smart_proxy_vault 0.3.0 → 0.4.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +18 -0
- data/README.md +18 -8
- data/lib/smart_proxy_vault/api.rb +8 -3
- data/lib/smart_proxy_vault/endpoint.rb +2 -1
- data/lib/smart_proxy_vault/helpers.rb +1 -1
- data/lib/smart_proxy_vault/version.rb +1 -1
- data/test/authentication_chef_test.rb +2 -2
- data/test/request_test.rb +96 -12
- data/test/test_helper.rb +5 -4
- metadata +53 -9
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 65273d38422ca44e608f96ae9ae8817d400474ee
|
4
|
+
data.tar.gz: 29a3c9736686f61bea73aea03aa14fb6e142961c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 5e5d49e23187f0e440b7183a4796dccb69bddb27ed2a91a6af1131e03d022bdbd323b2c3ffb3039a10b1ec86e83189b75c5b79fde36d2a4aee85a07d40e264db
|
7
|
+
data.tar.gz: 32d359e5abce0c2e6e7990a36c476e83f9778743afc3d22fea16d38c0b726a618b1a0fed2f303b3482bb6eefe1ec8de129f1682dd08b70cb0caba4240c7063da
|
data/CHANGELOG.md
ADDED
@@ -0,0 +1,18 @@
|
|
1
|
+
# Change Log
|
2
|
+
|
3
|
+
## [v0.4.0](https://github.com/theforeman/smart_proxy_vault/tree/v0.4.0)
|
4
|
+
- Added creating tokens from roles
|
5
|
+
- Fixed days to seconds calculation
|
6
|
+
- Updated Vault gem dependency to 0.7.0
|
7
|
+
|
8
|
+
## [v0.3.0](https://github.com/theforeman/smart_proxy_vault/tree/v0.3.0)
|
9
|
+
- Added token renewal (Closes [\#2](https://github.com/theforeman/smart_proxy_vault/issues/2))
|
10
|
+
- Cleaned up lib/ directory layout & module namespaces
|
11
|
+
- Updated Vault gem dependency to 0.4.0
|
12
|
+
|
13
|
+
## [v0.2.0](https://github.com/theforeman/smart_proxy_vault/tree/v0.2.0)
|
14
|
+
- Released as a gem
|
15
|
+
- Added unit tests
|
16
|
+
- Fixed several assumptions that may have caused issues
|
17
|
+
|
18
|
+
## [v0.1.0](https://github.com/theforeman/smart_proxy_vault/tree/v0.1.0)
|
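Review bot: the v0.4.0 entry "Fixed days to seconds calculation" has no matching test in the request_test.rb hunks on this page: `test_bad_ttl_override` only sends `ttl: '24h'` and the new role test sends `ttl: '12h'`, so a `d`-suffixed TTL (documented in the README as `ttl=X[d,h,m,s]`) is never exercised. Add a request with a day-unit TTL that asserts the body sent to Vault, so the fix this entry records is actually covered.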
data/README.md
CHANGED
@@ -1,13 +1,13 @@
|
|
1
|
-
[![Build Status](https://img.shields.io/travis/
|
1
|
+
[![Build Status](https://img.shields.io/travis/theforeman/smart_proxy_vault/master.svg)](https://travis-ci.org/theforeman/smart_proxy_vault)
|
2
2
|
[![Code Quality](https://img.shields.io/codeclimate/github/visioncritical/smart_proxy_vault.svg)](https://codeclimate.com/github/visioncritical/smart_proxy_vault)
|
3
3
|
[![Code Climate](https://img.shields.io/codeclimate/coverage/github/visioncritical/smart_proxy_vault.svg)](https://codeclimate.com/github/visioncritical/smart_proxy_vault/coverage)
|
4
4
|
[![Gem](https://img.shields.io/gem/v/smart_proxy_vault.svg)](https://rubygems.org/gems/smart_proxy_vault/versions)
|
5
5
|
[![GitHub license](https://img.shields.io/badge/license-GPLv3-blue.svg)](./LICENSE)
|
6
6
|
|
7
7
|
|
8
|
-
# Smart Proxy - Vault Plugin
|
8
|
+
# Smart Proxy - Hashicorp Vault Plugin
|
9
9
|
|
10
|
-
A Smart Proxy plugin will return a Vault token after authenticating a client.
|
10
|
+
A Smart Proxy plugin that will return a Vault token after authenticating a client.
|
11
11
|
|
12
12
|
## Design
|
13
13
|
|
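Review bot: the new heading writes the vendor name as "Hashicorp"; the company spells it "HashiCorp", so the line should read `# Smart Proxy - HashiCorp Vault Plugin`.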
@@ -19,7 +19,7 @@ If you're unable to use one of the above to authenticate your clients, you can a
|
|
19
19
|
|
20
20
|
## Installation
|
21
21
|
|
22
|
-
Add this line to your Smart Proxy bundler.d/vault.rb gemfile:
|
22
|
+
Add this line to your Smart Proxy's `bundler.d/vault.rb` gemfile:
|
23
23
|
|
24
24
|
```ruby
|
25
25
|
gem 'smart_proxy_vault'
|
@@ -58,7 +58,7 @@ Example:
|
|
58
58
|
|
59
59
|
#####:enabled:
|
60
60
|
|
61
|
-
Toggles whether or not this plugin is enabled
|
61
|
+
Toggles whether or not this plugin is enabled.
|
62
62
|
|
63
63
|
#####:auth_backend:
|
64
64
|
|
@@ -123,7 +123,9 @@ A hash of settings that are used to configure a connection to the Chef server (u
|
|
123
123
|
|
124
124
|
## Usage
|
125
125
|
|
126
|
-
To configure this plugin you can use template from [settings.d/vault.yml.example](settings.d/vault.yml.example). You must place the vault.yml config file in your Smart Proxy's `config/settings.d/` directory.
|
126
|
+
To configure this plugin you can use template from [settings.d/vault.yml.example](settings.d/vault.yml.example). You must place the `vault.yml` config file in your Smart Proxy's `config/settings.d/` directory.
|
127
|
+
|
128
|
+
The token specified in the [`:vault:`](#vault) section must be a role token so that this plugin can renew it indefinitely.
|
127
129
|
|
128
130
|
### Endpoints
|
129
131
|
|
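Review bot: the added sentence about the `:vault:` token being a role token documents a long-lived credential that the proxy renews indefinitely and uses to mint tokens for clients, but says nothing about the policy that token should carry. State the minimum it needs (create tokens, optionally under the configured roles, and renew itself) and recommend granting nothing beyond that, since every token this plugin issues is bounded by it. Also, "you can use template from" in the context line should read "you can use the template from".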
@@ -131,14 +133,22 @@ To configure this plugin you can use template from [settings.d/vault.yml.example
|
|
131
133
|
|
132
134
|
##### Parameters
|
133
135
|
|
134
|
-
`ttl=X[d,h,m,s]`
|
136
|
+
###### `ttl=X[d,h,m,s]`
|
135
137
|
|
136
|
-
Overrides the token TTL specified in the [`:token_options:`](#token_options) section.
|
138
|
+
Overrides the token TTL specified in the [`:token_options:`](#token_options) section. However, this value must be **lower** than the Vault server's `max_lease_ttl` value.
|
137
139
|
|
138
140
|
Example:
|
139
141
|
|
140
142
|
`/vault/token/issue?ttl=60s`
|
141
143
|
|
144
|
+
###### `role=foo`
|
145
|
+
|
146
|
+
A role to assign the token. Tokens issued under roles are able to be renewed indefinitely. This is useful for applications like Consul Template. The role must be created on the Vault server first.
|
147
|
+
|
148
|
+
Example:
|
149
|
+
|
150
|
+
`/vault/token/issue?role=foobar`
|
151
|
+
|
142
152
|
### Caveats
|
143
153
|
|
144
154
|
In order to use this plugin effectively, the Ruby installation on your Smart Proxy server should be version 2.0.0 or higher, and be compiled against a version of OpenSSL that supports TLS (=>1.0.1). I recommend using [RVM](https://rvm.io/) & [Passenger](https://www.phusionpassenger.com) to run your Smart Proxy server.
|
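Review bot: the new `role=foo` parameter is supplied by the client, and the text only says the role must exist on the Vault server; it should also say that which roles a caller can obtain is bounded solely by what the proxy's own token may do under `auth/token/create/<role>` (the path the test fixtures show as `auth/token/create/foorole`), and recommend scoping that policy to the roles intended for clients rather than a wildcard. Because role tokens "are able to be renewed indefinitely", an over-broad policy turns one client authentication into a permanent credential.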
@@ -25,12 +25,16 @@ module VaultPlugin
|
|
25
25
|
@connection.auth_token.create(options).auth.client_token
|
26
26
|
end
|
27
27
|
|
28
|
+
def issue_role_token(role, options)
|
29
|
+
@connection.auth_token.create_with_role(role, options).auth.client_token
|
30
|
+
end
|
31
|
+
|
28
32
|
def lookup_self
|
29
33
|
@connection.auth_token.lookup_self
|
30
34
|
end
|
31
35
|
|
32
36
|
def renew_self
|
33
|
-
@connection.auth_token.renew_self(lookup_self
|
37
|
+
@connection.auth_token.renew_self(lookup_self.data[:creation_ttl])
|
34
38
|
end
|
35
39
|
end
|
36
40
|
|
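Review bot: `issue_role_token(role, options)` passes the caller-supplied `role` straight into `create_with_role`, so the only check on which roles may be requested happens at Vault; consider validating `role` against the roles the plugin is configured to issue before the call, so an unexpected role is rejected as a client error instead of surfacing as a Vault failure. In `renew_self`, `lookup_self.data[:creation_ttl]` adds a second round trip on every renewal and raises `NoMethodError` when `data` is nil; guard that case rather than letting it propagate out of the renewal.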
@@ -49,9 +53,10 @@ module VaultPlugin
|
|
49
53
|
Client.new
|
50
54
|
end
|
51
55
|
|
52
|
-
def issue(ttl)
|
56
|
+
def issue(ttl, role)
|
53
57
|
begin
|
54
|
-
|
58
|
+
opts = options ttl
|
59
|
+
role.nil? ? vault.issue_token(opts) : vault.issue_role_token(role, opts)
|
55
60
|
rescue StandardError => e
|
56
61
|
log_halt 500, 'Failed to generate Vault token ' + e.message
|
57
62
|
end
|
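Review bot: the `rescue StandardError => e` branch returns `'Failed to generate Vault token ' + e.message` to the caller in a 500, which forwards Vault's error text (it can include the Vault address, request path and policy names) to whoever hit the endpoint; log `e.message` server-side and return a fixed message. A 500 is also the wrong status when the failure is caused by the client-supplied `role` (for example one that does not exist), which is a 4xx condition. Minor: there is no separator before `e.message`, so the fixed text and the exception message run together in the log line.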
data/test/request_test.rb
CHANGED
@@ -1,9 +1,10 @@
|
|
1
|
-
|
1
|
+
require_relative './test_helper'
|
2
2
|
require 'smart_proxy_vault'
|
3
3
|
require 'smart_proxy_vault/endpoint'
|
4
4
|
|
5
5
|
class RequestTest < Test::Unit::TestCase
|
6
6
|
include Rack::Test::Methods
|
7
|
+
include VaultPlugin::API
|
7
8
|
|
8
9
|
###
|
9
10
|
# Helper Methods
|
@@ -22,21 +23,92 @@ class RequestTest < Test::Unit::TestCase
|
|
22
23
|
end
|
23
24
|
|
24
25
|
def token
|
25
|
-
{:
|
26
|
-
:
|
27
|
-
:
|
28
|
-
:
|
29
|
-
:
|
30
|
-
:
|
26
|
+
{lease_id: "",
|
27
|
+
renewable: false,
|
28
|
+
lease_duration: 43200,
|
29
|
+
data: nil,
|
30
|
+
warnings: nil,
|
31
|
+
auth: { client_token: "GUID", lease_duration: 43200, renewable: true }}
|
32
|
+
end
|
33
|
+
|
34
|
+
def token_lookup
|
35
|
+
{request_id: "GUID",
|
36
|
+
lease_id: "",
|
37
|
+
renewable: false,
|
38
|
+
lease_duration: 0,
|
39
|
+
data:
|
40
|
+
{accessor: "GUID",
|
41
|
+
creation_time: 1111111111,
|
42
|
+
creation_ttl: 43200,
|
43
|
+
display_name: "token",
|
44
|
+
explicit_max_ttl: 0,
|
45
|
+
id: "GUID",
|
46
|
+
last_renewal_time: 1111111111,
|
47
|
+
meta: nil,
|
48
|
+
num_uses: 0,
|
49
|
+
orphan: false,
|
50
|
+
path: "auth/token/create/foorole",
|
51
|
+
policies: ["default"],
|
52
|
+
renewable: true,
|
53
|
+
role: "foorole",
|
54
|
+
ttl: 84971},
|
55
|
+
wrap_info: nil,
|
56
|
+
warnings: nil,
|
57
|
+
auth: nil}
|
58
|
+
end
|
59
|
+
|
60
|
+
def token_renew
|
61
|
+
{client_token: "GUID",
|
62
|
+
accessor: "GUID",
|
63
|
+
policies: ["default"],
|
64
|
+
metadata: nil,
|
65
|
+
lease_duration: 43200,
|
66
|
+
renewable: true}
|
31
67
|
end
|
32
68
|
|
33
69
|
def stub_response
|
34
70
|
stub_request(:post, "https://vault.example.com/v1/auth/token/create").
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
71
|
+
with(:body => "{\"ttl\":\"12h\"}",
|
72
|
+
:headers => { 'Accept'=>['*/*', 'application/json'],
|
73
|
+
'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
|
74
|
+
'Content-Type'=>'application/json',
|
75
|
+
'User-Agent'=>['Ruby', 'VaultRuby/0.7.3 (+github.com/hashicorp/vault-ruby)'],
|
76
|
+
'X-Vault-Token'=>'GUID'}).
|
77
|
+
to_return(:status => 200, :body => token.to_json, :headers => { 'Content-Type'=>'application/json' })
|
78
|
+
end
|
79
|
+
|
80
|
+
def stub_response_role
|
81
|
+
stub_request(:post, "https://vault.example.com/v1/auth/token/create/foo").
|
82
|
+
with(:body => "{\"ttl\":\"12h\"}",
|
83
|
+
:headers => { 'Accept'=>['*/*', 'application/json'],
|
84
|
+
'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
|
85
|
+
'Content-Type'=>'application/json',
|
86
|
+
'User-Agent'=>['Ruby', 'VaultRuby/0.7.3 (+github.com/hashicorp/vault-ruby)'],
|
87
|
+
'X-Vault-Token'=>'GUID'}).
|
88
|
+
to_return(:status => 200, :body => token.to_json, :headers => { 'Content-Type'=>'application/json' })
|
89
|
+
end
|
90
|
+
|
91
|
+
def stub_response_lookup
|
92
|
+
stub_request(:get, "https://vault.example.com/v1/auth/token/lookup-self").
|
93
|
+
with(:headers => { 'Accept'=>['*/*', 'application/json'],
|
94
|
+
'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
|
95
|
+
'Content-Type'=>'application/json',
|
96
|
+
'User-Agent'=>['Ruby',
|
97
|
+
'VaultRuby/0.7.3 (+github.com/hashicorp/vault-ruby)'],
|
98
|
+
'X-Vault-Token'=>'GUID'}).
|
99
|
+
to_return(:status => 200, :body => token_lookup.to_json, :headers => { 'Content-Type'=>'application/json' })
|
100
|
+
end
|
101
|
+
|
102
|
+
def stub_response_renew
|
103
|
+
stub_request(:put, "https://vault.example.com/v1/auth/token/renew-self").
|
104
|
+
with(:body => "{\"increment\":43200}",
|
105
|
+
:headers => { 'Accept'=>['*/*', 'application/json'],
|
106
|
+
'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
|
107
|
+
'Content-Type'=>'application/json',
|
108
|
+
'User-Agent'=>['Ruby',
|
109
|
+
'VaultRuby/0.7.3 (+github.com/hashicorp/vault-ruby)'],
|
110
|
+
'X-Vault-Token'=>'GUID'}).
|
111
|
+
to_return(:status => 200, :body => token_renew.to_json, :headers => { 'Content-Type'=>'application/json' })
|
40
112
|
end
|
41
113
|
|
42
114
|
###
|
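Review bot: all four stubs match the full header set, including `'User-Agent'=>['Ruby', 'VaultRuby/0.7.3 (+github.com/hashicorp/vault-ruby)']`, while the changelog records the Vault gem dependency as 0.7.0 and the metadata hunk shows a `~> 0.7.0` runtime requirement; any patch release of the vault gem makes every stub miss and the suite fail for reasons unrelated to the plugin. Match on method, URL, body and `X-Vault-Token` only. Minor: `stub_response_role` stubs `.../create/foo` while `token_lookup` returns `role: "foorole"` and `path: "auth/token/create/foorole"`; use one role name across the fixtures.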
@@ -66,8 +138,20 @@ class RequestTest < Test::Unit::TestCase
|
|
66
138
|
assert last_response.ok?
|
67
139
|
end
|
68
140
|
|
141
|
+
def test_vault_token_issue_role
|
142
|
+
stub_response_role
|
143
|
+
get '/token/issue', role: 'foo', ttl: '12h'
|
144
|
+
assert last_response.ok?
|
145
|
+
end
|
146
|
+
|
69
147
|
def test_bad_ttl_override
|
70
148
|
get '/token/issue', ttl: '24h'
|
71
149
|
assert last_response.bad_request?
|
72
150
|
end
|
151
|
+
|
152
|
+
def test_token_renewal
|
153
|
+
stub_response_lookup
|
154
|
+
stub_response_renew
|
155
|
+
renew
|
156
|
+
end
|
73
157
|
end
|
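Review bot: `test_token_renewal` calls `renew` and asserts nothing, so it only proves no exception was raised. With WebMock already in place, follow it with `assert_requested :put, "https://vault.example.com/v1/auth/token/renew-self"` so the renewal and the `{"increment":43200}` body the stub expects are verified, and a change to how the increment is derived is caught. `test_vault_token_issue_role` likewise checks only `last_response.ok?`; asserting that the response carries the stubbed `client_token` would also confirm the role path was the one hit.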
data/test/test_helper.rb
CHANGED
@@ -1,14 +1,15 @@
|
|
1
|
-
require
|
2
|
-
|
1
|
+
require 'simplecov'
|
2
|
+
SimpleCov.start
|
3
3
|
|
4
4
|
$: << File.join(File.dirname(__FILE__), '..', 'lib')
|
5
5
|
|
6
6
|
require 'openssl'
|
7
7
|
require 'test/unit'
|
8
|
+
require "test/unit/rr"
|
8
9
|
require 'webmock/test_unit'
|
9
10
|
require 'rack/test'
|
10
|
-
require 'rr'
|
11
11
|
require 'factory_girl'
|
12
|
+
require 'pry'
|
12
13
|
FactoryGirl.find_definitions
|
13
14
|
|
14
15
|
require 'smart_proxy_for_testing'
|
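Review bot: `require 'pry'` loads a debugging console unconditionally from the shared test helper, and none of the development dependencies added in the metadata hunks on this page (test-unit-rr, simplecov, codeclimate-test-reporter, activesupport) declare it, so the suite fails to load wherever pry is not installed. Drop it, or wrap it in a `begin; require 'pry'; rescue LoadError; end` guard.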
@@ -20,4 +21,4 @@ end
|
|
20
21
|
logdir = File.join(File.dirname(__FILE__), '..', 'logs')
|
21
22
|
FileUtils.mkdir_p(logdir) unless File.exists?(logdir)
|
22
23
|
|
23
|
-
WebMock.disable_net_connect!(:allow =>
|
24
|
+
WebMock.disable_net_connect!(:allow => 'codeclimate.com')
|
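Review bot: `WebMock.disable_net_connect!(:allow => 'codeclimate.com')` permits real network egress from the test suite; that is only needed when the coverage reporter runs, so gate it on the CI environment rather than allowing it for every local run. In the context line above, `File.exists?` is the deprecated alias; use `File.exist?`.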
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: smart_proxy_vault
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.4.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Riley
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2016-
|
12
|
+
date: 2016-11-15 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: bundler
|
@@ -67,6 +67,20 @@ dependencies:
|
|
67
67
|
- - "~>"
|
68
68
|
- !ruby/object:Gem::Version
|
69
69
|
version: '2'
|
70
|
+
- !ruby/object:Gem::Dependency
|
71
|
+
name: test-unit-rr
|
72
|
+
requirement: !ruby/object:Gem::Requirement
|
73
|
+
requirements:
|
74
|
+
- - "~>"
|
75
|
+
- !ruby/object:Gem::Version
|
76
|
+
version: '1.0'
|
77
|
+
type: :development
|
78
|
+
prerelease: false
|
79
|
+
version_requirements: !ruby/object:Gem::Requirement
|
80
|
+
requirements:
|
81
|
+
- - "~>"
|
82
|
+
- !ruby/object:Gem::Version
|
83
|
+
version: '1.0'
|
70
84
|
- !ruby/object:Gem::Dependency
|
71
85
|
name: mocha
|
72
86
|
requirement: !ruby/object:Gem::Requirement
|
@@ -124,19 +138,47 @@ dependencies:
|
|
124
138
|
- !ruby/object:Gem::Version
|
125
139
|
version: '4.0'
|
126
140
|
- !ruby/object:Gem::Dependency
|
127
|
-
name:
|
141
|
+
name: simplecov
|
128
142
|
requirement: !ruby/object:Gem::Requirement
|
129
143
|
requirements:
|
130
144
|
- - "~>"
|
131
145
|
- !ruby/object:Gem::Version
|
132
|
-
version: '
|
146
|
+
version: '0.12'
|
133
147
|
type: :development
|
134
148
|
prerelease: false
|
135
149
|
version_requirements: !ruby/object:Gem::Requirement
|
136
150
|
requirements:
|
137
151
|
- - "~>"
|
138
152
|
- !ruby/object:Gem::Version
|
139
|
-
version: '
|
153
|
+
version: '0.12'
|
154
|
+
- !ruby/object:Gem::Dependency
|
155
|
+
name: codeclimate-test-reporter
|
156
|
+
requirement: !ruby/object:Gem::Requirement
|
157
|
+
requirements:
|
158
|
+
- - "~>"
|
159
|
+
- !ruby/object:Gem::Version
|
160
|
+
version: '1.0'
|
161
|
+
type: :development
|
162
|
+
prerelease: false
|
163
|
+
version_requirements: !ruby/object:Gem::Requirement
|
164
|
+
requirements:
|
165
|
+
- - "~>"
|
166
|
+
- !ruby/object:Gem::Version
|
167
|
+
version: '1.0'
|
168
|
+
- !ruby/object:Gem::Dependency
|
169
|
+
name: activesupport
|
170
|
+
requirement: !ruby/object:Gem::Requirement
|
171
|
+
requirements:
|
172
|
+
- - "~>"
|
173
|
+
- !ruby/object:Gem::Version
|
174
|
+
version: '4.0'
|
175
|
+
type: :development
|
176
|
+
prerelease: false
|
177
|
+
version_requirements: !ruby/object:Gem::Requirement
|
178
|
+
requirements:
|
179
|
+
- - "~>"
|
180
|
+
- !ruby/object:Gem::Version
|
181
|
+
version: '4.0'
|
140
182
|
- !ruby/object:Gem::Dependency
|
141
183
|
name: chef-api
|
142
184
|
requirement: !ruby/object:Gem::Requirement
|
@@ -157,14 +199,14 @@ dependencies:
|
|
157
199
|
requirements:
|
158
200
|
- - "~>"
|
159
201
|
- !ruby/object:Gem::Version
|
160
|
-
version: 0.
|
202
|
+
version: 0.7.0
|
161
203
|
type: :runtime
|
162
204
|
prerelease: false
|
163
205
|
version_requirements: !ruby/object:Gem::Requirement
|
164
206
|
requirements:
|
165
207
|
- - "~>"
|
166
208
|
- !ruby/object:Gem::Version
|
167
|
-
version: 0.
|
209
|
+
version: 0.7.0
|
168
210
|
description: Authenticates a client & returns a Vault token
|
169
211
|
email: riley.shott@visioncritical.com
|
170
212
|
executables: []
|
@@ -172,7 +214,9 @@ extensions: []
|
|
172
214
|
extra_rdoc_files:
|
173
215
|
- README.md
|
174
216
|
- LICENSE
|
217
|
+
- CHANGELOG.md
|
175
218
|
files:
|
219
|
+
- CHANGELOG.md
|
176
220
|
- LICENSE
|
177
221
|
- README.md
|
178
222
|
- bundler.d/vault.rb
|
@@ -192,7 +236,7 @@ files:
|
|
192
236
|
- test/fixtures/authentication/chef/fry.pem
|
193
237
|
- test/request_test.rb
|
194
238
|
- test/test_helper.rb
|
195
|
-
homepage: http://github.com/
|
239
|
+
homepage: http://github.com/theforeman/smart_proxy_vault
|
196
240
|
licenses:
|
197
241
|
- GPLv3
|
198
242
|
metadata: {}
|
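Review bot: `homepage: http://github.com/theforeman/smart_proxy_vault` uses plain http; GitHub serves over TLS, so use `https://` here (the CHANGELOG links added in this release already do).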
@@ -212,7 +256,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
212
256
|
version: '0'
|
213
257
|
requirements: []
|
214
258
|
rubyforge_project:
|
215
|
-
rubygems_version: 2.
|
259
|
+
rubygems_version: 2.6.6
|
216
260
|
signing_key:
|
217
261
|
specification_version: 4
|
218
262
|
summary: Authenticates a client & returns a Vault token
|
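Review bot: `signing_key:` is empty here and `cert_chain: []` appears in the earlier metadata hunk, so the released gem is unsigned; consumers have only the SHA1/SHA512 values in checksums.yaml, which attest to download integrity but not to who published the gem. Consider signing the release with a key and certificate so `gem install -P HighSecurity` can verify it.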