Merge pull request #92 from gbevan/D20190423_simpler_api_consumption

document simpler api consumption where TLS is trusted.

Author: gbevan

README.md

@@ -1,6 +1,7 @@
 # gostint - A Shallow RESTful api for Ansible, Terraform ...
 ... and basically anything you would like to run as jobs in docker containers.
-Authenticated and end-to-end encrypted with Hashicorp Vault with Secret Injection
+Authenticated and (optionally) end-to-end encrypted with Hashicorp Vault with
+Secret Injection
 * https://goethite.github.io/gostint/
 
 > gostint:
@@ -28,8 +29,12 @@ JSON jobs used in these tests are in the respective [tests](tests/) files.
 * [Brainstorming job sequence diagrams](docs/jobsequence.md)
 
 ## Features
-* Integrated with Hashicorp Vault's AppRole Authentication, Transit end-to-end
-  encryption, Cubbyhole, Token Wrapping and KV Secrets.
+* Integrated with Hashicorp Vault's AppRole Authentication.
+* Optionally consume Hashicorp Vault's Transit end-to-end
+  encryption, Cubbyhole and Token Wrapping if routing requests through
+  untrusted networks (e.g. where TLS end-to-end encryption is not available).
+* If TLS encryption is unbroken a much simpler way to consume the API is
+  available.
 * Secrets in Vault can be referenced in a job request, which are then injected
   into the job's running container.
 * Additional content can be flexibly injected into the job container from the

docs/jobsequence.md

@@ -1,4 +1,6 @@
-# Job Sequence Diagrams Brainstorming the Protocol Using Hashicorp Vault
+# Job Sequence Diagrams Brainstorming ...
+... the Protocol for Traversing Untrusted Networks with Broken TLS Encryption Using Hashicorp Vault.  Note that a simpler way of submitting jobs to gostint can be used if
+you have unbroken TLS (either direct or via SNI Routing).
 
 ![First thoughts on job submission protocol](job_diag1.mermaid.png)
 * Requestor and poster here are the same enitity.
@@ -86,7 +88,7 @@ poster / routing.
 ![job via intermediary](job_via_intermediary.mermaid.png)
 ---
 
-Copyright 2018 Graham Lee Bevan <graham.bevan@ntlworld.com>
+Copyright 2018-2019 Graham Lee Bevan <graham.bevan@ntlworld.com>
 
 <a rel="license" href="http://creativecommons.org/licenses/by/4.0/"><img alt="Creative Commons Licence" style="border-width:0" src="https://i.creativecommons.org/l/by/4.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>.
 

jobqueues/jobqueues.go

@@ -1046,8 +1046,8 @@ func (job *Job) runContainer(ctx *context.Context, cli *client.Client, container
 	if status != 0 {
 		finalStatus = "failed"
 	}
-	logmsg.Warn("output:%v", buf.String())
-	logmsg.Warn("stderr:%v", buferr.String())
+	// logmsg.Warn("output:%v", buf.String())
+	// logmsg.Warn("stderr:%v", buferr.String())
 
 	job.UpdateJob(bson.M{
 		"status":      finalStatus,

tests/bats/0200_job10_ansible_play_hashivault_vars.sh tests/bats/0200_job11_ansible_play_hashivault_vars.sh

@@ -1,31 +1,49 @@
 #!/usr/bin/env bats
 
-@test "Submitting job1 busybox without cubbyhole should return json" {
+@test "Simple api - Submitting job1 busybox should return json" {
   # Get a default token for the api post authentication
-  TOKEN=$(vault write -f auth/token/create policies=default -format=json | jq .auth.client_token -r)
+  TOKEN=$(
+    vault write -f \
+      auth/token/create \
+      policies=default \
+      -format=json \
+      | jq .auth.client_token -r
+  )
+  # TOKEN=$(vault write -f auth/token/create policies=gostint-client -format=json | jq .auth.client_token -r)
   echo "TOKEN: $TOKEN" >&2
   echo "$TOKEN" > $BATS_TMPDIR/token
 
   # Get secretId for the approle
-  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r)
+  WRAPSECRETID=$(
+    vault write -wrap-ttl=144h \
+      -f auth/approle/role/$GOSTINT_ROLENAME/secret-id \
+      -format=json \
+      | jq .wrap_info.token -r
+  )
   echo "WRAPSECRETID: $WRAPSECRETID" >&2
+  # echo "$WRAPSECRETID" > $BATS_TMPDIR/wrapsecretid
 
