vault-provision 0.1.0 → 0.1.1
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/VERSION +1 -1
- data/lib/vault/provision/auth/ldap/config.rb +0 -6
- data/lib/vault/provision/pki/config/urls.rb +0 -1
- data/lib/vault/provision/pki/intermediate/generate/internal.rb +4 -3
- data/lib/vault/provision/pki/root/generate/internal.rb +1 -0
- data/lib/vault/provision/pki.rb +3 -3
- data/lib/vault/provision/prototype.rb +1 -0
- data/lib/vault/provision/sys/auth.rb +0 -3
- data/lib/vault/provision/sys.rb +0 -1
- data/lib/vault/provision.rb +4 -3
- data/spec/spec_helper.rb +4 -2
- data/spec/vault_provision_spec.rb +2 -2
- metadata +1 -1
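--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 79f872c69434db5cf504adcd6efeea369c1bff7c
+data.tar.gz: eabe325c9cff5d09bbc2ad8b58a364aa4d948d0d
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 624e211242329581f89cad36cdf018f70d5f5244366f25e81ca1df8d05463e91374edc532e14890d935dfdec8219392f388198360d52c94ce7db376d6fe02389
+data.tar.gz: 7aba52e8656f2a035c2871ca19e6d08b03a7c4d6c1ed8b962ef19bf26cfd3fda3640f9b94a117ce947f07454befbf0f6ea7fbbf3f957c5879239994360b3af48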
data/Gemfile.lock
CHANGED
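--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.1.
+0.1.1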
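--- a/data/lib/vault/provision/auth/ldap/config.rb
+++ b/data/lib/vault/provision/auth/ldap/config.rb
@@ -6,20 +6,16 @@ class Vault::Provision::Auth::Ldap::Config < Vault::Provision::Prototype
 
 def repo_files
 return @repo_files if @repo_files
-#puts "*** calling repo_files"
-
 auths = @vault.sys.auths
 
 aps = auths.keys.select do |auth_point|
 next unless auths[auth_point].type == 'ldap'
-#puts "**** got auth mount #{auth_point}"
 next unless FileTest.file? ap_file(auth_point)
 
 repo_config = JSON.parse(File.read(ap_file(auth_point)))
 vault_config = begin
 @vault.get("auth/#{auth_point}config")['data']
 rescue Vault::HTTPClientError => e
-#puts "**** new #{auth_point} config"
 raise e unless e.code == 404
 {}
 end
@@ -28,9 +24,7 @@ class Vault::Provision::Auth::Ldap::Config < Vault::Provision::Prototype
 # vault state. If they're identical, go on to the next mount point.
 !repo_config.keys.inject(true) { |acc,elem| acc && vault_config[elem] == repo_config[elem]}
 end
-#puts "**** aps is #{aps}"
 map_out = aps.map { |auth_point| ap_file(auth_point) }
-#puts "**** returning map_out of #{map_out}"
 @repo_files = map_out
 end
 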
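--- a/data/lib/vault/provision/pki/config/urls.rb
+++ b/data/lib/vault/provision/pki/config/urls.rb
@@ -17,7 +17,6 @@ class Vault::Provision::Pki::Config::Urls < Vault::Provision::Prototype
 def provision!
 repo_files.each do |rf|
 mount_point = rf.split('/')[-3]
-#puts "**** mount #{mount_point} rf => #{rf}"
 @vault.post "v1/#{mount_point}/config/urls", File.read(rf)
 end
 end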
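--- a/data/lib/vault/provision/pki/intermediate/generate/internal.rb
+++ b/data/lib/vault/provision/pki/intermediate/generate/internal.rb
@@ -18,6 +18,7 @@ class Vault::Provision::Pki::Intermediate::Generate::Internal < Vault::Provision
 repo_files.each do |rf|
 mount_point = rf.split('/')[-4]
 next if generated? mount_point
+next unless @pki_allow_destructive
 resp = @vault.post "v1/#{mount_point}/intermediate/generate/internal",
 File.read(rf)
 sign_intermediate_csr(mount_point, resp[:data][:csr])
@@ -26,11 +27,11 @@ class Vault::Provision::Pki::Intermediate::Generate::Internal < Vault::Provision
 
 def sign_intermediate_csr mount_point, csr
 return if @intermediate_issuer.empty?
-
-return if
+root_mount = @intermediate_issuer[mount_point.to_sym]
+return if root_mount.nil?
 
 req = JSON.parse(File.read(gen_file(mount_point)))
-resp = @vault.post "v1/#{
+resp = @vault.post "v1/#{root_mount}/root/sign-intermediate",
 JSON.dump(csr: csr,
 common_name: req['common_name'],
 ttl: req['ttl'],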
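Review bot: In the new `sign_intermediate_csr`, the early returns on an empty `@intermediate_issuer` or a missing `root_mount` run only after the caller (first hunk) has already posted to `intermediate/generate/internal`, so an intermediate mount with no configured issuer gets fresh key material generated and its CSR is then silently discarded; on the next run `generated?` still sees no `ca/pem`, and another key is generated. Resolve the issuer before generating, e.g. move `root_mount = @intermediate_issuer[mount_point.to_sym]` ahead of the post with `next if root_mount.nil?` there, or raise so the misconfiguration is visible rather than silently skipped. The lookup uses `mount_point.to_sym`, so a caller that supplies string keys in `intermediate_issuer` will always land in the nil branch; that constraint deserves a comment on the line. Both hunks sit inside methods whose bodies continue outside the hunks.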
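--- a/data/lib/vault/provision/pki/root/generate/internal.rb
+++ b/data/lib/vault/provision/pki/root/generate/internal.rb
@@ -18,6 +18,7 @@ class Vault::Provision::Pki::Root::Generate::Internal < Vault::Provision::Protot
 repo_files.each do |rf|
 mount_point = rf.split('/')[-4]
 next if generated? mount_point
+next unless @pki_allow_destructive
 @vault.post "v1/#{mount_point}/root/generate/internal", File.read(rf)
 end
 end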
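Review bot: The added `next unless @pki_allow_destructive` skips a mount that `generated?` has just reported as having no CA without leaving any trace, so a run with the default `pki_allow_destructive: false` leaves the root mount unprovisioned silently and any later `sign-intermediate` against it fails at a distance. A line such as `warn "#{mount_point}: no CA present, skipping root generation (pki_allow_destructive is false)"` before the `next` (or the project's logger, if one exists outside this view) would make the skipped step visible; the identical guard added in intermediate/generate/internal has the same gap. The enclosing method begins above the hunk.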
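--- a/data/lib/vault/provision/pki.rb
+++ b/data/lib/vault/provision/pki.rb
@@ -6,10 +6,10 @@ module Vault::Provision::Pki
 class Intermediate; end
 
 def generated? path
-@vault.get "
-true
+result = @vault.get "v1/#{path}/ca/pem"
+return true if result =~ /BEGIN CERTIFICATE/
 rescue Vault::HTTPClientError
-false
+return false
 end
 
 def ca_type path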
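Review bot: `generated?` still maps every `Vault::HTTPClientError` to `false`, so a 403 from a token that cannot read `#{path}/ca/pem` is indistinguishable from a missing CA, and with `pki_allow_destructive: true` the callers in root/generate and intermediate/generate go on to generate new key material; only a 404 should mean "not generated", as the ldap config hunk in this same release already does with `raise e unless e.code == 404`. The success path also yields `nil` rather than `false` when the body lacks `BEGIN CERTIFICATE`, and `=~` on a non-String body (a parsed Hash, or nil) would raise on recent Rubies where `Object#=~` no longer exists, so matching on `result.to_s` is safer. The rewrite below keeps the method's name and arity.

```ruby
def generated? path
  result = @vault.get "v1/#{path}/ca/pem"
  result.to_s.include?('BEGIN CERTIFICATE')
rescue Vault::HTTPClientError => e
  # Only "no CA yet" is a legitimate false; permission and other 4xx errors must surface.
  raise e unless e.code == 404
  false
end
```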
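--- a/data/lib/vault/provision/sys/auth.rb
+++ b/data/lib/vault/provision/sys/auth.rb
@@ -1,17 +1,14 @@
 # helps to enable authentication
 class Vault::Provision::Sys::Auth < Vault::Provision::Prototype
 def provision!
-#puts "files: #{repo_files}"
 auths = @vault.sys.auths
 
 change = []
 repo_files.each do |rf|
 path = rf[(repo_path.length + 1)..-6].to_sym
 r_conf = JSON.parse(File.read(rf))
-# puts "** found #{path}"
 
 next if auths[path]
-# puts "** processing #{path}"
 @vault.sys.enable_auth(path.to_s,
 r_conf['type'], r_conf['description'])
 change << @vault.sys.auths[path]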
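--- a/data/lib/vault/provision/sys.rb
+++ b/data/lib/vault/provision/sys.rb
@@ -25,7 +25,6 @@ class Vault::Provision::Sys::Mounts < Vault::Provision::Prototype
 
 rf_base = File.basename rf, '.json'
 next if SYSTEM_MOUNTS.include? rf_base
-# puts "** processing mount #{rf_base}"
 
 path = rf[(repo_path.length + 1)..-6].to_sym
 r_conf = JSON.parse(File.read(rf))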
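--- a/data/lib/vault/provision.rb
+++ b/data/lib/vault/provision.rb
@@ -13,18 +13,19 @@ require 'vault/provision/generic'
 class Vault::Provision
 SYSTEM_POLICIES = ['response-wrapping', 'root'].freeze
 
-attr_accessor :vault, :instance_dir,
+attr_accessor :vault, :instance_dir,
+:intermediate_issuer, :pki_allow_destructive
 
 def initialize instance_dir,
 address: ENV['VAULT_ADDR'],
 token: ENV['VAULT_TOKEN'],
 intermediate_issuer: {},
-
+pki_allow_destructive: false
 
 @instance_dir = instance_dir
 @vault = Vault::Client.new address: address, token: token
 @intermediate_issuer = intermediate_issuer
-@
+@pki_allow_destructive = pki_allow_destructive
 @handlers = [
 Sys::Auth,
 Auth::Ldap::Config,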
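Review bot: The two new accessors and the `pki_allow_destructive: false` keyword carry no documentation, and their contracts are only discoverable from other files: `intermediate_issuer` is looked up with `mount_point.to_sym` in intermediate/generate/internal, so it must map symbol intermediate-mount names to root-mount names (string keys silently miss), and `pki_allow_destructive` only gates key generation on mounts that `generated?` reports as having no CA. A YARD comment above the accessor line such as `# @return [Hash{Symbol=>String}] intermediate mount name => root mount that signs its CSR` and `# @return [Boolean] when false, PKI mounts without a CA are left untouched` would capture that; the word "destructive" is a little misleading for a flag that permits generating only where nothing exists, which the comment should spell out. Exposing both through `attr_accessor` rather than `attr_reader` lets them be flipped after construction, presumably unintended since `initialize` is the only assignment visible here. The class body continues past the hunk.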
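--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -26,7 +26,7 @@ def vault_server
 Process.kill :INT, server.pid
 end
 [:INT, :EXIT].each { |sig| trap(sig, cleanup) }
-puts "server is #{server.pid}"
+puts "server is PID #{server.pid}"
 sleep(1) # woo race condition! wait for server to start up
 server
 end
@@ -43,4 +43,6 @@ end
 @server = vault_server
 signatories = {'pki-intermediate': 'pki-root'}
 
-Vault::Provision.new(EXAMPLE_DIR,
+Vault::Provision.new(EXAMPLE_DIR,
+intermediate_issuer: signatories,
+pki_allow_destructive: true).provision!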
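Review bot: The provisioning call at the end of the second hunk passes `pki_allow_destructive: true` unconditionally, so the suite never exercises the default `false` path that the new guards in root/generate and intermediate/generate introduce; a second example that provisions with the default and asserts `ca/pem` stays absent (or unchanged) would cover the branch this release adds. The `signatories` hash uses `'pki-intermediate':` symbol keys, which matches the `to_sym` lookup in intermediate/generate/internal, but nothing here documents that string keys would not work, so a short comment on that line would help the next person editing the fixture. The `sleep(1)` race flagged in the first hunk's own comment remains; polling the server until it answers instead of sleeping would make startup deterministic.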
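--- a/data/spec/vault_provision_spec.rb
+++ b/data/spec/vault_provision_spec.rb
@@ -24,7 +24,7 @@ describe Vault::Provision do
 end
 
 it "has a CA" do
-expect(client.get('v1/pki-root/ca/pem')).to
+expect(client.get('v1/pki-root/ca/pem')).to include "BEGIN CERTIFICATE"
 end
 
 it "has pki-root config urls" do
@@ -36,7 +36,7 @@ describe Vault::Provision do
 end
 
 it "has pki-intermediate ca" do
-expect(client.get('v1/pki-intermediate/ca/pem')).to
+expect(client.get('v1/pki-intermediate/ca/pem')).to include "BEGIN CERTIFICATE"
 end
 
 it "has a dvcert role for intermediate" do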