rails_kms_credentials 0.2.2 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 245a63d7865989070e42dc937647f6ad8239258461d5fcaf3668e18045753357
-  data.tar.gz: 5f4276ca36b188e62511210b5f937d7a84fcaf98cb9feb12219896e58080718d
+  metadata.gz: de88f7dce4457c9f658840f71929a0c6aa0673e30788aae0ea2a5bc3f02a36c2
+  data.tar.gz: abea6732234392d3fd6b61d4cb2cc5677021d40243986e2f6a8f090ef213642f
 SHA512:
-  metadata.gz: add127517fb746cf206330bbe87be6ba45b78a5c5dab11197d264c0647acb4de29fcc7ba72d4cf48042e6ed662bd09d048c500533922b8c76f3c20263d7ae473
-  data.tar.gz: 58b158ccebfa337cf83f14878bbdc87e619f47a67bff0f382a23f62824f6b18aae2d369e82416aa8f50581e5bfe79d5278ed5c4a735fc396dcb66cfd37c936e1
+  metadata.gz: d32fd25ff4c82aee6d86d6e46080d88e07127a988b2400ca30146a895a64339e90e3b23ef898ef8bd38c1ceb09b101b9cdeabfa31febe8969403fd1a723fe1ed
+  data.tar.gz: fdc5491be4b98e9e25e4a3066b7c541a10cc7961ee85a98c3c9e4a5d8b53f4206c10d6b712dc59f889e0827d164099ce73e1489254be6fab126d2d10404526b7

data/lib/rails_kms_credentials/store/azure_key_vault/client/aks_workload_identity.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+module RailsKmsCredentials
+  module Store
+    module AzureKeyVault
+      module Client
+        class AksWorkloadIdentity < Base
+          ENV_AUTHORITY_HOST = 'AZURE_AUTHORITY_HOST'
+          ENV_CLIENT_ID = 'AZURE_CLIENT_ID'
+          ENV_FEDERATED_TOKEN_FILE = 'AZURE_FEDERATED_TOKEN_FILE'
+          ENV_TENANT_ID = 'AZURE_TENANT_ID'
+
+          
+          attr_reader :authority_host, :client_id, :federated_token_file, :tenant_id
+
+          def initialize(*)
+            super
+            @authority_host = ENV[ENV_AUTHORITY_HOST]
+            raise 'Missing KmsCredentials AzureKeyVault AksWorkloadIdentity authority_host' if authority_host.blank?
+            @client_id = ENV[ENV_CLIENT_ID]
+            raise 'Missing KmsCredentials AzureKeyVault AksWorkloadIdentity client_id' if @client_id.blank?
+            @federated_token_file = ENV[ENV_FEDERATED_TOKEN_FILE]
+            raise 'Missing KmsCredentials AzureKeyVault AksWorkloadIdentity federated_token_file' if @federated_token_file.blank?
+            raise "Missing KmsCredentials AzureKeyVault AksWorkloadIdentity federated_token_file does not exist: `#{@federated_token_file}`" unless File.exist?(@federated_token_file)
+            @tenant_id = ENV[ENV_TENANT_ID]
+            raise 'Missing KmsCredentials AzureKeyVault AksWorkloadIdentity tenant_id' if @tenant_id.blank?
+          end
+
+          def get_secrets_list(url)
+            HTTParty.get(
+              url,
+              headers: {
+                Authorization: "Bearer #{access_token}",
+              },
+            )
+          end
+
+          def get_secret(url)
+            HTTParty.get(
+              url,
+              headers: {
+                Authorization: "Bearer #{access_token}",
+              },
+            )
+          end
+
+          private
+
+            def client_assertion
+              @client_assertion ||= File.read(@federated_token_file)
+            end
+
+            def access_token
+              return @access_token if instance_variable_defined?(:@access_token)
+              @_access_token_response = HTTParty.post(
+                "#{authority_host}#{tenant_id}/oauth2/v2.0/token",
+                {
+                  body: {
+                    client_assertion: client_assertion,
+                    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+                    client_id: client_id,
+                    scope: 'https://vault.azure.net/.default',
+                    grant_type: 'client_credentials',
+                  }
+                }
+              )
+              raise 'KmsCredentials AzureKeyVault AksWorkloadIdentity unable to get access token' unless @_access_token_response.ok?
+              @access_token = @_access_token_response['access_token']
+            end
+
+        end
+
+        add(:aks_workload_identity, AksWorkloadIdentity)
+
+      end
+    end
+  end
+end

data/lib/rails_kms_credentials/store/azure_key_vault/client.rb

@@ -25,5 +25,6 @@ module RailsKmsCredentials
 end
 
 require 'rails_kms_credentials/store/azure_key_vault/client/base'
+require 'rails_kms_credentials/store/azure_key_vault/client/aks_workload_identity'
 require 'rails_kms_credentials/store/azure_key_vault/client/client_credentials'
 require 'rails_kms_credentials/store/azure_key_vault/client/managed_identity'

data/lib/rails_kms_credentials/version.rb

@@ -4,8 +4,8 @@ module RailsKmsCredentials
 
   module Version
     MAJOR = 0
-    MINOR = 2
-    PATCH = 2
+    MINOR = 3
+    PATCH = 1
 
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_kms_credentials
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.3.1
 platform: ruby
 authors:
 - Taylor Yelverton
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-01-18 00:00:00.000000000 Z
+date: 2023-02-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -67,6 +67,7 @@ files:
 - lib/rails_kms_credentials/store.rb
 - lib/rails_kms_credentials/store/azure_key_vault.rb
 - lib/rails_kms_credentials/store/azure_key_vault/client.rb
+- lib/rails_kms_credentials/store/azure_key_vault/client/aks_workload_identity.rb
 - lib/rails_kms_credentials/store/azure_key_vault/client/base.rb
 - lib/rails_kms_credentials/store/azure_key_vault/client/client_credentials.rb
 - lib/rails_kms_credentials/store/azure_key_vault/client/managed_identity.rb