configuration_service-provider-vault 2.0.4 → 2.0.5

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    Y2RjOWIxOThiMjQ3ZDNiZTZhN2ViNTA5NTY0MzFiYzEwNWEyN2NkYw==
-  data.tar.gz: !binary |-
-    MzZkN2FjOWFjMTM0OTgyYWRkYjk3M2ZiZmQwY2YwMGNkNjIwMWM5Yw==
+SHA1:
+  metadata.gz: 4ad0eb637e553d43cb8c83d0f37b73a8eef4b51d
+  data.tar.gz: 2eaeb61b37d37204bf4b6108dbe2722181ef40e7
 SHA512:
-  metadata.gz: !binary |-
-    YjI5YmFhOWFhZWVlNzg4MTY5YjFhMmU5YWFjYzU0YzA0NGUyY2ZhNGM3OTIz
-    MGRlNjZhYmQxZmJmOTQ2Mzc0OGI2MDI0MTAzODIxYWU3YjhkN2U0MDIzZTk4
-    MTk2Mjg4M2NhMzZjNmQ2NTM3Mjg4YzhiZmQxY2E5ZmJiMjAyZTQ=
-  data.tar.gz: !binary |-
-    NzcxNTIwNjE4OGY3N2IxOTM0N2IxYWVjNGVlMTQ1ZWMwZjMzYWZkMzY3MGJm
-    NGUwOGE0NjcwMTU5MGQ1ZGEyNWI3MGQ2ODIyZGMxMjc3ZTU1ZDdjYWZiYjk4
-    NTJjOTdmYWFlMDMyOTI1Y2VhNGJlMDExM2E2MDdlOGRmMGZhOGM=
+  metadata.gz: 9f929cbb7d1c471d498e411aa622f1d77ffe8f55157beb4bc94ff89d07d44d8c32442af3013efbfa7755c59af67c757983e1a9998a7839ee95cd0ae6b058d9f8
+  data.tar.gz: c5ac83991a366e0a8a07faf3ffa4ebbfcd9aa78d7360374dc1c9992bb365441e426014633344d770878ba3dfd464aff19ec71d131015cd2c85284f58d3575c64

data/.gemspec

@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency "vault", "~> 0.1"
   spec.add_dependency "configuration_service", "~> 2.0.0"
-  spec.add_development_dependency "bundler", "~> 1.10"
+  spec.add_development_dependency "bundler", "~> 1.7"
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "cucumber", "~> 2.0"
   spec.add_development_dependency "rspec-expectations", "~> 3.3"

data/.travis.yml

@@ -1,4 +1,10 @@
 language: ruby
 rvm:
+  - 1.9.3
+  - 2.0.0
   - 2.2.2
-before_install: gem install bundler -v 1.10.3
+before_install:
+  - rm -f vault_0.2.0_linux_amd64.zip
+  - wget https://dl.bintray.com/mitchellh/vault/vault_0.2.0_linux_amd64.zip
+  - unzip vault_0.2.0_linux_amd64.zip
+  - sudo mv vault /usr/local/bin/

data/.yardopts

@@ -0,0 +1,5 @@
+--no-private
+--exclude README.md
+--readme README.rdoc
+-
+features/*.feature

data/README.md

@@ -1,7 +1,31 @@
+[![Gem Version](https://badge.fury.io/rb/configuration_service-provider-vault.svg)](http://badge.fury.io/rb/configuration_service-provider-vault) [![Build Status](https://travis-ci.org/hetznerZA/configuration_service-provider-vault.svg?branch=master)](https://travis-ci.org/hetznerZA/configuration_service-provider-vault) [![Dependency Status](https://gemnasium.com/hetznerZA/configuration_service-provider-vault.svg)](https://gemnasium.com/hetznerZA/configuration_service-provider-vault)
+
 # ConfigurationService::Provider::Vault
 
-A service provider for the Ruby [ConfigurationService API](https://rubygems.org/gems/configuration_service).
+A [HashiCorp Vault](https://vaultproject.io) service provider
+for the Ruby [ConfigurationService API](https://github.com/hetznerZA/configuration_service).
+
+
+## Documentation
+
+For documentation of the released gems, see [rubydoc.info](http://www.rubydoc.info/gems/configuration_service-provider-vault).
+
+## Testing
+
+The `Rakefile` provides a default target that launches a development mode vault server.
+It requires that the vault executable be in the `PATH`.
+
+With that requirement satisfied, test as follows:
+
+```shell
+git clone git@github.com:hetznerZA/configuration_service-provider-vault.git
+cd configuration_service-provider-vault
+bundle install
+bundle exec rake
+```
 
+Note that the tests use cucumber features and support files from the `configuration_service` gem;
+do not be surprised when you find no feature files in the `features` subdirectory of this repo.
 
