confidant 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 20203303d07ffce5c33fb5fcdd92f479eef85e0a
+  data.tar.gz: 72ba74d4b41018265a3ad9d535ec3f479802d5ce
+SHA512:
+  metadata.gz: ff62a6debd26773bdddce93ab885a4b4ad0cd2ed0c3ff5bbf4000e07eef0cbfc1291851fc24fde7e2968b1ce1148095cd6de7364d7b59fccf3fb698be4ab6f91
+  data.tar.gz: 5dd2f41cc9336023c6188dac971a3bf69578dc75cb7f77c277c8bbdbb78f8a55f901a2cbcb16d7fa9258dbbd287e751ed1746b8aa00ab075427789623c60c0bb

data/CHANGELOG.md

@@ -0,0 +1,14 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/) 
+and this project adheres to [Semantic Versioning](http://semver.org/).
+
+## [Unreleased]
+### Added
+
+### Changed
+
+## [0.1.0] - 2016-12-03
+### Added
+- Initial public release of Confidant, with Confidant::Client library and CLI

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Matt Greensmith
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,211 @@
+# Confidant
+
+This is a client for [Confidant](https://lyft.github.io/confidant), an open source secret management service.
+
+[![Gem](https://img.shields.io/gem/v/confidant.svg)](https://rubygems.org/gems/confidant)
+[![Travis](https://img.shields.io/mgreensmith/confidant-client-ruby.svg)](https://travis-ci.org/mgreensmith/confidant-client-ruby)
+
+## Installation
+
+    $ gem install confidant
+
+## Configuration
+
+This client is compatible with the config file format of the [official Python client](https://lyft.github.io/confidant/basics/client/); it should be a drop-in replacement.
+
+The client will automatically look in `~/.confidant` and `/etc/confidant/config` for its configuration. Alternate config files can be specified via the `--config-files` (Ruby `:config_files`) option. Config files can be YAML or JSON format.
+
+The configuration file supports profiles, which let you specify multiple environments in the same file. The default profile is `default`, an alternate profile can be specified with the `--profile` (Ruby: `:profile`) option.
+
+The client does not merge config from multiple files; it expects to find a configuration block for the specified profile in the first file it finds.
+
+The following configuration is supported, with the listed defaults. Some defaults differ from the official Python client, namely `user_type` and `region`. Additionally, this client supports per-command configuration: options provided within config keys named for a CLI command (or `Confidant::Client` method) will be used as to configure that command.
+
+```yaml
+default:
+
+  # URL of the confidant server.
+  url: nil
+
+  # The KMS auth key to use. i.e. alias/authnz-production
+  auth_key: nil
+
+  # Note: unlike the official Python client, this client configures
+  # encryption-context-related options in the top-level config.
+
+  # The IAM role or user to authenticate with. i.e. myservice-production or myuser
+  from: nil
+
+  # The IAM role name of confidant. i.e. confidant-production
+  to: nil
+
+  # The confidant user-type to authenticate as. i.e. user or service
+  user_type: service
+
+  # Provided for compatibility with the official Python client.
+  # Any configured options in auth_context will be flattened into
+  # the top-level config, and will override provided top-level values.
+  auth_context:
+    from: nil
+    to: nil
+    user_type: service
+
+  # The token lifetime, in minutes.
+  token_lifetime: 10
+
+  # The version of the KMS auth token.
+  token_version: 2
+
+  # Use the specified AWS region for authentication.
+  region: us-east-1
+
+  # Example of per-command configuration for the get_service command
+  # get_service:
+  #   service: my-service
+
+  # Not yet implemented in this client, will be ignored if provided:
+  # retries: 0
+  # backoff: 1
+  # token_cache_file: '/run/confidant/confidant_token'
+  # assume_role: nil
+```
+
+When using the CLI, CLI-provided option flags are merged with config file options, with CLI options taking precedence.
+
+When using the client as a Ruby library, options passed as parameters to `Confidant.configure` are merged with config file options, with parameter options taking precedence.
+
+## CLI Usage
+
+```
+NAME
+    confidant - Client for Confidant, an open source secret management system
+
+SYNOPSIS
+    confidant [global options] command [command options] [arguments...]
+
+VERSION
+    0.1.0
+
+GLOBAL OPTIONS
+    --config-files=arg       - Comma separated list of configuration files to use (default: ~/.confidant,/etc/confidant/config)
+    --from=arg               - The IAM role or user to authenticate with. i.e. myservice-production or myuser (default: none)
+    --help                   - Show this message
+    -k, --auth-key=arg       - The KMS auth key to use. i.e. alias/authnz-production (default: none)
+    -l, --token-lifetime=arg - The token lifetime, in minutes. (default: none)
+    --log-level=arg          - Logging verbosity. (default: info)
+    --profile=arg            - Configuration profile to use. (default: default)
+    --region=arg             - Use the specified region for authentication. (default: none)
+    --to=arg                 - The IAM role name of confidant. i.e. confidant-production (default: none)
+    --token-version=arg      - The version of the KMS auth token. (default: none)
+    -u, --url=arg            - URL of the confidant server. (default: none)
+    --user-type=arg          - The confidant user-type to authenticate as. i.e. user or service (default: none)
+    --version                - Display the program version
+
+COMMANDS
+    get_service - Get credentials for a service
+    help        - Shows a list of commands or help for one command
+    show_config - Show the current config
+```
+
+The CLI returns JSON to `STDOUT`, for drop-in compatibility with the official Python client.
+
+Logs are written to `STDERR` by default. TO write logs to a file, redirect `STDERR` output:
+
+```
+confidant 2>/some/log/file
+```
+
+## Library Usage
+
+Require the client.
+
+```ruby
+require 'confidant'
+```
+
+### Configuration
+
+Configure the library via `Confidant.configure`.
+
+An insufficiently-specified config, or any errors during configuration, will raise `Confidant::ConfigurationError`
+
+```ruby
+# Configure Confidant using options from config file only:
+Confidant.configure
+
+# Or provide options as parameters, which will be merged onto
+# the options from the config file, with parameter options
+# taking precedence:
+Confidant.configure(
+    auth_key: 'alias/authnz-production',
+    from: 'myservice-production',
+    to: 'confidant-production',
+    get_service: {
+        service: 'myservice-production'
+    }
+)
+```
+
+### Get Service
+
+Get credentials for a service from the Confidant server via `Confidant.get_service`
+
+JSON responses from the server are returned as Ruby `Hash`es.
+
+```ruby
+# If a service name was provided in config,
+# i.e. `get_service: { service: 'my-service' }`,
+# `get_service` will get that service's credentials:
+Confidant.get_service
+=> {"account"=>nil,
+ "blind_credentials"=>[],
+ "credentials"=>
+  [{"credential_pairs"=>{"my_fancy_secret"=>"I love cats!", "something_is"=>"A super secret!"},
+<SNIP>
+
+# Or, provide a service name via parameter:
+Confidant.get_service('my-service')
+```
+
+### Multiple Clients
+
+Use multiple client instances with different configurations simultaneously by instantiating `Confidant::Configurator` and `Confidant::Client` directly:
+
+```ruby
+default_config = Confidant::Configurator.new
+default_client = Confidant::Client.new(default_config)
+default_client.get_service('my-service')
+
+production_config = Confidant::Configurator.new(profile: 'production')
+production_client = Confidant::Client.new(production_config)
+production_client.get_service('my-service-production')
+```
+
+## WARNING
+
+This client is pre-alpha, and does not have feature parity with the official Python client!
+
+#### Things that work
+
+- The `get_service` CLI command (`Client.get_service`) can fetch service credentials from a Confidant server using a v2 KMS authentication token.
+- All currently-available CLI options are correctly configurable.
+
+#### Things that have not been implemented yet
+
+- Any other CLI command, notably everything to do with server-blinded credentials
+- API retries/backoff
+- The `confidant-format` formatter
+- KMS v1 auth tokens
+- Token caching
+- Assuming an IAM role
+- MFA tokens
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/mgreensmith/confidant-client-ruby.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/bin/confidant

