constancy 0.1.5 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 7f2b5ae0525b88e9fc9b56f9d5bdcd4d84c143a3
-  data.tar.gz: 6350e6dec7a606733ba292e002bc423dff8634af
+SHA256:
+  metadata.gz: 65a3785bc8276043c12dd3a82fc0da2f23db508f8ccb9de6e074ef3fb34a0c01
+  data.tar.gz: 6f83ec7f19dfe57f28ae56b9179c3c34b9b5419c1bfc8c3f7f4338d08564675b
 SHA512:
-  metadata.gz: 213832240c59baf7d8289a27cc5829d66c7cc6e61a072eaf9a25b20d54d6929f21c8b85a76ac6c0f76cd704dbe180d21a30e0d1adc58564f3d964d58f15e80b7
-  data.tar.gz: c013397a8786af4f9f309a80217440b069c0459f7d71a8c072d1de34c366abbc2f2e4f2c69a31f960f560589e2c681bbe291e40310ff37cf2bba426913661093
+  metadata.gz: 6b4a9af5164674a87cc132d026fd7b7a1205f30ed94d255e37fa43d0ac46922235ab665836c7158f862441106947e3792bcd5d2338ca76f8ceb3cf4c22738c7b
+  data.tar.gz: 3b589b72c830dd07283e5fc5a19c5feb9f7404e4d3f949fa20915a44e9bf91a7fb03b9409e9d66805bb7343dbcdf9d33542bdb69373bc55020f5c82ee26900de

data/README.md

@@ -112,6 +112,29 @@ required. An example `constancy.yml` is below including explanatory comments:
       #   something other than the datacenter of the Consul agent.
       datacenter: dc1
 
+      # token_source - defaults to 'none'
+      #   'none': expect no Consul token (although env vars will be used if they are set)
+      #   'env': expect Consul token to be set in CONSUL_TOKEN or CONSUL_HTTP_TOKEN
+      #   'vault': read Consul token from Vault based on settings in the 'vault' section
+
+    # the vault section is only necessary if consul.token_source is set to 'vault'
+    vault:
+      # url - defaults to the value of VAULT_ADDR
+      #   The REST API endpoint of your Vault server
+      url: https://your.vault.example
+
+      # path - the path to the endpoint from which to read the Consul token
+      #   The Vault URI path to the Consul token - can be either the Consul
+      #   dynamic backend or a KV endpoint with a static value. If the dynamic
+      #   backend is used, the lease will be automatically revoked when
+      #   constancy exits.
+      path: consul/creds/my-role
+
+      # field - name of the field in which the Consul token is stored
+      #   Defaults to 'token' which is the field used by the dynamic backend
+      #   but can be set to something else for static values.
+      field: token
+
     sync:
       # sync is an array of hashes of sync target configurations
       #   Fields:
@@ -184,13 +207,11 @@ Constancy may be partially configured using environment variables:
   is given to `CONSUL_HTTP_TOKEN`) to set an explicit Consul token to use when
   interacting with the API. Otherwise, by default the agent's `acl_token`
   setting is used implicitly.
-
-
-## Automation
-
-For version 0.1, Constancy does not fully support running non-interactively.
-This is primarily to ensure human observation of any changes being made while
-the software matures. Later versions will allow for full automation.
+* `VAULT_ADDR` and `VAULT_TOKEN` - if `consul.token_source` is set to `vault`
+  these variables are used to authenticate to Vault. If `VAULT_TOKEN` is not
+  set, Constancy will attempt to read a token from `~/.vault-token`. If the
+  `url` field is set, it will take priority over the `VAULT_ADDR` environment
+  variable, but one or the other must be set.
 
 
 ## Roadmap
@@ -203,10 +224,10 @@ Constancy is very new software. There's more to be done. Some ideas:
 * Git awareness (branches, commit state, etc)
 * Automated tests
 * Logging of changes to files, syslog, other services
-* Allowing other means of providing a Consul token
 * Pull mode to sync from Consul to local filesystem
 * Using CAS to verify the key has not changed in the interim before updating/deleting
 * Submitting changes in batches using transactions
+* Optional expansion of YAML or JSON files into multiple keys
 
 
 ## Contributing

data/constancy.gemspec

@@ -26,4 +26,5 @@ Gem::Specification.new do |s|
 
   s.add_dependency 'imperium', '~>0.3'
   s.add_dependency 'diffy', '~>3.2'
+  s.add_dependency 'vault', '~>0.12'
 end

data/lib/constancy/cli.rb

@@ -86,6 +86,15 @@ USAGE
           end
           STDERR.puts "  #{e}"
           exit 1
+
+        rescue Constancy::ConsulTokenRequired => e
+          STDERR.puts "constancy: ERROR: No Consul token could be found: #{e}"
+          exit 1
+
+        rescue Constancy::VaultConfigInvalid => e
+          STDERR.puts "constancy: ERROR: Vault configuration invalid: #{e}"
+          exit 1
+
         end
 
