vault-provision 0.1.11 → 0.1.12

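--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 060598f1500adc483e0fbf393bf8e1c50b81f251
-data.tar.gz: 6d3a8fc25c8e4f2083fe44bebfb7a15d4290443e
+metadata.gz: a7cbddb546570293e5d52694169538c7bd187304
+data.tar.gz: 918e87a4e02fe5fed0360925e81c6a57e13b8f15
 SHA512:
-metadata.gz: 11f2f509baf8dbbee5a1bbfb48cbed93a93bf7e32454224f13e9b0a2704437bdfc8dc3633aff7f930baa49f65a6254dd161963fd291b41ef4ae03990ddc525e7
-data.tar.gz: f13d17d20092adf42a42a36aae968f96144801e0f114e0f5c3b7001e483127ffb6e8270001dec3a5e782e714974e41f4627880e38a8e8fb3da6b61336d5e612b
+metadata.gz: 2b38e074717f06ad42c0f42311a947506ac70358476f652a088563aa33128338d8a2e8ae15741497c3ab2eb4b5dc326fbb03e90689b0d7481a46f3243e6c934d
+data.tar.gz: 5db926b27d09d029065c95c3ed68b21ac8eab8caa5c0ea5ede709086e2278f6fef024bb8c5095f7484b05af08a3d24d6cdaa1682d3ec82825205a4fbe2a6f801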
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- vault-provision (0.1.11)
4
+ vault-provision (0.1.12)
5
5
  activesupport (~> 5.0, >= 5.0.2)
6
6
  rhcl (~> 0.1.0)
7
7
  vault (~> 0.10)
@@ -97,4 +97,4 @@ DEPENDENCIES
97
97
  webmock (~> 3.0.1)
98
98
 
99
99
  BUNDLED WITH
100
- 1.15.1
100
+ 1.15.3
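--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.1.11
+0.1.12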
@@ -0,0 +1,8 @@
1
+ {
2
+ "type": "file",
3
+ "description": "my file-based audit backend",
4
+ "options": {
5
+ "file_path": "/tmp/my-vault-alt-audit-test.log",
6
+ "mode": "0644"
7
+ }
8
+ }
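Review bot: The example file audit device is configured to write a world-readable log into the shared temp directory (`"file_path": "/tmp/my-vault-alt-audit-test.log"` together with `"mode": "0644"`). As a fixture that the spec drives against a dev-mode Vault this is harmless, but it is shipped under `examples/` and will be copied: audit entries record request paths, token accessors and client identity, so the pattern to show is `"mode": "0600"` and a path in a directory only the Vault process can write to, not `/tmp`, where a pre-existing file or symlink of the same name is under another user's control.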
@@ -0,0 +1,8 @@
1
+ {
2
+ "type": "syslog",
3
+ "description": "my syslog audit backend",
4
+ "options": {
5
+ "facility": "LPR",
6
+ "tag": "my-vault-audit-tag"
7
+ }
8
+ }
@@ -3,6 +3,6 @@
3
3
  "description": "my syslog audit backend",
4
4
  "options": {
5
5
  "facility": "LPR",
6
- "tag": "vault-provision-testing"
6
+ "tag": "my-vault-audit-tag"
7
7
  }
8
8
  }
@@ -1,4 +1,6 @@
1
1
  require 'vault'
2
+ require 'active_support'
3
+ require 'active_support/core_ext'
2
4
  require 'active_support/inflector'
3
5
 
4
6
  class Vault::Provision; end
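Review bot: `require 'active_support/core_ext'` on the added line loads every ActiveSupport core extension (monkey patches on String, Hash, Object, Time, Numeric, …) into a library that, as far as this release shows, only needs `Hash#deep_symbolize_keys` for the audit comparison. Requiring the narrow file keeps the gem's load time and footprint down and avoids leaking those extensions into whatever application embeds `vault-provision`: `require 'active_support/core_ext/hash/keys'`. The preceding `require 'active_support'` can stay; it is cheap and keeps the inflector require that follows working.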
@@ -1,7 +1,9 @@
1
1
  # placeholder
2
2
  class Vault::Provision::Auth::Ldap::Groups < Vault::Provision::Prototype
3
3
  def group_files auth_point
4
- Find.find("#{@instance_dir}/auth/#{auth_point}/groups/").select do |rf|
4
+ groups_path = "#{@instance_dir}/auth/#{auth_point}/groups/"
5
+ return [] unless Dir.exist? groups_path
6
+ Find.find(groups_path).select do |rf|
5
7
  FileTest.file?(rf) && rf.end_with?('.json')
6
8
  end
7
9
  end
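Review bot: The `return [] unless Dir.exist? groups_path` guard turns a missing directory into an empty result, which also swallows a mistyped `auth_point` or a `groups/` tree placed one level off: provisioning for that auth point now silently does nothing where it used to fail with an `Errno::ENOENT` from `Find.find`. If that is the intent, say so next to the guard, `# an auth point with no groups/ tree is valid and simply has nothing to provision`; if not, at least report the skipped path the way audit.rb reports its actions with `puts`. The `Dir.exist?` check matches the guard added to mounts.rb in this release; the one added to prototype.rb uses `File.exist?` for the same purpose.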
@@ -22,6 +22,7 @@ class Vault::Provision::Prototype
22
22
  end
23
23
 
24
24
  def repo_files
25
+ return [] unless File.exist? repo_path
25
26
  Find.find(repo_path).select { |rf| rf.end_with?('.json') }
26
27
  end
27
28
 
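Review bot: `File.exist? repo_path` on the added line is also true when `repo_path` is a regular file rather than a directory, in which case `Find.find` yields that single path instead of a tree; `Dir.exist?` is the check the other guards introduced in this release (sys/mounts.rb, auth/ldap/groups.rb) use, so `return [] unless Dir.exist? repo_path` keeps the three consistent and tighter. A one-line comment on why a missing tree is tolerated, `# a repo with no files for this section is valid, not an error`, would also help, since the old behaviour was to raise. `repo_path` and the class header are defined outside the hunk.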
@@ -20,6 +20,7 @@ class Vault::Provision::Sys::Mounts < Vault::Provision::Prototype
20
20
 
21
21
  repo_path = "#{@instance_dir}/sys/mounts"
22
22
  change = []
23
+ return change unless Dir.exist?(repo_path)
23
24
  Find.find(repo_path).each do |rf|
24
25
  next unless rf.end_with?('.json')
25
26
  next if rf.end_with?('/tune.json')
@@ -1,27 +1,40 @@
1
1
  # helps to enable auditing
2
2
  class Vault::Provision::Sys::Audit < Vault::Provision::Prototype
3
3
  def provision!
4
- audits = @vault.sys.audits
5
-
6
4
  change = []
7
5
  repo_files.each do |rf|
6
+ audits = @vault.sys.audits
8
7
  validate_file! rf
9
- path = rf[(repo_path.length + 1)..-6].to_sym
8
+ path = rf[(repo_path.length + 1)..-6]
10
9
  r_conf = JSON.parse(File.read(rf))
11
- next unless backend_changed? audits[path], r_conf
10
+ next unless backend_changed? audits[path.to_sym], r_conf
11
+
12
+ # API only lets you delete & re-create audit backends
13
+ # No upcerts allowed :(
14
+ if backend_exists?(path)
15
+ puts " * #{path} changed, disabling for update"
16
+ @vault.sys.disable_audit(path)
17
+ end
12
18
 
13
- @vault.sys.enable_audit(path.to_s,
19
+ puts " * #{path} enabled"
20
+ @vault.sys.enable_audit(path,
14
21
  r_conf['type'],
15
22
  r_conf['description'],
16
23
  r_conf['options'])
17
- change << @vault.sys.audits[path]
24
+ change << @vault.sys.audits[path.to_sym]
18
25
  end
19
26
  change
20
27
  end
21
28
 
22
29
  def backend_changed?(vault_conf, file_conf)
23
30
  return true unless vault_conf
24
- file_conf.each { |k, v| return true if v != vault_conf[k] }
31
+ file_conf.deep_symbolize_keys.each do |k, v|
32
+ return true if v != vault_conf.to_h[k]
33
+ end
25
34
  false
26
35
  end
36
+
37
+ def backend_exists?(path)
38
+ !@vault.sys.audits[path.to_sym].nil?
39
+ end
27
40
  end
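Review bot: Between `@vault.sys.disable_audit(path)` and the `enable_audit` call that follows there is no recovery path: if the enable request is rejected (unknown `type`, unwritable `file_path`, transient API error) the old device is already gone and the exception propagates out of `provision!`, so one malformed JSON file removes that audit device from the instance — and when it was the only device, leaves Vault with no audit logging at all. Capturing the current entry before the disable and re-enabling it when the replacement fails closes that window, and it also removes the extra `@vault.sys.audits` round-trip that `backend_exists?` makes for each file (assuming the audit object exposes `type` and `description` alongside the `options` the spec already reads; adjust the accessor names if not). Separately, `backend_changed?` only walks the keys present in the file, so an option removed from the file is never detected as a change.
```ruby
    repo_files.each do |rf|
      # … unchanged: audits fetch, validate_file!, path, r_conf, backend_changed? check …

      # API only lets you delete & re-create audit backends; keep the old
      # definition so a rejected replacement never leaves Vault unaudited.
      previous = audits[path.to_sym]
      if previous
        puts " * #{path} changed, disabling for update"
        @vault.sys.disable_audit(path)
      end

      begin
        puts " * #{path} enabled"
        @vault.sys.enable_audit(path,
                                r_conf['type'],
                                r_conf['description'],
                                r_conf['options'])
      rescue StandardError
        @vault.sys.enable_audit(path, previous.type, previous.description, previous.options) if previous
        raise
      end
      change << @vault.sys.audits[path.to_sym]
    end
```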
@@ -1,6 +1,7 @@
1
1
  # for rubocop, this comment is a matter of policy
2
2
  class Vault::Provision::Sys::Policy < Vault::Provision::Prototype
3
3
  def repo_files
4
+ return [] unless File.exist? repo_path
4
5
  Find.find(repo_path).select { |rf| rf.end_with?('.json', '.hcl') }
5
6
  end
6
7
 
@@ -9,7 +9,9 @@ require 'vcr'
9
9
  DEV_VAULT_TOKEN = 'kittens'.freeze
10
10
  DEV_VAULT_ADDR = 'http://127.0.0.1:8200'.freeze
11
11
  EXAMPLE_DIR = "#{GEM_DIR}/examples/basic".freeze
12
+ EXAMPLE_AUDIT_DIR = "#{GEM_DIR}/examples/audit-change".freeze
12
13
  AUDIT_LOG_PATH = "/tmp/my-vault-audit-test.log"
14
+ ALT_AUDIT_LOG_PATH = "/tmp/my-vault-alt-audit-test.log"
13
15
  AUDIT_LOG_TAG = "my-vault-audit-tag"
14
16
 
15
17
  ENV['VAULT_DEV_ROOT_TOKEN_ID'] = DEV_VAULT_TOKEN
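Review bot: `ALT_AUDIT_LOG_PATH` on the added line is a bare mutable string while `EXAMPLE_AUDIT_DIR`, added just above it, gets `.freeze` like the other constants in this block; the inconsistency already existed with `AUDIT_LOG_PATH`, but a new constant is the place to stop it: `ALT_AUDIT_LOG_PATH = "/tmp/my-vault-alt-audit-test.log".freeze`. Both log paths are fixed names in the shared `/tmp`, so a file left behind by an earlier run survives into the next one; any spec that asserts on `File.exist?` for them needs to clear them first.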
@@ -173,5 +173,11 @@ describe Vault::Provision do
173
173
  expect(resp[:my_syslog]).to be
174
174
  expect(resp[:my_syslog].options[:tag]).to be == AUDIT_LOG_TAG
175
175
  expect(resp[:my_syslog].options[:facility]).to be == "LPR"
176
+
177
+ # File.unlink(AUDIT_LOG_PATH)
178
+ Vault::Provision.new(EXAMPLE_AUDIT_DIR).provision!
179
+ resp = client.sys.audits
180
+ expect(resp[:my_file].options[:file_path]).to be == ALT_AUDIT_LOG_PATH
181
+ expect(File.exist?(ALT_AUDIT_LOG_PATH)).to be true
176
182
  end
177
183
  end
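Review bot: `expect(File.exist?(ALT_AUDIT_LOG_PATH)).to be true` passes vacuously whenever an earlier run left `/tmp/my-vault-alt-audit-test.log` behind, because nothing removes it before `Vault::Provision.new(EXAMPLE_AUDIT_DIR).provision!` runs; the commented-out `# File.unlink(AUDIT_LOG_PATH)` just above looks like a start on exactly that and should be finished or deleted rather than left as dead code. Removing the alternate log first, `File.unlink(ALT_AUDIT_LOG_PATH) if File.exist?(ALT_AUDIT_LOG_PATH)`, makes the assertion prove that the re-created backend actually opened the new file. The audit-change example keeps `my_syslog` with the same tag as before, so also asserting that `resp[:my_syslog].options[:tag]` is still `AUDIT_LOG_TAG` after the second provision would pin the "only changed backends are disabled and re-created" behaviour this release introduces.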
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: vault-provision
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.11
4
+ version: 0.1.12
5
5
  platform: ruby
6
6
  authors:
7
7
  - Tom Maher
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-08-04 00:00:00.000000000 Z
11
+ date: 2017-08-10 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -101,6 +101,8 @@ files:
101
101
  - Rakefile
102
102
  - VERSION
103
103
  - bin/vault-provision
104
+ - examples/audit-change/sys/audit/my_file.json
105
+ - examples/audit-change/sys/audit/my_syslog.json
104
106
  - examples/basic/auth/.keep
105
107
  - examples/basic/auth/approle/role/backends.json
106
108
  - examples/basic/auth/approle/role/frontends.json