vault-provision 0.1.2 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 07ea7e20d39900ca94b02dff1b460933ea9e2a7b
-  data.tar.gz: 974204a47b957a7532d1750c9248e408ce1baaeb
+  metadata.gz: 36de8a869cbe29da2205f9aa25365ed0b4e1e652
+  data.tar.gz: d4a705e2021cf83b8e2edffd87f1e1e45e0feb1d
 SHA512:
-  metadata.gz: fd1561e9ae836c4e51d0930157b6ebbfdf5fb7210fdfeecfc192d778070e76f782277be085e8e4bfad8814de3ce988f493ca897f3695ae56c3de65ffd225ab31
-  data.tar.gz: 19d8c9a168a5c4c9f983fdbccc181c08affffe07ef9170b1dc86a16c7b8df2fe2b9ebbd88359fe47a370055677fef2d4b723ad3a665e08b99b9354014089ba66
+  metadata.gz: 5877329f3880ae4b2e7981a9e047f309d4a0ebb0180fe04d1d24f8baede83a591f9e64f13f4989a3a51714fe10be46fe1ea88fd915a8a5b01d258f57558016c4
+  data.tar.gz: 01a94754acc3de508811da63380726606193b2d99366393b78ceca38ee5ce929b9fbe54c2cfacadcaa45678f7b99524dae4c4febaafd79bba2c6a0fd5dca7c54

data/Gemfile

@@ -7,4 +7,5 @@ gem 'rspec',      '~>3.5.0'
 gem 'rspec-core', '~>3.5.4'
 
 gem 'activesupport', '~>5.0.2'
+gem 'rhcl',          '~>0.1.0'
 gem 'vault',         '~>0.9.0'

data/Gemfile.lock

@@ -1,7 +1,8 @@
 PATH
   remote: .
   specs:
-    vault-provision (0.1.1)
+    vault-provision (0.1.4)
+      rhcl (~> 0.1.0)
       vault (~> 0.9.0)
 
 GEM
@@ -13,10 +14,13 @@ GEM
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     concurrent-ruby (1.0.5)
+    deep_merge (1.1.1)
     diff-lcs (1.3)
     i18n (0.8.1)
     minitest (5.10.1)
     rake (12.0.0)
+    rhcl (0.1.0)
+      deep_merge
     rspec (3.5.0)
       rspec-core (~> 3.5.0)
       rspec-expectations (~> 3.5.0)
@@ -41,6 +45,7 @@ PLATFORMS
 DEPENDENCIES
   activesupport (~> 5.0.2)
   rake (~> 12.0)
+  rhcl (~> 0.1.0)
   rspec (~> 3.5.0)
   rspec-core (~> 3.5.4)
   vault (~> 0.9.0)

data/VERSION

@@ -1 +1 @@
-0.1.2
+0.1.4

data/examples/basic/auth/approle/role/backends.json

@@ -0,0 +1,10 @@
+{
+  "bind_secret_id": true,
+  "bound_cidr_list": "1.2.3.4/25,127.0.0.0/16",
+  "policies": "default,pki-intermediate,backends",
+  "secret_id_num_uses": "25",
+  "secret_id_ttl": "6m",
+  "token_num_uses": 3,
+  "token_ttl": "16m",
+  "token_max_ttl": "30m"
+}

data/examples/basic/auth/approle/role/frontends.json

@@ -0,0 +1,10 @@
+{
+  "bind_secret_id": true,
+  "bound_cidr_list": "10.0.100.0/24,1.2.3.4/25",
+  "policies": "default,frontends",
+  "secret_id_num_uses": "255",
+  "secret_id_ttl": "61m",
+  "token_num_uses": 7,
+  "token_ttl": "62m",
+  "token_max_ttl": "300m"
+}

data/examples/basic/auth/bob_the_dancing_approle_mount/role/death/role-id.json

@@ -0,0 +1,3 @@
+{
+  "role_id": "robert_paulson"
+}

data/examples/basic/auth/bob_the_dancing_approle_mount/role/death.json

@@ -0,0 +1,10 @@
+{
+  "bind_secret_id": false,
+  "bound_cidr_list": "1.2.3.4/25,127.0.0.0/16",
+  "policies": "backends",
+  "secret_id_num_uses": "25",
+  "secret_id_ttl": "6m",
+  "token_num_uses": 3,
+  "token_ttl": "16m",
+  "token_max_ttl": "30m"
+}

data/examples/basic/auth/bob_the_dancing_approle_mount/role/dream.json

@@ -0,0 +1,10 @@
+{
+  "bind_secret_id": false,
+  "bound_cidr_list": "10.0.1.0/24",
+  "policies": "default,frontends",
+  "secret_id_num_uses": "255",
+  "secret_id_ttl": "61m",
+  "token_num_uses": 7,
+  "token_ttl": "62m",
+  "token_max_ttl": "300m"
+}

data/examples/basic/sys/auth/approle.json

@@ -0,0 +1,4 @@
+{
+  "description": "my awesome approle",
+  "type": "approle"
+}

