vault-provision 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 77e526d32e962aec4cfdafc7f667c1767211bcae
+  data.tar.gz: 1b6ca464da212e641f8b47119f30203bcb45663d
+SHA512:
+  metadata.gz: 0b2c5748e7d17721c40954677ae908dbe2f292db74c6e1ec5ede155efb90ece8db460412afea558e11583dd89477777b3c95d314d51cb97e68477683f5b6f950
+  data.tar.gz: e1c9aa9abc26e3a20a110bd5074f8d5231d4cb03e528051d34a7fbf0459d642d7dd24d3b6188df9590111a6a2d8bede0279bb61ad3395e3e01cc9e706bc81bf2

data/.gitignore

@@ -0,0 +1,12 @@
+.bundle
+.DS_Store
+vendor/bundle
+default.pem
+*.swo
+resources_dump.json
+hosts.txt
+out
+coverage
+todo
+*.gem
+vendor/ruby

data/Gemfile

@@ -0,0 +1,10 @@
+source 'https://rubygems.org'
+
+gemspec
+
+gem 'rake',       '~>12.0'
+gem 'rspec',      '~>3.5.0'
+gem 'rspec-core', '~>3.5.4'
+
+gem 'activesupport', '~>5.0.2'
+gem 'vault',         '~>0.9.0'

data/Gemfile.lock

@@ -0,0 +1,50 @@
+PATH
+  remote: .
+  specs:
+    vault-provision (0.0.0)
+      vault (~> 0.9.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (5.0.2)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (~> 0.7)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    concurrent-ruby (1.0.5)
+    diff-lcs (1.3)
+    i18n (0.8.1)
+    minitest (5.10.1)
+    rake (12.0.0)
+    rspec (3.5.0)
+      rspec-core (~> 3.5.0)
+      rspec-expectations (~> 3.5.0)
+      rspec-mocks (~> 3.5.0)
+    rspec-core (3.5.4)
+      rspec-support (~> 3.5.0)
+    rspec-expectations (3.5.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.5.0)
+    rspec-mocks (3.5.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.5.0)
+    rspec-support (3.5.0)
+    thread_safe (0.3.6)
+    tzinfo (1.2.3)
+      thread_safe (~> 0.1)
+    vault (0.9.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activesupport (~> 5.0.2)
+  rake (~> 12.0)
+  rspec (~> 3.5.0)
+  rspec-core (~> 3.5.4)
+  vault (~> 0.9.0)
+  vault-provision!
+
+BUNDLED WITH
+   1.14.6

data/README.md

@@ -0,0 +1,4 @@
+This repo is trying to be a ruby implementation of what's described here:
+
+https://www.hashicorp.com/blog/codifying-vault-policies-and-configuration/
+https://github.com/hashicorp/vault-provision-example

data/Rakefile

@@ -0,0 +1,12 @@
+require 'bundler/setup'
+require 'rspec'
+
+begin
+  require 'rspec/core/rake_task'
+  RSpec::Core::RakeTask.new :spec
+rescue LoadError => e
+  puts "load error: #{e.message}"
+end
+
+task :default => :spec
+task :test    => :spec

data/VERSION

@@ -0,0 +1 @@
+0.1.0

data/examples/basic/auth/ldap/config.json

@@ -0,0 +1,13 @@
+{
+  "binddn": "",
+  "bindpass": "",
+  "certificate": "",
+  "discoverdn": false,
+  "groupdn": "ou=groups,dc=example,dc=com",
+  "insecure_tls": false,
+  "starttls": false,
+  "upndomain": "",
+  "url": "ldaps://ldap.example.com",
+  "userattr": "uid",
+  "userdn": "ou=people,dc=example,dc=com"
+}

data/examples/basic/auth/ldap/groups/admin.json

@@ -0,0 +1,3 @@
+{
+  "policies": "default,security_admin"
+}

data/examples/basic/auth/ldap/groups/operators.json

@@ -0,0 +1,3 @@
+{
+  "policies": "default,master_of_secrets"
+}

data/examples/basic/pki-intermediate/config/crl.json

@@ -0,0 +1,3 @@
+{
+  "expiry": "72h"
+}

data/examples/basic/pki-intermediate/config/urls.json

@@ -0,0 +1,4 @@
+{
+  "crl_distribution_points": "https://cdn.example.com/intermediate.crl",
+  "issuing_certificates": "https://cdn.example.com/intermediate.crt"
+}

data/examples/basic/pki-intermediate/intermediate/generate/internal.json

@@ -0,0 +1,7 @@
+{
+  "common_name": "some_intermediate_ca",
+  "exclude_cn_from_sans": true,
+  "ttl": "26280h",
+  "key_type": "rsa",
+  "key_bits": 2048
+}

