dd-vault 0.12.0

data/lib/vault/api/logical.rb

@@ -0,0 +1,150 @@
+require_relative "secret"
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+  class Client
+    # A proxy to the {Logical} methods.
+    # @return [Logical]
+    def logical
+      @logical ||= Logical.new(self)
+    end
+  end
+
+  class Logical < Request
+    # List the secrets at the given path, if the path supports listing. If the
+    # the path does not exist, an exception will be raised.
+    #
+    # @example
+    #   Vault.logical.list("secret") #=> [#<Vault::Secret>, #<Vault::Secret>, ...]
+    #
+    # @param [String] path
+    #   the path to list
+    #
+    # @return [Array<String>]
+    def list(path, options = {})
+      headers = extract_headers!(options)
+      json = client.list("/v1/#{encode_path(path)}", {}, headers)
+      json[:data][:keys] || []
+    rescue HTTPError => e
+      return [] if e.code == 404
+      raise
+    end
+
+    # Read the secret at the given path. If the secret does not exist, +nil+
+    # will be returned.
+    #
+    # @example
+    #   Vault.logical.read("secret/password") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] path
+    #   the path to read
+    #
+    # @return [Secret, nil]
+    def read(path, params = {}, options = {})
+      headers = extract_headers!(options)
+      json = client.get("/v1/#{encode_path(path)}", params, headers)
+      return Secret.decode(json)
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Write the secret at the given path with the given data. Note that the
+    # data must be a {Hash}!
+    #
+    # @example
+    #   Vault.logical.write("secret/password", value: "secret") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] path
+    #   the path to write
+    # @param [Hash] data
+    #   the data to write
+    #
+    # @return [Secret]
+    def write(path, data = {}, options = {})
+      headers = extract_headers!(options)
+      json = client.put("/v1/#{encode_path(path)}", JSON.fast_generate(data), headers)
+      if json.nil?
+        return true
+      else
+        return Secret.decode(json)
+      end
+    end
+
+    # Delete the secret at the given path. If the secret does not exist, vault
+    # will still return true.
+    #
+    # @example
+    #   Vault.logical.delete("secret/password") #=> true
+    #
+    # @param [String] path
+    #   the path to delete
+    #
+    # @return [true]
+    def delete(path)
+      client.delete("/v1/#{encode_path(path)}")
+      return true
+    end
+
+    # Unwrap the data stored against the given token. If the secret does not
+    # exist, `nil` will be returned.
+    #
+    # @example
+    #   Vault.logical.unwrap("f363dba8-25a7-08c5-430c-00b2367124e6") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] wrapper
+    #   the token to use when unwrapping the value
+    #
+    # @return [Secret, nil]
+    def unwrap(wrapper)
+      client.with_token(wrapper) do |client|
+        json = client.get("/v1/cubbyhole/response")
+        secret = Secret.decode(json)
+
+        # If there is nothing in the cubbyhole, return early.
+        if secret.nil? || secret.data.nil? || secret.data[:response].nil?
+          return nil
+        end
+
+        # Extract the response and parse it into a new secret.
+        json = JSON.parse(secret.data[:response], symbolize_names: true)
+        secret = Secret.decode(json)
+        return secret
+      end
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Unwrap a token in a wrapped response given the temporary token.
+    #
+    # @example
+    #   Vault.logical.unwrap("f363dba8-25a7-08c5-430c-00b2367124e6") #=> "0f0f40fd-06ce-4af1-61cb-cdc12796f42b"
+    #
+    # @param [String, Secret] wrapper
+    #   the token to unwrap
+    #
+    # @return [String, nil]
+    def unwrap_token(wrapper)
+      # If provided a secret, grab the token. This is really just to make the
+      # API a bit nicer.
+      if wrapper.is_a?(Secret)
+        wrapper = wrapper.wrap_info.token
+      end
+
+      # Unwrap
+      response = unwrap(wrapper)
+
+      # If nothing was there, return nil
+      if response.nil? || response.auth.nil?
+        return nil
+      end
+
+      return response.auth.client_token
+    rescue HTTPError => e
+      raise
+    end
+  end
+end

data/lib/vault/api/secret.rb

@@ -0,0 +1,156 @@
+require "time"
+
+require_relative "../response"
+
+module Vault
+  # Secret is a representation of a secret from Vault. Almost all data returned
+  # from Vault is represented as a secret.
+  class Secret < Response
+    # @!attribute [r] auth
+    #   Authentication information for this secret, if any. Most secrets will
+    #   contain this field, but it may also be `nil`. When authenticating to
+    #   Vault, the resulting Vault token will be included in this embedded
+    #   field.
+    #
+    #   @example Authenticating to Vault
+    #     secret = Vault.auth.userpass("username", "password")
+    #     secret.auth.client_token #=> "fdb29070-6379-70c9-ca3a-46152fb66de1"
+    #
+    #   @return [SecretAuth, nil]
+    field :auth, load: ->(v) { SecretAuth.decode(v) }
+
+    # @!attribute [r] data
+    #   Arbitrary data returned by the secret. The keys returned are dependent
+    #   upon the request made. For more information on the names of the keys
+    #   that may be returned, please see the Vault documentation.
+    #
+    #   @example Reading data
+    #     secret = Vault.auth.token("abcd1234")
+    #     secret.data[:id] #=> "abcd1234"
+    #     secret.data[:ttl] #=> 0
+    #
+    #   @return [Hash<Symbol, Object>]
+    field :data, freeze: true
+
+    # @!attribute [r] lease_duration
+    #   The number of seconds this lease is valid. If this number is 0 or nil,
+    #   the secret does not expire.
+    #
+    #   @example Getting lease duration
+    #     secret = Vault.logical.read("secret/foo")
+    #     secret.lease_duration #=> 2592000 # 30 days
+    #
+    #   @return [Fixnum]
+    field :lease_duration
+
+    # @!attribute [r] lease_id
+    #   Unique ID for the lease associated with this secret. The `lease_id` is a
+    #   path and UUID that uniquely represents the secret. This may be used for
+    #   renewing and revoking the secret, if permitted.
+    #
+    #   @example Getting lease ID
+    #     secret = Vault.logical.read("postgresql/creds/readonly")
+    #     secret.lease_id #=> "postgresql/readonly/fdb29070-6379-70c9-ca3a-46152fb66de1"
+    #
+    #   @return [String]
+    field :lease_id
+
+    # @!method [r] renewable?
+    #   Returns whether this lease is renewable.
+    #
+    #   @example Checking if a lease is renewable
+    #     secret = Vault.logical.read("secret/foo")
+    #     secret.renewable? #=> false
+    #
+    #   @return [Boolean]
+    field :renewable, as: :renewable?
+
+    # @!attribute [r] warnings
+    #   List of warnings returned by the Vault server. These are returned by the
+    #   Vault server and may include deprecation information, new APIs, or
+    #   request using the API differently in the future.
+    #
+    #   @example Display warnings
+    #     result = Vault.logical.read("secret/foo")
+    #     result.warnings #=> ["This path has been deprecated"]
+    #
+    #   @return [Array<String>, nil]
+    field :warnings, freeze: true
+
+    # @!attribute [r] wrap_info
+    #   Wrapped information sent with the request (only present in Vault 0.6+).
+    #   @return [WrapInfo, nil]
+    field :wrap_info, load: ->(v) { WrapInfo.decode(v) }
+  end
+
+  # SecretAuth is a struct that contains the information about auth data, if
+  # present. This is never returned alone and is usually embededded in a
+  # {Secret}.
+  class SecretAuth < Response
+    # @!attribute [r] accessor
+    #   Accessor for the token. This is like a `lease_id`, but for a token.
+    #   @return [String]
+    field :accessor
+
+    # @!attribute [r] client_token
+    #   The client token for this authentication.
+    #   @return [String]
+    field :client_token
+
+    # @!attribute [r] lease_duration
+    #   Number of seconds the token is valid.
+    #   @return [Fixnum]
+    field :lease_duration
+
+    # @!attribute [r] metadata
+    #   Arbitrary metadata from the authentication.
+    #
+    #   @example Listing metadata attached to an authentication
+    #     auth.metadata #=> { :username => "sethvargo" }
+    #
+    #   @return [Hash<Symbol, Object>, nil]
+    field :metadata, freeze: true
+
+    # @!attribute [r] policies
+    #   List of policies attached to this authentication.
+    #
+    #   @example Listing policies attached to an authentication
+    #     auth.policies #=> ["default"]
+    #
+    #   @return [Array<String>, nil]
+    field :policies, freeze: true
+
+    # @!attribute [r] renewable
+    #   Returns whether this authentication is renewable.
+    #
+    #   @example Checking if an authentication is renewable
+    #     auth.renewable? #=> false
+    #
+    #   @return [Boolean]
+    field :renewable, as: :renewable?
+  end
+
+  # WrapInfo is the information returned by a wrapped response. This is almost
+  # always embedded as part of a {Secret}.
+  class WrapInfo < Response
+    # @!attribute [r] token
+    #   Wrapped response token. This token may be used to unwrap the response.
+    #   @return [String]
+    field :token
+
+    # @!attribute [r] wrapped_accessor
+    #   Accessor for the wrapped token. This is like a `lease_id`, but for a token.
+    #   @return [String]
+    field :wrapped_accessor
+
+    # @!attribute [r] creation_time
+    #   Date & time when the wrapped token was created
+    #   @return [Time]
+    field :creation_time, load: ->(v) { Time.parse(v) }
+
+    # @!attribute [r] ttl
+    #   The TTL on the token returned in seconds.
+    #   @return [Fixnum]
+    field :ttl
+  end
+end

