blobfish-azure-keyvault-ruby 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +11 -0
- data/Gemfile +4 -0
- data/README.md +28 -0
- data/blobfish-azure-keyvault-ruby.gemspec +23 -0
- data/lib/blobfish/keyvault.rb +10 -0
- data/lib/blobfish/keyvault/api_version.rb +7 -0
- data/lib/blobfish/keyvault/authenticated_requestor.rb +36 -0
- data/lib/blobfish/keyvault/certificate.rb +24 -0
- data/lib/blobfish/keyvault/private_key.rb +27 -0
- data/lib/blobfish/keyvault/version.rb +5 -0
- metadata +96 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA1:
|
|
3
|
+
metadata.gz: 0c1049b41eee7072d1d270b3c7a0216743e0880f
|
|
4
|
+
data.tar.gz: ff779e037f2ab6606c55d51fff48236c6590bd4b
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: ae7efa284f86c8b641069562a7d425f774bc9462dca0732facacc298d028f67a1c4f4023a30a1fcdf15bb99227322d6ea6d5e80701a22f08c067c4a65c10da6d
|
|
7
|
+
data.tar.gz: 4d5a98a558192983b9dc57557f17bfc92edcd4d6441a017d3f9b801ef426e2684f16987b4f76476dfca3c45f7ce98161b385f370844eebca00975cbfd6238693
|
data/.gitignore
ADDED
data/Gemfile
ADDED
data/README.md
ADDED
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
# Blobfish::Keyvault
|
|
2
|
+
|
|
3
|
+
This gem allows to sign with a key stored in Azure Key Vault as well as getting a certificate from Azure Key Vault. It manages authentication to Azure Key Vault in a very simple way for the client.
|
|
4
|
+
|
|
5
|
+
## TODOs
|
|
6
|
+
|
|
7
|
+
- Evaluate to remove the concept of a certificate and private key classes.
|
|
8
|
+
- Evaluate to fork https://github.com/stuartbarr/azure-key-vault making a major refactor to get a similar API to the one in the official https://github.com/Azure/azure-keyvault-java, or just start from scratch?. Anyway maintain the name of this gem in the 'blobfish' namespace, i.e. 'blobfish-azure-keyvault-ruby' with the 'blobfish-' prefix to avoid eventually clashing with an eventual official gem that could be published by Microsoft.
|
|
9
|
+
|
|
10
|
+
## Installation
|
|
11
|
+
|
|
12
|
+
Add this line to your application's Gemfile:
|
|
13
|
+
|
|
14
|
+
```ruby
|
|
15
|
+
gem 'blobfish-azure-keyvault-ruby'
|
|
16
|
+
```
|
|
17
|
+
|
|
18
|
+
And then execute:
|
|
19
|
+
|
|
20
|
+
$ bundle
|
|
21
|
+
|
|
22
|
+
Or install it yourself as:
|
|
23
|
+
|
|
24
|
+
$ gem install blobfish-azure-keyvault-ruby
|
|
25
|
+
|
|
26
|
+
## Usage
|
|
27
|
+
|
|
28
|
+
For a demonstration project (in spanish) see https://github.com/hablutzel1/blobfish-azure-keyvault-ruby-demo.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
# coding: utf-8
|
|
2
|
+
lib = File.expand_path("../lib", __FILE__)
|
|
3
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
4
|
+
require "blobfish/keyvault/version"
|
|
5
|
+
|
|
6
|
+
Gem::Specification.new do |spec|
|
|
7
|
+
spec.name = "blobfish-azure-keyvault-ruby"
|
|
8
|
+
spec.version = Blobfish::Keyvault::VERSION
|
|
9
|
+
spec.authors = ["Jaime Hablutzel"]
|
|
10
|
+
spec.email = ["hablutzel1@gmail.com"]
|
|
11
|
+
|
|
12
|
+
spec.summary = "Blobfish's Ruby client for Azure Key Vault."
|
|
13
|
+
spec.description = "Ruby client currently allowing to simplify performing certain operations in Azure Key Vault (getting a certificate and signing)."
