foreman_vault 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dbbedb9d2f03e0e5d76b5c088d054852e1cbb8f44ff2d8454026b2fecf39215f
-  data.tar.gz: 0f8099efcfc129acc8d640e0240ef9418b7d4a657609d13a4e2094be7c0b8ec9
+  metadata.gz: d4b3350992a46b726aea3cee25dbca26efcd09f9b7f2d539543d13662661b36b
+  data.tar.gz: 8debbd584b231a9643563801dccb9da533b5821e70f5790f1ee80dc8065fd00f
 SHA512:
-  metadata.gz: 50d747b63207ee9ae91733eb32bbbd8ee8479e985d1acf6584928a6b1017ab73c1a753b1ed792280ae68ded7f509c01243a106f4695b5f014ae9b88e480e1291
-  data.tar.gz: c146baed359276db93d4e696bd1b1f0cd700d022b4af12ba391cdfaccbfd858d1f0780b8d5ba20a56ea572215b19541e1213ac9b17989af05fccae6bcb0b4d76
+  metadata.gz: d21b6079acb7e9f4d2972f899a23d104f76c7c65ea72d367043d3a174f0b071f47f94702763b781d67ee48cdb0d20adbdf28a2f8ede9299ba210e800f1459549
+  data.tar.gz: 588561b8a0ccc783e14a4c2fcff7ddb66c7d4c9f2cbef90c4eb4be4c4260aacbd24230ac8da51efc34218db793ce4faa8ee5e0abf24ddbbddbb6c1fcae4913af

data/README.md

@@ -30,6 +30,7 @@ This allows Foreman to create everything needed to access Hashicorp Vault direct
 - Foreman >= 1.20
 - Working Vault instance
   - with _cert_ auth enabled
+  - with _approle_ auth enabled
   - with _kv_ secret store enabled
 - valid Vault Token
 
@@ -48,6 +49,27 @@ $ vault token create -period=60m
 [...]
 ```
 
+To interact with Vault you can use Vault UI, which is available at `http://127.0.0.1:8200/ui`.
+
+- The AppRole auth method
+
+```
+$ vault auth enable approle
+$ vault write auth/approle/role/my-role policies="default"
+Success! Data written to: auth/approle/role/my-role
+$ vault read auth/approle/role/my-role/role-id
+Key        Value
+---        -----
+role_id    8403910c-e563-d2f2-1c77-6e26319be8b5
+$ vault write -f auth/approle/role/my-role/secret-id
+Key                   Value
+---                   -----
+secret_id             1058434b-b4aa-bf5a-b376-a15d9efb1059
+secret_id_accessor    9cc19ed7-201f-7438-782e-561edd12b2a8
+```
+
+See also [Vault CLI testing AppRole](https://gist.github.com/kamils-iRonin/d099908eaf0500de8ad9c2cea5658d01)
+
 ## Installation
 
 See [Plugins install instructions](https://theforeman.org/plugins/) for how to install Foreman plugins.

data/app/controllers/concerns/foreman_vault/controller/parameters/vault_connection.rb

@@ -9,7 +9,7 @@ module ForemanVault
         class_methods do
           def vault_connection_params_filter
             Foreman::ParameterFilter.new(::VaultConnection).tap do |filter|
-              filter.permit :name, :url, :token
+              filter.permit :name, :url, :token, :role_id, :secret_id
             end
           end
         end

data/app/lib/foreman_vault/macros.rb

@@ -4,7 +4,7 @@ module ForemanVault
   module Macros
     def vault_secret(vault_connection_name, secret_path)
       vault = VaultConnection.find_by!(name: vault_connection_name)
-      raise VaultError.new(N_('Invalid token for %s'), vault.name) unless vault.token_valid?
+      raise VaultError.new(N_('Invalid token for %s'), vault.name) if vault.with_token? && !vault.token_valid?
 
       vault.fetch_secret(secret_path)
     rescue ActiveRecord::RecordNotFound => e
@@ -13,7 +13,7 @@ module ForemanVault
 
     def vault_issue_certificate(vault_connection_name, secret_path, *options)
       vault = VaultConnection.find_by!(name: vault_connection_name)
-      raise VaultError.new(N_('Invalid token for %s'), vault.name) unless vault.token_valid?