 ## Usage
 

data/README.rdoc

@@ -0,0 +1,47 @@
+= Vault configuration service provider
+
+A {https://vaultproject.io HashiCorp Vault} service provider for the Ruby configuration service API
+defined by {http://www.rubydoc.info/gems/configuration_service/ConfigurationService/Base ConfigurationService::Base}
+from the {https://rubygems.org/gems/configuration_service configuration_service gem}.
+
+The provider is defined in {ConfigurationService::Provider::Vault}.
+It is registered against the {http://www.rubydoc.info/gems/configuration_service/ConfigurationService/ProviderRegistry ConfigurationService::ProviderRegistry} with the identifier "vault".
+
+The provider's fulfillment of the API is tested using the configuration_service gem's declarative specification
+implemented with cucumber.
+This package includes an extension of {http://www.rubydoc.info/gems/configuration_service/ConfigurationService/Test/OrchestrationProvider ConfigurationService::Test::OrchestrationProvider}
+called {ConfigurationService::Test::VaultOrchestrationProvider},
+which is registered against the {http://www.rubydoc.info/gems/configuration_service/ConfigurationService/Test/OrchestrationProviderRegistry ConfigurationService::Test::OrchestrationProviderRegistry} with the identifier "vault".
+
+== Usage
+
+Our +main.rb+ (or +config.ru+ or whatever) is simple:
+
+  require 'bundler'
+  Bundler.require(:default)
+
+  config_service = ConfigurationService::Factory::EnvironmentContext.create
+  config = config_service.request_configuration
+
+  $stderr.puts "Using configuration #{configuration.identifier} #{configuration.metadata}..."
+  acme_config = AcmeConfig.new(configuration.data)
+  acme_config.validate!
+  AcmeApplication.new(acme_config).run
+
+We specify the +configuration_service-provider-vault+ gem in the {http://bundler.io/ bundler} {http://bundler.io/gemfile.html Gemfile}:
+
+  source 'https://rubygems.org'
+
+  gem 'configuration_service-provider-vault'
+  gem 'acme_application'
+
+Then we use the process environment to configure the configuration service factory:
+
+  CFGSRV_IDENTIFIER="acme" \
+  CFGSRV_TOKEN="0b2a80f4-54ce-45f4-8267-f6558fee64af" \
+  CFGSRV_PROVIDER="vault" \
+  CFGSRV_PROVIDER_ADDRESS="http://127.0.0.1:8200" \
+  bundle exec main.rb
+
+Note that +main.rb+ is completely decoupled from the selection of provider and provider configuration.
+We could swap out the Vault provider for some other provider by manipulating only the +Gemfile+ and the environment.

data/lib/configuration_service/provider/vault/path_helper.rb

@@ -20,18 +20,30 @@ module ConfigurationService
         PREFIX = "secret/config/v1" unless defined?(PREFIX)
 
         ##
-        # Returns the path for the given +revision+ of +identifier+
+        # Revision path
+        #
+        # @param [String] identifier
+        #   the unique identity of the configuration
+        # @param [String] revision
+        #   the unique metadata revision of the configuration
+        #
+        # @return [String] the Vault path for the +revision+ of +identifier+
         #
         def self.path(identifier, revision = "latest")
           "#{policy_path(identifier)}/#{revision}"
         end
 
