cerberus_client 1.2.1

data/lib/cerberus/vault_client.rb

@@ -0,0 +1,207 @@
+
+
+module Cerberus
+
+  require_relative('../cerberus_client/log')
+  require_relative('exception/http_error')
+  require_relative('exception/ambiguous_vault_bad_request')
+  require_relative('default_credentials_provider_chain')
+  require('json')
+
+  ##
+  # Client for interacting with the Vault API
+  ##
+  class VaultClient
+
+    # relative path to the Vault secrets API
+    SECRET_PATH_PREFIX = "/v1/secret/"
+    SECRET_MAP_DATA_KEY = VAULT_LIST_DATA_KEY = "data"
+    VAULT_TOKEN_HEADER_KEY = 'X-Vault-Token'
+    VAULT_ERRORS_KEY = "errors"
+    VAULT_PERMISSION_DENIED_ERR = "permission denied"
+    VAULT_LIST_KEYS_KEY = "keys"
+    VAULT_LIST_PARAM_KEY = "list"
+    SLASH = "/"
+
+    attr_reader :vaultBaseUrl
+    attr_reader :credentialsProvider
+
+    ##
+    # Init with the base URL for vault
+    ##
+    def initialize(urlResolver, credentialsProviderChain)
+
+      require 'net/https'
+
+      @vaultBaseUrl = CerberusClient.getUrlFromResolver(urlResolver)
+      @credentialsProvider = credentialsProviderChain.getCredentialsProvider
+
+    end # initialize
+
+    ##
+    # Read operation for a specified path.
+    ##
+    def read(path)
+
+      begin
+        response = doVaultHttpGet(SECRET_PATH_PREFIX + path)
+        CerberusClient::Log.instance.debug("VaultClient::read(path) HTTP response: #{response.code}, #{response.message}")
+        response.body
+
+      rescue => ex
+        CerberusClient::Log.instance.error("VaultClient::read(#{path}) unhandled exception trying to read: #{ex.message}")
+        raise ex
+      end
+    end # read
+
+    ##
+    # Read operation for a specified path.
+    ##
+    def readKey(path, key)
+      begin
+        CerberusClient::Log.instance.error("VaultClient::read(#{path}, #{key})")
+
+        readPathAndIterateOnDataWithProc(path, &(Proc.new { |k, v| if(key == k); return v; end }) )
+
+        # else, we didn't find it
+        return nil
+
+      rescue => ex
+        CerberusClient::Log.instance.error("VaultClient::read(#{path}, #{key}) unhandled exception trying to read: #{ex.message}")
+        raise ex
+      end
+    end
+
+    ##
+    # Returns a list of key names at the specified location. Folders are suffixed with /.
+    # The input must be a folder; list on a file will return nil
+    ##
+    def list(path)
+      begin
+        response = doVaultHttpGet(SECRET_PATH_PREFIX + path + "?list=true")
+
+        CerberusClient::Log.instance.debug("VaultClient::list(#{path}) HTTP response: #{response.code}, #{response.message}")
+
+        jsonResonseBody = JSON.parse(response.body)
+        pathList = jsonResonseBody[VAULT_LIST_DATA_KEY][VAULT_LIST_KEYS_KEY]
+        CerberusClient::Log.instance.debug("VaultClient::list returning #{pathList.join(", ")} ")
+        pathList
+
+      rescue => ex
+
+        # check to see if we threw the Http error with a response object
+        response = (ex.instance_of?(Cerberus::Exception::HttpError)) ? ex.response : nil
+        if(!response.nil? && response.code.to_i == 404)
+          return nil
+        end
+
+        CerberusClient::Log.instance.error("VaultClient::list(#{path}) unhandled exception trying to read: #{ex.message}")
+        raise ex
+      end
+    end
+
+    ##
+    # This is potentially an expensive operation depending on the depth of the tree we're trying to parse
+    # It recursively walks 'path' and returns a hash of all child [path] => [array of keys] found under 'path'
+    # if 'path' is a folder, it must have a trailing slash ('/').  If 'path' is an "end node" or "vault file", then it
+    # should not have a trailing slash ('/')
+    ##
+    def describe!(path, resultHash = nil)
+
+      CerberusClient::Log.instance.debug("VaultClient::describe!(#{path})")
+
+      if(resultHash == nil)
+        resultHash = Hash.new()
+      end
+
+      curChildren = list(path)
+
+      # if curChildren is nil, it's possible there are no children or that we don't have access
+      # It's also possible it is the "end" of the path... what Vault calls "the file"
+      # in that case, we should send back the keys in that path so give it a shot
+      if(curChildren.nil?)
+        resultHash[path] = Array.new
+        readPathAndIterateOnDataWithProc(path, &(Proc.new { |key, value| resultHash[path] << key }) )
+        return resultHash
+      end
+
+      curChildren.each { |childNode|
+        curLocation = path + childNode
+        # if childNode ends with '/' then we have a directory we need to call into
+        if(childNode.end_with?(SLASH))
+          describe!(curLocation, resultHash)
+        else # it is a "directory" that contains keys
+          resultHash[curLocation] = Array.new
+          readPathAndIterateOnDataWithProc(curLocation, &(Proc.new { |key, value| resultHash[curLocation] << key }) )
+        end
+      }
+      return resultHash
+    end
+
+    private
+
+
+    ##
+    #  Attempts to execute the proc passed in on every key, value located in the 'data' element read at 'path'
+    ##
+    def readPathAndIterateOnDataWithProc(path, &p)
+      jsonResponseBody = JSON.parse(read(path))
+      jsonResponseBody[VAULT_LIST_DATA_KEY].each { |dataMapKey, dataMapValue|
+        p.call(dataMapKey, dataMapValue)
+      }
+    end
+
+    ##
+    # Do an http request to Vault using the relative URI passed in
+    ##
+    def doVaultHttpGet(relativeUri)
+
+      url = URI(@vaultBaseUrl + relativeUri)
+
+      begin
+        response = CerberusClient::Http.new.doHttp(url,
+                                                 'GET', true, nil,
+                                                 {VAULT_TOKEN_HEADER_KEY =>
+                                                      CerberusClient.getCredentialsFromProvider(@credentialsProvider)})
+
+      rescue Cerberus::Exception::HttpError => ex
+        # Since Vault wants to pass back 400 bad request for both paths we don't have access to
+        # and paths that don't actually exist at all, I'm sending back a specific error so that implementing clients
+        # can at least understand the situation they find themselves in
+        #
+        # This client could actually work around this problem by first getting a list of all paths we have access to and
+        # determining if the path exists in that list.  If not, 404 (which is more appropriate than 400).
+        # TODO: implement "list > check for path" work around <-- NOTE:  This is a relatively expensive operation
+
+        if(!ex.response.nil? && (ex.response.code.to_i == 400) && (hasPermissionErrors?(ex.response.body)))
+          raise Exception::AmbiguousVaultBadRequest.new
+        else
+          raise ex
+        end
+
+      end
+
+      response
+
+    end # doVaultHttp
+
+    ##
+    # Parse out the permission errors json
+    ##
+    def hasPermissionErrors?(jsonErrorsMsg)
+      begin
+        json = JSON.parse(jsonErrorsMsg)
+        json[VAULT_ERRORS_KEY].each { |err|
+          if(err == VAULT_PERMISSION_DENIED_ERR)
+            return true
+          end
+        }
+      rescue => ex
+        CerberusClient::Log.instance.warn(
+            "VaultClient::hasPermissionErrors? called and exception thrown parsing #{jsonErrorsMsg}: #{ex.message}")
+        return false
+      end
+    end
+
+  end
+end