+      raise VaultError.new(N_('Invalid token for %s'), vault.name) if vault.with_token? && !vault.token_valid?
       vault.issue_certificate(secret_path, *options)
     rescue ActiveRecord::RecordNotFound => e
       raise VaultError, e.message

data/app/models/concerns/foreman_vault/orchestration/vault_policy.rb

@@ -43,6 +43,7 @@ module ForemanVault
           old&.vault_auth_method&.delete
           vault_auth_method.save
         end
+        true
       rescue StandardError => e
         Foreman::Logging.exception("Failed to push #{name} data to Vault.", e)
         failure format(_('Failed to push %{name} data to Vault: %{message}\n '), name: name, message: e.message), e

data/app/models/vault_connection.rb

@@ -5,20 +5,42 @@ class VaultConnection < ApplicationRecord
 
   validates_lengths_from_database
   validates :name, presence: true, uniqueness: true
-  validates :url, :token, presence: true
+  validates :url, presence: true
   validates :url, format: URI.regexp(['http', 'https'])
 
-  before_create :set_expire_time
-  before_update :update_expire_time
+  validates :token, presence: true, if: -> { role_id.nil? || secret_id.nil? }
+  validates :token, inclusion: { in: [nil], message: _('AppRole or token must be blank') }, unless: -> { role_id.nil? || secret_id.nil? }
+  validates :role_id, presence: true, if: -> { token.nil? }
+  validates :role_id, inclusion: { in: [nil], message: _('AppRole or token must be blank') }, unless: -> { token.nil? }
+  validates :secret_id, presence: true, if: -> { token.nil? }
+  validates :secret_id, inclusion: { in: [nil], message: _('AppRole or token must be blank') }, unless: -> { token.nil? }
 
-  scope :with_valid_token, -> { where(vault_error: nil).where('expire_time > ?', Time.zone.now) }
+  before_validation :normalize_blank_values
+  before_create :set_expire_time, unless: -> { token.nil? }
+  before_update :update_expire_time, unless: -> { token.nil? }
+
+  scope :with_approle, -> { where.not(role_id: nil).where.not(secret_id: nil) }
+  scope :with_token, -> { where.not(token: nil) }
+  scope :with_valid_token, -> { with_token.where(vault_error: nil).where('expire_time > ?', Time.zone.now) }
 
   delegate :fetch_expire_time, :fetch_secret, :issue_certificate,
            :policy, :policies, :put_policy, :delete_policy,
            :set_certificate, :certificates, :delete_certificate, to: :client
 
+  def with_token?
+    token.present?
+  end
+
+  def with_approle?
+    role_id.present? && secret_id.present?
+  end
+
   def token_valid?
-    vault_error.nil? && expire_time && expire_time > Time.zone.now
+    return false unless with_token?
+    return false unless vault_error.nil?
+    return true unless expire_time
+
+    expire_time > Time.zone.now
   end
 
   def renew_token!
@@ -52,7 +74,13 @@ class VaultConnection < ApplicationRecord
     self.vault_error = e.message
   end
 
+  def normalize_blank_values
+    attributes.each do |column, _value|
+      self[column].present? || self[column] = nil
+    end
+  end
+
   def client
-    @client ||= ForemanVault::VaultClient.new(url, token)
+    @client ||= ForemanVault::VaultClient.new(url, token, role_id, secret_id)
   end
 end

data/app/services/foreman_vault/vault_client.rb

@@ -2,9 +2,11 @@
 
 module ForemanVault
   class VaultClient
-    def initialize(base_url, token)
+    def initialize(base_url, token, role_id, secret_id)
       @base_url = base_url
       @token = token
+      @role_id = role_id
+      @secret_id = secret_id
     end
 
     delegate :sys, :auth_tls, to: :client
@@ -13,7 +15,8 @@ module ForemanVault
 
     def fetch_expire_time
       response = client.auth_token.lookup_self
-      Time.zone.parse(response.data[:expire_time])
+      expire_time = response.data[:expire_time]
+      expire_time && Time.zone.parse(expire_time)
     end
 
     def fetch_secret(secret_path)
@@ -38,10 +41,16 @@ module ForemanVault
     class VaultClientError < Foreman::Exception; end
     class NoDataError < VaultClientError; end
 
-    attr_reader :base_url, :token
+    attr_reader :base_url, :token, :role_id, :secret_id
 
     def client
-      @client ||= Vault::Client.new(address: base_url, token: token)
+      @client ||= if role_id.present? && secret_id.present?
