vault-provision 0.1.11 → 0.1.12

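--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 060598f1500adc483e0fbf393bf8e1c50b81f251
-data.tar.gz: 6d3a8fc25c8e4f2083fe44bebfb7a15d4290443e
+metadata.gz: a7cbddb546570293e5d52694169538c7bd187304
+data.tar.gz: 918e87a4e02fe5fed0360925e81c6a57e13b8f15
 SHA512:
-metadata.gz: 11f2f509baf8dbbee5a1bbfb48cbed93a93bf7e32454224f13e9b0a2704437bdfc8dc3633aff7f930baa49f65a6254dd161963fd291b41ef4ae03990ddc525e7
-data.tar.gz: f13d17d20092adf42a42a36aae968f96144801e0f114e0f5c3b7001e483127ffb6e8270001dec3a5e782e714974e41f4627880e38a8e8fb3da6b61336d5e612b
+metadata.gz: 2b38e074717f06ad42c0f42311a947506ac70358476f652a088563aa33128338d8a2e8ae15741497c3ab2eb4b5dc326fbb03e90689b0d7481a46f3243e6c934d
+data.tar.gz: 5db926b27d09d029065c95c3ed68b21ac8eab8caa5c0ea5ede709086e2278f6fef024bb8c5095f7484b05af08a3d24d6cdaa1682d3ec82825205a4fbe2a6f801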
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- vault-provision (0.1.11)
4
+ vault-provision (0.1.12)
5
5
  activesupport (~> 5.0, >= 5.0.2)
6
6
  rhcl (~> 0.1.0)
7
7
  vault (~> 0.10)
@@ -97,4 +97,4 @@ DEPENDENCIES
97
97
  webmock (~> 3.0.1)
98
98
 
99
99
  BUNDLED WITH
100
- 1.15.1
100
+ 1.15.3
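--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.1.11
+0.1.12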
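--- /dev/null
+++ b/examples/audit-change/sys/audit/my_file.json
@@ -0,0 +1,8 @@
+{
+"type": "file",
+"description": "my file-based audit backend",
+"options": {
+"file_path": "/tmp/my-vault-alt-audit-test.log",
+"mode": "0644"
+}
+}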
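--- /dev/null
+++ b/examples/audit-change/sys/audit/my_syslog.json
@@ -0,0 +1,8 @@
+{
+"type": "syslog",
+"description": "my syslog audit backend",
+"options": {
+"facility": "LPR",
+"tag": "my-vault-audit-tag"
+}
+}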
@@ -3,6 +3,6 @@
3
3
  "description": "my syslog audit backend",
4
4
  "options": {
5
5
  "facility": "LPR",
6
- "tag": "vault-provision-testing"
6
+ "tag": "my-vault-audit-tag"
7
7
  }
8
8
  }
@@ -1,4 +1,6 @@
1
1
  require 'vault'
2
+ require 'active_support'
3
+ require 'active_support/core_ext'
2
4
  require 'active_support/inflector'
3
5
 
4
6
  class Vault::Provision; end
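Review bot: The new `require 'active_support/core_ext'` pulls in every ActiveSupport core extension, while the only one the Audit hunk visibly relies on is `Hash#deep_symbolize_keys`; the narrower `require 'active_support/core_ext/hash/keys'` loads just that and keeps the set of monkey-patched core classes small. `require 'active_support'` on the line above does not load the core extensions by itself, so the narrower require still belongs after it. If other extensions are used elsewhere in the gem, a short comment next to the require naming them would tell the next reader why the broad load is needed.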
@@ -1,7 +1,9 @@
1
1
  # placeholder
2
2
  class Vault::Provision::Auth::Ldap::Groups < Vault::Provision::Prototype
3
3
  def group_files auth_point
4
- Find.find("#{@instance_dir}/auth/#{auth_point}/groups/").select do |rf|
4
+ groups_path = "#{@instance_dir}/auth/#{auth_point}/groups/"
5
+ return [] unless Dir.exist? groups_path
6
+ Find.find(groups_path).select do |rf|
5
7
  FileTest.file?(rf) && rf.end_with?('.json')
6
8
  end
7
9
  end
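Review bot: The added guard `return [] unless Dir.exist? groups_path` is the right check for a directory root, but it drops the parentheses that the sibling Mounts hunk uses (`Dir.exist?(repo_path)`); `return [] unless Dir.exist?(groups_path)` and `def group_files(auth_point)` would match the parenthesised style the rest of the change follows. `auth_point` is interpolated into a filesystem path with no check here — presumably it is derived from directory names already read under `@instance_dir` rather than supplied by an external caller, which is worth confirming and stating in a one-line comment on the method.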
@@ -22,6 +22,7 @@ class Vault::Provision::Prototype
22
22
  end
23
23
 
24
24
  def repo_files
25
+ return [] unless File.exist? repo_path
25
26
  Find.find(repo_path).select { |rf| rf.end_with?('.json') }
26
27
  end
27
28
 
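Review bot: `File.exist? repo_path` on the added guard is also true for a regular file at that path, so a stray file named like the repo root passes the guard and `Find.find` on the next line then yields that file itself instead of a tree; `return [] unless Dir.exist?(repo_path)` is the precise check and is what the Groups and Mounts hunks use. The identical guard added in the Policy `repo_files` hunk has the same issue. A one-line comment such as `# JSON files under this class's repo root; empty when the directory is absent` would document the new empty-return case for callers.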
@@ -20,6 +20,7 @@ class Vault::Provision::Sys::Mounts < Vault::Provision::Prototype
20
20
 
21
21
  repo_path = "#{@instance_dir}/sys/mounts"
22
22
  change = []
23
+ return change unless Dir.exist?(repo_path)
23
24
  Find.find(repo_path).each do |rf|
24
25
  next unless rf.end_with?('.json')
25
26
  next if rf.end_with?('/tune.json')
@@ -1,27 +1,40 @@
1
1
  # helps to enable auditing
2
2
  class Vault::Provision::Sys::Audit < Vault::Provision::Prototype
3
3
  def provision!
4
- audits = @vault.sys.audits
5
-
6
4
  change = []
7
5
  repo_files.each do |rf|
6
+ audits = @vault.sys.audits
8
7
  validate_file! rf
9
- path = rf[(repo_path.length + 1)..-6].to_sym
8
+ path = rf[(repo_path.length + 1)..-6]
10
9
  r_conf = JSON.parse(File.read(rf))
11
- next unless backend_changed? audits[path], r_conf
10
+ next unless backend_changed? audits[path.to_sym], r_conf
11
+
12
+ # API only lets you delete & re-create audit backends
13
+ # No upcerts allowed :(
14
+ if backend_exists?(path)
15
+ puts " * #{path} changed, disabling for update"
16
+ @vault.sys.disable_audit(path)
17
+ end
12
18
 
13
- @vault.sys.enable_audit(path.to_s,
19
+ puts " * #{path} enabled"
20
+ @vault.sys.enable_audit(path,
14
21
  r_conf['type'],
15
22
  r_conf['description'],
16
23
  r_conf['options'])
17
- change << @vault.sys.audits[path]
24
+ change << @vault.sys.audits[path.to_sym]
18
25
  end
19
26
  change
20
27
  end
21
28
 
22
29
  def backend_changed?(vault_conf, file_conf)
23
30
  return true unless vault_conf
24
- file_conf.each { |k, v| return true if v != vault_conf[k] }
31
+ file_conf.deep_symbolize_keys.each do |k, v|
32
+ return true if v != vault_conf.to_h[k]
33
+ end
25
34
  false
26
35
  end
36
+
37
+ def backend_exists?(path)
38
+ !@vault.sys.audits[path.to_sym].nil?
39
+ end
27
40
  end
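Review bot: The disable/enable sequence introduced at `if backend_exists?(path)` is not atomic: once `disable_audit(path)` has returned, any failure in the following `enable_audit` call (rejected options, Vault error, transport error) raises out of `provision!` with the audit backend gone and nothing in the output saying so, so a failed run ends with less auditing than it started with. Rescuing around `enable_audit` to report that state before re-raising keeps the gap from being silent; restoring the previous configuration from `audits[path.to_sym]`, which is still in hand at that point, would be the stronger fix. Separately, `@vault.sys.audits` is now fetched three times per file (the loop head, `backend_exists?`, and the `change <<` line); the `audits` listing from the loop head can serve `backend_exists?`, and only the final read needs a fresh listing. In `backend_changed?` only keys present in the file are compared, so a key removed from the file never registers as a change — presumably intended, but worth a comment on the method.
```ruby
      # … unchanged: validate_file!, backend_changed? check, backend_exists? / disable_audit block …
      puts " * #{path} enabled"
      begin
        @vault.sys.enable_audit(path,
                                r_conf['type'],
                                r_conf['description'],
                                r_conf['options'])
      rescue StandardError
        # disable_audit has already run by this point: report the state
        # explicitly before propagating so the gap is visible in the run
        # output and not only in the backtrace.
        warn " ! #{path}: enable_audit failed after disable; audit backend is currently not enabled"
        raise
      end
      change << @vault.sys.audits[path.to_sym]
```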
@@ -1,6 +1,7 @@
1
1
  # for rubocop, this comment is a matter of policy
2
2
  class Vault::Provision::Sys::Policy < Vault::Provision::Prototype
3
3
  def repo_files
4
+ return [] unless File.exist? repo_path
4
5
  Find.find(repo_path).select { |rf| rf.end_with?('.json', '.hcl') }
5
6
  end
6
7
 
@@ -9,7 +9,9 @@ require 'vcr'
9
9
  DEV_VAULT_TOKEN = 'kittens'.freeze
10
10
  DEV_VAULT_ADDR = 'http://127.0.0.1:8200'.freeze
11
11
  EXAMPLE_DIR = "#{GEM_DIR}/examples/basic".freeze
12
+ EXAMPLE_AUDIT_DIR = "#{GEM_DIR}/examples/audit-change".freeze
12
13
  AUDIT_LOG_PATH = "/tmp/my-vault-audit-test.log"
14
+ ALT_AUDIT_LOG_PATH = "/tmp/my-vault-alt-audit-test.log"
13
15
  AUDIT_LOG_TAG = "my-vault-audit-tag"
14
16
 
15
17
  ENV['VAULT_DEV_ROOT_TOKEN_ID'] = DEV_VAULT_TOKEN
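Review bot: The new `ALT_AUDIT_LOG_PATH` is a bare string literal while `EXAMPLE_AUDIT_DIR` directly above and the other path constants are frozen; `ALT_AUDIT_LOG_PATH = '/tmp/my-vault-alt-audit-test.log'.freeze` keeps the constants consistent (the unchanged `AUDIT_LOG_PATH` context line has the same omission). The value has to stay in step with `file_path` in examples/audit-change/sys/audit/my_file.json, and nothing enforces that; a comment on the constant pointing at that file would save the next person a search.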
@@ -173,5 +173,11 @@ describe Vault::Provision do
173
173
  expect(resp[:my_syslog]).to be
174
174
  expect(resp[:my_syslog].options[:tag]).to be == AUDIT_LOG_TAG
175
175
  expect(resp[:my_syslog].options[:facility]).to be == "LPR"
176
+
177
+ # File.unlink(AUDIT_LOG_PATH)
178
+ Vault::Provision.new(EXAMPLE_AUDIT_DIR).provision!
179
+ resp = client.sys.audits
180
+ expect(resp[:my_file].options[:file_path]).to be == ALT_AUDIT_LOG_PATH
181
+ expect(File.exist?(ALT_AUDIT_LOG_PATH)).to be true
176
182
  end
177
183
  end
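Review bot: The assertions added after the second `provision!` only check the re-created `my_file` backend; nothing verifies that `my_syslog`, which the audit-change example appears to supply with the same description, facility and tag as the basic example, was left alone rather than disabled and re-enabled. Adding `expect(resp[:my_syslog].options[:tag]).to be == AUDIT_LOG_TAG` after the second `client.sys.audits` call would exercise the unchanged-backend path of `backend_changed?`. The commented-out `# File.unlink(AUDIT_LOG_PATH)` should either be made live or removed, and the file checked by `File.exist?(ALT_AUDIT_LOG_PATH)` is never cleaned up afterwards. The enclosing `it` and `describe` blocks start outside this hunk.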
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: vault-provision
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.11
4
+ version: 0.1.12
5
5
  platform: ruby
6
6
  authors:
7
7
  - Tom Maher
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-08-04 00:00:00.000000000 Z
11
+ date: 2017-08-10 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -101,6 +101,8 @@ files:
101
101
  - Rakefile
102
102
  - VERSION
103
103
  - bin/vault-provision
104
+ - examples/audit-change/sys/audit/my_file.json
105
+ - examples/audit-change/sys/audit/my_syslog.json
104
106
  - examples/basic/auth/.keep
105
107
  - examples/basic/auth/approle/role/backends.json
106
108
  - examples/basic/auth/approle/role/frontends.json