foreman_vault 1.2.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1a698b340bc8ac1d8e1f9313548b3f27b971e87863886b4eac7c345c836460f2
-  data.tar.gz: 199cfbb6dae934a8dddc047964f068ad68a0fb1dd32590dbf4a976513229a205
+  metadata.gz: f4fbc008315206c64c8641835e56d14ef1b31f42ef411dfc321a3c8670998172
+  data.tar.gz: 3ff7634135705a37592423d8d993790041b826a4d414f7952187290ae4d9109b
 SHA512:
-  metadata.gz: 43759e193861b1ead17c0112b73fb7b36f613348f0041687e84646bb1e9ae869f5833893f4a749ffee880a921e23896a1ff5dfa7488cff7d6079d9056ffb3332
-  data.tar.gz: b956c84f73978386e43ad0e095d86ff1a2383f826f747252a176fe1198df2605c0e10d740c1fdacbb99f9105773ebef00e891c643e386f24e448d185389d9e08
+  metadata.gz: 9a7afc22a1db923534cd471d61b0837573c3f3db79c82ca7c6454148a281aa1adf76806fec9a39da3e4bb189e00a38ba2e3bf0e69382c48319489e24c943381d
+  data.tar.gz: 34e80dcc58fcf00a8673d6ca9a5f23f30196d5d8ab38640d34eb4323322572ad152f66b308e252d2a2be9d176082193a9acbc4e62006016f279c218841a319fd

data/README.md

@@ -1,6 +1,6 @@
 # ForemanVault
 
-[<img src="https://opensourcelogos.aws.dmtech.cloud/dmTECH_opensource_logo.svg" height="21" width="130">](https://www.dmtech.de/)
+[<img src="https://raw.githubusercontent.com/dm-drogeriemarkt/.github/refs/heads/main/assets/dmtech-open-source-badge.svg">](https://www.dmtech.de/)
 
 **Foreman Vault** is a plugin for Foreman that integrates with Hashicorp Vault for different things. Currently, it offers two distinct features.
 
@@ -22,6 +22,8 @@ This allows Foreman to create everything needed to access Hashicorp Vault direct
 
 | Foreman Version | Plugin Version |
 | --------------- | -------------- |
+| >= 3.13         | ~> 3.0         |
+| >= 3.9          | ~> 2.0         |
 | >= 2.3          | ~> 1.0         |
 | >= 1.23         | ~> 0.3, ~> 0.4 |
 | >= 1.20         | ~> 0.2         |

data/Rakefile

@@ -20,7 +20,7 @@ RDoc::Task.new(:rdoc) do |rdoc|
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
 
-APP_RAKEFILE = File.expand_path('../test/dummy/Rakefile', __FILE__)
+APP_RAKEFILE = File.expand_path('test/dummy/Rakefile', __dir__)
 
 Bundler::GemHelper.install_tasks
 
@@ -38,7 +38,7 @@ task default: :test
 begin
   require 'rubocop/rake_task'
   RuboCop::RakeTask.new
-rescue => _
+rescue StandardError => _e
   puts 'Rubocop not loaded.'
 end
 

data/app/controllers/api/v2/vault_connections_controller.rb

@@ -16,7 +16,8 @@ module Api
 
       api :GET, '/vault_connections/:id', N_('Show VaultConnection details')
       param :id, :identifier, required: true
-      def show; end
+      def show
+      end
 
       def_param_group :vault_connection do
         param :vault_connection, Hash, action_aware: true, required: true do

data/app/controllers/vault_connections_controller.rb

@@ -22,7 +22,8 @@ class VaultConnectionsController < ::ApplicationController
     end
   end
 
-  def edit; end
+  def edit
+  end
 
   def update
     if @vault_connection.update(vault_connection_params)

data/app/models/concerns/foreman_vault/orchestration/vault_policy.rb

@@ -21,7 +21,7 @@ module ForemanVault
         return unless vault_auth_method.valid?
 
         queue.create(name: _('Push %s data to Vault') % self, priority: 100,
-                     action: [self, :set_vault])
+          action: [self, :set_vault])
       end
 
       def queue_vault_destroy
@@ -30,10 +30,9 @@ module ForemanVault
         return unless vault_auth_method.valid?
 
