vault-provision 0.1.10 → 0.1.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5e853aa8d1f672f7323191fec012d953f54e0e30
-  data.tar.gz: d9d5e22bc0066d78d97dda39429d0c36608fb305
+  metadata.gz: 060598f1500adc483e0fbf393bf8e1c50b81f251
+  data.tar.gz: 6d3a8fc25c8e4f2083fe44bebfb7a15d4290443e
 SHA512:
-  metadata.gz: 7d275b1ac8383c2937bc8e581e40590afe69e3a8ac824e32c197b41cb6ffdeb161ac5051dbe13ceba3ed6663994d4e1401de30539369dd1ece26680c489883f7
-  data.tar.gz: 3d214478286d2cf4a938b1bdf380caff38e3031ceb5a13e07c72de9998bcd2863790ad34ff863e620dec595aab00137b4548f16499e0c5b72bfeb8be6e3ff249
+  metadata.gz: 11f2f509baf8dbbee5a1bbfb48cbed93a93bf7e32454224f13e9b0a2704437bdfc8dc3633aff7f930baa49f65a6254dd161963fd291b41ef4ae03990ddc525e7
+  data.tar.gz: f13d17d20092adf42a42a36aae968f96144801e0f114e0f5c3b7001e483127ffb6e8270001dec3a5e782e714974e41f4627880e38a8e8fb3da6b61336d5e612b

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    vault-provision (0.1.8)
+    vault-provision (0.1.11)
       activesupport (~> 5.0, >= 5.0.2)
       rhcl (~> 0.1.0)
       vault (~> 0.10)

data/VERSION

@@ -1 +1 @@
-0.1.10
+0.1.11

data/examples/basic/sys/audit/my_file.json

@@ -0,0 +1,8 @@
+{
+  "type": "file",
+  "description": "my file-based audit backend",
+  "options": {
+    "file_path": "/tmp/my-vault-audit-test.log",
+    "mode": "0644"
+  }
+}

data/examples/basic/sys/audit/my_syslog.json

@@ -0,0 +1,8 @@
+{
+  "type": "syslog",
+  "description": "my syslog audit backend",
+  "options": {
+    "facility": "LPR",
+    "tag": "vault-provision-testing"
+  }
+}

data/lib/vault/provision.rb

@@ -31,6 +31,7 @@ class Vault::Provision
     @intermediate_issuer = intermediate_issuer
     @pki_allow_destructive = pki_allow_destructive
     @handlers = [
+      Sys::Audit,
       Sys::Auth,
       Auth::Ldap::Config,
       Sys::Mounts,

data/lib/vault/provision/sys.rb

@@ -2,6 +2,7 @@ require 'find'
 
 # systems backend provisioning
 class Vault::Provision::Sys; end
+require 'vault/provision/sys/audit'
 require 'vault/provision/sys/auth'
 require 'vault/provision/sys/policy'
 

data/lib/vault/provision/sys/audit.rb

@@ -0,0 +1,27 @@
+# helps to enable auditing
+class Vault::Provision::Sys::Audit < Vault::Provision::Prototype
+  def provision!
+    audits = @vault.sys.audits
+
+    change = []
+    repo_files.each do |rf|
+      validate_file! rf
+      path = rf[(repo_path.length + 1)..-6].to_sym
+      r_conf = JSON.parse(File.read(rf))
+      next unless backend_changed? audits[path], r_conf
+
+      @vault.sys.enable_audit(path.to_s,
+                              r_conf['type'],
+                              r_conf['description'],
+                              r_conf['options'])
+      change << @vault.sys.audits[path]
+    end
+    change
+  end
+
+  def backend_changed?(vault_conf, file_conf)
+    return true unless vault_conf
+    file_conf.each { |k, v| return true if v != vault_conf[k] }
+    false
+  end
+end

data/spec/spec_helper.rb

@@ -9,6 +9,8 @@ require 'vcr'
 DEV_VAULT_TOKEN                = 'kittens'.freeze
 DEV_VAULT_ADDR                 = 'http://127.0.0.1:8200'.freeze
 EXAMPLE_DIR                    = "#{GEM_DIR}/examples/basic".freeze
+AUDIT_LOG_PATH                 = "/tmp/my-vault-audit-test.log"
+AUDIT_LOG_TAG                  = "my-vault-audit-tag"
 
 ENV['VAULT_DEV_ROOT_TOKEN_ID'] = DEV_VAULT_TOKEN
 ENV['VAULT_TOKEN']             = DEV_VAULT_TOKEN
@@ -34,6 +36,7 @@ VCR.configure do |config|
 end
 
 def vault_server
+  File.unlink(AUDIT_LOG_PATH) if File.exist?(AUDIT_LOG_PATH)
   stdin, stdout, stderr, server = Open3.popen3('vault server -dev')
   cleanup = lambda do |_|
     stdin.close
@@ -41,7 +44,9 @@ def vault_server
     stderr.close
     Process.kill :INT, server.pid
   end
-  [:INT, :EXIT].each { |sig| trap(sig, cleanup) }
+  [:INT, :EXIT].each do |sig|
+    trap(sig, cleanup)
+  end
   puts "server is PID #{server.pid}"
   sleep(1) # woo race condition! wait for server to start up
   server

data/spec/vault_provision_spec.rb

@@ -162,4 +162,16 @@ describe Vault::Provision do
       expect(last_used.user_name).to be
     end
   end
+
+  it "can create audit backends" do
+    resp = client.sys.audits
+    expect(resp[:my_file]).to be
+    expect(resp[:my_file].options[:file_path]).to be == AUDIT_LOG_PATH
+    expect(resp[:my_file].description).to be == 'my file-based audit backend'
+    expect(File.exist?(AUDIT_LOG_PATH)).to be true
+
+    expect(resp[:my_syslog]).to be
+    expect(resp[:my_syslog].options[:tag]).to be == AUDIT_LOG_TAG
+    expect(resp[:my_syslog].options[:facility]).to be == "LPR"
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: vault-provision
 version: !ruby/object:Gem::Version
-  version: 0.1.10
+  version: 0.1.11
 platform: ruby
 authors:
 - Tom Maher
@@ -130,6 +130,8 @@ files:
 - examples/basic/secret/bar/bad.json
 - examples/basic/secret/baz/yummy.json
 - examples/basic/secret/foo/good.json
+- examples/basic/sys/audit/my_file.json
+- examples/basic/sys/audit/my_syslog.json
 - examples/basic/sys/auth.json
 - examples/basic/sys/auth/.keep
 - examples/basic/sys/auth/approle.json
@@ -178,6 +180,7 @@ files:
 - lib/vault/provision/prototype.rb
 - lib/vault/provision/secret.rb
 - lib/vault/provision/sys.rb
+- lib/vault/provision/sys/audit.rb
 - lib/vault/provision/sys/auth.rb
 - lib/vault/provision/sys/policy.rb
 - lib/vault_provision.rb