vault-provision 0.1.2 → 0.1.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile +1 -0
- data/Gemfile.lock +6 -1
- data/VERSION +1 -1
- data/examples/basic/auth/approle/role/backends.json +10 -0
- data/examples/basic/auth/approle/role/frontends.json +10 -0
- data/examples/basic/auth/bob_the_dancing_approle_mount/role/death/role-id.json +3 -0
- data/examples/basic/auth/bob_the_dancing_approle_mount/role/death.json +10 -0
- data/examples/basic/auth/bob_the_dancing_approle_mount/role/dream.json +10 -0
- data/examples/basic/sys/auth/approle.json +4 -0
- data/examples/basic/sys/auth/bob_the_dancing_approle_mount.json +4 -0
- data/examples/basic/sys/policy/backends.json +18 -0
- data/examples/basic/sys/policy/frontends.json +12 -0
- data/lib/vault/provision/auth/approle.rb +34 -0
- data/lib/vault/provision/auth/ldap/groups.rb +4 -3
- data/lib/vault/provision/auth.rb +1 -0
- data/lib/vault/provision/prototype.rb +21 -0
- data/lib/vault/provision/sys/auth.rb +2 -0
- data/lib/vault/provision/sys/policy.rb +2 -0
- data/lib/vault/provision.rb +1 -0
- data/spec/vault_provision_spec.rb +26 -0
- data/vault-provision.gemspec +1 -0
- metadata +26 -3
- data/examples/basic/sys/policy/root.json +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 36de8a869cbe29da2205f9aa25365ed0b4e1e652
|
|
4
|
+
data.tar.gz: d4a705e2021cf83b8e2edffd87f1e1e45e0feb1d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5877329f3880ae4b2e7981a9e047f309d4a0ebb0180fe04d1d24f8baede83a591f9e64f13f4989a3a51714fe10be46fe1ea88fd915a8a5b01d258f57558016c4
|
|
7
|
+
data.tar.gz: 01a94754acc3de508811da63380726606193b2d99366393b78ceca38ee5ce929b9fbe54c2cfacadcaa45678f7b99524dae4c4febaafd79bba2c6a0fd5dca7c54
|
data/Gemfile
CHANGED
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,8 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
vault-provision (0.1.
|
|
4
|
+
vault-provision (0.1.4)
|
|
5
|
+
rhcl (~> 0.1.0)
|
|
5
6
|
vault (~> 0.9.0)
|
|
6
7
|
|
|
7
8
|
GEM
|
|
@@ -13,10 +14,13 @@ GEM
|
|
|
13
14
|
minitest (~> 5.1)
|
|
14
15
|
tzinfo (~> 1.1)
|
|
15
16
|
concurrent-ruby (1.0.5)
|
|
17
|
+
deep_merge (1.1.1)
|
|
16
18
|
diff-lcs (1.3)
|
|
17
19
|
i18n (0.8.1)
|
|
18
20
|
minitest (5.10.1)
|
|
19
21
|
rake (12.0.0)
|
|
22
|
+
rhcl (0.1.0)
|
|
23
|
+
deep_merge
|
|
20
24
|
rspec (3.5.0)
|
|
21
25
|
rspec-core (~> 3.5.0)
|
|
22
26
|
rspec-expectations (~> 3.5.0)
|
|
@@ -41,6 +45,7 @@ PLATFORMS
|
|
|
41
45
|
DEPENDENCIES
|
|
42
46
|
activesupport (~> 5.0.2)
|
|
43
47
|
rake (~> 12.0)
|
|
48
|
+
rhcl (~> 0.1.0)
|
|
44
49
|
rspec (~> 3.5.0)
|
|
45
50
|
rspec-core (~> 3.5.4)
|
|
46
51
|
vault (~> 0.9.0)
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.1.
|
|
1
|
+
0.1.4
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
# placeholder
|
|
2
|
+
class Vault::Provision::Auth::Approle < Vault::Provision::Prototype
|
|
3
|
+
def provision!
