inspec-vault 0.3.2 → 0.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +21 -3
- data/lib/inspec-vault/input.rb +34 -4
- data/lib/inspec-vault/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 13843b34e8af9ceeca87c9aa62daf8abce7dec302ec6a10a7298a8517d236607
|
|
4
|
+
data.tar.gz: 77c25c4d6fb5978cd8dde5e61ef2056e22f66bd929f99e309d03be7a190c90fb
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 6fdd7c2aedcc3dac543ca291b359b6d0bd80ee14857781674cda79c5c6b69c5c7d5fdfb6f7941da30f7454e395fc7c1affe07c117b86b0f1c1436688b527e8d3
|
|
7
|
+
data.tar.gz: 786a7ea8d8aa0e279c7e56a210626a5f1db6fb8b0b711bffb2f1187c616c5cc3ccdd6345a9d7711f77108bccc02aa2a28ff3e193e449712405bc00bccbf71e56
|
data/README.md
CHANGED
|
@@ -44,7 +44,14 @@ With that value stored, Chef InSpec will now be able to retrieve the value.
|
|
|
44
44
|
|
|
45
45
|
## What This Plugin Does
|
|
46
46
|
|
|
47
|
-
With the inspec-vault plugin enabled,
|
|
47
|
+
With the inspec-vault plugin enabled, whenever an `input()` DSL call appears in profile control code, Chef InSpec contacts the Vault server. If the secret is located in Vault, Chef InSpec uses this value. Otherwise, it searches for other sources to resolve the input, such as other plugins, profile metadata, or CLI values, as described in the Chef InSpec [input precedence](https://www.inspec.io/docs/reference/inputs/) documentation.
|
|
48
|
+
|
|
49
|
+
|
|
50
|
+
### Profile Based Lookup
|
|
51
|
+
|
|
52
|
+
The default mode allows you to use profile-specific secrets.
|
|
53
|
+
|
|
54
|
+
For example, whenever profile code like this is encountered:
|
|
48
55
|
|
|
49
56
|
```ruby
|
|
50
57
|
# In profile "my_profile"
|
|
@@ -53,7 +60,19 @@ describe input("some_input") do
|
|
|
53
60
|
end
|
|
54
61
|
```
|
|
55
62
|
|
|
56
|
-
|
|
63
|
+
With no other settings, Chef InSpec looks for a Vault secret located at `secret/inspec/my_profile` with a key named `some_input`, where `inspec` is derived from the `path_prefix` setting and `my_profile` is the name of this InSpec profile.
|
|
64
|
+
|
|
65
|
+
### Absolute Path Lookup
|
|
66
|
+
|
|
67
|
+
To access global information instead of a value related to a specific profile, qualify the path in absolute syntax with a starting `/`. For example:
|
|
68
|
+
|
|
69
|
+
```ruby
|
|
70
|
+
describe input("/configuration/webserver/password")
|
|
71
|
+
it { should cmp "some_expected_value" }
|
|
72
|
+
end
|
|
73
|
+
```
|
|
74
|
+
|
|
75
|
+
In this case, Chef InSpec searches the `secret/configuration/webserver` document and returns the value of the `password` key.
|
|
57
76
|
|
|
58
77
|
## Configuring the Plugin
|
|
59
78
|
|
|
@@ -111,4 +130,3 @@ Please have a look at our CONTRIBUTING.md for general guidelines.
|
|
|
111
130
|
Run `bundle exec rake test:lint` for linting, `bundle exec rake test:unit` for unit tests, and `bundle exec rake test:integration` for integration tests.
|
|
112
131
|
|
|
113
132
|
Note that integration tests will download and run Vault server locally.
