azure-key-vault 0.0.15 → 0.0.16

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 14f95ef2cb7bf5a35564eaf2cdcabdfe2021ae82c70dd216d2b414aabcc08b00
-  data.tar.gz: ed2933a058f17415caacf02ccac98d5d63ee9dda71dbebd6fa577caf5fc44bb6
+  metadata.gz: 4cc02b995cb48c3f671d511f0ab77f33d25389a74440279ee64087ac17c08e6a
+  data.tar.gz: 7008d4837aac317e8834c52b461a6305fedc7b8d1e2f430be78ad993a8096247
 SHA512:
-  metadata.gz: 5823c8f29e088da5ceafe4907884af4fa7a018de9e0dceac1fcfe27d16b2e84787bdc34bfe4eff31ab1cf781e0558c9efa345d3b7430092ffb3d2f20f42f17ae
-  data.tar.gz: bc90aa686f941a5a78c86b55230966d33045e1d4622fd22d9280f9eb679d7f382a18adaff2fb97ff70935d146cb44f07fea510da73f82dd05d037ae9ce51fd51
+  metadata.gz: fc4201b1240909dca6f396409a9a2fc4152fc3bc0bc59e07a945352bd8ab5285254ffb64e3b6a49c9bac2d37114b6accce06e32a6e0fb56c80c3b1abc6184655
+  data.tar.gz: fcaa0a644e14f68298633912f2a99ccc81e090597f5061372f240e9007e15a346de9550d5edc4fbbc83b2b4ccecf6d23cf0fc03b1935fc5b4f50f1463eaef3ca

data/.rspec

@@ -0,0 +1,2 @@
+--require spec_helper
+--format documentation

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    azure-key-vault (0.0.15)
+    azure-key-vault (0.0.16)
       json_pure (~> 2.1)
       rest-client (~> 2.0)
 
@@ -11,9 +11,10 @@ GEM
     ast (2.3.0)
     coderay (1.1.2)
     diff-lcs (1.3)
-    domain_name (0.5.20170404)
+    domain_name (0.5.20180417)
       unf (>= 0.0.5, < 1.0.0)
     ffi (1.9.18)
+    ffi (1.9.18-x64-mingw32)
     formatador (0.2.5)
     guard (2.14.2)
       formatador (>= 0.2.4)
@@ -44,9 +45,9 @@ GEM
       ruby_dep (~> 1.2)
     lumberjack (1.0.12)
     method_source (0.9.0)
-    mime-types (3.1)
+    mime-types (3.2.2)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2016.0521)
+    mime-types-data (3.2018.0812)
     nenv (0.3.0)
     netrc (0.11.0)
     notiffany (0.1.1)
@@ -66,7 +67,8 @@ GEM
       ffi (>= 0.5.0, < 2)
     rb-readline (0.5.5)
     rdoc (4.3.0)
-    rest-client (2.0.2)
+    rest-client (2.0.2-x64-mingw32)
+      ffi (~> 1.9)
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
       netrc (~> 0.8)
@@ -96,11 +98,12 @@ GEM
     thor (0.20.0)
     unf (0.1.4)
       unf_ext
-    unf_ext (0.0.7.4)
+    unf_ext (0.0.7.5-x64-mingw32)
     unicode-display_width (1.3.0)
 
 PLATFORMS
   ruby
+  x64-mingw32
 
 DEPENDENCIES
   azure-key-vault!
@@ -116,4 +119,4 @@ DEPENDENCIES
   rubocop
 
 BUNDLED WITH
-   1.12.5
+   1.16.2

data/LICENCE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2019 Mike Scott
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -1,4 +1,7 @@
 # azure-key-vault
+
+[![Gem Version](https://badge.fury.io/rb/azure-key-vault.svg)](https://badge.fury.io/rb/azure-key-vault)
+
 Ruby wrapper for Azure Key Vault REST API
 
 ## Examples
@@ -6,6 +9,9 @@ Ruby wrapper for Azure Key Vault REST API
 ### Get an access token
 `bearer_token = KeyVault::Auth.new(tenant_id, client_id, client_secret).bearer_token`
 
