foreman_vault 1.1.0 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +3 -2
- data/Rakefile +2 -2
- data/app/controllers/api/v2/vault_connections_controller.rb +2 -1
- data/app/controllers/vault_connections_controller.rb +2 -1
- data/app/models/concerns/foreman_vault/orchestration/vault_policy.rb +2 -4
- data/app/models/vault_connection.rb +4 -3
- data/app/services/foreman_vault/vault_auth_method.rb +2 -1
- data/app/services/foreman_vault/vault_policy.rb +1 -0
- data/app/views/vault_connections/_form.html.erb +3 -3
- data/db/migrate/20230309072504_fix_vault_settings_category_to_dsl.rb +7 -0
- data/db/seeds.d/103-provisioning_templates.rb +2 -2
- data/lib/foreman_vault/engine.rb +31 -17
- data/lib/foreman_vault/version.rb +1 -1
- data/lib/tasks/foreman_vault_tasks.rake +14 -39
- data/test/functional/api/v2/vault_connections_controller_test.rb +8 -2
- data/test/models/foreman_vault/orchestration/vault_policy_test.rb +1 -1
- data/test/models/vault_connection_test.rb +6 -0
- data/test/unit/foreman_vault/access_permissions_test.rb +18 -0
- data/test/unit/lib/foreman_vault/macros_test.rb +1 -1
- data/test/unit/services/foreman_vault/vault_auth_method_test.rb +6 -4
- data/test/unit/services/foreman_vault/vault_client_test.rb +4 -4
- metadata +28 -23
- data/app/models/setting/vault.rb +0 -103
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c5fe8746df7815f6129640d07776dcc4e32108fcd751c35fdb20f6facf95b87f
|
|
4
|
+
data.tar.gz: 48a412989b2ce3dda9389f9a6ea9a06fc881157cb959536c618b6395d5b6ed83
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d45fa891dc392701f2cdb08ed00216fabff042a63b3d097cd71caf43630366b245c70ef06bd5860963fa1d9179f239bc0e3e7b79f94a288109d9c97b2dbe068c
|
|
7
|
+
data.tar.gz: 48f5a92159bccc41cea54144f88ce47875d1f83f6158ba812a2b36c1289087aadf41f2caad431f52ebf2c917267f9432e2cf6cbc2a221a35b9ed2b1a924958a1
|
data/README.md
CHANGED
|
@@ -22,6 +22,7 @@ This allows Foreman to create everything needed to access Hashicorp Vault direct
|
|
|
22
22
|
|
|
23
23
|
| Foreman Version | Plugin Version |
|
|
24
24
|
| --------------- | -------------- |
|
|
25
|
+
| >= 3.9 | ~> 2.0 |
|
|
25
26
|
| >= 2.3 | ~> 1.0 |
|
|
26
27
|
| >= 1.23 | ~> 0.3, ~> 0.4 |
|
|
27
28
|
| >= 1.20 | ~> 0.2 |
|
|
@@ -32,7 +33,7 @@ This allows Foreman to create everything needed to access Hashicorp Vault direct
|
|
|
32
33
|
- Working Vault instance
|
|
33
34
|
- with _cert_ auth enabled
|
|
34
35
|
- with _approle_ auth enabled
|
|
35
|
-
- with
|
|
36
|
+
- with _kv v1_ secret store enabled
|
|
36
37
|
- valid Vault Token
|
|
37
38
|
|
|
38
39
|
**Dev Vault Instance**
|
|
@@ -43,7 +44,7 @@ To run a local Vault dev environment on MacOS use:
|
|
|
43
44
|
$ brew install vault
|
|
44
45
|
$ vault server -dev
|
|
45
46
|
$ export VAULT_ADDR='http://127.0.0.1:8200'
|
|
46
|
-
$ vault secrets enable kv
|
|
47
|
+
$ vault secrets enable -version=1 kv
|
|
47
48
|
$ vault auth enable cert
|
|
48
49
|
|
|
49
50
|
$ vault token create -period=60m
|
data/Rakefile
CHANGED
|
@@ -20,7 +20,7 @@ RDoc::Task.new(:rdoc) do |rdoc|
|
|
|
20
20
|
rdoc.rdoc_files.include('lib/**/*.rb')
|
|
21
21
|
end
|
|
22
22
|
|
|
23
|
-
APP_RAKEFILE = File.expand_path('
|
|
23
|
+
APP_RAKEFILE = File.expand_path('test/dummy/Rakefile', __dir__)
|
|
24
24
|
|
|
25
25
|
Bundler::GemHelper.install_tasks
|
|
26
26
|
|
|
@@ -38,7 +38,7 @@ task default: :test
|
|
|
38
38
|
begin
|
|
39
39
|
require 'rubocop/rake_task'
|
|
40
40
|
RuboCop::RakeTask.new
|
|
41
|
-
rescue =>
|
|
41
|
+
rescue StandardError => _e
|
|
42
42
|
puts 'Rubocop not loaded.'
