foreman_vault 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a11fc63d2584b7fd9f4ad6b561cdbdd471503d3de307d4a77610094d67d26b62
-  data.tar.gz: 215b5f6e87ed318a16b7623bedccb25d17dd001ee73281f144b6726a44aee28b
+  metadata.gz: dbbedb9d2f03e0e5d76b5c088d054852e1cbb8f44ff2d8454026b2fecf39215f
+  data.tar.gz: 0f8099efcfc129acc8d640e0240ef9418b7d4a657609d13a4e2094be7c0b8ec9
 SHA512:
-  metadata.gz: b73b1a230f9982752e8ede2a38b2afd1a071a7ca397fe5f518d6447dbd30ca4f94efcbf29d4c39430cb8f8bf5b9508d9c4edd542aead2ebde60d00e82f889833
-  data.tar.gz: 3b85d123010e4ff958ed12885792b759cddd81b550c4f3cc287cce45b38881ea6589e700caa99751f0f0baf79002a89c2089f5a5784b23d6dafbf3509dc938cd
+  metadata.gz: 50d747b63207ee9ae91733eb32bbbd8ee8479e985d1acf6584928a6b1017ab73c1a753b1ed792280ae68ded7f509c01243a106f4695b5f014ae9b88e480e1291
+  data.tar.gz: c146baed359276db93d4e696bd1b1f0cd700d022b4af12ba391cdfaccbfd858d1f0780b8d5ba20a56ea572215b19541e1213ac9b17989af05fccae6bcb0b4d76

data/README.md

@@ -18,6 +18,13 @@ Auth methods also get deleted after the host is removed from Foreman.
 
 This allows Foreman to create everything needed to access Hashicorp Vault directly from a VM using it's Puppet certificate (e.g. for _Deferred functions_ in Puppet or other CLI tools).
 
+## Compatibility
+
+| Foreman Version | Plugin Version |
+| --------------- | -------------- |
+| >= 1.23         | ~> 0.3         |
+| >= 1.20         | ~> 0.2         |
+
 ## Requirements
 
 - Foreman >= 1.20

data/app/models/concerns/foreman_vault/orchestration/vault_policy.rb

@@ -16,6 +16,7 @@ module ForemanVault
 
       def queue_vault_push
         return if !managed? || errors.any?
+        return unless orchestration_enabled?
         return unless vault_policy.valid?
         return unless vault_auth_method.valid?
 
@@ -25,6 +26,8 @@ module ForemanVault
 
       def queue_vault_destroy
         return if !managed? || errors.any?
+        return unless orchestration_enabled?
+        return unless vault_auth_method.valid?
 
         queue.create(name: _('Clear %s Vault data') % self, priority: 60,
                      action: [self, :del_vault])
@@ -54,6 +57,13 @@ module ForemanVault
         Foreman::Logging.exception("Failed to clear #{name} Vault data", e)
         failure format(_("Failed to clear %{name} Vault data: %{message}\n "), name: name, message: e.message), e
       end
+
+      def orchestration_enabled?
+        return false unless Setting[:vault_orchestration_enabled]
+        return false if vault_connection.nil?
+
+        true
+      end
     end
   end
 end

data/app/models/concerns/foreman_vault/provisioning_template_extensions.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module ForemanVault
+  module ProvisioningTemplateExtensions
+    extend ActiveSupport::Concern
+
+    def render(host: nil, params: {}, variables: {}, mode: Foreman::Renderer::REAL_MODE, template_input_values: {}, source_klass: nil)
+      source_klass = Foreman::Renderer::Source::Database if template_kind == TemplateKind.find_by(name: 'VaultPolicy')
+
+      super
+    end
+  end
+end

data/app/models/setting/vault.rb

@@ -6,7 +6,7 @@ class Setting
     BLANK_ATTRS << 'vault_policy_template'
 
     def self.default_settings
-      [set_vault_connection, set_vault_policy_template]
+      [set_vault_connection, set_vault_policy_template, set_vault_orchestration_enabled]
     end
 
     def self.load_defaults
@@ -40,12 +40,15 @@ class Setting
       end
 
       def default_vault_connection
+        return nil unless VaultConnection.table_exists?
         return unless VaultConnection.unscoped.count == 1
 
         VaultConnection.unscoped.first.name
       end
 
       def vault_connections_collection
+        return [] unless VaultConnection.table_exists?
+
         proc { Hash[VaultConnection.unscoped.all.map { |vc| [vc.name, vc.name] }] }
       end
 
@@ -68,6 +71,15 @@ class Setting
       def vault_policy_templates_collection
         proc { Hash[ProvisioningTemplate.unscoped.of_kind(:VaultPolicy).map { |tmpl| [tmpl.name, tmpl.name] }] }
       end
+
+      def set_vault_orchestration_enabled
+        set(
+          'vault_orchestration_enabled',
+          N_('Enable or disable the Vault orchestration step for managing policies and auth methods'),
+          false,
+          N_('Vault Orchestration enabled')
+        )
+      end
     end
   end
 end

data/app/services/foreman_vault/vault_auth_method.rb

@@ -23,7 +23,7 @@ module ForemanVault
     end
 
     def delete
-      return false unless name
+      return false unless valid?
 
       delete_certificate(name)
     end

data/app/services/foreman_vault/vault_policy.rb

@@ -29,7 +29,7 @@ module ForemanVault
     end
 
     def delete
-      return false unless name
+      return false unless valid?
 
       delete_policy(name)
     end

data/lib/foreman_vault/engine.rb

@@ -29,7 +29,7 @@ module ForemanVault
 
     initializer 'foreman_vault.register_plugin', before: :finisher_hook do |_app|
       Foreman::Plugin.register :foreman_vault do
-        requires_foreman '>= 1.20'
+        requires_foreman '>= 1.23'
 
         apipie_documented_controllers ["#{ForemanVault::Engine.root}/app/controllers/api/v2/*.rb"]
 
@@ -55,6 +55,7 @@ module ForemanVault
     config.to_prepare do
       begin
         ::Host::Managed.include(ForemanVault::HostExtensions)
+        ::ProvisioningTemplate.include(ForemanVault::ProvisioningTemplateExtensions)
         ::Foreman::Renderer::Scope::Base.include(ForemanVault::Macros)
         ::Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret, :vault_issue_certificate] }
       rescue StandardError => e

data/lib/foreman_vault/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ForemanVault
-  VERSION = '0.2.0'
+  VERSION = '0.3.0'
 end

data/test/factories/vault_policy_template.rb

@@ -4,6 +4,7 @@ FactoryBot.modify do
   factory :provisioning_template do
     trait :vault_policy do
       name { Setting['vault_policy_template'] || 'Default Vault Policy' }
+      template_kind { TemplateKind.find_or_create_by(name: 'VaultPolicy') }
       template { File.read(File.join(ForemanVault::Engine.root, 'app/views/unattended/provisioning_templates/VaultPolicy/default.erb')) }
     end
   end

data/test/models/foreman_vault/orchestration/vault_policy_test.rb

@@ -10,11 +10,14 @@ module ForemanVault
         let(:queue) { mock('queue') }
         let(:vault_policy) { mock('vault_policy') }
         let(:vault_auth_method) { mock('vault_auth_method') }
+        let(:vault_connection) { FactoryBot.create(:vault_connection, :without_callbacks) }
 
         setup do
           host.stubs(:queue).returns(queue)
           host.stubs(:vault_policy).returns(vault_policy)
           host.stubs(:vault_auth_method).returns(vault_auth_method)
+          FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
+          FactoryBot.create(:setting, name: :vault_orchestration_enabled, value: true)
         end
 
         test 'should queue Vault orchestration' do
@@ -50,6 +53,44 @@ module ForemanVault
         end
       end
 
+      describe '#queue_vault_destroy' do
+        let(:host) { FactoryBot.create(:host, :managed) }
+        let(:queue) { mock('queue') }
+        let(:vault_policy) { mock('vault_policy') }
+        let(:vault_auth_method) { mock('vault_auth_method') }
+        let(:vault_connection) { FactoryBot.create(:vault_connection, :without_callbacks) }
+
+        setup do
+          host.stubs(:queue).returns(queue)
+          host.stubs(:vault_policy).returns(vault_policy)
+          host.stubs(:vault_auth_method).returns(vault_auth_method)
+          FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
+          FactoryBot.create(:setting, name: :vault_orchestration_enabled, value: true)
+        end
+
+        context 'when auth_method is valid' do
+          test 'should queue del_vault' do
+            vault_auth_method.stubs(:valid?).returns(true)
+
+            queue.expects(:create).with(
+              name: "Clear #{host} Vault data",
+              priority: 60,
+              action: [host, :del_vault]
+            ).once
+            host.send(:queue_vault_destroy)
+          end
+        end
+
+        context 'when auth_method is not valid' do
+          test 'should not queue del_vault' do
+            vault_auth_method.stubs(:valid?).returns(false)
+
+            queue.expects(:create).never
+            host.send(:queue_vault_destroy)
+          end
+        end
+      end
+
       describe '#set_vault' do
         let(:environment) { FactoryBot.create(:environment, name: 'MyEnv') }
         let(:host) { FactoryBot.create(:host, :managed, environment: environment) }
@@ -92,6 +133,7 @@ module ForemanVault
 