|
|
4
|
+
repo_files.each do |rf|
|
|
5
|
+
validate_file! rf
|
|
6
|
+
role_name = File.basename(rf, '.json')
|
|
7
|
+
auth_point = rf.split('/')[-3]
|
|
8
|
+
role_path = "auth/#{auth_point}/role/#{role_name}"
|
|
9
|
+
role_id_file = "#{@instance_dir}/#{role_path}/role-id.json"
|
|
10
|
+
|
|
11
|
+
puts " * #{role_path}"
|
|
12
|
+
@vault.post "v1/#{role_path}", File.read(rf)
|
|
13
|
+
next unless FileTest.file? role_id_file
|
|
14
|
+
puts " * #{role_path}/role-id"
|
|
15
|
+
@vault.post "v1/#{role_path}/role-id", File.read(role_id_file)
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
# Vault supports multiple instances of the 'approle' backend mounted
|
|
20
|
+
# concurrently. The map-reducey method repo_files gets the list of
|
|
21
|
+
# approle mounts, calls role_files() once for each of the mounts,
|
|
22
|
+
# then concatenates all those filenames into one big flat array
|
|
23
|
+
def repo_files
|
|
24
|
+
@vault.sys.auths.select { |_,v| v.type == 'approle' }
|
|
25
|
+
.keys
|
|
26
|
+
.inject([]) { |acc, elem| acc + role_files(elem) }
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def role_files auth_point
|
|
30
|
+
Dir.glob("#{@instance_dir}/auth/#{auth_point}/role/*.json").select do |rf|
|
|
31
|
+
FileTest.file?(rf)
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
@@ -6,10 +6,11 @@ class Vault::Provision::Auth::Ldap::Groups < Vault::Provision::Prototype
|
|
|
6
6
|
end
|
|
7
7
|
end
|
|
8
8
|
|
|
9
|
+
# Vault supports multiple instances of the 'ldap' backend mounted
|
|
10
|
+
# concurrently. The map-reducey method repo_files gets the list of
|
|
11
|
+
# ldap mounts, calls group_files() once for each of the mounts,
|
|
12
|
+
# then concatenates all those filenames into one big flat array
|
|
9
13
|
def repo_files
|
|
10
|
-
#auths = @vault.sys.auths
|
|
11
|
-
#auths.keys.select { |ap| auths[ap].type == 'ldap' }
|
|
12
|
-
# .inject([]) { |acc, elem| acc + group_files(elem) }
|
|
13
14
|
@vault.sys.auths.select { |_,v| v.type == 'ldap' }
|
|
14
15
|
.keys
|
|
15
16
|
.inject([]) { |acc, elem| acc + group_files(elem) }
|
data/lib/vault/provision/auth.rb
CHANGED
|
@@ -1,5 +1,9 @@
|
|
|
1
|
+
require 'rhcl'
|
|
2
|
+
|
|
1
3
|
# prototype for the individual hierarchy paths
|
|
2
4
|
class Vault::Provision::Prototype
|
|
5
|
+
class InvalidProvisioningFileError < RuntimeError; end
|
|
6
|
+
|
|
3
7
|
def initialize boss
|
|
4
8
|
@vault = boss.vault
|
|
5
9
|
@instance_dir = boss.instance_dir
|
|
@@ -23,4 +27,21 @@ class Vault::Provision::Prototype
|
|
|
23
27
|
def provision!
|
|
24
28
|
puts "#{self.class} says: Go climb a tree!"