         ##
-        # Returns the policy path for the given +identifier+
+        # Policy path
         #
         # Since policies must apply to all revisions of the identified configuration,
         # the policy path is necessarily broad.
         #
+        # @param [String] identifier
+        #   the unique identity of the configuration
+        #
+        # @return [String] the Vault path for all revisions for +identifier+
+        #
         def self.policy_path(identifier)
           "#{PREFIX}/#{identifier}"
         end

data/lib/configuration_service/provider/vault/version.rb

@@ -4,7 +4,7 @@ module ConfigurationService
 
     class Vault
 
-      VERSION = "2.0.4"
+      VERSION = "2.0.5"
 
     end
 

data/lib/configuration_service/provider/vault.rb

@@ -10,24 +10,38 @@ module ConfigurationService
   module Provider
 
     ##
-    # Vault provider for the configuration service
+    # Vault configuration service provider
     #
-    # Instances of this class are intended to be composed into a ConfigurationService::Base,
-    # usually by a ConfigurationService::Factory.
+    # Instances of this class are intended to be composed into a {http://www.rubydoc.info/gems/configuration_service/ConfigurationService/Base ConfigurationService::Base},
+    # usually by a {http://www.rubydoc.info/gems/configuration_service/ConfigurationService/Factory ConfigurationService::Factory}.
     #
     class Vault
 
+      ##
+      # @param [Hash] options
+      # @option options [String] :address {https://vaultproject.io HashiCorp Vault} HTTP service URL
       def initialize(options = {})
         address = options[:address] or raise ArgumentError, "missing required argument: address"
         @vault = ::Vault::Client.new(address: address)
       end
 
       ##
-      # Request configuration from Vault
+      # Request configuration
+      #
+      # The Vault secret path is composed by from the +identifier+ and the string "latest" using {ConfigurationService::Provider::PathHelper}.
+      #
+      # @param [String] identifier
+      #   the unique identity of the configuration
+      # @param [String] token
+      #   Vault token with +read+ permission on the composed secret path
+      #
+      # @return [ConfigurationService::Configuration] the configuration if found
+      # @return [nil] if the configuration for +identifier was not found
       #
-      # The Vault secret path is composed by PathHelper, using the +identifier+ and the string "latest".
+      # @raise [ConfigurationService::AuthorizationError] if the request was not allowed
+      # @raise [ConfigurationService::Error] if the request was allowed but failed
       #
-      # See #publish_configuration.
+      # @see #publish_configuration
       #
       def request_configuration(identifier, token)
         authenticate(token)
@@ -44,16 +58,26 @@ module ConfigurationService
       end
 
       ##
-      # Publish configuration to Vault
+      # Publish configuration
       #
-      # The configuration is written to a Vault path composed by PathHelper, using the configuration's
-      # +identifier+ and metadata +revision+ as the path. That path is then written to another path,
-      # also composed by PathHelper, using +identifier+ and the string "latest".
+      # The configuration data and metadata is written to a Vault path composed from the configuration's
+      # +identifier+ and metadata +revision+ by {ConfigurationService::Provider::PathHelper}.
+      # That path is then written to another path, composed from +identifier and the string "latest".
       #
       # This allows the current configuration to always be retrieved from a predictable path in Vault,
       # but preserves revision history of configuration.
       #
-      # TODO make revision history queryable (blocked by https://github.com/hashicorp/vault/issues/111)
+      # @param [ConfigurationService::Configuration] configuration
+      #   the configuration to publish
+      # @param [String] token
+      #   Vault token with +write+ permission on the composed secret path
+      #
+      # @return [ConfigurationService::Configuration] the published configuration
+      #
+      # @raise [ConfigurationService::AuthorizationError] if the request was not allowed
+      # @raise [ConfigurationService::Error] if the request was allowed but failed
+      #
+      # @todo make revision history queryable (blocked by https://github.com/hashicorp/vault/issues/111)
       #
       def publish_configuration(configuration, token)
         authenticate(token)

