hiera-eyaml-vault_rs 1.2.1 → 1.3.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 1a2e54c6d915c70d28abe1f92588e2790c042f00df1bdc4ed9b8e01844253d45
4
- data.tar.gz: b87e83acd3ac25b896863692bc47662793713eadd063e0f58396b1b14ccff8c9
3
+ metadata.gz: 4a3677ad3762c7f8c05f571f3990a00a4d5be082f1246fac19c40b5b6c4f5686
4
+ data.tar.gz: 0dd6a4ce7310233af213b8c6066ca38567833dd6cabfbf6fb1d1edfc58f13db5
5
5
  SHA512:
6
- metadata.gz: fd3bfa4258e45ecbf70d41eb860b1b16b8a8bcf64d8863acea3ca7d315d89a6a545777343a756d3af7f9fc19af77f59eb78903ec24a10b147cd949f684880a4a
7
- data.tar.gz: 12347df1a3aec525431ae09654507f73e50d54025ce34662fd4ae1f47de5251af6294a00874cb78152a888878b3394954193626562eaab260eca109f4c103614
6
+ metadata.gz: cde0dcc87f13403e4b559e143bb35c67632a52d17deb36c936c1d0253a85d62901d75c697c58488798fae419199e89f4fc4345f04f339074bcb229ce5154b89d
7
+ data.tar.gz: c19de0c79f62b8795b5ad6afc1b6cf3606082fffb42f0cccf14aaa26a7954f81d04ad77655b2faeccdb091120f80348b4968efda64b2e4029d82deca763421e7
@@ -35,16 +35,12 @@ class Hiera
35
35
  end
36
36
 
37
37
  http = Net::HTTP.new(uri.host, uri.port)
38
- if options[:cert]
39
- http.use_ssl = true
40
- http.verify_mode = OpenSSL::SSL::VERIFY_NONE
41
- http.cert = OpenSSL::X509::Certificate.new(options[:cert])
42
- http.key = OpenSSL::PKey::RSA.new(options[:key])
43
- elsif options[:ssl]
38
+ if options[:ssl]
44
39
  http.use_ssl = true
45
40
  http.verify_mode = options[:ssl_verify] ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
46
41
  http.cert = OpenSSL::X509::Certificate.new(options[:ssl_cert]) if options[:ssl_cert]
47
42
  http.key = OpenSSL::PKey::RSA.new(options[:ssl_key]) if options[:ssl_key]
43
+ http.ca_file = options[:ca_file] if options[:ca_file]
48
44
  end
49
45
 
50
46
  begin
@@ -61,4 +57,3 @@ class Hiera
61
57
  end
62
58
  end
63
59
  end
64
-
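Review bot: The new `http.ca_file = options[:ca_file] if options[:ca_file]` line has no effect unless `ssl_verify` is also set, because the `verify_mode` line above it still selects `OpenSSL::SSL::VERIFY_NONE` whenever `options[:ssl_verify]` is falsy, so a caller who supplies a CA bundle expecting the Vault server to be verified silently gets no verification at all. Either let a configured bundle imply peer verification, `http.verify_mode = (options[:ssl_verify] || options[:ca_file]) ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE`, or emit a warning when `ca_file` is given without `ssl_verify`. Folding the removed `options[:cert]` branch, which hard-coded `VERIFY_NONE`, into the `options[:ssl]` branch is a clear improvement, but it is worth a comment on the `if options[:ssl]` line that client-certificate authentication now only works when `ssl` is enabled, since the certificate and key are assigned inside that branch. The enclosing method starts before this hunk.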
@@ -12,12 +12,20 @@ class Hiera
12
12
  class Vault_rs < Encryptor
13
13
  class AuthenticationError < Exception
14
14
  end
15
-
15
+
16
16
  HTTP_HANDLER = Hiera::Backend::Eyaml::Encryptors::Vault_rs::Httphandler
17
17
 
18
18
  self.tag = 'VAULT_RS'
19
19
 
20
20
  self.options = {
21
+
22
+ :login_type => {
23
+ desc: "Method to login to Vault",
24
+ type: :string,
25
+ # allowed_values: ['approle', 'cert', 'ldap']
26
+ default: "approle"
27
+ },
28
+
21
29
  :addr => {
22
30
  desc: "Address of the vault server",
23
31
  type: :string,
@@ -39,16 +47,6 @@ class Hiera
39
47
  type: :string,
40
48
  },
41
49
 
42
- :client_cert => {
43
- desc: "Path to the client certificate for certificate-based authentication",
44
- type: :string,
45
- },
46
-
47
- :client_key => {
48
- desc: "Path to the client private key for certificate-based authentication",
49
- type: :string,
50
- },
51
-
52
50
  :use_ssl => {
53
51
  desc: "Use SSL to connect to vault",
54
52
  type: :boolean,
@@ -71,6 +69,11 @@ class Hiera
71
69
  type: :string
72
70
  },
73
71
 
72
+ :ca_file => {
73
+ desc: "Path to the CA bundle file for SSL verification",
74
+ type: :string
75
+ },
76
+
74
77
  :transit_name => {
75
78
  desc: "Vault transit engine name (default 'transit')",
76
79
  type: :string,
@@ -83,6 +86,18 @@ class Hiera
83
86
  default: "hiera"
84
87
  },
85
88
 
89
+ :ldap_username => {
90
+ desc: "Vault LDAP login name",
91
+ type: :string,
92
+ default: ""
93
+ },
94
+
95
+ :ldap_password => {
96
+ desc: "Vault LDAP login password",
97
+ type: :string,
98
+ default: ""
99
+ },
100
+
86
101
  :api_version => {
87
102
  desc: "API version to use",
88
103
  type: :integer,
@@ -108,10 +123,10 @@ class Hiera
108
123
  # Debug flag
109
124
  debug = ENV['EYAML_DEBUG'] == 'true'
110
125
  puts "Resolving option for key: #{key}" if debug
111
-
126
+
112
127
  # Load the configuration file if not already loaded
113
128
  load_config if @config_defaults.nil?
114
-
129
+
115
130
  # Try to resolve the option from the configuration file first
116
131
  unless @config_defaults.nil?
117
132
  config_option = @config_defaults[key.to_s]
@@ -127,7 +142,7 @@ class Hiera
127
142
  end
128
143
 
129
144
  def create_keys
130
- diagnostic_message = self.option :diagnostic_message
145
+ diagnostic_message = self.option :diagnostic_message
131
146
  puts "Create_keys: #{diagnostic_message}"
132
147
  end
133
148
 
@@ -140,7 +155,8 @@ class Hiera
140
155
  end
141
156
 
142
157
  def login
143
- if option(:role_id)
158
+ case option(:login_type)
159
+ when 'approle'
144
160
  role_id = option :role_id
145
161
  secret_id = option :secret_id
146
162
 
@@ -149,13 +165,22 @@ class Hiera
149
165
 
150
166
  response = vault_post(login_data, :login, false)
151
167
  @login_token = response['auth']['client_token']
152
- elsif option(:client_cert)
168
+ when 'cert'
153
169
  auth_name = option :auth_name
154
170
 
155
171
  login_data = { "name" => auth_name }
156
172
 
157
173
  response = vault_post(login_data, :cert_login, false)
158
174
  @login_token = response['auth']['client_token']
175
+ when 'ldap'
176
+ password = option :ldap_password
177
+
178
+ login_data = { "password" => password }
179
+
180
+ response = vault_post(login_data, :ldap_login, false)
181
+ @login_token = response['auth']['client_token']
182
+ else
183
+ raise ArgumentError, "Invalid login_type '#{option(:login_type)}'"
159
184
  end
160
185
  end
161
186
 
@@ -180,18 +205,6 @@ class Hiera
180
205
  @vault_ssl_cert
181
206
  end
182
207
 
183
- def client_cert
184
- return nil if option(:client_cert).nil?
185
- @vault_client_cert ||= read_file(option :client_cert)
186
- @vault_client_cert
187
- end
188
-
189
- def client_key
190
- return nil if option(:client_key).nil?
191
- @vault_client_key ||= read_file(option :client_key)
192
- @vault_client_key
193
- end
194
-
195
208
  def token_configured?
196
209
  return true if ENV['VAULT_TOKEN']
197
210
  not option(:token).nil?
@@ -217,7 +230,8 @@ class Hiera
217
230
  :decrypt => "#{option(:transit_name)}/decrypt/#{option(:key_name)}",
218
231
  :encrypt => "#{option(:transit_name)}/encrypt/#{option(:key_name)}",
219
232
  :login => "auth/approle/login",
220
- :cert_login => "auth/cert/login"
233
+ :cert_login => "auth/cert/login",
234
+ :ldap_login => "auth/ldap/login/#{option(:ldap_username)}"
221
235
  }
222
236
 
223
237
  # Output debug information if the debug mode is enabled
@@ -253,18 +267,14 @@ class Hiera
253
267
  def vault_post(data, action, use_token=true, headers={})
254
268
  url = url_path(action)
255
269
  http_options = {}
256
- if option(:client_cert)
257
- http_options = {
258
- :cert => client_cert,
259
- :key => client_key,
260
- }
261
- elsif ssl?
270
+ if ssl?
262
271
  http_options = {
263
272
  :ssl => true,
264
273
  :ssl_verify => option(:ssl_verify),
265
274
  :ssl_cert => ssl_cert,
266
275
  :ssl_key => ssl_key,
267
276
  }
277
+ http_options[:ca_file] = option(:ca_file) if option(:ca_file)
268
278
  end
269
279
 
270
280
  begin
@@ -292,7 +302,7 @@ class Hiera
292
302
  response_data=response['data']
293
303
  response_data['ciphertext']
294
304
  end
295
- end
305
+ end
296
306
  end
297
307
  end
298
308
  end
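Review bot: The new `:ldap_login => "auth/ldap/login/#{option(:ldap_username)}"` entry interpolates the username straight into the URL path while `:ldap_username` defaults to `""`, so a missing username produces `auth/ldap/login/` and a name containing `/`, `?` or `#` alters the request URL; the `when 'ldap'` branch in `login` then dereferences `response['auth']['client_token']` and fails with a `NoMethodError` rather than a clear error. Percent-encode the segment, `:ldap_login => "auth/ldap/login/#{ERB::Util.url_encode(option(:ldap_username))}"` (with `require 'erb'`), and open the `when 'ldap'` branch with `raise ArgumentError, "ldap_username is required for login_type 'ldap'" if option(:ldap_username).to_s.empty?`. The `when 'cert'` branch deserves an equivalent guard: after this change `vault_post` only builds `:ssl_cert`/`:ssl_key` inside `if ssl?`, so `login_type: cert` with `use_ssl` off sends no client certificate and fails opaquely. The `:ldap_password` option likewise defaults to `""`, which means an unset password is sent to Vault as an empty string instead of being rejected at configuration time; dropping the default and guarding on it would make that failure explicit. `login`, `vault_post` and the path-table method all start or end outside their hunks.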
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: hiera-eyaml-vault_rs
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.2.1
4
+ version: 1.3.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - ryan-scheinberg
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2023-09-27 00:00:00.000000000 Z
12
+ date: 2023-12-05 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: hiera-eyaml