dd-vault 0.12.0

data/lib/vault/api/sys/lease.rb

@@ -0,0 +1,49 @@
+module Vault
+  class Sys
+    # Renew a lease with the given ID.
+    #
+    # @example
+    #   Vault.sys.renew("aws/username") #=> #<Vault::Secret ...>
+    #
+    # @param [String] id
+    #   the lease ID
+    # @param [Fixnum] increment
+    #
+    # @return [Secret]
+    def renew(id, increment = 0)
+      json = client.put("/v1/sys/renew/#{id}", JSON.fast_generate(
+        increment: increment,
+      ))
+      return Secret.decode(json)
+    end
+
+    # Revoke the secret at the given id. If the secret does not exist, an error
+    # will be raised.
+    #
+    # @example
+    #   Vault.sys.revoke("aws/username") #=> true
+    #
+    # @param [String] id
+    #   the lease ID
+    #
+    # @return [true]
+    def revoke(id)
+      client.put("/v1/sys/revoke/#{id}", nil)
+      return true
+    end
+
+    # Revoke all secrets under the given prefix.
+    #
+    # @example
+    #   Vault.sys.revoke_prefix("aws") #=> true
+    #
+    # @param [String] id
+    #   the lease ID
+    #
+    # @return [true]
+    def revoke_prefix(id)
+      client.put("/v1/sys/revoke-prefix/#{id}", nil)
+      return true
+    end
+  end
+end

data/lib/vault/api/sys/mount.rb

@@ -0,0 +1,103 @@
+require "json"
+
+module Vault
+  class Mount < Response
+    # @!attribute [r] config
+    #   Arbitrary configuration for the backend.
+    #   @return [Hash<Symbol, Object>]
+    field :config
+
+    # @!attribute [r] description
+    #   Description of the mount.
+    #   @return [String]
+    field :description
+
+    # @!attribute [r] type
+    #   Type of the mount.
+    #   @return [String]
+    field :type
+  end
+
+  class Sys < Request
+    # List all mounts in the vault.
+    #
+    # @example
+    #   Vault.sys.mounts #=> { :secret => #<struct Vault::Mount type="generic", description="generic secret storage"> }
+    #
+    # @return [Hash<Symbol, Mount>]
+    def mounts
+      json = client.get("/v1/sys/mounts")
+      json = json[:data] if json[:data]
+      return Hash[*json.map do |k,v|
+        [k.to_s.chomp("/").to_sym, Mount.decode(v)]
+      end.flatten]
+    end
+
+    # Create a mount at the given path.
+    #
+    # @example
+    #   Vault.sys.mount("pg", "postgresql", "Postgres user management") #=> true
+    #
+    # @param [String] path
+    #   the path to mount at
+    # @param [String] type
+    #   the type of mount
+    # @param [String] description
+    #   a human-friendly description (optional)
+    def mount(path, type, description = nil)
+      payload = { type: type }
+      payload[:description] = description if !description.nil?
+
+      client.post("/v1/sys/mounts/#{encode_path(path)}", JSON.fast_generate(payload))
+      return true
+    end
+
+    # Tune a mount at the given path.
+    #
+    # @example
+    #   Vault.sys.mount_tune("pki", max_lease_ttl: '87600h') #=> true
+    #
+    # @param [String] path
+    #   the path to write
+    # @param [Hash] data
+    #   the data to write
+    def mount_tune(path, data = {})
+      json = client.post("/v1/sys/mounts/#{encode_path(path)}/tune", JSON.fast_generate(data))
+      return true
+    end
+
+    # Unmount the thing at the given path. If the mount does not exist, an error
+    # will be raised.
+    #
+    # @example
+    #   Vault.sys.unmount("pg") #=> true
+    #
+    # @param [String] path
+    #   the path to unmount
+    #
+    # @return [true]
+    def unmount(path)
+      client.delete("/v1/sys/mounts/#{encode_path(path)}")
+      return true
+    end
+
+    # Change the name of the mount
+    #
+    # @example
+    #   Vault.sys.remount("pg", "postgres") #=> true
+    #
+    # @param [String] from
+    #   the origin mount path
+    # @param [String] to
+    #   the new mount path
+    #
+    # @return [true]
+    def remount(from, to)
+      client.post("/v1/sys/remount", JSON.fast_generate(
+        from: from,
+        to:   to,
+      ))
+      return true
+    end
+  end
+end

