vault-provision 0.1.0 → 0.1.1

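--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 77e526d32e962aec4cfdafc7f667c1767211bcae
- data.tar.gz: 1b6ca464da212e641f8b47119f30203bcb45663d
+ metadata.gz: 79f872c69434db5cf504adcd6efeea369c1bff7c
+ data.tar.gz: eabe325c9cff5d09bbc2ad8b58a364aa4d948d0d
  SHA512:
- metadata.gz: 0b2c5748e7d17721c40954677ae908dbe2f292db74c6e1ec5ede155efb90ece8db460412afea558e11583dd89477777b3c95d314d51cb97e68477683f5b6f950
- data.tar.gz: e1c9aa9abc26e3a20a110bd5074f8d5231d4cb03e528051d34a7fbf0459d642d7dd24d3b6188df9590111a6a2d8bede0279bb61ad3395e3e01cc9e706bc81bf2
+ metadata.gz: 624e211242329581f89cad36cdf018f70d5f5244366f25e81ca1df8d05463e91374edc532e14890d935dfdec8219392f388198360d52c94ce7db376d6fe02389
+ data.tar.gz: 7aba52e8656f2a035c2871ca19e6d08b03a7c4d6c1ed8b962ef19bf26cfd3fda3640f9b94a117ce947f07454befbf0f6ea7fbbf3f957c5879239994360b3af48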
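--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
  PATH
  remote: .
  specs:
- vault-provision (0.0.0)
+ vault-provision (0.1.0)
  vault (~> 0.9.0)
 
  GEM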
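--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 0.1.0
+ 0.1.1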
@@ -6,20 +6,16 @@ class Vault::Provision::Auth::Ldap::Config < Vault::Provision::Prototype
6
6
 
7
7
  def repo_files
8
8
  return @repo_files if @repo_files
9
- #puts "*** calling repo_files"
10
-
11
9
  auths = @vault.sys.auths
12
10
 
13
11
  aps = auths.keys.select do |auth_point|
14
12
  next unless auths[auth_point].type == 'ldap'
15
- #puts "**** got auth mount #{auth_point}"
16
13
  next unless FileTest.file? ap_file(auth_point)
17
14
 
18
15
  repo_config = JSON.parse(File.read(ap_file(auth_point)))
19
16
  vault_config = begin
20
17
  @vault.get("auth/#{auth_point}config")['data']
21
18
  rescue Vault::HTTPClientError => e
22
- #puts "**** new #{auth_point} config"
23
19
  raise e unless e.code == 404
24
20
  {}
25
21
  end
@@ -28,9 +24,7 @@ class Vault::Provision::Auth::Ldap::Config < Vault::Provision::Prototype
28
24
  # vault state. If they're identical, go on to the next mount point.
29
25
  !repo_config.keys.inject(true) { |acc,elem| acc && vault_config[elem] == repo_config[elem]}
30
26
  end
31
- #puts "**** aps is #{aps}"
32
27
  map_out = aps.map { |auth_point| ap_file(auth_point) }
33
- #puts "**** returning map_out of #{map_out}"
34
28
  @repo_files = map_out
35
29
  end
36
30
 
@@ -17,7 +17,6 @@ class Vault::Provision::Pki::Config::Urls < Vault::Provision::Prototype
17
17
  def provision!
18
18
  repo_files.each do |rf|
19
19
  mount_point = rf.split('/')[-3]
20
- #puts "**** mount #{mount_point} rf => #{rf}"
21
20
  @vault.post "v1/#{mount_point}/config/urls", File.read(rf)
22
21
  end
23
22
  end
@@ -18,6 +18,7 @@ class Vault::Provision::Pki::Intermediate::Generate::Internal < Vault::Provision
18
18
  repo_files.each do |rf|
19
19
  mount_point = rf.split('/')[-4]
20
20
  next if generated? mount_point
21
+ next unless @pki_allow_destructive
21
22
  resp = @vault.post "v1/#{mount_point}/intermediate/generate/internal",
22
23
  File.read(rf)
23
24
  sign_intermediate_csr(mount_point, resp[:data][:csr])
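Review bot: The added `next unless @pki_allow_destructive` skips CA generation without leaving any trace, so a run with the flag at its default leaves the mount without a CA and the operator gets no signal that provisioning was incomplete; the identical guard in the Root::Generate::Internal hunk has the same gap. A one-line notice ahead of the guard makes the skip visible: `warn "#{mount_point}: no CA present, skipping generation (pki_allow_destructive is false)" unless @pki_allow_destructive`. Placing the guard after `generated?` is the right order, since the read-only check still runs and only the write is gated. The enclosing `provision!` method starts and ends outside the hunk.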
@@ -26,11 +27,11 @@ class Vault::Provision::Pki::Intermediate::Generate::Internal < Vault::Provision
26
27
 
27
28
  def sign_intermediate_csr mount_point, csr
28
29
  return if @intermediate_issuer.empty?
29
- root = @intermediate_issuer[mount_point.to_sym]
30
- return if root.nil?
30
+ root_mount = @intermediate_issuer[mount_point.to_sym]
31
+ return if root_mount.nil?
31
32
 
32
33
  req = JSON.parse(File.read(gen_file(mount_point)))
33
- resp = @vault.post "v1/#{root}/root/sign-intermediate",
34
+ resp = @vault.post "v1/#{root_mount}/root/sign-intermediate",
34
35
  JSON.dump(csr: csr,
35
36
  common_name: req['common_name'],
36
37
  ttl: req['ttl'],
@@ -18,6 +18,7 @@ class Vault::Provision::Pki::Root::Generate::Internal < Vault::Provision::Protot
18
18
  repo_files.each do |rf|
19
19
  mount_point = rf.split('/')[-4]
20
20
  next if generated? mount_point
21
+ next unless @pki_allow_destructive
21
22
  @vault.post "v1/#{mount_point}/root/generate/internal", File.read(rf)
22
23
  end
23
24
  end
@@ -6,10 +6,10 @@ module Vault::Provision::Pki
6
6
  class Intermediate; end
7
7
 
8
8
  def generated? path
9
- @vault.get "#{path}/ca/pem"
10
- true
9
+ result = @vault.get "v1/#{path}/ca/pem"
10
+ return true if result =~ /BEGIN CERTIFICATE/
11
11
  rescue Vault::HTTPClientError
12
- false
12
+ return false
13
13
  end
14
14
 
15
15
  def ca_type path
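Review bot: `generated?` now returns nil rather than false when the `/ca/pem` read succeeds but the body carries no certificate, because `return true if result =~ /BEGIN CERTIFICATE/` falls through with no value when the match fails; callers in this diff only test truthiness, but a predicate should yield a boolean. Replacing the two new lines with `result = @vault.get "v1/#{path}/ca/pem"` and `result.to_s.include?('BEGIN CERTIFICATE')` does that, and `to_s` keeps the check from raising if the client hands back something other than a String (what `@vault.get` returns is not visible in the hunk); the rescue branch then needs only `false`. Rescuing just `Vault::HTTPClientError` is the right scope: a server-side or transport failure still propagates instead of being read as "no CA yet", which matters because that reading is what unlocks the generate call in the PKI handlers.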
@@ -4,6 +4,7 @@ class Vault::Provision::Prototype
4
4
  @vault = boss.vault
5
5
  @instance_dir = boss.instance_dir
6
6
  @intermediate_issuer = boss.intermediate_issuer
7
+ @pki_allow_destructive = boss.pki_allow_destructive
7
8
  end
8
9
 
9
10
  def repo_prefix
@@ -1,17 +1,14 @@
1
1
  # helps to enable authentication
2
2
  class Vault::Provision::Sys::Auth < Vault::Provision::Prototype
3
3
  def provision!
4
- #puts "files: #{repo_files}"
5
4
  auths = @vault.sys.auths
6
5
 
7
6
  change = []
8
7
  repo_files.each do |rf|
9
8
  path = rf[(repo_path.length + 1)..-6].to_sym
10
9
  r_conf = JSON.parse(File.read(rf))
11
- # puts "** found #{path}"
12
10
 
13
11
  next if auths[path]
14
- # puts "** processing #{path}"
15
12
  @vault.sys.enable_auth(path.to_s,
16
13
  r_conf['type'], r_conf['description'])
17
14
  change << @vault.sys.auths[path]
@@ -25,7 +25,6 @@ class Vault::Provision::Sys::Mounts < Vault::Provision::Prototype
25
25
 
26
26
  rf_base = File.basename rf, '.json'
27
27
  next if SYSTEM_MOUNTS.include? rf_base
28
- # puts "** processing mount #{rf_base}"
29
28
 
30
29
  path = rf[(repo_path.length + 1)..-6].to_sym
31
30
  r_conf = JSON.parse(File.read(rf))
@@ -13,18 +13,19 @@ require 'vault/provision/generic'
13
13
  class Vault::Provision
14
14
  SYSTEM_POLICIES = ['response-wrapping', 'root'].freeze
15
15
 
16
- attr_accessor :vault, :instance_dir, :intermediate_issuer
16
+ attr_accessor :vault, :instance_dir,
17
+ :intermediate_issuer, :pki_allow_destructive
17
18
 
18
19
  def initialize instance_dir,
19
20
  address: ENV['VAULT_ADDR'],
20
21
  token: ENV['VAULT_TOKEN'],
21
22
  intermediate_issuer: {},
22
- pki_force: false
23
+ pki_allow_destructive: false
23
24
 
24
25
  @instance_dir = instance_dir
25
26
  @vault = Vault::Client.new address: address, token: token
26
27
  @intermediate_issuer = intermediate_issuer
27
- @pki_force = pki_force
28
+ @pki_allow_destructive = pki_allow_destructive
28
29
  @handlers = [
29
30
  Sys::Auth,
30
31
  Auth::Ldap::Config,
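Review bot: Renaming the `pki_force:` keyword to `pki_allow_destructive:` in `initialize` turns any existing call that passes `pki_force:` into an ArgumentError for an unknown keyword, while the version only moves from 0.1.0 to 0.1.1, so callers get no signal to expect a break. If the old name had callers, keep it as a deprecated alias — `pki_allow_destructive: false, pki_force: nil` in the signature and `@pki_allow_destructive = pki_allow_destructive || pki_force` in the body; otherwise a minor bump would better reflect the change. The new accessor also deserves a comment stating what the flag gates, e.g. `# pki_allow_destructive: when false, Pki root/intermediate CA generation is skipped for mounts that have no CA yet`. Handlers copy the value from the boss in Prototype#initialize, so assigning the writer after construction may not reach handlers that already exist (where handlers are instantiated is outside this hunk). The `initialize` method continues past the hunk.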
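--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -26,7 +26,7 @@ def vault_server
  Process.kill :INT, server.pid
  end
  [:INT, :EXIT].each { |sig| trap(sig, cleanup) }
- puts "server is #{server.pid}"
+ puts "server is PID #{server.pid}"
  sleep(1) # woo race condition! wait for server to start up
  server
  end
@@ -43,4 +43,6 @@ end
  @server = vault_server
  signatories = {'pki-intermediate': 'pki-root'}
 
- Vault::Provision.new(EXAMPLE_DIR, intermediate_issuer: signatories).provision!
+ Vault::Provision.new(EXAMPLE_DIR,
+ intermediate_issuer: signatories,
+ pki_allow_destructive: true).provision!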
@@ -24,7 +24,7 @@ describe Vault::Provision do
24
24
  end
25
25
 
26
26
  it "has a CA" do
27
- expect(client.get('v1/pki-root/ca/pem')).to be
27
+ expect(client.get('v1/pki-root/ca/pem')).to include "BEGIN CERTIFICATE"
28
28
  end
29
29
 
30
30
  it "has pki-root config urls" do
@@ -36,7 +36,7 @@ describe Vault::Provision do
36
36
  end
37
37
 
38
38
  it "has pki-intermediate ca" do
39
- expect(client.get('v1/pki-intermediate/ca/pem')).to be
39
+ expect(client.get('v1/pki-intermediate/ca/pem')).to include "BEGIN CERTIFICATE"
40
40
  end
41
41
 
42
42
  it "has a dvcert role for intermediate" do
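--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: vault-provision
  version: !ruby/object:Gem::Version
- version: 0.1.0
+ version: 0.1.1
  platform: ruby
  authors:
  - Tom Maher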