         if Constancy.config.sync_targets.count < 1

data/lib/constancy/config.rb

@@ -3,13 +3,18 @@
 class Constancy
   class ConfigFileNotFound < RuntimeError; end
   class ConfigFileInvalid < RuntimeError; end
+  class ConsulTokenRequired < RuntimeError; end
+  class VaultConfigInvalid < RuntimeError; end
 
   class Config
     CONFIG_FILENAMES = %w( constancy.yml )
-    VALID_CONFIG_KEYS = %w( sync consul constancy )
-    VALID_CONSUL_CONFIG_KEYS = %w( url datacenter )
+    VALID_CONFIG_KEYS = %w( sync consul vault constancy )
+    VALID_CONSUL_CONFIG_KEYS = %w( url datacenter token_source )
+    VALID_VAULT_CONFIG_KEYS = %w( url path field )
     VALID_CONSTANCY_CONFIG_KEYS = %w( verbose chomp delete color )
     DEFAULT_CONSUL_URL = "http://localhost:8500"
+    DEFAULT_CONSUL_TOKEN_SOURCE = "none"
+    DEFAULT_VAULT_FIELD = "token"
 
     attr_accessor :config_file, :base_dir, :consul, :sync_targets, :target_whitelist
 
@@ -97,7 +102,83 @@ class Constancy
       end
 
       consul_url = raw['consul']['url'] || Constancy::Config::DEFAULT_CONSUL_URL
+
+      # start with a token from the environment, regardless of the token_source setting
       consul_token = ENV['CONSUL_HTTP_TOKEN'] || ENV['CONSUL_TOKEN']
+
+      case raw['consul']['token_source'] || Constancy::Config::DEFAULT_CONSUL_TOKEN_SOURCE
+      when "none"
+        # nothing to do
+
+      when "env"
+        if consul_token.nil? or consul_token == ""
+          raise Constancy::ConsulTokenRequired.new("Consul token_source is set to 'env' but neither CONSUL_TOKEN nor CONSUL_HTTP_TOKEN is set")
+        end
+
+      when "vault"
+        require 'vault'
+
+        raw['vault'] ||= {}
+        if not raw['vault'].is_a? Hash
+          raise Constancy::ConfigFileInvalid.new("'vault' must be a hash")
+        end
+
+        if (raw['vault'].keys - Constancy::Config::VALID_VAULT_CONFIG_KEYS) != []
+          raise Constancy::ConfigFileInvalid.new("Only the following keys are valid in the vault config: #{Constancy::Config::VALID_VAULT_CONFIG_KEYS.join(", ")}")
+        end
+
+        vault_path = raw['vault']['path']
+        if vault_path.nil? or vault_path == ""
+          raise Constancy::ConfigFileInvalid.new("vault.path must be specified to use vault as a token source")
+        end
+
+        # prioritize the config file over environment variables for vault address
+        vault_addr = raw['vault']['url'] || ENV['VAULT_ADDR']
+        if vault_addr.nil? or vault_addr == ""
+          raise Constancy::VaultConfigInvalid.new("Vault address must be set in vault.url or VAULT_ADDR")
+        end
+
+        vault_token = ENV['VAULT_TOKEN']
+        if vault_token.nil? or vault_token == ""
+          vault_token_file = File.expand_path("~/.vault-token")
+          if File.exist?(vault_token_file)
+            vault_token = File.read(vault_token_file)
+          else
+            raise Constancy::VaultConfigInvalid.new("Vault token must be set in ~/.vault-token or VAULT_TOKEN")
+          end
+        end
+
+        vault_field = raw['vault']['field'] || Constancy::Config::DEFAULT_VAULT_FIELD
+
+        ENV['VAULT_ADDR'] = vault_addr
+        ENV['VAULT_TOKEN'] = vault_token
+
+        begin
+          response = Vault.logical.read(vault_path)
+          consul_token = response.data[vault_field.to_sym]
+
+          if response.lease_id
+            at_exit {
+              begin
+                Vault.sys.revoke(response.lease_id)
+              rescue => e
+                # this is fine
+              end
+            }
+          end
+
+        rescue => e
+          raise Constancy::VaultConfigInvalid.new("Are you logged in to Vault?\n\n#{e}")
+        end
+
+        if consul_token.nil? or consul_token == ""
+          raise Constancy::VaultConfigInvalid.new("Could not acquire a Consul token from Vault")
+        end
+
+      else
+        raise Constancy::ConfigFileInvalid.new("Only the following values are valid for token_source: none, env, vault")
+      end
+
       self.consul = Imperium::Configuration.new(url: consul_url, token: consul_token)
 
       raw['constancy'] ||= {}

data/lib/constancy/version.rb

@@ -1,5 +1,5 @@
 # This software is public domain. No rights are reserved. See LICENSE for more information.
 
 class Constancy
-  VERSION = "0.1.5"
+  VERSION = "0.2.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: constancy
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.2.0
 platform: ruby
 authors:
 - David Adams
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-11-29 00:00:00.000000000 Z
+date: 2018-12-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: imperium
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: vault
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
 description: Syncs content from the filesystem to the Consul KV store.
 email: daveadams@gmail.com
 executables:
@@ -77,7 +91,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Simple filesystem-to-Consul KV synchronization