|
|
43
43
|
end
|
|
44
44
|
|
|
@@ -16,7 +16,8 @@ module Api
|
|
|
16
16
|
|
|
17
17
|
api :GET, '/vault_connections/:id', N_('Show VaultConnection details')
|
|
18
18
|
param :id, :identifier, required: true
|
|
19
|
-
def show
|
|
19
|
+
def show
|
|
20
|
+
end
|
|
20
21
|
|
|
21
22
|
def_param_group :vault_connection do
|
|
22
23
|
param :vault_connection, Hash, action_aware: true, required: true do
|
|
@@ -21,7 +21,7 @@ module ForemanVault
|
|
|
21
21
|
return unless vault_auth_method.valid?
|
|
22
22
|
|
|
23
23
|
queue.create(name: _('Push %s data to Vault') % self, priority: 100,
|
|
24
|
-
|
|
24
|
+
action: [self, :set_vault])
|
|
25
25
|
end
|
|
26
26
|
|
|
27
27
|
def queue_vault_destroy
|
|
@@ -30,10 +30,9 @@ module ForemanVault
|
|
|
30
30
|
return unless vault_auth_method.valid?
|
|
31
31
|
|
|
32
32
|
queue.create(name: _('Clear %s Vault data') % self, priority: 60,
|
|
33
|
-
|
|
33
|
+
action: [self, :del_vault])
|
|
34
34
|
end
|
|
35
35
|
|
|
36
|
-
# rubocop:disable Metrics/AbcSize
|
|
37
36
|
def set_vault
|
|
38
37
|
logger.info "Pushing #{name} data to Vault"
|
|
39
38
|
|
|
@@ -44,7 +43,6 @@ module ForemanVault
|
|
|
44
43
|
Foreman::Logging.exception("Failed to push #{name} data to Vault.", e)
|
|
45
44
|
failure format(_('Failed to push %{name} data to Vault: %{message}\n '), name: name, message: e.message), e
|
|
46
45
|
end
|
|
47
|
-
# rubocop:enable Metrics/AbcSize
|
|
48
46
|
|
|
49
47
|
def del_vault
|
|
50
48
|
logger.info "Clearing #{name} Vault data"
|
|
@@ -5,8 +5,9 @@ class VaultConnection < ApplicationRecord
|
|
|
5
5
|
|
|
6
6
|
validates_lengths_from_database
|
|
7
7
|
validates :name, presence: true, uniqueness: true
|
|
8
|
+
validates :name, inclusion: { in: ->(i) { [i.name_was] }, message: _('cannot be changed after creation') }, on: :update
|
|
8
9
|
validates :url, presence: true
|
|
9
|
-
validates :url, format: URI.
|
|
10
|
+
validates :url, format: URI::DEFAULT_PARSER.make_regexp(['http', 'https'])
|
|
10
11
|
|
|
11
12
|
validates :token, presence: true, if: -> { role_id.nil? || secret_id.nil? }
|
|
12
13
|
validates :token, inclusion: { in: [nil], message: _('AppRole or token must be blank') }, unless: -> { role_id.nil? || secret_id.nil? }
|
|
@@ -24,8 +25,8 @@ class VaultConnection < ApplicationRecord
|
|
|
24
25
|
scope :with_valid_token, -> { with_token.where(vault_error: nil).where('expire_time > ?', Time.zone.now) }
|
|
25
26
|
|
|
26
27
|
delegate :fetch_expire_time, :fetch_secret, :issue_certificate,
|
|
27
|
-
|
|
28
|
-
|
|
28
|
+
:policy, :policies, :put_policy, :delete_policy,
|
|
29
|
+
:set_certificate, :certificates, :delete_certificate, to: :client
|
|
29
30
|
|
|
30
31
|
def with_token?
|
|
31
32
|
token.present?
