foreman_vault 1.2.0 → 2.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +1 -0
- data/Rakefile +2 -2
- data/app/controllers/api/v2/vault_connections_controller.rb +2 -1
- data/app/controllers/vault_connections_controller.rb +2 -1
- data/app/models/concerns/foreman_vault/orchestration/vault_policy.rb +2 -4
- data/app/models/vault_connection.rb +3 -3
- data/app/services/foreman_vault/vault_auth_method.rb +2 -1
- data/app/services/foreman_vault/vault_policy.rb +1 -0
- data/db/migrate/20230309072504_fix_vault_settings_category_to_dsl.rb +7 -0
- data/db/seeds.d/103-provisioning_templates.rb +2 -2
- data/lib/foreman_vault/engine.rb +28 -41
- data/lib/foreman_vault/version.rb +1 -1
- data/lib/tasks/foreman_vault_tasks.rake +14 -39
- data/test/unit/foreman_vault/access_permissions_test.rb +18 -0
- data/test/unit/lib/foreman_vault/macros_test.rb +1 -1
- data/test/unit/services/foreman_vault/vault_auth_method_test.rb +5 -3
- data/test/unit/services/foreman_vault/vault_client_test.rb +4 -4
- metadata +15 -10
- data/app/models/setting/vault.rb +0 -104
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c5fe8746df7815f6129640d07776dcc4e32108fcd751c35fdb20f6facf95b87f
|
|
4
|
+
data.tar.gz: 48a412989b2ce3dda9389f9a6ea9a06fc881157cb959536c618b6395d5b6ed83
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d45fa891dc392701f2cdb08ed00216fabff042a63b3d097cd71caf43630366b245c70ef06bd5860963fa1d9179f239bc0e3e7b79f94a288109d9c97b2dbe068c
|
|
7
|
+
data.tar.gz: 48f5a92159bccc41cea54144f88ce47875d1f83f6158ba812a2b36c1289087aadf41f2caad431f52ebf2c917267f9432e2cf6cbc2a221a35b9ed2b1a924958a1
|
data/README.md
CHANGED
|
@@ -22,6 +22,7 @@ This allows Foreman to create everything needed to access Hashicorp Vault direct
|
|
|
22
22
|
|
|
23
23
|
| Foreman Version | Plugin Version |
|
|
24
24
|
| --------------- | -------------- |
|
|
25
|
+
| >= 3.9 | ~> 2.0 |
|
|
25
26
|
| >= 2.3 | ~> 1.0 |
|
|
26
27
|
| >= 1.23 | ~> 0.3, ~> 0.4 |
|
|
27
28
|
| >= 1.20 | ~> 0.2 |
|
data/Rakefile
CHANGED
|
@@ -20,7 +20,7 @@ RDoc::Task.new(:rdoc) do |rdoc|
|
|
|
20
20
|
rdoc.rdoc_files.include('lib/**/*.rb')
|
|
21
21
|
end
|
|
22
22
|
|
|
23
|
-
APP_RAKEFILE = File.expand_path('
|
|
23
|
+
APP_RAKEFILE = File.expand_path('test/dummy/Rakefile', __dir__)
|
|
24
24
|
|
|
25
25
|
Bundler::GemHelper.install_tasks
|
|
26
26
|
|
|
@@ -38,7 +38,7 @@ task default: :test
|
|
|
38
38
|
begin
|
|
39
39
|
require 'rubocop/rake_task'
|
|
40
40
|
RuboCop::RakeTask.new
|
|
41
|
-
rescue =>
|
|
41
|
+
rescue StandardError => _e
|
|
42
42
|
puts 'Rubocop not loaded.'
|
|
43
43
|
end
|
|
44
44
|
|
|
@@ -16,7 +16,8 @@ module Api
|
|
|
16
16
|
|
|
17
17
|
api :GET, '/vault_connections/:id', N_('Show VaultConnection details')
|
|
18
18
|
param :id, :identifier, required: true
|
|
19
|
-
def show
|
|
19
|
+
def show
|
|
20
|
+
end
|
|
20
21
|
|
|
21
22
|
def_param_group :vault_connection do
|
|
22
23
|
param :vault_connection, Hash, action_aware: true, required: true do
|
|
@@ -21,7 +21,7 @@ module ForemanVault
|
|
|
21
21
|
return unless vault_auth_method.valid?
