vault-provision 0.1.0 → 0.1.1

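--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 77e526d32e962aec4cfdafc7f667c1767211bcae
-data.tar.gz: 1b6ca464da212e641f8b47119f30203bcb45663d
+metadata.gz: 79f872c69434db5cf504adcd6efeea369c1bff7c
+data.tar.gz: eabe325c9cff5d09bbc2ad8b58a364aa4d948d0d
 SHA512:
-metadata.gz: 0b2c5748e7d17721c40954677ae908dbe2f292db74c6e1ec5ede155efb90ece8db460412afea558e11583dd89477777b3c95d314d51cb97e68477683f5b6f950
-data.tar.gz: e1c9aa9abc26e3a20a110bd5074f8d5231d4cb03e528051d34a7fbf0459d642d7dd24d3b6188df9590111a6a2d8bede0279bb61ad3395e3e01cc9e706bc81bf2
+metadata.gz: 624e211242329581f89cad36cdf018f70d5f5244366f25e81ca1df8d05463e91374edc532e14890d935dfdec8219392f388198360d52c94ce7db376d6fe02389
+data.tar.gz: 7aba52e8656f2a035c2871ca19e6d08b03a7c4d6c1ed8b962ef19bf26cfd3fda3640f9b94a117ce947f07454befbf0f6ea7fbbf3f957c5879239994360b3af48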
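--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
-vault-provision (0.0.0)
+vault-provision (0.1.0)
 vault (~> 0.9.0)
 
 GEM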
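--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.1.0
+0.1.1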
@@ -6,20 +6,16 @@ class Vault::Provision::Auth::Ldap::Config < Vault::Provision::Prototype
6
6
 
7
7
  def repo_files
8
8
  return @repo_files if @repo_files
9
- #puts "*** calling repo_files"
10
-
11
9
  auths = @vault.sys.auths
12
10
 
13
11
  aps = auths.keys.select do |auth_point|
14
12
  next unless auths[auth_point].type == 'ldap'
15
- #puts "**** got auth mount #{auth_point}"
16
13
  next unless FileTest.file? ap_file(auth_point)
17
14
 
18
15
  repo_config = JSON.parse(File.read(ap_file(auth_point)))
19
16
  vault_config = begin
20
17
  @vault.get("auth/#{auth_point}config")['data']
21
18
  rescue Vault::HTTPClientError => e
22
- #puts "**** new #{auth_point} config"
23
19
  raise e unless e.code == 404
24
20
  {}
25
21
  end
@@ -28,9 +24,7 @@ class Vault::Provision::Auth::Ldap::Config < Vault::Provision::Prototype
28
24
  # vault state. If they're identical, go on to the next mount point.
29
25
  !repo_config.keys.inject(true) { |acc,elem| acc && vault_config[elem] == repo_config[elem]}
30
26
  end
31
- #puts "**** aps is #{aps}"
32
27
  map_out = aps.map { |auth_point| ap_file(auth_point) }
33
- #puts "**** returning map_out of #{map_out}"
34
28
  @repo_files = map_out
35
29
  end
36
30
 
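Review bot: The change-detection expression on new line 25, `!repo_config.keys.inject(true) { |acc,elem| acc && vault_config[elem] == repo_config[elem]}`, reads more directly as `repo_config.any? { |key, value| vault_config[key] != value }`, which stops at the first differing key and drops the negated fold. It also compares only keys present in the repo file, so any key that Vault does not echo back on a config read (I would expect the LDAP bind password to be one such key — worth confirming against the Vault API) will differ on every run and re-provision that mount each time; a comment stating that the comparison is one-directional would save the next reader that surprise. The two trailing lines `map_out = aps.map { |auth_point| ap_file(auth_point) }` / `@repo_files = map_out` can collapse to `@repo_files = aps.map { |auth_point| ap_file(auth_point) }`. `repo_files` begins in the previous hunk.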
@@ -17,7 +17,6 @@ class Vault::Provision::Pki::Config::Urls < Vault::Provision::Prototype
17
17
  def provision!
18
18
  repo_files.each do |rf|
19
19
  mount_point = rf.split('/')[-3]
20
- #puts "**** mount #{mount_point} rf => #{rf}"
21
20
  @vault.post "v1/#{mount_point}/config/urls", File.read(rf)
22
21
  end
23
22
  end
@@ -18,6 +18,7 @@ class Vault::Provision::Pki::Intermediate::Generate::Internal < Vault::Provision
18
18
  repo_files.each do |rf|
19
19
  mount_point = rf.split('/')[-4]
20
20
  next if generated? mount_point
21
+ next unless @pki_allow_destructive
21
22
  resp = @vault.post "v1/#{mount_point}/intermediate/generate/internal",
22
23
  File.read(rf)
23
24
  sign_intermediate_csr(mount_point, resp[:data][:csr])
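Review bot: The new `next unless @pki_allow_destructive` skips the mount silently, so an operator running with the default `false` gets no indication that an intermediate CA was detected as missing and left ungenerated; the identical guard in the Pki::Root::Generate::Internal hunk below has the same gap. I would log before skipping, e.g. `warn "#{mount_point}: no CA found; skipping generate (pki_allow_destructive is false)"` in both places, so a dry run of the provisioner reports what it would have done. The skip decision also rests entirely on `generated?`, which in this commit reports `false` for every client error rather than only for a missing CA. The enclosing `provision!` method starts before this hunk.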
@@ -26,11 +27,11 @@ class Vault::Provision::Pki::Intermediate::Generate::Internal < Vault::Provision
26
27
 
27
28
  def sign_intermediate_csr mount_point, csr
28
29
  return if @intermediate_issuer.empty?
29
- root = @intermediate_issuer[mount_point.to_sym]
30
- return if root.nil?
30
+ root_mount = @intermediate_issuer[mount_point.to_sym]
31
+ return if root_mount.nil?
31
32
 
32
33
  req = JSON.parse(File.read(gen_file(mount_point)))
33
- resp = @vault.post "v1/#{root}/root/sign-intermediate",
34
+ resp = @vault.post "v1/#{root_mount}/root/sign-intermediate",
34
35
  JSON.dump(csr: csr,
35
36
  common_name: req['common_name'],
36
37
  ttl: req['ttl'],
@@ -18,6 +18,7 @@ class Vault::Provision::Pki::Root::Generate::Internal < Vault::Provision::Protot
18
18
  repo_files.each do |rf|
19
19
  mount_point = rf.split('/')[-4]
20
20
  next if generated? mount_point
21
+ next unless @pki_allow_destructive
21
22
  @vault.post "v1/#{mount_point}/root/generate/internal", File.read(rf)
22
23
  end
23
24
  end
@@ -6,10 +6,10 @@ module Vault::Provision::Pki
6
6
  class Intermediate; end
7
7
 
8
8
  def generated? path
9
- @vault.get "#{path}/ca/pem"
10
- true
9
+ result = @vault.get "v1/#{path}/ca/pem"
10
+ return true if result =~ /BEGIN CERTIFICATE/
11
11
  rescue Vault::HTTPClientError
12
- false
12
+ return false
13
13
  end
14
14
 
15
15
  def ca_type path
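Review bot: `rescue Vault::HTTPClientError` on line 11 turns every 4xx into `false`, so a token lacking read permission on `v1/<path>/ca/pem` (a 403) makes the mount look ungenerated, and with `pki_allow_destructive: true` the Root and Intermediate generate handlers in this same commit would then generate a new CA over the existing one. The Ldap::Config hunk already uses the safer pattern (`raise e unless e.code == 404`); I would apply it here, and also make the success path return a Boolean instead of falling through to `nil` when the body lacks the marker, which `result =~` does today (and `=~` is not defined on a Hash should the client ever hand back parsed JSON). Whether a missing CA surfaces as a 404 or as an empty 2xx body I cannot tell from the page; the rewrite below treats both as "not generated" and re-raises anything else.
```ruby
def generated? path
  result = @vault.get "v1/#{path}/ca/pem"
  result.to_s.match?(/BEGIN CERTIFICATE/)
rescue Vault::HTTPClientError => e
  # Only "no CA here" may read as false; a permission or other client
  # error must not be mistaken for a missing CA, or the caller may regenerate it.
  raise unless e.code == 404
  false
end
```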
@@ -4,6 +4,7 @@ class Vault::Provision::Prototype
4
4
  @vault = boss.vault
5
5
  @instance_dir = boss.instance_dir
6
6
  @intermediate_issuer = boss.intermediate_issuer
7
+ @pki_allow_destructive = boss.pki_allow_destructive
7
8
  end
8
9
 
9
10
  def repo_prefix
@@ -1,17 +1,14 @@
1
1
  # helps to enable authentication
2
2
  class Vault::Provision::Sys::Auth < Vault::Provision::Prototype
3
3
  def provision!
4
- #puts "files: #{repo_files}"
5
4
  auths = @vault.sys.auths
6
5
 
7
6
  change = []
8
7
  repo_files.each do |rf|
9
8
  path = rf[(repo_path.length + 1)..-6].to_sym
10
9
  r_conf = JSON.parse(File.read(rf))
11
- # puts "** found #{path}"
12
10
 
13
11
  next if auths[path]
14
- # puts "** processing #{path}"
15
12
  @vault.sys.enable_auth(path.to_s,
16
13
  r_conf['type'], r_conf['description'])
17
14
  change << @vault.sys.auths[path]
@@ -25,7 +25,6 @@ class Vault::Provision::Sys::Mounts < Vault::Provision::Prototype
25
25
 
26
26
  rf_base = File.basename rf, '.json'
27
27
  next if SYSTEM_MOUNTS.include? rf_base
28
- # puts "** processing mount #{rf_base}"
29
28
 
30
29
  path = rf[(repo_path.length + 1)..-6].to_sym
31
30
  r_conf = JSON.parse(File.read(rf))
@@ -13,18 +13,19 @@ require 'vault/provision/generic'
13
13
  class Vault::Provision
14
14
  SYSTEM_POLICIES = ['response-wrapping', 'root'].freeze
15
15
 
16
- attr_accessor :vault, :instance_dir, :intermediate_issuer
16
+ attr_accessor :vault, :instance_dir,
17
+ :intermediate_issuer, :pki_allow_destructive
17
18
 
18
19
  def initialize instance_dir,
19
20
  address: ENV['VAULT_ADDR'],
20
21
  token: ENV['VAULT_TOKEN'],
21
22
  intermediate_issuer: {},
22
- pki_force: false
23
+ pki_allow_destructive: false
23
24
 
24
25
  @instance_dir = instance_dir
25
26
  @vault = Vault::Client.new address: address, token: token
26
27
  @intermediate_issuer = intermediate_issuer
27
- @pki_force = pki_force
28
+ @pki_allow_destructive = pki_allow_destructive
28
29
  @handlers = [
29
30
  Sys::Auth,
30
31
  Auth::Ldap::Config,
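Review bot: Renaming the `pki_force:` keyword to `pki_allow_destructive:` in `initialize` breaks any 0.1.0 caller that passed `pki_force:` (an unknown keyword raises ArgumentError), yet the release is a patch-level bump to 0.1.1; either keep `pki_force: nil` as a deprecated alias that maps onto the new flag, or bump the minor version. The flag is also undocumented even though it gates CA generation in the Root and Intermediate generate handlers; a YARD line above `initialize` such as `# @param pki_allow_destructive [Boolean] let the PKI handlers generate a root/intermediate CA on a mount that reports none (default: false)` would make the intent clear. Since `attr_accessor` exposes a `pki_allow_destructive=` writer, consider whether the flag should be changeable after construction or only settable via `initialize`. `initialize` continues past the end of this hunk.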
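--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -26,7 +26,7 @@ def vault_server
 Process.kill :INT, server.pid
 end
 [:INT, :EXIT].each { |sig| trap(sig, cleanup) }
-puts "server is #{server.pid}"
+puts "server is PID #{server.pid}"
 sleep(1) # woo race condition! wait for server to start up
 server
 end
@@ -43,4 +43,6 @@ end
 @server = vault_server
 signatories = {'pki-intermediate': 'pki-root'}
 
-Vault::Provision.new(EXAMPLE_DIR, intermediate_issuer: signatories).provision!
+Vault::Provision.new(EXAMPLE_DIR,
+intermediate_issuer: signatories,
+pki_allow_destructive: true).provision!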
@@ -24,7 +24,7 @@ describe Vault::Provision do
24
24
  end
25
25
 
26
26
  it "has a CA" do
27
- expect(client.get('v1/pki-root/ca/pem')).to be
27
+ expect(client.get('v1/pki-root/ca/pem')).to include "BEGIN CERTIFICATE"
28
28
  end
29
29
 
30
30
  it "has pki-root config urls" do
@@ -36,7 +36,7 @@ describe Vault::Provision do
36
36
  end
37
37
 
38
38
  it "has pki-intermediate ca" do
39
- expect(client.get('v1/pki-intermediate/ca/pem')).to be
39
+ expect(client.get('v1/pki-intermediate/ca/pem')).to include "BEGIN CERTIFICATE"
40
40
  end
41
41
 
42
42
  it "has a dvcert role for intermediate" do
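--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: vault-provision
 version: !ruby/object:Gem::Version
-version: 0.1.0
+version: 0.1.1
 platform: ruby
 authors:
 - Tom Maher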