hiera-eyaml-vault_rs 1.2.0 → 1.3.0
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 4a3677ad3762c7f8c05f571f3990a00a4d5be082f1246fac19c40b5b6c4f5686
|
4
|
+
data.tar.gz: 0dd6a4ce7310233af213b8c6066ca38567833dd6cabfbf6fb1d1edfc58f13db5
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: cde0dcc87f13403e4b559e143bb35c67632a52d17deb36c936c1d0253a85d62901d75c697c58488798fae419199e89f4fc4345f04f339074bcb229ce5154b89d
|
7
|
+
data.tar.gz: c19de0c79f62b8795b5ad6afc1b6cf3606082fffb42f0cccf14aaa26a7954f81d04ad77655b2faeccdb091120f80348b4968efda64b2e4029d82deca763421e7
|
@@ -35,16 +35,12 @@ class Hiera
|
|
35
35
|
end
|
36
36
|
|
37
37
|
http = Net::HTTP.new(uri.host, uri.port)
|
38
|
-
if options[:
|
39
|
-
http.use_ssl = true
|
40
|
-
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
|
41
|
-
http.cert = OpenSSL::X509::Certificate.new(options[:cert])
|
42
|
-
http.key = OpenSSL::PKey::RSA.new(options[:key])
|
43
|
-
elsif options[:ssl]
|
38
|
+
if options[:ssl]
|
44
39
|
http.use_ssl = true
|
45
40
|
http.verify_mode = options[:ssl_verify] ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
|
46
41
|
http.cert = OpenSSL::X509::Certificate.new(options[:ssl_cert]) if options[:ssl_cert]
|
47
42
|
http.key = OpenSSL::PKey::RSA.new(options[:ssl_key]) if options[:ssl_key]
|
43
|
+
http.ca_file = options[:ca_file] if options[:ca_file]
|
48
44
|
end
|
49
45
|
|
50
46
|
begin
|
@@ -61,4 +57,3 @@ class Hiera
|
|
61
57
|
end
|
62
58
|
end
|
63
59
|
end
|
64
|
-
|
@@ -12,12 +12,20 @@ class Hiera
|
|
12
12
|
class Vault_rs < Encryptor
|
13
13
|
class AuthenticationError < Exception
|
14
14
|
end
|
15
|
-
|
15
|
+
|
16
16
|
HTTP_HANDLER = Hiera::Backend::Eyaml::Encryptors::Vault_rs::Httphandler
|
17
17
|
|
18
|
-
self.tag = '
|
18
|
+
self.tag = 'VAULT_RS'
|
19
19
|
|
20
20
|
self.options = {
|
21
|
+
|
22
|
+
:login_type => {
|
23
|
+
desc: "Method to login to Vault",
|
24
|
+
type: :string,
|
25
|
+
# allowed_values: ['approle', 'cert', 'ldap']
|
26
|
+
default: "approle"
|
27
|
+
},
|
28
|
+
|
21
29
|
:addr => {
|
22
30
|
desc: "Address of the vault server",
|
23
31
|
type: :string,
|
@@ -39,16 +47,6 @@ class Hiera
|
|
39
47
|
type: :string,
|
40
48
|
},
|
41
49
|
|
42
|
-
:client_cert => {
|
43
|
-
desc: "Path to the client certificate for certificate-based authentication",
|
44
|
-
type: :string,
|
45
|
-
},
|
46
|
-
|
47
|
-
:client_key => {
|
48
|
-
desc: "Path to the client private key for certificate-based authentication",
|
49
|
-
type: :string,
|
50
|
-
},
|
51
|
-
|
52
50
|
:use_ssl => {
|
53
51
|
desc: "Use SSL to connect to vault",
|
54
52
|
type: :boolean,
|
@@ -71,6 +69,11 @@ class Hiera
|
|
71
69
|
type: :string
|
72
70
|
},
|
73
71
|
|
72
|
+
:ca_file => {
|
73
|
+
desc: "Path to the CA bundle file for SSL verification",
|
74
|
+
type: :string
|
75
|
+
},
|
76
|
+
|
74
77
|
:transit_name => {
|
75
78
|
desc: "Vault transit engine name (default 'transit')",
|
76
79
|
type: :string,
|
@@ -83,6 +86,18 @@ class Hiera
|
|
83
86
|
default: "hiera"
|
84
87
|
},
|
85
88
|
|
89
|
+
:ldap_username => {
|
90
|
+
desc: "Vault LDAP login name",
|
91
|
+
type: :string,
|
92
|
+
default: ""
|
93
|
+
},
|
94
|
+
|
95
|
+
:ldap_password => {
|
96
|
+
desc: "Vault LDAP login password",
|
97
|
+
type: :string,
|
98
|
+
default: ""
|
99
|
+
},
|
100
|
+
|
86
101
|
:api_version => {
|
87
102
|
desc: "API version to use",
|
88
103
|
type: :integer,
|
@@ -108,10 +123,10 @@ class Hiera
|
|
108
123
|
# Debug flag
|
109
124
|
debug = ENV['EYAML_DEBUG'] == 'true'
|
110
125
|
puts "Resolving option for key: #{key}" if debug
|
111
|
-
|
126
|
+
|
112
127
|
# Load the configuration file if not already loaded
|
113
128
|
load_config if @config_defaults.nil?
|
114
|
-
|
129
|
+
|
115
130
|
# Try to resolve the option from the configuration file first
|
116
131
|
unless @config_defaults.nil?
|
117
132
|
config_option = @config_defaults[key.to_s]
|
@@ -127,7 +142,7 @@ class Hiera
|
|
127
142
|
end
|
128
143
|
|
129
144
|
def create_keys
|
130
|
-
diagnostic_message = self.option :diagnostic_message
|
145
|
+
diagnostic_message = self.option :diagnostic_message
|
131
146
|
puts "Create_keys: #{diagnostic_message}"
|
132
147
|
end
|
133
148
|
|
@@ -140,7 +155,8 @@ class Hiera
|
|
140
155
|
end
|
141
156
|
|
142
157
|
def login
|
143
|
-
|
158
|
+
case option(:login_type)
|
159
|
+
when 'approle'
|
144
160
|
role_id = option :role_id
|
145
161
|
secret_id = option :secret_id
|
146
162
|
|
@@ -149,13 +165,22 @@ class Hiera
|
|
149
165
|
|
150
166
|
response = vault_post(login_data, :login, false)
|
151
167
|
@login_token = response['auth']['client_token']
|
152
|
-
|
168
|
+
when 'cert'
|
153
169
|
auth_name = option :auth_name
|
154
170
|
|
155
171
|
login_data = { "name" => auth_name }
|
156
172
|
|
157
173
|
response = vault_post(login_data, :cert_login, false)
|
158
174
|
@login_token = response['auth']['client_token']
|
175
|
+
when 'ldap'
|
176
|
+
password = option :ldap_password
|
177
|
+
|
178
|
+
login_data = { "password" => password }
|
179
|
+
|
180
|
+
response = vault_post(login_data, :ldap_login, false)
|
181
|
+
@login_token = response['auth']['client_token']
|
182
|
+
else
|
183
|
+
raise ArgumentError, "Invalid login_type '#{option(:login_type)}'"
|
159
184
|
end
|
160
185
|
end
|
161
186
|
|
@@ -180,18 +205,6 @@ class Hiera
|
|
180
205
|
@vault_ssl_cert
|
181
206
|
end
|
182
207
|
|
183
|
-
def client_cert
|
184
|
-
return nil if option(:client_cert).nil?
|
185
|
-
@vault_client_cert ||= read_file(option :client_cert)
|
186
|
-
@vault_client_cert
|
187
|
-
end
|
188
|
-
|
189
|
-
def client_key
|
190
|
-
return nil if option(:client_key).nil?
|
191
|
-
@vault_client_key ||= read_file(option :client_key)
|
192
|
-
@vault_client_key
|
193
|
-
end
|
194
|
-
|
195
208
|
def token_configured?
|
196
209
|
return true if ENV['VAULT_TOKEN']
|
197
210
|
not option(:token).nil?
|
@@ -217,7 +230,8 @@ class Hiera
|
|
217
230
|
:decrypt => "#{option(:transit_name)}/decrypt/#{option(:key_name)}",
|
218
231
|
:encrypt => "#{option(:transit_name)}/encrypt/#{option(:key_name)}",
|
219
232
|
:login => "auth/approle/login",
|
220
|
-
:cert_login => "auth/cert/login"
|
233
|
+
:cert_login => "auth/cert/login",
|
234
|
+
:ldap_login => "auth/ldap/login/#{option(:ldap_username)}"
|
221
235
|
}
|
222
236
|
|
223
237
|
# Output debug information if the debug mode is enabled
|
@@ -253,18 +267,14 @@ class Hiera
|
|
253
267
|
def vault_post(data, action, use_token=true, headers={})
|
254
268
|
url = url_path(action)
|
255
269
|
http_options = {}
|
256
|
-
if
|
257
|
-
http_options = {
|
258
|
-
:cert => client_cert,
|
259
|
-
:key => client_key,
|
260
|
-
}
|
261
|
-
elsif ssl?
|
270
|
+
if ssl?
|
262
271
|
http_options = {
|
263
272
|
:ssl => true,
|
264
273
|
:ssl_verify => option(:ssl_verify),
|
265
274
|
:ssl_cert => ssl_cert,
|
266
275
|
:ssl_key => ssl_key,
|
267
276
|
}
|
277
|
+
http_options[:ca_file] = option(:ca_file) if option(:ca_file)
|
268
278
|
end
|
269
279
|
|
270
280
|
begin
|
@@ -292,7 +302,7 @@ class Hiera
|
|
292
302
|
response_data=response['data']
|
293
303
|
response_data['ciphertext']
|
294
304
|
end
|
295
|
-
end
|
305
|
+
end
|
296
306
|
end
|
297
307
|
end
|
298
308
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: hiera-eyaml-vault_rs
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- ryan-scheinberg
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2023-
|
12
|
+
date: 2023-12-05 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: hiera-eyaml
|