rails_kms_credentials 0.2.2 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 245a63d7865989070e42dc937647f6ad8239258461d5fcaf3668e18045753357
-  data.tar.gz: 5f4276ca36b188e62511210b5f937d7a84fcaf98cb9feb12219896e58080718d
+  metadata.gz: c0273094dabd151a67eb56db4f3211b88264a2cce57ca9ab1877cffc7b4ad691
+  data.tar.gz: 151cdc9835b37d4d6207af37cec2ac926ec31165790e91d1d8ad8a4a93bff334
 SHA512:
-  metadata.gz: add127517fb746cf206330bbe87be6ba45b78a5c5dab11197d264c0647acb4de29fcc7ba72d4cf48042e6ed662bd09d048c500533922b8c76f3c20263d7ae473
-  data.tar.gz: 58b158ccebfa337cf83f14878bbdc87e619f47a67bff0f382a23f62824f6b18aae2d369e82416aa8f50581e5bfe79d5278ed5c4a735fc396dcb66cfd37c936e1
+  metadata.gz: 6957d12ad6e5d28458248dac4ccec8b49a568237d9fcdf954341b486e190d78febdee246ddf7b70371ec7c87d4883afc7edc282a44ed5e301ad7db0c735d9d2e
+  data.tar.gz: 38bebac72a46d229b0b000c559863d901f2b2be1dd3e0d4ce9de1c3ec73b4de39db976aa6bf4284e65a592c393e1ce90e8619ddcebd43ab440ca465e641d252b

data/lib/rails_kms_credentials/store/azure_key_vault/client/aks_workload_identity.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module RailsKmsCredentials
+  module Store
+    module AzureKeyVault
+      module Client
+        class AksWorkloadIdentity < Base
+          ENV_AUTHORITY_HOST = 'AZURE_AUTHORITY_HOST'
+          ENV_CLIENT_ID = 'AZURE_CLIENT_ID'
+          ENV_FEDERATED_TOKEN_FILE = 'AZURE_FEDERATED_TOKEN_FILE'
+          ENV_TENANT_ID = 'AZURE_TENANT_ID'
+
+          
+          attr_reader :authority_host, :client_id, :federated_token_file, :tenant_id
+
+          def initialize(*)
+            super
+            @authority_host = ENV[ENV_AUTHORITY_HOST]
+            raise 'Missing KmsCredentials AzureKeyVault AksWorkloadIdentity authority_host' if authority_host.blank?
+            @client_id = ENV[ENV_CLIENT_ID]
+            raise 'Missing KmsCredentials AzureKeyVault AksWorkloadIdentity client_id' if @client_id.blank?
+            @federated_token_file = ENV[ENV_FEDERATED_TOKEN_FILE]
+            raise 'Missing KmsCredentials AzureKeyVault AksWorkloadIdentity federated_token_file' if @federated_token_file.blank?
+            raise "Missing KmsCredentials AzureKeyVault AksWorkloadIdentity federated_token_file does not exist: `#{@federated_token_file}`" unless File.exist?(@federated_token_file)
+            @tenant_id = ENV[ENV_TENANT_ID]
+            raise 'Missing KmsCredentials AzureKeyVault AksWorkloadIdentity tenant_id' if @tenant_id.blank?
+          end
+
+          def get_secrets_list(url)
+            HTTParty.get(
+              url,
+              headers: {
+                Authorization: "Bearer #{access_token}",
+              },
+            )
+          end
+
+          def get_secret(url)
+            HTTParty.get(
+              url,
+              headers: {
+                Authorization: "Bearer #{access_token}",
+              },
+            )
+          end
+
+          private
+
+            def client_secret
+              @client_secret ||= File.read(@federated_token_file)
+            end
+
+            def access_token
+              return @access_token if instance_variable_defined?(:@access_token)
+              @_access_token_response = HTTParty.post(
+                "#{authority_host}/#{tenant_id}/oauth2/v2.0/token",
+                {
+                  body: {
+                    client_id: client_id,
+                    client_secret: client_secret,
+                    scope: 'https://vault.azure.net/.default',
+                    grant_type: 'client_credentials',
+                  }
+                }
+              )
+              raise 'KmsCredentials AzureKeyVault AksWorkloadIdentity unable to get access token' unless @_access_token_response.ok?
+              @access_token = @_access_token_response['access_token']
+            end
+
+        end
+
+        add(:aks_workload_identity, AksWorkloadIdentity)
+
+      end
+    end
+  end
+end

data/lib/rails_kms_credentials/store/azure_key_vault/client.rb

@@ -25,5 +25,6 @@ module RailsKmsCredentials
 end
 
 require 'rails_kms_credentials/store/azure_key_vault/client/base'
+require 'rails_kms_credentials/store/azure_key_vault/client/aks_workload_identity'
 require 'rails_kms_credentials/store/azure_key_vault/client/client_credentials'
 require 'rails_kms_credentials/store/azure_key_vault/client/managed_identity'

data/lib/rails_kms_credentials/version.rb

@@ -4,8 +4,8 @@ module RailsKmsCredentials
 
   module Version
     MAJOR = 0
-    MINOR = 2
-    PATCH = 2
+    MINOR = 3
+    PATCH = 0
 
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_kms_credentials
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.3.0
 platform: ruby
 authors:
 - Taylor Yelverton
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-01-18 00:00:00.000000000 Z
+date: 2023-02-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -67,6 +67,7 @@ files:
 - lib/rails_kms_credentials/store.rb
 - lib/rails_kms_credentials/store/azure_key_vault.rb
 - lib/rails_kms_credentials/store/azure_key_vault/client.rb
+- lib/rails_kms_credentials/store/azure_key_vault/client/aks_workload_identity.rb
 - lib/rails_kms_credentials/store/azure_key_vault/client/base.rb
 - lib/rails_kms_credentials/store/azure_key_vault/client/client_credentials.rb
 - lib/rails_kms_credentials/store/azure_key_vault/client/managed_identity.rb