configuration_service-provider-vault 2.0.19 → 3.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gemspec +1 -1
- data/.gitignore +3 -0
- data/.rspec +1 -0
- data/Gemfile +1 -0
- data/lib/configuration_service/provider/vault.rb +64 -32
- data/lib/configuration_service/provider/vault/version.rb +1 -1
- data/lib/configuration_service/test/vault_admin_client.rb +9 -0
- data/lib/configuration_service/test/vault_orchestration_provider.rb +11 -1
- metadata +4 -4
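--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e5acb4fbf878e0d84cef5766e8628701edf27f6b
+data.tar.gz: a2d9c40fc71fc3e05eaff49f43d9d7d5f70981bc
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3ee50c274680de1e9dfa0c46d95554f59f8d1028eef2d1190ebb4eac6c5d574a6eb49916eebc4694560e8e849e8ea2413fcf75635da0eef949817edc76ba518c
+data.tar.gz: 43e3d6c9c6ecfa0bafa14b4b43e19f2ee68a1626159df5644d10da6888199c605768521b5054fdb7f6c34b12b0e9f60625e78d2b825e0391beb887152bc2d1a8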
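--- a/data/.gemspec
+++ b/data/.gemspec
@@ -21,7 +21,7 @@ Gem::Specification.new do |spec|
 spec.required_ruby_version = '>= 2.1'
 
 spec.add_dependency "vault", "~> 0.4"
-spec.add_dependency "configuration_service", "~>
+spec.add_dependency "configuration_service", "~> 4.0.0"
 spec.add_development_dependency "bundler", "~> 1.7"
 spec.add_development_dependency "rake", "~> 11.1"
 spec.add_development_dependency "cucumber", "~> 2.0"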
data/.gitignore
CHANGED
data/.rspec
CHANGED
data/Gemfile
CHANGED
@@ -69,6 +69,38 @@ module ConfigurationService
|
|
69
69
|
end
|
70
70
|
end
|
71
71
|
|
72
|
+
##
|
73
|
+
# Authorize consumption
|
74
|
+
#
|
75
|
+
# @param [String] identifier
|
76
|
+
# the unique identity of the configuration
|
77
|
+
# @param [String] token
|
78
|
+
# Vault token with +authorize+ permission on the composed secret path
|
79
|
+
#
|
80
|
+
# @return [Sting] token
|
81
|
+
#
|
82
|
+
# @raise [ConfigurationService::AuthorizationError] if the request was not allowed
|
83
|
+
# @raise [ConfigurationService::Error] if the request was allowed but failed
|
84
|
+
##
|
85
|
+
def authorize_consumption(identifier, token)
|
86
|
+
@mutex.synchronize do
|
87
|
+
authenticate(token)
|
88
|
+
|
89
|
+
adapt_exceptions do
|
90
|
+
path = build_path(identifier, "*")
|
91
|
+
policy = <<-EOF
|
92
|
+
path "#{path}" {
|
93
|
+
policy = "read"
|
94
|
+
}
|
95
|
+
EOF
|
96
|
+
if @vault.sys.put_policy(identifier, policy)
|
97
|
+
secret = @vault.auth_token.create(policies: [identifier], no_default_policy: true)
|
98
|
+
secret.auth.client_token
|
99
|
+
end
|
100
|
+
end
|
101
|
+
end
|
102
|
+
end
|
103
|
+
|
72
104
|
##
|
73
105
|
# Publish configuration
|
74
106
|
#
|
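Review bot: `identifier` is interpolated unescaped into the HCL heredoc at `path "#{path}" {` and is reused verbatim as the policy name in `@vault.sys.put_policy(identifier, policy)`, so a caller-chosen identifier containing quotes or newlines changes the policy text, and one equal to an existing policy name (Vault's built-in `default`, for instance) overwrites that policy. Reject identifiers that do not match a strict allow-list before composing the policy — for example `identifier =~ /\A[\w.-]+\z/ or raise ConfigurationService::AuthorizationError, "invalid identifier"`, tightened to whatever `PathHelper.path` is meant to accept — and consider giving the policy name a fixed prefix so it cannot collide with hand-written policies. Two smaller points: when `put_policy` returns a falsy value the method silently returns nil instead of the documented token, so the `if` needs an `else` that does `raise ConfigurationService::Error, "failed to write policy"`; and the consumer token is created without a `ttl:`, so it lives as long as the mount's defaults allow. The YARD `@return [Sting]` is a typo for `[String]`. The enclosing class continues outside the hunk.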
@@ -109,45 +141,45 @@ module ConfigurationService
|
|
109
141
|
|
110
142
|
private
|
111
143
|
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
144
|
+
# We explicitly disallow a nil token to defeat ::Vault::Client's default behaviour
|
145
|
+
# of reading ENV['VAULT_TOKEN'] and ~/.vault-token, which makes testing harder.
|
146
|
+
#
|
147
|
+
def authenticate(token)
|
148
|
+
token or raise ConfigurationService::AuthorizationError, "non-nil token required"
|
149
|
+
@vault.token = token
|
150
|
+
end
|
119
151
|
|
120
|
-
|
121
|
-
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
|
129
|
-
end
|
130
|
-
rescue ::Vault::VaultError => ex
|
131
|
-
raise ConfigurationService::Error, ex.message
|
152
|
+
def adapt_exceptions
|
153
|
+
yield
|
154
|
+
rescue ::Vault::MissingTokenError
|
155
|
+
raise ConfigurationService::AuthorizationError, "missing token"
|
156
|
+
rescue ::Vault::HTTPError => ex
|
157
|
+
if ex.errors.include?("permission denied")
|
158
|
+
raise ConfigurationService::AuthorizationError, "permission denied"
|
159
|
+
else
|
160
|
+
raise
|
132
161
|
end
|
162
|
+
rescue ::Vault::VaultError => ex
|
163
|
+
raise ConfigurationService::Error, ex.message
|
164
|
+
end
|
133
165
|
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
end
|
166
|
+
def get_latest_revision(identifier)
|
167
|
+
if response = @vault.logical.read(latest_path(identifier))
|
168
|
+
response.data[:revision]
|
138
169
|
end
|
170
|
+
end
|
139
171
|
|
140
|
-
|
141
|
-
|
142
|
-
|
172
|
+
def set_latest_revision(identifier, revision)
|
173
|
+
@vault.logical.write(latest_path(identifier), revision: revision)
|
174
|
+
end
|
143
175
|
|
144
|
-
|
145
|
-
|
146
|
-
|
176
|
+
def latest_path(identifier)
|
177
|
+
PathHelper.path(identifier)
|
178
|
+
end
|
147
179
|
|
148
|
-
|
149
|
-
|
150
|
-
|
180
|
+
def build_path(identifier, revision)
|
181
|
+
PathHelper.path(identifier, revision)
|
182
|
+
end
|
151
183
|
|
152
184
|
end
|
153
185
|
|
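Review bot: In `adapt_exceptions` the `else` branch of the `::Vault::HTTPError` rescue is a bare `raise`, which re-raises the Vault exception itself; a `raise` inside a rescue clause is not caught by the later `rescue ::Vault::VaultError` of the same method, so HTTP failures other than permission denied escape as `::Vault::HTTPError` instead of the `ConfigurationService::Error` the public docs promise. Change that line to `raise ConfigurationService::Error, ex.message`. Matching on the message text in `ex.errors.include?("permission denied")` is brittle; if the gem's `HTTPError` exposes the HTTP status, checking for 403 there would be more robust. In `authenticate`, `token or raise ...` leans on `or` precedence, and `raise ConfigurationService::AuthorizationError, "non-nil token required" unless token` reads more clearly. The surrounding class continues outside the hunk.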
@@ -40,6 +40,15 @@ module ConfigurationService
|
|
40
40
|
@vault.logical.delete(path)
|
41
41
|
end
|
42
42
|
|
43
|
+
##
|
44
|
+
# Return a vault admin token
|
45
|
+
#
|
46
|
+
# @return [String] the token
|
47
|
+
#
|
48
|
+
def admin_token
|
49
|
+
@vault.token
|
50
|
+
end
|
51
|
+
|
43
52
|
##
|
44
53
|
# Create a Vault token to request configuration
|
45
54
|
#
|
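Review bot: `admin_token` returns whatever token `@vault` was configured with, and the comment `# Return a vault admin token` does not say that this is the orchestration client's own, fully privileged credential or that it can presumably be nil when the client was built without one. Suggest `# @return [String, nil] the token the admin client was constructed with; callers receive the client's full privileges, so use only for test setup and teardown` so a nil here is read as "no token configured" rather than as a Vault failure. The enclosing class continues outside the hunk.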
@@ -66,8 +66,10 @@ module ConfigurationService
|
|
66
66
|
#
|
67
67
|
# @see http://localhost:8808/docs/ConfigurationService/Test/VaultOrchestrationProvider#token_for-instance_method ConfigurationService::Test::OrchestrationProvider#token_for
|
68
68
|
#
|
69
|
-
def
|
69
|
+
def credentials_for(role)
|
70
70
|
case role
|
71
|
+
when :admin
|
72
|
+
VaultAdminClient.new.admin_token()
|
71
73
|
when :consumer
|
72
74
|
VaultAdminClient.new.consumer_token(@identifier)
|
73
75
|
when :publisher
|
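Review bot: `VaultAdminClient.new.admin_token()` carries empty parentheses on a no-argument call, unlike the bare no-arg calls elsewhere in this change (`@vault.token`, `yield`); write `VaultAdminClient.new.admin_token`. Since the `:admin` branch hands the test the orchestration client's own token, a one-line comment such as `# :admin reuses the orchestration client's token; intended for test setup/teardown only` would make the privilege level of that role explicit to test authors. The `case` and the method continue past the end of the hunk.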
@@ -79,6 +81,14 @@ module ConfigurationService
|
|
79
81
|
end
|
80
82
|
end
|
81
83
|
|
84
|
+
##
|
85
|
+
# @deprecated use credentials_for()
|
86
|
+
##
|
87
|
+
def token_for(role)
|
88
|
+
warn "[DEPRECATION] token_for() is deprecated. Please use credentials_for()."
|
89
|
+
credentials_for(role)
|
90
|
+
end
|
91
|
+
|
82
92
|
end
|
83
93
|
|
84
94
|
end
|
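--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: configuration_service-provider-vault
 version: !ruby/object:Gem::Version
-version:
+version: 3.0.0
 platform: ruby
 authors:
 - Sheldon Hearn
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-
+date: 2016-08-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: vault
@@ -30,14 +30,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version:
+version: 4.0.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version:
+version: 4.0.0
 - !ruby/object:Gem::Dependency
 name: bundler
 requirement: !ruby/object:Gem::Requirement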