+### Get an access token using Managed Identity
+`bearer_token = KeyVault::ManagedIdentityAuth.new().bearer_token`
+
 ### Get client for and existing Azure Key Vault
 `vault = KeyVault::Client.new(vault_name, bearer_token)`
 

data/lib/key_vault.rb

@@ -1,9 +1,11 @@
 require 'key_vault/version'
 require 'key_vault/client'
 require 'key_vault/auth'
+require 'key_vault/managed_identity_auth'
 
 # Provides a simple Ruby interface for the Azure Key Vault REST API
 module KeyVault
   # The default Azure REST API version
-  DEFAULT_API_VERSION = '2016-10-01'.freeze
+  VAULT_API_VERSION = '2016-10-01'.freeze
+  METADATA_API_VERSION = '2018-04-02'.freeze
 end

data/lib/key_vault/client.rb

@@ -21,10 +21,10 @@ module KeyVault
     # +vault_name+:: The name of the key vault
     # +bearer_token+:: The token obtained from #KeyVault::Auth
     # +api_version+:: (*optional*) Version of the azure REST API to use.
-    #                 Defaults to +DEFAULT_API_VERSION+
-    def initialize(vault_name, bearer_token, api_version: DEFAULT_API_VERSION)
+    #                 Defaults to +VAULT_API_VERSION+
+    def initialize(vault_name, bearer_token, api_version: VAULT_API_VERSION)
       @vault_name = vault_name
-      @api_version = api_version || DEFAULT_API_VERSION
+      @api_version = api_version || VAULT_API_VERSION
       @bearer_token = bearer_token
       @vault_url = Url.new(@vault_name)
     end

data/lib/key_vault/managed_identity_auth.rb

@@ -0,0 +1,42 @@
+require 'rest-client'
+require 'json'
+module KeyVault
+  # Authenticator for Azure Key Vault using Managed Identity
+  class ManagedIdentityAuth
+    # Create authenticator using Managed Identity
+    # ==== Parameters:
+    # +api_version+:: (*optional*) Version of the azure Metadata REST API to use.
+    #                 Defaults to +METADATA_API_VERSION+
+    def initialize(api_version: METADATA_API_VERSION)
+      @api_version = api_version || METADATA_API_VERSION
+    end
+
+    # Authenticates with Azure using OAUTH 2.0
+    # ==== Returns:
+    # A string containing the bearer token for insertion into request headers
+    # ==== Raises:
+    # +ArgumentError+:: If the authentication request format is invalid
+    # +KeyVault::Unauthorized+:: If authentication fails authorization
+    def bearer_token
+      result = RestClient::Request.execute(method: :get,
+                                           url: url,
+                                           headers: headers)
+      token_resp = JSON.parse(result)
+      "Bearer #{token_resp['access_token']}"
+    rescue RestClient::BadRequest
+      raise ArgumentError, 'Could not authenticate to Azure (Bad Request)'
+    rescue RestClient::Unauthorized
+      raise KeyVault::Unauthorized
+    end
+
+    private
+
+    def headers
+      { 'Metadata' => 'true' }
+    end
+
+    def url
+      "http://169.254.169.254/metadata/identity/oauth2/token?api-version=#{@api_version}&resource=https://vault.azure.net"
+    end
+  end
+end

data/lib/key_vault/version.rb

@@ -1,4 +1,4 @@
 module KeyVault
   # Version number of this gem
-  VERSION = '0.0.15'.freeze
+  VERSION = '0.0.16'.freeze
 end

data/spec/key_vault/client_spec.rb

@@ -12,7 +12,7 @@ describe KeyVault::Client do
 
     it 'defaults api_version' do
       client = KeyVault::Client.new(vault_name, bearer_token)
-      expect(client.api_version).to eq KeyVault::DEFAULT_API_VERSION
+      expect(client.api_version).to eq KeyVault::VAULT_API_VERSION
     end
 