|
|
22
22
|
|
|
23
23
|
queue.create(name: _('Push %s data to Vault') % self, priority: 100,
|
|
24
|
-
|
|
24
|
+
action: [self, :set_vault])
|
|
25
25
|
end
|
|
26
26
|
|
|
27
27
|
def queue_vault_destroy
|
|
@@ -30,10 +30,9 @@ module ForemanVault
|
|
|
30
30
|
return unless vault_auth_method.valid?
|
|
31
31
|
|
|
32
32
|
queue.create(name: _('Clear %s Vault data') % self, priority: 60,
|
|
33
|
-
|
|
33
|
+
action: [self, :del_vault])
|
|
34
34
|
end
|
|
35
35
|
|
|
36
|
-
# rubocop:disable Metrics/AbcSize
|
|
37
36
|
def set_vault
|
|
38
37
|
logger.info "Pushing #{name} data to Vault"
|
|
39
38
|
|
|
@@ -44,7 +43,6 @@ module ForemanVault
|
|
|
44
43
|
Foreman::Logging.exception("Failed to push #{name} data to Vault.", e)
|
|
45
44
|
failure format(_('Failed to push %{name} data to Vault: %{message}\n '), name: name, message: e.message), e
|
|
46
45
|
end
|
|
47
|
-
# rubocop:enable Metrics/AbcSize
|
|
48
46
|
|
|
49
47
|
def del_vault
|
|
50
48
|
logger.info "Clearing #{name} Vault data"
|
|
@@ -7,7 +7,7 @@ class VaultConnection < ApplicationRecord
|
|
|
7
7
|
validates :name, presence: true, uniqueness: true
|
|
8
8
|
validates :name, inclusion: { in: ->(i) { [i.name_was] }, message: _('cannot be changed after creation') }, on: :update
|
|
9
9
|
validates :url, presence: true
|
|
10
|
-
validates :url, format: URI.
|
|
10
|
+
validates :url, format: URI::DEFAULT_PARSER.make_regexp(['http', 'https'])
|
|
11
11
|
|
|
12
12
|
validates :token, presence: true, if: -> { role_id.nil? || secret_id.nil? }
|
|
13
13
|
validates :token, inclusion: { in: [nil], message: _('AppRole or token must be blank') }, unless: -> { role_id.nil? || secret_id.nil? }
|
|
@@ -25,8 +25,8 @@ class VaultConnection < ApplicationRecord
|
|
|
25
25
|
scope :with_valid_token, -> { with_token.where(vault_error: nil).where('expire_time > ?', Time.zone.now) }
|
|
26
26
|
|
|
27
27
|
delegate :fetch_expire_time, :fetch_secret, :issue_certificate,
|
|
28
|
-
|
|
29
|
-
|
|
28
|
+
:policy, :policies, :put_policy, :delete_policy,
|
|
29
|
+
:set_certificate, :certificates, :delete_certificate, to: :client
|
|
30
30
|
|
|
31
31
|
def with_token?
|
|
32
32
|
token.present?
|
|
@@ -31,6 +31,7 @@ module ForemanVault
|
|
|
31
31
|
private
|
|
32
32
|
|
|
33
33
|
attr_reader :host
|
|
34
|
+
|
|
34
35
|
delegate :vault_policy, :vault_connection, :fqdn, to: :host
|
|
35
36
|
delegate :name, to: :vault_policy, prefix: true
|
|
36
37
|
delegate :set_certificate, :delete_certificate, to: :vault_connection
|
|
@@ -39,7 +40,7 @@ module ForemanVault
|
|
|
39
40
|
{
|
|
40
41
|
certificate: certificate,
|
|
41
42
|
token_policies: vault_policy_name,
|
|
42
|
-
allowed_common_names: allowed_common_names
|
|
43
|
+
allowed_common_names: allowed_common_names,
|
|
43
44
|
}
|
|
44
45
|
end
|
|
45
46
|
|
|
@@ -5,8 +5,8 @@ User.as_anonymous_admin do
|
|
|
5
5
|
{
|
|
6
6
|
name: 'Default Vault Policy',
|
|
7
7
|
source: 'VaultPolicy/default.erb',
|
|
8
|
-
template_kind: TemplateKind.find_or_create_by(name: 'VaultPolicy')
|
|
9
|
-
}
|
|
8
|
+
template_kind: TemplateKind.find_or_create_by(name: 'VaultPolicy'),
|
|
9
|
+
},
|
|
10
10
|
]
|
|
11
11
|
|
|
12
12
|
templates.each do |template|
|
data/lib/foreman_vault/engine.rb
CHANGED
|
@@ -12,14 +12,6 @@ module ForemanVault
|
|
|
12
12
|
config.autoload_paths += Dir["#{config.root}/app/lib"]
|
|
13
13
|
config.autoload_paths += Dir["#{config.root}/app/jobs"]
|
|
14
14
|
|
|
15
|
-
initializer 'foreman_vault.load_default_settings', before: :load_config_initializers do
|
|
16
|
-
require_dependency File.expand_path('../../app/models/setting/vault.rb', __dir__) if begin
|
|
17
|
-
Setting.table_exists?
|
|
18
|
-
rescue StandardError
|
|
19
|
-
(false)
|
|
20
|
-
end
|
|
21
|
-
end
|
|
22
|
-
|
|
23
15
|
# Add any db migrations
|
|
24
16
|
initializer 'foreman_vault.load_app_instance_data' do |app|
|
|
25
17
|
ForemanVault::Engine.paths['db/migrate'].existent.each do |path|
|
|
@@ -29,7 +21,7 @@ module ForemanVault
|
|
|
29
21
|
|
|
30
22
|
initializer 'foreman_vault.register_plugin', before: :finisher_hook do |_app|
|
|
31
23
|
Foreman::Plugin.register :foreman_vault do
|
|
32
|
-
requires_foreman '>=
|
|
24
|
+
requires_foreman '>= 3.9'
|
|
33
25
|
|
|
34
26
|
apipie_documented_controllers ["#{ForemanVault::Engine.root}/app/controllers/api/v2/*.rb"]
|
|
35
27
|
|
|
@@ -45,30 +37,27 @@ module ForemanVault
|
|
|
45
37
|
'api/v2/vault_connections': [:destroy] }, resource_type: 'VaultConnection'
|
|
46
38
|
end
|
|
47
39
|
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
description: N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
|
|
70
|
-
default: false)
|
|
71
|
-
end
|
|
40
|
+
settings do
|
|
41
|
+
category(:vault, N_('Vault')) do
|
|
42
|
+
setting('vault_connection',
|
|
43
|
+
full_name: N_('Default Vault connection'),
|
|
44
|
+
type: :string,
|
|
45
|
+
description: N_('Default Vault Connection that can be override using parameters'),
|
|
46
|
+
default: VaultConnection.table_exists? && VaultConnection.unscoped.count == 1 ? VaultConnection.unscoped.first.name : nil,
|
|
47
|
+
collection: VaultConnection.table_exists? ? proc { Hash[VaultConnection.unscoped.all.map { |vc| [vc.name, vc.name] }] } : [],
|
|
48
|
+
include_blank: _('Select Vault Connection'))
|
|
49
|
+
setting('vault_policy_template',
|
|
50
|
+
full_name: N_('Vault Policy template name'),
|
|
51
|
+
type: :string,
|
|
52
|
+
description: N_('The name of the ProvisioningTemplate that will be used for Vault Policy'),
|
|
53
|
+
default: ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name,
|
|
54
|
+
collection: proc { Hash[ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).map { |tmpl| [tmpl.name, tmpl.name] }] },
|
|
55
|
+
include_blank: _('Select Template'))
|
|
56
|
+
setting('vault_orchestration_enabled',
|
|
57
|
+
full_name: N_('Vault Orchestration enabled'),
|
|
58
|
+
type: :boolean,
|
|
59
|
+
description: N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
|
|
60
|
+
default: false)
|
|
72
61
|
end
|
|
73
62
|
end
|
|
74
63
|
|
|
@@ -80,14 +69,12 @@ module ForemanVault
|
|
|
80
69
|
end
|
|
81
70
|
|
|
82
71
|
config.to_prepare do
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
Rails.logger.warn "ForemanVault: skipping engine hook (#{e})"
|
|
90
|
-
end
|
|
72
|
+
::Host::Managed.include(ForemanVault::HostExtensions)
|
|
73
|
+
::ProvisioningTemplate.include(ForemanVault::ProvisioningTemplateExtensions)
|
|
74
|
+
::Foreman::Renderer::Scope::Base.include(ForemanVault::Macros)
|
|
75
|
+
::Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret, :vault_issue_certificate] }
|
|
76
