bolt 1.34.0 → 1.35.0

data/lib/bolt/plugin/vault.rb

@@ -1,206 +0,0 @@
-# frozen_string_literal: true
-
-module Bolt
-  class Plugin
-    class Vault
-      class VaultHTTPError < Bolt::Error
-        def initialize(response)
-          err = JSON.parse(response.body)['errors']
-          m = String.new("#{response.code} \"#{response.msg}\"")
-          m << ": #{err.join(';')}" unless err.nil?
-          super(m, 'bolt.plugin/vault-http-error')
-        end
-      end
-
-      attr_reader :config
-
-      # All requests for secrets must have a token in the request header
-      TOKEN_HEADER = "X-Vault-Token"
-
-      # Default header for all requests, including auth methods
-      DEFAULT_HEADER = {
-        "Content-Type" => "application/json",
-        "Accept" => "application/json"
-      }.freeze
-
-      # Make sure no unexpected keys are in the config
-      def validate_config(config)
-        known_keys = %w[server_url auth cacert]
-
-        config.each do |key, _v|
-          next if known_keys.include?(key)
-          raise Bolt::ValidationError, "Unexpected key in Vault plugin config: #{key}"
-        end
-      end
-
-      # Make sure no unexpected keys are in the inventory config and
-      # that required keys are present
-      def validate_options(opts)
-        known_keys = %w[_plugin server_url auth path field version cacert]
-        required_keys = %w[path]
-
-        opts.each do |key, _v|
-          next if known_keys.include?(key)
-          raise Bolt::ValidationError, "Unexpected key in inventory config: #{key}"
-        end
-
-        required_keys.each do |key|
-          next if opts[key]
-          raise Bolt::ValidationError, "Expected key in inventory config: #{key}"
-        end
-      end
-
-      def name
-        'vault'
-      end
-
-      def hooks
-        [:resolve_reference]
-      end
-
-      def initialize(config:, **_opts)
-        validate_config(config)
-        @config = config
-        @logger = Logging.logger[self]
-      end
-
-      def resolve_reference(opts)
-        validate_options(opts)
-
-        header = {
-          TOKEN_HEADER => token(opts)
-        }
-
-        response = request(:Get, uri(opts), opts, nil, header)
-
-        parse_response(response, opts)
-      end
-
-      # Request uri - built up from Vault server url and secrets path
-      def uri(opts, path = nil)
-        url = opts['server_url'] || config['server_url'] || ENV['VAULT_ADDR']
-
-        # Handle the different versions of the API
-        if opts['version'] == 2
-          mount, store = opts['path'].split('/', 2)
-          opts['path'] = [mount, 'data', store].join('/')
-        end
-
-        path ||= opts['path']
-
-        URI.parse(File.join(url, "v1", path))
-      end
-
-      # Configure the http/s client
-      def client(uri, opts)
-        client = Net::HTTP.new(uri.host, uri.port)
-
-        if uri.scheme == 'https'
-          cacert = opts['cacert'] || config['cacert'] || ENV['VAULT_CACERT']
-
-          unless cacert
-            raise Bolt::ValidationError, "Expected cacert to be set when using https"
-          end
-
-          client.use_ssl = true
-          client.ssl_version = :TLSv1_2
-          client.ca_file = cacert
-          client.verify_mode = OpenSSL::SSL::VERIFY_PEER
-        end
-
-        client
-      end
-
-      # Auth token to vault server
-      def token(opts)
-        if (auth = opts['auth'] || config['auth'])
-          request_token(auth, opts)
-        else
-          ENV['VAULT_TOKEN']
-        end
-      end
-
-      def request(verb, uri, opts, data, header = {})
-        # Add on any header options
-        header = DEFAULT_HEADER.merge(header)
-
-        # Create the HTTP request
-        client = client(uri, opts)
-        request = Net::HTTP.const_get(verb).new(uri.request_uri, header)
-
-        # Attach any data
-        request.body = data if data
-
-        # Send the request
-        begin
-          response = client.request(request)
-        rescue StandardError => e
-          raise Bolt::Error.new(
-            "Failed to connect to #{uri}: #{e.message}",
-            'CONNECT_ERROR'
-          )
-        end
-
-        case response
-        when Net::HTTPOK
-          JSON.parse(response.body)
-        else
-          raise VaultHTTPError, response
-        end
-      end
-
-      def parse_response(response, opts)
-        data = case opts['version']
-               when 2
-                 response['data']['data']
-               else
-                 response['data']
-               end
-
-        if opts['field']
-          unless data[opts['field']]
-            raise Bolt::ValidationError, "Unknown secrets field: #{opts['field']}"
-          end
-          data[opts['field']]
-        else
-          data
-        end
-      end
-
-      # Request a token from Vault using one of the auth methods
-      def request_token(auth, opts)
-        case auth['method']
-        when 'token'
-          auth_token(auth)
-        when 'userpass'
-          auth_userpass(auth, opts)
-        else
-          raise Bolt::ValidationError, "Unknown auth method: #{auth['method']}"
-        end
-      end
-
-      def validate_auth(auth, required_keys)
-        required_keys.each do |key|
-          next if auth[key]
-          raise Bolt::ValidationError, "Expected key in #{auth['method']} auth method: #{key}"
-        end
-      end
-
-      # Authenticate with Vault using the 'Token' auth method
-      def auth_token(auth)
-        validate_auth(auth, %w[token])
-        auth['token']
-      end
-
-      # Authenticate with Vault using the 'Userpass' auth method
-      def auth_userpass(auth, opts)
-        validate_auth(auth, %w[user pass])
-        path = "auth/userpass/login/#{auth['user']}"
-        uri = uri(opts, path)
-        data = { "password" => auth['pass'] }.to_json
-
-        request(:Post, uri, opts, data)['auth']['client_token']
-      end
-    end
-  end
-end