data/examples/basic/pki-intermediate/roles/dvcert.json

@@ -0,0 +1,19 @@
+{
+  "allow_any_name": false,
+  "allow_bare_domains": true,
+  "allow_ip_sans": true,
+  "allow_localhost": true,
+  "allow_subdomains": true,
+  "allow_token_displayname": false,
+  "allowed_domains": "example.com,example.net,vault.example.com",
+  "client_flag": true,
+  "code_signing_flag": false,
+  "email_protection_flag": false,
+  "enforce_hostnames": true,
+  "key_bits": 4096,
+  "key_type": "rsa",
+  "max_ttl": "4380h0m0s",
+  "server_flag": true,
+  "ttl": "4380h0m0s",
+  "use_csr_common_name": true
+}

data/examples/basic/pki-intermediate/roles/unlimited.json

@@ -0,0 +1,18 @@
+{
+  "allow_any_name": true,
+  "allow_bare_domains": true,
+  "allow_base_domain": true,
+  "allow_ip_sans": true,
+  "allow_localhost": true,
+  "allow_subdomains": true,
+  "client_flag": true,
+  "code_signing_flag": false,
+  "email_protection_flag": false,
+  "enforce_hostnames": false,
+  "key_bits": 4096,
+  "key_type": "rsa",
+  "max_ttl": "4380h0m0s",
+  "server_flag": true,
+  "ttl": "4380h0m0s",
+  "use_csr_common_name": true
+}

data/examples/basic/pki-root/config/crl.json

@@ -0,0 +1,3 @@
+{
+  "expiry": "72h"
+}

data/examples/basic/pki-root/config/urls.json

@@ -0,0 +1,4 @@
+{
+  "crl_distribution_points": "https://cdn.example.com/root.crl",
+  "issuing_certificates": "https://cdn.example.com/root.crt"
+}

data/examples/basic/pki-root/roles/unlimited.json

@@ -0,0 +1,18 @@
+{
+  "allow_any_name": true,
+  "allow_bare_domains": true,
+  "allow_base_domain": true,
+  "allow_ip_sans": true,
+  "allow_localhost": true,
+  "allow_subdomains": true,
+  "client_flag": true,
+  "code_signing_flag": false,
+  "email_protection_flag": false,
+  "enforce_hostnames": false,
+  "key_bits": 4096,
+  "key_type": "rsa",
+  "max_ttl": "4380h0m0s",
+  "server_flag": true,
+  "ttl": "4380h0m0s",
+  "use_csr_common_name": true
+}

data/examples/basic/pki-root/root/generate/internal.json

@@ -0,0 +1,7 @@
+{
+  "common_name": "some_root_ca",
+  "exclude_cn_from_sans": true,
+  "ttl": "87600h",
+  "key_type": "rsa",
+  "key_bits": 2048
+}

data/examples/basic/sys/auth.json

@@ -0,0 +1,10 @@
+{
+  "ldap/": {
+    "description": "",
+    "type": "ldap"
+  },
+  "token/": {
+    "description": "token based credentials",
+    "type": "token"
+  }
+}

data/examples/basic/sys/auth/ldap.json

@@ -0,0 +1,4 @@
+{
+  "description": "",
+  "type": "ldap"
+}

data/examples/basic/sys/auth/token.json

@@ -0,0 +1,4 @@
+{
+  "description": "token based credentials",
+  "type": "token"
+}

data/examples/basic/sys/mounts/cubbyhole.json

@@ -0,0 +1,8 @@
+{
+  "config": {
+    "default_lease_ttl": 0,
+    "max_lease_ttl": 0
+  },
+  "description": "per-token private secret storage",
+  "type": "cubbyhole"
+}

data/examples/basic/sys/mounts/pki-intermediate.json

@@ -0,0 +1,8 @@
+{
+  "config": {
+    "default_lease_ttl": 0,
+    "max_lease_ttl": 315360000
+  },
+  "description": "",
+  "type": "pki"
+}

data/examples/basic/sys/mounts/pki-intermediate/tune.json

@@ -0,0 +1,3 @@
+{
+  "max_lease_ttl": 315360000
+}

data/examples/basic/sys/mounts/pki-root.json

@@ -0,0 +1,8 @@
+{
+  "config": {
+    "default_lease_ttl": 0,
+    "max_lease_ttl": 315360000
+  },
+  "description": "",
+  "type": "pki"
+}