|
|
114
|
-
|
data/lib/inspec-vault/input.rb
CHANGED
|
@@ -10,10 +10,15 @@ module InspecPlugins::Vault
|
|
|
10
10
|
attr_reader :path_prefix
|
|
11
11
|
attr_reader :vault
|
|
12
12
|
attr_reader :priority
|
|
13
|
+
attr_reader :input_name
|
|
14
|
+
attr_reader :logger
|
|
13
15
|
|
|
14
16
|
def initialize
|
|
15
17
|
@plugin_conf = Inspec::Config.cached.fetch_plugin_config("inspec-vault")
|
|
16
18
|
|
|
19
|
+
@logger = Inspec::Log
|
|
20
|
+
logger.debug format("Inspec-Vault plugin version %s", VERSION)
|
|
21
|
+
|
|
17
22
|
@mount_point = fetch_plugin_setting("mount_point", "secret")
|
|
18
23
|
@path_prefix = fetch_plugin_setting("path_prefix", "inspec")
|
|
19
24
|
|
|
@@ -40,31 +45,56 @@ module InspecPlugins::Vault
|
|
|
40
45
|
path = logical_path_for_profile(profile_name)
|
|
41
46
|
doc = vault.logical.read(path)
|
|
42
47
|
return [] unless doc
|
|
48
|
+
|
|
43
49
|
return doc.data[:data].keys.map(&:to_s)
|
|
44
50
|
end
|
|
45
51
|
end
|
|
46
52
|
|
|
47
53
|
# Fetch a value of a single input from Vault
|
|
48
|
-
# Assumption: inputs have been stored on documents named for their
|
|
49
|
-
# profiles, and each input has a key-value pair in the document.
|
|
50
54
|
# TODO we should probably cache these - https://github.com/inspec/inspec-vault/issues/15
|
|
51
55
|
def fetch(profile_name, input_name)
|
|
56
|
+
@input_name = input_name
|
|
57
|
+
|
|
52
58
|
path = logical_path_for_profile(profile_name)
|
|
59
|
+
item = input_name
|
|
60
|
+
|
|
61
|
+
if absolute_path?
|
|
62
|
+
_empty, *path, item = input_name.split("/")
|
|
63
|
+
path = logical_path path.join("/")
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
logger.info format("Reading Vault secret from %s", path)
|
|
53
67
|
vault.with_retries(Vault::HTTPConnectionError) do
|
|
54
68
|
doc = vault.logical.read(path)
|
|
55
69
|
# Keys from vault are always symbolized
|
|
56
|
-
return doc.data[:data][
|
|
70
|
+
return doc.data[:data][item.to_sym] if doc
|
|
57
71
|
end
|
|
58
72
|
end
|
|
59
73
|
|
|
60
74
|
private
|
|
61
75
|
|
|
76
|
+
# Assumption for profile based lookups: inputs have been stored on documents named
|
|
77
|
+
# for their profiles, and each input has a key-value pair in the document.
|
|
62
78
|
def logical_path_for_profile(profile_name)
|
|
79
|
+
logical_path(profile_name)
|
|
80
|
+
end
|
|
81
|
+
|
|
82
|
+
def logical_path(relative_path)
|
|
63
83
|
# When you actually read a value, on the KV2 backend you must
|
|
64
84
|
# read secret/data/path, not secret/path (as on the CLI)
|
|
65
85
|
# https://www.vaultproject.io/api/secret/kv/kv-v2.html#read-secret-version
|
|
66
86
|
# Is this true for all backends?
|
|
67
|
-
"#{mount_point}/data/#{
|
|
87
|
+
"#{mount_point}/data/#{prefix}#{relative_path}"
|
|
88
|
+
end
|
|
89
|
+
|
|
90
|
+
def prefix
|
|
91
|
+
return "#{path_prefix}/" unless absolute_path?
|
|
92
|
+
|
|
93
|
+
""
|
|
94
|
+
end
|
|
95
|
+
|
|
96
|
+
def absolute_path?
|
|
97
|
+
input_name.start_with?("/")
|
|
68
98
|
end
|
|
69
99
|
|
|
70
100
|
def fetch_plugin_setting(setting_name, default = nil)
|
data/lib/inspec-vault/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: inspec-vault
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- InSpec Core Engineering
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-08-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: vault
|
|
@@ -59,7 +59,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
59
59
|
- !ruby/object:Gem::Version
|
|
60
60
|
version: '0'
|
|
61
61
|
requirements: []
|
|
62
|
-
rubygems_version: 3.
|
|
62
|
+
rubygems_version: 3.1.2
|
|
63
63
|
signing_key:
|
|
64
64
|
specification_version: 4
|
|
65
65
|
summary: Use HashiCorp Vault data in your InSpec profiles
|