|
|
@@ -31,6 +31,7 @@ module ForemanVault
|
|
|
31
31
|
private
|
|
32
32
|
|
|
33
33
|
attr_reader :host
|
|
34
|
+
|
|
34
35
|
delegate :vault_policy, :vault_connection, :fqdn, to: :host
|
|
35
36
|
delegate :name, to: :vault_policy, prefix: true
|
|
36
37
|
delegate :set_certificate, :delete_certificate, to: :vault_connection
|
|
@@ -39,7 +40,7 @@ module ForemanVault
|
|
|
39
40
|
{
|
|
40
41
|
certificate: certificate,
|
|
41
42
|
token_policies: vault_policy_name,
|
|
42
|
-
allowed_common_names: allowed_common_names
|
|
43
|
+
allowed_common_names: allowed_common_names,
|
|
43
44
|
}
|
|
44
45
|
end
|
|
45
46
|
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
<%= form_for @vault_connection, url: (@vault_connection.new_record? ? vault_connections_path : vault_connection_path(id: @vault_connection)) do |f| %>
|
|
2
2
|
<%= base_errors_for @vault_connection %>
|
|
3
|
-
<%= text_f f, :name, help_inline: _("Vault Connection name") %>
|
|
3
|
+
<%= text_f f, :name, disabled: @vault_connection.persisted?, help_inline: _("Vault Connection name") %>
|
|
4
4
|
<%= text_f f, :url, help_inline: _("Vault Server url") %>
|
|
5
5
|
<div class="auth_methods">
|
|
6
6
|
<h4><%=_("Auth Methods")%></h4>
|
|
@@ -12,10 +12,10 @@
|
|
|
12
12
|
<div class="tab-content">
|
|
13
13
|
<div class="tab-pane active" id="approle">
|
|
14
14
|
<%= text_f f, :role_id, label: _("Role ID"), help_inline: _("Vault Connection Role ID") %>
|
|
15
|
-
<%=
|
|
15
|
+
<%= password_f f, :secret_id, label: _("Secret ID"), help_inline: _("Vault Connection Secret ID") %>
|
|
16
16
|
</div>
|
|
17
17
|
<div class="tab-pane" id="token">
|
|
18
|
-
<%=
|
|
18
|
+
<%= password_f f, :token, help_inline: _("Vault Connection token") %>
|
|
19
19
|
</div>
|
|
20
20
|
</div>
|
|
21
21
|
</div>
|
|
@@ -5,8 +5,8 @@ User.as_anonymous_admin do
|
|
|
5
5
|
{
|
|
6
6
|
name: 'Default Vault Policy',
|
|
7
7
|
source: 'VaultPolicy/default.erb',
|
|
8
|
-
template_kind: TemplateKind.find_or_create_by(name: 'VaultPolicy')
|
|
9
|
-
}
|
|
8
|
+
template_kind: TemplateKind.find_or_create_by(name: 'VaultPolicy'),
|
|
9
|
+
},
|
|
10
10
|
]
|
|
11
11
|
|
|
12
12
|
templates.each do |template|
|
data/lib/foreman_vault/engine.rb
CHANGED
|
@@ -12,14 +12,6 @@ module ForemanVault
|
|
|
12
12
|
config.autoload_paths += Dir["#{config.root}/app/lib"]
|
|
13
13
|
config.autoload_paths += Dir["#{config.root}/app/jobs"]
|
|
14
14
|
|
|
15
|
-
initializer 'foreman_vault.load_default_settings', before: :load_config_initializers do
|
|
16
|
-
require_dependency File.expand_path('../../app/models/setting/vault.rb', __dir__) if begin
|
|
17
|
-
Setting.table_exists?
|
|
18
|
-
rescue StandardError
|
|
19
|
-
(false)
|
|
20
|
-
end
|
|
21
|
-
end
|
|
22
|
-
|
|
23
15
|
# Add any db migrations
|
|
24
16
|
initializer 'foreman_vault.load_app_instance_data' do |app|
|
|
25
17
|
ForemanVault::Engine.paths['db/migrate'].existent.each do |path|
|
|
@@ -29,7 +21,7 @@ module ForemanVault
|
|
|
29
21
|
|
|
30
22
|
initializer 'foreman_vault.register_plugin', before: :finisher_hook do |_app|
|
|
31
23
|
Foreman::Plugin.register :foreman_vault do
|
|
32
|
-
requires_foreman '>=
|
|
24
|
+
requires_foreman '>= 3.9'
|
|
33
25
|
|
|
34
26
|
apipie_documented_controllers ["#{ForemanVault::Engine.root}/app/controllers/api/v2/*.rb"]
|
|
35
27
|
|
|
@@ -45,6 +37,30 @@ module ForemanVault
|
|
|
45
37
|
'api/v2/vault_connections': [:destroy] }, resource_type: 'VaultConnection'
|
|
46
38
|
end
|
|
47
39
|
|
|
40
|
+
settings do
|
|
41
|
+
category(:vault, N_('Vault')) do
|
|
42
|
+
setting('vault_connection',
|
|
43
|
+
full_name: N_('Default Vault connection'),
|
|
44
|
+
type: :string,
|
|
45
|
+
description: N_('Default Vault Connection that can be override using parameters'),
|
|
46
|
+
default: VaultConnection.table_exists? && VaultConnection.unscoped.count == 1 ? VaultConnection.unscoped.first.name : nil,
|
|
47
|
+
collection: VaultConnection.table_exists? ? proc { Hash[VaultConnection.unscoped.all.map { |vc| [vc.name, vc.name] }] } : [],