data/examples/basic/sys/mounts/pki-root/tune.json

@@ -0,0 +1,3 @@
+{
+  "max_lease_ttl": 315360000
+}

data/examples/basic/sys/mounts/secret.json

@@ -0,0 +1,8 @@
+{
+  "config": {
+    "default_lease_ttl": 0,
+    "max_lease_ttl": 0
+  },
+  "description": "generic secret storage",
+  "type": "generic"
+}

data/examples/basic/sys/mounts/squirrel.json

@@ -0,0 +1,8 @@
+{
+  "config": {
+    "default_lease_ttl": 0,
+    "max_lease_ttl": 0
+  },
+  "description": "https://youtu.be/-S_F9U9gNEQ",
+  "type": "generic"
+}

data/examples/basic/sys/mounts/sys.json

@@ -0,0 +1,8 @@
+{
+  "config": {
+    "default_lease_ttl": 0,
+    "max_lease_ttl": 0
+  },
+  "description": "system endpoints used for control, policy and debugging",
+  "type": "system"
+}

data/examples/basic/sys/policy/default.hcl

@@ -0,0 +1,21 @@
+
+path "auth/token/lookup-self" {
+    capabilities = ["read"]
+}
+
+path "auth/token/renew-self" {
+    capabilities = ["update"]
+}
+
+path "auth/token/revoke-self" {
+    capabilities = ["update"]
+}
+
+path "cubbyhole/*" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "cubbyhole" {
+    capabilities = ["list"]
+}
+

data/examples/basic/sys/policy/master_of_secrets.json

@@ -0,0 +1,21 @@
+{
+  "path": [
+    {
+      "secret/*": {
+        "capabilities": [
+          "create",
+          "read",
+          "update",
+          "delete",
+          "list"
+        ]
+      },
+      "sys/auth/*": {
+        "capabilities": [
+          "read",
+          "list"
+        ]
+      }
+    }
+  ]
+}

data/examples/basic/sys/policy/pki-intermediates.json

@@ -0,0 +1,21 @@
+{
+  "path": [
+    {
+      "pki-intermediate/issue/dvcert": {
+        "capabilities": [
+          "create",
+          "read",
+          "update",
+          "delete",
+          "list"
+        ]
+      },
+      "sys/*": {
+        "capabilities": [
+          "read",
+          "list"
+        ]
+      }
+    }
+  ]
+}

data/examples/basic/sys/policy/response-wrapping.hcl

@@ -0,0 +1,5 @@
+
+path "cubbyhole/response" {
+    capabilities = ["create", "read"]
+}
+

data/lib/vault/provision.rb

@@ -0,0 +1,52 @@
+require 'vault'
+require 'active_support/inflector'
+
+class Vault::Provision; end
+require 'vault/provision/prototype'
+
+require 'vault/provision/auth'
+require 'vault/provision/sys'
+require 'vault/provision/pki'
+require 'vault/provision/generic'
+
+# controller for the children
+class Vault::Provision
+  SYSTEM_POLICIES = ['response-wrapping', 'root'].freeze
+
+  attr_accessor :vault, :instance_dir, :intermediate_issuer
+
+  def initialize instance_dir,
+                 address: ENV['VAULT_ADDR'],
+                 token: ENV['VAULT_TOKEN'],
+                 intermediate_issuer: {},
+                 pki_force: false
+
+    @instance_dir = instance_dir
+    @vault = Vault::Client.new address: address, token: token
+    @intermediate_issuer = intermediate_issuer
+    @pki_force = pki_force
+    @handlers = [
+      Sys::Auth,
+      Auth::Ldap::Config,
+      Sys::Mounts,
+      Pki::Root::Generate::Internal,
+      Pki::Intermediate::Generate::Internal,
+      Pki::Config::Urls,
+      Pki::Roles,
+      Generic,
+      Sys::Policy,
+      #Auth::Ldap::Groups,
+    ]
+  end
+
+  def provision!
+    @handlers.each do |handler|
+      puts "* Calling handler #{handler}"
+      handler.new(self).provision!
+    end
+  end
+
+  def pki_force?
+    @pki_force
+  end
+end

data/lib/vault/provision/auth.rb

@@ -0,0 +1,4 @@
+# let there be authentication backends!
+class Vault::Provision::Auth; end
+
+require 'vault/provision/auth/ldap'

data/lib/vault/provision/auth/ldap.rb

@@ -0,0 +1,5 @@
+# placeholder
+class Vault::Provision::Auth::Ldap; end
+
+require 'vault/provision/auth/ldap/config'
+require 'vault/provision/auth/ldap/groups'

