10 @@ class VaultConnectionTest < ActiveSupport::TestCase
|
|
|
10
10
|
should validate_presence_of(:url)
|
|
11
11
|
should allow_value('http://127.0.0.1:8200').for(:url)
|
|
12
12
|
should_not allow_value('börks').for(:url)
|
|
13
|
+
|
|
14
|
+
test 'validate that the name cannot be changed' do
|
|
15
|
+
assert_raises(ActiveRecord::RecordInvalid, 'Validation failed: Name cannot be changed after creation') do
|
|
16
|
+
subject.update!(name: 'UpdatedName')
|
|
17
|
+
end
|
|
18
|
+
end
|
|
13
19
|
end
|
|
@@ -99,7 +99,7 @@ class VaultAuthMethodTest < ActiveSupport::TestCase
|
|
|
99
99
|
|
|
100
100
|
describe '#certificate' do
|
|
101
101
|
setup do
|
|
102
|
-
Setting
|
|
102
|
+
Setting['ssl_ca_file'] = cert_path
|
|
103
103
|
end
|
|
104
104
|
|
|
105
105
|
context 'when certificate file can be read' do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: foreman_vault
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- dmTECH GmbH
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-08-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: vault
|
|
@@ -138,25 +138,25 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
138
138
|
- !ruby/object:Gem::Version
|
|
139
139
|
version: '0'
|
|
140
140
|
requirements: []
|
|
141
|
-
rubygems_version: 3.
|
|
141
|
+
rubygems_version: 3.3.3
|
|
142
142
|
signing_key:
|
|
143
143
|
specification_version: 4
|
|
144
144
|
summary: Adds support for using credentials from Hashicorp Vault
|
|
145
145
|
test_files:
|
|
146
|
-
- test/unit/lib/foreman_vault/macros_test.rb
|
|
147
|
-
- test/unit/services/foreman_vault/vault_client_test.rb
|
|
148
|
-
- test/unit/services/foreman_vault/vault_policy_test.rb
|
|
149
|
-
- test/unit/services/foreman_vault/vault_auth_method_test.rb
|
|
150
|
-
- test/models/vault_policy_template_test.rb
|
|
151
|
-
- test/models/vault_connection_test.rb
|
|
152
|
-
- test/models/foreman_vault/orchestration/vault_policy_test.rb
|
|
153
|
-
- test/factories/vault_policy_template.rb
|
|
154
146
|
- test/factories/vault_connection.rb
|
|
147
|
+
- test/factories/vault_policy_template.rb
|
|
155
148
|
- test/factories/vault_setting.rb
|
|
156
|
-
- test/lib/tasks/push_policies_test.rb
|
|
157
|
-
- test/lib/tasks/push_auth_methods_test.rb
|
|
158
149
|
- test/fixtures/ca.crt
|
|
159
|
-
- test/test_plugin_helper.rb
|
|
160
|
-
- test/jobs/refresh_vault_tokens_test.rb
|
|
161
|
-
- test/jobs/refresh_vault_token_test.rb
|
|
162
150
|
- test/functional/api/v2/vault_connections_controller_test.rb
|
|
151
|
+
- test/jobs/refresh_vault_token_test.rb
|
|
152
|
+
- test/jobs/refresh_vault_tokens_test.rb
|
|
153
|
+
- test/lib/tasks/push_auth_methods_test.rb
|
|
154
|
+
- test/lib/tasks/push_policies_test.rb
|
|
155
|
+
- test/models/foreman_vault/orchestration/vault_policy_test.rb
|
|
156
|
+
- test/models/vault_connection_test.rb
|
|
157
|
+
- test/models/vault_policy_template_test.rb
|
|
158
|
+
- test/test_plugin_helper.rb
|
|
159
|
+
- test/unit/lib/foreman_vault/macros_test.rb
|
|
160
|
+
- test/unit/services/foreman_vault/vault_auth_method_test.rb
|
|
161
|
+
- test/unit/services/foreman_vault/vault_client_test.rb
|
|
162
|
+
- test/unit/services/foreman_vault/vault_policy_test.rb
|