data/lib/configuration_service/test/vault_admin_client.rb

@@ -0,0 +1,150 @@
+require "configuration_service/provider/vault"
+require "vault"
+
+module ConfigurationService
+
+  module Test
+
+    ##
+    # Fixture helper for Vault test orchestration provider
+    #
+    # It bypasses the {ConfigurationService::Provider::Vault} configuration service provider and manipulates Vault directly.
+    #
+    # Never use this with a production Vault instance.
+    #
+    class VaultAdminClient
+
+      ##
+      # A new instance of VaultAdminClient
+      #
+      # It expects a development mode Vault instance listening at +http://127.0.0.1:8200+ and expects a root token for that
+      # instance in the +VAULT_TOKEN+ envinronment variable.
+      #
+      def initialize
+        @vault = ::Vault::Client.new
+      end
+
+      ##
+      # Delete configuration
+      #
+      # @param [String] identifier
+      #   the configuration identifier
+      #
+      def delete_configuration(identifier)
+        path = ConfigurationService::Provider::Vault::PathHelper.path(identifier)
+        @vault.logical.delete(path)
+      end
+
+      ##
+      # Create a Vault token to request configuration
+      #
+      # @param [String] identifier
+      #   the configuration identifier to authorize the token to read
+      #
+      # @return [String] the token
+      #
+      def consumer_token(identifier)
+        create_token_for(consumer_policy(identifier))
+      end
+
+      ##
+      # Create a Vault policy for requesting configuration
+      #
+      # @param [String] identifier
+      #   the configuration identifier to create the read policy for
+      #
+      # @return [String] the policy
+      #
+      def consumer_policy(identifier)
+        create_policy_for(identifier, "consumer", "read")
+      end
+
+      ##
+      # Create a Vault token to publish configuration
+      #
+      # @param [String] identifier
+      #   the configuration identifier to authorize the token to write
+      #
+      # @return [String] the token
+      #
+      def publisher_token(identifier)
+        create_token_for(publisher_policy(identifier))
+      end
+
+      ##
+      # Create a Vault policy for publishing configuration
+      #
+      # @param [String] identifier
+      #   the configuration identifier to create the write policy for
+      #
+      # @return [String] the policy
+      #
+      def publisher_policy(identifier)
+        create_policy_for(identifier, "publisher", "write")
+      end
+
+      ##
+      # Create a Vault token with no privilege
+      #
+      # @param [String] identifier
+      #   the configuration identifier to deny the token for
+      #
+      # @return [String] the token
+      #
+      def none_token(identifier)
+        create_token_for(none_policy(identifier))
+      end
+
+      ##
+      # Create a Vault deny policy
+      #
+      # @param [String] identifier
+      #   the configuration identifier to create the deny policy for
+      #
+      # @return [String] the policy
+      #
+      def none_policy(identifier)
+        create_policy_for(identifier, "guest", "deny")
+      end
+
+      ##
+      # Test Vault access
+      #
+      # Creates a new {ConfigurationService::Test::VaultAdminClient} and uses it to test connectivity to the development mode Vault instance.
+      #
+      # @raise [::Vault::VaultError] on failure
+      #
+      def self.preflight_check
+        new.send(:preflight_check)
+      end
+
+      private
+
+        def create_token_for(*policy_names)
+          result = @vault.auth_token.create(policies: policy_names)
+          result.auth.client_token
+        end
+
+        def create_policy_for(identifier, role, access_level)
+          "#{identifier}_#{role}".tap do |policy_name|
+            @vault.sys.put_policy(policy_name, policy(identifier, access_level))
+          end
+        end
+
+        def policy(identifier, access_level)
+          policy_path = ConfigurationService::Provider::Vault::PathHelper.policy_path(identifier)
+          %Q<
+            path "#{policy_path}"   { policy = "#{access_level}" }
+            path "#{policy_path}/*" { policy = "#{access_level}" }
+          >
+        end
+
+        def preflight_check
+          @vault.sys.policies
+        end
+
+    end
+
+  end
+
+end

