pe_rbac 0.1.3 → 0.2.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 9d51fc870e1249e5e42c38f4fe54c5ae2595e71a
4
- data.tar.gz: 29ba39485a027a14e68476169294e0ff877866bf
3
+ metadata.gz: e8e46eabe4fa453dae8cef44b5ae0f7371d9a2bb
4
+ data.tar.gz: d89e915974bd3bd5b7edb4bbc45e4736411905c6
5
5
  SHA512:
6
- metadata.gz: d13d751aeb2fb9028dd39e341efdf8ab735e7d13e2fd63ff589908d82942d87fa7dc2502f1cd49db5ade40fd09041c4adeb59cd887abd7cf97591fde4275deb6
7
- data.tar.gz: cf15c113f866a5b9bb814e01627c61c9b512ecf273140853ad20e06fd71770963cae863efea9f3e272dffd5fe5e46e4e30ac3f9462b62f5af6ae6995278e0b4c
6
+ metadata.gz: 0033af434edc4f964d0e442e66dca216551052d1e39c424648841d312949bcf3aabb1e82c0c7afbe8e74a15b1cb28a663e87728b5636958d06cc6cd319dad960
7
+ data.tar.gz: 3a13fd98d0dfd3aaac65e6609fb412bc090183d45bb01a145971e42538047f569e4bd7a53a1038bf39d9533cd6077d1809721ca6ac61fd58738f1638f01b6136
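--- a/data/README.md
+++ b/data/README.md
@@ -34,6 +34,15 @@ pe_rbac code_manager --password t0ps3cret
 Right now, the command line just provides a means to setup code manager. If you
 want to do more then this, you must use the Ruby API
 
+### Generating a token to use for ro/rw access to PuppetDB API
+```
+# read-only access
+pe_rbac puppetdb --password t0ps3cret
+
+# read-write access
+pe_rbac puppetdb --allow-write --password t0ps3cret
+```
+
 ### Ruby API
 An *IN FLUX* Ruby API exists, see code for more info. This WILL change (well it
 will if I do any more development work on this...) - expect module names,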
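--- a/data/exe/pe_rbac
+++ b/data/exe/pe_rbac
@@ -13,18 +13,27 @@ Escort::App.create do |app|
 command.action do |options, arguments|
 role = 'Code Deployers'
 cmd = :code_manager # FIXME obtain this automatically
+description = options[:global][:commands][cmd][:options][:description]
 lifetime = options[:global][:commands][cmd][:options][:lifetime]
 username = options[:global][:commands][cmd][:options][:username]
 password = options[:global][:commands][cmd][:options][:password]
 email = options[:global][:commands][cmd][:options][:email]
+
 role_ids = PeRbac::get_role_ids(role)
 
-perms = {
-"objectType" => "tokens",
-"action" => "override_lifetime",
-"instance" => nil,
-}
-PeRbac::update_role(role, permissions=perms)
+perms = [{
+"object_type" => "tokens",
+"action" => "override_lifetime",
+"instance" => "*",
+}]
+
+# only need to update the role since its built-in
+PeRbac::update_role(
+role,
+nil,
+perms,
+)
+
 PeRbac::ensure_user(username, email, username, password, role_ids)
 PeRbac::login(username, password, lifetime)
 end
@@ -52,4 +61,87 @@ Escort::App.create do |app|
 end
 end
 
+app.command :puppetdb do |command|
+command.summary "Access to PuppetDB"
+command.description "Create a user and token to access PuppetDB"
+command.action do |options, arguments|
+role = 'PuppetDB Readers'
+cmd = :puppetdb # FIXME obtain this automatically
+description = options[:global][:commands][cmd][:options][:description]
+lifetime = options[:global][:commands][cmd][:options][:lifetime]
+username = options[:global][:commands][cmd][:options][:username]
+password = options[:global][:commands][cmd][:options][:password]
+email = options[:global][:commands][cmd][:options][:email]
+allow_write = options[:global][:commands][cmd][:options][:allow_write]
+perms = [
+{
+"object_type" => "tokens",
+"action" => "override_lifetime",
+"instance" => "*",
+},
+{
+"object_type" => "nodes",
+"action" => "view_data",
+"instance" => "*",
+}
+]
+if allow_write
+perms.push({
+"object_type" => "nodes",
+"action" => "edit_data",
+"instance" => "*",
+})
+end
+
+# create/update the role
+PeRbac::ensure_role(
+role,
+description,
+perms
+)
+
+# get the ID of the newly created role
+role_ids = PeRbac::get_role_ids(role)
+
+# join a user to the role
+PeRbac::ensure_user(username, email, username, password, role_ids)
+
+# Generate and output the token
+token = PeRbac::token(username, password, lifetime)
+Escort::Logger.output.puts token
+end
+command.options do |opts|
+opts.opt(:username,
+'Username for puppetdb user',
+:long => '--username',
+:default => 'puppetdb_read'
+)
+opts.opt(:password,
+'Initial password for deploy user',
+:long => '--password',
+:default => 'changeme'
+)
+opts.opt(:email,
+'Email address',
+:long => '--email',
+:default => 'root@localhost'
+)
+opts.opt(:lifetime,
+'Token validity length',
+:long => '--lifetime',
+:default => '10y'
+)
+opts.opt(:allow_write,
+'Allow WRITING to PuppetDB?',
+:long => '--allow-write',
+:type => :boolean,
+:default => false
+)
+opts.opt(:description,
+'Custommise the role description',
+:long => '--description',
+:default => 'Token access to PuppetDB'
+)
+end
+end
 end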
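Review bot: The new puppetdb command gives `--password` the default `'changeme'` and then creates a real RBAC user with it via `PeRbac::ensure_user` before minting a token whose `--lifetime` default is `'10y'`, so a run with no arguments leaves a long-lived token tied to a well-known credential; guard the action with something like `raise 'a non-default --password is required' if password.nil? || password == 'changeme'`. The help text `'Initial password for deploy user'` looks copied from the code_manager command, and `'Custommise the role description'` is misspelled. In the first hunk `description` is read from the options but `PeRbac::update_role` is then called with `nil` in that position, so either the assignment is dead or the wrong argument is being passed. Both hunks sit inside the `Escort::App.create` block, which starts outside this section.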
@@ -1,3 +1,3 @@
1
1
  module PeRbac
2
- VERSION = "0.1.3"
2
+ VERSION = "0.2.0"
3
3
  end
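--- a/data/lib/pe_rbac.rb
+++ b/data/lib/pe_rbac.rb
@@ -149,30 +149,33 @@ module PeRbac
 ids = []
 display_names.each { |display_name|
 found=get_role_id(display_name)
-if !found
-raise("RBAC role '#{display_name}' not found")
+#if !found
+# raise("RBAC role '#{display_name}' not found")
+#end
+if found
+ids.push(found)
 end
-ids.push(found)
 }
 ids
 end
 
 # CREATE
-def self.ensure_role(display_name, description, permissions=[], users=[])
+def self.ensure_role(display_name, description, permissions=[], user_ids=[])
 if get_role_id(display_name)
-update_role(display_name, description, permissions, users)
+update_role(display_name, description, permissions, user_ids)
 else
-create_role(display_name, description, permissions, users)
+create_role(display_name, description, permissions, user_ids)
 end
 end
-
-def self.create_role(display_name, description, permissions=[], users=[])
+
+# https://docs.puppet.com/pe/latest/rbac_roles_v1.html#post-roles
+def self.create_role(display_name, description=display_name, permissions=[], user_ids=[], group_ids=[])
 role = {
+"permissions" => permissions,
+"user_ids" => user_ids,
+"group_ids" => group_ids,
 "display_name" => display_name,
 "description" => description,
-"permissions" => permissions,
-"user_ids" => users,
-"group_ids" => [], # doesn't seem to be used yet
 }
 _request(:post, '/roles', role)
 end
@@ -181,11 +184,11 @@ module PeRbac
 role_id = get_role_id(display_name)
 if role_id
 role = get_role(role_id)
-role['display_name'] = display_name ? display_name : role['display_name']
-role['description'] = description ? display_name : role['description']
-role['permissions'] = permissions ? display_name : role['permissions']
-role['user_ids'] = user_ids ? display_name : role['user_ids']
-role['group_ids'] = group_ids ? display_name : role['group_ids']
+role['display_name'] = display_name ? display_name : role['display_name']
+role['description'] = description ? display_name : role['description']
+role['permissions'] = permissions ? permissions : role['permissions']
+role['user_ids'] = user_ids ? user_ids : role['user_ids']
+role['group_ids'] = group_ids ? group_ids : role['group_ids']
 
 _request(:put, "/roles/#{role_id}", role)
 else
@@ -242,16 +245,23 @@ module PeRbac
 else
 _payload=nil
 end
-RestClient::Request.execute(
-method: method,
-url: url,
-ssl_ca_file: CONF[:cacert],
-ssl_client_cert: OpenSSL::X509::Certificate.new(File.read(CONF[:cert])),
-ssl_client_key: OpenSSL::PKey::RSA.new(File.read(CONF[:key])),
-ssl_version: :TLSv1,
-headers: {:content_type => :json, :accept => :json},
-payload: _payload,
-)
+begin
+RestClient::Request.execute(
+method: method,
+url: url,
+ssl_ca_file: CONF[:cacert],
+ssl_client_cert: OpenSSL::X509::Certificate.new(File.read(CONF[:cert])),
+ssl_client_key: OpenSSL::PKey::RSA.new(File.read(CONF[:key])),
+ssl_version: :TLSv1,
+headers: {:content_type => :json, :accept => :json},
+payload: _payload,
+)
+rescue RestClient::ExceptionWithResponse => e
+Escort::Logger.error.error url
+Escort::Logger.error.error _payload
+Escort::Logger.error.error e.response
+raise "API Error"
+end
 end
 
 end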
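Review bot: In the update_role hunk `role['description'] = description ? display_name : role['description']` still stores the display name whenever a description is supplied, so the fix applied to the three lines below it was missed here; it should read `role['description'] = description ? description : role['description']` (or simply `description || role['description']`). In the _request hunk the rescue logs `_payload` at error level, and the callers in exe/pe_rbac send user passwords through this client (`ensure_user`, `login`), so a failed request would write credentials into the error log; log only `url` and `e.response`, or redact password fields before logging. `get_role_ids` now silently drops names that do not resolve, so `ensure_user` can be handed an empty list with no signal — emitting a line for the skipped name via `Escort::Logger.error` would keep that visible. While these lines are being moved, `ssl_version: :TLSv1` pins the client to a protocol version that current servers are likely to reject; leaving it unset lets OpenSSL negotiate the newest mutually supported version. The methods enclosing the update_role and _request hunks start outside the hunks.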
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: pe_rbac
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.3
4
+ version: 0.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Geoff Williams
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2016-11-15 00:00:00.000000000 Z
11
+ date: 2016-11-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler