gemakv 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/lib/configuration.rb +19 -0
- data/lib/extraction.rb +169 -0
- data/lib/gemakv.rb +8 -0
- metadata +45 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: b5010d457c13a3a8ba4786d7ca2d0a753cd2207b400dc5457fbc15804aafc603
|
|
4
|
+
data.tar.gz: 771b8e0ac95ec2f8e2b7719e0a6a4baf3006eb19c7cf70a8e106b95a0b931524
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 878eb3dde5500d70108cb007ada7997980bc31fbc97d301e4fa80c18f0fa443b837825bc29a8a765430e858292066117f75826b062c6e980d967d1ccc9c2e631
|
|
7
|
+
data.tar.gz: d8d8cb36f5435645e12d7ede7ab8839b888481e9428aa44712c658878e80624b3f60c5a6bf776aea9d2469c6a5b8cc3800a4555c7ace2eaa6701e49614e894ab
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
|
|
2
|
+
class Configuration
|
|
3
|
+
attr_accessor :azure_tenant_id, :azure_client_id, :azure_client_secret, :azure_subscription_id, :vault_base_url, :api_version, :resource, :azure_certificate_thumbprint, :azure_certificate_private_key_file
|
|
4
|
+
|
|
5
|
+
def initialize
|
|
6
|
+
|
|
7
|
+
@azure_tenant_id = ENV["AZURE_VAULT_TENANT_ID"]
|
|
8
|
+
@azure_client_id = ENV["AZURE_VAULT_CLIENT_ID"]
|
|
9
|
+
@azure_client_secret = ENV["AZURE_VAULT_CLIENT_SECRET"]
|
|
10
|
+
@azure_subscription_id = ENV["AZURE_VAULT_SUBSCRIPTION_ID"]
|
|
11
|
+
@vault_base_url = ENV["AZURE_VAULT_BASE_URL"]
|
|
12
|
+
@api_version = ENV["AZURE_VAULT_API_VERSION"]
|
|
13
|
+
@resource = "https://vault.azure.net"
|
|
14
|
+
@azure_certificate_thumbprint = nil
|
|
15
|
+
@azure_certificate_private_key_file = nil
|
|
16
|
+
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
end
|
data/lib/extraction.rb
ADDED
|
@@ -0,0 +1,169 @@
|
|
|
1
|
+
require 'singleton'
|
|
2
|
+
require 'configuration'
|
|
3
|
+
require 'httparty'
|
|
4
|
+
|
|
5
|
+
class Extraction
|
|
6
|
+
include HTTParty
|
|
7
|
+
include Singleton
|
|
8
|
+
|
|
9
|
+
def self.initialize
|
|
10
|
+
@configuration = Configuration.new
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def self.get_value(secret_name, secret_version = nil)
|
|
14
|
+
get_secret(secret_name, secret_version)
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
|
|
18
|
+
### Get a Secret value from Microsoft Azure Vault
|
|
19
|
+
## secret_name: Name of the Key which contain the value
|
|
20
|
+
## secret_version (optional): Version of the key value we need, by omitting version the system to use the latest available version
|
|
21
|
+
def self.get_secret(secret_name, secret_version = nil)
|
|
22
|
+
# GET {vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version=7.1
|
|
23
|
+
vault_base_url = @configuration.vault_base_url
|
|
24
|
+
api_version = @configuration.api_version
|
|
25
|
+
azure_certificate_thumbprint = @configuration.azure_certificate_thumbprint
|
|
26
|
+
|
|
27
|
+
auth_token = nil
|
|
28
|
+
if azure_certificate_thumbprint.nil?
|
|
29
|
+
auth_token = get_auth_token()
|
|
30
|
+
else
|
|
31
|
+
auth_token = get_auth_certificate_token()
|
|
32
|
+
end
|
|
33
|
+
puts("es es el valor del auth token")
|
|
34
|
+
puts(auth_token)
|
|
35
|
+
|
|
36
|
+
return nil if auth_token.nil?
|
|
37
|
+
|
|
38
|
+
url = "#{vault_base_url}/secrets/#{secret_name}/#{secret_version}?api-version=#{api_version}"
|
|
39
|
+
headers = { 'Authorization' => "Bearer " + auth_token }
|
|
40
|
+
|
|
41
|
+
begin
|
|
42
|
+
response = HTTParty.get(url, {headers: headers})
|
|
43
|
+
|
|
44
|
+
puts("llego hasta aca")
|
|
45
|
+
puts(url)
|
|
46
|
+
puts(response)
|
|
47
|
+
return response.parsed_response['value']
|
|
48
|
+
rescue HTTParty::Error => e
|
|
49
|
+
puts "HTTParty ERROR: #{e.message}"
|
|
50
|
+
raise e
|
|
51
|
+
rescue Exception => e
|
|
52
|
+
puts "ERROR: #{e.message}"
|
|
53
|
+
raise e
|
|
54
|
+
end
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
def self.get_auth_token
|
|
58
|
+
#Microsoft identity platform and the OAuth 2.0 client credentials flow
|
|
59
|
+
# https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
|
|
60
|
+
# https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow#request-an-access-token
|
|
61
|
+
|
|
62
|
+
azure_tenant_id = @configuration.azure_tenant_id
|
|
63
|
+
azure_client_id = @configuration.azure_client_id
|
|
64
|
+
azure_client_secret = @configuration.azure_client_secret
|
|
65
|
+
resource = @configuration.resource
|
|
66
|
+
|
|
67
|
+
authUrl = "https://login.microsoftonline.com/#{azure_tenant_id}/oauth2/token"
|
|
68
|
+
|
|
69
|
+
data = {
|
|
70
|
+
'grant_type': 'client_credentials',
|
|
71
|
+
'client_id': azure_client_id,
|
|
72
|
+
'client_secret': azure_client_secret,
|
|
73
|
+
'resource': resource
|
|
74
|
+
}
|
|
75
|
+
|
|
76
|
+
begin
|
|
77
|
+
|
|
78
|
+
response= HTTParty.post(authUrl, body: data)
|
|
79
|
+
token = nil
|
|
80
|
+
|
|
81
|
+
puts(response)
|
|
82
|
+
|
|
83
|
+
if response
|
|
84
|
+
#puts response.to_json
|
|
85
|
+
token = response.parsed_response['access_token']
|
|
86
|
+
end
|
|
87
|
+
return token
|
|
88
|
+
rescue HTTParty::Error => e
|
|
89
|
+
puts "HTTParty ERROR: #{e.message}"
|
|
90
|
+
raise e
|
|
91
|
+
rescue Exception => e
|
|
92
|
+
puts "ERROR: #{e.message}"
|
|
93
|
+
raise e
|
|
94
|
+
end
|
|
95
|
+
end
|
|
96
|
+
def self.get_auth_certificate_token
|
|
97
|
+
|
|
98
|
+
begin
|
|
99
|
+
# Microsoft identity platform and the OAuth 2.0 client credentials flow
|
|
100
|
+
#
|
|
101
|
+
# Certificat that was upload to Azure was generated with:
|
|
102
|
+
# openssl req -x509 -newkey rsa:4096 -keyout private_key.pem -out public_certificate.pem -nodes -days 3650
|
|
103
|
+
#
|
|
104
|
+
# To obtain the x5t encode base64 thumbprint of the certificate:
|
|
105
|
+
# echo $(openssl x509 -in public_certificate.pem -fingerprint -noout) | sed 's/SHA1 Fingerprint=//g' | sed 's/://g' | xxd -r -ps | base64
|
|
106
|
+
|
|
107
|
+
# https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
|
|
108
|
+
# https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow#request-an-access-token
|
|
109
|
+
|
|
110
|
+
azure_tenant_id = @configuration.azure_tenant_id
|
|
111
|
+
azure_client_id = @configuration.azure_client_id
|
|
112
|
+
resource = @configuration.resource
|
|
113
|
+
azure_certificate_thumbprint = @configuration.azure_certificate_thumbprint
|
|
114
|
+
azure_certificate_private_key_file = @configuration.azure_certificate_private_key_file
|
|
115
|
+
|
|
116
|
+
authUrl = "https://login.microsoftonline.com/#{azure_tenant_id}/oauth2/token"
|
|
117
|
+
exp = Time.now.to_i + 4 * 3600
|
|
118
|
+
nbf = Time.now.to_i - 3600
|
|
119
|
+
jti = SecureRandom.uuid
|
|
120
|
+
|
|
121
|
+
#//x5t THUMBPRINT of Cert
|
|
122
|
+
header = {
|
|
123
|
+
"alg": "RS256",
|
|
124
|
+
"typ": "JWT",
|
|
125
|
+
"x5t": azure_certificate_thumbprint
|
|
126
|
+
}
|
|
127
|
+
#Claim (payload)
|
|
128
|
+
payload = {
|
|
129
|
+
"aud": authUrl,
|
|
130
|
+
"exp": exp,
|
|
131
|
+
"iss": azure_client_id,
|
|
132
|
+
"jti": jti,
|
|
133
|
+
"nbf": nbf,
|
|
134
|
+
"sub": azure_client_id
|
|
135
|
+
}
|
|
136
|
+
|
|
137
|
+
token = "#{Base64.strict_encode64(header.to_json)}.#{Base64.strict_encode64(payload.to_json)}"
|
|
138
|
+
|
|
139
|
+
# Get the private key, from the file
|
|
140
|
+
azure_certificate_private_key = OpenSSL::PKey.read(File.read(azure_certificate_private_key_file))
|
|
141
|
+
# The hash algorithm, I assume SHA256 is being used
|
|
142
|
+
base64_signature = Base64.strict_encode64(azure_certificate_private_key.sign(OpenSSL::Digest::SHA256.new, token))
|
|
143
|
+
|
|
144
|
+
jwt_client_assertion = "#{token}.#{base64_signature}"
|
|
145
|
+
|
|
146
|
+
data = {
|
|
147
|
+
'grant_type': 'client_credentials',
|
|
148
|
+
'client_id': azure_client_id,
|
|
149
|
+
'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
|
|
150
|
+
'client_assertion': jwt_client_assertion,
|
|
151
|
+
'resource': resource
|
|
152
|
+
}
|
|
153
|
+
|
|
154
|
+
response = HTTParty.post(authUrl, body: data)
|
|
155
|
+
token = nil
|
|
156
|
+
|
|
157
|
+
if response
|
|
158
|
+
token = response.parsed_response['access_token']
|
|
159
|
+
end
|
|
160
|
+
return token
|
|
161
|
+
rescue HTTParty::Error => e
|
|
162
|
+
puts "HTTParty ERROR: #{e.message}"
|
|
163
|
+
raise e
|
|
164
|
+
rescue Exception => e
|
|
165
|
+
puts "ERROR: #{e.message}"
|
|
166
|
+
raise e
|
|
167
|
+
end
|
|
168
|
+
end
|
|
169
|
+
end
|
data/lib/gemakv.rb
ADDED
metadata
ADDED
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: gemakv
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.1.1
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Erick Ramírez
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2022-12-12 00:00:00.000000000 Z
|
|
12
|
+
dependencies: []
|
|
13
|
+
description: Way to access securely to AKV secrets
|
|
14
|
+
email:
|
|
15
|
+
- erramire@microsoft.com
|
|
16
|
+
executables: []
|
|
17
|
+
extensions: []
|
|
18
|
+
extra_rdoc_files: []
|
|
19
|
+
files:
|
|
20
|
+
- lib/configuration.rb
|
|
21
|
+
- lib/extraction.rb
|
|
22
|
+
- lib/gemakv.rb
|
|
23
|
+
homepage: https://github.com/erramire/gemtestakv
|
|
24
|
+
licenses: []
|
|
25
|
+
metadata: {}
|
|
26
|
+
post_install_message:
|
|
27
|
+
rdoc_options: []
|
|
28
|
+
require_paths:
|
|
29
|
+
- lib
|
|
30
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
31
|
+
requirements:
|
|
32
|
+
- - ">="
|
|
33
|
+
- !ruby/object:Gem::Version
|
|
34
|
+
version: '0'
|
|
35
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
36
|
+
requirements:
|
|
37
|
+
- - ">="
|
|
38
|
+
- !ruby/object:Gem::Version
|
|
39
|
+
version: '0'
|
|
40
|
+
requirements: []
|
|
41
|
+
rubygems_version: 3.3.26
|
|
42
|
+
signing_key:
|
|
43
|
+
specification_version: 4
|
|
44
|
+
summary: Azure Key Vault get Secret
|
|
45
|
+
test_files: []
|