data/examples/basic/sys/auth/bob_the_dancing_approle_mount.json

@@ -0,0 +1,4 @@
+{
+  "description": "his name is robert paulson",
+  "type": "approle"
+}

data/examples/basic/sys/policy/backends.json

@@ -0,0 +1,18 @@
+{
+  "path": [
+    {
+      "secret/frontends/*": {
+        "capabilities": [
+          "read",
+          "list"
+        ]
+      },
+      "secret/frontends/*": {
+        "capabilities": [
+          "read",
+          "list"
+        ]
+      }
+    }
+  ]
+}

data/examples/basic/sys/policy/frontends.json

@@ -0,0 +1,12 @@
+{
+  "path": [
+    {
+      "secret/frontends/*": {
+        "capabilities": [
+          "read",
+          "list"
+        ]
+      }
+    }
+  ]
+}

data/lib/vault/provision/auth/approle.rb

@@ -0,0 +1,34 @@
+# placeholder
+class Vault::Provision::Auth::Approle < Vault::Provision::Prototype
+  def provision!
+    repo_files.each do |rf|
+      validate_file! rf
+      role_name    = File.basename(rf, '.json')
+      auth_point   = rf.split('/')[-3]
+      role_path    = "auth/#{auth_point}/role/#{role_name}"
+      role_id_file = "#{@instance_dir}/#{role_path}/role-id.json"
+
+      puts "  * #{role_path}"
+      @vault.post "v1/#{role_path}", File.read(rf)
+      next unless FileTest.file? role_id_file
+      puts "  * #{role_path}/role-id"
+      @vault.post "v1/#{role_path}/role-id", File.read(role_id_file)
+    end
+  end
+
+  # Vault supports multiple instances of the 'approle' backend mounted
+  # concurrently. The map-reducey method repo_files gets the list of
+  # approle mounts, calls role_files() once for each of the mounts,
+  # then concatenates all those filenames into one big flat array
+  def repo_files
+    @vault.sys.auths.select { |_,v| v.type == 'approle' }
+          .keys
+          .inject([]) { |acc, elem| acc + role_files(elem) }
+  end
+
+  def role_files auth_point
+    Dir.glob("#{@instance_dir}/auth/#{auth_point}/role/*.json").select do |rf|
+      FileTest.file?(rf)
+    end
+  end
+end

data/lib/vault/provision/auth/ldap/groups.rb

@@ -6,10 +6,11 @@ class Vault::Provision::Auth::Ldap::Groups < Vault::Provision::Prototype
     end
   end
 
+  # Vault supports multiple instances of the 'ldap' backend mounted
+  # concurrently. The map-reducey method repo_files gets the list of
+  # ldap mounts, calls group_files() once for each of the mounts,
+  # then concatenates all those filenames into one big flat array
   def repo_files
-    #auths = @vault.sys.auths
-    #auths.keys.select { |ap| auths[ap].type == 'ldap' }
-    #     .inject([]) { |acc, elem| acc + group_files(elem) }
     @vault.sys.auths.select { |_,v| v.type == 'ldap' }
           .keys
           .inject([]) { |acc, elem| acc + group_files(elem) }

data/lib/vault/provision/auth.rb

@@ -2,3 +2,4 @@
 class Vault::Provision::Auth; end
 
 require 'vault/provision/auth/ldap'
+require 'vault/provision/auth/approle'

data/lib/vault/provision/prototype.rb

@@ -1,5 +1,9 @@
+require 'rhcl'
+
 # prototype for the individual hierarchy paths
 class Vault::Provision::Prototype
+  class InvalidProvisioningFileError < RuntimeError; end
+
   def initialize boss
     @vault = boss.vault
     @instance_dir = boss.instance_dir
@@ -23,4 +27,21 @@ class Vault::Provision::Prototype
   def provision!
     puts "#{self.class} says: Go climb a tree!"
   end
+
+  def validate_file! path
+    file_string = File.read(path)
+    begin
+      case File.extname(path)
+      when '.json'
+        JSON.parse file_string
+      when '.hcl'
+        Rhcl.parse file_string
+      else
+        raise InvalidProvisioningFileError.new("unknown filetype #{File.extname(path)}")
+      end
+      true
+    rescue Racc::ParseError, JSON::ParserError, InvalidProvisioningFileError => e
+      raise InvalidProvisioningFileError.new("Unable to parse file #{path}:\n🐱🐱🐱\n#{file_string}\n🐱🐱🐱\n#{e.class} #{e.message}")
+    end
+  end
 end

data/lib/vault/provision/sys/auth.rb

@@ -5,9 +5,11 @@ class Vault::Provision::Sys::Auth < Vault::Provision::Prototype
 
     change = []
     repo_files.each do |rf|
+      validate_file! rf
       path = rf[(repo_path.length + 1)..-6].to_sym
       r_conf = JSON.parse(File.read(rf))
 
