RubyGems - lambda_vault_auth - Versions diffs - 0.0.0 → 0.0.1 - Mend

lambda_vault_auth 0.0.0 → 0.0.1

Files changed (4) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b709606a9982fe1e6f8248acbb72436217e231f3d20bd6f808f963faf366a472
-  data.tar.gz: a1d035fc195ee1a0c62ea2e901687b71c954c013053f8199e7ecc73a985d6cd4
+  metadata.gz: 6e9794bac03588fc9ad7caf0d29aacdca294575705196667f9eee9c2fcf9bb3b
+  data.tar.gz: 2d4f4831c045a811ec11af35bbdc931bb5e9269ceab04c228e9f746f33705727
 SHA512:
-  metadata.gz: bd519447ef2828f5720af18996a84dd7a9365c64c20168b2220f2cfcc31d7f072df196581c9e37daa007e0ad8277a0419288b82750e28b1cbbeb15c1f7366c8b
-  data.tar.gz: bf6e89e32c382c60b6b216ba5d31901af1043c757ed99e1233bc2728a50061a8a87148c51043128f3f6d34fa083e8e6800a85533b413b51196d4177096a87fa0
+  metadata.gz: dfa49c64e9d2b801503059d84cdd71ba80d7cb92247006b9b1997f05eb45ac2b0502c6fe234fb9dc14f3cf10714f05eb8cf5512d4a4f1239117c63b56e9f6315
+  data.tar.gz: c6cbf16a2a56e15c585ee10cf80a3d3e2d44616710175400e747171b3ee9c5906a55b9e790e1997305cbf69d51b659dbf68b58106bddc6d8533d210db1ff3f6e

data/VERSION CHANGED

	@@ -1 +1 @@
1	- 0.0.0
1	+ 0.0.1

data/lib/lambda_vault_auth.rb CHANGED

@@ -1,9 +1,6 @@
 require 'aws-sdk-core'
 require 'vault'
-# TODO: support the advanced vault header in the signature, since it gives us better security
-# VAULT_AUTH_HEADER_NAME = "X-Vault-AWS-IAM-Server-ID".freeze
 # LambdaVaultAuth
 class LambdaVaultAuth
   # Internal class for Vault interactions
@@ -17,8 +14,9 @@ class LambdaVaultAuth
                 :renewal_window,
                 :ttl
-    def initialize(sts = Aws::STS::Client.new, env = ENV)
-      @sts = sts
+    DEFAULT_STS_URI = 'https://sts.amazonaws.com'.freeze
+    def initialize(env = ENV)
       @client = new_client_from_environment(env)
       # TODO: Make the following configurable
@@ -45,9 +43,13 @@ class LambdaVaultAuth
       handle_token(auth_token.renew_self(ttl))
     end
+    def login_route
+      "/v1/auth/#{@auth_provider}/login"
+    end
     def new_client_from_environment(env)
       addr = env.fetch('VAULT_ADDR')
-      # @auth_header = env.fetch('VAULT_AUTH_HEADER')
+      @auth_header = env['VAULT_AUTH_HEADER'] # may be nil
       @auth_provider = env.fetch('VAULT_AUTH_PROVIDER')
       @auth_role = env.fetch('VAULT_AUTH_ROLE')
@@ -57,26 +59,15 @@ class LambdaVaultAuth
     end
     def authenticate!
-      req = @sts.get_caller_identity.context.http_request
+      secret = client.auth.aws_iam(@auth_role, Aws::CredentialProviderChain.new.resolve, @auth_header, DEFAULT_STS_URI, login_route)
-      data = {
-        'iam_http_request_method': req.http_method,
-        'iam_request_body': Base64.strict_encode64(req.body.read),
-        'iam_request_headers': Base64.strict_encode64(req.headers.to_h.to_json),
-        'iam_request_url': Base64.strict_encode64(req.endpoint.to_s),
-        'role': @auth_role
-      }
-      secret = client.logical.write("auth/#{@auth_provider}/login", data)
-      warn secret.warnings unless secret.warnings.empty?
+      warn secret.warnings unless secret.warnings.nil? or secret.warnings.empty?
       handle_token(secret)
-      # create the required data to renew/validate
-      # populate the token on the client and hand that to the user
     end
+    # create the required data to renew/validate
+    # populate the token on the client and hand that to the user
     def handle_token(secret)
       @auth_token = secret.auth
       @ttl = secret.lease_duration
@@ -89,7 +80,6 @@ class LambdaVaultAuth
   # to help manage the lifecycle of a vault and access the credentials
   def self.vault
     @vault ||= Vaulter.new
-    @sts ||= Aws::STS::Client.new
     return @vault.client unless @vault.expired?

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lambda_vault_auth
 version: !ruby/object:Gem::Version
-  version: 0.0.0
+  version: 0.0.1
 platform: ruby
 authors:
 - Ryan Taylor