|
|
48
|
+
include_blank: _('Select Vault Connection'))
|
|
49
|
+
setting('vault_policy_template',
|
|
50
|
+
full_name: N_('Vault Policy template name'),
|
|
51
|
+
type: :string,
|
|
52
|
+
description: N_('The name of the ProvisioningTemplate that will be used for Vault Policy'),
|
|
53
|
+
default: ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name,
|
|
54
|
+
collection: proc { Hash[ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).map { |tmpl| [tmpl.name, tmpl.name] }] },
|
|
55
|
+
include_blank: _('Select Template'))
|
|
56
|
+
setting('vault_orchestration_enabled',
|
|
57
|
+
full_name: N_('Vault Orchestration enabled'),
|
|
58
|
+
type: :boolean,
|
|
59
|
+
description: N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
|
|
60
|
+
default: false)
|
|
61
|
+
end
|
|
62
|
+
end
|
|
63
|
+
|
|
48
64
|
# add menu entry
|
|
49
65
|
menu :top_menu, :vault_connections, url_hash: { controller: :vault_connections, action: :index },
|
|
50
66
|
caption: N_('Vault Connections'),
|
|
@@ -53,14 +69,12 @@ module ForemanVault
|
|
|
53
69
|
end
|
|
54
70
|
|
|
55
71
|
config.to_prepare do
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
Rails.logger.warn "ForemanVault: skipping engine hook (#{e})"
|
|
63
|
-
end
|
|
72
|
+
::Host::Managed.include(ForemanVault::HostExtensions)
|
|
73
|
+
::ProvisioningTemplate.include(ForemanVault::ProvisioningTemplateExtensions)
|
|
74
|
+
::Foreman::Renderer::Scope::Base.include(ForemanVault::Macros)
|
|
75
|
+
::Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret, :vault_issue_certificate] }
|
|
76
|
+
rescue StandardError => e
|
|
77
|
+
Rails.logger.warn "ForemanVault: skipping engine hook (#{e})"
|
|
64
78
|
end
|
|
65
79
|
|
|
66
80
|
initializer 'foreman_vault.register_gettext', after: :load_config_initializers do |_app|
|
|
@@ -11,16 +11,14 @@ namespace :foreman_vault do # rubocop:disable Metrics/BlockLength
|
|
|
11
11
|
hosts = Host::Managed.where(managed: true)
|
|
12
12
|
|
|
13
13
|
hosts.each_with_index do |host, index|
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
|
|
20
|
-
end
|
|
21
|
-
rescue StandardError => err
|
|
22
|
-
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{err}"
|
|
14
|
+
result = host.reload.vault_auth_method.save
|
|
15
|
+
if result
|
|
16
|
+
puts "[#{index + 1}/#{hosts.count}] Auth-Method of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
|
|
17
|
+
else
|
|
18
|
+
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
|
|
23
19
|
end
|
|
20
|
+
rescue StandardError => e
|
|
21
|
+
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{e}"
|
|
24
22
|
end
|
|
25
23
|
end
|
|
26
24
|
end
|
|
@@ -33,16 +31,14 @@ namespace :foreman_vault do # rubocop:disable Metrics/BlockLength
|
|
|
33
31
|
hosts = Host::Managed.where(managed: true)
|
|
34
32
|
|
|
35
33
|
hosts.each_with_index do |host, index|
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
|
|
42
|
-
end
|
|
43
|
-
rescue StandardError => err
|
|
44
|
-
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{err}"
|
|
34
|
+
result = host.reload.vault_policy.save
|
|
35
|
+
if result
|
|
36
|
+
puts "[#{index + 1}/#{hosts.count}] Policy of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
|
|
37
|
+
else
|
|
38
|
+
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
|
|
45
39
|
end
|
|
40
|
+
rescue StandardError => e
|
|
41
|
+
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{e}"
|
|
46
42
|
end
|
|
47
43
|
end
|
|
48
44
|
end
|
|
@@ -61,25 +57,4 @@ namespace :test do
|
|
|
61
57
|
end
|
|
62
58
|
end
|
|
63
59
|
|
|
64
|
-
namespace :foreman_vault do
|
|
65
|
-
task :rubocop do
|
|
66
|
-
begin
|
|
67
|
-
require 'rubocop/rake_task'
|
|
68
|
-
RuboCop::RakeTask.new(:rubocop_foreman_vault) do |task|
|
|
69
|
-
task.patterns = ["#{ForemanVault::Engine.root}/app/**/*.rb",
|
|
70
|
-
"#{ForemanVault::Engine.root}/lib/**/*.rb",
|
|
71
|
-
"#{ForemanVault::Engine.root}/test/**/*.rb"]
|
|
72
|
-
end
|
|
73
|
-
rescue StandardError
|
|
74
|
-
puts 'Rubocop not loaded.'
