pe_rbac 0.2.0 → 0.3.0
- checksums.yaml +4 -4
- data/exe/pe_rbac +34 -8
- data/lib/pe_rbac/version.rb +1 -1
- data/lib/pe_rbac.rb +29 -12
- metadata +2 -2
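--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 858d59d7f1c47371a5f8379f5a9aa271d2ad6078
+data.tar.gz: 0f2bd35912191340c9978a0d08547d87bb6dc09b
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 07a17310e5e1369d72a97eba970a34dd5d33b919eac5a4ae8d9bbca6145ccd5c7692ffc955285a4229aaf00a065f02fd66471e8f56f80ad4299271018eb6d7a1
+data.tar.gz: 6ade6201c2003bcab6790d99086dfb4d4519ab9e2d226bc805406f0a246e438115dc7dd37b1ac16f721af0c12d1853acf9e46a03fcd0282610d7e03b4e3e8a82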
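--- a/data/exe/pe_rbac
+++ b/data/exe/pe_rbac
@@ -18,7 +18,7 @@ Escort::App.create do |app|
 username = options[:global][:commands][cmd][:options][:username]
 password = options[:global][:commands][cmd][:options][:password]
 email = options[:global][:commands][cmd][:options][:email]
-
+
 role_ids = PeRbac::get_role_ids(role)
 
 perms = [{
@@ -29,13 +29,13 @@ Escort::App.create do |app|
 
 # only need to update the role since its built-in
 PeRbac::update_role(
-role,
+role,
 nil,
-perms,
+perms,
 )
 
 PeRbac::ensure_user(username, email, username, password, role_ids)
-PeRbac::login(username, password, lifetime)
+PeRbac::login(username, password, lifetime)
 end
 command.options do |opts|
 opts.opt(:username,
@@ -91,15 +91,15 @@ Escort::App.create do |app|
 "action" => "edit_data",
 "instance" => "*",
 })
-end
+end
 
 # create/update the role
 PeRbac::ensure_role(
 role,
-description,
+description,
 perms
 )
-
+
 # get the ID of the newly created role
 role_ids = PeRbac::get_role_ids(role)
 
@@ -141,7 +141,33 @@ Escort::App.create do |app|
 'Custommise the role description',
 :long => '--description',
 :default => 'Token access to PuppetDB'
-)
+)
+end
+end
+
+app.command :reset_password do |command|
+command.summary "Reset a logon password"
+command.description "Obtain a reset token and then reset a password"
+command.action do |options, arguments|\
+# fixme - obtain automatically
+cmd = :reset_password
+username = options[:global][:commands][cmd][:options][:username]
+password = options[:global][:commands][cmd][:options][:password]
+
+PeRbac::reset_password(username, password)
+end
+command.options do |opts|
+opts.opt(:username,
+'Username to reset',
+:long => '--username',
+:default => 'admin'
+)
+opts.opt(:password,
+'Password to reset to',
+:long => '--password',
+:default => 'changeme'
+)
 end
 end
+
 end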
data/lib/pe_rbac/version.rb
CHANGED
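--- a/data/lib/pe_rbac.rb
+++ b/data/lib/pe_rbac.rb
@@ -12,7 +12,7 @@ module PeRbac
 pe_new_cert = "#{ssldir}/certs/#{fqdn}.pem"
 
 # pe 2016.4.0 removes the pe-internal-orchestrator.pem file but old systems
-# will still have the client cert (which won't work), so pick based on
+# will still have the client cert (which won't work), so pick based on
 # using pe-internal-orchestrator.pem if its available
 if File.exist?(pe_old_pk)
 pk = pe_old_pk
@@ -34,7 +34,7 @@ module PeRbac
 
 #
 # user
-#
+#
 
 def self.get_users
 JSON.parse(_request(:get, '/users').body)
@@ -97,8 +97,8 @@ module PeRbac
 user['email'] = email ? email : user['email']
 user['display_name'] = display_name ? display_name : user['display_name']
 end
-user['role_ids'] = role_ids ? role_ids : user['role_ids']
-user['is_revoked'] = (! is_revoked.nil?) ? is_revoked : user['is_revoked']
+user['role_ids'] = role_ids ? role_ids : user['role_ids']
+user['is_revoked'] = (! is_revoked.nil?) ? is_revoked : user['is_revoked']
 
 _request(:put, "/users/#{user['id']}", user)
 end
@@ -113,7 +113,7 @@ module PeRbac
 
 _request(:post, '/auth/reset', reset)
 end
-
+
 #
 # role
 #
@@ -138,7 +138,7 @@ module PeRbac
 found
 end
 
-
+
 # get the role id for a display name
 # eg ['Code Deployers', 'blah'] => [4,8]
 def self.get_role_ids(display_names)
@@ -167,8 +167,8 @@ module PeRbac
 create_role(display_name, description, permissions, user_ids)
 end
 end
-
-# https://docs.puppet.com/pe/latest/rbac_roles_v1.html#post-roles
+
+# https://docs.puppet.com/pe/latest/rbac_roles_v1.html#post-roles
 def self.create_role(display_name, description=display_name, permissions=[], user_ids=[], group_ids=[])
 role = {
 "permissions" => permissions,
@@ -182,7 +182,7 @@ module PeRbac
 
 def self.update_role(display_name, description=nil, permissions=nil, user_ids=nil, group_ids=nil)
 role_id = get_role_id(display_name)
-if role_id
+if role_id
 role = get_role(role_id)
 role['display_name'] = display_name ? display_name : role['display_name']
 role['description'] = description ? display_name : role['description']
@@ -195,7 +195,7 @@ module PeRbac
 raise("No such role exists: #{display_name} create it first or use ensure_role")
 end
 end
-
+
 
 #
 # Permissions
@@ -213,7 +213,7 @@ module PeRbac
 "login" => login,
 "password" => password,
 }
-
+
 # see https://docs.puppet.com/pe/latest/rbac_token_auth.html#setting-a-token-specific-lifetime
 if lifetime
 payload["lifetime"] = lifetime
@@ -232,6 +232,23 @@ module PeRbac
 File.chmod(0600, tokenfile)
 end
 
+def self.reset_password(login, password)
+# lookup user id
+user_id = self.get_user_id(login)
+if user_id
+# get password reset token
+reset_token = _request(:post, "/users/#{user_id}/password/reset")
+
+# reset password
+_request(:post, '/auth/reset', {
+'token' => reset_token,
+'password' => password,
+})
+else
+Escort::Logger.error.error "No such user: #{login}"
+end
+end
+
 private
 
 def self._request(method, path, payload=nil, raw=false)
@@ -247,7 +264,7 @@ module PeRbac
 end
 begin
 RestClient::Request.execute(
-method: method,
+method: method,
 url: url,
 ssl_ca_file: CONF[:cacert],
 ssl_client_cert: OpenSSL::X509::Certificate.new(File.read(CONF[:cert])),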
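--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pe_rbac
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.3.0
 platform: ruby
 authors:
 - Geoff Williams
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-11-
+date: 2016-11-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler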