foreman_vault 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6107c566ac8bf65dd8b0c11f2c6534d26303e781407fef11f29612d5ca77325e
-  data.tar.gz: ae555560613c5b4dbe17281c05c7db8df0d244f82ffd27c56785e805c7ac04da
+  metadata.gz: 39553e728b4ff3661a8b0fc008ee0959e5fdbba5f915a9f7f9d09bdd24d9d65a
+  data.tar.gz: 34b06a3ffc2cfdd6055356c4af15e91bb7d94de7954983d0becc20881c85fef3
 SHA512:
-  metadata.gz: 3a86e4e2f4fc926c0c8ade16116830d311be2b54b00cca629465d1af4c4ecfaa84cd42614ebb8090c17b50eb92ce1f732d15969f1bbfea972e9fe489b73d12f3
-  data.tar.gz: 30afd42d83d3d91ce4d72fc4419cd2b0f360f495462d6e916b209db7619a63ada8a365169ec8903508aa738e9686a627bb9577b4648851bacffa8bf60b8592f5
+  metadata.gz: 04fe38f150fb63017eeb3803c14ea02fe6eb557a8a51d13f7f089bc4a7e5ca12f08182ede2c642e5dd6b47d5ab53e5adcc80e45117ad714ad6154cec2df486de
+  data.tar.gz: d6ecb38160b4180a137a6db4f0d9e7fa6e9e14d32ebc5e98cae09a92f18997946bacc548adc4a55f7e19107ae6f2fcdbe7e43ab5a540b0d96706239dd81aa462

data/app/models/concerns/foreman_vault/orchestration/vault_policy.rb

@@ -38,11 +38,7 @@ module ForemanVault
         logger.info "Pushing #{name} data to Vault"
 
         vault_policy.save if vault_policy.new?
-
-        if vault_auth_method.name != old&.vault_auth_method&.name
-          old&.vault_auth_method&.delete
-          vault_auth_method.save
-        end
+        vault_auth_method.save
         true
       rescue StandardError => e
         Foreman::Logging.exception("Failed to push #{name} data to Vault.", e)

data/app/models/setting/vault.rb

@@ -9,16 +9,34 @@ class Setting
       [set_vault_connection, set_vault_policy_template, set_vault_orchestration_enabled]
     end
 
+    # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
     def self.load_defaults
       # Check the table exists
       return unless super
 
       transaction do
-        default_settings.each { |s| create! s.update(category: 'Setting::Vault') }
+        default_settings.each do |s|
+          setting = create! s.update(category: 'Setting::Vault')
+
+          Foreman.try(:settings)&._add(
+            s[:name],
+            s.slice(:description, :default, :full_name, :encrypted)
+             .merge(category: 'Setting::Vault')
+             .yield_self do |params|
+               unless Gem::Version.new(SETTINGS[:version].notag) < Gem::Version.new('2.6')
+                 params[:context] = :vault
+                 params[:type] = setting.settings_type
+               end
+               params
+             end
+          )
+        end
       end
 
+      Foreman.try(:settings)&.load
       true
     end
+    # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
 
     def self.humanized_category
       N_('Vault')

data/app/services/foreman_vault/vault_auth_method.rb

@@ -11,9 +11,9 @@ module ForemanVault
     end
 
     def name
-      return if !host || !vault_policy_name
+      return unless host
 
-      [host, vault_policy_name].join('-').parameterize
+      host.name.parameterize
     end
 
     def save

data/app/views/unattended/provisioning_templates/VaultPolicy/default.erb

@@ -1,6 +1,6 @@
-# NAME: <%= @host.owner %>-<%= @host.environment %>
+# NAME: <%= @host.owner %>-<%= @host.name %>
 
-# allow access to secrets from puppet hosts from <foreman_owner>-<puppet_environment>
-path "secrets/data/<%= @host.owner %>/<%= @host.environment %>/*" {
+# allow access to secrets from puppet hosts from <foreman_owner>-<hostname>
+path "secrets/data/<%= @host.owner %>/<%= @host.name %>/*" {
     capabilities = ["create", "read", "update"]
 }

data/lib/foreman_vault/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ForemanVault
-  VERSION = '1.0.0'
+  VERSION = '1.1.0'
 end

data/lib/tasks/foreman_vault_tasks.rake

@@ -3,7 +3,50 @@
 require 'rake/testtask'
 
 # Tasks
-namespace :foreman_vault do
+namespace :foreman_vault do # rubocop:disable Metrics/BlockLength
+  namespace :auth_methods do
+    desc 'Push auth methods for all hosts to Vault'
+    task push: :environment do
+      User.as_anonymous_admin do
+        hosts = Host::Managed.where(managed: true)
+
+        hosts.each_with_index do |host, index|
+          begin
+            result = host.reload.vault_auth_method.save
+            if result
+              puts "[#{index + 1}/#{hosts.count}] Auth-Method of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
+            else
+              puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
+            end
+          rescue StandardError => err
+            puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{err}"
+          end
+        end
+      end
+    end
+  end
+
+  namespace :policies do
+    desc 'Push policies for all hosts to Vault'
+    task push: :environment do
+      User.as_anonymous_admin do
+        hosts = Host::Managed.where(managed: true)
+
+        hosts.each_with_index do |host, index|
+          begin
+            result = host.reload.vault_policy.save
+            if result
+              puts "[#{index + 1}/#{hosts.count}] Policy of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\""
+            else
+              puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{result}"
+            end
+          rescue StandardError => err
+            puts "[#{index + 1}/#{hosts.count}] Failed to push \"#{host.name}\": #{err}"
+          end
+        end
+      end
+    end
+  end
 end
 
 # Tests

data/test/lib/tasks/push_auth_methods_test.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+require 'rake'
+
+module ForemanVault
+  class PushAuthMethodsTest < ActiveSupport::TestCase
+    TASK_NAME = 'foreman_vault:auth_methods:push'
+
+    let(:host) { FactoryBot.create(:host, :managed) }
+    let(:vault_connection) { FactoryBot.create(:vault_connection, :without_callbacks) }
+
+    setup do
+      Rake.application.rake_require 'tasks/foreman_vault_tasks'
+
+      Rake::Task.define_task(:environment)
+      Rake::Task[TASK_NAME].reenable
+
+      FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
+
+      ForemanVault::VaultAuthMethod.any_instance.stubs(:vault_policy_name).returns('vault_policy_name')
+      ForemanVault::VaultAuthMethod.any_instance.stubs(:certificate).returns('cert')
+
+      ForemanVault::VaultClient.any_instance.stubs(:set_certificate).returns(true)
+    end
+
+    it 'does successfully push auth methods' do
+      host
+
+      stdout, _stderr = capture_io do
+        Rake::Task[TASK_NAME].invoke
+      end
+
+      assert_match("[1/1] Auth-Method of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\"", stdout)
+    end
+
+    it 'does throw an error when host was deleted' do
+      host
+
+      Host::Managed.any_instance.stubs(:reload).raises(ActiveRecord::RecordNotFound)
+
+      stdout, _stderr = capture_io do
+        Rake::Task[TASK_NAME].invoke
+      end
+
+      assert_match("[1/1] Failed to push \"#{host.name}\"", stdout)
+    end
+  end
+end

data/test/lib/tasks/push_policies_test.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+require 'rake'
+
+module ForemanVault
+  class PushPoliciesTest < ActiveSupport::TestCase
+    TASK_NAME = 'foreman_vault:policies:push'
+
+    let(:host) { FactoryBot.create(:host, :managed) }
+    let(:vault_connection) { FactoryBot.create(:vault_connection, :without_callbacks) }
+
+    setup do
+      Rake.application.rake_require 'tasks/foreman_vault_tasks'
+
+      Rake::Task.define_task(:environment)
+      Rake::Task[TASK_NAME].reenable
+
+      FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
+
+      ForemanVault::VaultPolicy.any_instance.stubs(:name).returns('vault_policy_name')
+      ForemanVault::VaultPolicy.any_instance.stubs(:rules).returns('rules')
+
+      ForemanVault::VaultClient.any_instance.stubs(:put_policy).returns(true)
+    end
+
+    it 'does successfully push policies' do
+      host
+
+      stdout, _stderr = capture_io do
+        Rake::Task[TASK_NAME].invoke
+      end
+
+      assert_match("[1/1] Policy of \"#{host.name}\" pushed to Vault server \"#{host.vault_connection.url}\"", stdout)
+    end
+
+    it 'does throw an error when host was deleted' do
+      host
+
+      Host::Managed.any_instance.stubs(:reload).raises(ActiveRecord::RecordNotFound)
+
+      stdout, _stderr = capture_io do
+        Rake::Task[TASK_NAME].invoke
+      end
+
+      assert_match("[1/1] Failed to push \"#{host.name}\"", stdout)
+    end
+  end
+end

data/test/models/foreman_vault/orchestration/vault_policy_test.rb

@@ -17,7 +17,11 @@ module ForemanVault
           host.stubs(:vault_policy).returns(vault_policy)
           host.stubs(:vault_auth_method).returns(vault_auth_method)
           FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
-          FactoryBot.create(:setting, name: :vault_orchestration_enabled, value: true)
+          if Setting.find_by(name: 'vault_orchestration_enabled')
+            Setting['vault_orchestration_enabled'] = true
+          else
+            FactoryBot.create(:setting, name: :vault_orchestration_enabled, value: true)
+          end
         end
 
         test 'should queue Vault orchestration' do
@@ -65,7 +69,11 @@ module ForemanVault
           host.stubs(:vault_policy).returns(vault_policy)
           host.stubs(:vault_auth_method).returns(vault_auth_method)
           FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
-          FactoryBot.create(:setting, name: :vault_orchestration_enabled, value: true)
+          if Setting.find_by(name: 'vault_orchestration_enabled')
+            Setting['vault_orchestration_enabled'] = true
+          else
+            FactoryBot.create(:setting, name: :vault_orchestration_enabled, value: true)
+          end
         end
 
         context 'when auth_method is valid' do
@@ -92,8 +100,7 @@ module ForemanVault
       end
 
       describe '#set_vault' do
-        let(:environment) { FactoryBot.create(:environment, name: 'MyEnv') }
-        let(:host) { FactoryBot.create(:host, :managed, environment: environment) }
+        let(:host) { FactoryBot.create(:host, :managed) }
         let(:vault_connection) { FactoryBot.create(:vault_connection, :without_callbacks) }
         let(:new_owner) { FactoryBot.create(:usergroup, name: 'MyOwner') }
 
@@ -105,16 +112,16 @@ module ForemanVault
           )
         end
 
-        let(:new_policy_name) { "#{new_owner}-#{host.environment}".parameterize }
+        let(:new_policy_name) { "#{new_owner}-#{host.name}".parameterize }
         let(:put_policy_request) do
           url = "#{vault_connection.url}/v1/sys/policy/#{new_policy_name}"
           # rubocop:disable Metrics/LineLength
-          rules = "# allow access to secrets from puppet hosts from <foreman_owner>-<puppet_environment>\npath \"secrets/data/MyOwner/MyEnv/*\" {\n    capabilities = [\"create\", \"read\", \"update\"]\n}\n"
+          rules = "# allow access to secrets from puppet hosts from <foreman_owner>-<hostname>\npath \"secrets/data/MyOwner/#{host.name}/*\" {\n    capabilities = [\"create\", \"read\", \"update\"]\n}\n"
           # rubocop:enable Metrics/LineLength
           stub_request(:put, url).with(body: JSON.fast_generate(rules: rules)).to_return(status: 200)
         end
 
-        let(:new_auth_method_name) { "#{host}-#{new_policy_name}".parameterize }
+        let(:new_auth_method_name) { host.name.parameterize }
         let(:post_auth_method_request) do
           url = "#{vault_connection.url}/v1/auth/cert/certs/#{new_auth_method_name}"
           stub_request(:post, url).with(
@@ -126,15 +133,23 @@ module ForemanVault
           ).to_return(status: 200)
         end
 
-        let(:delete_old_auth_method_request) do
+        let(:override_old_auth_method_request) do
           url = "#{vault_connection.url}/v1/auth/cert/certs/#{host.vault_auth_method.name}"
           stub_request(:delete, url).to_return(status: 200)
         end
 
         setup do
           Setting.find_by(name: 'ssl_ca_file').update(value: File.join(ForemanVault::Engine.root, 'test/fixtures/ca.crt'))
-          FactoryBot.create(:setting, name: :vault_orchestration_enabled, value: true)
-          FactoryBot.create(:setting, :vault_policy)
+          if Setting.find_by(name: 'vault_orchestration_enabled')
+            Setting['vault_orchestration_enabled'] = true
+          else
+            FactoryBot.create(:setting, name: :vault_orchestration_enabled, value: true)
+          end
+          if Setting.find_by(name: 'vault_policy_template')
+            Setting['vault_policy_template'] = 'Default Vault Policy'
+          else
+            FactoryBot.create(:setting, :vault_policy)
+          end
           FactoryBot.create(:provisioning_template, :vault_policy, name: Setting['vault_policy_template'])
           FactoryBot.create(:parameter, name: 'vault_connection', value: vault_connection.name)
           host.stubs(:skip_orchestration_for_testing?).returns(false)
@@ -142,13 +157,11 @@ module ForemanVault
           get_policies_request
           put_policy_request
           post_auth_method_request
-          delete_old_auth_method_request
 
           host.update(owner: new_owner)
         end
 
         it { assert_requested(post_auth_method_request) }
-        it { assert_requested(delete_old_auth_method_request) }
 
         context 'when policy already exists on Vault' do
           let(:vault_policies) { [new_policy_name] }

data/test/unit/services/foreman_vault/vault_auth_method_test.rb

@@ -8,26 +8,13 @@ class VaultAuthMethodTest < ActiveSupport::TestCase
   let(:host) { FactoryBot.create(:host, :managed) }
 
   describe '#name' do
-    context 'with host and vault_policy_name' do
-      setup do
-        subject.stubs(:vault_policy_name).returns('vault_policy_name')
-      end
-
-      it { assert_equal "#{host}-vault_policy_name".parameterize, subject.name }
+    context 'with host' do
+      it { assert_equal host.name.parameterize, subject.name }
     end
 
     context 'without host' do
       setup do
         subject.stubs(:host).returns(nil)
-        subject.stubs(:vault_policy_name).returns('vault_policy_name')
-      end
-
-      it { assert_nil subject.name }
-    end
-
-    context 'without vault_policy_name' do
-      setup do
-        subject.stubs(:vault_policy_name).returns(nil)
       end
 
       it { assert_nil subject.name }

data/test/unit/services/foreman_vault/vault_policy_test.rb

@@ -8,7 +8,11 @@ class VaultPolicyTest < ActiveSupport::TestCase
   let(:host) { FactoryBot.create(:host, :managed) }
 
   setup do
-    FactoryBot.create(:setting, name: 'vault_policy_template', value: 'Default Vault Policy')
+    if Setting.find_by(name: 'vault_policy_template')
+      Setting['vault_policy_template'] = 'Default Vault Policy'
+    else
+      FactoryBot.create(:setting, name: 'vault_policy_template', value: 'Default Vault Policy')
+    end
   end
 
   describe 'valid?' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_vault
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - dmTECH GmbH
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-11 00:00:00.000000000 Z
+date: 2021-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: vault
@@ -109,6 +109,8 @@ files:
 - test/functional/api/v2/vault_connections_controller_test.rb
 - test/jobs/refresh_vault_token_test.rb
 - test/jobs/refresh_vault_tokens_test.rb
+- test/lib/tasks/push_auth_methods_test.rb
+- test/lib/tasks/push_policies_test.rb
 - test/models/foreman_vault/orchestration/vault_policy_test.rb
 - test/models/vault_connection_test.rb
 - test/models/vault_policy_template_test.rb
@@ -136,7 +138,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.28
 signing_key:
 specification_version: 4
 summary: Adds support for using credentials from Hashicorp Vault
@@ -151,6 +153,8 @@ test_files:
 - test/factories/vault_policy_template.rb
 - test/factories/vault_connection.rb
 - test/factories/vault_setting.rb
+- test/lib/tasks/push_policies_test.rb
+- test/lib/tasks/push_auth_methods_test.rb
 - test/fixtures/ca.crt
 - test/test_plugin_helper.rb
 - test/jobs/refresh_vault_tokens_test.rb