         setup do
           Setting.find_by(name: 'ssl_ca_file').update(value: File.join(ForemanVault::Engine.root, 'test/fixtures/ca.crt'))
+          FactoryBot.create(:setting, name: :vault_orchestration_enabled, value: true)
           FactoryBot.create(:setting, :vault_policy)
           FactoryBot.create(:provisioning_template, :vault_policy, name: Setting['vault_policy_template'])
           FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)

data/test/models/vault_policy_template_test.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+class VaultPolicyTemplateTest < ActiveSupport::TestCase
+  let(:template) { FactoryBot.create(:provisioning_template, :vault_policy) }
+
+  it 'is rendered from a database' do
+    Foreman::Renderer.expects(:get_source).with(has_entry(klass: Foreman::Renderer::Source::Database))
+    Foreman::Renderer.stubs(:get_scope)
+    Foreman::Renderer.stubs(:render)
+
+    template.render
+  end
+end

data/test/unit/services/foreman_vault/vault_auth_method_test.rb

@@ -91,18 +91,18 @@ class VaultAuthMethodTest < ActiveSupport::TestCase
   end
 
   describe '#delete' do
-    context 'with name' do
+    context 'when valid' do
       it 'deletes Certificate' do
-        subject.stubs(:name).returns('name')
+        subject.stubs(:valid?).returns(true)
 
         subject.expects(:delete_certificate).once.with(subject.name)
         subject.delete
       end
     end
 
-    context 'without name' do
+    context 'when not valid' do
       it 'does not delete Certificate' do
-        subject.stubs(:name).returns(nil)
+        subject.stubs(:valid?).returns(false)
 
         subject.expects(:delete_certificate).never
         subject.delete

data/test/unit/services/foreman_vault/vault_policy_test.rb

@@ -112,18 +112,18 @@ class VaultPolicyTest < ActiveSupport::TestCase
   end
 
   describe '#delete' do
-    context 'with name' do
+    context 'when valid' do
       it 'deletes Vault Policy' do
-        subject.stubs(:name).returns('name')
+        subject.stubs(:valid?).returns(true)
 
         subject.expects(:delete_policy).once.with(subject.name)
         subject.delete
       end
     end
 
-    context 'without name' do
+    context 'when not valid' do
       it 'does not delete Vault Policy' do
-        subject.stubs(:name).returns(nil)
+        subject.stubs(:valid?).returns(false)
 
         subject.expects(:delete_policy).never
         subject.delete

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_vault
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - dmTECH GmbH
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-06-03 00:00:00.000000000 Z
+date: 2020-06-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: vault
@@ -52,7 +52,7 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 0.54.0
-description: 
+description:
 email:
 - opensource@dm.de
 executables: []
@@ -70,6 +70,7 @@ files:
 - app/lib/foreman_vault/macros.rb
 - app/models/concerns/foreman_vault/host_extensions.rb
 - app/models/concerns/foreman_vault/orchestration/vault_policy.rb
+- app/models/concerns/foreman_vault/provisioning_template_extensions.rb
 - app/models/setting/vault.rb
 - app/models/vault_connection.rb
 - app/services/foreman_vault/vault_auth_method.rb
@@ -109,6 +110,7 @@ files:
 - test/jobs/refresh_vault_tokens_test.rb
 - test/models/foreman_vault/orchestration/vault_policy_test.rb
 - test/models/vault_connection_test.rb
+- test/models/vault_policy_template_test.rb
 - test/test_plugin_helper.rb
 - test/unit/lib/foreman_vault/macros_test.rb
 - test/unit/services/foreman_vault/vault_auth_method_test.rb
@@ -118,7 +120,7 @@ homepage: https://github.com/dm-drogeriemarkt/foreman_vault
 licenses:
 - GPL-3.0
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -134,7 +136,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.1.2
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Adds support for using credentials from Hashicorp Vault
 test_files:
@@ -142,6 +144,7 @@ test_files:
 - test/unit/services/foreman_vault/vault_client_test.rb
 - test/unit/services/foreman_vault/vault_policy_test.rb
 - test/unit/services/foreman_vault/vault_auth_method_test.rb
+- test/models/vault_policy_template_test.rb
 - test/models/vault_connection_test.rb
 - test/models/foreman_vault/orchestration/vault_policy_test.rb
 - test/factories/vault_policy_template.rb