|
|
14
|
+
spec.homepage = "https://github.com/hablutzel1/blobfish-azure-keyvault-ruby"
|
|
15
|
+
|
|
16
|
+
spec.files = `git ls-files -z`.split("\x0").reject do |f|
|
|
17
|
+
f.match(%r{^(test|spec|features)/})
|
|
18
|
+
end
|
|
19
|
+
spec.require_paths = ["lib"]
|
|
20
|
+
spec.add_runtime_dependency 'rest-client'
|
|
21
|
+
spec.add_runtime_dependency 'json'
|
|
22
|
+
spec.add_development_dependency "bundler", "~> 1.15"
|
|
23
|
+
end
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
require 'rest-client'
|
|
2
|
+
require 'json'
|
|
3
|
+
|
|
4
|
+
module Blobfish
|
|
5
|
+
module Keyvault
|
|
6
|
+
class AuthenticatedRequestor
|
|
7
|
+
@authorization_header = nil
|
|
8
|
+
def initialize(client_id, client_secret)
|
|
9
|
+
@client_id = client_id
|
|
10
|
+
@client_secret = client_secret
|
|
11
|
+
end
|
|
12
|
+
def execute(method, url, payload = nil, headers = {})
|
|
13
|
+
begin
|
|
14
|
+
perform_request(method, url, payload, headers)
|
|
15
|
+
rescue RestClient::Unauthorized => e
|
|
16
|
+
renew_access_token(e.response.headers[:www_authenticate])
|
|
17
|
+
perform_request(method, url, payload, headers)
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
private
|
|
21
|
+
def perform_request(method, url, payload, headers)
|
|
22
|
+
RestClient::Request.execute(:method => method, :url => url, :payload => payload, :headers => {Authorization: @authorization_header}.merge!(headers))
|
|
23
|
+
end
|
|
24
|
+
# TODO check for possible concurrency problems around the calls to 'renew_access_token', for example, if two different threads end up in the first 'perform_request' call (the one before the 'rescue') with an expired token at the same time, both will end up in a call to 'renew_access_token' generating unnecessarily more than one 'access_token'.
|
|
25
|
+
def renew_access_token(www_authenticate_header)
|
|
26
|
+
# TODO look for an standard way to parse this WWW-Authenticate header content.
|
|
27
|
+
auth_url = www_authenticate_header.match(/authorization="(.*?)"/i).captures.first
|
|
28
|
+
auth_url << '/oauth2/token'
|
|
29
|
+
# TODO extract the 'https://vault.azure.net' 'resource' from the WWW-Authenticate header. Could it really differ from 'https://vault.azure.net'?.
|
|
30
|
+
response = RestClient::Request.execute(method: :post, url: auth_url, payload: {grant_type: 'client_credentials', client_id: @client_id, client_secret: @client_secret, resource: 'https://vault.azure.net'}, headers: {'Content-Type': 'application/x-www-form-urlencoded'})
|
|
31
|
+
access_token = JSON.parse(response)['access_token']
|
|
32
|
+
@authorization_header = "Bearer #{access_token}"
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
end
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
require 'blobfish/keyvault/authenticated_requestor'
|
|
2
|
+
require 'blobfish/keyvault/api_version'
|
|
3
|
+
require 'json'
|
|
4
|
+
require 'base64'
|
|
5
|
+
|
|
6
|
+
module Blobfish
|
|
7
|
+
module Keyvault
|
|
8
|
+
class Certificate
|
|
9
|
+
def initialize(certificate_id, requestor)
|
|
10
|
+
url = certificate_id + '?api-version=' + ApiVersion::DEFAULT_API_VERSION
|
|
11
|
+
response = requestor.execute(:get, url)
|
|
12
|
+
@cert_b64 = JSON.parse(response)['cer']
|
|
13
|
+
end
|
|
14
|
+
def to_base64()
|
|
15
|
+
@cert_b64
|
|
16
|
+
end
|
|
17
|
+
def public_key
|
|
18
|
+
cert_as_der = Base64.decode64(@cert_b64)
|
|
19
|
+
certificate = OpenSSL::X509::Certificate.new cert_as_der
|
|
20
|
+
certificate.public_key
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
end
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
require 'blobfish/keyvault/authenticated_requestor'
|
|
2
|
+
require 'blobfish/keyvault/api_version'
|
|
3
|
+
require 'json'
|
|
4
|
+
require 'base64'
|
|
5
|
+
|
|
6
|
+
module Blobfish
|
|
7
|
+
module Keyvault
|
|
8
|
+
class PrivateKey
|
|
9
|
+
# @param [AuthenticatedRequestor] requestor
|
|
10
|
+
def initialize(key_id, requestor)
|
|
11
|
+
@key_id = key_id
|
|
12
|
+
@requestor = requestor
|
|
13
|
+
end
|
|
14
|
+
def sign(digest, data)
|
|
15
|
+
raise NotImplementedError, 'Only SHA-256 digest signature algorithm is currently supported.' unless digest.instance_of? OpenSSL::Digest::SHA256
|
|
16
|
+
sha256 = Digest::SHA256.new
|
|
17
|
+
base64_digest = Base64.strict_encode64(sha256.digest(data))
|
|
18
|
+
url = @key_id + '/sign?api-version=' + ApiVersion::DEFAULT_API_VERSION
|
|
19
|
+
response = @requestor.execute(:post, url, {alg: 'RS256', value: base64_digest}.to_json, {'Content-Type': "application/json"})
|
|
20
|
+
base64_signature = JSON.parse(response)['value']
|
|
21
|
+
base64_signature.tr!('-_', '+/')
|
|
22
|
+
# TODO check: the previous 'base64_signature' could be missing padding '=' (equals) chars. Confirm that it is never required to complete the padding chars before decoding.
