foreman_vault 1.1.0 → 2.0.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 39553e728b4ff3661a8b0fc008ee0959e5fdbba5f915a9f7f9d09bdd24d9d65a
4
- data.tar.gz: 34b06a3ffc2cfdd6055356c4af15e91bb7d94de7954983d0becc20881c85fef3
3
+ metadata.gz: c5fe8746df7815f6129640d07776dcc4e32108fcd751c35fdb20f6facf95b87f
4
+ data.tar.gz: 48a412989b2ce3dda9389f9a6ea9a06fc881157cb959536c618b6395d5b6ed83
5
5
  SHA512:
6
- metadata.gz: 04fe38f150fb63017eeb3803c14ea02fe6eb557a8a51d13f7f089bc4a7e5ca12f08182ede2c642e5dd6b47d5ab53e5adcc80e45117ad714ad6154cec2df486de
7
- data.tar.gz: d6ecb38160b4180a137a6db4f0d9e7fa6e9e14d32ebc5e98cae09a92f18997946bacc548adc4a55f7e19107ae6f2fcdbe7e43ab5a540b0d96706239dd81aa462
6
+ metadata.gz: d45fa891dc392701f2cdb08ed00216fabff042a63b3d097cd71caf43630366b245c70ef06bd5860963fa1d9179f239bc0e3e7b79f94a288109d9c97b2dbe068c
7
+ data.tar.gz: 48f5a92159bccc41cea54144f88ce47875d1f83f6158ba812a2b36c1289087aadf41f2caad431f52ebf2c917267f9432e2cf6cbc2a221a35b9ed2b1a924958a1
data/README.md CHANGED
@@ -22,6 +22,7 @@ This allows Foreman to create everything needed to access Hashicorp Vault direct
22
22
 
23
23
  | Foreman Version | Plugin Version |
24
24
  | --------------- | -------------- |
25
+ | >= 3.9 | ~> 2.0 |
25
26
  | >= 2.3 | ~> 1.0 |
26
27
  | >= 1.23 | ~> 0.3, ~> 0.4 |
27
28
  | >= 1.20 | ~> 0.2 |
@@ -32,7 +33,7 @@ This allows Foreman to create everything needed to access Hashicorp Vault direct
32
33
  - Working Vault instance
33
34
  - with _cert_ auth enabled
34
35
  - with _approle_ auth enabled
35
- - with _kv_ secret store enabled
36
+ - with _kv v1_ secret store enabled
36
37
  - valid Vault Token
37
38
 
38
39
  **Dev Vault Instance**
@@ -43,7 +44,7 @@ To run a local Vault dev environment on MacOS use:
43
44
  $ brew install vault
44
45
  $ vault server -dev
45
46
  $ export VAULT_ADDR='http://127.0.0.1:8200'
46
- $ vault secrets enable kv
47
+ $ vault secrets enable -version=1 kv
47
48
  $ vault auth enable cert
48
49
 
49
50
  $ vault token create -period=60m
data/Rakefile CHANGED
@@ -20,7 +20,7 @@ RDoc::Task.new(:rdoc) do |rdoc|
20
20
  rdoc.rdoc_files.include('lib/**/*.rb')
21
21
  end
22
22
 
23
- APP_RAKEFILE = File.expand_path('../test/dummy/Rakefile', __FILE__)
23
+ APP_RAKEFILE = File.expand_path('test/dummy/Rakefile', __dir__)
24
24
 
25
25
  Bundler::GemHelper.install_tasks
26
26
 
@@ -38,7 +38,7 @@ task default: :test
38
38
  begin
39
39
  require 'rubocop/rake_task'
40
40
  RuboCop::RakeTask.new
41
- rescue => _
41
+ rescue StandardError => _e
42
42
  puts 'Rubocop not loaded.'
43
43
  end
44
44
 
@@ -16,7 +16,8 @@ module Api
16
16
 
17
17
  api :GET, '/vault_connections/:id', N_('Show VaultConnection details')
18
18
  param :id, :identifier, required: true
19
- def show; end
19
+ def show
20
+ end
20
21
 
21
22
  def_param_group :vault_connection do
22
23
  param :vault_connection, Hash, action_aware: true, required: true do
@@ -22,7 +22,8 @@ class VaultConnectionsController < ::ApplicationController
22
22
  end
23
23
  end
24
24
 
25
- def edit; end
25
+ def edit
26
+ end
26
27
 
27
28
  def update
28
29
  if @vault_connection.update(vault_connection_params)
@@ -21,7 +21,7 @@ module ForemanVault
21
21
  return unless vault_auth_method.valid?
22
22
 
23
23
  queue.create(name: _('Push %s data to Vault') % self, priority: 100,
24
- action: [self, :set_vault])
24
+ action: [self, :set_vault])
25
25
  end
26
26
 
27
27
  def queue_vault_destroy
@@ -30,10 +30,9 @@ module ForemanVault
30
30
  return unless vault_auth_method.valid?
31
31
 
32
32
  queue.create(name: _('Clear %s Vault data') % self, priority: 60,
33
- action: [self, :del_vault])
33
+ action: [self, :del_vault])
34
34
  end
35
35
 
36
- # rubocop:disable Metrics/AbcSize
37
36
  def set_vault
38
37
  logger.info "Pushing #{name} data to Vault"
39
38
 
@@ -44,7 +43,6 @@ module ForemanVault
44
43
  Foreman::Logging.exception("Failed to push #{name} data to Vault.", e)
45
44
  failure format(_('Failed to push %{name} data to Vault: %{message}\n '), name: name, message: e.message), e
46
45
  end
47
- # rubocop:enable Metrics/AbcSize
48
46
 
49
47
  def del_vault
50
48
  logger.info "Clearing #{name} Vault data"
@@ -5,8 +5,9 @@ class VaultConnection < ApplicationRecord
5
5
 
6
6
  validates_lengths_from_database
7
7
  validates :name, presence: true, uniqueness: true
8
+ validates :name, inclusion: { in: ->(i) { [i.name_was] }, message: _('cannot be changed after creation') }, on: :update
8
9
  validates :url, presence: true
9
- validates :url, format: URI.regexp(['http', 'https'])
10
+ validates :url, format: URI::DEFAULT_PARSER.make_regexp(['http', 'https'])
10
11
 
11
12
  validates :token, presence: true, if: -> { role_id.nil? || secret_id.nil? }
12
13
  validates :token, inclusion: { in: [nil], message: _('AppRole or token must be blank') }, unless: -> { role_id.nil? || secret_id.nil? }
@@ -24,8 +25,8 @@ class VaultConnection < ApplicationRecord
24
25
  scope :with_valid_token, -> { with_token.where(vault_error: nil).where('expire_time > ?', Time.zone.now) }
25
26
 
26
27
  delegate :fetch_expire_time, :fetch_secret, :issue_certificate,
27
- :policy, :policies, :put_policy, :delete_policy,
28
- :set_certificate, :certificates, :delete_certificate, to: :client
28
+ :policy, :policies, :put_policy, :delete_policy,
29
+ :set_certificate, :certificates, :delete_certificate, to: :client
29
30
 
30
31
  def with_token?
31
32
  token.present?
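Review bot: `URI::DEFAULT_PARSER.make_regexp(['http', 'https'])` is unanchored, exactly as `URI.regexp` was, so the `format` validator still accepts any string that merely contains an http(s) URL somewhere inside it (e.g. `junk http://host`); the deprecation swap is the right moment to anchor it: `validates :url, format: { with: /\A#{URI::DEFAULT_PARSER.make_regexp(%w[http https])}\z/ }`. Since this record carries a Vault token or an AppRole `secret_id`, accepting plain `http` means those credentials can travel in cleartext to whatever host the URL names; the README's `http://127.0.0.1:8200` is a dev setup, and it may be worth at least warning in the field help or logging when a non-TLS URL is saved. The new `on: :update` inclusion check against `name_was` is the right server-side guard for name immutability and should be the one relied on, independent of the form's `disabled` attribute.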
@@ -31,6 +31,7 @@ module ForemanVault
31
31
  private
32
32
 
33
33
  attr_reader :host
34
+
34
35
  delegate :vault_policy, :vault_connection, :fqdn, to: :host
35
36
  delegate :name, to: :vault_policy, prefix: true
36
37
  delegate :set_certificate, :delete_certificate, to: :vault_connection
@@ -39,7 +40,7 @@ module ForemanVault
39
40
  {
40
41
  certificate: certificate,
41
42
  token_policies: vault_policy_name,
42
- allowed_common_names: allowed_common_names
43
+ allowed_common_names: allowed_common_names,
43
44
  }
44
45
  end
45
46
 
@@ -37,6 +37,7 @@ module ForemanVault
37
37
  private
38
38
 
39
39
  attr_reader :host
40
+
40
41
  delegate :params, :render_template, :vault_connection, to: :host
41
42
  delegate :policy, :policies, :put_policy, :delete_policy, to: :vault_connection
42
43
 
@@ -1,6 +1,6 @@
1
1
  <%= form_for @vault_connection, url: (@vault_connection.new_record? ? vault_connections_path : vault_connection_path(id: @vault_connection)) do |f| %>
2
2
  <%= base_errors_for @vault_connection %>
3
- <%= text_f f, :name, help_inline: _("Vault Connection name") %>
3
+ <%= text_f f, :name, disabled: @vault_connection.persisted?, help_inline: _("Vault Connection name") %>
4
4
  <%= text_f f, :url, help_inline: _("Vault Server url") %>
5
5
  <div class="auth_methods">
6
6
  <h4><%=_("Auth Methods")%></h4>
@@ -12,10 +12,10 @@
12
12
  <div class="tab-content">
13
13
  <div class="tab-pane active" id="approle">
14
14
  <%= text_f f, :role_id, label: _("Role ID"), help_inline: _("Vault Connection Role ID") %>
15
- <%= text_f f, :secret_id, label: _("Secret ID"), help_inline: _("Vault Connection Secret ID") %>
15
+ <%= password_f f, :secret_id, label: _("Secret ID"), help_inline: _("Vault Connection Secret ID") %>
16
16
  </div>
17
17
  <div class="tab-pane" id="token">
18
- <%= text_f f, :token, help_inline: _("Vault Connection token") %>
18
+ <%= password_f f, :token, help_inline: _("Vault Connection token") %>
19
19
  </div>
20
20
  </div>
21
21
  </div>
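Review bot: If `password_f` behaves like Rails' `password_field` (which does not echo the stored value), the `secret_id` and `token` fields render empty when editing an existing connection, so saving the edit form to change only the URL submits blank credentials and will either wipe the stored secret or trip the `presence` validation on `token`. Worth confirming how Foreman's `password_f` handles that case (its `unset:` option is used for this in the host form, if I recall correctly) and otherwise dropping blank `token`/`secret_id` from `vault_connection_params` on update. The switch away from `text_f` is itself a good change: the previous form echoed the live Vault token back into the page HTML. `disabled: @vault_connection.persisted?` on `name` is only a UI hint, not a control; the model-side validation in this release is what actually prevents a crafted request from renaming the connection.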
@@ -0,0 +1,7 @@
1
+ # frozen_string_literal: true
2
+
3
+ class FixVaultSettingsCategoryToDsl < ActiveRecord::Migration[6.0]
4
+ def up
5
+ Setting.where(category: 'Setting::Vault').update_all(category: 'Setting') if column_exists?(:settings, :category)
6
+ end
7
+ end
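Review bot: Only `up` is defined, so rolling this migration back on a downgrade to 1.x is a silent no-op (ActiveRecord's default `down` does nothing when not overridden) and the three rows keep category `Setting`, which the old STI-based `Setting::Vault` class would no longer own. Add the inverse so `db:rollback` is honest: `def down; Setting.where(name: %w[vault_connection vault_policy_template vault_orchestration_enabled]).update_all(category: 'Setting::Vault') if column_exists?(:settings, :category); end`. Using `update_all` for the forward step is appropriate here since it skips validations and callbacks, which a data-only category fix wants, and the `column_exists?` guard correctly handles Foreman versions that already dropped the column.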
@@ -5,8 +5,8 @@ User.as_anonymous_admin do
5
5
  {
6
6
  name: 'Default Vault Policy',
7
7
  source: 'VaultPolicy/default.erb',
8
- template_kind: TemplateKind.find_or_create_by(name: 'VaultPolicy')
9
- }
8
+ template_kind: TemplateKind.find_or_create_by(name: 'VaultPolicy'),
9
+ },
10
10
  ]
11
11
 
12
12
  templates.each do |template|
@@ -12,14 +12,6 @@ module ForemanVault
12
12
  config.autoload_paths += Dir["#{config.root}/app/lib"]
13
13
  config.autoload_paths += Dir["#{config.root}/app/jobs"]
14
14
 
15
- initializer 'foreman_vault.load_default_settings', before: :load_config_initializers do
16
- require_dependency File.expand_path('../../app/models/setting/vault.rb', __dir__) if begin
17
- Setting.table_exists?
18
- rescue StandardError
19
- (false)
20
- end
21
- end
22
-
23
15
  # Add any db migrations
24
16
  initializer 'foreman_vault.load_app_instance_data' do |app|
25
17
  ForemanVault::Engine.paths['db/migrate'].existent.each do |path|
@@ -29,7 +21,7 @@ module ForemanVault
29
21
 
30
22
  initializer 'foreman_vault.register_plugin', before: :finisher_hook do |_app|
31
23
  Foreman::Plugin.register :foreman_vault do
32
- requires_foreman '>= 2.3'
24
+ requires_foreman '>= 3.9'
33
25
 
34
26
  apipie_documented_controllers ["#{ForemanVault::Engine.root}/app/controllers/api/v2/*.rb"]
35
27
 
@@ -45,6 +37,30 @@ module ForemanVault
45
37
  'api/v2/vault_connections': [:destroy] }, resource_type: 'VaultConnection'
46
38
  end
47
39
 
40
+ settings do
41
+ category(:vault, N_('Vault')) do
42
+ setting('vault_connection',
43
+ full_name: N_('Default Vault connection'),
44
+ type: :string,
45
+ description: N_('Default Vault Connection that can be override using parameters'),
46
+ default: VaultConnection.table_exists? && VaultConnection.unscoped.count == 1 ? VaultConnection.unscoped.first.name : nil,
47
+ collection: VaultConnection.table_exists? ? proc { Hash[VaultConnection.unscoped.all.map { |vc| [vc.name, vc.name] }] } : [],
48
+ include_blank: _('Select Vault Connection'))
49
+ setting('vault_policy_template',
50
+ full_name: N_('Vault Policy template name'),
51
+ type: :string,
52
+ description: N_('The name of the ProvisioningTemplate that will be used for Vault Policy'),
53
+ default: ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name,
54
+ collection: proc { Hash[ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).map { |tmpl| [tmpl.name, tmpl.name] }] },
55
+ include_blank: _('Select Template'))
56
+ setting('vault_orchestration_enabled',
57
+ full_name: N_('Vault Orchestration enabled'),
58
+ type: :boolean,
59
+ description: N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
60
+ default: false)
61
+ end
62
+ end
63
+
48
64
  # add menu entry
49
65
  menu :top_menu, :vault_connections, url_hash: { controller: :vault_connections, action: :index },
50
66
  caption: N_('Vault Connections'),
@@ -53,14 +69,12 @@ module ForemanVault
53
69
  end
54
70
 
55
71
  config.to_prepare do
56
- begin
57
- ::Host::Managed.include(ForemanVault::HostExtensions)
58
- ::ProvisioningTemplate.include(ForemanVault::ProvisioningTemplateExtensions)
59
- ::Foreman::Renderer::Scope::Base.include(ForemanVault::Macros)
60
- ::Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret, :vault_issue_certificate] }
61
- rescue StandardError => e
62
- Rails.logger.warn "ForemanVault: skipping engine hook (#{e})"
63
- end
72
+ ::Host::Managed.include(ForemanVault::HostExtensions)
73
+ ::ProvisioningTemplate.include(ForemanVault::ProvisioningTemplateExtensions)
74
+ ::Foreman::Renderer::Scope::Base.include(ForemanVault::Macros)
75
+ ::Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret, :vault_issue_certificate] }
76
+ rescue StandardError => e
77
+ Rails.logger.warn "ForemanVault: skipping engine hook (#{e})"
64
78
  end
65
79
 
66
80
  initializer 'foreman_vault.register_gettext', after: :load_config_initializers do |_app|
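Review bot: The two `default:` expressions in the new `settings` block are inconsistent about guarding the database: `vault_connection` checks `VaultConnection.table_exists?` before querying, but `vault_policy_template` calls `ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(...)` unconditionally, and the removed initializer used to gate all of this behind `Setting.table_exists?`. If Foreman evaluates this block during plugin registration on a fresh database (before `db:migrate` or `db:seed`), that line raises where the old code stayed quiet; mirror the other entry with `default: ProvisioningTemplate.table_exists? ? ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name : nil`, unless the DSL is known to defer evaluation. Note also that `include_blank: _('…')` translates at load time while the neighbouring labels use `N_`; `N_` would keep the strings lazily translated per request like the rest of the block. The `allowed_generic_helpers` registration that exposes `vault_secret` and `vault_issue_certificate` to all templates is unchanged by this commit; the block-level `rescue` around it only logs a warning, so a failure there leaves the macros unregistered rather than exposed.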
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module ForemanVault
4
- VERSION = '1.1.0'
4
+ VERSION = '2.0.0'
5
5
  end
@@ -11,16 +11,14 @@ namespace :foreman_vault do # rubocop:disable Metrics/BlockLength
11
11
  hosts = Host::Managed.where(managed: true)
12
12
 
13
13
  hosts.each_with_index do |host, index|
14
- begin
15
- result = host.reload.vault_auth_method.save
16
- if result
17
- puts "[#{index + 1}/#{hosts.count}] Auth-Method of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
18
- else
19
- puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
20
- end
21
- rescue StandardError => err
22
- puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{err}"
14
+ result = host.reload.vault_auth_method.save
15
+ if result
16
+ puts "[#{index + 1}/#{hosts.count}] Auth-Method of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
17
+ else
18
+ puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
23
19
  end
20
+ rescue StandardError => e
21
+ puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{e}"
24
22
  end
25
23
  end
26
24
  end
@@ -33,16 +31,14 @@ namespace :foreman_vault do # rubocop:disable Metrics/BlockLength
33
31
  hosts = Host::Managed.where(managed: true)
34
32
 
35
33
  hosts.each_with_index do |host, index|
36
- begin
37
- result = host.reload.vault_policy.save
38
- if result
39
- puts "[#{index + 1}/#{hosts.count}] Policy of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
40
- else
41
- puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
42
- end
43
- rescue StandardError => err
44
- puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{err}"
34
+ result = host.reload.vault_policy.save
35
+ if result
36
+ puts "[#{index + 1}/#{hosts.count}] Policy of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
37
+ else
38
+ puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
45
39
  end
40
+ rescue StandardError => e
41
+ puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{e}"
46
42
  end
47
43
  end
48
44
  end
@@ -61,25 +57,4 @@ namespace :test do
61
57
  end
62
58
  end
63
59
 
64
- namespace :foreman_vault do
65
- task :rubocop do
66
- begin
67
- require 'rubocop/rake_task'
68
- RuboCop::RakeTask.new(:rubocop_foreman_vault) do |task|
69
- task.patterns = ["#{ForemanVault::Engine.root}/app/**/*.rb",
70
- "#{ForemanVault::Engine.root}/lib/**/*.rb",
71
- "#{ForemanVault::Engine.root}/test/**/*.rb"]
72
- end
73
- rescue StandardError
74
- puts 'Rubocop not loaded.'
75
- end
76
-
77
- Rake::Task['rubocop_foreman_vault'].invoke
78
- end
79
- end
80
-
81
60
  Rake::Task[:test].enhance ['test:foreman_vault']
82
-
83
- load 'tasks/jenkins.rake'
84
-
85
- Rake::Task['jenkins:unit'].enhance ['test:foreman_vault', 'foreman_vault:rubocop'] if Rake::Task.task_defined?(:'jenkins:unit')
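Review bot: The `rescue StandardError => e` placed directly inside the `do … end` block of both `hosts.each_with_index` loops (no enclosing `begin`) is only valid syntax on Ruby 2.6 and later, while the gemspec metadata in this same release declares `required_ruby_version >= 2.5`; either keep the `begin`/`end` wrapper or raise the constraint to `>= 2.6`. In practice Foreman >= 3.9 already requires a newer Ruby, so this is a metadata accuracy issue rather than a runtime one, but an inaccurate floor lets Bundler resolve the gem into an environment where it cannot load. Separately, the `else` branch prints `Failed to push "…": #{result}`, which renders as `false` rather than a reason; if `vault_auth_method`/`vault_policy` expose `errors`, `errors.full_messages.to_sentence` would be more useful, though that predates this change.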
@@ -53,11 +53,11 @@ module Api
53
53
  client = mock.tap { |object| object.expects(:auth_token).returns(auth_token) }
54
54
  Vault::Client.expects(:new).returns(client)
55
55
 
56
- params = { name: 'New name', url: 'http://localhost:8200', token: 'token' }
56
+ params = { url: 'http://updatedhost:8200', token: 'token' }
57
57
  put :update, params: { id: @vault_connection.to_param, vault_connection: params }
58
58
  response = ActiveSupport::JSON.decode(@response.body)
59
59
  assert_response :success
60
- assert_equal params[:name], response['name']
60
+ assert_equal params[:url], response['url']
61
61
  end
62
62
 
63
63
  test 'should not update invalid' do
@@ -65,6 +65,12 @@ module Api
65
65
  put :update, params: { id: @vault_connection.to_param, vault_connection: params }
66
66
  assert_response :unprocessable_entity
67
67
  end
68
+
69
+ test 'should not allow to update name' do
70
+ params = { name: 'Updated name' }
71
+ put :update, params: { id: @vault_connection.to_param, vault_connection: params }
72
+ assert_response :unprocessable_entity
73
+ end
68
74
  end
69
75
 
70
76
  describe '#destroy' do
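Review bot: The new 'should not allow to update name' test asserts only the 422 status, which does not show the record was left intact and could equally come from another validation; unlike the `update` test above it does not stub `Vault::Client`, so if the update path touches the client the failure may have nothing to do with the name check. Capture the original and pin the outcome: `original_name = @vault_connection.name` before the request, then `assert_equal original_name, @vault_connection.reload.name` after it, and ideally assert that the decoded error body mentions `name`. The updated `update` test now exercises `url` instead of `name`, which is the right move once the name is immutable.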
@@ -139,7 +139,7 @@ module ForemanVault
139
139
  end
140
140
 
141
141
  setup do
142
- Setting.find_by(name: 'ssl_ca_file').update(value: File.join(ForemanVault::Engine.root, 'test/fixtures/ca.crt'))
142
+ Setting['ssl_ca_file'] = File.join(ForemanVault::Engine.root, 'test/fixtures/ca.crt')
143
143
  if Setting.find_by(name: 'vault_orchestration_enabled')
144
144
  Setting['vault_orchestration_enabled'] = true
145
145
  else
@@ -10,4 +10,10 @@ class VaultConnectionTest < ActiveSupport::TestCase
10
10
  should validate_presence_of(:url)
11
11
  should allow_value('http://127.0.0.1:8200').for(:url)
12
12
  should_not allow_value('börks').for(:url)
13
+
14
+ test 'validate that the name cannot be changed' do
15
+ assert_raises(ActiveRecord::RecordInvalid, 'Validation failed: Name cannot be changed after creation') do
16
+ subject.update!(name: 'UpdatedName')
17
+ end
18
+ end
13
19
  end
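Review bot: The second argument to `assert_raises` is the failure message shown when nothing is raised, not an assertion on the exception's message, so this test passes for any `ActiveRecord::RecordInvalid` and never verifies the new `cannot be changed after creation` error. Capture the exception and check it: `err = assert_raises(ActiveRecord::RecordInvalid) { subject.update!(name: 'UpdatedName') }` followed by `assert_includes err.message, 'cannot be changed after creation'`. Storing `original = subject.name` first and asserting `assert_equal original, subject.reload.name` afterwards would also pin that nothing was persisted.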
@@ -0,0 +1,18 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'test_plugin_helper'
4
+ require 'unit/shared/access_permissions_test_base'
5
+
6
+ # Permissions are added in AccessPermissions with lists of controllers and
7
+ # actions that they enable access to. For non-admin users, we need to test
8
+ # that there are permissions available that cover every controller action, else
9
+ # it can't be delegated and this will lead to parts of the application that
10
+ # aren't functional for non-admin users.
11
+ #
12
+ # In particular, it's important that actions for AJAX requests are added to
13
+ # an appropriate permission so views using those requests function.
14
+ class AccessPermissionsTest < ActiveSupport::TestCase
15
+ include AccessPermissionsTestBase
16
+
17
+ check_routes(ForemanVault::Engine.routes, [])
18
+ end
@@ -22,7 +22,7 @@ class MacrosTest < ActiveSupport::TestCase
22
22
 
23
23
  subject = TestScope.new(host: host, source: source)
24
24
 
25
- assert subject.respond_to?(:vault_secret)
25
+ assert_respond_to subject, :vault_secret
26
26
  assert_equal response.data, subject.vault_secret(vault_connection.name, secret_path)
27
27
  end
28
28
  end
@@ -59,9 +59,11 @@ class VaultAuthMethodTest < ActiveSupport::TestCase
59
59
 
60
60
  subject.expects(:set_certificate).once.with(
61
61
  'name',
62
- certificate: 'cert',
63
- token_policies: 'vault_policy_name',
64
- allowed_common_names: [host.fqdn]
62
+ {
63
+ certificate: 'cert',
64
+ token_policies: 'vault_policy_name',
65
+ allowed_common_names: [host.fqdn],
66
+ }
65
67
  )
66
68
  subject.save
67
69
  end
@@ -99,7 +101,7 @@ class VaultAuthMethodTest < ActiveSupport::TestCase
99
101
 
100
102
  describe '#certificate' do
101
103
  setup do
102
- Setting.find_by(name: 'ssl_ca_file').update(value: cert_path)
104
+ Setting['ssl_ca_file'] = cert_path
103
105
  end
104
106
 
105
107
  context 'when certificate file can be read' do
@@ -23,15 +23,15 @@ class VaultClientTest < ActiveSupport::TestCase
23
23
  stub_request(:post, "#{base_url}/v1/auth/approle/login").with(
24
24
  body: {
25
25
  role_id: role_id,
26
- secret_id: secret_id
26
+ secret_id: secret_id,
27
27
  }
28
28
  ).to_return(
29
29
  status: 200,
30
30
  headers: { 'Content-Type': 'application/json' },
31
31
  body: {
32
32
  auth: {
33
- client_token: token
34
- }
33
+ client_token: token,
34
+ },
35
35
  }.to_json
36
36
  )
37
37
  end
@@ -82,7 +82,7 @@ class VaultClientTest < ActiveSupport::TestCase
82
82
  issuing_ca: 'CA_CERTIFICATE_DATA',
83
83
  private_key: 'PRIVATE_KEY_DATA',
84
84
  private_key_type: 'rsa',
85
- serial_number: '7e:2d:c8:dd:df:da:fe:1f:39:da:39:23:4f:74:c8:1f:1d:4a:db:a7'
85
+ serial_number: '7e:2d:c8:dd:df:da:fe:1f:39:da:39:23:4f:74:c8:1f:1d:4a:db:a7',
86
86
  }
87
87
 
88
88
  response = OpenStruct.new(data: @data)
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: foreman_vault
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.0
4
+ version: 2.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - dmTECH GmbH
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-10-21 00:00:00.000000000 Z
11
+ date: 2024-05-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: vault
@@ -39,19 +39,19 @@ dependencies:
39
39
  - !ruby/object:Gem::Version
40
40
  version: '0'
41
41
  - !ruby/object:Gem::Dependency
42
- name: rubocop
42
+ name: theforeman-rubocop
43
43
  requirement: !ruby/object:Gem::Requirement
44
44
  requirements:
45
- - - '='
45
+ - - "~>"
46
46
  - !ruby/object:Gem::Version
47
- version: 0.54.0
47
+ version: 0.1.2
48
48
  type: :development
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
- - - '='
52
+ - - "~>"
53
53
  - !ruby/object:Gem::Version
54
- version: 0.54.0
54
+ version: 0.1.2
55
55
  description:
56
56
  email:
57
57
  - opensource@dm.de
@@ -71,7 +71,6 @@ files:
71
71
  - app/models/concerns/foreman_vault/host_extensions.rb
72
72
  - app/models/concerns/foreman_vault/orchestration/vault_policy.rb
73
73
  - app/models/concerns/foreman_vault/provisioning_template_extensions.rb
74
- - app/models/setting/vault.rb
75
74
  - app/models/vault_connection.rb
76
75
  - app/services/foreman_vault/vault_auth_method.rb
77
76
  - app/services/foreman_vault/vault_client.rb
@@ -93,6 +92,7 @@ files:
93
92
  - db/migrate/20180725072913_create_vault_connection.foreman_vault.rb
94
93
  - db/migrate/20180809172407_rename_vault_status_to_vault_error.foreman_vault.rb
95
94
  - db/migrate/20201203220058_add_approle_to_vault_connection.rb
95
+ - db/migrate/20230309072504_fix_vault_settings_category_to_dsl.rb
96
96
  - db/seeds.d/103-provisioning_templates.rb
97
97
  - lib/foreman_vault.rb
98
98
  - lib/foreman_vault/engine.rb
@@ -115,6 +115,7 @@ files:
115
115
  - test/models/vault_connection_test.rb
116
116
  - test/models/vault_policy_template_test.rb
117
117
  - test/test_plugin_helper.rb
118
+ - test/unit/foreman_vault/access_permissions_test.rb
118
119
  - test/unit/lib/foreman_vault/macros_test.rb
119
120
  - test/unit/services/foreman_vault/vault_auth_method_test.rb
120
121
  - test/unit/services/foreman_vault/vault_client_test.rb
@@ -131,32 +132,36 @@ required_ruby_version: !ruby/object:Gem::Requirement
131
132
  requirements:
132
133
  - - ">="
133
134
  - !ruby/object:Gem::Version
134
- version: '0'
135
+ version: '2.5'
136
+ - - "<"
137
+ - !ruby/object:Gem::Version
138
+ version: '4'
135
139
  required_rubygems_version: !ruby/object:Gem::Requirement
136
140
  requirements:
137
141
  - - ">="
138
142
  - !ruby/object:Gem::Version
139
143
  version: '0'
140
144
  requirements: []
141
- rubygems_version: 3.2.28
145
+ rubygems_version: 3.4.1
142
146
  signing_key:
143
147
  specification_version: 4
144
148
  summary: Adds support for using credentials from Hashicorp Vault
145
149
  test_files:
146
- - test/unit/lib/foreman_vault/macros_test.rb
147
- - test/unit/services/foreman_vault/vault_client_test.rb
148
- - test/unit/services/foreman_vault/vault_policy_test.rb
149
- - test/unit/services/foreman_vault/vault_auth_method_test.rb
150
- - test/models/vault_policy_template_test.rb
151
- - test/models/vault_connection_test.rb
152
- - test/models/foreman_vault/orchestration/vault_policy_test.rb
153
- - test/factories/vault_policy_template.rb
154
150
  - test/factories/vault_connection.rb
151
+ - test/factories/vault_policy_template.rb
155
152
  - test/factories/vault_setting.rb
156
- - test/lib/tasks/push_policies_test.rb
157
- - test/lib/tasks/push_auth_methods_test.rb
158
153
  - test/fixtures/ca.crt
159
- - test/test_plugin_helper.rb
160
- - test/jobs/refresh_vault_tokens_test.rb
161
- - test/jobs/refresh_vault_token_test.rb
162
154
  - test/functional/api/v2/vault_connections_controller_test.rb
155
+ - test/jobs/refresh_vault_token_test.rb
156
+ - test/jobs/refresh_vault_tokens_test.rb
157
+ - test/lib/tasks/push_auth_methods_test.rb
158
+ - test/lib/tasks/push_policies_test.rb
159
+ - test/models/foreman_vault/orchestration/vault_policy_test.rb
160
+ - test/models/vault_connection_test.rb
161
+ - test/models/vault_policy_template_test.rb
162
+ - test/test_plugin_helper.rb
163
+ - test/unit/foreman_vault/access_permissions_test.rb
164
+ - test/unit/lib/foreman_vault/macros_test.rb
165
+ - test/unit/services/foreman_vault/vault_auth_method_test.rb
166
+ - test/unit/services/foreman_vault/vault_client_test.rb
167
+ - test/unit/services/foreman_vault/vault_policy_test.rb
@@ -1,103 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- class Setting
4
- class Vault < ::Setting
5
- BLANK_ATTRS << 'vault_connection'
6
- BLANK_ATTRS << 'vault_policy_template'
7
-
8
- def self.default_settings
9
- [set_vault_connection, set_vault_policy_template, set_vault_orchestration_enabled]
10
- end
11
-
12
- # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
13
- def self.load_defaults
14
- # Check the table exists
15
- return unless super
16
-
17
- transaction do
18
- default_settings.each do |s|
19
- setting = create! s.update(category: 'Setting::Vault')
20
-
21
- Foreman.try(:settings)&._add(
22
- s[:name],
23
- s.slice(:description, :default, :full_name, :encrypted)
24
- .merge(category: 'Setting::Vault')
25
- .yield_self do |params|
26
- unless Gem::Version.new(SETTINGS[:version].notag) < Gem::Version.new('2.6')
27
- params[:context] = :vault
28
- params[:type] = setting.settings_type
29
- end
30
- params
31
- end
32
- )
33
- end
34
- end
35
-
36
- Foreman.try(:settings)&.load
37
- true
38
- end
39
- # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
40
-
41
- def self.humanized_category
42
- N_('Vault')
43
- end
44
-
45
- class << self
46
- private
47
-
48
- def set_vault_connection
49
- set(
50
- 'vault_connection',
51
- N_('Default Vault Connection that can be override using parameters'),
52
- default_vault_connection,
53
- N_('Default Vault Connection'),
54
- nil,
55
- collection: vault_connections_collection,
56
- include_blank: _('Select Vault Connection')
57
- )
58
- end
59
-
60
- def default_vault_connection
61
- return nil unless VaultConnection.table_exists?
62
- return unless VaultConnection.unscoped.count == 1
63
-
64
- VaultConnection.unscoped.first.name
65
- end
66
-
67
- def vault_connections_collection
68
- return [] unless VaultConnection.table_exists?
69
-
70
- proc { Hash[VaultConnection.unscoped.all.map { |vc| [vc.name, vc.name] }] }
71
- end
72
-
73
- def set_vault_policy_template
74
- set(
75
- 'vault_policy_template',
76
- N_('The name of the ProvisioningTemplate that will be used for Vault Policy'),
77
- default_vault_policy_template,
78
- N_('Vault Policy template name'),
79
- nil,
80
- collection: vault_policy_templates_collection,
81
- include_blank: _('Select Template')
82
- )
83
- end
84
-
85
- def default_vault_policy_template
86
- ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name
87
- end
88
-
89
- def vault_policy_templates_collection
90
- proc { Hash[ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).map { |tmpl| [tmpl.name, tmpl.name] }] }
91
- end
92
-
93
- def set_vault_orchestration_enabled
94
- set(
95
- 'vault_orchestration_enabled',
96
- N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
97
- false,
98
- N_('Vault Orchestration enabled')
99
- )
100
- end
101
- end
102
- end
103
- end