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+require 'confidant'
+require 'confidant/cli'
+
+exit Confidant::CLI.run(ARGV)

data/lib/confidant.rb

@@ -0,0 +1,40 @@
+require 'logging'
+
+include Logging.globally(:log)
+
+require 'confidant/version'
+
+# This is a set of client libs for Confidant
+module Confidant
+  Logging.logger.root.appenders = Logging.appenders.stderr
+  Logging.logger.root.level = :info
+
+  # An invalid configuration was provided
+  class ConfigurationError < StandardError
+  end
+
+  require 'confidant/configurator'
+  require 'confidant/client'
+
+  module_function
+
+  ### Wrap common workflow into module methods for end-user simplicity.
+
+  def configure(config = {})
+    @configurator = Configurator.new(config)
+  end
+
+  def get_service(service = nil)
+    unless @configurator
+      raise ConfigurationError, 'Not configured, run Confidant.configure'
+    end
+    Client.new(@configurator).get_service(service)
+  end
+
+  def log_exception(klass, ex)
+    klass.log.error("#{ex.class} : #{ex.message}")
+    ex.backtrace.each do |frame|
+      klass.log.debug("\t#{frame}")
+    end
+  end
+end

data/lib/confidant/cli.rb

@@ -0,0 +1,135 @@
+require 'yaml'
+require 'gli'
+
+module Confidant
+  # Creates a CLI that fronts the Confidant client
+  class CLI
+    extend GLI::App
+
+    program_desc 'Client for Confidant, an open source secret management system'
+    version Confidant::VERSION
+
+    ### Global configuration options
+
+    # 'flag' options take params
+
+    desc 'Comma separated list of configuration files to use'
+    flag 'config-files', default_value:
+      Confidant::Configurator::DEFAULT_OPTS[:config_files].join(',')
+
+    desc 'Configuration profile to use.'
+    flag 'profile', default_value:
+      Confidant::Configurator::DEFAULT_OPTS[:profile]
+
+    desc 'Logging verbosity.'
+    flag 'log-level', default_value:
+      Confidant::Configurator::DEFAULT_OPTS[:log_level]
+
+    desc 'URL of the confidant server.'
+    flag %w(u url)
+
+    desc 'The KMS auth key to use. i.e. alias/authnz-production'
+    flag ['k', 'auth-key']
+
+    desc 'The token lifetime, in minutes.'
+    flag ['l', 'token-lifetime']
+
+    desc 'The version of the KMS auth token.'
+    flag 'token-version'
+
+    desc 'The IAM role or user to authenticate with. ' \
+         'i.e. myservice-production or myuser'
+    flag 'from'
+
+    desc 'The IAM role name of confidant. i.e. confidant-production'
+    flag 'to'
+
+    desc 'The confidant user-type to authenticate as. i.e. user or service'
+    flag 'user-type'
+
+    desc 'Use the specified region for authentication.'
+    flag 'region'
+