+                    Vault::Client.new(address: base_url).tap do |client|
+                      client.auth.approle(role_id, secret_id)
+                    end
+                  else
+                    Vault::Client.new(address: base_url, token: token)
+                  end
     end
   end
 end

data/app/views/vault_connections/_form.html.erb

@@ -1,7 +1,23 @@
-<%= form_for @vault_connection, :url => (@vault_connection.new_record? ? vault_connections_path : vault_connection_path(:id => @vault_connection)) do |f| %>
+<%= form_for @vault_connection, url: (@vault_connection.new_record? ? vault_connections_path : vault_connection_path(id: @vault_connection)) do |f| %>
   <%= base_errors_for @vault_connection %>
-  <%= text_f f, :name, :help_inline => _("Vault Connection name") %>
-  <%= text_f f, :url, :help_inline => _("Vault Server url") %>
-  <%= text_f f, :token, :help_inline => _("Vault Connection token") %>
+  <%= text_f f, :name, help_inline: _("Vault Connection name") %>
+  <%= text_f f, :url, help_inline: _("Vault Server url") %>
+  <div class="auth_methods">
+    <h4><%=_("Auth Methods")%></h4>
+    <%= alert(text: _('Please only fill in one auth method'), class: 'alert-info', close: false) %>
+    <ul class="nav nav-tabs" data-tabs="tabs">
+      <li class="active"><a href="#approle" data-toggle="tab"><%= _('AppRole') %></a></li>
+      <li><a href="#token" data-toggle="tab"><%= _('Token') %></a></li>
+    </ul>
+    <div class="tab-content">
+      <div class="tab-pane active" id="approle">
+        <%= text_f f, :role_id, label: _("Role ID"), help_inline: _("Vault Connection Role ID") %>
+        <%= text_f f, :secret_id, label: _("Secret ID"), help_inline: _("Vault Connection Secret ID") %>
+      </div>
+      <div class="tab-pane" id="token">
+        <%= text_f f, :token, help_inline: _("Vault Connection token") %>
+      </div>
+    </div>
+  </div>
   <%= submit_or_cancel f %>
 <% end %>

data/app/views/vault_connections/index.html.erb

@@ -4,9 +4,11 @@
 <table class="<%= table_css_classes 'table-fixed' %>">
   <thead>
     <tr>
-      <th class="col-md-9"><%= sort :name, :as => s_('Vault Connections|Name') %></th>
-      <th class="col-md-1"><%= _('Valid') %></th>
-      <th class="col-md-1"><%= _('Expire time') %></th>
+      <th class="col-md-2"><%= sort :name, as: s_('Vault Connections|Name') %></th>
+      <th class="col-md-2"><%= _('URL') %></th>
+      <th class="col-md-2"><%= _('Role ID') %></th>
+      <th class="col-md-1"><%= _('Token Valid') %></th>
+      <th class="col-md-1"><%= _('Token Expire time') %></th>
       <th class="col-md-1"><%= _('Actions') %></th>
     </tr>
   </thead>
@@ -14,17 +16,29 @@
     <% @vault_connections.each do |vault_connection| %>
       <tr>
         <td class="ellipsis">
-          <%= link_to_if_authorized vault_connection.name, hash_for_edit_vault_connection_path(:id => vault_connection) %>
+          <%= link_to_if_authorized vault_connection.name, hash_for_edit_vault_connection_path(id: vault_connection) %>
+        </td>
+        <td class="ellipsis">
+          <code class="transparent"><%= vault_connection.url %></code>
+        </td>
+        <td class="ellipsis">
+          <% if vault_connection.with_approle? %>
+            <code class="transparent"><%= vault_connection.role_id %></code>
+          <% end %>
         </td>
         <td align='center'>
-          <% if vault_connection.token_valid? %>
+          <% vault_connection.with_token? && if vault_connection.token_valid? %>
             <%= ('<span class="glyphicon glyphicon-ok"/>').html_safe %>
           <% else %>
             <%= ('<span class="glyphicon glyphicon-remove" title="%s"/>' % vault_connection.vault_error).html_safe %>
           <% end %>
         </td>
-        <td><%= date_time_absolute(vault_connection.expire_time) %></td>
-        <td><%= action_buttons display_delete_if_authorized hash_for_vault_connection_path(:id => vault_connection), :data => { :confirm => _("Delete %s?") % vault_connection.name } %></td>
+        <td>
+          <% if vault_connection.with_token? %>
+            <%= date_time_absolute(vault_connection.expire_time) %>
+          <% end %>
+        </td>
+        <td><%= action_buttons display_delete_if_authorized hash_for_vault_connection_path(id: vault_connection), data: { confirm: _("Delete %s?") % vault_connection.name } %></td>
       </tr>
     <% end %>
   </tbody>

data/db/migrate/20201203220058_add_approle_to_vault_connection.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class AddApproleToVaultConnection < ActiveRecord::Migration[5.1]
