cerberus_client 1.5.1 → 2.0.0

data/lib/cerberus/cerberus_auth_info.rb

@@ -0,0 +1,13 @@
+module Cerberus
+  class CerberusAuthInfo
+    attr_reader :iam_principal_arn
+    attr_reader :region
+    attr_reader :credentials
+
+    def initialize(iam_principal_arn, region, credentials = nil)
+      @iam_principal_arn = iam_principal_arn
+      @region = region
+      @credentials = credentials
+    end
+  end
+end

data/lib/cerberus/cerberus_client.rb

@@ -0,0 +1,138 @@
+
+
+module Cerberus
+
+  require_relative('../cerberus_utils/log')
+  require_relative('../cerberus_utils/utils')
+  require_relative('exception/http_error')
+  require_relative('exception/ambiguous_vault_bad_request')
+  require_relative('default_credentials_provider_chain')
+  require('json')
+
+  ##
+  # Client for interacting with the Cerberus API
+  ##
+  class CerberusClient
+
+    # relative path to the Cerberus secrets API
+    SECRET_PATH_PREFIX = "/v1/secret/"
+    SECRET_MAP_DATA_KEY = CERBERUS_LIST_DATA_KEY = "data"
+    CERBERUS_TOKEN_HEADER_KEY = 'X-Vault-Token'
+    CERBERUS_ERRORS_KEY = "errors"
+    CERBERUS_PERMISSION_DENIED_ERR = "permission denied"
+    CERBERUS_LIST_KEYS_KEY = "keys"
+    CERBERUS_LIST_PARAM_KEY = "list"
+    SLASH = "/"
+
+    attr_reader :cerberus_base_url
+    attr_reader :credentials_provider
+
+    ##
+    # Init with the base URL for cerberus
+    ##
+    def initialize(cerberus_url_resolver, credentials_provider_chain)
+
+      require 'net/https'
+
+      @cerberus_base_url = CerberusUtils::get_url_from_resolver(cerberus_url_resolver)
+      @credentials_provider = credentials_provider_chain.get_credentials_provider
+
+    end # initialize
+
+    ##
+    # Read operation for a specified path.
+    ##
+    def read(path)
+      begin
+        response = read_value_from_cerberus(SECRET_PATH_PREFIX + path)
+        CerberusUtils::Log.instance.debug("CerberusClient::read(path) HTTP response: #{response.code}, #{response.message}")
+        response.body
+
+      rescue => ex
+        CerberusUtils::Log.instance.error("CerberusClient::read(#{path}) unhandled exception trying to read: #{ex.message}")
+        raise ex
+      end
+    end # read
+
+    ##
+    # Returns a list of key names at the specified location. Folders are suffixed with /.
+    # The input must be a folder; list on a file will return nil
+    ##
+    def list(path)
+      begin
+        response = read_value_from_cerberus(SECRET_PATH_PREFIX + path + "?list=true")
+
+        CerberusUtils::Log.instance.debug("CerberusClient::list(#{path}) HTTP response: #{response.code}, #{response.message}")
+
+        json_response_body = JSON.parse(response.body)
+        pathList = json_response_body[CERBERUS_LIST_DATA_KEY][CERBERUS_LIST_KEYS_KEY]
+        CerberusUtils::Log.instance.debug("CerberusClient::list returning #{pathList.join(", ")} ")
+        pathList
+
+      rescue => ex
+
+        # check to see if we threw the Http error with a response object
+        response = (ex.instance_of?(Cerberus::Exception::HttpError)) ? ex.response : nil
+        if(!response.nil? && response.code.to_i == 404)
+          return nil
+        end
+
+        CerberusUtils::Log.instance.error("CerberusClient::list(#{path}) unhandled exception trying to read: #{ex.message}")
+        raise ex
+      end
+    end
+
+    private
+
+    ##
+    # Do an http request to Cerberus using the relative URI passed in
+    ##
+    def read_value_from_cerberus(releative_uri)
+
+      url = URI(@cerberus_base_url + releative_uri)
+      use_ssl, = ! ("#{@cerberus_base_url}".include? "localhost")
+
+      begin
+        headers_map = {CERBERUS_TOKEN_HEADER_KEY => @credentials_provider.get_client_token}
+        response = CerberusUtils::Http.new.make_http_call(url, "GET", use_ssl, nil, headers_map)
+
+      rescue Cerberus::Exception::HttpError => ex
+        # Since Vault wants to pass back 400 bad request for both paths we don't have access to
+        # and paths that don't actually exist at all, I'm sending back a specific error so that implementing clients
+        # can at least understand the situation they find themselves in
+        #
+        # This client could actually work around this problem by first getting a list of all paths we have access to and
+        # determining if the path exists in that list.  If not, 404 (which is more appropriate than 400).
+        # TODO: implement "list > check for path" work around <-- NOTE:  This is a relatively expensive operation
+        if(!ex.response.nil? && (ex.response.code.to_i == 400))
+          raise Exception::AmbiguousVaultBadRequest.new
+        else
+          raise ex
+        end
+
+      end
+
+      response
+
+    end # read_value_from_cerberus
+
+    ##
+    # Parse out the permission errors json
+    ##
+    def has_permission_errors?(json_errors_msg)
+      begin
+        json = JSON.parse(json_errors_msg)
+        json[CERBERUS_ERRORS_KEY].each { |err|
+          if(err == CERBERUS_PERMISSION_DENIED_ERR)
+            return true
+          end
+        }
+      rescue => ex
+        CerberusUtils::Log.instance.warn(
+            "CerberusClient::hasPermissionErrors? called and exception thrown parsing #{json_errors_msg}: #{ex.message}")
+        return false
+      end
+    end
+
+  end
+end

data/lib/cerberus/cerberus_client_token.rb

@@ -2,7 +2,7 @@
 
 module Cerberus
 
-  require_relative('../cerberus_client/log')
+  require_relative('../cerberus_utils/log')
 
   ##
   # Object to hold the Cerberus client token credentials and check for expiration and refresh
@@ -20,8 +20,8 @@ module Cerberus
       @createTime = Time.now
       @cacheLifetimeSec = cacheLifetimeSec
       @policies = policiesArray
-      CerberusClient::Log.instance.debug("AwsCredentials cache lifetime set to #{@cacheLifetimeSec} seconds")
-      CerberusClient::Log.instance.debug("AwsCredentials policies: #{@policies.join(", ")}")
+      CerberusUtils::Log.instance.debug("AwsCredentials cache lifetime set to #{@cacheLifetimeSec} seconds")
+      CerberusUtils::Log.instance.debug("AwsCredentials policies: #{@policies.join(", ")}")
       @authToken = authToken
     end
 

data/lib/cerberus/default_credentials_provider_chain.rb

@@ -1,8 +1,8 @@
 require_relative('../cerberus_client')
-require_relative('../cerberus_client/log')
+require_relative('../cerberus_utils/log')
+require_relative('../cerberus_utils/utils')
 require_relative('exception/no_value_error')
 require_relative('exception/no_valid_providers')
-require_relative('aws_role_credentials_provider')
 require_relative('aws_principal_credentials_provider')
 require_relative('env_credentials_provider')
 
@@ -13,24 +13,25 @@ module Cerberus
   ##
   class DefaultCredentialsProviderChain
 
-    def initialize(urlResolver, instanceMdSvcBaseUrl = nil)
-      vaultBaseUrl = CerberusClient.getUrlFromResolver(urlResolver)
+    # AWS metadata instance URL
+    AWS_EC2_METADATA_URL = "http://169.254.169.254/latest/meta-data"
+
+    def initialize(url_resolver, region = nil, instance_metadata_url = AWS_EC2_METADATA_URL)
 
       # return default array of providers
       @providers = [Cerberus::EnvCredentialsProvider.new,
-                    Cerberus::AwsRoleCredentialsProvider.new(vaultBaseUrl, instanceMdSvcBaseUrl),
-                    Cerberus::AwsPrincipalCredentialsProvider.new(vaultBaseUrl)]
+                    Cerberus::AwsPrincipalCredentialsProvider.new(url_resolver, region, instance_metadata_url)]
     end
 
     ##
     # Return the first provider in the default hierarchy that has a valid token
     ##
-    def getCredentialsProvider
+    def get_credentials_provider
       @providers.each { |p|
         begin
           # if token is assigned, that's the provider we want.
           # providers must throw NoValueError so that we can fall to the next provider if necessary
-          CerberusClient.getCredentialsFromProvider(p)
+          CerberusUtils::get_credentials_from_provider(p)
           return p
 
         rescue Cerberus::Exception::NoValueError
@@ -39,7 +40,7 @@ module Cerberus
       }
 
       # we should have found and returned a valid provider above, else there's a problem
-      CerberusClient::Log.instance.error(" could not find a valid provider")
+      CerberusUtils::Log.instance.error("Could not find a valid provider")
       raise Cerberus::Exception::NoValidProviders.new
     end
   end

data/lib/cerberus/default_url_resolver.rb

@@ -4,20 +4,20 @@ module Cerberus
   require_relative('exception/no_value_error')
 
   ##
-  # The default Vault URL resolver - looks for #{CERBERUS_VAULT_URL_ENV_KEY} in env vars
+  # The default Cerberus URL resolver - looks for #{CERBERUS_URL_ENV_KEY} in env vars
   ##
   class DefaultUrlResolver
 
-    CERBERUS_VAULT_URL_ENV_KEY = "CERBERUS_ADDR"
+    CERBERUS_URL_ENV_KEY = "CERBERUS_ADDR"
 
     ##
-    # Look for the vault url in the env var
+    # Look for the cerberus url in the env var
     ##
-    def getUrl
-      urlOption = ENV[CERBERUS_VAULT_URL_ENV_KEY]
+    def get_url
+      url_option = ENV[CERBERUS_URL_ENV_KEY]
 
-      if(urlOption != nil)
-        return urlOption
+      if(url_option != nil)
+        return url_option
       else
         raise Cerberus::Exception::NoValueError
       end

data/lib/cerberus/env_credentials_provider.rb

@@ -5,18 +5,18 @@ module Cerberus
   require_relative('exception/no_value_error')
 
   ##
-  # The Environment variable credentials provider - looks for #{CERBERUS_VAULT_TOKEN_ENV_KEY} in env vars
+  # The Environment variable credentials provider - looks for #{CERBERUS_TOKEN_ENV_KEY} in env vars
   ##
   class EnvCredentialsProvider
 
-    CERBERUS_VAULT_TOKEN_ENV_KEY = "CERBERUS_TOKEN"
+    CERBERUS_TOKEN_ENV_KEY = "CERBERUS_TOKEN"
 
     ##
-    # Look for the vault token in the env var
+    # Look for the cerberus token in the env var
     ##
-    def getClientToken
+    def get_client_token
 
-      tokenOption = ENV[CERBERUS_VAULT_TOKEN_ENV_KEY]
+      tokenOption = ENV[CERBERUS_TOKEN_ENV_KEY]
 
       if(tokenOption != nil)
         return tokenOption

data/lib/cerberus_client.rb

@@ -1,5 +1,5 @@
-require_relative('cerberus_client/version')
-require_relative('cerberus/vault_client')
+require_relative('cerberus_utils/version')
+require_relative('cerberus/cerberus_client')
 require_relative('cerberus/default_url_resolver')
 require_relative('cerberus/default_credentials_provider_chain')
 require_relative('cerberus/assumed_role_credentials_provider_chain')
@@ -7,56 +7,46 @@ require_relative('cerberus/assumed_role_credentials_provider_chain')
 module CerberusClient
 
   ##
-  # Get the vault client using the default vaultUrlResolver and default credentialsProviderChain
+  # Get the cerberus client using the default cerberus_url_resolver and default credentialsProviderChain
   ##
-  def self.getDefaultVaultClient()
-    vaultUrlResolver = Cerberus::DefaultUrlResolver.new
-    return Cerberus::VaultClient.new(vaultUrlResolver, 
-                                     Cerberus::DefaultCredentialsProviderChain.new(vaultUrlResolver))
+  def self.get_default_cerberus_client()
+    cerberus_url_resolver = Cerberus::DefaultUrlResolver.new
+    return Cerberus::CerberusClient.new(
+        cerberus_url_resolver,
+        Cerberus::DefaultCredentialsProviderChain.new(cerberus_url_resolver))
   end
 
   ##
-  # Get the vault client using the provided vaultUrlResolver and the credentialsProviderChain
+  # Get the cerberus client using the provided cerberus_url_resolver and the credentialsProviderChain
   ##
-  def self.getVaultClientWithUrlResolver(vaultUrlResolver)
-     return Cerberus::VaultClient.new(vaultUrlResolver, Cerberus::DefaultCredentialsProviderChain.new(vaultUrlResolver))
+  def self.get_cerberus_client_with_url_resolver(cerberus_url_resolver)
+    return Cerberus::CerberusClient.new(cerberus_url_resolver, Cerberus::DefaultCredentialsProviderChain.new(cerberus_url_resolver))
   end
 
   ##
-  # Get the vault client using the provided vaultUrlResolver and the credentialsProviderChain
+  # Get the cerberus client using the provided cerberus_url_resolver and the credentialsProviderChain
   ##
-  def self.getVaultClient(vaultUrlResolver, credentialsProviderChain)
-    return Cerberus::VaultClient.new(vaultUrlResolver, credentialsProviderChain)
+  def self.get_cerberus_client_with_metadata_url(ec2_metadata_service_url)
+    cerberus_url_resolver = Cerberus::DefaultUrlResolver.new
+    return Cerberus::CerberusClient.new(
+        cerberus_url_resolver,
+        Cerberus::DefaultCredentialsProviderChain.new(cerberus_url_resolver, nil, ec2_metadata_service_url))
   end
 
-  def self.getVaultClientForAssumedRole(vaultUrlResolver, roleName, roleRegion, roleAccountId)
-    return Cerberus::VaultClient.new(vaultUrlResolver, Cerberus::AssumedRoleCredentialsProviderChain.new(vaultUrlResolver,
-                                                                                                     nil,
-                                                                                                     roleName,
-                                                                                                     roleRegion,
-                                                                                                     roleAccountId))
-  end
-
-
   ##
-  # Get credentials from implementing credentialProvider
+  # Get the cerberus client using the provided cerberus_url_resolver and the credentialsProviderChain
   ##
-  def self.getCredentialsFromProvider(credentialProvider)
-    return credentialProvider.getClientToken
+  def self.get_cerberus_client(cerberus_url_resolver, credentialsProviderChain)
+    return Cerberus::CerberusClient.new(cerberus_url_resolver, credentialsProviderChain)
   end
 
-  ##
-  # Get credentials provider from chain implementing get getCredentialsProvider
-  ##
-  def self.getCredentialsProviderFromChain(credentialProviderChain)
-    return credentialProviderChain.getCredentialsProvider
-  end
-
-  ##
-  # Get url from implementing url resolver
-  ##
-  def self.getUrlFromResolver(vaultUrlResolver)
-    return vaultUrlResolver.getUrl
+  def self.get_cerberus_client_for_assumed_role(cerberus_url_resolver, iam_principal_arn, region)
+    return Cerberus::CerberusClient.new(
+        cerberus_url_resolver,
+        Cerberus::AssumedRoleCredentialsProviderChain.new(
+            cerberus_url_resolver,
+            iam_principal_arn,
+            region))
   end
 
 end # CerberusClient module

data/lib/{cerberus_client → cerberus_utils}/default_logger.rb

@@ -1,5 +1,5 @@
 
-module CerberusClient
+module CerberusUtils
 
   require('logger')
 

data/lib/{cerberus_client → cerberus_utils}/http.rb

@@ -1,5 +1,5 @@
 
-module CerberusClient
+module CerberusUtils
 
   require_relative('../cerberus/exception/http_error')
   require('net/http')
@@ -15,14 +15,14 @@ module CerberusClient
     # Generic HTTP handler for Cerberus Client needs
     # uri: the fully qualified URI object to call
     # method: the HTTP method to use'
-    # useSSL: boolean - use HTTPS or not
-    # jsonData: if not nil, made the request body and 'Content-Type' header is set to "application/json"
+    # use_ssl: boolean - use HTTPS or not
+    # json_data: if not nil, made the request body and 'Content-Type' header is set to "application/json"
     # headers: if not nil, should be a HashMap of header Key, Values
     ##
-    def doHttp(uri, method, useSSL, jsonData = nil, headersMap = nil)
+    def make_http_call(uri, method, use_ssl, json_data = nil, headers_map = nil)
 
       begin
-        CerberusClient::Log.instance.debug("Http::doHttp -> uri: #{uri}, method: #{method}, useSSL: #{useSSL}, jsonData: #{jsonData}")
+        CerberusUtils::Log.instance.debug("Http::make_http_call -> uri: #{uri}, method: #{method}, use_ssl: #{use_ssl}, json_data: #{json_data}")
 
         http = Net::HTTP.new(uri.host, uri.port)
 
@@ -36,12 +36,13 @@ module CerberusClient
                 raise NotImplementedError
             end
 
-        if(jsonData != nil); request.body = "#{jsonData}"; request['Content-Type'] = "application/json"; end
+        if(json_data != nil); request.body = "#{json_data}"; request['Content-Type'] = "application/json"; end
 
-        if(headersMap != nil); headersMap.each{ |headerKey, headerValue| request[headerKey] = headerValue } end
-        request['X-Cerberus-Client'] = "CerberusRubyClient/#{CerberusClient::VERSION}"
+        if(headers_map != nil); headers_map.each{ |headerKey, headerValue| request[headerKey] = headerValue } end
+        request['X-Cerberus-Client'] = "CerberusRubyClient/#{CerberusUtils::VERSION}"
 
-        http.use_ssl = useSSL
+        puts request
+        http.use_ssl = use_ssl
         response = http.request(request)
 
         # this is just for convenience handling down the stack... response object inclucded with the exception

data/lib/{cerberus_client → cerberus_utils}/log.rb

@@ -1,4 +1,4 @@
-module CerberusClient
+module CerberusUtils
 
   require_relative('default_logger')
   require('singleton')

data/lib/cerberus_utils/utils.rb

@@ -0,0 +1,24 @@
+module CerberusUtils
+  
+  ##
+  # Get credentials from implementing credential_provider
+  ##
+  def self.get_credentials_from_provider(credential_provider)
+    return credential_provider.get_client_token
+  end
+
+  ##
+  # Get credentials provider from chain implementing get get_credentials_provider
+  ##
+  def self.get_credentials_provider_from_chain(credential_provider_chain)
+    return credential_provider_chain.get_credentials_provider
+  end
+
+  ##
+  # Get url from implementing url resolver
+  ##
+  def self.get_url_from_resolver(cerberus_url_resolver)
+    return cerberus_url_resolver.get_url
+  end
+  
+end