+    # TODO: Implement support for these.
+
+    # desc 'Assume the specified IAM role.'
+    # flag 'assume-role'
+
+    # desc 'Number of retries that should be attempted on ' \
+    #      'confidant server errors.'
+    # flag 'retries'
+
+    # 'switch' options are booleans
+
+    # desc 'Prompt for an MFA token.'
+    # switch 'mfa'
+
+    ### Commands
+
+    desc 'Get credentials for a service'
+    command :get_service do |c|
+      c.desc 'The service to get.'
+      c.flag 'service'
+
+      c.action do |_global_options, _options, _|
+        log.debug 'Running get_service command'
+        client = Confidant::Client.new(@configurator)
+        client.suppress_errors
+        puts JSON.pretty_generate(client.get_service)
+      end
+    end
+
+    desc 'Show the current config'
+    command :show_config do |c|
+      c.action do |_global_options, _options, _|
+        puts @configurator.config.to_yaml
+      end
+    end
+
+    ### Hooks
+
+    pre do |global_options, command, options, _|
+      Logging.logger.root.level = global_options['log-level'].to_sym
+
+      opts = clean_opts(global_options)
+      opts[command.name] = clean_opts(options) if options
+
+      log.debug "Parsed CLI options: #{opts}"
+      @configurator = Confidant::Configurator.new(opts, command.name)
+    end
+
+    on_error do |ex|
+      Confidant.log_exception(self, ex)
+      false # return false to suppress standard message
+    end
+
+    ### Helper methods
+
+    # Try and clean up GLI's output into something useable.
+    def self::clean_opts(gli_opts)
+      # GLI provides String and Symbol keys for each flag/switch.
+      # We want the String keys (because some of our flags have dashes,
+      # and GLI makes :"dash-keys" symbols which need extra work to clean)
+      string_opts = gli_opts.select { |k, _| k.is_a?(String) }
+
+      # Convert the dashes in key names to underscores and symbolize the keys.
+      opts = {}
+      string_opts.each_pair { |k, v| opts[k.tr('-', '_').to_sym] = v }
+
+      # Convert :config_files into an array.
+      if opts[:config_files]
+        opts[:config_files] = opts[:config_files].split(',')
+      end
+
+      # Remove unneeded hash pairs:
+      # - nils: GLI returns 'nil' default for non-specified flag-type opts
+      # - false: GLI returns 'false' default for non-specified switch-type opts
+      # Removing false values also removes GLI's :help and :version keys
+      # - single-letter keys: these opts all have longer-form doppelgangers
+      opts.delete_if { |k, v| v.nil? || v == false || k.length == 1 }
+
+      #  Now, only defaulted and explicitly-specified options remain.
+      opts
+    end
+  end
+end

