From 320d23a7002343cfa17bdc63e4ac43bacdf5702e Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 30 Sep 2024 19:49:18 -0700 Subject: [PATCH 01/11] initial --- app/lib/clients/vault.rb | 1 + app/lib/clients/vault/entity.rb | 12 ++++++++++++ test/lib/clients/vault_test.rb | 14 ++++++++++++++ 3 files changed, 27 insertions(+) create mode 100644 app/lib/clients/vault/entity.rb diff --git a/app/lib/clients/vault.rb b/app/lib/clients/vault.rb index 6c73276..97035fe 100644 --- a/app/lib/clients/vault.rb +++ b/app/lib/clients/vault.rb @@ -26,4 +26,5 @@ def enable_engine(mount, type) require_relative "vault/key_value" require_relative "vault/certificate" + require_relative "vault/entity" end diff --git a/app/lib/clients/vault/entity.rb b/app/lib/clients/vault/entity.rb new file mode 100644 index 0000000..1c8ff97 --- /dev/null +++ b/app/lib/clients/vault/entity.rb @@ -0,0 +1,12 @@ +module Clients + class Vault + class << self + def put_entity(opts) + client.logical.write("identity/entity", opts) + end + def read_entity(name) + client.logical.read("identity/entity/name/" + name.to_s) + end + end + end +end diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb index ddbb38a..1a69467 100644 --- a/test/lib/clients/vault_test.rb +++ b/test/lib/clients/vault_test.rb 
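Review bot: `read_entity` builds the `identity/entity/name/` path by concatenating the caller-supplied `name` with no validation, so a value containing `/` or `..` selects a different identity route instead of being rejected — unless the client library escapes slashes, which this hunk does not show. A guard such as `raise ArgumentError, "invalid entity name" if name.to_s.empty? || name.to_s.include?("/")` before the read keeps the lookup on the intended endpoint. `put_entity(opts)` forwards an arbitrary hash to `identity/entity`, so any field of that API (`id`, `disabled`, `metadata`) is settable by the caller; a comment stating whether that is intended, e.g. `# opts: raw identity/entity fields; callers are trusted to set only name/policies`, would make the contract explicit.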
@@ -2,16 +2,30 @@ class VaultTest < ActiveSupport::TestCase attr_reader :random_mount + attr_reader :policies + attr_reader :entity_name setup do @client = Clients::Vault @random_mount = SecureRandom.hex(4) + @policies = SecureRandom.hex(4) + @entity_name = SecureRandom.hex(4) end teardown do vault_client.sys.unmount(random_mount) end + test "#put_entity" do + puts "gbj " + @entity_name.to_s + en = @client.put_entity(name: @entity_name.to_s, policies: @policies.to_s) + if en == nil then puts "gbj1nil" end + puts "gbj2 " + en.data.to_s + entity2 = @client.read_entity(@entity_name.to_s) + if entity2 == nil then puts "gbjnil" end + assert_equal entity2.data[:policies], @policies.to_s + end + test "#configure_kv" do @client.stub :kv_mount, random_mount do assert @client.configure_kv From 403ba3b822602498494f3273ac55f7dc9e41d67e Mon Sep 17 00:00:00 2001 From: George Jahad Date: Tue, 1 Oct 2024 11:24:04 -0700 Subject: [PATCH 02/11] basic --- app/lib/clients/vault/entity.rb | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/app/lib/clients/vault/entity.rb b/app/lib/clients/vault/entity.rb index 1c8ff97..43ee6be 100644 --- a/app/lib/clients/vault/entity.rb +++ b/app/lib/clients/vault/entity.rb @@ -1,11 +1,16 @@ module Clients class Vault class << self - def put_entity(opts) - client.logical.write("identity/entity", opts) + def put_entity(name, policies) + client.logical.write("identity/entity", + {:name => name, + :policies => policies}) end def read_entity(name) - client.logical.read("identity/entity/name/" + name.to_s) + client.logical.read("identity/entity/name/" + name) + end + def delete_entity(name) + client.logical.delete("identity/entity/name/" + name) end end end From 3d4a1932dea35f9301edc36adf8dce2a8325cab8 Mon Sep 17 00:00:00 2001 
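Review bot: `en.data.to_s` assumes `put_entity` returns a secret with a body, but the identity API only returns entity details when it creates the entity; on an update it answers with no content and, as far as I recall of the gem, `logical.write` then returns `true`, so this line would raise `NoMethodError` whenever `@entity_name` already exists. The `puts "gbj…"` lines and the `if en == nil then puts … end` checks are leftover debugging output and should not be committed in a test. Either assert on the read-back only, or document on `put_entity` that its return value is not a stable part of the contract, e.g. `# returns the create response on first write; nothing useful on update`.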
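Review bot: `put_entity(name, policies)` forwards `policies` untouched while the identity API's `policies` field is a list, and the only caller in this series passes a single string, so the method's contract (one name, a comma list, or an array?) is left to whatever coercion the server applies. Normalising with `policies: Array(policies)` and documenting it — `# policies: a policy name or an array of names attached to the entity` — pins the behaviour. Dropping `.to_s` also means `read_entity(nil)` now fails with a `TypeError` from string concatenation rather than a clear argument error, and the `name` segment is still concatenated into the path unvalidated, so a `/` in it changes the route.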
From: George Jahad Date: Tue, 1 Oct 2024 11:32:53 -0700 Subject: [PATCH 03/11] test passing --- app/lib/clients/vault/entity.rb | 4 ++-- test/lib/clients/vault_test.rb | 10 +++------- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/app/lib/clients/vault/entity.rb b/app/lib/clients/vault/entity.rb index 43ee6be..ab75a44 100644 --- a/app/lib/clients/vault/entity.rb +++ b/app/lib/clients/vault/entity.rb @@ -3,8 +3,8 @@ class Vault class << self def put_entity(name, policies) client.logical.write("identity/entity", - {:name => name, - :policies => policies}) + name: name, + policies: policies) end def read_entity(name) client.logical.read("identity/entity/name/" + name) diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb index 1a69467..a118248 100644 --- a/test/lib/clients/vault_test.rb +++ b/test/lib/clients/vault_test.rb @@ -17,13 +17,9 @@ class VaultTest < ActiveSupport::TestCase end test "#put_entity" do - puts "gbj " + @entity_name.to_s - en = @client.put_entity(name: @entity_name.to_s, policies: @policies.to_s) - if en == nil then puts "gbj1nil" end - puts "gbj2 " + en.data.to_s - entity2 = @client.read_entity(@entity_name.to_s) - if entity2 == nil then puts "gbjnil" end - assert_equal entity2.data[:policies], @policies.to_s + @client.put_entity( @entity_name, @policies) + entity = @client.read_entity(@entity_name) + assert_equal entity.data[:policies][0], @policies end test "#configure_kv" do From 3adffc4cb3c574b8336096b3bb3c1ed6d7f8cad4 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Tue, 1 Oct 2024 11:35:35 -0700 Subject: [PATCH 04/11] entity tests working --- test/lib/clients/vault_test.rb | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb index a118248..95220ab 100644 --- a/test/lib/clients/vault_test.rb +++ b/test/lib/clients/vault_test.rb 
@@ -16,10 +16,18 @@ class VaultTest < ActiveSupport::TestCase vault_client.sys.unmount(random_mount) end - test "#put_entity" do - @client.put_entity( @entity_name, @policies) + test "#entity" do + entity = @client.read_entity(@entity_name) + assert_nil entity + + @client.put_entity(@entity_name, @policies) entity = @client.read_entity(@entity_name) assert_equal entity.data[:policies][0], @policies + + @client.delete_entity(@entity_name) + entity = @client.read_entity(@entity_name) + assert_nil entity + end test "#configure_kv" do From 417b6ae96bf69ffb49d8996e0c472d2fcf15780a Mon Sep 17 00:00:00 2001 From: George Jahad Date: Tue, 1 Oct 2024 15:11:23 -0700 Subject: [PATCH 05/11] alias support --- app/lib/clients/vault.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/app/lib/clients/vault.rb b/app/lib/clients/vault.rb index 97035fe..40d654a 100644 --- a/app/lib/clients/vault.rb +++ b/app/lib/clients/vault.rb @@ -27,4 +27,5 @@ def enable_engine(mount, type) require_relative "vault/key_value" require_relative "vault/certificate" require_relative "vault/entity" + require_relative "vault/entity_alias" end From 31af1592c8c6d9ef9880021e9813287f7b615956 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Tue, 1 Oct 2024 16:11:15 -0700 Subject: [PATCH 06/11] added alias tests --- test/lib/clients/vault_test.rb | 55 ++++++++++++++++++++++++---------- 1 file changed, 40 insertions(+), 15 deletions(-) diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb index 95220ab..f493b15 100644 --- a/test/lib/clients/vault_test.rb +++ b/test/lib/clients/vault_test.rb 
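Review bot: The `delete_entity` call that cleans up `@entity_name` is only reached when the two assertions before it pass, so a failing run leaves the entity behind on the shared Vault server — `teardown` only unmounts `random_mount`. Moving the cleanup into `teardown` (`@client.delete_entity(entity_name)`) and keeping the post-delete read as the assertion gives the same coverage without the leak. The leading `assert_nil entity` relies on `read_entity` returning `nil` for an unknown name rather than raising; the hunk's flow implies that, but a one-line comment is warranted since it is the gem's 404 handling, not this code, that provides it.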
@@ -4,32 +4,19 @@ class VaultTest < ActiveSupport::TestCase attr_reader :random_mount attr_reader :policies attr_reader :entity_name - + attr_reader :alias_name setup do @client = Clients::Vault @random_mount = SecureRandom.hex(4) @policies = SecureRandom.hex(4) @entity_name = SecureRandom.hex(4) + @alias_name = SecureRandom.hex(4) end teardown do vault_client.sys.unmount(random_mount) end - test "#entity" do - entity = @client.read_entity(@entity_name) - assert_nil entity - - @client.put_entity(@entity_name, @policies) - entity = @client.read_entity(@entity_name) - assert_equal entity.data[:policies][0], @policies - - @client.delete_entity(@entity_name) - entity = @client.read_entity(@entity_name) - assert_nil entity - - end - test "#configure_kv" do @client.stub :kv_mount, random_mount do assert @client.configure_kv 
@@ -58,6 +45,44 @@ class VaultTest < ActiveSupport::TestCase end end + test "#entity" do + entity = @client.read_entity(@entity_name) + assert_nil entity + + @client.put_entity(@entity_name, @policies) + entity = @client.read_entity(@entity_name) + assert_equal entity.data[:policies][0], @policies + + @client.delete_entity(@entity_name) + entity = @client.read_entity(@entity_name) + assert_nil entity + + end + + test "#entity_alias" do + err = assert_raises RuntimeError do + @client.read_entity_alias(@entity_name, @alias_name) + end + assert_match /no such entity/, err.message + + @client.put_entity(@entity_name, @policies) + err = assert_raises RuntimeError do + @client.read_entity_alias(@entity_name, @alias_name) + end + assert_match /no such alias/, err.message + + @client.put_entity_alias(@entity_name, @alias_name, "token/") + entity_alias = @client.read_entity_alias(@entity_name, @alias_name) + assert_equal entity_alias.data[:mount_type], "token" + + assert_equal @client.delete_entity_alias(@entity_name, @alias_name), true + + err = assert_raises RuntimeError do + @client.delete_entity_alias(@entity_name, @alias_name) + end + assert_match /no such alias/, err.message + end + private def vault_client From 4fafa873bdd0107ab77aa557c9bf47781811ff55 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Tue, 1 Oct 2024 16:13:10 -0700 Subject: [PATCH 07/11] added alias methods --- app/lib/clients/vault/entity_alias.rb | 42 +++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 app/lib/clients/vault/entity_alias.rb diff --git a/app/lib/clients/vault/entity_alias.rb b/app/lib/clients/vault/entity_alias.rb new file mode 100644 index 0000000..5604884 --- /dev/null +++ b/app/lib/clients/vault/entity_alias.rb 
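Review bot: `#entity_alias` creates the entity and its alias but only ever deletes the alias, so every run leaves an entity named `@entity_name` on the server, and if an assertion before `delete_entity_alias` fails the alias stays bound to it too. A `teardown` step such as `@client.delete_entity(entity_name) if @client.read_entity(entity_name)` would cover both tests and also catch the `#entity` case where the in-test delete is skipped. The `assert_match /no such …/` checks tie the test to free-form `RuntimeError` messages from the client; matching on a dedicated error class would be more robust, though that belongs in `entity_alias.rb` rather than here. The alias is created on the `token` auth mount, which I assume is chosen because it is always enabled; a comment saying so would stop a reader wondering whether token aliases are a real use case.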
@@ -0,0 +1,42 @@
+module Clients
+ class Vault
+ class << self
+ # auth_path e.g. "oidc/"
+ def put_entity_alias(entity_name, alias_name, auth_path)
+ e = read_entity(entity_name)
+ if e.nil?
+ raise "no such entity #{entity_name}"
+ end
+ canonical_id = e.data[:id]
+ accessor = client.logical.read("/sys/auth").data[auth_path.to_sym][:accessor]
+ client.logical.write("identity/entity-alias",
+ name: alias_name,
+ canonical_id: canonical_id,
+ mount_accessor: accessor)
+ end
+
+ def read_entity_alias_id(entity_name, alias_name)
+ e = read_entity(entity_name)
+ if e.nil?
+ raise "no such entity #{entity_name}"
+ end
+ aliases = e.data[:aliases]
+ a = aliases.find { |a| a[:name] == alias_name}
+ if a.nil?
+ raise "no such alias #{alias_name}"
+ end
+ a[:id]
+ end
+
+ def read_entity_alias(entity_name, alias_name)
+ client.logical.read(
+ "identity/entity-alias/id/#{read_entity_alias_id(entity_name, alias_name)}")
+ end
+
+ def delete_entity_alias(entity_name, alias_name)
+ client.logical.delete(
+ "identity/entity-alias/id/#{read_entity_alias_id(entity_name, alias_name)}")
+ end
+ end
+ end
+end
From 8a6a3944cf8e099847f712996606194520aba33a Mon Sep 17 00:00:00 2001 From: George Jahad Date: Tue, 1 Oct 2024 17:12:00 -0700 Subject: [PATCH 08/11] cleanup --- app/lib/clients/vault/entity.rb | 4 ++-- app/lib/clients/vault/entity_alias.rb | 14 +++++++------- test/lib/clients/vault_test.rb | 5 +++-- 3 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/app/lib/clients/vault/entity.rb b/app/lib/clients/vault/entity.rb
index ab75a44..679bd22 100644
--- a/app/lib/clients/vault/entity.rb
+++ b/app/lib/clients/vault/entity.rb
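Review bot: `read_entity_alias_id` picks an alias by name alone (`aliases.find { |a| a[:name] == alias_name }`), but Vault scopes alias uniqueness to the auth mount accessor as far as I know, so an entity carrying the same alias name on two mounts (say `oidc/` and `userpass/`) resolves to whichever entry is listed first — and `delete_entity_alias`, built on it, would then unbind the wrong login identity. I would let the lookup take the mount accessor as an optional filter and refuse ambiguous matches, as sketched below; this assumes the alias entries in the entity read carry `mount_accessor`, which should be confirmed against a live read. In `put_entity_alias`, `data[auth_path.to_sym][:accessor]` raises a bare `NoMethodError` on `nil` when the mount is not enabled, and that `/sys/auth` read requires `sys/auth` read capability on the client token on top of `identity/*`, which a comment should state. The block parameter `a` in `aliases.find { |a| … }` shadows the local `a` being assigned. This file is already `require_relative`d from `vault.rb` since PATCH 05, so commits 05 and 06 do not load on their own; squashing or reordering would keep the series bisectable.
```ruby
def put_entity_alias(entity_name, alias_name, auth_path)
  e = read_entity(entity_name)
  raise "no such entity #{entity_name}" if e.nil?
  # /sys/auth is a sys-level read: the client token needs read on sys/auth, not just identity/*
  mounts = client.logical.read("/sys/auth").data
  accessor = mounts.fetch(auth_path.to_sym) { raise "auth method #{auth_path} is not enabled" }[:accessor]
  # … unchanged: canonical_id = e.data[:id] and the identity/entity-alias write …
end

# mount_accessor is optional for backward compatibility; pass it whenever the
# entity may carry the same alias name on more than one auth mount.
def read_entity_alias_id(entity_name, alias_name, mount_accessor = nil)
  e = read_entity(entity_name)
  raise "no such entity #{entity_name}" if e.nil?
  matches = Array(e.data[:aliases]).select { |al| al[:name] == alias_name }
  matches.select! { |al| al[:mount_accessor] == mount_accessor } if mount_accessor
  raise "no such alias #{alias_name}" if matches.empty?
  raise "alias #{alias_name} is bound on #{matches.size} mounts; pass mount_accessor" if matches.size > 1
  matches.first[:id]
end
```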
@@ -7,10 +7,10 @@ def put_entity(name, policies)
policies: policies)
end
def read_entity(name)
- client.logical.read("identity/entity/name/" + name)
+ client.logical.read("identity/entity/name/#{name}")
end
def delete_entity(name)
- client.logical.delete("identity/entity/name/" + name)
+ client.logical.delete("identity/entity/name/#{name}")
end
end
end
diff --git a/app/lib/clients/vault/entity_alias.rb b/app/lib/clients/vault/entity_alias.rb
index 5604884..b2af359 100644
--- a/app/lib/clients/vault/entity_alias.rb
+++ b/app/lib/clients/vault/entity_alias.rb
@@ -1,14 +1,14 @@
module Clients
class Vault
class << self
- # auth_path e.g. "oidc/"
- def put_entity_alias(entity_name, alias_name, auth_path)
+ def put_entity_alias(entity_name, alias_name, auth_method)
e = read_entity(entity_name)
if e.nil?
raise "no such entity #{entity_name}"
end
canonical_id = e.data[:id]
- accessor = client.logical.read("/sys/auth").data[auth_path.to_sym][:accessor]
+ auth_sym = "#{auth_method}/".to_sym
+ accessor = client.logical.read("/sys/auth").data[auth_sym][:accessor]
client.logical.write("identity/entity-alias",
name: alias_name,
canonical_id: canonical_id,
@@ -29,13 +29,13 @@ def read_entity_alias_id(entity_name, alias_name)
end

def read_entity_alias(entity_name, alias_name)
- client.logical.read(
- "identity/entity-alias/id/#{read_entity_alias_id(entity_name, alias_name)}")
+ id = read_entity_alias_id(entity_name, alias_name)
+ client.logical.read("identity/entity-alias/id/#{id}")
end

def delete_entity_alias(entity_name, alias_name)
- client.logical.delete(
- "identity/entity-alias/id/#{read_entity_alias_id(entity_name, alias_name)}")
+ id = read_entity_alias_id(entity_name, alias_name)
+ client.logical.delete("identity/entity-alias/id/#{id}")
end
end
end
diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb
index f493b15..e09b1ed 100644
--- a/test/lib/clients/vault_test.rb
+++ b/test/lib/clients/vault_test.rb
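Review bot: `data[auth_sym][:accessor]` still fails with a bare `NoMethodError` on `nil` when `auth_method` names a mount that is not enabled, which surfaces far from the caller's typo; `accessor = client.logical.read("/sys/auth").data.fetch(auth_sym) { raise "auth method #{auth_method} is not enabled" }[:accessor]` names the problem instead. Building the key as `"#{auth_method}/"` also means a caller who passes the mount path the way `/sys/auth` lists it (`"oidc/"`, per the comment this hunk removes) gets `"oidc//"` and no match, so either strip a trailing slash first or document the expected form: `# auth_method: mount path without the trailing slash, e.g. "oidc"`. The `/sys/auth` read needs `sys/auth` read capability on the token behind `client`, beyond the `identity/*` rights the rest of the file uses, which is worth noting in the same comment. `put_entity_alias`'s body continues past the end of this hunk.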
@@ -71,9 +71,10 @@ class VaultTest < ActiveSupport::TestCase end assert_match /no such alias/, err.message - @client.put_entity_alias(@entity_name, @alias_name, "token/") + auth_method = "token" + @client.put_entity_alias(@entity_name, @alias_name, auth_method) entity_alias = @client.read_entity_alias(@entity_name, @alias_name) - assert_equal entity_alias.data[:mount_type], "token" + assert_equal entity_alias.data[:mount_type], auth_method assert_equal @client.delete_entity_alias(@entity_name, @alias_name), true From b1215d4a551c692ff21c866663ffcb2eaa47936e Mon Sep 17 00:00:00 2001 From: George Jahad Date: Tue, 1 Oct 2024 17:28:22 -0700 Subject: [PATCH 09/11] comments --- test/lib/clients/vault_test.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb index e09b1ed..6338796 100644 --- a/test/lib/clients/vault_test.rb +++ b/test/lib/clients/vault_test.rb @@ -60,24 +60,27 @@ class VaultTest < ActiveSupport::TestCase end test "#entity_alias" do + #confirm no entity yet err = assert_raises RuntimeError do @client.read_entity_alias(@entity_name, @alias_name) end assert_match /no such entity/, err.message + #confirm no alias yet @client.put_entity(@entity_name, @policies) err = assert_raises RuntimeError do @client.read_entity_alias(@entity_name, @alias_name) end assert_match /no such alias/, err.message + #create alias auth_method = "token" @client.put_entity_alias(@entity_name, @alias_name, auth_method) entity_alias = @client.read_entity_alias(@entity_name, @alias_name) assert_equal entity_alias.data[:mount_type], auth_method + #confirm deleted alias assert_equal @client.delete_entity_alias(@entity_name, @alias_name), true - err = assert_raises RuntimeError do @client.delete_entity_alias(@entity_name, @alias_name) end From d8a4d74e38e5d94fbd69d53854790d0089db75ee Mon Sep 17 00:00:00 2001 
From: George Jahad Date: Tue, 1 Oct 2024 17:52:06 -0700 Subject: [PATCH 10/11] lint --- app/lib/clients/vault/entity_alias.rb | 2 +- test/lib/clients/vault_test.rb | 9 ++++----- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/app/lib/clients/vault/entity_alias.rb b/app/lib/clients/vault/entity_alias.rb index b2af359..010a3a4 100644 --- a/app/lib/clients/vault/entity_alias.rb +++ b/app/lib/clients/vault/entity_alias.rb @@ -21,7 +21,7 @@ def read_entity_alias_id(entity_name, alias_name) raise "no such entity #{entity_name}" end aliases = e.data[:aliases] - a = aliases.find { |a| a[:name] == alias_name} + a = aliases.find { |a| a[:name] == alias_name } if a.nil? raise "no such alias #{alias_name}" end diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb index 6338796..27fc48a 100644 --- a/test/lib/clients/vault_test.rb +++ b/test/lib/clients/vault_test.rb @@ -56,30 +56,29 @@ class VaultTest < ActiveSupport::TestCase @client.delete_entity(@entity_name) entity = @client.read_entity(@entity_name) assert_nil entity - end test "#entity_alias" do - #confirm no entity yet + # confirm no entity yet err = assert_raises RuntimeError do @client.read_entity_alias(@entity_name, @alias_name) end assert_match /no such entity/, err.message - #confirm no alias yet + # confirm no alias yet @client.put_entity(@entity_name, @policies) err = assert_raises RuntimeError do @client.read_entity_alias(@entity_name, @alias_name) end assert_match /no such alias/, err.message - #create alias + # create alias auth_method = "token" @client.put_entity_alias(@entity_name, @alias_name, auth_method) entity_alias = @client.read_entity_alias(@entity_name, @alias_name) assert_equal entity_alias.data[:mount_type], auth_method - #confirm deleted alias + # confirm deleted alias assert_equal @client.delete_entity_alias(@entity_name, @alias_name), true err = assert_raises RuntimeError do @client.delete_entity_alias(@entity_name, @alias_name) 
From 0d441b3e92e8afbbe64bb1c9255b17b59a58cffb Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 2 Oct 2024 15:49:37 -0700 Subject: [PATCH 11/11] review cleanup --- app/lib/clients/vault/entity.rb | 2 ++ test/lib/clients/vault_test.rb | 8 ++++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/app/lib/clients/vault/entity.rb b/app/lib/clients/vault/entity.rb index 679bd22..2f894d3 100644 --- a/app/lib/clients/vault/entity.rb +++ b/app/lib/clients/vault/entity.rb @@ -6,9 +6,11 @@ def put_entity(name, policies) name: name, policies: policies) end + def read_entity(name) client.logical.read("identity/entity/name/#{name}") end + def delete_entity(name) client.logical.delete("identity/entity/name/#{name}") end diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb index ce59860..4017556 100644 --- a/test/lib/clients/vault_test.rb +++ b/test/lib/clients/vault_test.rb @@ -1,8 +1,8 @@ require "test_helper" class VaultTest < ActiveSupport::TestCase - attr_reader :root_ca_mount attr_reader :intermediate_ca_mount + attr_reader :root_ca_mount attr_reader :policies attr_reader :entity_name attr_reader :alias_name @@ -59,7 +59,7 @@ class VaultTest < ActiveSupport::TestCase @client.put_entity(@entity_name, @policies) entity = @client.read_entity(@entity_name) - assert_equal entity.data[:policies][0], @policies + assert_equal @policies, entity.data[:policies][0] @client.delete_entity(@entity_name) entity = @client.read_entity(@entity_name) 
@@ -84,10 +84,10 @@ class VaultTest < ActiveSupport::TestCase auth_method = "token" @client.put_entity_alias(@entity_name, @alias_name, auth_method) entity_alias = @client.read_entity_alias(@entity_name, @alias_name) - assert_equal entity_alias.data[:mount_type], auth_method + assert_equal auth_method, entity_alias.data[:mount_type] # confirm deleted alias - assert_equal @client.delete_entity_alias(@entity_name, @alias_name), true + assert_equal true, @client.delete_entity_alias(@entity_name, @alias_name) err = assert_raises RuntimeError do @client.delete_entity_alias(@entity_name, @alias_name) end