data/lib/cerberus_client.rb

@@ -0,0 +1,62 @@
+require_relative('cerberus_client/version')
+require_relative('cerberus/vault_client')
+require_relative('cerberus/default_url_resolver')
+require_relative('cerberus/default_credentials_provider_chain')
+require_relative('cerberus/assumed_role_credentials_provider_chain')
+
+module CerberusClient
+
+  ##
+  # Get the vault client using the default vaultUrlResolver and default credentialsProviderChain
+  ##
+  def self.getDefaultVaultClient()
+    vaultUrlResolver = Cerberus::DefaultUrlResolver.new
+    return Cerberus::VaultClient.new(vaultUrlResolver, 
+                                     Cerberus::DefaultCredentialsProviderChain.new(vaultUrlResolver))
+  end
+
+  ##
+  # Get the vault client using the provided vaultUrlResolver and the credentialsProviderChain
+  ##
+  def self.getVaultClientWithUrlResolver(vaultUrlResolver)
+     return Cerberus::VaultClient.new(vaultUrlResolver, Cerberus::DefaultCredentialsProviderChain.new(vaultUrlResolver))
+  end
+
+  ##
+  # Get the vault client using the provided vaultUrlResolver and the credentialsProviderChain
+  ##
+  def self.getVaultClient(vaultUrlResolver, credentialsProviderChain)
+    return Cerberus::VaultClient.new(vaultUrlResolver, credentialsProviderChain)
+  end
+
+  def self.getVaultClientForAssumedRole(vaultUrlResolver, roleName, roleRegion, roleAccountId)
+    return Cerberus::VaultClient.new(vaultUrlResolver, Cerberus::AssumedRoleCredentialsProviderChain.new(vaultUrlResolver,
+                                                                                                     nil,
+                                                                                                     roleName,
+                                                                                                     roleRegion,
+                                                                                                     roleAccountId))
+  end
+
+
+  ##
+  # Get credentials from implementing credentialProvider
+  ##
+  def self.getCredentialsFromProvider(credentialProvider)
+    return credentialProvider.getClientToken
+  end
+
+  ##
+  # Get credentials provider from chain implementing get getCredentialsProvider
+  ##
+  def self.getCredentialsProviderFromChain(credentialProviderChain)
+    return credentialProviderChain.getCredentialsProvider
+  end
+
+  ##
+  # Get url from implementing url resolver
+  ##
+  def self.getUrlFromResolver(vaultUrlResolver)
+    return vaultUrlResolver.getUrl
+  end
+
+end # CerberusClient module

data/lib/cerberus_client/default_logger.rb

@@ -0,0 +1,64 @@
+
+module CerberusClient
+
+  require('logger')
+
+  ##
+  # Instantiated by the Log singleton
+  # can be replaced by the user provided the Logger supports the four log level outputs
+  ##
+  class DefaultLogger
+
+    ##
+    # Init the default logger
+    ##
+    def initialize
+      @logger = Logger.new STDOUT
+      # log level should be configurable
+      @logger.level = Logger::DEBUG
+      @logger.formatter = proc do |severity, datetime, progname, msg|
+
+        severityFormatted = case severity
+          when "ERROR"
+            "\e[31m#{severity}\e[0m"
+          when "WARN"
+            "\e[33m#{severity}\e[0m"
+          when "DEBUG"
+            "\e[37m#{severity}\e[0m"
+          else
+            "#{severity}"
+        end
+
+        "#{datetime.strftime('%Y-%m-%d %H:%M:%S.%L')} #{severityFormatted}: #{msg}\n"
+      end
+    end
+
+    ##
+    # Log a error message to the default logger
+    ##
+    def error(msg)
+      @logger.error(msg)
+    end
+
+    ##
+    # Log a warning message to the default logger
+    ##
+    def warn(msg)
+      @logger.warn(msg)
+    end
+
+    ##
+    # Log a info message to the default logger
+    ##
+    def info(msg)
+      @logger.info(msg)
+    end
+
+    ##
+    # Log a debug message to the default logger
+    ##
+    def debug(msg)
+      @logger.debug(msg)
+    end
+  end
+end