data/lib/vault/provision/auth/ldap/config.rb

@@ -0,0 +1,43 @@
+# config LDAP authn
+class Vault::Provision::Auth::Ldap::Config < Vault::Provision::Prototype
+  def ap_file auth_point
+    "#{@instance_dir}/auth/#{auth_point}/config.json"
+  end
+
+  def repo_files
+    return @repo_files if @repo_files
+    #puts "*** calling repo_files"
+
+    auths = @vault.sys.auths
+
+    aps = auths.keys.select do |auth_point|
+      next unless auths[auth_point].type == 'ldap'
+      #puts "**** got auth mount #{auth_point}"
+      next unless FileTest.file? ap_file(auth_point)
+
+      repo_config  = JSON.parse(File.read(ap_file(auth_point)))
+      vault_config = begin
+                       @vault.get("auth/#{auth_point}config")['data']
+                     rescue Vault::HTTPClientError => e
+                       #puts "**** new #{auth_point} config"
+                       raise e unless e.code == 404
+                       {}
+                     end
+
+      # for each key in the repo JSON file's hash, compare to current
+      # vault state. If they're identical, go on to the next mount point.
+      !repo_config.keys.inject(true) { |acc,elem| acc && vault_config[elem] == repo_config[elem]}
+    end
+    #puts "**** aps is #{aps}"
+    map_out = aps.map { |auth_point| ap_file(auth_point) }
+    #puts "**** returning map_out of #{map_out}"
+    @repo_files = map_out
+  end
+
+  def provision!
+    repo_files.each do |rf|
+      auth_point = rf.split('/')[-2]
+      @vault.post "v1/auth/#{auth_point}/config", File.read(rf)
+    end
+  end
+end

data/lib/vault/provision/auth/ldap/groups.rb

@@ -0,0 +1,3 @@
+# placeholder
+class Vault::Provision::Auth::Ldap::Groups < Vault::Provision::Prototype
+end

data/lib/vault/provision/generic.rb

@@ -0,0 +1,8 @@
+# Generic secret (k/v pairs) backend provisioning
+class Vault::Provision::Generic < Vault::Provision::Prototype
+  # the generic secret API doesn't have anything to configure!
+  # https://www.vaultproject.io/api/secret/generic/index.html
+  def provision!
+    true
+  end
+end

data/lib/vault/provision/pki.rb

@@ -0,0 +1,23 @@
+# PKI/CA backend provisioning
+module Vault::Provision::Pki
+  # placeholder
+  class Root; end
+  # placeholder
+  class Intermediate; end
+
+  def generated? path
+    @vault.get "#{path}/ca/pem"
+    true
+  rescue Vault::HTTPClientError
+    false
+  end
+
+  def ca_type path
+    path.match(/pki-intermediate/) && true
+  end
+end
+
+require 'vault/provision/pki/root'
+require 'vault/provision/pki/intermediate'
+require 'vault/provision/pki/config'
+require 'vault/provision/pki/roles'

data/lib/vault/provision/pki/config.rb

@@ -0,0 +1,4 @@
+# config crl & distribution points for CAs
+class Vault::Provision::Pki::Config; end
+
+require 'vault/provision/pki/config/urls'

data/lib/vault/provision/pki/config/crl.json

@@ -0,0 +1,24 @@
+# config crl & distribution points for CAs
+class Vault::Provision::Pki::Config::Urls < Vault::Provision::Prototype
+  include Vault::Provision::Pki
+
+  def provision!
+    paths = @vault.sys.mounts.select { |_,a| a.type == 'pki' } .keys
+
+    paths.each do |path|
+      r_crl_file  = "#{@instance_dir}/#{path}/config/crl.json"
+      r_urls_file = "#{@instance_dir}/#{path}/config/urls.json"
+
+      r_crl  = JSON.dump(File.read(r_crl_file))
+      r_urls = JSON.dump(File.read(r_urls_file))
+
+      v_crl = @vault.get("#{path}config/crl")['data']
+      same = r_crl.keys.inject(true) {|acc,elem| acc && r_crl[elem] == v_crl[elem] }
+      @vault.post("#{path}config/crl", r_crl) unless same
+
+      v_urls = @vault.get("#{path}config/urls")['data']
+      same = r_urls.keys.inject(true) {|acc,elem| acc && r_urls[elem] == v_urls[elem] }
+      @vault.post("#{path}config/urls", r_urls) unless same
+    end
+  end
+end

