simplify shasums signature verification; move setcap to server state

dafyddj · dafyddj · commit c829eac420c5 · 2018-10-21T15:53:49.000+01:00
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -52,6 +52,7 @@ suites:
           vault:
 #            version: 0.11.1    # test upgrades by doing a double-converge, changing the version pillar between each one
             version: 0.11.2
+            secure_download: false
 
   - name: dev_server
     provisioner:
diff --git a/test/integration/prod_server/vault_spec.rb b/test/integration/prod_server/vault_spec.rb
@@ -4,6 +4,12 @@
   its(:stdout) { should match(/^Vault v[0-9\.]+ \('[0-9a-f]+'\)/) }
 end
 
+describe command('getcap $(readlink -f /usr/local/bin/vault)') do
+  its(:exit_status) { should eq 0 }
+  its(:stderr) { should be_empty }
+  its(:stdout) { should match(/\/vault = cap_ipc_lock\+ep$/) }
+end
+
 describe file('/etc/vault/config/server.hcl') do
   it { should be_a_file }
 end
diff --git a/vault/defaults.yaml b/vault/defaults.yaml
@@ -15,6 +15,7 @@ vault:
     path: /var/lib/vault/data
   dev_mode: true
   secure_download: true
+  gpg_pkg: gnupg
   user: root
   group: root
   hashicorp_gpg_key: |
diff --git a/vault/init.sls b/vault/init.sls
@@ -1,85 +1,60 @@
 {% from "vault/map.jinja" import vault with context %}
-# using archive.extracted causes: 'Comment: Failed to cache https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_amd64.zip: [Errno 1] _ssl.c:493: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version'
-#vault packages:
-#  pkg.installed:
-#    - names:
-#      - unzip
-#      - curl
-#      {% if vault.secure_download %}
-#      {% if grains['os'] == 'CentOS' or grains['os'] == 'Amazon' %}
-#      - gnupg2
-#      - perl-Digest-SHA
-#      {% elif grains['os'] == 'Ubuntu' %}
-#      - gnupg
-#      - libdigest-sha-perl
-#      {% endif %}
-#      {% endif %}
-/opt/vault/{{ vault.version }}/bin:
+
+{% set version = vault.version %}
+
+/opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS:
+  file.managed:
+    - source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_SHA256SUMS
+    - makedirs: true
+    - skip_verify: true
+
+/opt/vault/{{ version }}/bin:
   archive.extracted:
-    - source: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_linux_amd64.zip
-    - source_hash: https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS 
+    - source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_linux_amd64.zip
+    - source_hash: /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS
     - enforce_toplevel: false
+    - require:
+      - /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS
 
 /usr/local/bin/vault:
   file.symlink:
-    - target: /opt/vault/{{ vault.version }}/bin/vault
+    - target: /opt/vault/{{ version }}/bin/vault
     - force: true
     - require:
-      - /opt/vault/{{ vault.version }}/bin
+      - /opt/vault/{{ version }}/bin
+
+{% if vault.secure_download -%}
+/opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig:
+  file.managed:
+    - source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig
+    - skip_verify: true
+    - require:
+      - /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS
 
