cerberus_client 1.2.1 → 1.3.0
- checksums.yaml +5 -13
- data/.travis.yml +14 -0
- data/README.md +7 -2
- data/cerberus_client.gemspec +3 -2
- data/lib/cerberus/aws_role_credentials_provider.rb +45 -7
- data/lib/cerberus_client/version.rb +1 -1
- metadata +33 -18
checksums.yaml
CHANGED
@@ -1,15 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
|
5
|
-
data.tar.gz: !binary |-
|
6
|
-
YjIwYzE2M2NjNjA3NDMxYzVjMjhiZmRhZGYzYjFlN2RmNWExNGE0Nw==
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: c9c2c6f6e7a6835b0a8681dceffdebbff7a83633
|
4
|
+
data.tar.gz: cd165f1d90a67a582b5092482f2215984da19d22
|
7
5
|
SHA512:
|
8
|
-
metadata.gz:
|
9
|
-
|
10
|
-
ZTg1OGQ3NzY3MDk1NzU5ZTRlZWE0OGE5MWU4NGQ0ZWNhNDNmZGRhZDkxM2I2
|
11
|
-
YjZkZmU2NGI4YmM2NzJjMDRlODYzZTQ5YzNkMTcyMTAyNDNmNTM=
|
12
|
-
data.tar.gz: !binary |-
|
13
|
-
ZDVhZjkzNzJkMmU3ZGRmMjY0MDhmMjg5ODlhYTBhMWRmN2FkM2RjOWJhY2Q2
|
14
|
-
ZTg4ZTZhOTU4MDU1ZDQ0NjgxMmYwZmI1NTRhNzIxMzRhYTFjMzkzYjI4YmNm
|
15
|
-
NDQ5ODMzNTY0MTA4NmI5MjNlMmEzMzViMDhlNWM1Y2E5MGI5Mjg=
|
6
|
+
metadata.gz: 1265585ef0f9fbf30069b14fc70dad9c3ca2f570471fb4e2079ca5ac78910bcabc14a0efb1f40e73e2575d36b252abd0665717a01e7f5143e3e36b8382c4c261
|
7
|
+
data.tar.gz: 0aed3abacaf93e8e4d012ff15f993ad2ff602d5901a149106107b4071f37f3879597c0f1fd18957c0c4ef02f69411fcc2da1a124ddb8660196892376fd5b3b50
|
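--- /dev/null
+++ b/data/.travis.yml
@@ -0,0 +1,14 @@
+language: ruby
+rvm:
+- 2.0
+- jruby
+script: bundle exec rspec spec
+deploy:
+provider: rubygems
+api_key:
+secure: 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
+gem: cerberus_client
+on:
+tags: true
+repo: Nike-Inc/cerberus-ruby-client
+branch: publish-gem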
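--- a/data/README.md
+++ b/data/README.md
@@ -1,5 +1,10 @@
 # Cerberus Ruby Client
 
+[![Gem](https://img.shields.io/gem/v/cerberus_client.svg)](https://rubygems.org/gems/cerberus_client)
+[![Downloads](https://img.shields.io/gem/dt/cerberus_client.svg)](https://rubygems.org/gems/cerberus_client)
+[![Build](https://img.shields.io/travis/USER/REPO/BRANCH.svg)](https://travis-ci.org/Nike-Inc/cerberus-ruby-client)
+
+
 This is a Ruby based client library for communicating with Vault via HTTP and enables authentication schemes specific
 to AWS and Cerberus.
 
@@ -15,7 +20,7 @@ These installation instructions need to be updated after we open source and publ
 Add this to your application's Gemfile:
 
 ```ruby
-source
+source 'https://rubygems.org'
 gem 'cerberus_client'
 ```
 
@@ -26,7 +31,7 @@ $ bundle
 
 Or do it yourself:
 ```bash
-$ gem install cerberus_client
+$ gem install cerberus_client
 ```
 
 ## Usage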
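--- a/data/cerberus_client.gemspec
+++ b/data/cerberus_client.gemspec
@@ -28,6 +28,7 @@ Gem::Specification.new do |spec|
 spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
 spec.require_paths = ["lib"]
 
-spec.add_development_dependency
-spec.add_development_dependency
+spec.add_development_dependency 'aws-sdk', '~> 2'
+spec.add_development_dependency 'rspec', '~> 3.0'
+spec.add_development_dependency 'bundler', '~> 1.13'
 end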
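Review bot: `spec.add_development_dependency 'aws-sdk', '~> 2'` declares aws-sdk only for development, yet the code shipped in this same release (lib/cerberus/aws_role_credentials_provider.rb) calls `Aws::AssumeRoleCredentials.new` and `Aws::STS::Client.new`, and the metadata section lists every dependency as `type: :development`, so an application that installs the gem without its own aws-sdk will hit an uninitialized constant the first time role assumption is attempted. It should be a runtime dependency, `spec.add_runtime_dependency 'aws-sdk', '~> 2'`, unless loading the SDK is intentionally left to the consumer, in which case the README should say so. The enclosing `Gem::Specification.new` block starts before the hunk.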
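--- a/data/lib/cerberus/aws_role_credentials_provider.rb
+++ b/data/lib/cerberus/aws_role_credentials_provider.rb
@@ -55,7 +55,11 @@ module Cerberus
 ##
 def getClientToken
 
-if (@
+if (@role.nil?)
+raise Cerberus::Exception::NoValueError
+end
+
+if (@clientToken.nil?)
 @clientToken = getCredentialsFromCerberus
 end
 
@@ -70,12 +74,37 @@ module Cerberus
 
 end
 
+##
+# Policy: if we are given these three pieces of data, we will assume a role to do auth
+##
+def should_assume_role?(roleAccountId, roleName, roleRegion)
+!(roleName.nil? || roleAccountId.nil? || roleRegion.nil?)
+end
+
+##
+# Policy: if we do not have an instance MD service URL and we can't assume a role, then this instance
+# of the provider cannot use a role to provide credentials. Primarily used for testing.
+##
+def have_access_to_role?(instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId)
+(!instanceMdSvcBaseUrl.nil? || should_assume_role?(roleName, roleRegion, roleAccountId))
+end
+
 private
 
+##
+# Uses provided data to determine how to construct the AwsRoleInfo use by this provider
+##
 def get_role_info(instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId)
-
+
+# if we have no metedata about how to auth, we do nothing
+# this is used in unit testing primarily
+if (!have_access_to_role?(instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId))
+return nil;
+elsif (should_assume_role(roleAccountId, roleName, roleRegion))
+# we are assuming a role to do auth
 return get_role_from_provided_info(roleName, roleRegion, roleAccountId)
 else
+# we are using a role that the instance has associated with it
 @instanceMdSvcBaseUrl = instanceMdSvcBaseUrl.nil? ? INSTANCE_METADATA_SVC_BASE_URL : instanceMdSvcBaseUrl
 
 # collect instance MD we need to auth with Cerberus
@@ -83,12 +112,25 @@ module Cerberus
 end
 end
 
+
+##
+# Get an AwsRoleInfo object from the provided data
+##
 def get_role_from_provided_info(roleName, roleRegion, roleAccountId)
-
+
+role_creds = Aws::AssumeRoleCredentials.new(
+client: Aws::STS::Client.new(region: roleRegion),
+role_arn: "arn:aws:iam::#{roleAccountId}:role/#{roleName}",
+role_session_name: "hiera-cpe-build")
 
 return AwsRoleInfo.new(roleName, roleRegion, roleAccountId, credentials: role_creds)
 end
 
+##
+# Use the instance metadata to extract the role information
+# This function should only be called from an EC2 instance otherwise the http
+# call will fail.
+##
 def get_role_from_instance_metadata
 role_arn = getIAMRoleARN
 region = getRegionFromAZ(getAvailabilityZone)
@@ -103,10 +145,6 @@ module Cerberus
 return AwsRoleInfo.new(role_name, region, account_id, nil)
 end
 
-def should_assume_role(roleAccountId, roleName, roleRegion)
-!(roleName.nil? || roleAccountId.nil? || roleRegion.nil?)
-end
-
 ##
 # Reach out to the Cerberus management service and get an auth token
 ##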
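Review bot: `elsif (should_assume_role(roleAccountId, roleName, roleRegion))` in get_role_info calls the old un-suffixed name, which the last hunk of this file deletes, so every call that reaches this branch raises NoMethodError; the surviving predicate is `should_assume_role?`, so the line should read `elsif should_assume_role?(roleAccountId, roleName, roleRegion)`. have_access_to_role? also passes `(roleName, roleRegion, roleAccountId)` to a predicate declared as `(roleAccountId, roleName, roleRegion)`; harmless while all three are only nil-checked, but worth aligning before the predicate grows any per-argument logic. In get_role_from_provided_info the hard-coded `role_session_name: "hiera-cpe-build"` is the session identity CloudTrail records for every AssumeRole this client makes, so a name identifying this gem (or a caller-supplied one) would make the resulting activity attributable. get_role_info's body continues past the end of its hunk.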
metadata
CHANGED
@@ -1,43 +1,57 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cerberus_client
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Joe Teibel
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-03-
|
11
|
+
date: 2017-03-28 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
|
-
name:
|
14
|
+
name: aws-sdk
|
15
15
|
requirement: !ruby/object:Gem::Requirement
|
16
16
|
requirements:
|
17
|
-
- - ~>
|
17
|
+
- - "~>"
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: '
|
19
|
+
version: '2'
|
20
20
|
type: :development
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
|
-
- - ~>
|
24
|
+
- - "~>"
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: '
|
26
|
+
version: '2'
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
|
-
name:
|
28
|
+
name: rspec
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
|
-
- - ~>
|
31
|
+
- - "~>"
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: '
|
33
|
+
version: '3.0'
|
34
34
|
type: :development
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
|
-
- - ~>
|
38
|
+
- - "~>"
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: '3.0'
|
41
|
+
- !ruby/object:Gem::Dependency
|
42
|
+
name: bundler
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
44
|
+
requirements:
|
45
|
+
- - "~>"
|
39
46
|
- !ruby/object:Gem::Version
|
40
|
-
version: '
|
47
|
+
version: '1.13'
|
48
|
+
type: :development
|
49
|
+
prerelease: false
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
51
|
+
requirements:
|
52
|
+
- - "~>"
|
53
|
+
- !ruby/object:Gem::Version
|
54
|
+
version: '1.13'
|
41
55
|
description: This is a Ruby based client library for communicating with Vault via
|
42
56
|
HTTP and enables authentication schemes specific to AWS and Cerberus. This client
|
43
57
|
currently supports read-only operations (write operations are not yet implemented,
|
@@ -49,8 +63,9 @@ executables: []
|
|
49
63
|
extensions: []
|
50
64
|
extra_rdoc_files: []
|
51
65
|
files:
|
52
|
-
- .gitignore
|
53
|
-
- .rspec
|
66
|
+
- ".gitignore"
|
67
|
+
- ".rspec"
|
68
|
+
- ".travis.yml"
|
54
69
|
- CHANGELOG.md
|
55
70
|
- CONTRIBUTING.md
|
56
71
|
- Gemfile
|
@@ -85,18 +100,18 @@ require_paths:
|
|
85
100
|
- lib
|
86
101
|
required_ruby_version: !ruby/object:Gem::Requirement
|
87
102
|
requirements:
|
88
|
-
- -
|
103
|
+
- - ">="
|
89
104
|
- !ruby/object:Gem::Version
|
90
105
|
version: '0'
|
91
106
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
92
107
|
requirements:
|
93
|
-
- -
|
108
|
+
- - ">="
|
94
109
|
- !ruby/object:Gem::Version
|
95
110
|
version: '0'
|
96
111
|
requirements: []
|
97
112
|
rubyforge_project:
|
98
|
-
rubygems_version: 2.4.
|
113
|
+
rubygems_version: 2.4.5
|
99
114
|
signing_key:
|
100
115
|
specification_version: 4
|
101
|
-
summary:
|
116
|
+
summary: '["A Ruby Client for Cerberus, a secure property store for cloud applications"]'
|
102
117
|
test_files: []
|