     it 'allows setting of api_version' do
@@ -25,7 +25,7 @@ describe KeyVault::Client do
   describe '.get_secret' do
     let(:secret_name) { 'the-secret' }
     let(:secret_value) { 'top secret' }
-    let(:api_version) { KeyVault::DEFAULT_API_VERSION }
+    let(:api_version) { KeyVault::VAULT_API_VERSION }
     let(:secret_url) { "https://#{vault_name}.vault.azure.net/secrets/#{secret_name}?api-version=#{api_version}" }
     let(:valid_response) do
       <<-RESPONSE

data/spec/key_vault/managed_identity_auth_spec.rb

@@ -0,0 +1,55 @@
+require 'spec_helper'
+describe KeyVault::ManagedIdentityAuth do
+
+  describe('#new') do
+    it 'requires no parameters' do
+      auth = KeyVault::ManagedIdentityAuth.new()
+      expect(auth).not_to be_nil
+    end
+  end
+
+  describe '.bearer_token' do
+    subject(:auth) { KeyVault::ManagedIdentityAuth.new() }
+    let(:auth_url) { "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-04-02&resource=https://vault.azure.net" }
+    let(:access_token) { 'theaccesstoken' }
+    let(:auth_response) { %Q[{
+      "token_type":"Bearer",
+      "some_other_params":"...",
+      "resource":"https://vault.azure.net",
+      "access_token":"#{access_token}"
+    }] }
+
+    let(:rest_request) do
+      class_double('RestClient::Request')
+        .as_stubbed_const(:transfer_nested_constants => true)
+    end
+    
+    it 'authenticates with Microsoft OAUTH' do
+      expect(rest_request).to receive(:execute).and_return(auth_response)
+      auth.bearer_token
+    end
+
+    it 'raises argument error if bad request is returned' do
+      expect(rest_request).to receive(:execute).and_raise(RestClient::BadRequest)
+      expect{auth.bearer_token}.to raise_error(ArgumentError)
+    end
+
+    it 'raises custom Unauthorized exception if unauthorized' do
+      expect(rest_request).to receive(:execute).and_raise(RestClient::Unauthorized)
+      expect{auth.bearer_token}.to raise_error(KeyVault::Unauthorized)
+    end
+
+    it 'calls REST API get from the authentication url' do
+      expect(rest_request).to receive(:execute)
+         .with(hash_including(method: :get, url: auth_url))
+          .and_return(auth_response)
+      auth.bearer_token
+    end 
+
+    it 'returns the access_token as bearer token' do
+      expect(rest_request).to receive(:execute).and_return(auth_response)
+      expect(auth.bearer_token).to eq("Bearer #{access_token}")
+    end
+
+  end
+end

data/spec/key_vault/version_spec.rb

@@ -2,6 +2,6 @@ require 'spec_helper'
 
 describe 'KeyVault::VERSION' do
   it 'gets the correct version' do
-    expect(KeyVault::VERSION).to eq '0.0.15'
+    expect(KeyVault::VERSION).to eq '0.0.16'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: azure-key-vault
 version: !ruby/object:Gem::Version
-  version: 0.0.15
+  version: 0.0.16
 platform: ruby
 authors:
 - Mike Scott
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-17 00:00:00.000000000 Z
+date: 2019-01-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json_pure
@@ -184,9 +184,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".rspec"
 - Gemfile
 - Gemfile.lock
 - Guardfile
+- LICENCE
 - README.md
 - Rakefile
 - azurekeyvault.gemspec
@@ -194,10 +196,12 @@ files:
 - lib/key_vault/auth.rb
 - lib/key_vault/client.rb
 - lib/key_vault/exceptions.rb
+- lib/key_vault/managed_identity_auth.rb
 - lib/key_vault/url.rb
 - lib/key_vault/version.rb
 - spec/key_vault/auth_spec.rb
 - spec/key_vault/client_spec.rb
+- spec/key_vault/managed_identity_auth_spec.rb
 - spec/key_vault/url_spec.rb
 - spec/key_vault/version_spec.rb
 - spec/spec_helper.rb