-#{% if vault.secure_download %}
-#download shasums:
-#  cmd.run:
-#    - name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS -o /tmp/vault_{{ vault.version }}_SHA256SUMS
-#    - creates: /tmp/vault_{{ vault.version }}_SHA256SUMS
-#
-#download shasums sig:
-#  cmd.run:
-#    - name: curl --silent -L https://releases.hashicorp.com/vault/{{ vault.version }}/vault_{{ vault.version }}_SHA256SUMS.sig -o /tmp/vault_{{ vault.version }}_SHA256SUMS.sig
-#    - creates: /tmp/vault_{{ vault.version }}_SHA256SUMS.sig
-#
-#/tmp/hashicorp.asc:
-#  file.managed:
-#    - source: salt://vault/files/hashicorp.asc.jinja
-#    - template: jinja
-#
-#import key:
-#  cmd.run:
-#    - name: gpg --import /tmp/hashicorp.asc
-#    - unless: gpg --list-keys {{ vault.hashicorp_key_id }}
-#    - requires:
-#      - file: /tmp/hashicorp.asc
-#      - cmd: vault packages
-#
-#verify shasums sig:
-#  cmd.run:
-#    - name: gpg --verify /tmp/vault_{{ vault.version }}_SHA256SUMS.sig /tmp/vault_{{ vault.version }}_SHA256SUMS
-#    - require:
-#      - cmd: download shasums
-#      - cmd: import key
-#
-#verify vault:
-#  cmd.run:
-#    - name: "shasum -a 256 -c vault_{{ vault.version }}_SHA256SUMS 2>&1 | grep -q \"vault_{{ vault.version }}_linux_amd64.zip: OK\""
-#    - cwd: /tmp
-#    - require:
-#      - cmd: download vault
-#      - cmd: verify shasums sig
-#{% endif %}
-#
-#install vault:
-#  cmd.run:
-#    - name: unzip /tmp/vault_{{ vault.version }}_linux_amd64.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
-#    - require:
-#      - cmd: download vault
-#      - pkg: unzip
-#      {% if vault.secure_download %}
-#      - cmd: verify vault
-#      {% endif %}
-#    - creates: /usr/local/bin/vault
-#
-#vault set cap mlock:
-#  cmd.run:
-#    - name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault"
-#    - onchanges:
-#      - cmd: install vault
+
+/tmp/hashicorp.asc:
+  file.managed:
+    - source: salt://vault/files/hashicorp.asc.jinja
+    - template: jinja
+
+vault_gpg_pkg:
+  pkg.installed:
+    - name: {{ vault.gpg_pkg }}
+
+import key:
+  cmd.run:
+    - name: gpg --import /tmp/hashicorp.asc
+    - unless: gpg --list-keys {{ vault.hashicorp_key_id }}
+    - require:
+      - /tmp/hashicorp.asc
+      - vault_gpg_pkg
+
+verify shasums sig:
+  cmd.run:
+    - name: gpg --verify /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS
+    - require:
+      - /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig
+      - import key
+    - prereq:
+      - /usr/local/bin/vault
+{%- endif %}
diff --git a/vault/map.jinja b/vault/map.jinja
@@ -1,2 +1,11 @@
 {% import_yaml "vault/defaults.yaml" as defaults %}
-{% set vault = salt['pillar.get']('vault', default=defaults['vault'], merge=True) %}
+{% import_yaml "vault/osfamilymap.yaml" as osfamilymap %}
+
+{% set vault = salt['grains.filter_by'](
+    defaults,
+    merge=salt['grains.filter_by'](
+      osfamilymap,
+      merge=salt['pillar.get']('vault', {}),
+    ),
+    base='vault')
+ %}
diff --git a/vault/osfamilymap.yaml b/vault/osfamilymap.yaml
@@ -0,0 +1,2 @@
+RedHat:
+  gpg_pkg: gnupg2
diff --git a/vault/server.sls b/vault/server.sls
@@ -23,7 +23,13 @@ include:
     - watch_in:
       - service: vault
 
-  {%- if vault.self_signed_cert.enabled %}
+vault_set_cap_mlock:
+  cmd.run:
+    - name: setcap cap_ipc_lock=+ep $(readlink -f /usr/local/bin/vault)
+    - onchanges:
+      - /usr/local/bin/vault
+
+{%   if vault.self_signed_cert.enabled -%}
 openssl:
   pkg.installed
 
@@ -39,8 +45,8 @@ generate self signed SSL certs:
       - /etc/vault/config
     - require_in:
       - service: vault
-  {%- endif %}
-{% endif %}
+{%   endif %}
+{%- endif %}
 
 {%- if grains.init == 'systemd' %}
 /etc/systemd/system/vault.service:
