dsv-sdk 0.0.1.pre.SNAPSHOT

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 202d144ecdbd1258d681b6fb2af3bed61324742348466746f432d38d1860b0bc
+  data.tar.gz: acb8f986eec3d37aaa0a01424865b5fd08aa7a04f3a1308c4bcecbcb8850b6ad
+SHA512:
+  metadata.gz: 89c1554fce29a350a0f46f94a36c54a69de9f4fe5185682d9df457fcba608d054b3276dc62ae756fda9e05bf84e39111a4d2d6e22550cc119acd46b7b8dd76df
+  data.tar.gz: 7074d4be9fa997ef7935f03d9c347de6163c9c8aa5272d49e08500b6a71ab5e4e63c5fd7c5c3c45a8ab0289cce90e8a4f63e2cebcafe0ccf5d3f59d41acf62b0

data/lib/vault/client.rb

@@ -0,0 +1,33 @@
+class Vault::Client
+    CLIENTS_RESOURCE = "clients".freeze
+  
+    # Fetch desired client information from the specified Vault
+    #
+    # @param vault [Vault] The initialized Vault
+    # @param id [String] The ID of the client
+    #
+    # @return client [Hash]
+    def self.fetch(vault, id)
+      @vault = vault
+      client = @vault.accessResource("GET", CLIENTS_RESOURCE, id, nil)
+    end
+  
+    # Mark the client as ready to be removed
+    #
+    # @param vault [Vault] The initialized Vault
+    # @param id [String] The ID of the client
+    def self.delete(vault, id)
+      vault.accessResource("DELETE", CLIENTS_RESOURCE, id, nil, nil)
+    end
+
+    # Create the client for the desired Vault
+    #
+    # @param vault [Vault] The initialized Vault
+    # @param role_Name [String] Name of the role to create
+    def self.create(vault, role_name)
+      client_data = {
+        role: role_name
+      }
+      vault.accessResource("POST", CLIENTS_RESOURCE, "/", client_data)
+    end
+  end

data/lib/vault/role.rb

@@ -0,0 +1,16 @@
+require './lib/vault.rb'
+class Vault::Role
+    ROLES_RESOURCE = "roles".freeze
+  
+    # Return the specified role
+    #
+    # @param vault [Vault] The initialized Vault
+    # @param name [String] Name of the role
+    #
+    # @return role [Hash]
+    def self.fetch(vault, name)
+      @vault = vault
+  
+      role = @vault.accessResource("GET", ROLES_RESOURCE, name, nil)
+    end
+  end

data/lib/vault/secret.rb

@@ -0,0 +1,17 @@
+
+# Utilized to fetch secrets from an initialzed +Vault+
+class Vault::Secret
+    SECRETS_RESOURCE = "secrets".freeze
+  
+    # Fetch secrets from the server
+    #
+    # @param vault [Server]
+    # @param path [String] path to the secret
+    #
+    # @return [Hash] of the secret
+    def self.fetch(vault, path)
+        @vault = vault
+  
+        @secret = @vault.accessResource("GET", SECRETS_RESOURCE, path, nil)
+    end
+  end

data/lib/vault/vault.rb

@@ -0,0 +1,183 @@
+require 'json'
+require 'faraday'
+require 'logger'
+
+##
+# If we're in the +test+ environment just dump logs to Null
+# Otherwise, use stdout
+if ENV['test']
+  $logger = Logger.new(IO::NULL)
+else
+  $logger = Logger.new(STDOUT)
+end
+
+##
+# Invoked when the API returns an +API_AccessDenied+ error
+class AccessDeniedException < StandardError; end;
+class ResourceNotFoundException < StandardError; end;
+class InvalidConfigurationException < StandardError; end;
+class InvalidCredentialsException < StandardError; end;
+class InvalidMethodTypeException < StandardError; end;
+class UnrecognizedResourceException < StandardError; end;
+
+class Vault
+  DEFAULT_URL_TEMPLATE = "https://%s.secretsvaultcloud.%s/v1/%s%s"
+  DEFAULT_TLD = "com"
+
+  # Initialize a +Vault+ object with provided configuration.
+  #
+  # @param config [Hash]
+  #   - client_id: ''
+  #   - client_secret: ''
+  #   - tld: 'com'
+  #   - tenant: ''
+  def initialize(config = nil)
+
+    if config 
+      @configuration = config.collect{|k,v| [k.to_s, v]}.to_h
+    else
+      @configuration = {}
+
+      @configuration['client_id'] = ENV['DSV_CLIENT_ID']
+      @configuration['client_secret'] = ENV['DSV_CLIENT_SECRET']
+      @configuration['tenant'] = ENV['DSV_TENANT']
+      @configuration['tld'] = ENV['DSV_TLD']
+    end
+
+    if @configuration['client_id'].nil? || @configuration['client_secret'].nil?
+      $logger.error("Must provide client_id and client_secret")
+      raise InvalidConfigurationException
+    end
+
+    $logger.debug("Vault is configured for client_id: #{@configuration['client_id']}")
+  end
+
+  # Helper method to access a resource via API
+  #
+  # @param method [String] HTTP Request Method
+  # @param resource [String] The resource type to invoke
+  # @param path [String] The API Path to request
+  # @param input [String] Input to send via POST/PUT body
+  #
+  # @return [Hash] - return Hash of JSON contents
+  #
+  # - +AccessDeniedException+ is raised if the server responds with an +API_AccessDenied+ error
+  # - +InvalidMethodTypeException+ is raised if a method other than +["GET", "POST", "PUT", "DELETE"]+ is provided
+  # - +UnrecognizedResourceException+ is raised if a resource other than +["clients", "roles", "secrets"]+ is requested
+  def accessResource(method, resource, path, input, parse_json=true)
+    unless ["GET", "POST", "PUT", "DELETE"].include?(method.upcase)
+      $logger.error "Invalid request method: #{method}"
+      raise InvalidMethodTypeException
+    end
+
+    unless ["clients", "roles", "secrets"].include? resource
+      message = "unrecognized resource"
+      $logger.debug "#{message}, #{resource}"
+
+      raise UnrecognizedResourceException
+    end
+
+    body = ""
+
+    unless input.nil?
+      body = input.to_json
+    end
+
+    accessToken = getAccessToken
+
+    # Yikes, normally not a fan of metaprogramming
+    # We first ensured that `method` is legit to prevent
+    # arbitrary method invocation
+    url = urlFor(resource, path)
+    $logger.debug "Sending request to: #{url}"
+    resp = Faraday.send(method.downcase, url) do | req |
+      req.headers['Authorization'] = "Bearer #{accessToken}"
+      req.body = body unless body.empty?
+
+      if ["POST", "PUT"].include?(method.upcase)
+        req.headers['Content-Type'] = 'application/json'
+      end
+    end
+
+    data = resp.body
+
+    return data unless parse_json
+
+    begin
+      hash = JSON.parse(data)
+
+      if hash['errorCode'] == "API_AccessDenied"
+        raise AccessDeniedException
+      end
+
+      if hash['message'] == "Invalid permissions"
+        raise AccessDeniedException
+      end
+
+      if hash['code'] == 404
+        raise ResourceNotFoundException
+      end
+      
+    rescue JSON::ParserError => e
+      $logger.error "Error parsing JSON: #{e.to_s}"
+      raise e
+    end
+
+    return hash
+  end
+
+  # Query API for OAuth token
+  #
+  # - +InvalidCredentialsException+ is returned if the provided credentials are not valid
+  # 
+  # @return [String]
+  def getAccessToken
+    grantRequest = {
+      grant_type: "client_credentials",
+      client_id: @configuration['client_id'],
+      client_secret: @configuration['client_secret']
+    }.to_json
+
+    url = urlFor("token")
+
+    $logger.debug "calling #{url} with client_id #{@configuration['client_id']}"
+
+    response = Faraday.post(
+      url, 
+      grantRequest,
+      "Content-Type" => "application/json"
+    )
+
+    unless response.status == 200
+      $logger.debug "grant response error: #{response.body}"
+      raise InvalidCredentialsException
+    end
+
+    begin
+      grant = JSON.parse(response.body)
+      return grant['accessToken']
+    rescue JSON::ParserError => e
+      $logger.error "Error parsing JSON: #{e.to_s}"
+      raise e
+    end
+  end
+
+  # Generate the URL for a specific request.
+  # This factors in several configuration options including:
+  # - +tenant+
+  # - +tld+
+  #
+  # @param resource [String] The specific API resource to request
+  # @param path [String] The path to the resource
+  #
+  # @return [String] The generated URL for the request
+  def urlFor(resource, path=nil)
+
+    if path != nil
+      path = "/#{path.delete_prefix("/")}"
+    end
+
+    sprintf(DEFAULT_URL_TEMPLATE, @configuration['tenant'], @configuration['tld'] || DEFAULT_TLD, resource, path)
+  end
+  
+end

data/lib/vault.rb

@@ -0,0 +1,7 @@
+class Vault
+  require 'vault/vault'
+
+  require 'vault/client'
+  require 'vault/secret'
+  require 'vault/role'
+end

metadata

@@ -0,0 +1,62 @@
+--- !ruby/object:Gem::Specification
+name: dsv-sdk
+version: !ruby/object:Gem::Version
+  version: 0.0.1.pre.SNAPSHOT
+platform: ruby
+authors:
+- John Poulin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-04-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+description: The Thycotic DevOps Secrets Vault SDK for Ruby
+email: john.m.poulin@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/vault.rb
+- lib/vault/client.rb
+- lib/vault/role.rb
+- lib/vault/secret.rb
+- lib/vault/vault.rb
+homepage: https://rubygems.org/gems/hola
+licenses:
+- Apache-2.0
+metadata:
+  github_repo: ssh://github.com/forced-request/dsv-ruby-sdk
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: dsv-sdk
+test_files: []