data/lib/vault/api/sys/audit.rb

@@ -0,0 +1,91 @@
+require "json"
+
+module Vault
+  class Audit < Response
+    # @!attribute [r] description
+    #   Description of the audit backend.
+    #   @return [String]
+    field :description
+
+    # @!attribute [r] options
+    #   Map of options configured to the audit backend.
+    #   @return [Hash<Symbol, Object>]
+    field :options
+
+    # @!attribute [r] type
+    #   Name of the audit backend.
+    #   @return [String]
+    field :type
+  end
+
+  class Sys
+    # List all audits for the vault.
+    #
+    # @example
+    #   Vault.sys.audits #=> { :file => #<Audit> }
+    #
+    # @return [Hash<Symbol, Audit>]
+    def audits
+      json = client.get("/v1/sys/audit")
+      json = json[:data] if json[:data]
+      return Hash[*json.map do |k,v|
+        [k.to_s.chomp("/").to_sym, Audit.decode(v)]
+      end.flatten]
+    end
+
+    # Enable a particular audit. Note: the +options+ depend heavily on the
+    # type of audit being enabled. Please refer to audit-specific documentation
+    # for which need to be enabled.
+    #
+    # @example
+    #   Vault.sys.enable_audit("/file-audit", "file", "File audit", path: "/path/on/disk") #=> true
+    #
+    # @param [String] path
+    #   the path to mount the audit
+    # @param [String] type
+    #   the type of audit to enable
+    # @param [String] description
+    #   a human-friendly description of the audit backend
+    # @param [Hash] options
+    #   audit-specific options
+    #
+    # @return [true]
+    def enable_audit(path, type, description, options = {})
+      client.put("/v1/sys/audit/#{encode_path(path)}", JSON.fast_generate(
+        type:        type,
+        description: description,
+        options:     options,
+      ))
+      return true
+    end
+
+    # Disable a particular audit. If an audit does not exist, and error will be
+    # raised.
+    #
+    # @param [String] path
+    #   the path of the audit to disable
+    #
+    # @return [true]
+    def disable_audit(path)
+      client.delete("/v1/sys/audit/#{encode_path(path)}")
+      return true
+    end
+
+    # Generates a HMAC verifier for a given input.
+    #
+    # @example
+    #   Vault.sys.audit_hash("file-audit", "my input") #=> "hmac-sha256:30aa7de18a5e90bbc1063db91e7c387b32b9fa895977eb8c177bbc91e7d7c542"
+    #
+    # @param [String] path
+    #   the path of the audit backend
+    # @param [String] input
+    #   the input to generate a HMAC for
+    #
+    # @return [String]
+    def audit_hash(path, input)
+      json = client.post("/v1/sys/audit-hash/#{encode_path(path)}", JSON.fast_generate(input: input))
+      json = json[:data] if json[:data]
+      json[:hash]
+    end
+  end
+end

