inspec-vault 0.3.2 → 0.4.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: cfbbbb425fb095bdf5a4124f20a3475f87f6d983074339889156e70eccb1cbc7
4
- data.tar.gz: c45dcca2381837fbb2380467ac66eae9321fce02ef23d5ab8cea27403ce9ca21
3
+ metadata.gz: 13843b34e8af9ceeca87c9aa62daf8abce7dec302ec6a10a7298a8517d236607
4
+ data.tar.gz: 77c25c4d6fb5978cd8dde5e61ef2056e22f66bd929f99e309d03be7a190c90fb
5
5
  SHA512:
6
- metadata.gz: fe1329781eca561a3788ed933bc5a46729447819be483e047095217caf4ae53d233e23936bf0201729e99b5c3cfc3a7096b7b9586c58a52908dec34fdaa88684
7
- data.tar.gz: 803e458ad47d5f518691b0e265c997689ffa045c3c144be241361436e342669f4fc4229f3c888c411b1c97657b19f2f01a391ca6e5601d277fffcb6cbb3bbbe6
6
+ metadata.gz: 6fdd7c2aedcc3dac543ca291b359b6d0bd80ee14857781674cda79c5c6b69c5c7d5fdfb6f7941da30f7454e395fc7c1affe07c117b86b0f1c1436688b527e8d3
7
+ data.tar.gz: 786a7ea8d8aa0e279c7e56a210626a5f1db6fb8b0b711bffb2f1187c616c5cc3ccdd6345a9d7711f77108bccc02aa2a28ff3e193e449712405bc00bccbf71e56
data/README.md CHANGED
@@ -44,7 +44,14 @@ With that value stored, Chef InSpec will now be able to retrieve the value.
44
44
 
45
45
  ## What This Plugin Does
46
46
 
47
- With the inspec-vault plugin enabled, Chef InSpec will contact the Vault server whenever an `input()` DSL call appears in profile control code. For example, whenever profile code like this is encountered:
47
+ With the inspec-vault plugin enabled, whenever an `input()` DSL call appears in profile control code, Chef InSpec contacts the Vault server. If the secret is located in Vault, Chef InSpec uses this value. Otherwise, it searches for other sources to resolve the input, such as other plugins, profile metadata, or CLI values, as described in the Chef InSpec [input precedence](https://www.inspec.io/docs/reference/inputs/) documentation.
48
+
49
+
50
+ ### Profile Based Lookup
51
+
52
+ The default mode allows you to use profile-specific secrets.
53
+
54
+ For example, whenever profile code like this is encountered:
48
55
 
49
56
  ```ruby
50
57
  # In profile "my_profile"
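Review bot: The new README text introduces two consecutive blank lines (new lines 48 and 49) between the "What This Plugin Does" paragraph and the "### Profile Based Lookup" heading; one blank line is enough and matches the spacing used elsewhere in the file. The rewritten paragraph itself reads well, but it would help to state up front that the lookup path depends on the `path_prefix` setting and the profile name, since the next section relies on that.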
@@ -53,7 +60,19 @@ describe input("some_input") do
53
60
  end
54
61
  ```
55
62
 
56
- Chef InSpec will determine a secret lookup path and access Vault. With no other settings, Chef InSpec will look for a Vault secret located at `secret/inspec/my_profile` with a key named "some_input". Chef InSpec will use the Vault secret if found, but otherwise it will fall back to other means of resolving the input, such as the profile metadata or CLI values.
63
+ With no other settings, Chef InSpec looks for a Vault secret located at `secret/inspec/my_profile` with a key named `some_input`, where `inspec` is derived from the `path_prefix` setting and `my_profile` is the name of this InSpec profile.
64
+
65
+ ### Absolute Path Lookup
66
+
67
+ To access global information instead of a value related to a specific profile, qualify the path in absolute syntax with a starting `/`. For example:
68
+
69
+ ```ruby
70
+ describe input("/configuration/webserver/password")
71
+ it { should cmp "some_expected_value" }
72
+ end
73
+ ```
74
+
75
+ In this case, Chef InSpec searches the `secret/configuration/webserver` document and returns the value of the `password` key.
57
76
 
58
77
  ## Configuring the Plugin
59
78
 
@@ -111,4 +130,3 @@ Please have a look at our CONTRIBUTING.md for general guidelines.
111
130
  Run `bundle exec rake test:lint` for linting, `bundle exec rake test:unit` for unit tests, and `bundle exec rake test:integration` for integration tests.
112
131
 
113
132
  Note that integration tests will download and run Vault server locally.
114
-
@@ -10,10 +10,15 @@ module InspecPlugins::Vault
10
10
  attr_reader :path_prefix
11
11
  attr_reader :vault
12
12
  attr_reader :priority
13
+ attr_reader :input_name
14
+ attr_reader :logger
13
15
 
14
16
  def initialize
15
17
  @plugin_conf = Inspec::Config.cached.fetch_plugin_config("inspec-vault")
16
18
 
19
+ @logger = Inspec::Log
20
+ logger.debug format("Inspec-Vault plugin version %s", VERSION)
21
+
17
22
  @mount_point = fetch_plugin_setting("mount_point", "secret")
18
23
  @path_prefix = fetch_plugin_setting("path_prefix", "inspec")
19
24
 
@@ -40,31 +45,56 @@ module InspecPlugins::Vault
40
45
  path = logical_path_for_profile(profile_name)
41
46
  doc = vault.logical.read(path)
42
47
  return [] unless doc
48
+
43
49
  return doc.data[:data].keys.map(&:to_s)
44
50
  end
45
51
  end
46
52
 
47
53
  # Fetch a value of a single input from Vault
48
- # Assumption: inputs have been stored on documents named for their
49
- # profiles, and each input has a key-value pair in the document.
50
54
  # TODO we should probably cache these - https://github.com/inspec/inspec-vault/issues/15
51
55
  def fetch(profile_name, input_name)
56
+ @input_name = input_name
57
+
52
58
  path = logical_path_for_profile(profile_name)
59
+ item = input_name
60
+
61
+ if absolute_path?
62
+ _empty, *path, item = input_name.split("/")
63
+ path = logical_path path.join("/")
64
+ end
65
+
66
+ logger.info format("Reading Vault secret from %s", path)
53
67
  vault.with_retries(Vault::HTTPConnectionError) do
54
68
  doc = vault.logical.read(path)
55
69
  # Keys from vault are always symbolized
56
- return doc.data[:data][input_name.to_sym] if doc
70
+ return doc.data[:data][item.to_sym] if doc
57
71
  end
58
72
  end
59
73
 
60
74
  private
61
75
 
76
+ # Assumption for profile based lookups: inputs have been stored on documents named
77
+ # for their profiles, and each input has a key-value pair in the document.
62
78
  def logical_path_for_profile(profile_name)
79
+ logical_path(profile_name)
80
+ end
81
+
82
+ def logical_path(relative_path)
63
83
  # When you actually read a value, on the KV2 backend you must
64
84
  # read secret/data/path, not secret/path (as on the CLI)
65
85
  # https://www.vaultproject.io/api/secret/kv/kv-v2.html#read-secret-version
66
86
  # Is this true for all backends?
67
- "#{mount_point}/data/#{path_prefix}/#{profile_name}"
87
+ "#{mount_point}/data/#{prefix}#{relative_path}"
88
+ end
89
+
90
+ def prefix
91
+ return "#{path_prefix}/" unless absolute_path?
92
+
93
+ ""
94
+ end
95
+
96
+ def absolute_path?
97
+ input_name.start_with?("/")
68
98
  end
69
99
 
70
100
  def fetch_plugin_setting(setting_name, default = nil)
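Review bot: `prefix` and `absolute_path?` read `@input_name`, which is only assigned inside `fetch`, so `logical_path_for_profile(profile_name)` as called from the listing method at the top of this hunk will raise on `nil` before any `fetch` has run, and after an absolute-path `fetch` it will silently drop the `path_prefix` for subsequent profile lookups because `prefix` still sees the previous input name. Compute the absolute flag locally instead of storing it on the instance, e.g. `absolute = input_name.start_with?("/")` in `fetch` and `def logical_path(relative_path, absolute: false)`, so `logical_path_for_profile` always uses the prefix. Two smaller points: `path = logical_path_for_profile(profile_name)` is computed even when the absolute branch overwrites it, and `_empty, *path, item = input_name.split("/")` for an input such as `/password` leaves `path` empty and yields `secret/data/`, which should be rejected rather than read. Finally, `logger.info format("Reading Vault secret from %s", path)` writes every secret path to the log at info level; debug level is more appropriate for a line emitted on each input resolution.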
@@ -5,6 +5,6 @@
5
5
  # to learn the current version.
6
6
  module InspecPlugins
7
7
  module Vault
8
- VERSION = "0.3.2".freeze
8
+ VERSION = "0.4.0".freeze
9
9
  end
10
10
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: inspec-vault
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.2
4
+ version: 0.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - InSpec Core Engineering
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-09-13 00:00:00.000000000 Z
11
+ date: 2020-08-07 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: vault
@@ -59,7 +59,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
59
59
  - !ruby/object:Gem::Version
60
60
  version: '0'
61
61
  requirements: []
62
- rubygems_version: 3.0.3
62
+ rubygems_version: 3.1.2
63
63
  signing_key:
64
64
  specification_version: 4
65
65
  summary: Use HashiCorp Vault data in your InSpec profiles