vault-provision 0.1.2 → 0.1.4

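--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 07ea7e20d39900ca94b02dff1b460933ea9e2a7b
-data.tar.gz: 974204a47b957a7532d1750c9248e408ce1baaeb
+metadata.gz: 36de8a869cbe29da2205f9aa25365ed0b4e1e652
+data.tar.gz: d4a705e2021cf83b8e2edffd87f1e1e45e0feb1d
 SHA512:
-metadata.gz: fd1561e9ae836c4e51d0930157b6ebbfdf5fb7210fdfeecfc192d778070e76f782277be085e8e4bfad8814de3ce988f493ca897f3695ae56c3de65ffd225ab31
-data.tar.gz: 19d8c9a168a5c4c9f983fdbccc181c08affffe07ef9170b1dc86a16c7b8df2fe2b9ebbd88359fe47a370055677fef2d4b723ad3a665e08b99b9354014089ba66
+metadata.gz: 5877329f3880ae4b2e7981a9e047f309d4a0ebb0180fe04d1d24f8baede83a591f9e64f13f4989a3a51714fe10be46fe1ea88fd915a8a5b01d258f57558016c4
+data.tar.gz: 01a94754acc3de508811da63380726606193b2d99366393b78ceca38ee5ce929b9fbe54c2cfacadcaa45678f7b99524dae4c4febaafd79bba2c6a0fd5dca7c54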
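--- a/data/Gemfile
+++ b/data/Gemfile
@@ -7,4 +7,5 @@ gem 'rspec', '~>3.5.0'
 gem 'rspec-core', '~>3.5.4'
 
 gem 'activesupport', '~>5.0.2'
+gem 'rhcl', '~>0.1.0'
 gem 'vault', '~>0.9.0'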
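--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,8 @@
 PATH
 remote: .
 specs:
-vault-provision (0.1.1)
+vault-provision (0.1.4)
+rhcl (~> 0.1.0)
 vault (~> 0.9.0)
 
 GEM
@@ -13,10 +14,13 @@ GEM
 minitest (~> 5.1)
 tzinfo (~> 1.1)
 concurrent-ruby (1.0.5)
+deep_merge (1.1.1)
 diff-lcs (1.3)
 i18n (0.8.1)
 minitest (5.10.1)
 rake (12.0.0)
+rhcl (0.1.0)
+deep_merge
 rspec (3.5.0)
 rspec-core (~> 3.5.0)
 rspec-expectations (~> 3.5.0)
@@ -41,6 +45,7 @@ PLATFORMS
 DEPENDENCIES
 activesupport (~> 5.0.2)
 rake (~> 12.0)
+rhcl (~> 0.1.0)
 rspec (~> 3.5.0)
 rspec-core (~> 3.5.4)
 vault (~> 0.9.0)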
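--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.1.2
+0.1.4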
@@ -0,0 +1,10 @@
1
+ {
2
+ "bind_secret_id": true,
3
+ "bound_cidr_list": "1.2.3.4/25,127.0.0.0/16",
4
+ "policies": "default,pki-intermediate,backends",
5
+ "secret_id_num_uses": "25",
6
+ "secret_id_ttl": "6m",
7
+ "token_num_uses": 3,
8
+ "token_ttl": "16m",
9
+ "token_max_ttl": "30m"
10
+ }
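Review bot: `"bound_cidr_list": "1.2.3.4/25,127.0.0.0/16"` has host bits set in its first entry (the /25 block containing 1.2.3.4 is 1.2.3.0/25), and the same value recurs in a later role fixture that sets `"bind_secret_id": false`; whether Vault normalizes or rejects a non-canonical CIDR depends on its parser, so the examples should use the network address and not rely on that. The numeric fields are also inconsistently typed in this and the following role files — `"secret_id_num_uses": "25"` and `"secret_id_ttl": "6m"`-style strings next to `"token_num_uses": 3` as an integer — while the spec expects an Integer back; coercion is presumably done server-side, but writing the count fields as integers removes the dependence on it.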
@@ -0,0 +1,10 @@
1
+ {
2
+ "bind_secret_id": true,
3
+ "bound_cidr_list": "10.0.100.0/24,1.2.3.4/25",
4
+ "policies": "default,frontends",
5
+ "secret_id_num_uses": "255",
6
+ "secret_id_ttl": "61m",
7
+ "token_num_uses": 7,
8
+ "token_ttl": "62m",
9
+ "token_max_ttl": "300m"
10
+ }
@@ -0,0 +1,3 @@
1
+ {
2
+ "role_id": "robert_paulson"
3
+ }
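Review bot: `"role_id": "robert_paulson"` pins a fixed, human-readable role ID, and from the spec and file list this file appears to belong to the role fixture that sets `"bind_secret_id": false`; in that configuration the role ID plus a source address inside `bound_cidr_list` is the whole login credential, so a guessable value reduces the role to its CIDR check alone. That is acceptable for a demo, but since JSON carries no comments, a README line next to the examples saying that `role-id.json` is optional (Vault generates a UUID when it is absent) and that a custom role ID should be treated as a secret would help anyone copying this layout. Note also that the provisioner posts this file without passing it through `validate_file!`, so a malformed role-id.json surfaces only as a server error.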
@@ -0,0 +1,10 @@
1
+ {
2
+ "bind_secret_id": false,
3
+ "bound_cidr_list": "1.2.3.4/25,127.0.0.0/16",
4
+ "policies": "backends",
5
+ "secret_id_num_uses": "25",
6
+ "secret_id_ttl": "6m",
7
+ "token_num_uses": 3,
8
+ "token_ttl": "16m",
9
+ "token_max_ttl": "30m"
10
+ }
@@ -0,0 +1,10 @@
1
+ {
2
+ "bind_secret_id": false,
3
+ "bound_cidr_list": "10.0.1.0/24",
4
+ "policies": "default,frontends",
5
+ "secret_id_num_uses": "255",
6
+ "secret_id_ttl": "61m",
7
+ "token_num_uses": 7,
8
+ "token_ttl": "62m",
9
+ "token_max_ttl": "300m"
10
+ }
@@ -0,0 +1,4 @@
1
+ {
2
+ "description": "my awesome approle",
3
+ "type": "approle"
4
+ }
@@ -0,0 +1,4 @@
1
+ {
2
+ "description": "his name is robert paulson",
3
+ "type": "approle"
4
+ }
@@ -0,0 +1,18 @@
1
+ {
2
+ "path": [
3
+ {
4
+ "secret/frontends/*": {
5
+ "capabilities": [
6
+ "read",
7
+ "list"
8
+ ]
9
+ },
10
+ "secret/frontends/*": {
11
+ "capabilities": [
12
+ "read",
13
+ "list"
14
+ ]
15
+ }
16
+ }
17
+ ]
18
+ }
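Review bot: The object inside `"path"` repeats the key `"secret/frontends/*"` twice with identical capability blocks; a JSON object cannot carry duplicate keys, so `JSON.parse` (and Vault's own parser) keeps only one of them and the other is silently dropped. Given the file list this looks like `sys/policy/backends.json`, in which case the first entry was presumably meant to be a different path and the example grants less than it appears to; whichever is intended, the duplicate should be removed or corrected. A syntax-only check such as `validate_file!` will not catch this, since duplicate keys parse cleanly.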
@@ -0,0 +1,12 @@
1
+ {
2
+ "path": [
3
+ {
4
+ "secret/frontends/*": {
5
+ "capabilities": [
6
+ "read",
7
+ "list"
8
+ ]
9
+ }
10
+ }
11
+ ]
12
+ }
@@ -0,0 +1,34 @@
1
+ # placeholder
2
+ class Vault::Provision::Auth::Approle < Vault::Provision::Prototype
3
+ def provision!
4
+ repo_files.each do |rf|
5
+ validate_file! rf
6
+ role_name = File.basename(rf, '.json')
7
+ auth_point = rf.split('/')[-3]
8
+ role_path = "auth/#{auth_point}/role/#{role_name}"
9
+ role_id_file = "#{@instance_dir}/#{role_path}/role-id.json"
10
+
11
+ puts " * #{role_path}"
12
+ @vault.post "v1/#{role_path}", File.read(rf)
13
+ next unless FileTest.file? role_id_file
14
+ puts " * #{role_path}/role-id"
15
+ @vault.post "v1/#{role_path}/role-id", File.read(role_id_file)
16
+ end
17
+ end
18
+
19
+ # Vault supports multiple instances of the 'approle' backend mounted
20
+ # concurrently. The map-reducey method repo_files gets the list of
21
+ # approle mounts, calls role_files() once for each of the mounts,
22
+ # then concatenates all those filenames into one big flat array
23
+ def repo_files
24
+ @vault.sys.auths.select { |_,v| v.type == 'approle' }
25
+ .keys
26
+ .inject([]) { |acc, elem| acc + role_files(elem) }
27
+ end
28
+
29
+ def role_files auth_point
30
+ Dir.glob("#{@instance_dir}/auth/#{auth_point}/role/*.json").select do |rf|
31
+ FileTest.file?(rf)
32
+ end
33
+ end
34
+ end
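Review bot: The role-id file is posted without validation — `validate_file! rf` guards the role definition, but `File.read(role_id_file)` on the `role-id` post line goes straight to Vault, so a malformed role-id.json surfaces as a server-side error instead of an InvalidProvisioningFileError; add `validate_file! role_id_file` right after the `next unless FileTest.file? role_id_file` guard. The `# placeholder` comment at the top should become a one-line class doc, e.g. `# Provisions AppRole roles (and optional custom role IDs) for every mounted 'approle' auth backend`. Stylistically, `.inject([]) { |acc, elem| acc + role_files(elem) }` in repo_files is `.flat_map { |mount| role_files(mount) }`, and the same construction appears in the ldap Groups#repo_files hunk. `auth_point = rf.split('/')[-3]` relies on the exact glob shape in role_files, which deserves a why-comment since both lines must change together.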
@@ -6,10 +6,11 @@ class Vault::Provision::Auth::Ldap::Groups < Vault::Provision::Prototype
6
6
  end
7
7
  end
8
8
 
9
+ # Vault supports multiple instances of the 'ldap' backend mounted
10
+ # concurrently. The map-reducey method repo_files gets the list of
11
+ # ldap mounts, calls group_files() once for each of the mounts,
12
+ # then concatenates all those filenames into one big flat array
9
13
  def repo_files
10
- #auths = @vault.sys.auths
11
- #auths.keys.select { |ap| auths[ap].type == 'ldap' }
12
- # .inject([]) { |acc, elem| acc + group_files(elem) }
13
14
  @vault.sys.auths.select { |_,v| v.type == 'ldap' }
14
15
  .keys
15
16
  .inject([]) { |acc, elem| acc + group_files(elem) }
@@ -2,3 +2,4 @@
2
2
  class Vault::Provision::Auth; end
3
3
 
4
4
  require 'vault/provision/auth/ldap'
5
+ require 'vault/provision/auth/approle'
@@ -1,5 +1,9 @@
1
+ require 'rhcl'
2
+
1
3
  # prototype for the individual hierarchy paths
2
4
  class Vault::Provision::Prototype
5
+ class InvalidProvisioningFileError < RuntimeError; end
6
+
3
7
  def initialize boss
4
8
  @vault = boss.vault
5
9
  @instance_dir = boss.instance_dir
@@ -23,4 +27,21 @@ class Vault::Provision::Prototype
23
27
  def provision!
24
28
  puts "#{self.class} says: Go climb a tree!"
25
29
  end
30
+
31
+ def validate_file! path
32
+ file_string = File.read(path)
33
+ begin
34
+ case File.extname(path)
35
+ when '.json'
36
+ JSON.parse file_string
37
+ when '.hcl'
38
+ Rhcl.parse file_string
39
+ else
40
+ raise InvalidProvisioningFileError.new("unknown filetype #{File.extname(path)}")
41
+ end
42
+ true
43
+ rescue Racc::ParseError, JSON::ParserError, InvalidProvisioningFileError => e
44
+ raise InvalidProvisioningFileError.new("Unable to parse file #{path}:\n🐱🐱🐱\n#{file_string}\n🐱🐱🐱\n#{e.class} #{e.message}")
45
+ end
46
+ end
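Review bot: The error raised in the rescue branch of validate_file! embeds the entire file contents (`#{file_string}`) in the exception message, so a parse failure copies whatever the provisioning file holds into logs, CI output and crash reports; files under auth/ (the file list includes an ldap config) may carry credentials, so the message should name the path and the parser error only, e.g. `raise InvalidProvisioningFileError, "Unable to parse file #{path}: #{e.class} #{e.message}"`, leaving the operator to open the file themselves. `Racc::ParseError` in the rescue list resolves only if rhcl loads racc, and `JSON` is used without a visible `require 'json'`; presumably both are loaded elsewhere, but a `require 'json'` next to `require 'rhcl'` makes the file self-contained. `raise InvalidProvisioningFileError.new(...)` on the `else` branch is the non-idiomatic form; `raise InvalidProvisioningFileError, "unknown filetype #{File.extname(path)}"` reads better. A short YARD block on validate_file! (`# @param path [String]`, `# @return [true]`, `# @raise [InvalidProvisioningFileError]`) would record that it checks syntax only and that callers re-parse the file.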
26
47
  end
@@ -5,9 +5,11 @@ class Vault::Provision::Sys::Auth < Vault::Provision::Prototype
5
5
 
6
6
  change = []
7
7
  repo_files.each do |rf|
8
+ validate_file! rf
8
9
  path = rf[(repo_path.length + 1)..-6].to_sym
9
10
  r_conf = JSON.parse(File.read(rf))
10
11
 
12
+ puts " * #{File.basename(rf, '.json')} (#{r_conf['type']})"
11
13
  next if auths[path]
12
14
  @vault.sys.enable_auth(path.to_s,
13
15
  r_conf['type'], r_conf['description'])
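Review bot: `validate_file! rf` now accepts .hcl as well as .json, but the two lines that follow — `path = rf[(repo_path.length + 1)..-6].to_sym` and `r_conf = JSON.parse(File.read(rf))` — both assume a five-character `.json` suffix, so an .hcl file handed over by repo_files (whether that can happen is outside the hunk) would pass validation and then raise a bare JSON::ParserError with a mangled path. Either state in a comment that repo_files only globs `*.json`, or make the slice extension-agnostic with `rf[(repo_path.length + 1)..-(File.extname(rf).length + 1)]` and guard the parse. The file is also read and parsed twice, once inside validate_file! and again here; a validator that returns the parsed object would avoid that. The enclosing provision! method starts before the hunk.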
@@ -6,12 +6,14 @@ class Vault::Provision::Sys::Policy < Vault::Provision::Prototype
6
6
 
7
7
  def provision!
8
8
  repo_files.each do |rf|
9
+ validate_file! rf
9
10
  policy_name = if rf.end_with? '.json'
10
11
  File.basename(rf, '.json')
11
12
  elsif rf.end_with? '.hcl'
12
13
  File.basename(rf, '.hcl')
13
14
  end
14
15
  next if Vault::Provision::SYSTEM_POLICIES.include? policy_name
16
+ puts " * #{File.basename(rf, '.json')}"
15
17
  @vault.sys.put_policy(policy_name, File.read(rf))
16
18
  end
17
19
  end
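Review bot: `puts " * #{File.basename(rf, '.json')}"` prints the wrong name for HCL policies — for the `default.hcl` example it outputs `default.hcl`, since the `.json` suffix is not there to strip — while `policy_name` computed a few lines above already holds the right value for both extensions; use `puts " * #{policy_name}"`. With validate_file! now raising on unknown extensions, the `if`/`elsif` computing policy_name can no longer yield nil, which is worth a one-line comment so nobody re-adds a nil guard later. The enclosing class continues outside the hunk.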
@@ -37,6 +37,7 @@ class Vault::Provision
37
37
  Generic,
38
38
  Sys::Policy,
39
39
  Auth::Ldap::Groups,
40
+ Auth::Approle
40
41
  ]
41
42
  end
42
43
 
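Review bot: `Auth::Approle` is added as the last element without a trailing comma while the elements above it all end with one; writing `Auth::Approle,` keeps the literal uniform and makes the next addition a one-line diff, which Ruby's array syntax permits. Approle provisioning posts to `auth/<mount>/role/...`, so it presumably depends on the auth mounts having been enabled by an earlier entry in this list; the list head is outside the hunk, but a comment noting that the order is significant would protect it.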
@@ -68,4 +68,30 @@ describe Vault::Provision do
68
68
  it "has a secret squirrel" do
69
69
  expect(client.sys.mounts[:squirrel].type).to be == 'generic'
70
70
  end
71
+
72
+ it "has an approle mount" do
73
+ expect(client.sys.auths[:approle].type).to be == 'approle'
74
+ end
75
+
76
+ it "has approle role for frontends" do
77
+ resp = client.get('v1/auth/approle/role/frontends')
78
+ expect(resp[:data]).to be
79
+ expect(resp[:data][:secret_id_num_uses]).to be == 255
80
+ end
81
+
82
+ it "has an approle mount named bob" do
83
+ expect(client.sys.auths[:bob_the_dancing_approle_mount].type).to be == 'approle'
84
+ end
85
+
86
+ it "bob has dreams too ya know" do
87
+ resp = client.get('v1/auth/bob_the_dancing_approle_mount/role/dream')
88
+ expect(resp[:data]).to be
89
+ expect(resp[:data][:bound_cidr_list]).to be == '10.0.1.0/24'
90
+ end
91
+
92
+ it "in death, a member of project mayhem has a name (or at least a role-id)" do
93
+ resp = client.get('v1/auth/bob_the_dancing_approle_mount/role/death/role-id')
94
+ expect(resp[:data]).to be
95
+ expect(resp[:data][:role_id]).to be == 'robert_paulson'
96
+ end
71
97
  end
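Review bot: The new validate_file! path and InvalidProvisioningFileError get no spec here — every added example exercises a well-formed fixture, so a regression in the extension check or the rescue list would pass unnoticed; an example that provisions a directory holding a malformed .json (or a file with an unknown extension) and expects `raise_error(Vault::Provision::Prototype::InvalidProvisioningFileError)` would cover it. `expect(resp[:data]).to be` in the three role examples passes for any truthy value and reads like an unfinished matcher; `expect(resp[:data]).not_to be_nil` (or `to be_a(Hash)`) states the intent. The `secret_id_num_uses` assertion expects the Integer 255 although the fixtures write it as the string `"255"`, so the example is also pinning Vault's coercion; a comment saying so would keep a future fixture cleanup from breaking it.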
@@ -10,6 +10,7 @@ Gem::Specification.new do |s|
10
10
  s.license = "Apache-2.0"
11
11
  s.files = `git ls-files`.split("\n")
12
12
  s.homepage = 'https://github.com/tmaher/vault-provision'
13
+ s.add_dependency 'rhcl', '~>0.1.0'
13
14
  s.add_dependency 'vault', '~>0.9.0'
14
15
  s.add_development_dependency "rake", '~>12'
15
16
  s.add_development_dependency "rspec", '~>3'
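--- a/metadata
+++ b/metadata
@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: vault-provision
 version: !ruby/object:Gem::Version
-version: 0.1.2
+version: 0.1.4
 platform: ruby
 authors:
 - Tom Maher
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-03-28 00:00:00.000000000 Z
+date: 2017-04-05 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+name: rhcl
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.1.0
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.1.0
 - !ruby/object:Gem::Dependency
 name: vault
 requirement: !ruby/object:Gem::Requirement
@@ -65,6 +79,11 @@ files:
 - Rakefile
 - VERSION
 - examples/basic/auth/.keep
+- examples/basic/auth/approle/role/backends.json
+- examples/basic/auth/approle/role/frontends.json
+- examples/basic/auth/bob_the_dancing_approle_mount/role/death.json
+- examples/basic/auth/bob_the_dancing_approle_mount/role/death/role-id.json
+- examples/basic/auth/bob_the_dancing_approle_mount/role/dream.json
 - examples/basic/auth/ldap/.keep
 - examples/basic/auth/ldap/config.json
 - examples/basic/auth/ldap/groups/admin.json
@@ -85,6 +104,8 @@ files:
 - examples/basic/pki-root/root/generate/internal.json
 - examples/basic/sys/auth.json
 - examples/basic/sys/auth/.keep
+- examples/basic/sys/auth/approle.json
+- examples/basic/sys/auth/bob_the_dancing_approle_mount.json
 - examples/basic/sys/auth/ldap.json
 - examples/basic/sys/auth/token.json
 - examples/basic/sys/mounts/.keep
@@ -97,13 +118,15 @@ files:
 - examples/basic/sys/mounts/squirrel.json
 - examples/basic/sys/mounts/sys.json
 - examples/basic/sys/policy/.keep
+- examples/basic/sys/policy/backends.json
 - examples/basic/sys/policy/default.hcl
+- examples/basic/sys/policy/frontends.json
 - examples/basic/sys/policy/master_of_secrets.json
 - examples/basic/sys/policy/pki-intermediates.json
 - examples/basic/sys/policy/response-wrapping.hcl
-- examples/basic/sys/policy/root.json
 - lib/vault/provision.rb
 - lib/vault/provision/auth.rb
+- lib/vault/provision/auth/approle.rb
 - lib/vault/provision/auth/ldap.rb
 - lib/vault/provision/auth/ldap/config.rb
 - lib/vault/provision/auth/ldap/groups.rb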