data/lib/vault/api/sys/auth.rb

@@ -0,0 +1,116 @@
+require "json"
+
+module Vault
+  class Auth < Response
+    # @!attribute [r] description
+    #   Description of the auth backend.
+    #   @return [String]
+    field :description
+
+    # @!attribute [r] type
+    #   Name of the auth backend.
+    #   @return [String]
+    field :type
+  end
+
+  class AuthConfig < Response
+    # @!attribute [r] default_lease_ttl
+    #   The default time-to-live.
+    #   @return [String]
+    field :default_lease_ttl
+
+    # @!attribute [r] max_lease_ttl
+    #   The maximum time-to-live.
+    #   @return [String]
+    field :max_lease_ttl
+  end
+
+  class Sys
+    # List all auths in Vault.
+    #
+    # @example
+    #   Vault.sys.auths #=> {:token => #<Vault::Auth type="token", description="token based credentials">}
+    #
+    # @return [Hash<Symbol, Auth>]
+    def auths
+      json = client.get("/v1/sys/auth")
+      json = json[:data] if json[:data]
+      return Hash[*json.map do |k,v|
+        [k.to_s.chomp("/").to_sym, Auth.decode(v)]
+      end.flatten]
+    end
+
+    # Enable a particular authentication at the given path.
+    #
+    # @example
+    #   Vault.sys.enable_auth("github", "github") #=> true
+    #
+    # @param [String] path
+    #   the path to mount the auth
+    # @param [String] type
+    #   the type of authentication
+    # @param [String] description
+    #   a human-friendly description (optional)
+    #
+    # @return [true]
+    def enable_auth(path, type, description = nil)
+      payload = { type: type }
+      payload[:description] = description if !description.nil?
+
+      client.post("/v1/sys/auth/#{encode_path(path)}", JSON.fast_generate(payload))
+      return true
+    end
+
+    # Disable a particular authentication at the given path. If not auth
+    # exists at that path, an error will be raised.
+    #
+    # @example
+    #   Vault.sys.disable_auth("github") #=> true
+    #
+    # @param [String] path
+    #   the path to disable
+    #
+    # @return [true]
+    def disable_auth(path)
+      client.delete("/v1/sys/auth/#{encode_path(path)}")
+      return true
+    end
+
+    # Read the given auth path's configuration.
+    #
+    # @example
+    #   Vault.sys.auth_tune("github") #=> #<Vault::AuthConfig "default_lease_ttl"=3600, "max_lease_ttl"=7200>
+    #
+    # @param [String] path
+    #   the path to retrieve configuration for
+    #
+    # @return [AuthConfig]
+    #   configuration of the given auth path
+    def auth_tune(path)
+      json = client.get("/v1/sys/auth/#{encode_path(path)}/tune")
+      return AuthConfig.decode(json)
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Write the given auth path's configuration.
+    #
+    # @example
+    #   Vault.sys.auth_tune("github", "default_lease_ttl" => 600, "max_lease_ttl" => 1200 ) #=>  true
+    #
+    # @param [String] path
+    #   the path to retrieve configuration for
+    #
+    # @return [AuthConfig]
+    #   configuration of the given auth path
+    def put_auth_tune(path, config = {})
+      json = client.put("/v1/sys/auth/#{encode_path(path)}/tune", JSON.fast_generate(config))
+      if json.nil?
+        return true
+      else
+        return Secret.decode(json)
+      end
+    end
+  end
+end

data/lib/vault/api/sys/health.rb

@@ -0,0 +1,63 @@
+require "json"
+
+module Vault
+  class HealthStatus < Response
+    # @!attribute [r] initialized
+    #   Whether the Vault server is Initialized.
+    #   @return [Boolean]
+    field :initialized, as: :initialized?
+
+    # @!attribute [r] sealed
+    #   Whether the Vault server is Sealed.
+    #   @return [Boolean]
+    field :sealed, as: :sealed?
+
+    # @!attribute [r] standby
+    #   Whether the Vault server is in Standby mode.
+    #   @return [Boolean]
+    field :standby, as: :standby?
+
+    # @!attribute [r] replication_performance_mode
+    #   Verbose description of DR mode (added in 0.9.2)
+    #   @return [String]
+    field :replication_performance_mode
+
+    # @!attribute [r] replication_dr_mode
+    #   Verbose description of DR mode (added in 0.9.2)
+    #   @return [String]
+    field :replication_dr_mode
+
+    # @!attribute [r] server_time_utc
+    #   Server time in Unix seconds, UTC
+    #   @return [Fixnum]
+    field :server_time_utc
+
+    # @!attribute [r] version
+    #   Server Vault version string (added in 0.6.1)
+    #   @return [String]
+    field :version
+
+    # @!attribute [r] cluster_name
+    #   Server cluster name
+    #   @return [String]
+    field :cluster_name
+
+    # @!attribute [r] cluster_id
+    #   Server cluster UUID
+    #   @return [String]
+    field :cluster_id
+  end
+
+  class Sys
+    # Show the health status for this vault.
+    #
+    # @example
+    #   Vault.sys.health_status #=> #Vault::HealthStatus @initialized=true, @sealed=false, @standby=false, @replication_performance_mode="disabled", @replication_dr_mode="disabled", @server_time_utc=1519776728, @version="0.9.3", @cluster_name="vault-cluster-997f514e", @cluster_id="c2dad70a-6d88-a06d-69f6-9ae7f5485998">
+    #
+    # @return [HealthStatus]
+    def health_status
+      json = client.get("/v1/sys/health", {:sealedcode => 200, :uninitcode => 200, :standbycode => 200})
+      return HealthStatus.decode(json)
+    end
+  end
+end