|
|
75
|
-
end
|
|
76
|
-
|
|
77
|
-
Rake::Task['rubocop_foreman_vault'].invoke
|
|
78
|
-
end
|
|
79
|
-
end
|
|
80
|
-
|
|
81
60
|
Rake::Task[:test].enhance ['test:foreman_vault']
|
|
82
|
-
|
|
83
|
-
load 'tasks/jenkins.rake'
|
|
84
|
-
|
|
85
|
-
Rake::Task['jenkins:unit'].enhance ['test:foreman_vault', 'foreman_vault:rubocop'] if Rake::Task.task_defined?(:'jenkins:unit')
|
|
@@ -53,11 +53,11 @@ module Api
|
|
|
53
53
|
client = mock.tap { |object| object.expects(:auth_token).returns(auth_token) }
|
|
54
54
|
Vault::Client.expects(:new).returns(client)
|
|
55
55
|
|
|
56
|
-
params = {
|
|
56
|
+
params = { url: 'http://updatedhost:8200', token: 'token' }
|
|
57
57
|
put :update, params: { id: @vault_connection.to_param, vault_connection: params }
|
|
58
58
|
response = ActiveSupport::JSON.decode(@response.body)
|
|
59
59
|
assert_response :success
|
|
60
|
-
assert_equal params[:
|
|
60
|
+
assert_equal params[:url], response['url']
|
|
61
61
|
end
|
|
62
62
|
|
|
63
63
|
test 'should not update invalid' do
|
|
@@ -65,6 +65,12 @@ module Api
|
|
|
65
65
|
put :update, params: { id: @vault_connection.to_param, vault_connection: params }
|
|
66
66
|
assert_response :unprocessable_entity
|
|
67
67
|
end
|
|
68
|
+
|
|
69
|
+
test 'should not allow to update name' do
|
|
70
|
+
params = { name: 'Updated name' }
|
|
71
|
+
put :update, params: { id: @vault_connection.to_param, vault_connection: params }
|
|
72
|
+
assert_response :unprocessable_entity
|
|
73
|
+
end
|
|
68
74
|
end
|
|
69
75
|
|
|
70
76
|
describe '#destroy' do
|
|
@@ -139,7 +139,7 @@ module ForemanVault
|
|
|
139
139
|
end
|
|
140
140
|
|
|
141
141
|
setup do
|
|
142
|
-
Setting
|
|
142
|
+
Setting['ssl_ca_file'] = File.join(ForemanVault::Engine.root, 'test/fixtures/ca.crt')
|
|
143
143
|
if Setting.find_by(name: 'vault_orchestration_enabled')
|
|
144
144
|
Setting['vault_orchestration_enabled'] = true
|
|
145
145
|
else
|
|
@@ -10,4 +10,10 @@ class VaultConnectionTest < ActiveSupport::TestCase
|
|
|
10
10
|
should validate_presence_of(:url)
|
|
11
11
|
should allow_value('http://127.0.0.1:8200').for(:url)
|
|
12
12
|
should_not allow_value('börks').for(:url)
|
|
13
|
+
|
|
14
|
+
test 'validate that the name cannot be changed' do
|
|
15
|
+
assert_raises(ActiveRecord::RecordInvalid, 'Validation failed: Name cannot be changed after creation') do
|
|
16
|
+
subject.update!(name: 'UpdatedName')
|
|
17
|
+
end
|
|
18
|
+
end
|
|
13
19
|
end
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'test_plugin_helper'
|
|
4
|
+
require 'unit/shared/access_permissions_test_base'