|
|
25
29
|
end
|
|
30
|
+
|
|
31
|
+
def validate_file! path
|
|
32
|
+
file_string = File.read(path)
|
|
33
|
+
begin
|
|
34
|
+
case File.extname(path)
|
|
35
|
+
when '.json'
|
|
36
|
+
JSON.parse file_string
|
|
37
|
+
when '.hcl'
|
|
38
|
+
Rhcl.parse file_string
|
|
39
|
+
else
|
|
40
|
+
raise InvalidProvisioningFileError.new("unknown filetype #{File.extname(path)}")
|
|
41
|
+
end
|
|
42
|
+
true
|
|
43
|
+
rescue Racc::ParseError, JSON::ParserError, InvalidProvisioningFileError => e
|
|
44
|
+
raise InvalidProvisioningFileError.new("Unable to parse file #{path}:\n🐱🐱🐱\n#{file_string}\n🐱🐱🐱\n#{e.class} #{e.message}")
|
|
45
|
+
end
|
|
46
|
+
end
|
|
26
47
|
end
|
|
@@ -5,9 +5,11 @@ class Vault::Provision::Sys::Auth < Vault::Provision::Prototype
|
|
|
5
5
|
|
|
6
6
|
change = []
|
|
7
7
|
repo_files.each do |rf|
|
|
8
|
+
validate_file! rf
|
|
8
9
|
path = rf[(repo_path.length + 1)..-6].to_sym
|
|
9
10
|
r_conf = JSON.parse(File.read(rf))
|
|
10
11
|
|
|
12
|
+
puts " * #{File.basename(rf, '.json')} (#{r_conf['type']})"
|
|
11
13
|
next if auths[path]
|
|
12
14
|
@vault.sys.enable_auth(path.to_s,
|
|
13
15
|
r_conf['type'], r_conf['description'])
|
|
@@ -6,12 +6,14 @@ class Vault::Provision::Sys::Policy < Vault::Provision::Prototype
|
|
|
6
6
|
|
|
7
7
|
def provision!
|
|
8
8
|
repo_files.each do |rf|
|
|
9
|
+
validate_file! rf
|
|
9
10
|
policy_name = if rf.end_with? '.json'
|
|
10
11
|
File.basename(rf, '.json')
|
|
11
12
|
elsif rf.end_with? '.hcl'
|
|
12
13
|
File.basename(rf, '.hcl')
|
|
13
14
|
end
|
|
14
15
|
next if Vault::Provision::SYSTEM_POLICIES.include? policy_name
|
|
16
|
+
puts " * #{File.basename(rf, '.json')}"
|
|
15
17
|
@vault.sys.put_policy(policy_name, File.read(rf))
|
|
16
18
|
end
|
|
17
19
|
end
|
data/lib/vault/provision.rb
CHANGED
|
@@ -68,4 +68,30 @@ describe Vault::Provision do
|
|
|
68
68
|
it "has a secret squirrel" do
|
|
69
69
|
expect(client.sys.mounts[:squirrel].type).to be == 'generic'
|
|
70
70
|
end
|
|
71
|
+
|
|
72
|
+
it "has an approle mount" do
|
|
73
|
+
expect(client.sys.auths[:approle].type).to be == 'approle'
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
it "has approle role for frontends" do
|
|
77
|
+
resp = client.get('v1/auth/approle/role/frontends')
|
|
78
|
+
expect(resp[:data]).to be
|
|
79
|
+
expect(resp[:data][:secret_id_num_uses]).to be == 255
|
|
80
|
+
end
|
|
81
|
+
|
|
82
|
+
it "has an approle mount named bob" do
|
|
83
|
+
expect(client.sys.auths[:bob_the_dancing_approle_mount].type).to be == 'approle'
|
|
84
|
+
end
|
|
85
|
+
|
|
86
|
+
it "bob has dreams too ya know" do
|
|
87
|
+
resp = client.get('v1/auth/bob_the_dancing_approle_mount/role/dream')
|
|
88
|
+
expect(resp[:data]).to be
|
|
89
|
+
expect(resp[:data][:bound_cidr_list]).to be == '10.0.1.0/24'
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
it "in death, a member of project mayhem has a name (or at least a role-id)" do
|
|
93
|
+
resp = client.get('v1/auth/bob_the_dancing_approle_mount/role/death/role-id')
|
|
94
|
+
expect(resp[:data]).to be
|
|
95
|
+
expect(resp[:data][:role_id]).to be == 'robert_paulson'
|
|
96
|
+
end
|
|
71
97
