vault-provision 0.1.11 → 0.1.12
- checksums.yaml +4 -4
- data/Gemfile.lock +2 -2
- data/VERSION +1 -1
- data/examples/audit-change/sys/audit/my_file.json +8 -0
- data/examples/audit-change/sys/audit/my_syslog.json +8 -0
- data/examples/basic/sys/audit/my_syslog.json +1 -1
- data/lib/vault/provision.rb +2 -0
- data/lib/vault/provision/auth/ldap/groups.rb +3 -1
- data/lib/vault/provision/prototype.rb +1 -0
- data/lib/vault/provision/sys.rb +1 -0
- data/lib/vault/provision/sys/audit.rb +20 -7
- data/lib/vault/provision/sys/policy.rb +1 -0
- data/spec/spec_helper.rb +2 -0
- data/spec/vault_provision_spec.rb +6 -0
- metadata +4 -2
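--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a7cbddb546570293e5d52694169538c7bd187304
+data.tar.gz: 918e87a4e02fe5fed0360925e81c6a57e13b8f15
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2b38e074717f06ad42c0f42311a947506ac70358476f652a088563aa33128338d8a2e8ae15741497c3ab2eb4b5dc326fbb03e90689b0d7481a46f3243e6c934d
+data.tar.gz: 5db926b27d09d029065c95c3ed68b21ac8eab8caa5c0ea5ede709086e2278f6fef024bb8c5095f7484b05af08a3d24d6cdaa1682d3ec82825205a4fbe2a6f801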
data/Gemfile.lock
CHANGED
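--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.1.
+0.1.12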
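--- a/data/lib/vault/provision/auth/ldap/groups.rb
+++ b/data/lib/vault/provision/auth/ldap/groups.rb
@@ -1,7 +1,9 @@
 # placeholder
 class Vault::Provision::Auth::Ldap::Groups < Vault::Provision::Prototype
 def group_files auth_point
-
+groups_path = "#{@instance_dir}/auth/#{auth_point}/groups/"
+return [] unless Dir.exist? groups_path
+Find.find(groups_path).select do |rf|
 FileTest.file?(rf) && rf.end_with?('.json')
 end
 end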
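Review bot: The new guard `return [] unless Dir.exist? groups_path` turns a missing or misspelled `auth/<auth_point>/groups/` directory into a silent no-op, so a typo in the repo layout provisions no LDAP groups without any indication; the same applies to the `return change unless Dir.exist?(repo_path)` guard added to Sys::Mounts in sys.rb. Since the class already reports progress with `puts` elsewhere in this gem, a one-line notice before returning would make the skip visible, e.g. `puts " * no groups directory for #{auth_point}, skipping"`. Note that this hunk's content (`class Vault::Provision::Auth::Ldap::Groups`) matches the diffstat entry for `data/lib/vault/provision/auth/ldap/groups.rb` rather than the provision.rb header the page shows above it, and the removed old line 4 is rendered empty on this page, so the exact pre-change line cannot be read here.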
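--- a/data/lib/vault/provision/sys.rb
+++ b/data/lib/vault/provision/sys.rb
@@ -20,6 +20,7 @@ class Vault::Provision::Sys::Mounts < Vault::Provision::Prototype
 
 repo_path = "#{@instance_dir}/sys/mounts"
 change = []
+return change unless Dir.exist?(repo_path)
 Find.find(repo_path).each do |rf|
 next unless rf.end_with?('.json')
 next if rf.end_with?('/tune.json')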
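--- a/data/lib/vault/provision/sys/audit.rb
+++ b/data/lib/vault/provision/sys/audit.rb
@@ -1,27 +1,40 @@
 # helps to enable auditing
 class Vault::Provision::Sys::Audit < Vault::Provision::Prototype
 def provision!
-audits = @vault.sys.audits
-
 change = []
 repo_files.each do |rf|
+audits = @vault.sys.audits
 validate_file! rf
-path = rf[(repo_path.length + 1)..-6]
+path = rf[(repo_path.length + 1)..-6]
 r_conf = JSON.parse(File.read(rf))
-next unless backend_changed? audits[path], r_conf
+next unless backend_changed? audits[path.to_sym], r_conf
+
+# API only lets you delete & re-create audit backends
+# No upcerts allowed :(
+if backend_exists?(path)
+puts " * #{path} changed, disabling for update"
+@vault.sys.disable_audit(path)
+end
 
-
+puts " * #{path} enabled"
+@vault.sys.enable_audit(path,
 r_conf['type'],
 r_conf['description'],
 r_conf['options'])
-change << @vault.sys.audits[path]
+change << @vault.sys.audits[path.to_sym]
 end
 change
 end
 
 def backend_changed?(vault_conf, file_conf)
 return true unless vault_conf
-file_conf.each
+file_conf.deep_symbolize_keys.each do |k, v|
+return true if v != vault_conf.to_h[k]
+end
 false
 end
+
+def backend_exists?(path)
+!@vault.sys.audits[path.to_sym].nil?
+end
 end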
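Review bot: Between `@vault.sys.disable_audit(path)` and the `@vault.sys.enable_audit(...)` call that follows it there is no audit device for `path`, and if `enable_audit` raises (for instance because the repo file's `type` or `options` are rejected by Vault) the loop aborts with the device still disabled, so a bad repo file silently removes audit logging rather than leaving the previous configuration in place. Capturing the existing entry from `audits[path.to_sym]` before disabling and re-enabling it in a `rescue` that re-raises keeps the failure loud without leaving auditing off; this also removes the need for `backend_exists?`, which issues a second `sys.audits` round trip for data the loop already fetched. `deep_symbolize_keys` in `backend_changed?` is an ActiveSupport core extension rather than core Ruby, and no `require` for it appears in this diff, so please confirm a loaded dependency provides it or use a local recursive helper. The comparison `v != vault_conf.to_h[k]` only walks keys present in the file, so a key that exists in Vault but not in the repo file is not treated as a change; worth a comment on `backend_changed?` stating that the repo file is the authority only for the keys it names. On this page the removed old lines 5 and 13 render empty, so their original content cannot be read here.
```ruby
# … unchanged: validate_file!, path, r_conf, backend_changed? check …
previous = audits[path.to_sym]
# API only lets you delete & re-create audit backends
if previous
  puts " * #{path} changed, disabling for update"
  @vault.sys.disable_audit(path)
end

begin
  puts " * #{path} enabled"
  @vault.sys.enable_audit(path,
                          r_conf['type'],
                          r_conf['description'],
                          r_conf['options'])
rescue StandardError
  # restore the previous device so a rejected repo file does not leave auditing off
  @vault.sys.enable_audit(path, *previous.to_h.values_at(:type, :description, :options)) if previous
  raise
end
change << @vault.sys.audits[path.to_sym]
# … unchanged: end of loop, change, backend_changed? …
```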
|
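--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -9,7 +9,9 @@ require 'vcr'
 DEV_VAULT_TOKEN = 'kittens'.freeze
 DEV_VAULT_ADDR = 'http://127.0.0.1:8200'.freeze
 EXAMPLE_DIR = "#{GEM_DIR}/examples/basic".freeze
+EXAMPLE_AUDIT_DIR = "#{GEM_DIR}/examples/audit-change".freeze
 AUDIT_LOG_PATH = "/tmp/my-vault-audit-test.log"
+ALT_AUDIT_LOG_PATH = "/tmp/my-vault-alt-audit-test.log"
 AUDIT_LOG_TAG = "my-vault-audit-tag"
 
 ENV['VAULT_DEV_ROOT_TOKEN_ID'] = DEV_VAULT_TOKEN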
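Review bot: `ALT_AUDIT_LOG_PATH = "/tmp/my-vault-alt-audit-test.log"` is a fixed, predictable name in a shared world-writable directory that the dev Vault server then writes audit records to, and unlike the neighbouring `EXAMPLE_AUDIT_DIR` it is not frozen; a per-run directory from `Dir.mktmpdir` would avoid collisions with other users or stale runs on the same host. The `file_path` is presumably also hard-coded in `examples/audit-change/sys/audit/my_file.json`, so switching to a temporary path would mean templating that fixture, which is why the minimal change here is `ALT_AUDIT_LOG_PATH = "/tmp/my-vault-alt-audit-test.log".freeze` plus a comment noting that the value must match the fixture's `file_path`.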
|
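--- a/data/spec/vault_provision_spec.rb
+++ b/data/spec/vault_provision_spec.rb
@@ -173,5 +173,11 @@ describe Vault::Provision do
 expect(resp[:my_syslog]).to be
 expect(resp[:my_syslog].options[:tag]).to be == AUDIT_LOG_TAG
 expect(resp[:my_syslog].options[:facility]).to be == "LPR"
+
+# File.unlink(AUDIT_LOG_PATH)
+Vault::Provision.new(EXAMPLE_AUDIT_DIR).provision!
+resp = client.sys.audits
+expect(resp[:my_file].options[:file_path]).to be == ALT_AUDIT_LOG_PATH
+expect(File.exist?(ALT_AUDIT_LOG_PATH)).to be true
 end
 end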
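Review bot: The commented-out `# File.unlink(AUDIT_LOG_PATH)` is dead code that hints at cleanup which never happens, so every run leaves both audit logs behind in `/tmp` and a stale `ALT_AUDIT_LOG_PATH` from an earlier run would let `expect(File.exist?(ALT_AUDIT_LOG_PATH)).to be true` pass even if the re-enable did nothing. Removing the commented line and deleting both files in an `after` hook (e.g. `File.unlink(ALT_AUDIT_LOG_PATH) if File.exist?(ALT_AUDIT_LOG_PATH)`) would make the assertion meaningful; the `File.exist?` check also presumes the Vault server writes to the same filesystem as the spec, which holds for the dev server on 127.0.0.1 but deserves a comment. The enclosing example and `describe` block begin outside this hunk.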
|
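--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vault-provision
 version: !ruby/object:Gem::Version
-version: 0.1.
+version: 0.1.12
 platform: ruby
 authors:
 - Tom Maher
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-08-
+date: 2017-08-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -101,6 +101,8 @@ files:
 - Rakefile
 - VERSION
 - bin/vault-provision
+- examples/audit-change/sys/audit/my_file.json
+- examples/audit-change/sys/audit/my_syslog.json
 - examples/basic/auth/.keep
 - examples/basic/auth/approle/role/backends.json
 - examples/basic/auth/approle/role/frontends.json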