data/lib/vault/api/sys/init.rb

@@ -0,0 +1,83 @@
+require "json"
+
+module Vault
+  class InitResponse < Response
+    # @!attribute [r] keys
+    #   List of unseal keys.
+    #   @return [Array<String>]
+    field :keys
+
+    # @!attribute [r] keys_base64
+    #   List of unseal keys, base64-encoded
+    #   @return [Array<String>]
+    field :keys_base64
+
+    # @!attribute [r] root_token
+    #   Initial root token.
+    #   @return [String]
+    field :root_token
+  end
+
+  class InitStatus < Response
+    # @!method initialized?
+    #   Returns whether the Vault server is initialized.
+    #   @return [Boolean]
+    field :initialized, as: :initialized?
+  end
+
+  class Sys
+    # Show the initialization status for this vault.
+    #
+    # @example
+    #   Vault.sys.init_status #=> #<Vault::InitStatus initialized=true>
+    #
+    # @return [InitStatus]
+    def init_status
+      json = client.get("/v1/sys/init")
+      return InitStatus.decode(json)
+    end
+
+    # Initialize a new vault.
+    #
+    # @example
+    #   Vault.sys.init #=> #<Vault::InitResponse keys=["..."] root_token="...">
+    #
+    # @param [Hash] options
+    #   the list of init options
+    #
+    # @option options [String] :root_token_pgp_key
+    #   optional base64-encoded PGP public key used to encrypt the initial root
+    #   token.
+    # @option options [Fixnum] :secret_shares
+    #   the number of shares
+    # @option options [Fixnum] :secret_threshold
+    #   the number of keys needed to unlock
+    # @option options [Array<String>] :pgp_keys
+    #   an optional Array of base64-encoded PGP public keys to encrypt sharees
+    # @option options [Fixnum] :stored_shares
+    #   the number of shares that should be encrypted by the HSM for
+    #   auto-unsealing
+    # @option options [Fixnum] :recovery_shares
+    #   the number of shares to split the recovery key into
+    # @option options [Fixnum] :recovery_threshold
+    #   the number of shares required to reconstruct the recovery key
+    # @option options [Array<String>] :recovery_pgp_keys
+    #   an array of PGP public keys used to encrypt the output for the recovery
+    #   keys
+    #
+    # @return [InitResponse]
+    def init(options = {})
+      json = client.put("/v1/sys/init", JSON.fast_generate(
+        root_token_pgp_key: options.fetch(:root_token_pgp_key, nil),
+        secret_shares:      options.fetch(:secret_shares, options.fetch(:shares, 5)),
+        secret_threshold:   options.fetch(:secret_threshold, options.fetch(:threshold, 3)),
+        pgp_keys:           options.fetch(:pgp_keys, nil),
+        stored_shares:      options.fetch(:stored_shares, nil),
+        recovery_shares:    options.fetch(:recovery_shares, nil),
+        recovery_threshold: options.fetch(:recovery_threshold, nil),
+        recovery_pgp_keys:  options.fetch(:recovery_pgp_keys, nil),
+      ))
+      return InitResponse.decode(json)
+    end
+  end
+end

data/lib/vault/api/sys/leader.rb

@@ -0,0 +1,48 @@
+module Vault
+  class LeaderStatus < Response
+    # @!method ha_enabled?
+    #   Returns whether the high-availability mode is enabled.
+    #   @return [Boolean]
+    field :ha_enabled, as: :ha_enabled?
+
+    # @!method leader?
+    #   Returns whether the Vault server queried is the leader.
+    #   @return [Boolean]
+    field :is_self, as: :leader?
+
+    # @!attribute [r] address
+    #   URL where the server is running.
+    #   @return [String]
+    field :leader_address, as: :address
+
+    # @deprecated Use {#ha_enabled?} instead
+    def ha?; ha_enabled?; end
+
+    # @deprecated Use {#leader?} instead
+    def is_leader?; leader?; end
+
+    # @deprecated Use {#leader?} instead
+    def is_self?; leader?; end
+
+    # @deprecated Use {#leader?} instead
+    def self?; leader?; end
+  end
+
+  class Sys
+    # Determine the leader status for this vault.
+    #
+    # @example
+    #   Vault.sys.leader #=> #<Vault::LeaderStatus ha_enabled=false, is_self=false, leader_address="">
+    #
+    # @return [LeaderStatus]
+    def leader
+      json = client.get("/v1/sys/leader")
+      return LeaderStatus.decode(json)
+    end
+
+    def step_down
+      client.put("/v1/sys/step-down", nil)
+      return true
+    end
+  end
+end