foreman_vault 1.2.0 → 2.0.0
- checksums.yaml +4 -4
- data/README.md +1 -0
- data/Rakefile +2 -2
- data/app/controllers/api/v2/vault_connections_controller.rb +2 -1
- data/app/controllers/vault_connections_controller.rb +2 -1
- data/app/models/concerns/foreman_vault/orchestration/vault_policy.rb +2 -4
- data/app/models/vault_connection.rb +3 -3
- data/app/services/foreman_vault/vault_auth_method.rb +2 -1
- data/app/services/foreman_vault/vault_policy.rb +1 -0
- data/db/migrate/20230309072504_fix_vault_settings_category_to_dsl.rb +7 -0
- data/db/seeds.d/103-provisioning_templates.rb +2 -2
- data/lib/foreman_vault/engine.rb +28 -41
- data/lib/foreman_vault/version.rb +1 -1
- data/lib/tasks/foreman_vault_tasks.rake +14 -39
- data/test/unit/foreman_vault/access_permissions_test.rb +18 -0
- data/test/unit/lib/foreman_vault/macros_test.rb +1 -1
- data/test/unit/services/foreman_vault/vault_auth_method_test.rb +5 -3
- data/test/unit/services/foreman_vault/vault_client_test.rb +4 -4
- metadata +15 -10
- data/app/models/setting/vault.rb +0 -104
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c5fe8746df7815f6129640d07776dcc4e32108fcd751c35fdb20f6facf95b87f
|
4
|
+
data.tar.gz: 48a412989b2ce3dda9389f9a6ea9a06fc881157cb959536c618b6395d5b6ed83
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: d45fa891dc392701f2cdb08ed00216fabff042a63b3d097cd71caf43630366b245c70ef06bd5860963fa1d9179f239bc0e3e7b79f94a288109d9c97b2dbe068c
|
7
|
+
data.tar.gz: 48f5a92159bccc41cea54144f88ce47875d1f83f6158ba812a2b36c1289087aadf41f2caad431f52ebf2c917267f9432e2cf6cbc2a221a35b9ed2b1a924958a1
|
data/README.md
CHANGED
@@ -22,6 +22,7 @@ This allows Foreman to create everything needed to access Hashicorp Vault direct
|
|
22
22
|
|
23
23
|
| Foreman Version | Plugin Version |
|
24
24
|
| --------------- | -------------- |
|
25
|
+
| >= 3.9 | ~> 2.0 |
|
25
26
|
| >= 2.3 | ~> 1.0 |
|
26
27
|
| >= 1.23 | ~> 0.3, ~> 0.4 |
|
27
28
|
| >= 1.20 | ~> 0.2 |
|
data/Rakefile
CHANGED
@@ -20,7 +20,7 @@ RDoc::Task.new(:rdoc) do |rdoc|
|
|
20
20
|
rdoc.rdoc_files.include('lib/**/*.rb')
|
21
21
|
end
|
22
22
|
|
23
|
-
APP_RAKEFILE = File.expand_path('
|
23
|
+
APP_RAKEFILE = File.expand_path('test/dummy/Rakefile', __dir__)
|
24
24
|
|
25
25
|
Bundler::GemHelper.install_tasks
|
26
26
|
|
@@ -38,7 +38,7 @@ task default: :test
|
|
38
38
|
begin
|
39
39
|
require 'rubocop/rake_task'
|
40
40
|
RuboCop::RakeTask.new
|
41
|
-
rescue =>
|
41
|
+
rescue StandardError => _e
|
42
42
|
puts 'Rubocop not loaded.'
|
43
43
|
end
|
44
44
|
|
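Review bot: `rescue StandardError => _e` on new line 41 cannot catch the failure it is written for: when the rubocop gem is absent, `require 'rubocop/rake_task'` on line 39 raises `LoadError`, which is a `ScriptError` rather than a `StandardError`, so the `puts 'Rubocop not loaded.'` fallback is unreachable for that case and the Rakefile aborts instead. The old bare `rescue =>` had the same gap, so this is pre-existing, but the line is being rewritten anyway; `_e` is also never used. Replace it with `rescue LoadError`.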
@@ -16,7 +16,8 @@ module Api
|
|
16
16
|
|
17
17
|
api :GET, '/vault_connections/:id', N_('Show VaultConnection details')
|
18
18
|
param :id, :identifier, required: true
|
19
|
-
def show
|
19
|
+
def show
|
20
|
+
end
|
20
21
|
|
21
22
|
def_param_group :vault_connection do
|
22
23
|
param :vault_connection, Hash, action_aware: true, required: true do
|
@@ -21,7 +21,7 @@ module ForemanVault
|
|
21
21
|
return unless vault_auth_method.valid?
|
22
22
|
|
23
23
|
queue.create(name: _('Push %s data to Vault') % self, priority: 100,
|
24
|
-
|
24
|
+
action: [self, :set_vault])
|
25
25
|
end
|
26
26
|
|
27
27
|
def queue_vault_destroy
|
@@ -30,10 +30,9 @@ module ForemanVault
|
|
30
30
|
return unless vault_auth_method.valid?
|
31
31
|
|
32
32
|
queue.create(name: _('Clear %s Vault data') % self, priority: 60,
|
33
|
-
|
33
|
+
action: [self, :del_vault])
|
34
34
|
end
|
35
35
|
|
36
|
-
# rubocop:disable Metrics/AbcSize
|
37
36
|
def set_vault
|
38
37
|
logger.info "Pushing #{name} data to Vault"
|
39
38
|
|
@@ -44,7 +43,6 @@ module ForemanVault
|
|
44
43
|
Foreman::Logging.exception("Failed to push #{name} data to Vault.", e)
|
45
44
|
failure format(_('Failed to push %{name} data to Vault: %{message}\n '), name: name, message: e.message), e
|
46
45
|
end
|
47
|
-
# rubocop:enable Metrics/AbcSize
|
48
46
|
|
49
47
|
def del_vault
|
50
48
|
logger.info "Clearing #{name} Vault data"
|
@@ -7,7 +7,7 @@ class VaultConnection < ApplicationRecord
|
|
7
7
|
validates :name, presence: true, uniqueness: true
|
8
8
|
validates :name, inclusion: { in: ->(i) { [i.name_was] }, message: _('cannot be changed after creation') }, on: :update
|
9
9
|
validates :url, presence: true
|
10
|
-
validates :url, format: URI.
|
10
|
+
validates :url, format: URI::DEFAULT_PARSER.make_regexp(['http', 'https'])
|
11
11
|
|
12
12
|
validates :token, presence: true, if: -> { role_id.nil? || secret_id.nil? }
|
13
13
|
validates :token, inclusion: { in: [nil], message: _('AppRole or token must be blank') }, unless: -> { role_id.nil? || secret_id.nil? }
|
@@ -25,8 +25,8 @@ class VaultConnection < ApplicationRecord
|
|
25
25
|
scope :with_valid_token, -> { with_token.where(vault_error: nil).where('expire_time > ?', Time.zone.now) }
|
26
26
|
|
27
27
|
delegate :fetch_expire_time, :fetch_secret, :issue_certificate,
|
28
|
-
|
29
|
-
|
28
|
+
:policy, :policies, :put_policy, :delete_policy,
|
29
|
+
:set_certificate, :certificates, :delete_certificate, to: :client
|
30
30
|
|
31
31
|
def with_token?
|
32
32
|
token.present?
|
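Review bot: The new `validates :url, format: URI::DEFAULT_PARSER.make_regexp(['http', 'https'])` on line 10 is only as strict as that regexp, and the parser-generated URI regexps have historically been unanchored, in which case the format validator accepts any string that merely contains an http(s) URL somewhere (e.g. `'junk http://a'`); the removed line is cut off in this view, so whether that is new behaviour cannot be told here. Given that `url` is the endpoint the connection's `token` or AppRole `role_id`/`secret_id` are presented to, it is worth checking that such values are rejected on the Rubies the gem supports (metadata allows 2.5 up to 4) and, if any accept them, adding an explicit parse-based validation next to the format check, as below (the method belongs in the class's private section; the class continues outside the hunk).
```ruby
validates :url, presence: true
validates :url, format: URI::DEFAULT_PARSER.make_regexp(['http', 'https'])
validate :url_is_absolute_http

# … unchanged: token / AppRole validations, scopes, delegations, with_token? …

# Reject values that merely contain a URL somewhere: require an absolute
# http(s) URL with a host.
def url_is_absolute_http
  uri = URI.parse(url.to_s)
  return if %w[http https].include?(uri.scheme) && uri.host.present?

  errors.add(:url, :invalid)
rescue URI::InvalidURIError
  errors.add(:url, :invalid)
end
```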
@@ -31,6 +31,7 @@ module ForemanVault
|
|
31
31
|
private
|
32
32
|
|
33
33
|
attr_reader :host
|
34
|
+
|
34
35
|
delegate :vault_policy, :vault_connection, :fqdn, to: :host
|
35
36
|
delegate :name, to: :vault_policy, prefix: true
|
36
37
|
delegate :set_certificate, :delete_certificate, to: :vault_connection
|
@@ -39,7 +40,7 @@ module ForemanVault
|
|
39
40
|
{
|
40
41
|
certificate: certificate,
|
41
42
|
token_policies: vault_policy_name,
|
42
|
-
allowed_common_names: allowed_common_names
|
43
|
+
allowed_common_names: allowed_common_names,
|
43
44
|
}
|
44
45
|
end
|
45
46
|
|
@@ -5,8 +5,8 @@ User.as_anonymous_admin do
|
|
5
5
|
{
|
6
6
|
name: 'Default Vault Policy',
|
7
7
|
source: 'VaultPolicy/default.erb',
|
8
|
-
template_kind: TemplateKind.find_or_create_by(name: 'VaultPolicy')
|
9
|
-
}
|
8
|
+
template_kind: TemplateKind.find_or_create_by(name: 'VaultPolicy'),
|
9
|
+
},
|
10
10
|
]
|
11
11
|
|
12
12
|
templates.each do |template|
|
data/lib/foreman_vault/engine.rb
CHANGED
@@ -12,14 +12,6 @@ module ForemanVault
|
|
12
12
|
config.autoload_paths += Dir["#{config.root}/app/lib"]
|
13
13
|
config.autoload_paths += Dir["#{config.root}/app/jobs"]
|
14
14
|
|
15
|
-
initializer 'foreman_vault.load_default_settings', before: :load_config_initializers do
|
16
|
-
require_dependency File.expand_path('../../app/models/setting/vault.rb', __dir__) if begin
|
17
|
-
Setting.table_exists?
|
18
|
-
rescue StandardError
|
19
|
-
(false)
|
20
|
-
end
|
21
|
-
end
|
22
|
-
|
23
15
|
# Add any db migrations
|
24
16
|
initializer 'foreman_vault.load_app_instance_data' do |app|
|
25
17
|
ForemanVault::Engine.paths['db/migrate'].existent.each do |path|
|
@@ -29,7 +21,7 @@ module ForemanVault
|
|
29
21
|
|
30
22
|
initializer 'foreman_vault.register_plugin', before: :finisher_hook do |_app|
|
31
23
|
Foreman::Plugin.register :foreman_vault do
|
32
|
-
requires_foreman '>=
|
24
|
+
requires_foreman '>= 3.9'
|
33
25
|
|
34
26
|
apipie_documented_controllers ["#{ForemanVault::Engine.root}/app/controllers/api/v2/*.rb"]
|
35
27
|
|
@@ -45,30 +37,27 @@ module ForemanVault
|
|
45
37
|
'api/v2/vault_connections': [:destroy] }, resource_type: 'VaultConnection'
|
46
38
|
end
|
47
39
|
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
description: N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
|
70
|
-
default: false)
|
71
|
-
end
|
40
|
+
settings do
|
41
|
+
category(:vault, N_('Vault')) do
|
42
|
+
setting('vault_connection',
|
43
|
+
full_name: N_('Default Vault connection'),
|
44
|
+
type: :string,
|
45
|
+
description: N_('Default Vault Connection that can be override using parameters'),
|
46
|
+
default: VaultConnection.table_exists? && VaultConnection.unscoped.count == 1 ? VaultConnection.unscoped.first.name : nil,
|
47
|
+
collection: VaultConnection.table_exists? ? proc { Hash[VaultConnection.unscoped.all.map { |vc| [vc.name, vc.name] }] } : [],
|
48
|
+
include_blank: _('Select Vault Connection'))
|
49
|
+
setting('vault_policy_template',
|
50
|
+
full_name: N_('Vault Policy template name'),
|
51
|
+
type: :string,
|
52
|
+
description: N_('The name of the ProvisioningTemplate that will be used for Vault Policy'),
|
53
|
+
default: ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name,
|
54
|
+
collection: proc { Hash[ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).map { |tmpl| [tmpl.name, tmpl.name] }] },
|
55
|
+
include_blank: _('Select Template'))
|
56
|
+
setting('vault_orchestration_enabled',
|
57
|
+
full_name: N_('Vault Orchestration enabled'),
|
58
|
+
type: :boolean,
|
59
|
+
description: N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
|
60
|
+
default: false)
|
72
61
|
end
|
73
62
|
end
|
74
63
|
|
@@ -80,14 +69,12 @@ module ForemanVault
|
|
80
69
|
end
|
81
70
|
|
82
71
|
config.to_prepare do
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
Rails.logger.warn "ForemanVault: skipping engine hook (#{e})"
|
90
|
-
end
|
72
|
+
::Host::Managed.include(ForemanVault::HostExtensions)
|
73
|
+
::ProvisioningTemplate.include(ForemanVault::ProvisioningTemplateExtensions)
|
74
|
+
::Foreman::Renderer::Scope::Base.include(ForemanVault::Macros)
|
75
|
+
::Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret, :vault_issue_certificate] }
|
76
|
+
rescue StandardError => e
|
77
|
+
Rails.logger.warn "ForemanVault: skipping engine hook (#{e})"
|
91
78
|
end
|
92
79
|
|
93
80
|
initializer 'foreman_vault.register_gettext', after: :load_config_initializers do |_app|
|
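Review bot: In the settings hunk, the `vault_policy_template` default (new line 53) runs `ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name` unconditionally while the plugin registers, whereas the `vault_connection` default and collection just above it are both guarded with `VaultConnection.table_exists?`; on a database that is not migrated yet that query would presumably raise inside `Foreman::Plugin.register` and abort registration rather than leave the default blank. Guarding it the same way keeps the three settings consistent: `default: ProvisioningTemplate.table_exists? ? ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name : nil,`. Both defaults are computed once at boot, so a connection or template created afterwards is only picked up after a restart; a short comment above `settings do` saying so would save the next reader a surprise. The description string on new line 45 should read `overridden`, not `override`.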
@@ -11,16 +11,14 @@ namespace :foreman_vault do # rubocop:disable Metrics/BlockLength
|
|
11
11
|
hosts = Host::Managed.where(managed: true)
|
12
12
|
|
13
13
|
hosts.each_with_index do |host, index|
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
|
20
|
-
end
|
21
|
-
rescue StandardError => err
|
22
|
-
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{err}"
|
14
|
+
result = host.reload.vault_auth_method.save
|
15
|
+
if result
|
16
|
+
puts "[#{index + 1}/#{hosts.count}] Auth-Method of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
|
17
|
+
else
|
18
|
+
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
|
23
19
|
end
|
20
|
+
rescue StandardError => e
|
21
|
+
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{e}"
|
24
22
|
end
|
25
23
|
end
|
26
24
|
end
|
@@ -33,16 +31,14 @@ namespace :foreman_vault do # rubocop:disable Metrics/BlockLength
|
|
33
31
|
hosts = Host::Managed.where(managed: true)
|
34
32
|
|
35
33
|
hosts.each_with_index do |host, index|
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
|
42
|
-
end
|
43
|
-
rescue StandardError => err
|
44
|
-
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{err}"
|
34
|
+
result = host.reload.vault_policy.save
|
35
|
+
if result
|
36
|
+
puts "[#{index + 1}/#{hosts.count}] Policy of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
|
37
|
+
else
|
38
|
+
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
|
45
39
|
end
|
40
|
+
rescue StandardError => e
|
41
|
+
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{e}"
|
46
42
|
end
|
47
43
|
end
|
48
44
|
end
|
@@ -61,25 +57,4 @@ namespace :test do
|
|
61
57
|
end
|
62
58
|
end
|
63
59
|
|
64
|
-
namespace :foreman_vault do
|
65
|
-
task :rubocop do
|
66
|
-
begin
|
67
|
-
require 'rubocop/rake_task'
|
68
|
-
RuboCop::RakeTask.new(:rubocop_foreman_vault) do |task|
|
69
|
-
task.patterns = ["#{ForemanVault::Engine.root}/app/**/*.rb",
|
70
|
-
"#{ForemanVault::Engine.root}/lib/**/*.rb",
|
71
|
-
"#{ForemanVault::Engine.root}/test/**/*.rb"]
|
72
|
-
end
|
73
|
-
rescue StandardError
|
74
|
-
puts 'Rubocop not loaded.'
|
75
|
-
end
|
76
|
-
|
77
|
-
Rake::Task['rubocop_foreman_vault'].invoke
|
78
|
-
end
|
79
|
-
end
|
80
|
-
|
81
60
|
Rake::Task[:test].enhance ['test:foreman_vault']
|
82
|
-
|
83
|
-
load 'tasks/jenkins.rake'
|
84
|
-
|
85
|
-
Rake::Task['jenkins:unit'].enhance ['test:foreman_vault', 'foreman_vault:rubocop'] if Rake::Task.task_defined?(:'jenkins:unit')
|
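Review bot: In the `else` branch of the first hunk (new line 18) `result` is whatever `save` returned, which for a failed save is presumably `false` or `nil`, so the operator sees `Failed to push "host": false` with no reason; the second hunk (new line 38) has the same shape. If `vault_auth_method` and `vault_policy` carry validation errors, keep the object in a local and print those instead — e.g. `auth_method = host.reload.vault_auth_method` then `result = auth_method.save`, interpolating `auth_method.errors.full_messages.join(', ')` in the failure line — otherwise drop the `#{result}` interpolation. Separately, `hosts.count` inside the interpolation on every `puts` issues a fresh COUNT query per host in both loops because `hosts` is an unevaluated relation; hoisting `total = hosts.count` before `each_with_index` removes that. Both enclosing task blocks start outside their hunks.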
@@ -0,0 +1,18 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'test_plugin_helper'
|
4
|
+
require 'unit/shared/access_permissions_test_base'
|
5
|
+
|
6
|
+
# Permissions are added in AccessPermissions with lists of controllers and
|
7
|
+
# actions that they enable access to. For non-admin users, we need to test
|
8
|
+
# that there are permissions available that cover every controller action, else
|
9
|
+
# it can't be delegated and this will lead to parts of the application that
|
10
|
+
# aren't functional for non-admin users.
|
11
|
+
#
|
12
|
+
# In particular, it's important that actions for AJAX requests are added to
|
13
|
+
# an appropriate permission so views using those requests function.
|
14
|
+
class AccessPermissionsTest < ActiveSupport::TestCase
|
15
|
+
include AccessPermissionsTestBase
|
16
|
+
|
17
|
+
check_routes(ForemanVault::Engine.routes, [])
|
18
|
+
end
|
@@ -22,7 +22,7 @@ class MacrosTest < ActiveSupport::TestCase
|
|
22
22
|
|
23
23
|
subject = TestScope.new(host: host, source: source)
|
24
24
|
|
25
|
-
|
25
|
+
assert_respond_to subject, :vault_secret
|
26
26
|
assert_equal response.data, subject.vault_secret(vault_connection.name, secret_path)
|
27
27
|
end
|
28
28
|
end
|
@@ -59,9 +59,11 @@ class VaultAuthMethodTest < ActiveSupport::TestCase
|
|
59
59
|
|
60
60
|
subject.expects(:set_certificate).once.with(
|
61
61
|
'name',
|
62
|
-
|
63
|
-
|
64
|
-
|
62
|
+
{
|
63
|
+
certificate: 'cert',
|
64
|
+
token_policies: 'vault_policy_name',
|
65
|
+
allowed_common_names: [host.fqdn],
|
66
|
+
}
|
65
67
|
)
|
66
68
|
subject.save
|
67
69
|
end
|
@@ -23,15 +23,15 @@ class VaultClientTest < ActiveSupport::TestCase
|
|
23
23
|
stub_request(:post, "#{base_url}/v1/auth/approle/login").with(
|
24
24
|
body: {
|
25
25
|
role_id: role_id,
|
26
|
-
secret_id: secret_id
|
26
|
+
secret_id: secret_id,
|
27
27
|
}
|
28
28
|
).to_return(
|
29
29
|
status: 200,
|
30
30
|
headers: { 'Content-Type': 'application/json' },
|
31
31
|
body: {
|
32
32
|
auth: {
|
33
|
-
client_token: token
|
34
|
-
}
|
33
|
+
client_token: token,
|
34
|
+
},
|
35
35
|
}.to_json
|
36
36
|
)
|
37
37
|
end
|
@@ -82,7 +82,7 @@ class VaultClientTest < ActiveSupport::TestCase
|
|
82
82
|
issuing_ca: 'CA_CERTIFICATE_DATA',
|
83
83
|
private_key: 'PRIVATE_KEY_DATA',
|
84
84
|
private_key_type: 'rsa',
|
85
|
-
serial_number: '7e:2d:c8:dd:df:da:fe:1f:39:da:39:23:4f:74:c8:1f:1d:4a:db:a7'
|
85
|
+
serial_number: '7e:2d:c8:dd:df:da:fe:1f:39:da:39:23:4f:74:c8:1f:1d:4a:db:a7',
|
86
86
|
}
|
87
87
|
|
88
88
|
response = OpenStruct.new(data: @data)
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: foreman_vault
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 2.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- dmTECH GmbH
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2024-05-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: vault
|
@@ -39,19 +39,19 @@ dependencies:
|
|
39
39
|
- !ruby/object:Gem::Version
|
40
40
|
version: '0'
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
|
-
name: rubocop
|
42
|
+
name: theforeman-rubocop
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
44
44
|
requirements:
|
45
|
-
- -
|
45
|
+
- - "~>"
|
46
46
|
- !ruby/object:Gem::Version
|
47
|
-
version: 0.
|
47
|
+
version: 0.1.2
|
48
48
|
type: :development
|
49
49
|
prerelease: false
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
51
51
|
requirements:
|
52
|
-
- -
|
52
|
+
- - "~>"
|
53
53
|
- !ruby/object:Gem::Version
|
54
|
-
version: 0.
|
54
|
+
version: 0.1.2
|
55
55
|
description:
|
56
56
|
email:
|
57
57
|
- opensource@dm.de
|
@@ -71,7 +71,6 @@ files:
|
|
71
71
|
- app/models/concerns/foreman_vault/host_extensions.rb
|
72
72
|
- app/models/concerns/foreman_vault/orchestration/vault_policy.rb
|
73
73
|
- app/models/concerns/foreman_vault/provisioning_template_extensions.rb
|
74
|
-
- app/models/setting/vault.rb
|
75
74
|
- app/models/vault_connection.rb
|
76
75
|
- app/services/foreman_vault/vault_auth_method.rb
|
77
76
|
- app/services/foreman_vault/vault_client.rb
|
@@ -93,6 +92,7 @@ files:
|
|
93
92
|
- db/migrate/20180725072913_create_vault_connection.foreman_vault.rb
|
94
93
|
- db/migrate/20180809172407_rename_vault_status_to_vault_error.foreman_vault.rb
|
95
94
|
- db/migrate/20201203220058_add_approle_to_vault_connection.rb
|
95
|
+
- db/migrate/20230309072504_fix_vault_settings_category_to_dsl.rb
|
96
96
|
- db/seeds.d/103-provisioning_templates.rb
|
97
97
|
- lib/foreman_vault.rb
|
98
98
|
- lib/foreman_vault/engine.rb
|
@@ -115,6 +115,7 @@ files:
|
|
115
115
|
- test/models/vault_connection_test.rb
|
116
116
|
- test/models/vault_policy_template_test.rb
|
117
117
|
- test/test_plugin_helper.rb
|
118
|
+
- test/unit/foreman_vault/access_permissions_test.rb
|
118
119
|
- test/unit/lib/foreman_vault/macros_test.rb
|
119
120
|
- test/unit/services/foreman_vault/vault_auth_method_test.rb
|
120
121
|
- test/unit/services/foreman_vault/vault_client_test.rb
|
@@ -131,14 +132,17 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
131
132
|
requirements:
|
132
133
|
- - ">="
|
133
134
|
- !ruby/object:Gem::Version
|
134
|
-
version: '
|
135
|
+
version: '2.5'
|
136
|
+
- - "<"
|
137
|
+
- !ruby/object:Gem::Version
|
138
|
+
version: '4'
|
135
139
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
136
140
|
requirements:
|
137
141
|
- - ">="
|
138
142
|
- !ruby/object:Gem::Version
|
139
143
|
version: '0'
|
140
144
|
requirements: []
|
141
|
-
rubygems_version: 3.
|
145
|
+
rubygems_version: 3.4.1
|
142
146
|
signing_key:
|
143
147
|
specification_version: 4
|
144
148
|
summary: Adds support for using credentials from Hashicorp Vault
|
@@ -156,6 +160,7 @@ test_files:
|
|
156
160
|
- test/models/vault_connection_test.rb
|
157
161
|
- test/models/vault_policy_template_test.rb
|
158
162
|
- test/test_plugin_helper.rb
|
163
|
+
- test/unit/foreman_vault/access_permissions_test.rb
|
159
164
|
- test/unit/lib/foreman_vault/macros_test.rb
|
160
165
|
- test/unit/services/foreman_vault/vault_auth_method_test.rb
|
161
166
|
- test/unit/services/foreman_vault/vault_client_test.rb
|
data/app/models/setting/vault.rb
DELETED
@@ -1,104 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
class Setting
|
4
|
-
class Vault < ::Setting
|
5
|
-
BLANK_ATTRS << 'vault_connection'
|
6
|
-
BLANK_ATTRS << 'vault_policy_template'
|
7
|
-
|
8
|
-
def self.default_settings
|
9
|
-
[set_vault_connection, set_vault_policy_template, set_vault_orchestration_enabled]
|
10
|
-
end
|
11
|
-
|
12
|
-
# rubocop:disable Metrics/AbcSize, Metrics/MethodLength
|
13
|
-
def self.load_defaults
|
14
|
-
return unless Gem::Version.new(SETTINGS[:version].notag) < Gem::Version.new('3.4')
|
15
|
-
|
16
|
-
# Check the table exists
|
17
|
-
return unless super
|
18
|
-
|
19
|
-
transaction do
|
20
|
-
default_settings.each do |s|
|
21
|
-
setting = create! s.update(category: 'Setting::Vault')
|
22
|
-
|
23
|
-
Foreman.try(:settings)&._add(
|
24
|
-
s[:name],
|
25
|
-
s.slice(:description, :default, :full_name, :encrypted)
|
26
|
-
.merge(category: 'Setting::Vault')
|
27
|
-
.yield_self do |params|
|
28
|
-
unless Gem::Version.new(SETTINGS[:version].notag) < Gem::Version.new('2.6')
|
29
|
-
params[:context] = :vault
|
30
|
-
params[:type] = setting.settings_type
|
31
|
-
end
|
32
|
-
params
|
33
|
-
end
|
34
|
-
)
|
35
|
-
end
|
36
|
-
end
|
37
|
-
|
38
|
-
true
|
39
|
-
end
|
40
|
-
# rubocop:enable Metrics/AbcSize, Metrics/MethodLength
|
41
|
-
|
42
|
-
def self.humanized_category
|
43
|
-
N_('Vault')
|
44
|
-
end
|
45
|
-
|
46
|
-
class << self
|
47
|
-
private
|
48
|
-
|
49
|
-
def set_vault_connection
|
50
|
-
set(
|
51
|
-
'vault_connection',
|
52
|
-
N_('Default Vault Connection that can be override using parameters'),
|
53
|
-
default_vault_connection,
|
54
|
-
N_('Default Vault Connection'),
|
55
|
-
nil,
|
56
|
-
collection: vault_connections_collection,
|
57
|
-
include_blank: _('Select Vault Connection')
|
58
|
-
)
|
59
|
-
end
|
60
|
-
|
61
|
-
def default_vault_connection
|
62
|
-
return nil unless VaultConnection.table_exists?
|
63
|
-
return unless VaultConnection.unscoped.count == 1
|
64
|
-
|
65
|
-
VaultConnection.unscoped.first.name
|
66
|
-
end
|
67
|
-
|
68
|
-
def vault_connections_collection
|
69
|
-
return [] unless VaultConnection.table_exists?
|
70
|
-
|
71
|
-
proc { Hash[VaultConnection.unscoped.all.map { |vc| [vc.name, vc.name] }] }
|
72
|
-
end
|
73
|
-
|
74
|
-
def set_vault_policy_template
|
75
|
-
set(
|
76
|
-
'vault_policy_template',
|
77
|
-
N_('The name of the ProvisioningTemplate that will be used for Vault Policy'),
|
78
|
-
default_vault_policy_template,
|
79
|
-
N_('Vault Policy template name'),
|
80
|
-
nil,
|
81
|
-
collection: vault_policy_templates_collection,
|
82
|
-
include_blank: _('Select Template')
|
83
|
-
)
|
84
|
-
end
|
85
|
-
|
86
|
-
def default_vault_policy_template
|
87
|
-
ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name
|
88
|
-
end
|
89
|
-
|
90
|
-
def vault_policy_templates_collection
|
91
|
-
proc { Hash[ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).map { |tmpl| [tmpl.name, tmpl.name] }] }
|
92
|
-
end
|
93
|
-
|
94
|
-
def set_vault_orchestration_enabled
|
95
|
-
set(
|
96
|
-
'vault_orchestration_enabled',
|
97
|
-
N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
|
98
|
-
false,
|
99
|
-
N_('Vault Orchestration enabled')
|
100
|
-
)
|
101
|
-
end
|
102
|
-
end
|
103
|
-
end
|
104
|
-
end
|