data/lib/confidant/client.rb

@@ -0,0 +1,137 @@
+require 'json'
+require 'base64'
+require 'aws-sdk-core'
+require 'rest-client'
+
+require 'confidant/configurator'
+
+module Confidant
+  # The Confidant Client implementation
+  class Client
+    TOKEN_SKEW_SECONDS = 3 * 60
+    TIME_FORMAT = '%Y%m%dT%H%M%SZ'.freeze
+
+    attr_accessor :config
+
+    # Initialize with a +configurator+, which is
+    # an instance of Confidant::Configurator
+    def initialize(configurator)
+      @config = configurator.config
+      @kms = Aws::KMS::Client.new(region: config[:region])
+      @suppress_errors = false
+    end
+
+    # Return a Hash of credentials from the confidant API
+    # for +service+, either explicitly-provided, or from config.
+    def get_service(service = nil)
+      log.debug "Requesting #{api_service_url(service_name(service))} " \
+                "as user #{api_user}"
+      response = RestClient::Request.execute(
+        method: :get,
+        url: api_service_url(service_name(service)),
+        user: api_user,
+        password: generate_token,
+        headers: {
+          user_agent: RestClient::Platform.default_user_agent.prepend(
+            "confidant-client/#{Confidant::VERSION} "
+          )
+        }
+      )
+
+      JSON.parse(response.body)
+    rescue => ex
+      Confidant.log_exception(self, ex)
+      @suppress_errors ? api_error_response : raise
+    end
+
+    # The Python client suppresses API errors,
+    # returning { result: false } instead.
+    # Mimic this behavior based on the truthiness of +enable+.
+    # This is generally only called from Confidant::CLI
+    def suppress_errors(enable = true)
+      @suppress_errors = enable
+      true
+    end
+
+    private
+
+    # Return the name of the service for which we
+    # should fetch credentials from the confidant API.
+    # Returns +service+ if provided, or the config
+    # value at @config[:get_service][:service]
+    # Raises +ConfigurationError+ if no service was
+    # provided or configured.
+    def service_name(service = nil)
+      return service unless service.nil?
+      if @config[:get_service] && @config[:get_service][:service]
+        return @config[:get_service][:service]
+      end
+      raise ConfigurationError,
+            'Service name must be specified, or provided in config as ' \
+            '{get_service: { service: \'my-service\' }'
+    end
+
+    # Return the name of the user that will connect to the confidant API
+    # TODO(v1-auth-support): Support v1-style user names.
+    def api_user
+      format(
+        '%s/%s/%s',
+        @config[:token_version],
+        @config[:user_type],
+        @config[:from]
+      )
+    end
+
+    # The URL to get credentials for +service+ from the Confidant server.
+    def api_service_url(service)
+      format('%s/v1/services/%s', @config[:url], service)
+    end
+
+    # The falsey response to return when
+    # @suppress_errors is true,
+    # rather than raising exceptions.
+    def api_error_response
+      { 'result' => 'false' }
+    end
+
+    # The content of a confidant auth token payload,
+    # to be encrypted by KMS.
+    def token_payload
+      now = Time.now.utc
+
+      start_time = (now - TOKEN_SKEW_SECONDS)
+
+      end_time = (
+        now - TOKEN_SKEW_SECONDS +
+        (@config[:token_lifetime].to_i * 60)
+      )
+
+      { not_before: start_time.strftime(TIME_FORMAT),
+        not_after: end_time.strftime(TIME_FORMAT) }.to_json
+    end
+
+    # Return an auth token for the confidant service,
+    # encrypted via KMS.
+    def generate_token
+      # TODO(v1-auth-support): Handle the different encryption_context
+      if @config[:token_version].to_i != 2
+        raise ConfigurationError,
+              'This client only supports KMS v2 auth tokens.'
+      end
+
+      encrypt_params = {
+        key_id: @config[:auth_key],
+        plaintext: token_payload,
+        encryption_context: {
+          to: @config[:to],
+          from: @config[:from],
+          user_type: @config[:user_type]
+        }
+      }
+
+      log.debug "Asking KMS to encrypt: #{encrypt_params}"
+      resp = @kms.encrypt(encrypt_params)
+      Base64.strict_encode64(resp.ciphertext_blob)
+    end
+  end
+end