+      puts "  * #{File.basename(rf, '.json')} (#{r_conf['type']})"
       next if auths[path]
       @vault.sys.enable_auth(path.to_s,
                              r_conf['type'], r_conf['description'])

data/lib/vault/provision/sys/policy.rb

@@ -6,12 +6,14 @@ class Vault::Provision::Sys::Policy < Vault::Provision::Prototype
 
   def provision!
     repo_files.each do |rf|
+      validate_file! rf
       policy_name = if rf.end_with? '.json'
                       File.basename(rf, '.json')
                     elsif rf.end_with? '.hcl'
                       File.basename(rf, '.hcl')
                     end
       next if Vault::Provision::SYSTEM_POLICIES.include? policy_name
+      puts "  * #{File.basename(rf, '.json')}"
       @vault.sys.put_policy(policy_name, File.read(rf))
     end
   end

data/lib/vault/provision.rb

@@ -37,6 +37,7 @@ class Vault::Provision
       Generic,
       Sys::Policy,
       Auth::Ldap::Groups,
+      Auth::Approle
     ]
   end
 

data/spec/vault_provision_spec.rb

@@ -68,4 +68,30 @@ describe Vault::Provision do
   it "has a secret squirrel" do
     expect(client.sys.mounts[:squirrel].type).to be == 'generic'
   end
+
+  it "has an approle mount" do
+    expect(client.sys.auths[:approle].type).to be == 'approle'
+  end
+
+  it "has approle role for frontends" do
+    resp = client.get('v1/auth/approle/role/frontends')
+    expect(resp[:data]).to be
+    expect(resp[:data][:secret_id_num_uses]).to be == 255
+  end
+
+  it "has an approle mount named bob" do
+    expect(client.sys.auths[:bob_the_dancing_approle_mount].type).to be == 'approle'
+  end
+
+  it "bob has dreams too ya know" do
+    resp = client.get('v1/auth/bob_the_dancing_approle_mount/role/dream')
+    expect(resp[:data]).to be
+    expect(resp[:data][:bound_cidr_list]).to be == '10.0.1.0/24'
+  end
+
+  it "in death, a member of project mayhem has a name (or at least a role-id)" do
+    resp = client.get('v1/auth/bob_the_dancing_approle_mount/role/death/role-id')
+    expect(resp[:data]).to be
+    expect(resp[:data][:role_id]).to be == 'robert_paulson'
+  end
 end

data/vault-provision.gemspec

@@ -10,6 +10,7 @@ Gem::Specification.new do |s|
   s.license = "Apache-2.0"
   s.files = `git ls-files`.split("\n")
   s.homepage = 'https://github.com/tmaher/vault-provision'
+  s.add_dependency 'rhcl', '~>0.1.0'
   s.add_dependency 'vault', '~>0.9.0'
   s.add_development_dependency "rake", '~>12'
   s.add_development_dependency "rspec", '~>3'

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: vault-provision
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.4
 platform: ruby
 authors:
 - Tom Maher
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-28 00:00:00.000000000 Z
+date: 2017-04-05 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: rhcl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.0
 - !ruby/object:Gem::Dependency
   name: vault
   requirement: !ruby/object:Gem::Requirement
@@ -65,6 +79,11 @@ files:
 - Rakefile
 - VERSION
 - examples/basic/auth/.keep
+- examples/basic/auth/approle/role/backends.json
+- examples/basic/auth/approle/role/frontends.json
+- examples/basic/auth/bob_the_dancing_approle_mount/role/death.json
+- examples/basic/auth/bob_the_dancing_approle_mount/role/death/role-id.json
+- examples/basic/auth/bob_the_dancing_approle_mount/role/dream.json
 - examples/basic/auth/ldap/.keep
 - examples/basic/auth/ldap/config.json
 - examples/basic/auth/ldap/groups/admin.json
@@ -85,6 +104,8 @@ files:
 - examples/basic/pki-root/root/generate/internal.json
 - examples/basic/sys/auth.json
 - examples/basic/sys/auth/.keep
+- examples/basic/sys/auth/approle.json
+- examples/basic/sys/auth/bob_the_dancing_approle_mount.json
 - examples/basic/sys/auth/ldap.json
 - examples/basic/sys/auth/token.json
 - examples/basic/sys/mounts/.keep
@@ -97,13 +118,15 @@ files:
 - examples/basic/sys/mounts/squirrel.json
 - examples/basic/sys/mounts/sys.json
 - examples/basic/sys/policy/.keep
+- examples/basic/sys/policy/backends.json
 - examples/basic/sys/policy/default.hcl
+- examples/basic/sys/policy/frontends.json
 - examples/basic/sys/policy/master_of_secrets.json
 - examples/basic/sys/policy/pki-intermediates.json
 - examples/basic/sys/policy/response-wrapping.hcl
-- examples/basic/sys/policy/root.json
 - lib/vault/provision.rb
 - lib/vault/provision/auth.rb
+- lib/vault/provision/auth/approle.rb
 - lib/vault/provision/auth/ldap.rb
 - lib/vault/provision/auth/ldap/config.rb
 - lib/vault/provision/auth/ldap/groups.rb