|
|
23
|
+
Base64.decode64(base64_signature)
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,96 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: blobfish-azure-keyvault-ruby
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.1.1
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Jaime Hablutzel
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2017-06-08 00:00:00.000000000 Z
|
|
12
|
+
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: rest-client
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - ">="
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: '0'
|
|
20
|
+
type: :runtime
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - ">="
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: '0'
|
|
27
|
+
- !ruby/object:Gem::Dependency
|
|
28
|
+
name: json
|
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
|
30
|
+
requirements:
|
|
31
|
+
- - ">="
|
|
32
|
+
- !ruby/object:Gem::Version
|
|
33
|
+
version: '0'
|
|
34
|
+
type: :runtime
|
|
35
|
+
prerelease: false
|
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
37
|
+
requirements:
|
|
38
|
+
- - ">="
|
|
39
|
+
- !ruby/object:Gem::Version
|
|
40
|
+
version: '0'
|
|
41
|
+
- !ruby/object:Gem::Dependency
|
|
42
|
+
name: bundler
|
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
|
44
|
+
requirements:
|
|
45
|
+
- - "~>"
|
|
46
|
+
- !ruby/object:Gem::Version
|
|
47
|
+
version: '1.15'
|
|
48
|
+
type: :development
|
|
49
|
+
prerelease: false
|
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
51
|
+
requirements:
|
|
52
|
+
- - "~>"
|
|
53
|
+
- !ruby/object:Gem::Version
|
|
54
|
+
version: '1.15'
|
|
55
|
+
description: Ruby client currently allowing to simplify performing certain operations
|
|
56
|
+
in Azure Key Vault (getting a certificate and signing).
|
|
57
|
+
email:
|
|
58
|
+
- hablutzel1@gmail.com
|
|
59
|
+
executables: []
|
|
60
|
+
extensions: []
|
|
61
|
+
extra_rdoc_files: []
|
|
62
|
+
files:
|
|
63
|
+
- ".gitignore"
|
|
64
|
+
- Gemfile
|
|
65
|
+
- README.md
|
|
66
|
+
- blobfish-azure-keyvault-ruby.gemspec
|
|
67
|
+
- lib/blobfish/keyvault.rb
|
|
68
|
+
- lib/blobfish/keyvault/api_version.rb
|
|
69
|
+
- lib/blobfish/keyvault/authenticated_requestor.rb
|
|
70
|
+
- lib/blobfish/keyvault/certificate.rb
|
|
71
|
+
- lib/blobfish/keyvault/private_key.rb
|
|
72
|
+
- lib/blobfish/keyvault/version.rb
|
|
73
|
+
homepage: https://github.com/hablutzel1/blobfish-azure-keyvault-ruby
|
|
74
|
+
licenses: []
|
|
75
|
+
metadata: {}
|
|
76
|
+
post_install_message:
|
|
77
|
+
rdoc_options: []
|
|
78
|
+
require_paths:
|
|
79
|
+
- lib
|
|
80
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
81
|
+
requirements:
|
|
82
|
+
- - ">="
|
|
83
|
+
- !ruby/object:Gem::Version
|
|
84
|
+
version: '0'
|
|
85
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
86
|
+
requirements:
|
|
87
|
+
- - ">="
|
|
88
|
+
- !ruby/object:Gem::Version
|
|
89
|
+
version: '0'
|
|
90
|
+
requirements: []
|
|
91
|
+
rubyforge_project:
|
|
92
|
+
rubygems_version: 2.4.5.2
|
|
93
|
+
signing_key:
|
|
94
|
+
specification_version: 4
|
|
95
|
+
summary: Blobfish's Ruby client for Azure Key Vault.
|
|
96
|
+
test_files: []
|