data/lib/confidant/configurator.rb

@@ -0,0 +1,148 @@
+require 'yaml'
+require 'active_support/hash_with_indifferent_access'
+
+module Confidant
+  # Builds configuration for the Confidant client
+  class Configurator
+    # Default configration options for the Confidant module
+    # and this Configurator class, and not for the Client.
+    # Pass these through to the CLI for use in the `pre` hook,
+    # and strip them out of the final config hash used by the Client.
+    DEFAULT_OPTS = {
+      config_files: %w(~/.confidant /etc/confidant/config),
+      profile: 'default',
+      log_level: 'info'
+    }.freeze
+
+    # Default configuration options for the Client.
+    DEFAULTS = {
+      token_lifetime: 10,
+      token_version: 2,
+      user_type: 'service',
+      region: 'us-east-1'
+    }.freeze
+
+    # Keys that must exist in the final config in order for
+    # the Client to be able to function.
+    MANDATORY_CONFIG_KEYS = {
+      global: [:url, :auth_key, :from, :to],
+      get_service: [:service]
+    }.freeze
+
+    attr_reader :config
+
+    # Instantiate with a hash of configuration +opts+,and optionally
+    # the name of a +command+ that may have mandatory config options
+    # that should be validated along with the global config.
+    def initialize(opts = {}, command = nil)
+      configure(opts, command)
+    end
+
+    # Given a hash of configuration +opts+, and optionally the name
+    # of a +command+ that may have mandatory config options
+    # that should be validated along with the global config,
+    # load configuration from files, merge config keys together,
+    # and validate the presence of sufficient top-level config keys
+    # and command-specific config keys to be able to use the client.
+    #
+    # Saves and returns the final merged config.
+    def configure(opts, command = nil)
+      # Merge 'opts' onto DEFAULT_OPTS so that we can self-configure.
+      # This is a noop if we were called from CLI,
+      # as those keys are defaults in GLI and guaranteed to exist in 'opts',
+      # but this is necessary if we were invoked as a lib.
+      config = DEFAULT_OPTS.dup.merge(opts)
+      log.debug "Local config: #{config}"
+
+      # Merge local config over the profile config from file.
+      config = profile_config(
+        config[:config_files],
+        config[:profile]
+      ).dup.merge(config)
+
+      # We don't need any of the internal DEFAULT_OPTS any longer
+      DEFAULT_OPTS.keys.each { |k| config.delete(k) }
+
+      # Merge config onto local DEFAULTS
+      # to backfill any keys that are needed for KMS.
+      config = DEFAULTS.dup.merge(config)
+
+      @config = config
+      validate_config(command)
+      log.debug "Authoritative config: #{config}"
+      @config
+    end
+
+    # Validate the instance's @config for the presence of
+    # all global mandatory config keys. If +command+ is provided,
+    # validate the presence of all mandatory config keys specific
+    # to that command, otherwise validate that mandatory config keys
+    # exist for any command keys that exist in the top-level hash.
+    # Raises +ConfigurationError+ if mandatory config options are missing.
+    def validate_config(command = nil)
+      missing_keys = MANDATORY_CONFIG_KEYS[:global] - @config.keys
+
+      commands_to_verify = if command
+                             [command.to_sym]
+                           else
+                             (MANDATORY_CONFIG_KEYS.keys & @config.keys)
+                           end
+
+      commands_to_verify.each do |cmd|
+        missing = missing_keys_for_command(cmd)
+        next if missing.empty?
+        missing_keys << "#{cmd}[#{missing.join(',')}]"
+      end
+
+      return true if missing_keys.empty?
+      raise ConfigurationError,
+            "Missing required config keys: #{missing_keys.join(', ')}"
+    end
+
+    private
+
+    # Return a hash of the config for the provided +profile+ from
+    # the first-existing file in the provided array of +config_files+.
+    def profile_config(config_files, profile)
+      config = nil
+      config_files.each do |config_file|
+        next unless File.exist?(File.expand_path(config_file))
+        log.debug "found config file: #{config_file}"
+        config = profile_from_file(config_file, profile)
+        break
+      end
+      log.debug "Profile config: #{config}"
+      config || {}
+    end
+
+    # Given the pathname of a YAML or JSON +config_file+ and the name
+    # of a config +profile+ within that file, load the file and
+    # return a +Hash+ of the contents of that profile key.
+    def profile_from_file(config_file, profile)
+      content = YAML.load_file(File.expand_path(config_file))
+
+      # Fetch options from file for the specified profile
+      unless content.key?(profile)
+        raise ConfigurationError,
+              "Profile '#{profile}' not found in '#{config_file}"
+      end
+      profile_config = content[profile].symbolize_keys!
+
+      # Merge the :auth_context keys into the top-level hash.
+      profile_config.merge!(profile_config[:auth_context].symbolize_keys!)
+      profile_config.delete_if { |k, _| k == :auth_context }
+      profile_config
+    end
+
+    # Given a +command+, return an +array+ of
+    # the key names from MANDATORY_CONFIG_KEYS for that command,
+    # that are not present in the current @config
+    def missing_keys_for_command(command)
+      mandatory_keys = MANDATORY_CONFIG_KEYS[command] || []
+      return [] if mandatory_keys.empty?
+      return mandatory_keys unless @config[command] &&
+                                   @config[command].is_a?(Hash)
+      mandatory_keys - @config[command].keys
+    end
+  end
+end

data/lib/confidant/version.rb

@@ -0,0 +1,3 @@
+module Confidant
+  VERSION = '0.1.0'.freeze
+end

data/spec/confidant/client_spec.rb

@@ -0,0 +1,92 @@
+require 'spec_helper'
+
+describe Confidant::Client do
+  before do
+    Logging.logger.root.appenders = nil
+
+    config = {
+      user_type: 'philosopher',
+      from: 'hypatia',
+      to: 'aedesia',
+      region: 'alexandria',
+      auth_key: 'astrolabe',
+      url: 'athens',
+      token_version: 2
+    }
+
+    @client = Confidant::Client.new(Confidant::Configurator.new(config))
+
+    allow(RestClient::Platform)
+      .to receive(:default_user_agent).and_return('sextant')
+
+    stub_const('Confidant::VERSION', '999')
+  end
+
+  context '#get_service' do
+    before do
+      allow_any_instance_of(Confidant::Client)
+        .to receive(:generate_token).and_return('tympan')
+    end
+
+    it 'can get credentials for a service from the API' do
+      allow_any_instance_of(Confidant::Client)
+        .to receive(:generate_token).and_return('tympan')
+
+      api_response = double
+      expect(api_response).to receive(:body).and_return('{ "hello": "world" }')
+
+      expect(RestClient::Request).to receive(:execute).with(
+        method: :get,
+        url: 'athens/v1/services/oracle',
+        user: '2/philosopher/hypatia',
+        password: 'tympan',
+        headers: { user_agent: 'confidant-client/999 sextant' }
+      ).and_return(api_response)
+
+      expect(@client.get_service('oracle')).to eq('hello' => 'world')
+    end
+
+    it 'does not suppress errors by default' do
+      expect(RestClient::Request).to receive(:execute).and_raise(StandardError)
+      expect { @client.get_service('oracle') }.to raise_error(StandardError)
+    end
+
+    it 'suppresses errors if @suppress_errors is true' do
+      expect(RestClient::Request).to receive(:execute).and_raise(StandardError)
+      @client.suppress_errors
+      expect(@client.get_service('oracle')).to eq('result' => 'false')
+    end
+  end
+
+  context '#generate_token' do
+    it 'can generate a v2 auth token' do
+      kms_response = double
+      expect(kms_response).to receive(:ciphertext_blob).and_return('12345')
+
+      allow_any_instance_of(Aws::KMS::Client)
+        .to receive(:encrypt).and_return(kms_response)
+
+      # Expect Bas64-encoded :ciphertext_blob
+      expect(@client.send(:generate_token)).to eq('MTIzNDU=')
+    end
+
+    it 'raises if a v1 token is requested' do
+      @client.config[:token_version] = 1
+      expect { @client.send(:generate_token) }
+        .to raise_error(Confidant::ConfigurationError)
+    end
+  end
+
+  context '#service_name' do
+    it 'returns a provided service name from parameter' do
+      @client.config[:get_service] = { service: 'aristotle' }
+      expect(@client.send(:service_name, 'plato')).to eq('plato')
+      expect(@client.send(:service_name)).to eq('aristotle')
+    end
+
+    it 'raises if a service name was not provided or configured' do
+      expect { @client.send(:service_name) }
+        .to raise_error(Confidant::ConfigurationError)
+    end
+  end
+end

data/spec/confidant_spec.rb

@@ -0,0 +1,27 @@
+require 'spec_helper'
+
+describe Confidant do
+  it 'has a version number' do
+    expect(Confidant::VERSION).not_to be nil
+  end
+
+  context 'module workflow' do
+    it 'exposes #configure' do
+      expect(Confidant).to respond_to(:configure).with(0..1).arguments
+    end
+
+    it 'exposes #get_service' do
+      expect(Confidant).to respond_to(:configure).with(0..1).arguments
+    end
+  end
+
+  it 'has a #log_exception helper' do
+    expect(Confidant).to respond_to(:log_exception).with(2).arguments
+  end
+end
+
+describe Confidant::ConfigurationError do
+  it 'subclasses StandardError' do
+    expect(Confidant::ConfigurationError).to be_kind_of(StandardError.class)
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,9 @@
+$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
+
+require 'simplecov'
+SimpleCov.start do
+  add_filter '/spec/'
+end
+
+require 'confidant'
+require 'confidant/cli'

metadata

@@ -0,0 +1,225 @@
+--- !ruby/object:Gem::Specification
+name: confidant
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Matt Greensmith
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-12-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: gli
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.14'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.14'
+- !ruby/object:Gem::Dependency
+  name: logging
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+- !ruby/object:Gem::Dependency
+  name: rest-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.46'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.46'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+- !ruby/object:Gem::Dependency
+  name: gem-release
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+description: 
+email:
+- matt@mattgreensmith.net
+executables:
+- confidant
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- bin/confidant
+- lib/confidant.rb
+- lib/confidant/cli.rb
+- lib/confidant/client.rb
+- lib/confidant/configurator.rb
+- lib/confidant/version.rb
+- spec/confidant/client_spec.rb
+- spec/confidant_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/mgreensmith/confidant-client-ruby
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: A CLI and client library for the Confidant secret management service.
+test_files: []