|
|
5
|
+
|
|
6
|
+
# Permissions are added in AccessPermissions with lists of controllers and
|
|
7
|
+
# actions that they enable access to. For non-admin users, we need to test
|
|
8
|
+
# that there are permissions available that cover every controller action, else
|
|
9
|
+
# it can't be delegated and this will lead to parts of the application that
|
|
10
|
+
# aren't functional for non-admin users.
|
|
11
|
+
#
|
|
12
|
+
# In particular, it's important that actions for AJAX requests are added to
|
|
13
|
+
# an appropriate permission so views using those requests function.
|
|
14
|
+
class AccessPermissionsTest < ActiveSupport::TestCase
|
|
15
|
+
include AccessPermissionsTestBase
|
|
16
|
+
|
|
17
|
+
check_routes(ForemanVault::Engine.routes, [])
|
|
18
|
+
end
|
|
@@ -22,7 +22,7 @@ class MacrosTest < ActiveSupport::TestCase
|
|
|
22
22
|
|
|
23
23
|
subject = TestScope.new(host: host, source: source)
|
|
24
24
|
|
|
25
|
-
|
|
25
|
+
assert_respond_to subject, :vault_secret
|
|
26
26
|
assert_equal response.data, subject.vault_secret(vault_connection.name, secret_path)
|
|
27
27
|
end
|
|
28
28
|
end
|
|
@@ -59,9 +59,11 @@ class VaultAuthMethodTest < ActiveSupport::TestCase
|
|
|
59
59
|
|
|
60
60
|
subject.expects(:set_certificate).once.with(
|
|
61
61
|
'name',
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
62
|
+
{
|
|
63
|
+
certificate: 'cert',
|
|
64
|
+
token_policies: 'vault_policy_name',
|
|
65
|
+
allowed_common_names: [host.fqdn],
|
|
66
|
+
}
|
|
65
67
|
)
|
|
66
68
|
subject.save
|
|
67
69
|
end
|
|
@@ -99,7 +101,7 @@ class VaultAuthMethodTest < ActiveSupport::TestCase
|
|
|
99
101
|
|
|
100
102
|
describe '#certificate' do
|
|
101
103
|
setup do
|
|
102
|
-
Setting
|
|
104
|
+
Setting['ssl_ca_file'] = cert_path
|
|
103
105
|
end
|
|
104
106
|
|
|
105
107
|
context 'when certificate file can be read' do
|
|
@@ -23,15 +23,15 @@ class VaultClientTest < ActiveSupport::TestCase
|
|
|
23
23
|
stub_request(:post, "#{base_url}/v1/auth/approle/login").with(
|
|
24
24
|
body: {
|
|
25
25
|
role_id: role_id,
|
|
26
|
-
secret_id: secret_id
|
|
26
|
+
secret_id: secret_id,
|
|
27
27
|
}
|
|
28
28
|
).to_return(
|
|
29
29
|
status: 200,
|
|
30
30
|
headers: { 'Content-Type': 'application/json' },
|
|
31
31
|
body: {
|
|
32
32
|
auth: {
|
|
33
|
-
client_token: token
|
|
34
|
-
}
|
|
33
|
+
client_token: token,
|
|
34
|
+
},
|
|
35
35
|
}.to_json
|
|
36
36
|
)
|
|
37
37
|
end
|
|
@@ -82,7 +82,7 @@ class VaultClientTest < ActiveSupport::TestCase
|
|
|
82
82
|
issuing_ca: 'CA_CERTIFICATE_DATA',
|
|
83
83
|
private_key: 'PRIVATE_KEY_DATA',
|
|
84
84
|
private_key_type: 'rsa',
|
|
85
|
-
serial_number: '7e:2d:c8:dd:df:da:fe:1f:39:da:39:23:4f:74:c8:1f:1d:4a:db:a7'
|
|
85
|
+
serial_number: '7e:2d:c8:dd:df:da:fe:1f:39:da:39:23:4f:74:c8:1f:1d:4a:db:a7',
|
|
86
86
|
}
|
|
87
87
|
|
|
88
88
|
response = OpenStruct.new(data: @data)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: foreman_vault
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 2.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- dmTECH GmbH
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-05-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: vault
|
|
@@ -39,19 +39,19 @@ dependencies:
|
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
40
|
version: '0'
|
|
41
41
|
- !ruby/object:Gem::Dependency
|
|
42
|
-
name: rubocop
|
|
42
|
+
name: theforeman-rubocop
|
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
|
44
44
|
requirements:
|
|
45
|
-
- -
|
|
45
|
+
- - "~>"
|
|
46
46
|
- !ruby/object:Gem::Version
|
|
47
|
-
version: 0.
|
|
47
|
+
version: 0.1.2
|
|
48
48
|
type: :development
|
|
49
49
|
prerelease: false
|
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
|
51
51
|
requirements:
|
|
52
|
-
- -
|
|
52
|
+
- - "~>"
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
|
-
version: 0.
