vault-provision 0.1.10 → 0.1.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/VERSION +1 -1
- data/examples/basic/sys/audit/my_file.json +8 -0
- data/examples/basic/sys/audit/my_syslog.json +8 -0
- data/lib/vault/provision.rb +1 -0
- data/lib/vault/provision/sys.rb +1 -0
- data/lib/vault/provision/sys/audit.rb +27 -0
- data/spec/spec_helper.rb +6 -1
- data/spec/vault_provision_spec.rb +12 -0
- metadata +4 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 060598f1500adc483e0fbf393bf8e1c50b81f251
|
|
4
|
+
data.tar.gz: 6d3a8fc25c8e4f2083fe44bebfb7a15d4290443e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 11f2f509baf8dbbee5a1bbfb48cbed93a93bf7e32454224f13e9b0a2704437bdfc8dc3633aff7f930baa49f65a6254dd161963fd291b41ef4ae03990ddc525e7
|
|
7
|
+
data.tar.gz: f13d17d20092adf42a42a36aae968f96144801e0f114e0f5c3b7001e483127ffb6e8270001dec3a5e782e714974e41f4627880e38a8e8fb3da6b61336d5e612b
|
data/Gemfile.lock
CHANGED
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.1.
|
|
1
|
+
0.1.11
|
data/lib/vault/provision.rb
CHANGED
data/lib/vault/provision/sys.rb
CHANGED
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
# helps to enable auditing
|
|
2
|
+
class Vault::Provision::Sys::Audit < Vault::Provision::Prototype
|
|
3
|
+
def provision!
|
|
4
|
+
audits = @vault.sys.audits
|
|
5
|
+
|
|
6
|
+
change = []
|
|
7
|
+
repo_files.each do |rf|
|
|
8
|
+
validate_file! rf
|
|
9
|
+
path = rf[(repo_path.length + 1)..-6].to_sym
|
|
10
|
+
r_conf = JSON.parse(File.read(rf))
|
|
11
|
+
next unless backend_changed? audits[path], r_conf
|
|
12
|
+
|
|
13
|
+
@vault.sys.enable_audit(path.to_s,
|
|
14
|
+
r_conf['type'],
|
|
15
|
+
r_conf['description'],
|
|
16
|
+
r_conf['options'])
|
|
17
|
+
change << @vault.sys.audits[path]
|
|
18
|
+
end
|
|
19
|
+
change
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def backend_changed?(vault_conf, file_conf)
|
|
23
|
+
return true unless vault_conf
|
|
24
|
+
file_conf.each { |k, v| return true if v != vault_conf[k] }
|
|
25
|
+
false
|
|
26
|
+
end
|
|
27
|
+
end
|
data/spec/spec_helper.rb
CHANGED
|
@@ -9,6 +9,8 @@ require 'vcr'
|
|
|
9
9
|
DEV_VAULT_TOKEN = 'kittens'.freeze
|
|
10
10
|
DEV_VAULT_ADDR = 'http://127.0.0.1:8200'.freeze
|
|
11
11
|
EXAMPLE_DIR = "#{GEM_DIR}/examples/basic".freeze
|
|
12
|
+
AUDIT_LOG_PATH = "/tmp/my-vault-audit-test.log"
|
|
13
|
+
AUDIT_LOG_TAG = "my-vault-audit-tag"
|
|
12
14
|
|
|
13
15
|
ENV['VAULT_DEV_ROOT_TOKEN_ID'] = DEV_VAULT_TOKEN
|
|
14
16
|
ENV['VAULT_TOKEN'] = DEV_VAULT_TOKEN
|
|
@@ -34,6 +36,7 @@ VCR.configure do |config|
|
|
|
34
36
|
end
|
|
35
37
|
|
|
36
38
|
def vault_server
|
|
39
|
+
File.unlink(AUDIT_LOG_PATH) if File.exist?(AUDIT_LOG_PATH)
|
|
37
40
|
stdin, stdout, stderr, server = Open3.popen3('vault server -dev')
|
|
38
41
|
cleanup = lambda do |_|
|
|
39
42
|
stdin.close
|
|
@@ -41,7 +44,9 @@ def vault_server
|
|
|
41
44
|
stderr.close
|
|
42
45
|
Process.kill :INT, server.pid
|
|
43
46
|
end
|
|
44
|
-
[:INT, :EXIT].each
|
|
47
|
+
[:INT, :EXIT].each do |sig|
|
|
48
|
+
trap(sig, cleanup)
|
|
49
|
+
end
|
|
45
50
|
puts "server is PID #{server.pid}"
|
|
46
51
|
sleep(1) # woo race condition! wait for server to start up
|
|
47
52
|
server
|
|
@@ -162,4 +162,16 @@ describe Vault::Provision do
|
|
|
162
162
|
expect(last_used.user_name).to be
|
|
163
163
|
end
|
|
164
164
|
end
|
|
165
|
+
|
|
166
|
+
it "can create audit backends" do
|
|
167
|
+
resp = client.sys.audits
|
|
168
|
+
expect(resp[:my_file]).to be
|
|
169
|
+
expect(resp[:my_file].options[:file_path]).to be == AUDIT_LOG_PATH
|
|
170
|
+
expect(resp[:my_file].description).to be == 'my file-based audit backend'
|
|
171
|
+
expect(File.exist?(AUDIT_LOG_PATH)).to be true
|
|
172
|
+
|
|
173
|
+
expect(resp[:my_syslog]).to be
|
|
174
|
+
expect(resp[:my_syslog].options[:tag]).to be == AUDIT_LOG_TAG
|
|
175
|
+
expect(resp[:my_syslog].options[:facility]).to be == "LPR"
|
|
176
|
+
end
|
|
165
177
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: vault-provision
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.11
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tom Maher
|
|
@@ -130,6 +130,8 @@ files:
|
|
|
130
130
|
- examples/basic/secret/bar/bad.json
|
|
131
131
|
- examples/basic/secret/baz/yummy.json
|
|
132
132
|
- examples/basic/secret/foo/good.json
|
|
133
|
+
- examples/basic/sys/audit/my_file.json
|
|
134
|
+
- examples/basic/sys/audit/my_syslog.json
|
|
133
135
|
- examples/basic/sys/auth.json
|
|
134
136
|
- examples/basic/sys/auth/.keep
|
|
135
137
|
- examples/basic/sys/auth/approle.json
|
|
@@ -178,6 +180,7 @@ files:
|
|
|
178
180
|
- lib/vault/provision/prototype.rb
|
|
179
181
|
- lib/vault/provision/secret.rb
|
|
180
182
|
- lib/vault/provision/sys.rb
|
|
183
|
+
- lib/vault/provision/sys/audit.rb
|
|
181
184
|
- lib/vault/provision/sys/auth.rb
|
|
182
185
|
- lib/vault/provision/sys/policy.rb
|
|
183
186
|
- lib/vault_provision.rb
|