data/lib/vault/provision/pki/config/urls.rb

@@ -0,0 +1,24 @@
+# config crl & distribution points for CAs
+class Vault::Provision::Pki::Config::Urls < Vault::Provision::Prototype
+  include Vault::Provision::Pki
+
+  def urls_file mount_point
+    "#{@instance_dir}/#{mount_point}/config/urls.json"
+  end
+
+  def repo_files
+    mounts = @vault.sys.mounts
+    pki_mounts = mounts.keys.select do |mp|
+      mounts[mp].type == 'pki' && FileTest.file?(urls_file(mp))
+    end
+    pki_mounts.map { |mp| urls_file(mp) }
+  end
+
+  def provision!
+    repo_files.each do |rf|
+      mount_point = rf.split('/')[-3]
+      #puts "**** mount #{mount_point} rf => #{rf}"
+      @vault.post "v1/#{mount_point}/config/urls", File.read(rf)
+    end
+  end
+end

data/lib/vault/provision/pki/intermediate.rb

@@ -0,0 +1,4 @@
+# placeholder
+class Vault::Provision::Pki::Intermediate; end
+
+require 'vault/provision/pki/intermediate/generate'

data/lib/vault/provision/pki/intermediate/generate.rb

@@ -0,0 +1,5 @@
+# placeholder
+class Vault::Provision::Pki::Intermediate::Generate; end
+
+require 'vault/provision/pki/intermediate/generate/internal'
+require 'vault/provision/pki/intermediate/generate/exported'

data/lib/vault/provision/pki/intermediate/generate/exported.rb

@@ -0,0 +1,2 @@
+# placeholder
+class Vault::Provision::Pki::Intermediate::Generate::Exported; end

data/lib/vault/provision/pki/intermediate/generate/internal.rb

@@ -0,0 +1,43 @@
+# create the CA
+class Vault::Provision::Pki::Intermediate::Generate::Internal < Vault::Provision::Prototype
+  include Vault::Provision::Pki
+
+  def gen_file mount_point
+    "#{@instance_dir}/#{mount_point}/intermediate/generate/internal.json"
+  end
+
+  def repo_files
+    mounts = @vault.sys.mounts
+    generators = mounts.keys.select do |mp|
+      mounts[mp].type == 'pki' && FileTest.file?(gen_file(mp))
+    end
+    generators.map { |mp| gen_file(mp) }
+  end
+
+  def provision!
+    repo_files.each do |rf|
+      mount_point = rf.split('/')[-4]
+      next if generated? mount_point
+      resp = @vault.post "v1/#{mount_point}/intermediate/generate/internal",
+                         File.read(rf)
+      sign_intermediate_csr(mount_point, resp[:data][:csr])
+    end
+  end
+
+  def sign_intermediate_csr mount_point, csr
+    return if @intermediate_issuer.empty?
+    root = @intermediate_issuer[mount_point.to_sym]
+    return if root.nil?
+
+    req = JSON.parse(File.read(gen_file(mount_point)))
+    resp = @vault.post "v1/#{root}/root/sign-intermediate",
+                       JSON.dump(csr:                  csr,
+                                 common_name:          req['common_name'],
+                                 ttl:                  req['ttl'],
+                                 max_path_length:      0,
+                                 exclude_cn_from_sans: true)
+
+    @vault.post "v1/#{mount_point}/intermediate/set-signed",
+                JSON.dump(certificate: resp[:data][:certificate])
+  end
+end

data/lib/vault/provision/pki/roles.rb

@@ -0,0 +1,25 @@
+# templates for certs
+class Vault::Provision::Pki::Roles < Vault::Provision::Prototype
+  include Vault::Provision::Pki
+
+  def repo_files
+    mounts = @vault.sys.mounts
+    pki_mounts = mounts.keys.select { |mp| mounts[mp].type == 'pki' }
+    roles = []
+    pki_mounts.each do |mp|
+      Find.find("#{@instance_dir}/#{mp}/roles/").each do |rf|
+        next unless rf.end_with? '.json'
+        roles << rf
+      end
+    end
+    roles
+  end
+
+  def provision!
+    repo_files.each do |rf|
+      mount_point = rf.split('/')[-3]
+      role_name = File.basename(rf, '.json')
+      @vault.post "v1/#{mount_point}/roles/#{role_name}", File.read(rf)
+    end
+  end
+end

data/lib/vault/provision/pki/root.rb

@@ -0,0 +1,4 @@
+# placeholder
+class Vault::Provision::Pki::Root; end
+
+require 'vault/provision/pki/root/generate'

data/lib/vault/provision/pki/root/generate.rb

@@ -0,0 +1,5 @@
+# placeholder
+class Vault::Provision::Pki::Root::Generate; end
+
+require 'vault/provision/pki/root/generate/internal'
+require 'vault/provision/pki/root/generate/exported'