         queue.create(name: _('Clear %s Vault data') % self, priority: 60,
-                     action: [self, :del_vault])
+          action: [self, :del_vault])
       end
 
-      # rubocop:disable Metrics/AbcSize
       def set_vault
         logger.info "Pushing #{name} data to Vault"
 
@@ -44,7 +43,6 @@ module ForemanVault
         Foreman::Logging.exception("Failed to push #{name} data to Vault.", e)
         failure format(_('Failed to push %{name} data to Vault: %{message}\n '), name: name, message: e.message), e
       end
-      # rubocop:enable Metrics/AbcSize
 
       def del_vault
         logger.info "Clearing #{name} Vault data"

data/app/models/vault_connection.rb

@@ -7,7 +7,7 @@ class VaultConnection < ApplicationRecord
   validates :name, presence: true, uniqueness: true
   validates :name, inclusion: { in: ->(i) { [i.name_was] }, message: _('cannot be changed after creation') }, on: :update
   validates :url, presence: true
-  validates :url, format: URI.regexp(['http', 'https'])
+  validates :url, format: URI::DEFAULT_PARSER.make_regexp(['http', 'https'])
 
   validates :token, presence: true, if: -> { role_id.nil? || secret_id.nil? }
   validates :token, inclusion: { in: [nil], message: _('AppRole or token must be blank') }, unless: -> { role_id.nil? || secret_id.nil? }
@@ -25,8 +25,8 @@ class VaultConnection < ApplicationRecord
   scope :with_valid_token, -> { with_token.where(vault_error: nil).where('expire_time > ?', Time.zone.now) }
 
   delegate :fetch_expire_time, :fetch_secret, :issue_certificate,
-           :policy, :policies, :put_policy, :delete_policy,
-           :set_certificate, :certificates, :delete_certificate, to: :client
+    :policy, :policies, :put_policy, :delete_policy,
+    :set_certificate, :certificates, :delete_certificate, to: :client
 
   def with_token?
     token.present?

data/app/services/foreman_vault/vault_auth_method.rb

@@ -31,6 +31,7 @@ module ForemanVault
     private
 
     attr_reader :host
+
     delegate :vault_policy, :vault_connection, :fqdn, to: :host
     delegate :name, to: :vault_policy, prefix: true
     delegate :set_certificate, :delete_certificate, to: :vault_connection
@@ -39,7 +40,7 @@ module ForemanVault
       {
         certificate: certificate,
         token_policies: vault_policy_name,
-        allowed_common_names: allowed_common_names
+        allowed_common_names: allowed_common_names,
       }
     end
 

data/app/services/foreman_vault/vault_policy.rb

@@ -37,6 +37,7 @@ module ForemanVault
     private
 
     attr_reader :host
+
     delegate :params, :render_template, :vault_connection, to: :host
     delegate :policy, :policies, :put_policy, :delete_policy, to: :vault_connection
 

data/db/migrate/20230309072504_fix_vault_settings_category_to_dsl.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class FixVaultSettingsCategoryToDsl < ActiveRecord::Migration[6.0]
+  def up
+    Setting.where(category: 'Setting::Vault').update_all(category: 'Setting') if column_exists?(:settings, :category)
+  end
+end

data/db/seeds.d/103-provisioning_templates.rb

@@ -5,8 +5,8 @@ User.as_anonymous_admin do
     {
       name: 'Default Vault Policy',
       source: 'VaultPolicy/default.erb',
-      template_kind: TemplateKind.find_or_create_by(name: 'VaultPolicy')
-    }
+      template_kind: TemplateKind.find_or_create_by(name: 'VaultPolicy'),
+    },
   ]
 
   templates.each do |template|

data/lib/foreman_vault/engine.rb

@@ -6,20 +6,6 @@ module ForemanVault
   class Engine < ::Rails::Engine
     engine_name 'foreman_vault'
 
-    config.autoload_paths += Dir["#{config.root}/app/controllers"]
-    config.autoload_paths += Dir["#{config.root}/app/models"]
-    config.autoload_paths += Dir["#{config.root}/app/services"]
-    config.autoload_paths += Dir["#{config.root}/app/lib"]
-    config.autoload_paths += Dir["#{config.root}/app/jobs"]
-
-    initializer 'foreman_vault.load_default_settings', before: :load_config_initializers do
-      require_dependency File.expand_path('../../app/models/setting/vault.rb', __dir__) if begin
-                                                                                             Setting.table_exists?
-                                                                                           rescue StandardError
-                                                                                             (false)
-                                                                                           end
-    end
-
     # Add any db migrations
     initializer 'foreman_vault.load_app_instance_data' do |app|
       ForemanVault::Engine.paths['db/migrate'].existent.each do |path|
@@ -27,67 +13,64 @@ module ForemanVault
       end
     end
 