|
|
54
|
+
version: 0.1.2
|
|
55
55
|
description:
|
|
56
56
|
email:
|
|
57
57
|
- opensource@dm.de
|
|
@@ -71,7 +71,6 @@ files:
|
|
|
71
71
|
- app/models/concerns/foreman_vault/host_extensions.rb
|
|
72
72
|
- app/models/concerns/foreman_vault/orchestration/vault_policy.rb
|
|
73
73
|
- app/models/concerns/foreman_vault/provisioning_template_extensions.rb
|
|
74
|
-
- app/models/setting/vault.rb
|
|
75
74
|
- app/models/vault_connection.rb
|
|
76
75
|
- app/services/foreman_vault/vault_auth_method.rb
|
|
77
76
|
- app/services/foreman_vault/vault_client.rb
|
|
@@ -93,6 +92,7 @@ files:
|
|
|
93
92
|
- db/migrate/20180725072913_create_vault_connection.foreman_vault.rb
|
|
94
93
|
- db/migrate/20180809172407_rename_vault_status_to_vault_error.foreman_vault.rb
|
|
95
94
|
- db/migrate/20201203220058_add_approle_to_vault_connection.rb
|
|
95
|
+
- db/migrate/20230309072504_fix_vault_settings_category_to_dsl.rb
|
|
96
96
|
- db/seeds.d/103-provisioning_templates.rb
|
|
97
97
|
- lib/foreman_vault.rb
|
|
98
98
|
- lib/foreman_vault/engine.rb
|
|
@@ -115,6 +115,7 @@ files:
|
|
|
115
115
|
- test/models/vault_connection_test.rb
|
|
116
116
|
- test/models/vault_policy_template_test.rb
|
|
117
117
|
- test/test_plugin_helper.rb
|
|
118
|
+
- test/unit/foreman_vault/access_permissions_test.rb
|
|
118
119
|
- test/unit/lib/foreman_vault/macros_test.rb
|
|
119
120
|
- test/unit/services/foreman_vault/vault_auth_method_test.rb
|
|
120
121
|
- test/unit/services/foreman_vault/vault_client_test.rb
|
|
@@ -131,32 +132,36 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
131
132
|
requirements:
|
|
132
133
|
- - ">="
|
|
133
134
|
- !ruby/object:Gem::Version
|
|
134
|
-
version: '
|
|
135
|
+
version: '2.5'
|
|
136
|
+
- - "<"
|
|
137
|
+
- !ruby/object:Gem::Version
|
|
138
|
+
version: '4'
|
|
135
139
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
136
140
|
requirements:
|
|
137
141
|
- - ">="
|
|
138
142
|
- !ruby/object:Gem::Version
|
|
139
143
|
version: '0'
|
|
140
144
|
requirements: []
|
|
141
|
-
rubygems_version: 3.
|
|
145
|
+
rubygems_version: 3.4.1
|
|
142
146
|
signing_key:
|
|
143
147
|
specification_version: 4
|
|
144
148
|
summary: Adds support for using credentials from Hashicorp Vault
|
|
145
149
|
test_files:
|
|
146
|
-
- test/unit/lib/foreman_vault/macros_test.rb
|
|
147
|
-
- test/unit/services/foreman_vault/vault_client_test.rb
|
|
148
|
-
- test/unit/services/foreman_vault/vault_policy_test.rb
|
|
149
|
-
- test/unit/services/foreman_vault/vault_auth_method_test.rb
|
|
150
|
-
- test/models/vault_policy_template_test.rb
|
|
151
|
-
- test/models/vault_connection_test.rb
|
|
152
|
-
- test/models/foreman_vault/orchestration/vault_policy_test.rb
|
|
153
|
-
- test/factories/vault_policy_template.rb
|
|
154
150
|
- test/factories/vault_connection.rb
|
|
151
|
+
- test/factories/vault_policy_template.rb
|
|
155
152
|
- test/factories/vault_setting.rb
|
|
156
|
-
- test/lib/tasks/push_policies_test.rb
|
|
157
|
-
- test/lib/tasks/push_auth_methods_test.rb
|
|
158
153
|
- test/fixtures/ca.crt
|
|
159
|
-
- test/test_plugin_helper.rb
|
|
160
|
-
- test/jobs/refresh_vault_tokens_test.rb
|
|
161
|
-
- test/jobs/refresh_vault_token_test.rb
|
|
162
154
|
- test/functional/api/v2/vault_connections_controller_test.rb
|
|
155
|
+
- test/jobs/refresh_vault_token_test.rb
|
|
156
|
+
- test/jobs/refresh_vault_tokens_test.rb
|
|
157
|
+
- test/lib/tasks/push_auth_methods_test.rb
|
|
158
|
+
- test/lib/tasks/push_policies_test.rb
|
|
159
|
+
- test/models/foreman_vault/orchestration/vault_policy_test.rb
|
|
160
|
+
- test/models/vault_connection_test.rb
|
|
161
|
+
- test/models/vault_policy_template_test.rb
|
|
162
|
+
- test/test_plugin_helper.rb
|
|
163
|
+
- test/unit/foreman_vault/access_permissions_test.rb