data/lib/vault/provision/pki/root/generate/exported.rb

@@ -0,0 +1,2 @@
+# placeholder
+class Vault::Provision::Pki::Root::Generate::Exported; end

data/lib/vault/provision/pki/root/generate/internal.rb

@@ -0,0 +1,24 @@
+# create the CA
+class Vault::Provision::Pki::Root::Generate::Internal < Vault::Provision::Prototype
+  include Vault::Provision::Pki
+
+  def gen_file mount_point
+    "#{@instance_dir}/#{mount_point}/root/generate/internal.json"
+  end
+
+  def repo_files
+    mounts = @vault.sys.mounts
+    generators = mounts.keys.select do |mp|
+      mounts[mp].type == 'pki' && FileTest.file?(gen_file(mp))
+    end
+    generators.map { |mp| gen_file(mp) }
+  end
+
+  def provision!
+    repo_files.each do |rf|
+      mount_point = rf.split('/')[-4]
+      next if generated? mount_point
+      @vault.post "v1/#{mount_point}/root/generate/internal", File.read(rf)
+    end
+  end
+end

data/lib/vault/provision/prototype.rb

@@ -0,0 +1,25 @@
+# prototype for the individual hierarchy paths
+class Vault::Provision::Prototype
+  def initialize boss
+    @vault = boss.vault
+    @instance_dir = boss.instance_dir
+    @intermediate_issuer = boss.intermediate_issuer
+  end
+
+  def repo_prefix
+    ActiveSupport::Inflector.underscore(self.class.to_s)
+                            .split('/')[2..-1].join('/')
+  end
+
+  def repo_path
+    "#{@instance_dir}/#{repo_prefix}"
+  end
+
+  def repo_files
+    Find.find(repo_path).select { |rf| rf.end_with?('.json') }
+  end
+
+  def provision!
+    puts "#{self.class} says: Go climb a tree!"
+  end
+end

data/lib/vault/provision/sys.rb

@@ -0,0 +1,49 @@
+require 'find'
+
+# systems backend provisioning
+class Vault::Provision::Sys; end
+require 'vault/provision/sys/auth'
+require 'vault/provision/sys/policy'
+
+# secret mounts
+class Vault::Provision::Sys::Mounts < Vault::Provision::Prototype
+  SYSTEM_MOUNTS = [
+    'token',
+    'cubbyhole',
+    'sys',
+    'secret'
+  ].freeze
+
+  def provision!
+    mounts = @vault.sys.mounts
+
+    repo_path = "#{@instance_dir}/sys/mounts"
+    change = []
+    Find.find(repo_path).each do |rf|
+      next unless rf.end_with?('.json')
+      next if rf.end_with?('/tune.json')
+
+      rf_base = File.basename rf, '.json'
+      next if SYSTEM_MOUNTS.include? rf_base
+      # puts "** processing mount #{rf_base}"
+
+      path = rf[(repo_path.length + 1)..-6].to_sym
+      r_conf = JSON.parse(File.read(rf))
+      rcc = r_conf['config'] || {}
+
+      unless mounts[path]
+        @vault.sys.mount(path.to_s, r_conf['type'], r_conf['description'])
+        @vault.sys.mount_tune(path.to_s, rcc)
+        change << @vault.sys.mounts[path]
+        next
+      end
+
+      vmc = mounts[path].config || {}
+      next if rcc.keys.inject(true) { |acc, elem| acc && (vmc[elem.to_sym] == rcc[elem]) }
+
+      @vault.sys.mount_tune(path.to_s, rcc)
+      change << @vault.sys.mounts[path]
+    end
+    change
+  end
+end

data/lib/vault/provision/sys/auth.rb

@@ -0,0 +1,22 @@
+# helps to enable authentication
+class Vault::Provision::Sys::Auth < Vault::Provision::Prototype
+  def provision!
+    #puts "files: #{repo_files}"
+    auths = @vault.sys.auths
+
+    change = []
+    repo_files.each do |rf|
+      path = rf[(repo_path.length + 1)..-6].to_sym
+      r_conf = JSON.parse(File.read(rf))
+      # puts "** found #{path}"
+
+      next if auths[path]
+      # puts "** processing #{path}"
+      @vault.sys.enable_auth(path.to_s,
+                             r_conf['type'], r_conf['description'])
+      change << @vault.sys.auths[path]
+    end
+
+    change
+  end
+end

data/lib/vault/provision/sys/policy.rb

@@ -0,0 +1,18 @@
+# for rubocop, this comment is a matter of policy
+class Vault::Provision::Sys::Policy < Vault::Provision::Prototype
+  def repo_files
+    Find.find(repo_path).select { |rf| rf.end_with?('.json', '.hcl') }
+  end
+
+  def provision!
+    repo_files.each do |rf|
+      policy_name = if rf.end_with? '.json'
+                      File.basename(rf, '.json')
+                    elsif rf.end_with? '.hcl'
+                      File.basename(rf, '.hcl')
+                    end
+      next if Vault::Provision::SYSTEM_POLICIES.include? policy_name
+      @vault.sys.put_policy(policy_name, File.read(rf))
+    end
+  end
+end

data/lib/vault_provision.rb

@@ -0,0 +1 @@
+require 'vault/provision'

data/spec/spec_helper.rb

@@ -0,0 +1,46 @@
+GEM_DIR=File.expand_path(File.dirname(__FILE__) + '/../').freeze
+$: << "#{GEM_DIR}/lib"
+
+require 'vault_provision'
+require 'open3'
+
+DEV_VAULT_TOKEN                = 'kittens'.freeze
+DEV_VAULT_ADDR                 = 'http://127.0.0.1:8200'.freeze
+EXAMPLE_DIR                    = "#{GEM_DIR}/examples/basic".freeze
+
+ENV['VAULT_DEV_ROOT_TOKEN_ID'] = DEV_VAULT_TOKEN
+ENV['VAULT_TOKEN']             = DEV_VAULT_TOKEN
+ENV['VAULT_ADDR']              = DEV_VAULT_ADDR
+
+Vault.configure do |config|
+  config.address = DEV_VAULT_ADDR
+  config.token = DEV_VAULT_TOKEN
+end
+
+def vault_server
+  stdin, stdout, stderr, server = Open3.popen3('vault server -dev')
+  cleanup = lambda do |_|
+    stdin.close
+    stdout.close
+    stderr.close
+    Process.kill :INT, server.pid
+  end
+  [:INT, :EXIT].each { |sig| trap(sig, cleanup) }
+  puts "server is #{server.pid}"
+  sleep(1) # woo race condition! wait for server to start up
+  server
+end
+
+def client
+  @client ||= Vault::Client.new
+end
+
+RSpec.configure do |config|
+  config.tty = true
+  config.raise_errors_for_deprecations!
+end
+
+@server = vault_server
+signatories = {'pki-intermediate': 'pki-root'}
+
+Vault::Provision.new(EXAMPLE_DIR, intermediate_issuer: signatories).provision!

data/spec/vault_provision_spec.rb

@@ -0,0 +1,59 @@
+require 'spec_helper'
+
+describe Vault::Provision do
+  it "has a cubbyhole" do
+    expect(client.sys.mounts[:cubbyhole].description).to \
+      include 'per-token private secret storage'
+  end
+
+  it "has an ldap auth" do
+    expect(client.sys.auths[:ldap].type).to be == 'ldap'
+  end
+
+  it "has a token auth" do
+    expect(client.sys.auths[:token].type).to be == 'token'
+  end
+
+  it "has an ldap config" do
+    config_data = client.get('v1/auth/ldap/config')[:data]
+    expect(config_data[:url]).to be == 'ldaps://ldap.example.com'
+  end
+
+  it "has a pki-root mount" do
+    expect(client.sys.mounts.keys).to include :'pki-root'
+  end
+
+  it "has a CA" do
+    expect(client.get('v1/pki-root/ca/pem')).to be
+  end
+
+  it "has pki-root config urls" do
+    expect(client.get('v1/pki-root/config/urls')[:data][:crl_distribution_points].to_s).to include 'https://cdn.example.com'
+  end
+
+  it "has pki-intermediate config urls" do
+    expect(client.get('v1/pki-intermediate/config/urls')[:data][:issuing_certificates].to_s).to include 'https://cdn.example.com'
+  end
+
+  it "has pki-intermediate ca" do
+    expect(client.get('v1/pki-intermediate/ca/pem')).to be
+  end
+
+  it "has a dvcert role for intermediate" do
+    expect(client.get('v1/pki-intermediate/roles/dvcert')[:data][:allowed_domains]).to include "vault.example.com"
+    expect(client.get('v1/pki-intermediate/roles/dvcert')[:data][:allow_any_name]).to be_falsey
+  end
+
+  it "has an unlimited role for root" do
+    expect(client.get('v1/pki-root/roles/unlimited')[:data][:allow_any_name]).to be_truthy
+  end
+
+  it "has a master_of_secrets policy" do
+    expect(client.sys.policy('master_of_secrets').rules).to include '"sys/auth/*"'
+    expect(client.sys.policy('master_of_secrets').rules).to include '"secret/*"'
+  end
+
+  it "has a secret squirrel" do
+    expect(client.sys.mounts[:squirrel].type).to be == 'generic'
+  end
+end