data/lib/vault/api/sys/policy.rb

@@ -0,0 +1,92 @@
+require "json"
+
+module Vault
+  class Policy < Response
+    # @!attribute [r] name
+    #   Name of the policy.
+    #
+    #   @example Get the name of the policy
+    #     policy.name #=> "default"
+    #
+    #   @return [String]
+    field :name
+
+    # @!attribute [r] rules
+    #   Raw HCL policy.
+    #
+    #   @example Display the list of rules
+    #     policy.rules #=> "path \"secret/foo\" {}"
+    #
+    #   @return [String]
+    field :rules
+  end
+
+  class Sys
+    # The list of policies in vault.
+    #
+    # @example
+    #   Vault.sys.policies #=> ["root"]
+    #
+    # @return [Array<String>]
+    def policies
+      client.get("/v1/sys/policy")[:policies]
+    end
+
+    # Get the policy by the given name. If a policy does not exist by that name,
+    # +nil+ is returned.
+    #
+    # @example
+    #   Vault.sys.policy("root") #=> #<Vault::Policy rules="">
+    #
+    # @return [Policy, nil]
+    def policy(name)
+      json = client.get("/v1/sys/policy/#{encode_path(name)}")
+      return Policy.decode(json)
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Create a new policy with the given name and rules.
+    #
+    # @example
+    #   policy = <<-EOH
+    #     path "sys" {
+    #       policy = "deny"
+    #     }
+    #   EOH
+    #   Vault.sys.put_policy("dev", policy) #=> true
+    #
+    # It is recommend that you load policy rules from a file:
+    #
+    # @example
+    #   policy = File.read("/path/to/my/policy.hcl")
+    #   Vault.sys.put_policy("dev", policy)
+    #
+    # @param [String] name
+    #   the name of the policy
+    # @param [String] rules
+    #   the policy rules
+    #
+    # @return [true]
+    def put_policy(name, rules)
+      client.put("/v1/sys/policy/#{encode_path(name)}", JSON.fast_generate(
+        rules: rules,
+      ))
+      return true
+    end
+
+    # Delete the policy with the given name. If a policy does not exist, vault
+    # will not return an error.
+    #
+    # @example
+    #   Vault.sys.delete_policy("dev") #=> true
+    #
+    # @param [String] name
+    #   the name of the policy
+    def delete_policy(name)
+      client.delete("/v1/sys/policy/#{encode_path(name)}")
+      return true
+    end
+  end
+end

data/lib/vault/api/sys/seal.rb

@@ -0,0 +1,81 @@
+require "json"
+
+module Vault
+  class SealStatus < Response
+    # @!method sealed?
+    #   Returns if the Vault is sealed.
+    #
+    #   @example Check if the Vault is sealed
+    #     status.sealed? #=> true
+    #
+    #   @return [Boolean]
+    field :sealed, as: :sealed?
+
+    # @!attribute t
+    #   Threshold of keys required to unseal the Vault.
+    #
+    #   @example Get the threshold of keys
+    #     status.t #=> 3
+    #
+    #   @return [Fixnum]
+    field :t
+
+    # @!attribute n
+    #   Total number of unseal keys.
+    #
+    #   @example Get the total number of keys
+    #     status.n #=> 5
+    #
+    #   @return [Fixnum]
+    field :n
+
+    # @!attribute progress
+    #   Number of keys that have been entered.
+    #
+    #   @example Get the current unseal progress
+    #     status.progress #=> 2
+    #
+    #   @return [Fixnum]
+    field :progress
+  end
+
+  class Sys
+    # Get the current seal status.
+    #
+    # @example
+    #   Vault.sys.seal_status #=> #<Vault::SealStatus sealed=false, t=1, n=1, progress=0>
+    #
+    # @return [SealStatus]
+    def seal_status
+      json = client.get("/v1/sys/seal-status")
+      return SealStatus.decode(json)
+    end
+
+    # Seal the vault. Warning: this will seal the vault!
+    #
+    # @example
+    #   Vault.sys.seal #=> true
+    #
+    # @return [true]
+    def seal
+      client.put("/v1/sys/seal", nil)
+      return true
+    end
+
+    # Unseal the vault with the given shard.
+    #
+    # @example
+    #   Vault.sys.unseal("abcd-1234") #=> #<Vault::SealStatus sealed=true, t=3, n=5, progress=1>
+    #
+    # @param [String] shard
+    #   the key to use
+    #
+    # @return [SealStatus]
+    def unseal(shard)
+      json = client.put("/v1/sys/unseal", JSON.fast_generate(
+        key: shard,
+      ))
+      return SealStatus.decode(json)
+    end
+  end
+end

data/lib/vault/api/sys.rb

@@ -0,0 +1,25 @@
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+  class Client
+    # A proxy to the {Sys} methods.
+    # @return [Sys]
+    def sys
+      @sys ||= Sys.new(self)
+    end
+  end
+
+  class Sys < Request; end
+end
+
+require_relative "sys/audit"
+require_relative "sys/auth"
+require_relative "sys/health"
+require_relative "sys/init"
+require_relative "sys/leader"
+require_relative "sys/lease"
+require_relative "sys/mount"
+require_relative "sys/policy"
+require_relative "sys/seal"

data/lib/vault/api.rb

@@ -0,0 +1,12 @@
+module Vault
+  module API
+    require_relative "api/approle"
+    require_relative "api/auth_token"
+    require_relative "api/auth_tls"
+    require_relative "api/auth"
+    require_relative "api/help"
+    require_relative "api/logical"
+    require_relative "api/secret"
+    require_relative "api/sys"
+  end
+end