|
|
164
|
+
- test/unit/lib/foreman_vault/macros_test.rb
|
|
165
|
+
- test/unit/services/foreman_vault/vault_auth_method_test.rb
|
|
166
|
+
- test/unit/services/foreman_vault/vault_client_test.rb
|
|
167
|
+
- test/unit/services/foreman_vault/vault_policy_test.rb
|
data/app/models/setting/vault.rb
DELETED
|
@@ -1,103 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
class Setting
|
|
4
|
-
class Vault < ::Setting
|
|
5
|
-
BLANK_ATTRS << 'vault_connection'
|
|
6
|
-
BLANK_ATTRS << 'vault_policy_template'
|
|
7
|
-
|
|
8
|
-
def self.default_settings
|
|
9
|
-
[set_vault_connection, set_vault_policy_template, set_vault_orchestration_enabled]
|
|
10
|
-
end
|
|
11
|
-
|
|
12
|
-
# rubocop:disable Metrics/AbcSize, Metrics/MethodLength
|
|
13
|
-
def self.load_defaults
|
|
14
|
-
# Check the table exists
|
|
15
|
-
return unless super
|
|
16
|
-
|
|
17
|
-
transaction do
|
|
18
|
-
default_settings.each do |s|
|
|
19
|
-
setting = create! s.update(category: 'Setting::Vault')
|
|
20
|
-
|
|
21
|
-
Foreman.try(:settings)&._add(
|
|
22
|
-
s[:name],
|
|
23
|
-
s.slice(:description, :default, :full_name, :encrypted)
|
|
24
|
-
.merge(category: 'Setting::Vault')
|
|
25
|
-
.yield_self do |params|
|
|
26
|
-
unless Gem::Version.new(SETTINGS[:version].notag) < Gem::Version.new('2.6')
|
|
27
|
-
params[:context] = :vault
|
|
28
|
-
params[:type] = setting.settings_type
|
|
29
|
-
end
|
|
30
|
-
params
|
|
31
|
-
end
|
|
32
|
-
)
|
|
33
|
-
end
|
|
34
|
-
end
|
|
35
|
-
|
|
36
|
-
Foreman.try(:settings)&.load
|
|
37
|
-
true
|
|
38
|
-
end
|
|
39
|
-
# rubocop:enable Metrics/AbcSize, Metrics/MethodLength
|
|
40
|
-
|
|
41
|
-
def self.humanized_category
|
|
42
|
-
N_('Vault')
|
|
43
|
-
end
|
|
44
|
-
|
|
45
|
-
class << self
|
|
46
|
-
private
|
|
47
|
-
|
|
48
|
-
def set_vault_connection
|
|
49
|
-
set(
|
|
50
|
-
'vault_connection',
|
|
51
|
-
N_('Default Vault Connection that can be override using parameters'),
|
|
52
|
-
default_vault_connection,
|
|
53
|
-
N_('Default Vault Connection'),
|
|
54
|
-
nil,
|
|
55
|
-
collection: vault_connections_collection,
|
|
56
|
-
include_blank: _('Select Vault Connection')
|
|
57
|
-
)
|
|
58
|
-
end
|
|
59
|
-
|
|
60
|
-
def default_vault_connection
|
|
61
|
-
return nil unless VaultConnection.table_exists?
|
|
62
|
-
return unless VaultConnection.unscoped.count == 1
|
|
63
|
-
|
|
64
|
-
VaultConnection.unscoped.first.name
|
|
65
|
-
end
|
|
66
|
-
|
|
67
|
-
def vault_connections_collection
|
|
68
|
-
return [] unless VaultConnection.table_exists?
|
|
69
|
-
|
|
70
|
-
proc { Hash[VaultConnection.unscoped.all.map { |vc| [vc.name, vc.name] }] }
|
|
71
|
-
end
|
|
72
|
-
|
|
73
|
-
def set_vault_policy_template
|
|
74
|
-
set(
|
|
75
|
-
'vault_policy_template',
|
|
76
|
-
N_('The name of the ProvisioningTemplate that will be used for Vault Policy'),
|
|
77
|
-
default_vault_policy_template,
|
|
78
|
-
N_('Vault Policy template name'),
|
|
79
|
-
nil,
|
|
80
|
-
collection: vault_policy_templates_collection,
|
|
81
|
-
include_blank: _('Select Template')
|
|
82
|
-
)
|
|
83
|
-
end
|
|
84
|
-
|
|
85
|
-
def default_vault_policy_template
|
|
86
|
-
ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name
|
|
87
|
-
end
|
|
88
|
-
|
|
89
|
-
def vault_policy_templates_collection
|
|
90
|
-
proc { Hash[ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).map { |tmpl| [tmpl.name, tmpl.name] }] }
|
|
91
|
-
end
|
|
92
|
-
|
|
93
|
-
def set_vault_orchestration_enabled
|
|
94
|
-
set(
|
|
95
|
-
'vault_orchestration_enabled',
|
|
96
|
-
N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
|
|
97
|
-
false,
|
|
98
|
-
N_('Vault Orchestration enabled')
|
|
99
|
-
)
|
|
100
|
-
end
|
|
101
|
-
end
|
|
102
|
-
end
|
|
103
|
-
end
|