data/vault-provision.gemspec

@@ -0,0 +1,16 @@
+require 'find'
+
+Gem::Specification.new do |s|
+  s.name = 'vault-provision'
+  s.version = File.read("VERSION").chomp
+  s.summary = 'Provisioning utility for HashiCorp\'s Vault'
+  s.description = ''
+  s.authors = ["Tom Maher"]
+  s.email = "tmaher@pw0n.me"
+  s.license = "Apache-2.0"
+  s.files = `git ls-files`.split("\n")
+  s.homepage = 'https://github.com/tmaher/vault-provision'
+  s.add_dependency 'vault', '~>0.9.0'
+  s.add_development_dependency "rake", '~>12'
+  s.add_development_dependency "rspec", '~>3'
+end

metadata

@@ -0,0 +1,156 @@
+--- !ruby/object:Gem::Specification
+name: vault-provision
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Tom Maher
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-03-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: vault
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+description: ''
+email: tmaher@pw0n.me
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- VERSION
+- examples/basic/auth/.keep
+- examples/basic/auth/ldap/.keep
+- examples/basic/auth/ldap/config.json
+- examples/basic/auth/ldap/groups/admin.json
+- examples/basic/auth/ldap/groups/operators.json
+- examples/basic/auth/token/.keep
+- examples/basic/pki-intermediate/config/.keep
+- examples/basic/pki-intermediate/config/crl.json
+- examples/basic/pki-intermediate/config/urls.json
+- examples/basic/pki-intermediate/intermediate/generate/internal.json
+- examples/basic/pki-intermediate/roles/.keep
+- examples/basic/pki-intermediate/roles/dvcert.json
+- examples/basic/pki-intermediate/roles/unlimited.json
+- examples/basic/pki-root/config/.keep
+- examples/basic/pki-root/config/crl.json
+- examples/basic/pki-root/config/urls.json
+- examples/basic/pki-root/roles/.keep
+- examples/basic/pki-root/roles/unlimited.json
+- examples/basic/pki-root/root/generate/internal.json
+- examples/basic/sys/auth.json
+- examples/basic/sys/auth/.keep
+- examples/basic/sys/auth/ldap.json
+- examples/basic/sys/auth/token.json
+- examples/basic/sys/mounts/.keep
+- examples/basic/sys/mounts/cubbyhole.json
+- examples/basic/sys/mounts/pki-intermediate.json
+- examples/basic/sys/mounts/pki-intermediate/tune.json
+- examples/basic/sys/mounts/pki-root.json
+- examples/basic/sys/mounts/pki-root/tune.json
+- examples/basic/sys/mounts/secret.json
+- examples/basic/sys/mounts/squirrel.json
+- examples/basic/sys/mounts/sys.json
+- examples/basic/sys/policy/.keep
+- examples/basic/sys/policy/default.hcl
+- examples/basic/sys/policy/master_of_secrets.json
+- examples/basic/sys/policy/pki-intermediates.json
+- examples/basic/sys/policy/response-wrapping.hcl
+- examples/basic/sys/policy/root.json
+- lib/vault/provision.rb
+- lib/vault/provision/auth.rb
+- lib/vault/provision/auth/ldap.rb
+- lib/vault/provision/auth/ldap/config.rb
+- lib/vault/provision/auth/ldap/groups.rb
+- lib/vault/provision/generic.rb
+- lib/vault/provision/pki.rb
+- lib/vault/provision/pki/config.rb
+- lib/vault/provision/pki/config/crl.json
+- lib/vault/provision/pki/config/urls.rb
+- lib/vault/provision/pki/intermediate.rb
+- lib/vault/provision/pki/intermediate/generate.rb
+- lib/vault/provision/pki/intermediate/generate/exported.rb
+- lib/vault/provision/pki/intermediate/generate/internal.rb
+- lib/vault/provision/pki/roles.rb
+- lib/vault/provision/pki/root.rb
+- lib/vault/provision/pki/root/generate.rb
+- lib/vault/provision/pki/root/generate/exported.rb
+- lib/vault/provision/pki/root/generate/internal.rb
+- lib/vault/provision/prototype.rb
+- lib/vault/provision/sys.rb
+- lib/vault/provision/sys/auth.rb
+- lib/vault/provision/sys/policy.rb
+- lib/vault_provision.rb
+- spec/spec_helper.rb
+- spec/vault_provision_spec.rb
+- vault-provision.gemspec
+homepage: https://github.com/tmaher/vault-provision
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: Provisioning utility for HashiCorp's Vault
+test_files: []