|
end
|
data/vault-provision.gemspec
CHANGED
|
@@ -10,6 +10,7 @@ Gem::Specification.new do |s|
|
|
|
10
10
|
s.license = "Apache-2.0"
|
|
11
11
|
s.files = `git ls-files`.split("\n")
|
|
12
12
|
s.homepage = 'https://github.com/tmaher/vault-provision'
|
|
13
|
+
s.add_dependency 'rhcl', '~>0.1.0'
|
|
13
14
|
s.add_dependency 'vault', '~>0.9.0'
|
|
14
15
|
s.add_development_dependency "rake", '~>12'
|
|
15
16
|
s.add_development_dependency "rspec", '~>3'
|
metadata
CHANGED
|
@@ -1,15 +1,29 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: vault-provision
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tom Maher
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-04-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: rhcl
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - "~>"
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: 0.1.0
|
|
20
|
+
type: :runtime
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - "~>"
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: 0.1.0
|
|
13
27
|
- !ruby/object:Gem::Dependency
|
|
14
28
|
name: vault
|
|
15
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -65,6 +79,11 @@ files:
|
|
|
65
79
|
- Rakefile
|
|
66
80
|
- VERSION
|
|
67
81
|
- examples/basic/auth/.keep
|
|
82
|
+
- examples/basic/auth/approle/role/backends.json
|
|
83
|
+
- examples/basic/auth/approle/role/frontends.json
|
|
84
|
+
- examples/basic/auth/bob_the_dancing_approle_mount/role/death.json
|
|
85
|
+
- examples/basic/auth/bob_the_dancing_approle_mount/role/death/role-id.json
|
|
86
|
+
- examples/basic/auth/bob_the_dancing_approle_mount/role/dream.json
|
|
68
87
|
- examples/basic/auth/ldap/.keep
|
|
69
88
|
- examples/basic/auth/ldap/config.json
|
|
70
89
|
- examples/basic/auth/ldap/groups/admin.json
|
|
@@ -85,6 +104,8 @@ files:
|
|
|
85
104
|
- examples/basic/pki-root/root/generate/internal.json
|
|
86
105
|
- examples/basic/sys/auth.json
|
|
87
106
|
- examples/basic/sys/auth/.keep
|
|
107
|
+
- examples/basic/sys/auth/approle.json
|
|
108
|
+
- examples/basic/sys/auth/bob_the_dancing_approle_mount.json
|
|
88
109
|
- examples/basic/sys/auth/ldap.json
|
|
89
110
|
- examples/basic/sys/auth/token.json
|
|
90
111
|
- examples/basic/sys/mounts/.keep
|
|
@@ -97,13 +118,15 @@ files:
|
|
|
97
118
|
- examples/basic/sys/mounts/squirrel.json
|
|
98
119
|
- examples/basic/sys/mounts/sys.json
|
|
99
120
|
- examples/basic/sys/policy/.keep
|
|
121
|
+
- examples/basic/sys/policy/backends.json
|
|
100
122
|
- examples/basic/sys/policy/default.hcl
|
|
123
|
+
- examples/basic/sys/policy/frontends.json
|
|
101
124
|
- examples/basic/sys/policy/master_of_secrets.json
|
|
102
125
|
- examples/basic/sys/policy/pki-intermediates.json
|
|
103
126
|
- examples/basic/sys/policy/response-wrapping.hcl
|
|
104
|
-
- examples/basic/sys/policy/root.json
|
|
105
127
|
- lib/vault/provision.rb
|
|
106
128
|
- lib/vault/provision/auth.rb
|
|
129
|
+
- lib/vault/provision/auth/approle.rb
|
|
107
130
|
- lib/vault/provision/auth/ldap.rb
|
|
108
131
|
- lib/vault/provision/auth/ldap/config.rb
|
|
109
132
|
- lib/vault/provision/auth/ldap/groups.rb
|
|
File without changes
|