|
+
rescue StandardError => e
|
|
77
|
+
Rails.logger.warn "ForemanVault: skipping engine hook (#{e})"
|
|
91
78
|
end
|
|
92
79
|
|
|
93
80
|
initializer 'foreman_vault.register_gettext', after: :load_config_initializers do |_app|
|
|
@@ -11,16 +11,14 @@ namespace :foreman_vault do # rubocop:disable Metrics/BlockLength
|
|
|
11
11
|
hosts = Host::Managed.where(managed: true)
|
|
12
12
|
|
|
13
13
|
hosts.each_with_index do |host, index|
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
|
|
20
|
-
end
|
|
21
|
-
rescue StandardError => err
|
|
22
|
-
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{err}"
|
|
14
|
+
result = host.reload.vault_auth_method.save
|
|
15
|
+
if result
|
|
16
|
+
puts "[#{index + 1}/#{hosts.count}] Auth-Method of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
|
|
17
|
+
else
|
|
18
|
+
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
|
|
23
19
|
end
|
|
20
|
+
rescue StandardError => e
|
|
21
|
+
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{e}"
|
|
24
22
|
end
|
|
25
23
|
end
|
|
26
24
|
end
|
|
@@ -33,16 +31,14 @@ namespace :foreman_vault do # rubocop:disable Metrics/BlockLength
|
|
|
33
31
|
hosts = Host::Managed.where(managed: true)
|
|
34
32
|
|
|
35
33
|
hosts.each_with_index do |host, index|
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
|
|
42
|
-
end
|
|
43
|
-
rescue StandardError => err
|
|
44
|
-
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{err}"
|
|
34
|
+
result = host.reload.vault_policy.save
|
|
35
|
+
if result
|
|
36
|
+
puts "[#{index + 1}/#{hosts.count}] Policy of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
|
|
37
|
+
else
|
|
38
|
+
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
|
|
45
39
|
end
|
|
40
|
+
rescue StandardError => e
|
|
41
|
+
puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{e}"
|
|
46
42
|
end
|
|
47
43
|
end
|
|
48
44
|
end
|
|
@@ -61,25 +57,4 @@ namespace :test do
|
|
|
61
57
|
end
|
|
62
58
|
end
|
|
63
59
|
|
|
64
|
-
namespace :foreman_vault do
|
|
65
|
-
task :rubocop do
|
|
66
|
-
begin
|
|
67
|
-
require 'rubocop/rake_task'
|
|
68
|
-
RuboCop::RakeTask.new(:rubocop_foreman_vault) do |task|
|
|
69
|
-
task.patterns = ["#{ForemanVault::Engine.root}/app/**/*.rb",
|
|
70
|
-
"#{ForemanVault::Engine.root}/lib/**/*.rb",
|
|
71
|
-
"#{ForemanVault::Engine.root}/test/**/*.rb"]
|
|
72
|
-
end
|
|
73
|
-
rescue StandardError
|
|
74
|
-
puts 'Rubocop not loaded.'
|
|
75
|
-
end
|
|
76
|
-
|
|
77
|
-
Rake::Task['rubocop_foreman_vault'].invoke
|
|
78
|
-
end
|
|
79
|
-
end
|
|
80
|
-
|
|
81
60
|
Rake::Task[:test].enhance ['test:foreman_vault']
|
|
82
|
-
|
|
83
|
-
load 'tasks/jenkins.rake'
|
|
84
|
-
|
|
85
|
-
Rake::Task['jenkins:unit'].enhance ['test:foreman_vault', 'foreman_vault:rubocop'] if Rake::Task.task_defined?(:'jenkins:unit')
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'test_plugin_helper'
|
|
4
|
+
require 'unit/shared/access_permissions_test_base'
|
|
5
|
+
|
|
6
|
+
# Permissions are added in AccessPermissions with lists of controllers and
|
|
7
|
+
# actions that they enable access to. For non-admin users, we need to test
|
|
8
|
+
# that there are permissions available that cover every controller action, else
|
|
9
|
+
# it can't be delegated and this will lead to parts of the application that
|
|
10
|
+
# aren't functional for non-admin users.
|
|
11
|
+
#
|
|
12
|
+
# In particular, it's important that actions for AJAX requests are added to
|
|
13
|
+
# an appropriate permission so views using those requests function.
|
|
14
|
+
class AccessPermissionsTest < ActiveSupport::TestCase
|
|
15
|
+
include AccessPermissionsTestBase
|
|
16
|
+
|
|
17
|
+
check_routes(ForemanVault::Engine.routes, [])
|
|
18
|
+
end
|
|
@@ -22,7 +22,7 @@ class MacrosTest < ActiveSupport::TestCase
|
|
|
22
22
|
|
|
23
23
|
subject = TestScope.new(host: host, source: source)
|
|
24
24
|
|
|
25
|
-
|
|
25
|
+
assert_respond_to subject, :vault_secret
|
|
26
26
|
assert_equal response.data, subject.vault_secret(vault_connection.name, secret_path)
|
|
27
27
|
end
|
|
28
28
|
end
|
|
@@ -59,9 +59,11 @@ class VaultAuthMethodTest < ActiveSupport::TestCase
|
|
|
59
59
|
|
|
60
60
|
subject.expects(:set_certificate).once.with(
|
|
61
61
|
'name',
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
62
|
+
{
|
|
63
|
+
certificate: 'cert',
|
|
64
|
+
token_policies: 'vault_policy_name',
|
|
65
|
+
allowed_common_names: [host.fqdn],
|
|
66
|
+
}
|
|
65
67
|
)
|
|
66
68
|
subject.save
|
|
67
69
|
end
|
|
@@ -23,15 +23,15 @@ class VaultClientTest < ActiveSupport::TestCase
|
|
|
23
23
|
stub_request(:post, "#{base_url}/v1/auth/approle/login").with(
|
|
24
24
|
body: {
|
|
25
25
|
role_id: role_id,
|
|
26
|
-
secret_id: secret_id
|
|
26
|
+
secret_id: secret_id,
|
|
27
27
|
}
|
|
28
28
|
).to_return(
|
|
29
29
|
status: 200,
|
|
30
30
|
headers: { 'Content-Type': 'application/json' },
|
|
31
31
|
body: {
|
|
32
32
|
auth: {
|
|
33
|
-
client_token: token
|
|
34
|
-
}
|
|
33
|
+
client_token: token,
|
|
34
|
+
},
|
|
35
35
|
}.to_json
|
|
36
36
|
)
|
|
37
37
|
end
|
|
@@ -82,7 +82,7 @@ class VaultClientTest < ActiveSupport::TestCase
|
|
|
82
82
|
issuing_ca: 'CA_CERTIFICATE_DATA',
|
|
83
83
|
private_key: 'PRIVATE_KEY_DATA',
|
|
84
84
|
private_key_type: 'rsa',
|
|
85
|
-
serial_number: '7e:2d:c8:dd:df:da:fe:1f:39:da:39:23:4f:74:c8:1f:1d:4a:db:a7'
|
|
85
|
+
serial_number: '7e:2d:c8:dd:df:da:fe:1f:39:da:39:23:4f:74:c8:1f:1d:4a:db:a7',
|
|
86
86
|
}
|
|
87
87
|
|
|
88
88
|
response = OpenStruct.new(data: @data)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: foreman_vault
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 2.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- dmTECH GmbH
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-05-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: vault
|
|
@@ -39,19 +39,19 @@ dependencies:
|
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
40
|
version: '0'
|
|
41
41
|
- !ruby/object:Gem::Dependency
|
|
42
|
-
name: rubocop
|
|
42
|
+
name: theforeman-rubocop
|
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
|
44
44
|
requirements:
|
|
45
|
-
- -
|
|
45
|
+
- - "~>"
|
|
46
46
|
- !ruby/object:Gem::Version
|
|
47
|
-
version: 0.
|
|
47
|
+
version: 0.1.2
|
|
48
48
|
type: :development
|
|
49
49
|
prerelease: false
|
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
|
51
51
|
requirements:
|
|
52
|
-
- -
|
|
52
|
+
- - "~>"
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
|
-
version: 0.
|
|
54
|
+
version: 0.1.2
|
|
55
55
|
description:
|
|
56
56
|
email:
|
|
57
57
|
- opensource@dm.de
|
|
@@ -71,7 +71,6 @@ files:
|
|
|
71
71
|
- app/models/concerns/foreman_vault/host_extensions.rb
|
|
72
72
|
- app/models/concerns/foreman_vault/orchestration/vault_policy.rb
|
|
73
73
|
- app/models/concerns/foreman_vault/provisioning_template_extensions.rb
|
|
74
|
-
- app/models/setting/vault.rb
|
|
75
74
|
- app/models/vault_connection.rb
|
|
76
75
|
- app/services/foreman_vault/vault_auth_method.rb
|
|
77
76
|
- app/services/foreman_vault/vault_client.rb
|
|
@@ -93,6 +92,7 @@ files:
|
|
|
93
92
|
- db/migrate/20180725072913_create_vault_connection.foreman_vault.rb
|
|
94
93
|
- db/migrate/20180809172407_rename_vault_status_to_vault_error.foreman_vault.rb
|
|
95
94
|
- db/migrate/20201203220058_add_approle_to_vault_connection.rb
|
|
95
|
+
- db/migrate/20230309072504_fix_vault_settings_category_to_dsl.rb
|
|
96
96
|
- db/seeds.d/103-provisioning_templates.rb
|
|
97
97
|
- lib/foreman_vault.rb
|
|
98
98
|
- lib/foreman_vault/engine.rb
|
|
@@ -115,6 +115,7 @@ files:
|
|
|
115
115
|
- test/models/vault_connection_test.rb
|
|
116
116
|
- test/models/vault_policy_template_test.rb
|
|
117
117
|
- test/test_plugin_helper.rb
|
|
118
|
+
- test/unit/foreman_vault/access_permissions_test.rb
|
|
118
119
|
- test/unit/lib/foreman_vault/macros_test.rb
|
|
119
120
|
- test/unit/services/foreman_vault/vault_auth_method_test.rb
|
|
120
121
|
- test/unit/services/foreman_vault/vault_client_test.rb
|
|
@@ -131,14 +132,17 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
131
132
|
requirements:
|
|
132
133
|
- - ">="
|
|
133
134
|
- !ruby/object:Gem::Version
|
|
134
|
-
version: '
|
|
135
|
+
version: '2.5'
|
|
136
|
+
- - "<"
|
|
137
|
+
- !ruby/object:Gem::Version
|
|
138
|
+
version: '4'
|
|
135
139
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
136
140
|
requirements:
|
|
137
141
|
- - ">="
|
|
138
142
|
- !ruby/object:Gem::Version
|
|
139
143
|
version: '0'
|
|
140
144
|
requirements: []
|
|
141
|
-
rubygems_version: 3.
|
|
145
|
+
rubygems_version: 3.4.1
|
|
142
146
|
signing_key:
|
|
143
147
|
specification_version: 4
|
|
144
148
|
summary: Adds support for using credentials from Hashicorp Vault
|
|
@@ -156,6 +160,7 @@ test_files:
|
|
|
156
160
|
- test/models/vault_connection_test.rb
|
|
157
161
|
- test/models/vault_policy_template_test.rb
|
|
158
162
|
- test/test_plugin_helper.rb
|
|
163
|
+
- test/unit/foreman_vault/access_permissions_test.rb
|
|
159
164
|
- test/unit/lib/foreman_vault/macros_test.rb
|
|
160
165
|
- test/unit/services/foreman_vault/vault_auth_method_test.rb
|
|
161
166
|
- test/unit/services/foreman_vault/vault_client_test.rb
|
data/app/models/setting/vault.rb
DELETED
|
@@ -1,104 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
class Setting
|
|
4
|
-
class Vault < ::Setting
|
|
5
|
-
BLANK_ATTRS << 'vault_connection'
|
|
6
|
-
BLANK_ATTRS << 'vault_policy_template'
|
|
7
|
-
|
|
8
|
-
def self.default_settings
|
|
9
|
-
[set_vault_connection, set_vault_policy_template, set_vault_orchestration_enabled]
|
|
10
|
-
end
|
|
11
|
-
|