-  QNAME=$(cat ../job1.json | jq .qname -r)
-
-  # Create new job request with the wrapped secret id
+  # Create new job request with payload
   jq --arg wrap_secret_id "$WRAPSECRETID" \
-    '. | .wrap_secret_id=$wrap_secret_id' \
-    < ../job1.json >$BATS_TMPDIR/job_ncby.json
-  cat $BATS_TMPDIR/job_ncby.json >&2
-
-  J="$(curl -k -s https://127.0.0.1:3232/v1/api/job --header "X-Auth-Token: $TOKEN" -X POST -d @$BATS_TMPDIR/job_ncby.json | tee $BATS_TMPDIR/job1_ncby.json)"
+     '. | .wrap_secret_id=$wrap_secret_id' \
+     < ../job1.json >$BATS_TMPDIR/job.json
+  cat $BATS_TMPDIR/job.json >&2
+
+  J="$(
+    curl -k -s https://127.0.0.1:3232/v1/api/job \
+      --header "X-Auth-Token: $TOKEN" \
+      -X POST \
+      -d @$BATS_TMPDIR/job.json \
+      | tee $BATS_TMPDIR/job1.json
+  )"
   echo "J: $J" >&2
   [ "$J" != "" ]
+  # /bin/false
 }
 
 @test "job1 should be queued in the play job1 queue" {
 
-  J="$(cat $BATS_TMPDIR/job1_ncby.json)"
+  J="$(cat $BATS_TMPDIR/job1.json)"
   echo "J: $J" >&2
 
   id=$(echo $J | jq ._id -r)
@@ -38,7 +56,7 @@
 @test "Be able to retrieve the current status" {
   TOKEN="$(cat $BATS_TMPDIR/token)"
   echo "TOKEN: $TOKEN" >&2
-  J="$(cat $BATS_TMPDIR/job1_ncby.json)"
+  J="$(cat $BATS_TMPDIR/job1.json)"
 
   ID=$(echo $J | jq ._id -r)
 
@@ -52,7 +70,7 @@
 @test "Status should eventually be success" {
   TOKEN="$(cat $BATS_TMPDIR/token)"
   echo "TOKEN: $TOKEN" >&2
-  J="$(cat $BATS_TMPDIR/job1_ncby.json)"
+  J="$(cat $BATS_TMPDIR/job1.json)"
 
   ID=$(echo $J | jq ._id -r)
   echo "ID:$ID" >&2
@@ -70,12 +88,12 @@
     fi
   done
   echo "status after:$status" >&2
-  echo "$R" > $BATS_TMPDIR/job1_ncby.final.json
+  echo "$R" > $BATS_TMPDIR/job1.final.json
   [ "$status" == "success" ]
 }
 
 @test "Should have final output in json" {
-  R="$(cat $BATS_TMPDIR/job1_ncby.final.json)"
+  R="$(cat $BATS_TMPDIR/job1.final.json)"
 
   echo "R:$R" >&2
   output="$(echo $R | jq .output -r)"
@@ -86,7 +104,7 @@
 @test "Should delete the job id" {
   TOKEN="$(cat $BATS_TMPDIR/token)"
   echo "TOKEN: $TOKEN" >&2
-  J="$(cat $BATS_TMPDIR/job1_ncby.json)"
+  J="$(cat $BATS_TMPDIR/job1.json)"
 
   ID=$(echo $J | jq ._id -r)
   echo "ID:$ID" >&2
@@ -102,7 +120,7 @@
 @test "Lookup for deleted id should return Not Found error" {
   TOKEN="$(cat $BATS_TMPDIR/token)"
   echo "TOKEN: $TOKEN" >&2
-  J="$(cat $BATS_TMPDIR/job1_ncby.json)"
+  J="$(cat $BATS_TMPDIR/job1.json)"
 
   ID=$(echo $J | jq ._id -r)
   echo "ID:$ID" >&2
@@ -116,7 +134,7 @@
 @test "Lookup for garbage id should return Invalid job ID error" {
   TOKEN="$(cat $BATS_TMPDIR/token)"
   echo "TOKEN: $TOKEN" >&2
-  J="$(cat $BATS_TMPDIR/job1_ncby.json)"
+  J="$(cat $BATS_TMPDIR/job1.json)"
 
   R="$(curl -k -s https://127.0.0.1:3232/v1/api/job/DOESNOTEXIST --header "X-Auth-Token: $TOKEN")"
   echo "R:$R" >&2

tests/bats/0101_job1_busybox_nocby.sh tests/bats/1100_simple_job1_busybox.sh

@@ -0,0 +1,98 @@
+#!/usr/bin/env bats
+
+@test "Simple API - Submitting job2 ansible ping should return json" {
+  # Get a default token for the api post authentication
+  TOKEN=$(
+    vault write -f \
+      auth/token/create \
+      policies=default \
+      -format=json \
+      | jq .auth.client_token -r
+  )
+  echo "$TOKEN"
+  echo "$TOKEN" > $BATS_TMPDIR/token
+
+  # Get secretId for the approle
+  WRAPSECRETID=$(
+    vault write -wrap-ttl=144h \
+      -f auth/approle/role/$GOSTINT_ROLENAME/secret-id \
+      -format=json \
+      | jq .wrap_info.token -r
+  )
+  echo "WRAPSECRETID: $WRAPSECRETID" >&2
+  # echo "$WRAPSECRETID" > $BATS_TMPDIR/wrapsecretid
+
+    # Create new job request with payload
+  jq --arg wrap_secret_id "$WRAPSECRETID" \
+     '. | .wrap_secret_id=$wrap_secret_id' \
+     < ../job2_ansible.json >$BATS_TMPDIR/job.json
+  cat $BATS_TMPDIR/job.json >&2
+
+  J="$(
+    curl -k -s https://127.0.0.1:3232/v1/api/job \
+      --header "X-Auth-Token: $TOKEN" \
+      -X POST \
+      -d @$BATS_TMPDIR/job.json \
+      | tee $BATS_TMPDIR/job2.json
+  )"
+  [ "$J" != "" ]
+}
+
+@test "job2 should be queued in the play job2 queue" {
+
+  J="$(cat $BATS_TMPDIR/job2.json)"
+
+  id=$(echo $J | jq ._id -r)
+  status=$(echo $J | jq .status -r)
+  qname=$(echo $J | jq .qname -r)
+
+  [ "$id" != "" ] && [ "$status" == "queued" ] && [ "$qname" == "play job2" ]
+}
+
+@test "Be able to retrieve the current status" {
+  TOKEN="$(cat $BATS_TMPDIR/token)"
+  echo "TOKEN: $TOKEN" >&2
+  J="$(cat $BATS_TMPDIR/job2.json)"
+
+  ID=$(echo $J | jq ._id -r)
+
+  R="$(curl -k -s https://127.0.0.1:3232/v1/api/job/$ID --header "X-Auth-Token: $TOKEN")"
+  echo "R:$R" >&2
+  status=$(echo $R | jq .status -r)
+
+  [ "$status" == "queued" -o "$status" == "running" ]
+}
+
+@test "Status should eventually be success" {
+  TOKEN="$(cat $BATS_TMPDIR/token)"
+  echo "TOKEN: $TOKEN" >&2
+  J="$(cat $BATS_TMPDIR/job2.json)"
+
+  ID=$(echo $J | jq ._id -r)
+  echo "ID:$ID" >&2
+
+  status="queued"
+  for i in {1..40}
+  do
+    sleep 5
+    R="$(curl -k -s https://127.0.0.1:3232/v1/api/job/$ID --header "X-Auth-Token: $TOKEN")"
+    echo "R:$R" >&2
+    status=$(echo $R | jq .status -r)
+    if [ "$status" != "queued" -a "$status" != "running" ]
+    then
+      break
+    fi
+  done
+  echo "status after:$status" >&2
+  echo "$R" > $BATS_TMPDIR/job2.final.json
+  [ "$status" == "success" ]
+}
+
+@test "Should have final output in json" {
+  R="$(cat $BATS_TMPDIR/job2.final.json)"
+
+  echo "R:$R" >&2
+  output="$(echo $R | jq .output -r)"
+
+  echo "$output" | grep "pong"
+}