-    initializer 'foreman_vault.register_plugin', before: :finisher_hook do |_app|
-      Foreman::Plugin.register :foreman_vault do
-        requires_foreman '>= 2.3'
+    initializer 'foreman_vault.register_plugin', before: :finisher_hook do |app|
+      app.reloader.to_prepare do
+        Foreman::Plugin.register :foreman_vault do
+          requires_foreman '>= 3.13'
 
-        apipie_documented_controllers ["#{ForemanVault::Engine.root}/app/controllers/api/v2/*.rb"]
+          apipie_documented_controllers ["#{ForemanVault::Engine.root}/app/controllers/api/v2/*.rb"]
 
-        # Add permissions
-        security_block :foreman_vault do
-          permission :view_vault_connections,     { vault_connections: [:index, :show],
-                                                    'api/v2/vault_connections': [:index, :show] }, resource_type: 'VaultConnection'
-          permission :create_vault_connections,   { vault_connections: [:new, :create],
-                                                    'api/v2/vault_connections': [:create] }, resource_type: 'VaultConnection'
-          permission :edit_vault_connections,     { vault_connections: [:edit, :update],
-                                                    'api/v2/vault_connections': [:update] }, resource_type: 'VaultConnection'
-          permission :destroy_vault_connections,  { vault_connections: [:destroy],
-                                                    'api/v2/vault_connections': [:destroy] }, resource_type: 'VaultConnection'
-        end
+          # Add permissions
+          security_block :foreman_vault do
+            permission :view_vault_connections,     { vault_connections: [:index, :show],
+                                                      'api/v2/vault_connections': [:index, :show] }, resource_type: 'VaultConnection'
+            permission :create_vault_connections,   { vault_connections: [:new, :create],
+                                                      'api/v2/vault_connections': [:create] }, resource_type: 'VaultConnection'
+            permission :edit_vault_connections,     { vault_connections: [:edit, :update],
+                                                      'api/v2/vault_connections': [:update] }, resource_type: 'VaultConnection'
+            permission :destroy_vault_connections,  { vault_connections: [:destroy],
+                                                      'api/v2/vault_connections': [:destroy] }, resource_type: 'VaultConnection'
+          end
 
-        # New settings definition DSL is available from Foreman 3.0
-        if respond_to?(:settings)
           settings do
             category(:vault, N_('Vault')) do
               setting('vault_connection',
-                      full_name: N_('Default Vault connection'),
-                      type: :string,
-                      description: N_('Default Vault Connection that can be override using parameters'),
-                      default: VaultConnection.table_exists? && VaultConnection.unscoped.count == 1 ? VaultConnection.unscoped.first.name : nil,
-                      collection: VaultConnection.table_exists? ? proc { Hash[VaultConnection.unscoped.all.map { |vc| [vc.name, vc.name] }] } : [],
-                      include_blank: _('Select Vault Connection'))
+                full_name: N_('Default Vault connection'),
+                type: :string,
+                description: N_('Default Vault Connection that can be override using parameters'),
+                default: VaultConnection.table_exists? && VaultConnection.unscoped.count == 1 ? VaultConnection.unscoped.first.name : nil,
+                collection: VaultConnection.table_exists? ? proc { Hash[VaultConnection.unscoped.all.map { |vc| [vc.name, vc.name] }] } : [],
+                include_blank: _('Select Vault Connection'))
               setting('vault_policy_template',
-                      full_name: N_('Vault Policy template name'),
-                      type: :string,
-                      description: N_('The name of the ProvisioningTemplate that will be used for Vault Policy'),
-                      default: ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name,
-                      collection: proc { Hash[ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).map { |tmpl| [tmpl.name, tmpl.name] }] },
-                      include_blank: _('Select Template'))
+                full_name: N_('Vault Policy template name'),
+                type: :string,
+                description: N_('The name of the ProvisioningTemplate that will be used for Vault Policy'),
+                default: ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name,
+                collection: proc { Hash[ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).map { |tmpl| [tmpl.name, tmpl.name] }] },
+                include_blank: _('Select Template'))
               setting('vault_orchestration_enabled',
-                      full_name: N_('Vault Orchestration enabled'),
-                      type: :boolean,
-                      description: N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
-                      default: false)
+                full_name: N_('Vault Orchestration enabled'),
+                type: :boolean,
+                description: N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
+                default: false)
             end
           end
-        end
 
-        # add menu entry
-        menu :top_menu, :vault_connections, url_hash: { controller: :vault_connections, action: :index },
-                                            caption: N_('Vault Connections'),
-                                            parent: :infrastructure_menu
+          # add menu entry
+          menu :top_menu, :vault_connections, url_hash: { controller: :vault_connections, action: :index },
+                                              caption: N_('Vault Connections'),
+                                              parent: :infrastructure_menu
+        end
       end
     end
 
     config.to_prepare do
-      begin
-        ::Host::Managed.include(ForemanVault::HostExtensions)
-        ::ProvisioningTemplate.include(ForemanVault::ProvisioningTemplateExtensions)
-        ::Foreman::Renderer::Scope::Base.include(ForemanVault::Macros)
-        ::Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret, :vault_issue_certificate] }
-      rescue StandardError => e
-        Rails.logger.warn "ForemanVault: skipping engine hook (#{e})"
-      end
+      ::Host::Managed.include(ForemanVault::HostExtensions)
+      ::ProvisioningTemplate.include(ForemanVault::ProvisioningTemplateExtensions)
+      ::Foreman::Renderer::Scope::Base.include(ForemanVault::Macros)
+      ::Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret, :vault_issue_certificate] }
+    rescue StandardError => e
+      Rails.logger.warn "ForemanVault: skipping engine hook (#{e})"
     end
 
     initializer 'foreman_vault.register_gettext', after: :load_config_initializers do |_app|

data/lib/foreman_vault/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ForemanVault
-  VERSION = '1.2.0'
+  VERSION = '3.0.0'
 end

data/lib/tasks/foreman_vault_tasks.rake

@@ -11,16 +11,14 @@ namespace :foreman_vault do # rubocop:disable Metrics/BlockLength
         hosts = Host::Managed.where(managed: true)
 
         hosts.each_with_index do |host, index|
-          begin
-            result = host.reload.vault_auth_method.save
-            if result
-              puts "[#{index + 1}/#{hosts.count}] Auth-Method of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
-            else
-              puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
-            end
-          rescue StandardError => err
-            puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{err}"
+          result = host.reload.vault_auth_method.save
+          if result
+            puts "[#{index + 1}/#{hosts.count}] Auth-Method of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
+          else
+            puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
           end
+        rescue StandardError => e
+          puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{e}"
         end
       end
     end
@@ -33,16 +31,14 @@ namespace :foreman_vault do # rubocop:disable Metrics/BlockLength
         hosts = Host::Managed.where(managed: true)
 
         hosts.each_with_index do |host, index|
-          begin
-            result = host.reload.vault_policy.save
-            if result
-              puts "[#{index + 1}/#{hosts.count}] Policy of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
-            else
-              puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
-            end
-          rescue StandardError => err
-            puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{err}"
+          result = host.reload.vault_policy.save
+          if result
+            puts "[#{index + 1}/#{hosts.count}] Policy of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
+          else
+            puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
           end
+        rescue StandardError => e
+          puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{e}"
         end
       end
     end
@@ -61,25 +57,4 @@ namespace :test do
   end
 end
 
-namespace :foreman_vault do
-  task :rubocop do
-    begin
-      require 'rubocop/rake_task'
-      RuboCop::RakeTask.new(:rubocop_foreman_vault) do |task|
-        task.patterns = ["#{ForemanVault::Engine.root}/app/**/*.rb",
-                         "#{ForemanVault::Engine.root}/lib/**/*.rb",
-                         "#{ForemanVault::Engine.root}/test/**/*.rb"]
-      end
-    rescue StandardError
-      puts 'Rubocop not loaded.'
-    end
-
-    Rake::Task['rubocop_foreman_vault'].invoke
-  end
-end
-
 Rake::Task[:test].enhance ['test:foreman_vault']
-
-load 'tasks/jenkins.rake'
-
-Rake::Task['jenkins:unit'].enhance ['test:foreman_vault', 'foreman_vault:rubocop'] if Rake::Task.task_defined?(:'jenkins:unit')

data/test/unit/foreman_vault/access_permissions_test.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+require 'unit/shared/access_permissions_test_base'
+
+# Permissions are added in AccessPermissions with lists of controllers and
+# actions that they enable access to.  For non-admin users, we need to test
+# that there are permissions available that cover every controller action, else
+# it can't be delegated and this will lead to parts of the application that
+# aren't functional for non-admin users.
+#
+# In particular, it's important that actions for AJAX requests are added to
+# an appropriate permission so views using those requests function.
+class AccessPermissionsTest < ActiveSupport::TestCase
+  include AccessPermissionsTestBase
+
+  check_routes(ForemanVault::Engine.routes, [])
+end

data/test/unit/lib/foreman_vault/macros_test.rb

@@ -22,7 +22,7 @@ class MacrosTest < ActiveSupport::TestCase
 
       subject = TestScope.new(host: host, source: source)
 
-      assert subject.respond_to?(:vault_secret)
+      assert_respond_to subject, :vault_secret
       assert_equal response.data, subject.vault_secret(vault_connection.name, secret_path)
     end
   end

data/test/unit/services/foreman_vault/vault_auth_method_test.rb

@@ -59,9 +59,11 @@ class VaultAuthMethodTest < ActiveSupport::TestCase
 
         subject.expects(:set_certificate).once.with(
           'name',
-          certificate: 'cert',
-          token_policies: 'vault_policy_name',
-          allowed_common_names: [host.fqdn]
+          {
+            certificate: 'cert',
+            token_policies: 'vault_policy_name',
+            allowed_common_names: [host.fqdn],
+          }
         )
         subject.save
       end

data/test/unit/services/foreman_vault/vault_client_test.rb

@@ -23,15 +23,15 @@ class VaultClientTest < ActiveSupport::TestCase
       stub_request(:post, "#{base_url}/v1/auth/approle/login").with(
         body: {
           role_id: role_id,
-          secret_id: secret_id
+          secret_id: secret_id,
         }
       ).to_return(
         status: 200,
         headers: { 'Content-Type': 'application/json' },
         body: {
           auth: {
-            client_token: token
-          }
+            client_token: token,
+          },
         }.to_json
       )
     end
@@ -82,7 +82,7 @@ class VaultClientTest < ActiveSupport::TestCase
         issuing_ca: 'CA_CERTIFICATE_DATA',
         private_key: 'PRIVATE_KEY_DATA',
         private_key_type: 'rsa',
-        serial_number: '7e:2d:c8:dd:df:da:fe:1f:39:da:39:23:4f:74:c8:1f:1d:4a:db:a7'
+        serial_number: '7e:2d:c8:dd:df:da:fe:1f:39:da:39:23:4f:74:c8:1f:1d:4a:db:a7',
       }
 
       response = OpenStruct.new(data: @data)

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: foreman_vault
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 3.0.0
 platform: ruby
 authors:
 - dmTECH GmbH
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-08-18 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: vault
@@ -39,20 +38,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rubocop
+  name: theforeman-rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.54.0
+        version: 0.1.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.54.0
-description:
+        version: 0.1.2
 email:
 - opensource@dm.de
 executables: []
@@ -71,7 +69,6 @@ files:
 - app/models/concerns/foreman_vault/host_extensions.rb
 - app/models/concerns/foreman_vault/orchestration/vault_policy.rb
 - app/models/concerns/foreman_vault/provisioning_template_extensions.rb
-- app/models/setting/vault.rb
 - app/models/vault_connection.rb
 - app/services/foreman_vault/vault_auth_method.rb
 - app/services/foreman_vault/vault_client.rb
@@ -93,6 +90,7 @@ files:
 - db/migrate/20180725072913_create_vault_connection.foreman_vault.rb
 - db/migrate/20180809172407_rename_vault_status_to_vault_error.foreman_vault.rb
 - db/migrate/20201203220058_add_approle_to_vault_connection.rb
+- db/migrate/20230309072504_fix_vault_settings_category_to_dsl.rb
 - db/seeds.d/103-provisioning_templates.rb
 - lib/foreman_vault.rb
 - lib/foreman_vault/engine.rb
@@ -115,6 +113,7 @@ files:
 - test/models/vault_connection_test.rb
 - test/models/vault_policy_template_test.rb
 - test/test_plugin_helper.rb
+- test/unit/foreman_vault/access_permissions_test.rb
 - test/unit/lib/foreman_vault/macros_test.rb
 - test/unit/services/foreman_vault/vault_auth_method_test.rb
 - test/unit/services/foreman_vault/vault_client_test.rb
@@ -123,7 +122,6 @@ homepage: https://github.com/dm-drogeriemarkt/foreman_vault
 licenses:
 - GPL-3.0
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -131,15 +129,17 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.5'
+  - - "<"
+    - !ruby/object:Gem::Version
+      version: '4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.3
-signing_key:
+rubygems_version: 3.6.7
 specification_version: 4
 summary: Adds support for using credentials from Hashicorp Vault
 test_files:
@@ -156,6 +156,7 @@ test_files:
 - test/models/vault_connection_test.rb
 - test/models/vault_policy_template_test.rb
 - test/test_plugin_helper.rb
+- test/unit/foreman_vault/access_permissions_test.rb
 - test/unit/lib/foreman_vault/macros_test.rb
 - test/unit/services/foreman_vault/vault_auth_method_test.rb
 - test/unit/services/foreman_vault/vault_client_test.rb

data/app/models/setting/vault.rb

@@ -1,104 +0,0 @@
-# frozen_string_literal: true
-
-class Setting
-  class Vault < ::Setting
-    BLANK_ATTRS << 'vault_connection'
-    BLANK_ATTRS << 'vault_policy_template'
-
-    def self.default_settings
-      [set_vault_connection, set_vault_policy_template, set_vault_orchestration_enabled]
-    end
-
-    # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
-    def self.load_defaults
-      return unless Gem::Version.new(SETTINGS[:version].notag) < Gem::Version.new('3.4')
-
-      # Check the table exists
-      return unless super
-
-      transaction do
-        default_settings.each do |s|
-          setting = create! s.update(category: 'Setting::Vault')
-
-          Foreman.try(:settings)&._add(
-            s[:name],
-            s.slice(:description, :default, :full_name, :encrypted)
-             .merge(category: 'Setting::Vault')
-             .yield_self do |params|
-               unless Gem::Version.new(SETTINGS[:version].notag) < Gem::Version.new('2.6')
-                 params[:context] = :vault
-                 params[:type] = setting.settings_type
-               end
-               params
-             end
-          )
-        end
-      end
-
-      true
-    end
-    # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
-
-    def self.humanized_category
-      N_('Vault')
-    end
-
-    class << self
-      private
-
-      def set_vault_connection
-        set(
-          'vault_connection',
-          N_('Default Vault Connection that can be override using parameters'),
-          default_vault_connection,
-          N_('Default Vault Connection'),
-          nil,
-          collection: vault_connections_collection,
-          include_blank: _('Select Vault Connection')
-        )
-      end
-
-      def default_vault_connection
-        return nil unless VaultConnection.table_exists?
-        return unless VaultConnection.unscoped.count == 1
-
-        VaultConnection.unscoped.first.name
-      end
-
-      def vault_connections_collection
-        return [] unless VaultConnection.table_exists?
-
-        proc { Hash[VaultConnection.unscoped.all.map { |vc| [vc.name, vc.name] }] }
-      end
-
-      def set_vault_policy_template
-        set(
-          'vault_policy_template',
-          N_('The name of the ProvisioningTemplate that will be used for Vault Policy'),
-          default_vault_policy_template,
-          N_('Vault Policy template name'),
-          nil,
-          collection: vault_policy_templates_collection,
-          include_blank: _('Select Template')
-        )
-      end
-
-      def default_vault_policy_template
-        ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).find_by(name: 'Default Vault Policy')&.name
-      end
-
-      def vault_policy_templates_collection
-        proc { Hash[ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).map { |tmpl| [tmpl.name, tmpl.name] }] }
-      end
-
-      def set_vault_orchestration_enabled
-        set(
-          'vault_orchestration_enabled',
-          N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
-          false,
-          N_('Vault Orchestration enabled')
-        )
-      end
-    end
-  end
-end