data/lib/configuration_service/test/vault_orchestration_provider.rb

@@ -0,0 +1,88 @@
+require 'configuration_service/test'
+require 'configuration_service/provider/vault'
+
+require_relative "vault_admin_client"
+
+module ConfigurationService
+
+  module Test
+
+    ##
+    # Test orchestration provider for testing the {ConfigurationService::Provider::Vault} service provider
+    #
+    # Registered to the {http://www.rubydoc.info/gems/configuration_service/ConfigurationService/Test/OrchestrationProviderRegistry ConfigurationService::Test::OrchestrationProviderRegistry} as "vault".
+    #
+    class VaultOrchestrationProvider < ConfigurationService::Test::OrchestrationProvider
+
+      ##
+      # The registered identifier of the service provider under test
+      #
+      # @see http://www.rubydoc.info/gems/configuration_service/ConfigurationService/Test/OrchestrationProvider#service_provider_id-instance_method ConfigurationService::Test::OrchestrationProvider#service_provider_id
+      #
+      def service_provider_id
+        "vault"
+      end
+
+      ##
+      # The configuration for the service provider under test
+      #
+      # @see http://www.rubydoc.info/gems/configuration_service/ConfigurationService/Test/OrchestrationProvider#service_provider_configuration-instance_method ConfigurationService::Test::OrchestrationProvider#service_provider_configuration
+      #
+      def service_provider_configuration
+        {address: "http://127.0.0.1:8200"}
+      end
+
+      ##
+      # The service provider under test
+      #
+      # @see ihttp://localhost:8808/docs/ConfigurationService/Test/VaultOrchestrationProvider#service_provider-instance_method ConfigurationService::Test::OrchestrationProvider#service_provider
+      #
+      def service_provider
+        ConfigurationService::Provider::Vault.new(service_provider_configuration)
+      end
+
+      ##
+      # A broken service provider
+      #
+      # @see http://localhost:8808/docs/ConfigurationService/Test/VaultOrchestrationProvider#broken_service_provider-instance_method ConfigurationService::Test::OrchestrationProvider#broken_service_provider
+      #
+      def broken_service_provider
+        ConfigurationService::Provider::Vault.new(address: "http://127.0.0.1:8201")
+      end
+
+      ##
+      # Delete configuration data
+      #
+      # @see http://localhost:8808/docs/ConfigurationService/Test/VaultOrchestrationProvider#delete_configuration-instance_method ConfigurationService::Test::OrchestrationProvider#delete_configuration
+      #
+      def delete_configuration
+        VaultAdminClient.new.delete_configuration(@identifier)
+      end
+
+      ##
+      # Provide a token that authorizes a role
+      #
+      # The token is supplied by {ConfigurationService::Test::VaultAdminClient}.
+      #
+      # @see http://localhost:8808/docs/ConfigurationService/Test/VaultOrchestrationProvider#token_for-instance_method ConfigurationService::Test::OrchestrationProvider#token_for
+      #
+      def token_for(role)
+        case role
+        when :consumer
+          VaultAdminClient.new.consumer_token(@identifier)
+        when :publisher
+          VaultAdminClient.new.publisher_token(@identifier)
+        when :none
+          VaultAdminClient.new.none_token(@identifier)
+        else
+          raise "unsupported role #{role}"
+        end
+      end
+
+    end
+
+  end
+
+end
+
+ConfigurationService::Test::OrchestrationProviderRegistry.instance.register("vault", ConfigurationService::Test::VaultOrchestrationProvider)

metadata

@@ -1,97 +1,97 @@
 --- !ruby/object:Gem::Specification
 name: configuration_service-provider-vault
 version: !ruby/object:Gem::Version
-  version: 2.0.4
+  version: 2.0.5
 platform: ruby
 authors:
 - Sheldon Hearn
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2015-08-20 00:00:00.000000000 Z
+date: 2015-08-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: vault
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0.1'
 - !ruby/object:Gem::Dependency
   name: configuration_service
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: 2.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: '1.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: '1.7'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '10.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '10.0'
 - !ruby/object:Gem::Dependency
   name: cucumber
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rspec-expectations
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.3'
 description: A HashiCorp Vault provider for the Configuration Service
@@ -101,17 +101,21 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gemspec
-- .gitignore
-- .travis.yml
+- ".gemspec"
+- ".gitignore"
+- ".travis.yml"
+- ".yardopts"
 - Gemfile
 - README.md
+- README.rdoc
 - Rakefile
 - bin/console
 - bin/setup
 - lib/configuration_service/provider/vault.rb
 - lib/configuration_service/provider/vault/path_helper.rb
 - lib/configuration_service/provider/vault/version.rb
+- lib/configuration_service/test/vault_admin_client.rb
+- lib/configuration_service/test/vault_orchestration_provider.rb
 homepage: http://www.hetzner.co.za
 licenses: []
 metadata: {}
@@ -121,12 +125,12 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
@@ -136,3 +140,4 @@ signing_key:
 specification_version: 4
 summary: Vault provider for Configuration Service
 test_files: []
+has_rdoc: