configuration_service-provider-vault 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: b6fbf02628baa05b01e86460e79683b31a4614ed
+  data.tar.gz: 38593989390fd441064766c7d22b3c8a7643a5c1
+SHA512:
+  metadata.gz: acc301f249f02ec8189bb905258dce1b22c55d13e794bca1628697d9c8c4b0b25f5704d8793f74e5ac7f7f17b85aef7fc28ae3bfcded3a8081688213afb967f6
+  data.tar.gz: ec587b1fea57526fbdc0adbdddbeeb53d10cb210eef6449acb41d66797ace6c80066d4665a95957d8e2621d717e98f1204b6c299d993dbc9954aca984e124e83

data/.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'configuration_service/provider/vault/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "configuration_service-provider-vault"
+  spec.version       = ConfigurationService::Provider::Vault::VERSION
+  spec.authors       = ["Sheldon Hearn"]
+  spec.email         = ["sheldonh@starjuice.net"]
+
+  spec.summary       = %q{Vault provider for Configuration Service}
+  spec.description   = %q{A HashiCorp Vault provider for the Configuration Service}
+  spec.homepage      = "http://www.hetzner.co.za"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "vault", "~> 0.1"
+  spec.add_dependency "configuration_service", "~> 1.1.0"
+  spec.add_development_dependency "bundler", "~> 1.10"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "cucumber", "~> 2.0"
+  spec.add_development_dependency "rspec-expectations", "~> 3.3"
+end

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.2.2
+before_install: gem install bundler -v 1.10.3

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in configuration_service-vault.gemspec
+gemspec

data/README.md

@@ -0,0 +1,77 @@
+# ConfigurationService::Provider::Vault
+
+A service provider for the Ruby [ConfigurationService API](https://rubygems.org/gems/configuration_service).
+
+
+## Usage
+
+The recommended approach to creating a configuration service client is to use a factory
+from the [configuration_service](https://rubygems.org/gems/configuration_service) gem.
+See the documentation for the ConfigurationService::Factory package for a list of
+available factories.
+
+For example, we can use the ConfigurationService::Factory::EnvironmentContext factory
+to create and configure a configuration service client backed by the vault provider as
+follows.
+
+Our `main.rb` (or `config.ru` or whatever) is simple:
+
+```ruby
+require 'bundler'
+Bundler.require(:default)
+
+service = ConfigurationService::Factory::EnvironmentContext.create
+if configuraton = service.request_configuration
+  AcmeApplication.new(configuration.data).run
+else
+  raise "configuration not found"
+end
+```
+
+This relies on a [bundler](http://bundler.io) Gemfile to provide the
+configuration\_service-provider-vault gem:
+
+```ruby
+source 'https://rubygems.org'
+
+gem 'configuration_service-provider-vault'
+gem 'acme_application'
+```
+
+Now we use the process environment to configure the EnvironmentContext factory:
+
+```shell
+  CFGSRV_IDENTIFIER="acme" \
+  CFGSRV_TOKEN="0b2a80f4-54ce-45f4-8267-f6558fee64af" \
+  CFGSRV_PROVIDER="vault" \
+  CFGSRV_PROVIDER_ADDRESS="http://127.0.0.1:8200" \
+  bundle exec main.rb
+```
+
+Note that `main.rb` is completely decoupled from the selection of provider and
+provider configuration. We could swap and/or reconfigure the provider by
+manipulating only the Gemfile and the environment.
+
+If you insist on hard-coding everything, or if your strategy for bootstrapping
+the configuration service isn't expressed by an existing factory yet, you can
+construct the service yourself:
+
+```ruby
+# Bad example
+
+require 'configuration_service/provider/vault'
+require 'acme_application'
+
+service = ConfigurationService.new(
+  "acme",
+  "0b2a80f4-54ce-45f4-8267-f6558fee64af",
+  ConfigurationService::Provider::Vault.new(
+    address: "http://127.0.0.1:8200"
+  )
+)
+if configuraton = service.request_configuration
+  AcmeApplication.new(configuration.data).run
+else
+  raise "configuration not found"
+end
+```

data/Rakefile

@@ -0,0 +1,77 @@
+require "bundler/gem_tasks"
+
+desc "Test the Vault provider for Configuration Service against a Vault development server"
+task :test do
+  with_devserver do
+    Rake::Task["just_test"].invoke
+  end
+end
+
+desc "Run cucumber without starting a Vault development server"
+task :just_test do
+  gem = Gem::Specification.find_by_name("configuration_service")
+  features_path = gem.full_gem_path + "/features"
+  sh %{TEST_ORCHESTRATION_PROVIDER=vault bundle exec cucumber -r #{features_path} -r ./features/support #{features_path}}
+end
+
+def with_devserver
+  assert_no_vault_server
+  devserver_start
+  begin
+    yield
+  ensure
+    devserver_stop
+  end
+end
+
+def assert_no_vault_server
+  require "socket"
+
+  begin
+    Socket.tcp('127.0.0.1', 8200).close
+    raise "can't start devserver; localhost already listening on TCP port 8200"
+  rescue Errno::ECONNREFUSED
+  end
+end
+
+def devserver_start
+  require "open3"
+
+  channel, notify = IO.pipe
+
+  fork do
+    channel.close
+    begin
+      _, stdout, _, wait_thr = Open3.popen3("vault server -dev")
+    rescue
+      notify.puts("Process.exit(0)")
+      raise
+    end
+
+    vault_pid = wait_thr[:pid]
+    notify.puts("ENV['VAULT_PID']='#{vault_pid}'")
+    while line = stdout.gets
+      line.chomp!
+      if line =~ /export VAULT_ADDR='([^']+)'/
+        notify.puts("ENV['VAULT_ADDR']='#{$1}'")
+      elsif line =~ /^Root Token: (.+)/
+        notify.puts("ENV['VAULT_TOKEN']='#{$1}'")
+        notify.close
+        break
+      end
+    end
+    Process.detach(vault_pid)
+    Process.exit(0)
+  end
+
+  notify.close
+  while line = channel.gets
+    line.chomp!
+    eval line
+  end
+  %w[VAULT_PID VAULT_ADDR VAULT_TOKEN].each { |s| $stderr.puts "export #{s}='#{ENV[s]}'" }
+end
+
+def devserver_stop
+  Process.kill("TERM", ENV['VAULT_PID'].to_i)
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "configuration_service/vault"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/configuration_service/provider/vault.rb

@@ -0,0 +1,98 @@
+require "configuration_service"
+require "vault"
+require "json"
+require "time"
+
+require_relative "vault/index_helper"
+
+module ConfigurationService
+
+  module Provider
+
+    class Vault
+
+      def initialize(address:)
+        @vault = ::Vault::Client.new(address: address)
+      end
+
+      def request_configuration(identifier, token)
+        authenticate(token)
+
+        adapt_exceptions do
+          if revision = get_latest_revision(identifier)
+            index = build_index(identifier, revision)
+            if response = @vault.logical.read(index)
+              data, metadata = JSON.parse(response.data[:data]), JSON.parse(response.data[:metadata])
+              ConfigurationService::Configuration.new(identifier, data, metadata)
+            end
+          end
+        end
+      end
+
+      def publish_configuration(configuration, token)
+        authenticate(token)
+
+        identifier, data, metadata = configuration.identifier, configuration.data, configuration.metadata
+        revision = metadata["revision"] or raise "can't publish configuration without revision in metadata"
+
+        adapt_exceptions do
+          index = build_index(identifier, revision)
+          @vault.logical.write(index, data: JSON.generate(data), metadata: JSON.generate(metadata), format: "json")
+          set_latest_revision(identifier, metadata["revision"])
+          ConfigurationService::Configuration.new(identifier, data, metadata)
+        end
+      end
+
+      def key(identifier)
+        self.class.key(identifier)
+      end
+
+      private
+
+        # We explicitly disallow a nil token to defeat ::Vault::Client's default behaviour
+        # of reading ENV['VAULT_TOKEN'] and ~/.vault-token, which makes testing harder.
+        #
+        def authenticate(token)
+          token or raise ConfigurationService::AuthorizationError, "non-nil token required"
+          @vault.token = token
+        end
+
+        def adapt_exceptions
+          yield
+        rescue ::Vault::MissingTokenError
+          raise ConfigurationService::AuthorizationError, "missing token"
+        rescue ::Vault::HTTPError => ex
+          if ex.errors.include?("permission denied")
+            raise ConfigurationService::AuthorizationError, "permission denied"
+          else
+            raise
+          end
+        rescue ::Vault::VaultError => ex
+          raise ConfigurationService::Error, ex.message
+        end
+
+        def get_latest_revision(identifier)
+          if response = @vault.logical.read(latest_index(identifier))
+            response.data[:revision]
+          end
+        end
+
+        def set_latest_revision(identifier, revision)
+          @vault.logical.write(latest_index(identifier), revision: revision)
+        end
+
+        def latest_index(identifier)
+          IndexHelper.index(identifier)
+        end
+
+        def build_index(identifier, revision)
+          IndexHelper.index(identifier, revision)
+        end
+
+    end
+
+  end
+
+end
+
+ConfigurationService::ProviderRegistry.instance.register("vault", ConfigurationService::Provider::Vault)

data/lib/configuration_service/provider/vault/index_helper.rb

@@ -0,0 +1,25 @@
+module ConfigurationService
+
+  module Provider
+
+    class Vault
+
+      module IndexHelper
+
+        PREFIX = "secret/config/v1"
+
+        def self.index(identifier, revision = "latest")
+          "#{policy_index(identifier)}/#{revision}"
+        end
+
+        def self.policy_index(identifier)
+          "#{PREFIX}/#{identifier}"
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/configuration_service/provider/vault/version.rb

@@ -0,0 +1,13 @@
+module ConfigurationService
+
+  module Provider
+
+    class Vault
+
+      VERSION = "1.0.0"
+
+    end
+
+  end
+
+end

metadata

@@ -0,0 +1,139 @@
+--- !ruby/object:Gem::Specification
+name: configuration_service-provider-vault
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Sheldon Hearn
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2015-08-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: vault
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: configuration_service
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: cucumber
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+description: A HashiCorp Vault provider for the Configuration Service
+email:
+- sheldonh@starjuice.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gemspec"
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/configuration_service/provider/vault.rb
+- lib/configuration_service/provider/vault/index_helper.rb
+- lib/configuration_service/provider/vault/version.rb
+homepage: http://www.hetzner.co.za
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: Vault provider for Configuration Service
+test_files: []
+has_rdoc: