smart_proxy_vault 0.3.0 → 0.4.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 3bc99e2ef5775e96638be552f22d34c29d7401df
4
- data.tar.gz: 8e133958ef309ad1bb51c9881811812aa3d7356a
3
+ metadata.gz: 65273d38422ca44e608f96ae9ae8817d400474ee
4
+ data.tar.gz: 29a3c9736686f61bea73aea03aa14fb6e142961c
5
5
  SHA512:
6
- metadata.gz: e8646fd374e184105847592fc1513a61bdc787259d4a68b6303396b947fadaa0c24443b81199f395baee5539a73fde4454a05e5fbcb7ba2c03ff144ddbd200b5
7
- data.tar.gz: 0c0541374147afccfef1e004a8d1c3be016df10420fd7aa235d254fd8e3c73706c345d981ad52e168e55a94e14ea33fdf9a8d519a684d4cfee95e6c8dee14041
6
+ metadata.gz: 5e5d49e23187f0e440b7183a4796dccb69bddb27ed2a91a6af1131e03d022bdbd323b2c3ffb3039a10b1ec86e83189b75c5b79fde36d2a4aee85a07d40e264db
7
+ data.tar.gz: 32d359e5abce0c2e6e7990a36c476e83f9778743afc3d22fea16d38c0b726a618b1a0fed2f303b3482bb6eefe1ec8de129f1682dd08b70cb0caba4240c7063da
data/CHANGELOG.md ADDED
@@ -0,0 +1,18 @@
1
+ # Change Log
2
+
3
+ ## [v0.4.0](https://github.com/theforeman/smart_proxy_vault/tree/v0.4.0)
4
+ - Added creating tokens from roles
5
+ - Fixed days to seconds calculation
6
+ - Updated Vault gem dependency to 0.7.0
7
+
8
+ ## [v0.3.0](https://github.com/theforeman/smart_proxy_vault/tree/v0.3.0)
9
+ - Added token renewal (Closes [\#2](https://github.com/theforeman/smart_proxy_vault/issues/2))
10
+ - Cleaned up lib/ directory layout & module namespaces
11
+ - Updated Vault gem dependency to 0.4.0
12
+
13
+ ## [v0.2.0](https://github.com/theforeman/smart_proxy_vault/tree/v0.2.0)
14
+ - Released as a gem
15
+ - Added unit tests
16
+ - Fixed several assumptions that may have caused issues
17
+
18
+ ## [v0.1.0](https://github.com/theforeman/smart_proxy_vault/tree/v0.1.0)
data/README.md CHANGED
@@ -1,13 +1,13 @@
1
- [![Build Status](https://img.shields.io/travis/visioncritical/smart_proxy_vault/master.svg)](https://travis-ci.org/visioncritical/smart_proxy_vault)
1
+ [![Build Status](https://img.shields.io/travis/theforeman/smart_proxy_vault/master.svg)](https://travis-ci.org/theforeman/smart_proxy_vault)
2
2
  [![Code Quality](https://img.shields.io/codeclimate/github/visioncritical/smart_proxy_vault.svg)](https://codeclimate.com/github/visioncritical/smart_proxy_vault)
3
3
  [![Code Climate](https://img.shields.io/codeclimate/coverage/github/visioncritical/smart_proxy_vault.svg)](https://codeclimate.com/github/visioncritical/smart_proxy_vault/coverage)
4
4
  [![Gem](https://img.shields.io/gem/v/smart_proxy_vault.svg)](https://rubygems.org/gems/smart_proxy_vault/versions)
5
5
  [![GitHub license](https://img.shields.io/badge/license-GPLv3-blue.svg)](./LICENSE)
6
6
 
7
7
 
8
- # Smart Proxy - Vault Plugin
8
+ # Smart Proxy - Hashicorp Vault Plugin
9
9
 
10
- A Smart Proxy plugin will return a Vault token after authenticating a client.
10
+ A Smart Proxy plugin that will return a Vault token after authenticating a client.
11
11
 
12
12
  ## Design
13
13
 
@@ -19,7 +19,7 @@ If you're unable to use one of the above to authenticate your clients, you can a
19
19
 
20
20
  ## Installation
21
21
 
22
- Add this line to your Smart Proxy bundler.d/vault.rb gemfile:
22
+ Add this line to your Smart Proxy's `bundler.d/vault.rb` gemfile:
23
23
 
24
24
  ```ruby
25
25
  gem 'smart_proxy_vault'
@@ -58,7 +58,7 @@ Example:
58
58
 
59
59
  #####:enabled:
60
60
 
61
- Toggles whether or not this plugin is enabled for Smart Proxy.
61
+ Toggles whether or not this plugin is enabled.
62
62
 
63
63
  #####:auth_backend:
64
64
 
@@ -123,7 +123,9 @@ A hash of settings that are used to configure a connection to the Chef server (u
123
123
 
124
124
  ## Usage
125
125
 
126
- To configure this plugin you can use template from [settings.d/vault.yml.example](settings.d/vault.yml.example). You must place the vault.yml config file in your Smart Proxy's `config/settings.d/` directory.
126
+ To configure this plugin you can use template from [settings.d/vault.yml.example](settings.d/vault.yml.example). You must place the `vault.yml` config file in your Smart Proxy's `config/settings.d/` directory.
127
+
128
+ The token specified in the [`:vault:`](#vault) section must be a role token so that this plugin can renew it indefinitely.
127
129
 
128
130
  ### Endpoints
129
131
 
@@ -131,14 +133,22 @@ To configure this plugin you can use template from [settings.d/vault.yml.example
131
133
 
132
134
  ##### Parameters
133
135
 
134
- `ttl=X[d,h,m,s]`
136
+ ###### `ttl=X[d,h,m,s]`
135
137
 
136
- Overrides the token TTL specified in the [`:token_options:`](#token_options) section. This value must be **lower** than the default TTL.
138
+ Overrides the token TTL specified in the [`:token_options:`](#token_options) section. However, this value must be **lower** than the Vault server's `max_lease_ttl` value.
137
139
 
138
140
  Example:
139
141
 
140
142
  `/vault/token/issue?ttl=60s`
141
143
 
144
+ ###### `role=foo`
145
+
146
+ A role to assign the token. Tokens issued under roles are able to be renewed indefinitely. This is useful for applications like Consul Template. The role must be created on the Vault server first.
147
+
148
+ Example:
149
+
150
+ `/vault/token/issue?role=foobar`
151
+
142
152
  ### Caveats
143
153
 
144
154
  In order to use this plugin effectively, the Ruby installation on your Smart Proxy server should be version 2.0.0 or higher, and be compiled against a version of OpenSSL that supports TLS (=>1.0.1). I recommend using [RVM](https://rvm.io/) & [Passenger](https://www.phusionpassenger.com) to run your Smart Proxy server.
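Review bot: the new `role` section names the parameter as `role=foo` in its heading but the example request uses `?role=foobar`; use one value in both so readers do not think the two differ in meaning. The same section should also say that the role name is passed to Vault as part of the token-create path and that the proxy does not restrict which role names a client may request, so operators know to scope that on the Vault side.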
@@ -25,12 +25,16 @@ module VaultPlugin
25
25
  @connection.auth_token.create(options).auth.client_token
26
26
  end
27
27
 
28
+ def issue_role_token(role, options)
29
+ @connection.auth_token.create_with_role(role, options).auth.client_token
30
+ end
31
+
28
32
  def lookup_self
29
33
  @connection.auth_token.lookup_self
30
34
  end
31
35
 
32
36
  def renew_self
33
- @connection.auth_token.renew_self(lookup_self[:data][:creation_ttl])
37
+ @connection.auth_token.renew_self(lookup_self.data[:creation_ttl])
34
38
  end
35
39
  end
36
40
 
@@ -49,9 +53,10 @@ module VaultPlugin
49
53
  Client.new
50
54
  end
51
55
 
52
- def issue(ttl)
56
+ def issue(ttl, role)
53
57
  begin
54
- vault.issue_token options(ttl)
58
+ opts = options ttl
59
+ role.nil? ? vault.issue_token(opts) : vault.issue_role_token(role, opts)
55
60
  rescue StandardError => e
56
61
  log_halt 500, 'Failed to generate Vault token ' + e.message
57
62
  end
@@ -20,7 +20,8 @@ module VaultPlugin
20
20
 
21
21
  get '/token/issue' do
22
22
  ttl = params[:ttl]
23
- issue(ttl) if valid_ttl? ttl
23
+ role = params[:role]
24
+ issue(ttl, role) if valid_ttl? ttl
24
25
  end
25
26
  end
26
27
  end
@@ -19,7 +19,7 @@ module VaultPlugin
19
19
  def to_seconds(string)
20
20
  case string.slice(-1)
21
21
  when 'd'
22
- string.tr('d', '').to_i * 30 * 24
22
+ string.tr('d', '').to_i * 24 * 3600
23
23
  when 'h'
24
24
  string.tr('h', '').to_i * 3600
25
25
  when 'm'
@@ -1,3 +1,3 @@
1
1
  module VaultPlugin
2
- VERSION = '0.3.0'
2
+ VERSION = '0.4.0'
3
3
  end
@@ -1,9 +1,9 @@
1
- require 'test_helper'
1
+ require_relative './test_helper'
2
2
  require 'smart_proxy_vault/authentication/chef'
3
3
 
4
-
5
4
  class AuthenticationChefTest < Test::Unit::TestCase
6
5
  include Rack::Test::Methods
6
+ include Proxy::Pluggable
7
7
 
8
8
  ###
9
9
  # Classes
data/test/request_test.rb CHANGED
@@ -1,9 +1,10 @@
1
- require 'test_helper'
1
+ require_relative './test_helper'
2
2
  require 'smart_proxy_vault'
3
3
  require 'smart_proxy_vault/endpoint'
4
4
 
5
5
  class RequestTest < Test::Unit::TestCase
6
6
  include Rack::Test::Methods
7
+ include VaultPlugin::API
7
8
 
8
9
  ###
9
10
  # Helper Methods
@@ -22,21 +23,92 @@ class RequestTest < Test::Unit::TestCase
22
23
  end
23
24
 
24
25
  def token
25
- {:lease_id => "",
26
- :renewable => false,
27
- :lease_duration => 43200,
28
- :data => nil,
29
- :warnings => nil,
30
- :auth => { :client_token => "GUID", :lease_duration => 43200, :renewable => true }}
26
+ {lease_id: "",
27
+ renewable: false,
28
+ lease_duration: 43200,
29
+ data: nil,
30
+ warnings: nil,
31
+ auth: { client_token: "GUID", lease_duration: 43200, renewable: true }}
32
+ end
33
+
34
+ def token_lookup
35
+ {request_id: "GUID",
36
+ lease_id: "",
37
+ renewable: false,
38
+ lease_duration: 0,
39
+ data:
40
+ {accessor: "GUID",
41
+ creation_time: 1111111111,
42
+ creation_ttl: 43200,
43
+ display_name: "token",
44
+ explicit_max_ttl: 0,
45
+ id: "GUID",
46
+ last_renewal_time: 1111111111,
47
+ meta: nil,
48
+ num_uses: 0,
49
+ orphan: false,
50
+ path: "auth/token/create/foorole",
51
+ policies: ["default"],
52
+ renewable: true,
53
+ role: "foorole",
54
+ ttl: 84971},
55
+ wrap_info: nil,
56
+ warnings: nil,
57
+ auth: nil}
58
+ end
59
+
60
+ def token_renew
61
+ {client_token: "GUID",
62
+ accessor: "GUID",
63
+ policies: ["default"],
64
+ metadata: nil,
65
+ lease_duration: 43200,
66
+ renewable: true}
31
67
  end
32
68
 
33
69
  def stub_response
34
70
  stub_request(:post, "https://vault.example.com/v1/auth/token/create").
35
- with(:body => "{\"ttl\":\"12h\"}",
36
- :headers => { 'Accept'=>['*/*', 'application/json'], 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
37
- 'Content-Type'=>'application/json', 'User-Agent'=>['Ruby', 'VaultRuby/0.4.0 (+github.com/hashicorp/vault-ruby)'],
38
- 'X-Vault-Token'=>'GUID' }).
39
- to_return(:status => 200, :body => token.to_json, :headers => { 'Content-Type'=>'application/json' })
71
+ with(:body => "{\"ttl\":\"12h\"}",
72
+ :headers => { 'Accept'=>['*/*', 'application/json'],
73
+ 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
74
+ 'Content-Type'=>'application/json',
75
+ 'User-Agent'=>['Ruby', 'VaultRuby/0.7.3 (+github.com/hashicorp/vault-ruby)'],
76
+ 'X-Vault-Token'=>'GUID'}).
77
+ to_return(:status => 200, :body => token.to_json, :headers => { 'Content-Type'=>'application/json' })
78
+ end
79
+
80
+ def stub_response_role
81
+ stub_request(:post, "https://vault.example.com/v1/auth/token/create/foo").
82
+ with(:body => "{\"ttl\":\"12h\"}",
83
+ :headers => { 'Accept'=>['*/*', 'application/json'],
84
+ 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
85
+ 'Content-Type'=>'application/json',
86
+ 'User-Agent'=>['Ruby', 'VaultRuby/0.7.3 (+github.com/hashicorp/vault-ruby)'],
87
+ 'X-Vault-Token'=>'GUID'}).
88
+ to_return(:status => 200, :body => token.to_json, :headers => { 'Content-Type'=>'application/json' })
89
+ end
90
+
91
+ def stub_response_lookup
92
+ stub_request(:get, "https://vault.example.com/v1/auth/token/lookup-self").
93
+ with(:headers => { 'Accept'=>['*/*', 'application/json'],
94
+ 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
95
+ 'Content-Type'=>'application/json',
96
+ 'User-Agent'=>['Ruby',
97
+ 'VaultRuby/0.7.3 (+github.com/hashicorp/vault-ruby)'],
98
+ 'X-Vault-Token'=>'GUID'}).
99
+ to_return(:status => 200, :body => token_lookup.to_json, :headers => { 'Content-Type'=>'application/json' })
100
+ end
101
+
102
+ def stub_response_renew
103
+ stub_request(:put, "https://vault.example.com/v1/auth/token/renew-self").
104
+ with(:body => "{\"increment\":43200}",
105
+ :headers => { 'Accept'=>['*/*', 'application/json'],
106
+ 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
107
+ 'Content-Type'=>'application/json',
108
+ 'User-Agent'=>['Ruby',
109
+ 'VaultRuby/0.7.3 (+github.com/hashicorp/vault-ruby)'],
110
+ 'X-Vault-Token'=>'GUID'}).
111
+ to_return(:status => 200, :body => token_renew.to_json, :headers => { 'Content-Type'=>'application/json' })
40
112
  end
41
113
 
42
114
  ###
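Review bot: every new stub matches on `'User-Agent'=>['Ruby', 'VaultRuby/0.7.3 (+github.com/hashicorp/vault-ruby)']`, but the gemspec only requires `~> 0.7.0`, so the suite will start failing on the next vault-ruby patch release without any change in this repository; drop the User-Agent header from the `with(...)` matchers (or match it with a regex) and keep the `X-Vault-Token` and body matches, which are what the tests actually care about.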
@@ -66,8 +138,20 @@ class RequestTest < Test::Unit::TestCase
66
138
  assert last_response.ok?
67
139
  end
68
140
 
141
+ def test_vault_token_issue_role
142
+ stub_response_role
143
+ get '/token/issue', role: 'foo', ttl: '12h'
144
+ assert last_response.ok?
145
+ end
146
+
69
147
  def test_bad_ttl_override
70
148
  get '/token/issue', ttl: '24h'
71
149
  assert last_response.bad_request?
72
150
  end
151
+
152
+ def test_token_renewal
153
+ stub_response_lookup
154
+ stub_response_renew
155
+ renew
156
+ end
73
157
  end
data/test/test_helper.rb CHANGED
@@ -1,14 +1,15 @@
1
- require "codeclimate-test-reporter"
2
- CodeClimate::TestReporter.start
1
+ require 'simplecov'
2
+ SimpleCov.start
3
3
 
4
4
  $: << File.join(File.dirname(__FILE__), '..', 'lib')
5
5
 
6
6
  require 'openssl'
7
7
  require 'test/unit'
8
+ require "test/unit/rr"
8
9
  require 'webmock/test_unit'
9
10
  require 'rack/test'
10
- require 'rr'
11
11
  require 'factory_girl'
12
+ require 'pry'
12
13
  FactoryGirl.find_definitions
13
14
 
14
15
  require 'smart_proxy_for_testing'
@@ -20,4 +21,4 @@ end
20
21
  logdir = File.join(File.dirname(__FILE__), '..', 'logs')
21
22
  FileUtils.mkdir_p(logdir) unless File.exists?(logdir)
22
23
 
23
- WebMock.disable_net_connect!(:allow => "codeclimate.com")
24
+ WebMock.disable_net_connect!(:allow => 'codeclimate.com')
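Review bot: the only change in this hunk is the quote style of `'codeclimate.com'`; while touching it, the adjacent `File.exists?` is deprecated in favour of `File.exist?`, and `FileUtils.mkdir_p` is already idempotent, so the guard can be dropped entirely.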
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: smart_proxy_vault
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.0
4
+ version: 0.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Riley
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2016-05-16 00:00:00.000000000 Z
12
+ date: 2016-11-15 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: bundler
@@ -67,6 +67,20 @@ dependencies:
67
67
  - - "~>"
68
68
  - !ruby/object:Gem::Version
69
69
  version: '2'
70
+ - !ruby/object:Gem::Dependency
71
+ name: test-unit-rr
72
+ requirement: !ruby/object:Gem::Requirement
73
+ requirements:
74
+ - - "~>"
75
+ - !ruby/object:Gem::Version
76
+ version: '1.0'
77
+ type: :development
78
+ prerelease: false
79
+ version_requirements: !ruby/object:Gem::Requirement
80
+ requirements:
81
+ - - "~>"
82
+ - !ruby/object:Gem::Version
83
+ version: '1.0'
70
84
  - !ruby/object:Gem::Dependency
71
85
  name: mocha
72
86
  requirement: !ruby/object:Gem::Requirement
@@ -124,19 +138,47 @@ dependencies:
124
138
  - !ruby/object:Gem::Version
125
139
  version: '4.0'
126
140
  - !ruby/object:Gem::Dependency
127
- name: rr
141
+ name: simplecov
128
142
  requirement: !ruby/object:Gem::Requirement
129
143
  requirements:
130
144
  - - "~>"
131
145
  - !ruby/object:Gem::Version
132
- version: '1.1'
146
+ version: '0.12'
133
147
  type: :development
134
148
  prerelease: false
135
149
  version_requirements: !ruby/object:Gem::Requirement
136
150
  requirements:
137
151
  - - "~>"
138
152
  - !ruby/object:Gem::Version
139
- version: '1.1'
153
+ version: '0.12'
154
+ - !ruby/object:Gem::Dependency
155
+ name: codeclimate-test-reporter
156
+ requirement: !ruby/object:Gem::Requirement
157
+ requirements:
158
+ - - "~>"
159
+ - !ruby/object:Gem::Version
160
+ version: '1.0'
161
+ type: :development
162
+ prerelease: false
163
+ version_requirements: !ruby/object:Gem::Requirement
164
+ requirements:
165
+ - - "~>"
166
+ - !ruby/object:Gem::Version
167
+ version: '1.0'
168
+ - !ruby/object:Gem::Dependency
169
+ name: activesupport
170
+ requirement: !ruby/object:Gem::Requirement
171
+ requirements:
172
+ - - "~>"
173
+ - !ruby/object:Gem::Version
174
+ version: '4.0'
175
+ type: :development
176
+ prerelease: false
177
+ version_requirements: !ruby/object:Gem::Requirement
178
+ requirements:
179
+ - - "~>"
180
+ - !ruby/object:Gem::Version
181
+ version: '4.0'
140
182
  - !ruby/object:Gem::Dependency
141
183
  name: chef-api
142
184
  requirement: !ruby/object:Gem::Requirement
@@ -157,14 +199,14 @@ dependencies:
157
199
  requirements:
158
200
  - - "~>"
159
201
  - !ruby/object:Gem::Version
160
- version: 0.4.0
202
+ version: 0.7.0
161
203
  type: :runtime
162
204
  prerelease: false
163
205
  version_requirements: !ruby/object:Gem::Requirement
164
206
  requirements:
165
207
  - - "~>"
166
208
  - !ruby/object:Gem::Version
167
- version: 0.4.0
209
+ version: 0.7.0
168
210
  description: Authenticates a client & returns a Vault token
169
211
  email: riley.shott@visioncritical.com
170
212
  executables: []
@@ -172,7 +214,9 @@ extensions: []
172
214
  extra_rdoc_files:
173
215
  - README.md
174
216
  - LICENSE
217
+ - CHANGELOG.md
175
218
  files:
219
+ - CHANGELOG.md
176
220
  - LICENSE
177
221
  - README.md
178
222
  - bundler.d/vault.rb
@@ -192,7 +236,7 @@ files:
192
236
  - test/fixtures/authentication/chef/fry.pem
193
237
  - test/request_test.rb
194
238
  - test/test_helper.rb
195
- homepage: http://github.com/visioncritical/smart_proxy_vault
239
+ homepage: http://github.com/theforeman/smart_proxy_vault
196
240
  licenses:
197
241
  - GPLv3
198
242
  metadata: {}
@@ -212,7 +256,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
212
256
  version: '0'
213
257
  requirements: []
214
258
  rubyforge_project:
215
- rubygems_version: 2.4.6
259
+ rubygems_version: 2.6.6
216
260
  signing_key:
217
261
  specification_version: 4
218
262
  summary: Authenticates a client & returns a Vault token