data/lib/cerberus_client/http.rb

@@ -0,0 +1,67 @@
+
+module CerberusClient
+
+  require_relative('../cerberus/exception/http_error')
+  require('net/http')
+  require_relative('log')
+
+  ##
+  #
+  ##
+  class Http
+
+    ##
+    # Generic HTTP handler for Cerberus Client needs
+    # uri: the fully qualified URI object to call
+    # method: the HTTP method to use'
+    # useSSL: boolean - use HTTPS or not
+    # jsonData: if not nil, made the request body and 'Content-Type' header is set to "application/json"
+    # headers: if not nil, should be a HashMap of header Key, Values
+    ##
+    def doHttp(uri, method, useSSL, jsonData = nil, headersMap = nil)
+
+      begin
+        CerberusClient::Log.instance.debug("Http::doHttp -> uri: #{uri}, method: #{method}, useSSL: #{useSSL}, jsonData: #{jsonData}")
+
+        http = Net::HTTP.new(uri.host, uri.port)
+
+        request =
+            case method
+              when 'GET'
+                Net::HTTP::Get.new(uri.request_uri)
+              when 'POST'
+                Net::HTTP::Post.new(uri.request_uri)
+              else
+                raise NotImplementedError
+            end
+
+        if(jsonData != nil); request.body = "#{jsonData}"; request['Content-Type'] = "application/json"; end
+
+        if(headersMap != nil); headersMap.each{ |headerKey, headerValue| request[headerKey] = headerValue } end
+
+        http.use_ssl = useSSL
+        response = http.request(request)
+
+        # this is just for convenience handling down the stack... response object inclucded with the exception
+        if(response.code.to_i < 200 || response.code.to_i >= 300)
+          raise Cerberus::Exception::HttpError.new(
+              "Http response code is non-2xx value: #{response.code}, #{response.body}",
+              response)
+        end
+
+        return response
+
+      rescue => ex
+        # log a warning
+        Log.instance.warn("Exception executing http: #{ex.message}, ex.class #{ex.class}")
+
+        # check to see if we threw the Http error with a response object
+        response = (ex.instance_of?(Cerberus::Exception::HttpError)) ? ex.response : nil
+
+        # raise a specific error that some policy can be enforced on
+        raise Cerberus::Exception::HttpError.new(ex.message, response)
+      end
+    end
+
+  end
+end

data/lib/cerberus_client/log.rb

@@ -0,0 +1,59 @@
+module CerberusClient
+
+  require_relative('default_logger')
+  require('singleton')
+
+  ##
+  # Singleton providing logging capabilities for the Cerberus Client
+  # Users can setup their own logger by calling Log.instance.setLoggingProvider
+  # and impelmenting the four log level output methods
+  ##
+  class Log
+    include Singleton
+
+    attr_reader :logProvider
+
+    ##
+    # Called by Singleton to setup our instance - default logger instantiated
+    # can be replaced by the user
+    ##
+    def initialize
+      @logProvider = DefaultLogger.new
+    end
+
+    ##
+    # Set the logger to be used by Cerberus Client
+    ##
+    def setLoggingProvider(logProvider)
+      @logProvider = logProvider
+    end
+
+    ##
+    # Log a error message to the default logger
+    ##
+    def error(msg)
+      @logProvider.error(msg)
+    end
+
+    ##
+    # Log a warning message to the default logger
+    ##
+    def warn(msg)
+      @logProvider.warn(msg)
+    end
+
+    ##
+    # Log a info message to the default logger
+    ##
+    def info(msg)
+      @logProvider.info(msg)
+    end
+
+    ##
+    # Log a debug message to the default logger
+    ##
+    def debug(msg)
+      @logProvider.debug(msg)
+    end
+  end
+end