|
12
|
-
# rubocop:disable Metrics/AbcSize, Metrics/MethodLength
|
|
13
|
-
def self.load_defaults
|
|
14
|
-
return unless Gem::Version.new(SETTINGS[:version].notag) < Gem::Version.new('3.4')
|
|
15
|
-
|
|
16
|
-
# Check the table exists
|
|
17
|
-
return unless super
|
|
18
|
-
|
|
19
|
-
transaction do
|
|
20
|
-
default_settings.each do |s|
|
|
21
|
-
setting = create! s.update(category: 'Setting::Vault')
|
|
22
|
-
|
|
23
|
-
Foreman.try(:settings)&._add(
|
|
24
|
-
s[:name],
|
|
25
|
-
s.slice(:description, :default, :full_name, :encrypted)
|
|
26
|
-
.merge(category: 'Setting::Vault')
|
|
27
|
-
.yield_self do |params|
|
|
28
|
-
unless Gem::Version.new(SETTINGS[:version].notag) < Gem::Version.new('2.6')
|
|
29
|
-
params[:context] = :vault
|
|
30
|
-
params[:type] = setting.settings_type
|
|
31
|
-
end
|
|
32
|
-
params
|
|
33
|
-
end
|
|
34
|
-
)
|
|
35
|
-
end
|
|
36
|
-
end
|
|
37
|
-
|
|
38
|
-
true
|
|
39
|
-
end
|
|
40
|
-
# rubocop:enable Metrics/AbcSize, Metrics/MethodLength
|
|
41
|
-
|
|
42
|
-
def self.humanized_category
|
|
43
|
-
N_('Vault')
|
|
44
|
-
end
|
|
45
|
-
|
|
46
|
-
class << self
|
|
47
|
-
private
|
|
48
|
-
|
|
49
|
-
def set_vault_connection
|
|
50
|
-
set(
|
|
51
|
-
'vault_connection',
|
|
52
|
-
N_('Default Vault Connection that can be override using parameters'),
|
|
53
|
-
default_vault_connection,
|
|
54
|
-
N_('Default Vault Connection'),
|
|
55
|
-
nil,
|
|
56
|
-
collection: vault_connections_collection,
|
|
57
|
-
include_blank: _('Select Vault Connection')
|
|
58
|
-
)
|
|
59
|
-
end
|
|
60
|
-
|
|
61
|
-
def default_vault_connection
|
|
62
|
-
return nil unless VaultConnection.table_exists?
|
|
63
|
-
return unless VaultConnection.unscoped.count == 1
|
|
64
|
-
|
|
65
|
-
VaultConnection.unscoped.first.name
|
|
66
|
-
end
|
|
67
|
-
|
|
68
|
-
def vault_connections_collection
|
|
69
|
-
return [] unless VaultConnection.table_exists?
|
|
70
|
-
|
|
71
|
-
proc { Hash[VaultConnection.unscoped.all.map { |vc| [vc.name, vc.name] }] }
|
|
72
|
-
end
|
|
73
|
-
|
|
74
|
-
def set_vault_policy_template
|
|
75
|
-
set(
|
|
76
|
-
'vault_policy_template',
|
|
77
|
-
N_('The name of the ProvisioningTemplate that will be used for Vault Policy'),
|
|
78
|
-
default_vault_policy_template,
|
|
79
|
-
N_('Vault Policy template name'),
|
|
80
|
-
nil,
|
|
81
|
-
collection: vault_policy_templates_collection,
|
|
82
|
-
include_blank: _('Select Template')
|
|
83
|
-
)
|
|
84
|
-
end
|
|
85
|
-
|
|
86
|
-
def default_vault_policy_template
|
|
87
|
-
ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name
|
|
88
|
-
end
|
|
89
|
-
|
|
90
|
-
def vault_policy_templates_collection
|
|
91
|
-
proc { Hash[ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).map { |tmpl| [tmpl.name, tmpl.name] }] }
|
|
92
|
-
end
|
|
93
|
-
|
|
94
|
-
def set_vault_orchestration_enabled
|
|
95
|
-
set(
|
|
96
|
-
'vault_orchestration_enabled',
|
|
97
|
-
N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
|
|
98
|
-
false,
|
|
99
|
-
N_('Vault Orchestration enabled')
|
|
100
|
-
)
|
|
101
|
-
end
|
|
102
|
-
end
|
|
103
|
-
end
|
|
104
|
-
end
|