chef 17.3.48-universal-mingw32 → 17.6.15-universal-mingw32

data/lib/chef/run_context/cookbook_compiler.rb

@@ -32,6 +32,7 @@ class Chef
       attr_reader :events
       attr_reader :run_list_expansion
       attr_reader :logger
+      attr_reader :run_context
 
       def initialize(run_context, run_list_expansion, events)
         @run_context = run_context
@@ -43,23 +44,51 @@ class Chef
 
       # Chef::Node object for the current run.
       def node
-        @run_context.node
+        run_context.node
       end
 
       # Chef::CookbookCollection object for the current run
       def cookbook_collection
-        @run_context.cookbook_collection
+        run_context.cookbook_collection
       end
 
       # Resource Definitions from the compiled cookbooks. This is populated by
       # calling #compile_resource_definitions (which is called by #compile)
       def definitions
-        @run_context.definitions
+        run_context.definitions
+      end
+
+      # The global waiver_collection hanging off of the run_context, used by
+      # compile_compliance and the compliance phase that runs inspec
+      #
+      # @returns [Chef::Compliance::WaiverCollection]
+      #
+      def waiver_collection
+        run_context.waiver_collection
+      end
+
+      # The global input_collection hanging off of the run_context, used by
+      # compile_compliance and the compliance phase that runs inspec
+      #
+      # @returns [Chef::Compliance::inputCollection]
+      #
+      def input_collection
+        run_context.input_collection
+      end
+
+      # The global profile_collection hanging off of the run_context, used by
+      # compile_compliance and the compliance phase that runs inspec
+      #
+      # @returns [Chef::Compliance::ProfileCollection]
+      #
+      def profile_collection
+        run_context.profile_collection
       end
 
       # Run the compile phase of the chef run. Loads files in the following order:
       # * Libraries
       # * Ohai
+      # * Compliance Profiles/Waivers
       # * Attributes
       # * LWRPs
       # * Resource Definitions
@@ -73,6 +102,7 @@ class Chef
       def compile
         compile_libraries
         compile_ohai_plugins
+        compile_compliance
         compile_attributes
         compile_lwrps
         compile_resource_definitions
@@ -98,7 +128,7 @@ class Chef
 
       # Loads library files from cookbooks according to #cookbook_order.
       def compile_libraries
-        @events.library_load_start(count_files_by_segment(:libraries))
+        events.library_load_start(count_files_by_segment(:libraries))
         cookbook_order.each do |cookbook|
           eager_load_libraries = cookbook_collection[cookbook].metadata.eager_load_libraries
           if eager_load_libraries == true # actually true, not truthy
@@ -110,14 +140,14 @@ class Chef
             end
           end
         end
-        @events.library_load_complete
+        events.library_load_complete
       end
 
       # Loads Ohai Plugins from cookbooks, and ensure any old ones are
       # properly cleaned out
       def compile_ohai_plugins
         ohai_plugin_count = count_files_by_segment(:ohai)
-        @events.ohai_plugin_load_start(ohai_plugin_count)
+        events.ohai_plugin_load_start(ohai_plugin_count)
         FileUtils.rm_rf(Chef::Config[:ohai_segment_plugin_path])
 
         cookbook_order.each do |cookbook|
@@ -131,57 +161,81 @@ class Chef
           node.consume_ohai_data(ohai)
         end
 
-        @events.ohai_plugin_load_complete
+        events.ohai_plugin_load_complete
+      end
+
+      # Loads the compliance segment files from the cookbook into the collections
+      # hanging off of the run_context, for later use in the compliance phase
+      # inspec run.
+      #
+      def compile_compliance
+        events.compliance_load_start
+        events.profiles_load_start
+        cookbook_order.each do |cookbook|
+          load_profiles_from_cookbook(cookbook)
+        end
+        events.profiles_load_complete
+        events.inputs_load_start
+        cookbook_order.each do |cookbook|
+          load_inputs_from_cookbook(cookbook)
+        end
+        events.inputs_load_complete
+        events.waivers_load_start
+        cookbook_order.each do |cookbook|
+          load_waivers_from_cookbook(cookbook)
+        end
+        events.waivers_load_complete
+        events.compliance_load_complete
       end
 