+  def change
+    add_column :vault_connections, :role_id, :string
+    add_column :vault_connections, :secret_id, :string
+  end
+end

data/lib/foreman_vault/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ForemanVault
-  VERSION = '0.3.0'
+  VERSION = '0.4.0'
 end

data/test/factories/vault_connection.rb

@@ -8,7 +8,7 @@ FactoryBot.define do
     expire_time { Time.zone.now + 1.year }
 
     trait :invalid do
-      expire_time { nil }
+      expire_time { Time.zone.now - 1.year }
     end
 
     trait :without_callbacks do

data/test/unit/services/foreman_vault/vault_client_test.rb

@@ -3,10 +3,46 @@
 require 'test_plugin_helper'
 
 class VaultClientTest < ActiveSupport::TestCase
-  setup do
-    @subject = ForemanVault::VaultClient.new('http://127.0.0.1:8200', 'e57e5ef2-b25c-a0e5-65a6-863ab095dff6')
-    @client = mock
-    Vault::Client.expects(:new).returns(@client)
+  subject do
+    ForemanVault::VaultClient.new(base_url, token, nil, nil).tap do |vault_client|
+      vault_client.instance_variable_set(:@client, client)
+    end
+  end
+
+  let(:client) { Vault::Client }
+  let(:base_url) { 'http://127.0.0.1:8200' }
+  let(:token) { 's.opkr0MAqme5e5nr3i2or5wZC' }
+
+  describe 'auth with AppRole' do
+    subject { ForemanVault::VaultClient.new(base_url, nil, role_id, secret_id) }
+
+    let(:role_id) { '8403910c-e563-d2f2-1c77-6e26319be8b5' }
+    let(:secret_id) { '1058434b-b4aa-bf5a-b376-a15d9efb1059' }
+
+    setup do
+      stub_request(:post, "#{base_url}/v1/auth/approle/login").with(
+        body: {
+          role_id: role_id,
+          secret_id: secret_id
+        }
+      ).to_return(
+        status: 200,
+        headers: { 'Content-Type': 'application/json' },
+        body: {
+          auth: {
+            client_token: token
+          }
+        }.to_json
+      )
+    end
+
+    it { assert_equal token, subject.send(:client).token }
+  end
+
+  describe 'auth with token' do
+    subject { ForemanVault::VaultClient.new(base_url, token, nil, nil) }
+
+    it { assert_equal token, subject.send(:client).token }
   end
 
   describe '#fetch_expire_time' do
@@ -14,11 +50,11 @@ class VaultClientTest < ActiveSupport::TestCase
       @time = '2018-08-01T20:08:55.525830559+02:00'
       response = OpenStruct.new(data: { expire_time: @time })
       auth_token = mock.tap { |object| object.expects(:lookup_self).once.returns(response) }
-      @client.expects(:auth_token).once.returns(auth_token)
+      client.expects(:auth_token).once.returns(auth_token)
     end
 
     test 'should return expire time' do
-      assert_equal Time.zone.parse(@time), @subject.fetch_expire_time
+      assert_equal Time.zone.parse(@time), subject.fetch_expire_time
     end
   end
 
@@ -29,11 +65,11 @@ class VaultClientTest < ActiveSupport::TestCase
       response = OpenStruct.new(data: @data)
       logical = mock.tap { |object| object.expects(:read).once.with(@secret_path).returns(response) }
 
-      @client.expects(:logical).once.returns(logical)
+      client.expects(:logical).once.returns(logical)
     end
 
     test 'should return expire time' do
-      assert_equal @data, @subject.fetch_secret(@secret_path)
+      assert_equal @data, subject.fetch_secret(@secret_path)
     end
   end
 
@@ -52,11 +88,11 @@ class VaultClientTest < ActiveSupport::TestCase
       response = OpenStruct.new(data: @data)
       logical = mock.tap { |object| object.expects(:write).once.with(@pki_path).returns(response) }
 
-      @client.expects(:logical).once.returns(logical)
+      client.expects(:logical).once.returns(logical)
     end
 
     test 'should return new certificate' do
-      assert_equal @data, @subject.issue_certificate(@pki_path)
+      assert_equal @data, subject.issue_certificate(@pki_path)
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_vault
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - dmTECH GmbH
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-06-10 00:00:00.000000000 Z
+date: 2021-01-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: vault
@@ -92,6 +92,7 @@ files:
 - config/routes.rb
 - db/migrate/20180725072913_create_vault_connection.foreman_vault.rb
 - db/migrate/20180809172407_rename_vault_status_to_vault_error.foreman_vault.rb
+- db/migrate/20201203220058_add_approle_to_vault_connection.rb
 - db/seeds.d/103-provisioning_templates.rb
 - lib/foreman_vault.rb
 - lib/foreman_vault/engine.rb
@@ -135,7 +136,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key:
 specification_version: 4
 summary: Adds support for using credentials from Hashicorp Vault