configuration_service-provider-vault 3.0.1 → 3.1.0
- checksums.yaml +4 -4
- data/Gemfile +0 -1
- data/contrib/publish.rb +5 -5
- data/contrib/request.rb +5 -5
- data/lib/configuration_service/provider/vault.rb +24 -15
- data/lib/configuration_service/provider/vault/version.rb +1 -1
- data/lib/configuration_service/test/vault_admin_client.rb +24 -1
- data/lib/configuration_service/test/vault_orchestration_provider.rb +5 -5
- metadata +2 -2
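--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1fff8618caf895c631917064234d9f45b0359573
+data.tar.gz: 33d5e1e43f9eab2364058b2adf26f1c67d1ffd9b
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 50bc248271ea74fcf0274a58198ebbb5096b6815d451108de6029df19ada3c5a7c63c4dad9b621e6f1b5dd40e8e223a1384d3faf7044409c0793ee2ab9781a29
+data.tar.gz: 6237b17a9fb0c9d840cd72b5e5d8a006102bb0cdd9b43ffe79fd2a396fdbc97fc3c9ed0f3df3c4bc1e62f414246d52ab951ddb75a27fda0c6c31221edf995f73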
data/Gemfile
CHANGED
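--- a/data/contrib/publish.rb
+++ b/data/contrib/publish.rb
@@ -36,12 +36,12 @@ data = begin
 JSON.parse(raw_data)
 end
 
-service = ConfigurationService::
-identifier,
-ENV["VAULT_TOKEN"],
-ConfigurationService::Provider::Vault.new(
+service = ConfigurationService::Client.new(
+identifier: identifier,
+credentials: ENV["VAULT_TOKEN"],
+provider: ConfigurationService::Provider::Vault.new(
 address: ENV["VAULT_ADDR"]
 )
 )
 
-puts service.publish_configuration(data).metadata
+puts service.publish_configuration(data: data).metadata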
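Review bot: The credentials and address are still read with `ENV["VAULT_TOKEN"]` and `ENV["VAULT_ADDR"]`, so an unset variable reaches `Client.new` as `nil`, and going by the provider's own comment about explicitly disallowing a nil token, the failure only surfaces inside the provider rather than at the call site that knows which variable is missing. Since these scripts take their only secret from the environment, `credentials: ENV.fetch("VAULT_TOKEN"),` and `address: ENV.fetch("VAULT_ADDR")` would fail fast with a message naming the absent variable. The same two lines appear in data/contrib/request.rb below. The enclosing `data = begin ... end` assignment starts above the hunk.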
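--- a/data/contrib/request.rb
+++ b/data/contrib/request.rb
@@ -41,13 +41,13 @@ end
 end
 
 identifier = ARGV[0]
-service = ConfigurationService::
-identifier,
-ENV["VAULT_TOKEN"],
-ConfigurationService::Provider::Vault.new(
+service = ConfigurationService::Client.new(
+identifier: identifier,
+credentials: ENV["VAULT_TOKEN"],
+provider: ConfigurationService::Provider::Vault.new(
 address: ENV["VAULT_ADDR"]
 )
 )
 
-configuration = service.request_configuration
+configuration = service.request_configuration(identifier: identifier)
 puts formatter[configuration.data]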
@@ -46,7 +46,7 @@ module ConfigurationService
|
|
46
46
|
# Vault token with +read+ permission on the composed secret path
|
47
47
|
#
|
48
48
|
# @return [ConfigurationService::Configuration] the configuration if found
|
49
|
-
# @return [nil] if the configuration for +identifier was not found
|
49
|
+
# @return [nil] if the configuration for +identifier+ was not found
|
50
50
|
#
|
51
51
|
# @raise [ConfigurationService::AuthorizationError] if the request was not allowed
|
52
52
|
# @raise [ConfigurationService::Error] if the request was allowed but failed
|
@@ -72,8 +72,8 @@ module ConfigurationService
|
|
72
72
|
##
|
73
73
|
# Authorize consumption
|
74
74
|
#
|
75
|
-
# @param [String] identifier
|
76
|
-
# the unique identity of the configuration
|
75
|
+
# @param [String|Array] identifier
|
76
|
+
# the unique identity/identities of the configuration/s
|
77
77
|
# @param [String] token
|
78
78
|
# Vault token with +authorize+ permission on the composed secret path
|
79
79
|
#
|
@@ -83,20 +83,15 @@ module ConfigurationService
|
|
83
83
|
# @raise [ConfigurationService::Error] if the request was allowed but failed
|
84
84
|
##
|
85
85
|
def authorize_consumption(identifier, token)
|
86
|
+
identifiers = [identifier].flatten
|
87
|
+
|
86
88
|
@mutex.synchronize do
|
87
89
|
authenticate(token)
|
88
90
|
|
89
91
|
adapt_exceptions do
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
policy = "read"
|
94
|
-
}
|
95
|
-
EOF
|
96
|
-
if @vault.sys.put_policy(identifier, policy)
|
97
|
-
secret = @vault.auth_token.create(policies: [identifier], no_default_policy: true)
|
98
|
-
secret.auth.client_token
|
99
|
-
end
|
92
|
+
create_policies(identifiers)
|
93
|
+
secret = @vault.auth_token.create(policies: identifiers, no_default_policy: true)
|
94
|
+
secret.auth.client_token
|
100
95
|
end
|
101
96
|
end
|
102
97
|
end
|
@@ -106,7 +101,7 @@ module ConfigurationService
|
|
106
101
|
#
|
107
102
|
# The configuration data and metadata is written to a Vault path composed from the configuration's
|
108
103
|
# +identifier+ and metadata +revision+ by {ConfigurationService::Provider::PathHelper}.
|
109
|
-
# That path is then written to another path, composed from +identifier and the string "latest".
|
104
|
+
# That path is then written to another path, composed from +identifier+ and the string "latest".
|
110
105
|
#
|
111
106
|
# This allows the current configuration to always be retrieved from a predictable path in Vault,
|
112
107
|
# but preserves revision history of configuration.
|
@@ -132,7 +127,7 @@ module ConfigurationService
|
|
132
127
|
|
133
128
|
adapt_exceptions do
|
134
129
|
path = build_path(identifier, revision)
|
135
|
-
@vault.logical.write(path, data: JSON.generate(data), metadata: JSON.generate(metadata), format: "json")
|
130
|
+
result = @vault.logical.write(path, data: JSON.generate(data), metadata: JSON.generate(metadata), format: "json")
|
136
131
|
set_latest_revision(identifier, metadata["revision"])
|
137
132
|
ConfigurationService::Configuration.new(identifier, data, metadata)
|
138
133
|
end
|
@@ -141,6 +136,20 @@ module ConfigurationService
|
|
141
136
|
|
142
137
|
private
|
143
138
|
|
139
|
+
def create_policies(identifiers = [])
|
140
|
+
adapt_exceptions do
|
141
|
+
identifiers.each { |identifier|
|
142
|
+
path = build_path(identifier, "*")
|
143
|
+
policy = <<-EOF
|
144
|
+
path "#{path}" {
|
145
|
+
policy = "read"
|
146
|
+
}
|
147
|
+
EOF
|
148
|
+
@vault.sys.put_policy(identifier, policy)
|
149
|
+
}
|
150
|
+
end
|
151
|
+
end
|
152
|
+
|
144
153
|
# We explicitly disallow a nil token to defeat ::Vault::Client's default behaviour
|
145
154
|
# of reading ENV['VAULT_TOKEN'] and ~/.vault-token, which makes testing harder.
|
146
155
|
#
|
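Review bot: `create_policies` feeds the caller-supplied `identifier` unvalidated into two privileged Vault writes: as the policy name in `@vault.sys.put_policy(identifier, policy)`, where it replaces any existing policy of that name, and via `build_path(identifier, "*")` into the HCL heredoc, where a value containing a double quote or newline would alter the `path` stanza unless `PathHelper.path` already rejects such characters (not visible here). Namespacing the policy name under a fixed prefix and rejecting identifiers that contain anything outside an allowlisted character set, before the loop runs, would close both gaps. The old code gated token creation on the return value of `put_policy`; the new loop discards it, so if that call can report failure by return value rather than raising, `authorize_consumption` still mints a token bound to a policy that was never written. In the `@vault.logical.write` hunk, the newly introduced `result` is never read in the visible lines; either check it or drop the assignment. The multi-line `identifiers.each { |identifier| ... }` block would conventionally use `do ... end`, and the nested `adapt_exceptions` is redundant because `authorize_consumption` already wraps the call in one.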
@@ -1,5 +1,6 @@
|
|
1
1
|
require "configuration_service/provider/vault"
|
2
2
|
require "vault"
|
3
|
+
require "configuration_service/provider/vault/path_helper"
|
3
4
|
|
4
5
|
module ConfigurationService
|
5
6
|
|
@@ -58,7 +59,29 @@ module ConfigurationService
|
|
58
59
|
# @return [String] the token
|
59
60
|
#
|
60
61
|
def consumer_token(identifier)
|
61
|
-
|
62
|
+
client = ConfigurationService::Factory.create_client({
|
63
|
+
"token" => @vault.token,
|
64
|
+
"provider_id" => "vault",
|
65
|
+
"provider_config" => {
|
66
|
+
"address" => @vault.address,
|
67
|
+
},
|
68
|
+
"decorators" => ["reference_resolver"],
|
69
|
+
})
|
70
|
+
client.authorize_consumption(identifier: identifier)
|
71
|
+
end
|
72
|
+
|
73
|
+
def latest_path(identifier)
|
74
|
+
ConfigurationService::Provider::Vault::PathHelper.path(identifier)
|
75
|
+
end
|
76
|
+
|
77
|
+
def get_latest_revision(identifier)
|
78
|
+
if response = @vault.logical.read(latest_path(identifier))
|
79
|
+
response.data[:revision]
|
80
|
+
end
|
81
|
+
end
|
82
|
+
|
83
|
+
def build_path(identifier, revision)
|
84
|
+
ConfigurationService::Provider::Vault::PathHelper.path(identifier, revision)
|
62
85
|
end
|
63
86
|
|
64
87
|
##
|
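Review bot: `get_latest_revision` assigns inside the condition (`if response = @vault.logical.read(latest_path(identifier))`), which Ruby reports as "found `=` in conditional" under warnings and reads like a mistyped `==`; the same nil-guard is clearer as `response = @vault.logical.read(latest_path(identifier))` followed by `response.data[:revision] if response`. The three new helpers `latest_path`, `get_latest_revision` and `build_path` carry no YARD block, unlike `consumer_token` just above with its `# @return [String] the token`; a `# @return` line on each (for `get_latest_revision`, describing the revision value read from the latest path, or nil when nothing is stored there) would keep the file consistent. `consumer_token` now builds a full `ConfigurationService::Factory` client carrying `@vault.token` on every call; that is presumably acceptable for a test helper, but a short comment noting that the admin token is the credential being forwarded would make the intent explicit.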
@@ -66,16 +66,16 @@ module ConfigurationService
|
|
66
66
|
#
|
67
67
|
# @see http://localhost:8808/docs/ConfigurationService/Test/VaultOrchestrationProvider#token_for-instance_method ConfigurationService::Test::OrchestrationProvider#token_for
|
68
68
|
#
|
69
|
-
def credentials_for(role)
|
69
|
+
def credentials_for(role, identifier = @identifier)
|
70
70
|
case role
|
71
71
|
when :admin
|
72
|
-
VaultAdminClient.new.admin_token
|
72
|
+
VaultAdminClient.new.admin_token
|
73
73
|
when :consumer
|
74
|
-
VaultAdminClient.new.consumer_token(
|
74
|
+
VaultAdminClient.new.consumer_token(identifier)
|
75
75
|
when :publisher
|
76
|
-
VaultAdminClient.new.publisher_token(
|
76
|
+
VaultAdminClient.new.publisher_token(identifier)
|
77
77
|
when :none
|
78
|
-
VaultAdminClient.new.none_token(
|
78
|
+
VaultAdminClient.new.none_token(identifier)
|
79
79
|
else
|
80
80
|
raise "unsupported role #{role}"
|
81
81
|
end
|
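Review bot: The new `identifier` parameter on `credentials_for(role, identifier = @identifier)` is not described in the YARD block above it, which still carries only the `@see` reference; a `# @param [String] identifier the configuration identity the token is scoped to (defaults to @identifier)` line would document the new surface. With the default taken from `@identifier`, a caller that reaches this before the instance has an identifier passes `nil` straight into `consumer_token`/`publisher_token`/`none_token`, and nothing in the hunk guards against that; `raise ArgumentError, "identifier required" if identifier.nil?` at the top of the method would surface it early. The `case` closes at the end of the hunk, but the method's own closing `end` is outside it.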
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: configuration_service-provider-vault
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.0
|
4
|
+
version: 3.1.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Sheldon Hearn
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-
|
11
|
+
date: 2016-09-29 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: vault
|