       # Loads attributes files from cookbooks. Attributes files are loaded
       # according to #cookbook_order; within a cookbook, +default.rb+ is loaded
       # first, then the remaining attributes files in lexical sort order.
       def compile_attributes
-        @events.attribute_load_start(count_files_by_segment(:attributes, "attributes.rb"))
+        events.attribute_load_start(count_files_by_segment(:attributes, "attributes.rb"))
         cookbook_order.each do |cookbook|
           load_attributes_from_cookbook(cookbook)
         end
-        @events.attribute_load_complete
+        events.attribute_load_complete
       end
 
       # Loads LWRPs according to #cookbook_order. Providers are loaded before
       # resources on a cookbook-wise basis.
       def compile_lwrps
         lwrp_file_count = count_files_by_segment(:providers) + count_files_by_segment(:resources)
-        @events.lwrp_load_start(lwrp_file_count)
+        events.lwrp_load_start(lwrp_file_count)
         cookbook_order.each do |cookbook|
           load_lwrps_from_cookbook(cookbook)
         end
-        @events.lwrp_load_complete
+        events.lwrp_load_complete
       end
 
       # Loads resource definitions according to #cookbook_order
       def compile_resource_definitions
-        @events.definition_load_start(count_files_by_segment(:definitions))
+        events.definition_load_start(count_files_by_segment(:definitions))
         cookbook_order.each do |cookbook|
           load_resource_definitions_from_cookbook(cookbook)
         end
-        @events.definition_load_complete
+        events.definition_load_complete
       end
 
       # Iterates over the expanded run_list, loading each recipe in turn.
       def compile_recipes
-        @events.recipe_load_start(run_list_expansion.recipes.size)
+        events.recipe_load_start(run_list_expansion.recipes.size)
         run_list_expansion.recipes.each do |recipe|
 
           path = resolve_recipe(recipe)
-          @run_context.load_recipe(recipe)
-          @events.recipe_file_loaded(path, recipe)
+          run_context.load_recipe(recipe)
+          events.recipe_file_loaded(path, recipe)
         rescue Chef::Exceptions::RecipeNotFound => e
-          @events.recipe_not_found(e)
+          events.recipe_not_found(e)
           raise
         rescue Exception => e
-          @events.recipe_file_load_failed(path, e, recipe)
+          events.recipe_file_load_failed(path, e, recipe)
           raise
 
         end
-        @events.recipe_load_complete
+        events.recipe_load_complete
       end
 
       # Whether or not a cookbook is reachable from the set of cookbook given
@@ -225,7 +279,7 @@ class Chef
         attr_file_basename = ::File.basename(filename, ".rb")
         node.include_attribute("#{cookbook_name}::#{attr_file_basename}")
       rescue Exception => e
-        @events.attribute_file_load_failed(filename, e)
+        events.attribute_file_load_failed(filename, e)
         raise
       end
 
@@ -234,9 +288,9 @@ class Chef
 
           logger.trace("Loading cookbook #{cookbook_name}'s library file: #{filename}")
           Kernel.require(filename)
-          @events.library_file_loaded(filename)
+          events.library_file_loaded(filename)
         rescue Exception => e
-          @events.library_file_load_failed(filename, e)
+          events.library_file_load_failed(filename, e)
           raise
 
         end
@@ -260,18 +314,18 @@ class Chef
       def load_lwrp_provider(cookbook_name, filename)
         logger.trace("Loading cookbook #{cookbook_name}'s providers from #{filename}")
         Chef::Provider::LWRPBase.build_from_file(cookbook_name, filename, self)
-        @events.lwrp_file_loaded(filename)
+        events.lwrp_file_loaded(filename)
       rescue Exception => e
-        @events.lwrp_file_load_failed(filename, e)
+        events.lwrp_file_load_failed(filename, e)
         raise
       end
 
       def load_lwrp_resource(cookbook_name, filename)
         logger.trace("Loading cookbook #{cookbook_name}'s resources from #{filename}")
         Chef::Resource::LWRPBase.build_from_file(cookbook_name, filename, self)
-        @events.lwrp_file_loaded(filename)
+        events.lwrp_file_loaded(filename)
       rescue Exception => e
-        @events.lwrp_file_load_failed(filename, e)
+        events.lwrp_file_load_failed(filename, e)
         raise
       end
 
@@ -288,6 +342,36 @@ class Chef
         end
       end
 
+      # Load the compliance segment files from a single cookbook
+      #
+      def load_profiles_from_cookbook(cookbook_name)
+        # This identifies profiles by their inspec.yml file, we recurse into subdirs so the profiles may be deeply
+        # nested in a subdir structure for organization.  You could have profiles inside of profiles but
+        # since that is not coherently defined, you should not.
+        #
+        each_file_in_cookbook_by_segment(cookbook_name, :compliance, [ "profiles/**/inspec.{yml,yaml}" ]) do |filename|
+          profile_collection.from_file(filename, cookbook_name)
+        end
+      end
+
+      def load_waivers_from_cookbook(cookbook_name)
+        # This identifies waiver files as any yaml files under the waivers subdir.  We recurse into subdirs as well
+        # so that waivers may be nested in subdirs for organization.  Any other files are ignored.
+        #
+        each_file_in_cookbook_by_segment(cookbook_name, :compliance, [ "waivers/**/*.{yml,yaml}" ]) do |filename|
+          waiver_collection.from_file(filename, cookbook_name)
+        end
+      end
+
+      def load_inputs_from_cookbook(cookbook_name)
+        # This identifies input files as any yaml files under the inputs subdir.  We recurse into subdirs as well
+        # so that inputs may be nested in subdirs for organization.  Any other files are ignored.
+        #
+        each_file_in_cookbook_by_segment(cookbook_name, :compliance, [ "inputs/**/*.{yml,yaml}" ]) do |filename|
+          input_collection.from_file(filename, cookbook_name)
+        end
+      end
+
       def load_resource_definitions_from_cookbook(cookbook_name)
         files_in_cookbook_by_segment(cookbook_name, :definitions).each do |filename|
           next unless File.extname(filename) == ".rb"
@@ -300,9 +384,9 @@ class Chef
               logger.info("Overriding duplicate definition #{key}, new definition found in #{filename}")
               newval
             end
-            @events.definition_file_loaded(filename)
+            events.definition_file_loaded(filename)
           rescue Exception => e
-            @events.definition_file_load_failed(filename, e)
+            events.definition_file_load_failed(filename, e)
             raise
           end
         end

data/lib/chef/run_context.rb

@@ -25,6 +25,9 @@ require_relative "log"
 require_relative "recipe"
 require_relative "run_context/cookbook_compiler"
 require_relative "event_dispatch/events_output_stream"
+require_relative "compliance/input_collection"
+require_relative "compliance/waiver_collection"
+require_relative "compliance/profile_collection"
 require_relative "train_transport"
 require_relative "exceptions"
 require "forwardable" unless defined?(Forwardable)
@@ -120,10 +123,28 @@ class Chef
 
     # Handle to the global action_collection of executed actions for reporting / data_collector /etc
     #
-    # @return [Chef::ActionCollection
+    # @return [Chef::ActionCollection]
     #
     attr_accessor :action_collection
 
+    # Handle to the global profile_collection of inspec profiles for the compliance phase
+    #
+    # @return [Chef::Compliance::ProfileCollection]
+    #
+    attr_accessor :profile_collection
+
+    # Handle to the global waiver_collection of inspec waiver files for the compliance phase
+    #
+    # @return [Chef::Compliance::WaiverCollection]
+    #
+    attr_accessor :waiver_collection
+
+    # Handle to the global input_collection of inspec input files for the compliance phase
+    #
+    # @return [Chef::Compliance::inputCollection]
+    #
+    attr_accessor :input_collection
+
     # Pointer back to the Chef::Runner that created this
     #
     attr_accessor :runner
@@ -198,6 +219,9 @@ class Chef
       @loaded_attributes_hash = {}
       @reboot_info = {}
       @cookbook_compiler = nil
+      @input_collection = Chef::Compliance::InputCollection.new(events)
+      @waiver_collection = Chef::Compliance::WaiverCollection.new(events)
+      @profile_collection = Chef::Compliance::ProfileCollection.new(events)
 
       initialize_child_state
     end
@@ -674,6 +698,8 @@ class Chef
         events=
         has_cookbook_file_in_cookbook?
         has_template_in_cookbook?
+        input_collection
+        input_collection=
         load
         loaded_attribute
         loaded_attributes
@@ -688,6 +714,8 @@ class Chef
         node
         node=
         open_stream
+        profile_collection
+        profile_collection=
         reboot_info
         reboot_info=
         reboot_requested?
@@ -700,6 +728,8 @@ class Chef
         transport
         transport_connection
         unreachable_cookbook?
+        waiver_collection
+        waiver_collection=
       }
 
       def initialize(parent_run_context)

data/lib/chef/secret_fetcher/akeyless_vault.rb

@@ -0,0 +1,57 @@
+#
+# Author:: Marc Paradise (<marc@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "base"
+require_relative "hashi_vault"
+
+class Chef
+  class SecretFetcher
+    # == Chef::SecretFetcher::AKeylessVault
+    # A fetcher that fetches a secret from AKeyless Vault.  Initial implementation is
+    # based on HashiVault , because AKeyless provides a compatibility layer that makes this possible.
+    # Future revisions will use native akeyless authentication.
+    #
+    # Required config:
+    # :access_id - the access id of the API key
+    # :access_key - the access key of the API key
+    #
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:akeyless_vault, { access_id: "my-access-id", access_key: "my-access-key"  }, run_context )
+    # fetcher.fetch("/secret/data/secretkey1")
+    #
+    AKEYLESS_VAULT_PROXY_ADDR = "https://hvp.akeyless.io".freeze
+    class AKeylessVault < HashiVault
+      def validate!
+        if config[:access_key].nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the secret access key in the configuration as :secret_access_key")
+        end
+        if config[:access_id].nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the access key id in the configuration as :access_key_id")
+        end
+
+        config[:vault_addr] ||= AKEYLESS_VAULT_PROXY_ADDR
+        config[:auth_method] = :token
+        config[:token] = "#{config[:access_id]}..#{config[:access_key]}"
+        super
+      end
+    end
+  end
+end
+

data/lib/chef/secret_fetcher/aws_secrets_manager.rb

@@ -17,6 +17,7 @@
 #
 
 require_relative "base"
+require "aws-sdk-core"
 require "aws-sdk-secretsmanager"
 
 class Chef
@@ -26,21 +27,32 @@ class Chef
   # It is possible to pass options that configure it to use alternative credentials.
   # This implementation supports fetching with version.
   #
-  # NOTE: This does not yet support automatic retries, which the AWS client does by default.
+  # @note ':region' is required configuration.  If it is not explicitly provided,
+  # and it is not available via global AWS config, we will pull it from node ohai data by default.
+  # If this isn't correct, you will need to explicitly override it.
+  # If it is not available via ohai data either (such as if you have the AWS plugin disabled)
+  # then the converge will fail with an error.
+  #
+  # @note: This does not yet support automatic retries, which the AWS client does by default.
   #
   # For configuration options see https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/SecretsManager/Client.html#initialize-instance_method
   #
-  # Note that ~/.aws default and environment-based configurations are supported by default in the
-  # ruby SDK.
   #
   # Usage Example:
   #
-  # fetcher = SecretFetcher.for_service(:aws_secrets_manager, { region: "us-east-1" })
+  # fetcher = SecretFetcher.for_service(:aws_secrets_manager)
   # fetcher.fetch("secretkey1", "v1")
   class SecretFetcher
     class AWSSecretsManager < Base
+      def validate!
+        config[:region] = config[:region] || Aws.config[:region] || run_context.node.dig("ec2", "region")
+        if config[:region].nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("Missing required config for AWS secret fetcher: :region")
+        end
+      end
+
       # @param identifier [String] the secret_id
-      # @param version [String] the secret version. Not usd at this time
+      # @param version [String] the secret version.
       # @return Aws::SecretsManager::Types::GetSecretValueResponse
       def do_fetch(identifier, version)
         client = Aws::SecretsManager::Client.new(config)

data/lib/chef/secret_fetcher/azure_key_vault.rb

@@ -2,29 +2,36 @@ require_relative "base"
 
 class Chef
   class SecretFetcher
-    # == Chef::SecretFetcher::AWSSecretsManager
+    # == Chef::SecretFetcher::AzureKeyVault
     # A fetcher that fetches a secret from Azure Key Vault. Supports fetching with version.
     #
     # In this initial iteration this authenticates via token obtained from the OAuth2  /token
     # endpoint.
     #
-    # Usage Example:
+    # Validation of required configuration (vault name) is not performed until
+    # `fetch` time, to allow for embedding the vault name in with the secret
+    # name, such as "my_vault/secretkey1".
     #
-    # fetcher = SecretFetcher.for_service(:azure_key_vault)
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:azure_key_vault, { vault: "my_vault" }, run_context )
     # fetcher.fetch("secretkey1", "v1")
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:azure_key_vault, {}, run_context )
+    # fetcher.fetch("my_vault/secretkey1", "v1")
     class AzureKeyVault < Base
-      def validate!
-        @vault = config[:vault]
-        if @vault.nil?
-          raise Chef::Exceptions::Secret::MissingVaultName.new("You must provide a vault name to service options as vault: 'vault_name'")
-        end
-      end
 
       def do_fetch(name, version)
         token = fetch_token
+        vault, name = resolve_vault_and_secret_name(name)
+        if vault.nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide a vault name to fetcher options as vault: 'vault_name' or in the secret name as 'vault_name/secret_name'")
+        end
 
         # Note that `version` is optional after the final `/`. If nil/"", the latest secret version will be fetched.
-        secret_uri = URI.parse("https://#{@vault}.vault.azure.net/secrets/#{name}/#{version}?api-version=7.2")
+        secret_uri = URI.parse("https://#{vault}.vault.azure.net/secrets/#{name}/#{version}?api-version=7.2")
         http = Net::HTTP.new(secret_uri.host, secret_uri.port)
         http.use_ssl = true
 
@@ -41,6 +48,21 @@ class Chef
         end
       end
 
+      # Determine the vault name and secret name from the provided name.
+      # If it is not in the provided name in the form "vault_name/secret_name"
+      # it will determine the vault name from `config[:vault]`.
+      # @param name [String] the secret name or vault and secret name in the form "vault_name/secret_name"
+      # @return Array[String, String] vault and secret name respectively
+      def resolve_vault_and_secret_name(name)
+        # We support a simplified approach where the vault name is not passed i
+        # into configuration, but
+        if name.include?("/")
+          name.split("/", 2)
+        else
+          [config[:vault], name]
+        end
+      end
+
       def fetch_token
         token_uri = URI.parse("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net")
         http = Net::HTTP.new(token_uri.host, token_uri.port)

data/lib/chef/secret_fetcher/base.rb

@@ -25,13 +25,17 @@ class Chef
   class SecretFetcher
     class Base
       attr_reader :config
+      # Note that this is only available in the context of a recipe.
+      # Since that's the only place it's intended to be used, that's probably OK.
+      attr_reader :run_context
 
       # Initialize a new SecretFetcher::Base
       #
       # @param config [Hash] Configuration hash.  Expected configuration keys and values
       # will vary based on implementation, and are validated in `validate!`.
-      def initialize(config)
+      def initialize(config, run_context)
         @config = config
+        @run_context = run_context
       end
 
       # Fetch the named secret by invoking implementation-specific [Chef::SecretFetcher::Base#do_fetch]
@@ -52,7 +56,7 @@ class Chef
       # @raise [Chef::Exceptions::Secret::ConfigurationInvalid] if it is not.
       def validate!; end
 
-      # Called to fetch the secret identified by 'identifer'.  Implementations
+      # Called to fetch the secret identified by 'identifier'.  Implementations
       # should expect that `validate!` has been invoked before `do_fetch`.
       #
       # @param identifier [Object] Unique identifier of the secret to be retrieved.

data/lib/chef/secret_fetcher/hashi_vault.rb

@@ -0,0 +1,100 @@
+#
+# Author:: Marc Paradise (<marc@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "base"
+require "aws-sdk-core" # Support for aws instance profile auth
+require "vault"
+class Chef
+  class SecretFetcher
+    # == Chef::SecretFetcher::HashiVault
+    # A fetcher that fetches a secret from Hashi Vault.
+    #
+    # Does not yet support fetching with version when a versioned key store is in use.
+    # In this initial iteration the only supported authentication is IAM role-based
+    #
+    # Required config:
+    # :auth_method - one of :iam_role, :token.  default: :iam_role
+    # :vault_addr - the address of a running Vault instance, eg https://vault.example.com:8200
+    #
+    # For `:token` auth: `:token` - a Vault token valid for authentication.
+    #
+    # For `:iam_role`:  `:role_name` - the name of the role in Vault that was created
+    # to support authentication via IAM.  See the Vault documentation for details[1].
+    # A Terraform example is also available[2]
+    #
+    #
+    # [1] https://www.vaultproject.io/docs/auth/aws#recommended-vault-iam-policy
+    # [2] https://registry.terraform.io/modules/hashicorp/vault/aws/latest/examples/vault-iam-auth
+    #             an IAM principal ARN bound to it.
+    #
+    # Optional config
+    # :namespace - the namespace under which secrets are kept.  Only supported in with Vault Enterprise
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:hashi_vault, { role_name: "testing-role", vault_addr: https://localhost:8200}, run_context )
+    # fetcher.fetch("secretkey1")
+    #
+    # @example
+    #
+    # fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :token, token: "s.1234abcdef", vault_addr: https://localhost:8200}, run_context )
+    # fetcher.fetch("secretkey1")
+    SUPPORTED_AUTH_TYPES = %i{iam_role token}.freeze
+    class HashiVault < Base
+
+      # Validate and authenticate the current session using the configured auth strategy and parameters
+      def validate!
+        if config[:vault_addr].nil?
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the Vault address in the configuration as :vault_addr")
+        end
+
+        Vault.address = config[:vault_addr]
+        Vault.namespace = config[:namespace] unless config[:namespace].nil?
+
+        case config[:auth_method]
+        when :token
+          if config[:token].nil?
+            raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the token in the configuration as :token")
+          end
+
+          Vault.auth.token(config[:token])
+        when :iam_role, nil
+          if config[:role_name].nil?
+            raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name")
+          end
+
+          Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new)
+        else
+          raise Chef::Exceptions::Secret::ConfigurationInvalid.new("Invalid :auth_method provided.  You gave #{config[:auth_method]}, expected one of :#{SUPPORTED_AUTH_TYPES.join(", :")} ")
+        end
+      end
+
+      # @param identifier [String] Identifier of the secret to be fetched, which should
+      # be the full path of that secret, eg 'secret/example'
+      # @param _version [String] not used in this implementation
+      # @return [Hash] containing key/value pairs stored at the location given in 'identifier'
+      def do_fetch(identifier, _version)
+        result = Vault.logical.read(identifier)
+        raise Chef::Exceptions::Secret::FetchFailed.new("No secret found at #{identifier}. Check to ensure that there is a secrets engine configured for that path") if result.nil?
+
+        result.data
+      end
+    end
+  end
+end
+