sanctum 0.8.2 → 0.8.5.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9da5af097cce5114f4cc439f6ae8ef176aa454365d50a739a3ddccfea18f164f
-  data.tar.gz: f04ce42579a296395fbcd53618f3e4deb779aed2bdc25d11526e9e67bd75ebe7
+  metadata.gz: 7669c1c9dff3c31915cef379c1d95ce55a58e21a8c785f4b543d7a8b55dff42f
+  data.tar.gz: 9d87df11f2f28a3ae833271c6ea35329f82d4f08767765bc3383ef5ae66fccba
 SHA512:
-  metadata.gz: f8436b62b4667e5924a679c9aa6796f5dda9b49a5bbde35e018f6ac7ce58dcc249f2f0224ef755fad9c869ab6ff9ad9876a7fcd2bc51714c606a9998453112c9
-  data.tar.gz: cf830c2961a5e0c0624f2df49044f9f333644e1e45e376e9b4b229b950d5c75700d08cc3cfac3c1df88ecf9e3e4ace8db60c4c27c364ed40c1e746c6fdfbecf4
+  metadata.gz: 144efff039e4dead3c2d14c7557aef22cde70972b9d2130ef7f94acc8dd1f7a28349382e51d81ca927d40d8e434d8a2cf1d366c52d0394a6a5246296151deef0
+  data.tar.gz: 216aedadda62921b7941b52aab144a57a3152dce5f23db1e5febe19d001c4af679c46f53c6c91b2d24b966ca27cb0eeb1a858b01fc56d6582755bcda9ae5fbf8

data/.gitignore

@@ -1,11 +1,11 @@
+.rspec_status
 /.bundle/
 /.yardoc
 /_yardoc/
+/cache/
 /coverage/
 /doc/
 /pkg/
 /spec/reports/
 /tmp/
-
-# rspec failure tracking
-.rspec_status
+docker-compose.override.yml

data/.gitlab-ci.yml

@@ -0,0 +1,22 @@
+---
+image:
+  name: docker/compose:1.23.2
+  entrypoint: ["/bin/sh", "-c"]
+
+variables:
+  COMPOSE_FILE: 'docker-compose.test.yml'
+
+stages:
+  - test
+
+before_script:
+  - docker version
+  - docker info
+  - docker-compose version
+
+testing:
+  stage: test
+  script:
+    - docker-compose build
+    - docker-compose run -T --rm sanctum ls -lart -hu
+    - docker-compose run -T --rm sanctum bundle exec rspec

data/.rubocop.yml

@@ -0,0 +1,39 @@
+---
+require: rubocop-rspec
+
+Rails:
+  Enabled: false
+
+AllCops:
+  DefaultFormatter: progress
+  DisplayCopNames: true
+  Exclude: []
+  CacheRootDirectory: cache/
+
+Bundler/OrderedGems:
+  Enabled: false
+
+RSpec/ExampleLength:
+  Max: 25
+
+Style/FormatString:
+  Enabled: false
+
+Style/FormatStringToken:
+  Enabled: false
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+  ConsistentQuotesInMultiline: true
+
+Style/TrailingCommaInHashLiteral:
+  EnforcedStyleForMultiline: consistent_comma
+
+Style/TrailingCommaInArrayLiteral:
+  EnforcedStyleForMultiline: consistent_comma
+
+Style/TrailingUnderscoreVariable:
+  Enabled: false
+
+Metrics/MethodLength:
+  Max: 25

data/Dockerfile

@@ -0,0 +1,31 @@
+FROM ruby:2.5-alpine
+
+USER root
+
+ENV VERSION 1.0.2
+ADD https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_linux_amd64.zip /tmp/
+ADD https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_SHA256SUMS /tmp/
+ADD https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_SHA256SUMS.sig /tmp/
+
+# Install additional dependencies
+# As well as nice to haves locally
+RUN apk --no-cache add git vim busybox-extras curl gnupg build-base \
+  && until gpg --keyserver hkp://p80.pool.sks-keyservers.net --recv-key 0x348FFC4C; do echo "Retry"; sleep 30; done \
+  && gpg --verify /tmp/vault_${VERSION}_SHA256SUMS.sig \
+  && cat /tmp/vault_${VERSION}_SHA256SUMS | grep linux_amd64 | sha256sum /tmp/vault_${VERSION}_linux_amd64.zip \
+  && unzip /tmp/vault_${VERSION}_linux_amd64.zip \
+  && mv vault /usr/local/bin/ \
+  && rm -rf /tmp/*
+
+# Setup up app directory
+ENV APP_HOME /usr/src/app/
+WORKDIR $APP_HOME
+
+# Add app code
+COPY . $APP_HOME
+
+# Install gems
+RUN bundle install --jobs=8
+
+# Install sanctum gem
+RUN bundle exec rake install

data/Gemfile.lock

@@ -1,49 +1,70 @@
 PATH
   remote: .
   specs:
-    sanctum (0.8.2)
-      gli (~> 2)
-      hashdiff (~> 0)
-      vault (~> 0)
+    sanctum (0.8.5.rc1)
+      gli (~> 2.18)
+      hashdiff (~> 0.3)
+      vault (~> 0.12)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    aws-sigv4 (1.0.2)
+    ast (2.4.0)
+    aws-sigv4 (1.0.3)
     coderay (1.1.2)
     diff-lcs (1.3)
-    gli (2.17.1)
-    hashdiff (0.3.7)
-    method_source (0.9.0)
-    pry (0.11.3)
+    gli (2.18.0)
+    hashdiff (0.3.8)
+    jaro_winkler (1.5.2)
+    method_source (0.9.2)
+    parallel (1.13.0)
+    parser (2.6.0.0)
+      ast (~> 2.4.0)
+    powerpack (0.1.2)
+    pry (0.12.2)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
-    rake (10.5.0)
-    rspec (3.7.0)
-      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.7.0)
-    rspec-core (3.7.1)
-      rspec-support (~> 3.7.0)
-    rspec-expectations (3.7.0)
+    rainbow (3.0.0)
+    rake (12.3.2)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-mocks (3.7.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-support (3.7.1)
-    vault (0.11.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.0)
+    rubocop (0.63.1)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.5, != 2.5.1.1)
+      powerpack (~> 0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.4.0)
+    rubocop-rspec (1.32.0)
+      rubocop (>= 0.60.0)
+    ruby-progressbar (1.10.0)
+    unicode-display_width (1.4.1)
+    vault (0.12.0)
       aws-sigv4
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  bundler (~> 1.16)
-  pry (~> 0)
-  rake (~> 10.0)
+  bundler (~> 1.0)
+  pry (~> 0.12.0)
+  rake (~> 12.0)
   rspec (~> 3.0)
+  rubocop (~> 0.63.0)
+  rubocop-rspec (~> 1.32.0)
   sanctum!
 
 BUNDLED WITH
-   1.16.2
+   1.17.2

data/README.md

@@ -42,6 +42,7 @@ sanctum config - Generate an example config file.
 sanctum create - Create an encrypted local file.
 sanctum edit   - Edit an encrypted local file.
 sanctum view   - View an encrypted local file.
+sanctum update - Update secrets backend to v2 api.
 ```
 
 
@@ -80,9 +81,14 @@ The configuration file is a Hash represented in YAML format with three possible
   * At lease one application/target definition is required.
 
 ## Roadmap
-* Better/more Tests
+* <strike>Add vault v2 api support</strike>
+* <strike>Add upgrade option for v2 api</strike>
+* If transit key doesn't exist try to create it(automatically)
+* If secrets mount doesn't exist try to create it(automatically)
+* <strike>Better/more Tests</strike>
 * Built in Backup features
 * Performance optimizations
+* Reorganize/cleanup code(add adapters, etc)
 
 ## Backup scenario.
 One possible use case for sanctum is for backing up vault secrets. This feature is NOT built in yet.
@@ -111,10 +117,11 @@ This would allow you to be able to quickly decrypt local secrets in a disaster r
 3. Restore the key to your locally running vault instance.
 
 ## Development
-Ensure you have the [vault](https://www.vaultproject.io/downloads.html) binary in your path. Tests need this in order to setup a dev vault server(`vault server -dev`)
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+Install [docker](https://docs.docker.com/install/) and [docker-compose](https://docs.docker.com/compose/install/)
+After checking out the repo, run `docker-compose build`. To run tests run `docker-compose run --rm sanctum bundle exec rspec`.
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+To release a new version, `cp docker-compose.override.yml_sample docker-compose.override.yml` and add gem credentials. Update the version number in `version.rb`.
+then run `docker-compose run --rm sanctum bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
 ## Contributing
 

data/docker-compose.override.yml_sample

@@ -0,0 +1,11 @@
+---
+version: '3.4'
+
+services:
+  sanctum:
+    environment:
+      GEM_HOST_API_KEY:
+      GIT_AUTHOR_NAME:
+      GIT_AUTHOR_EMAIL:
+      GIT_COMMITTER_NAME:
+      GIT_COMMITTER_EMAIL:

data/docker-compose.test.yml

@@ -0,0 +1,17 @@
+---
+version: '3.4'
+
+services:
+  sanctum:
+    build:
+      context: "."
+    command: /bin/true
+    depends_on:
+      - vault
+  vault:
+    image: vault:1.0.2
+    environment:
+      SKIP_SETCAP: "true"
+      VAULT_DEV_ROOT_TOKEN_ID: "514c55f0-c452-99e3-55e0-8301b770b92c"
+      VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
+    command: ["vault", "server", "-dev"]

data/docker-compose.yml

@@ -0,0 +1,19 @@
+---
+version: '3.4'
+
+services:
+  sanctum:
+    build:
+      context: "."
+    command: /bin/true
+    depends_on:
+      - vault
+    volumes:
+      - ".:/usr/src/app"
+  vault:
+    image: vault:1.0.2
+    environment:
+      SKIP_SETCAP: "true"
+      VAULT_DEV_ROOT_TOKEN_ID: "514c55f0-c452-99e3-55e0-8301b770b92c"
+      VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
+    command: ["vault", "server", "-dev"]

data/lib/sanctum/cli.rb

@@ -95,6 +95,15 @@ module Sanctum
       end
     end
 
+    desc 'Update secrets mount'
+    command :update do |c|
+      common_options c, :config, :force
+      c.flag [:targets, :t], desc: 'Comma seperated list of targets', required: true
+      c.action do
+        Command::Update.new(@options_hash).run
+      end
+    end
+
     pre do |_,_,options,_|
       @options_hash = GetConfig::ConfigMerge.new(config_file: options[:c], targets: options[:t], force: options[:force]).final_options
       Colorizer.colorize = @options_hash[:sanctum][:color]

data/lib/sanctum/command.rb

@@ -13,4 +13,5 @@ require 'sanctum/command/create'
 require 'sanctum/command/edit'
 require 'sanctum/command/pull'
 require 'sanctum/command/push'
+require 'sanctum/command/update'
 require 'sanctum/command/view'

data/lib/sanctum/command/base.rb

@@ -17,7 +17,8 @@ module Sanctum
         @args = args
 
         @transit_key = options.fetch(:vault).fetch(:transit_key)
-        @targets = options.fetch(:sync)
+        # TODO: Fix, to much is happening to targets in this initializer!
+        @targets = update_prefix_or_path(set_secrets_version(options.fetch(:sync)))
         @config_file = options.fetch(:config_file)
       end
 
@@ -25,6 +26,60 @@ module Sanctum
         @vault_client ||= VaultClient.build(options[:vault][:url], options[:vault][:token])
       end
 
+      private
+      # TODO: Fix! This is a bit hacky, will update once vault-ruby gets updated with better support for v2 api
+
+
+      # Internal: gets information about mounts that the user has permissions on
+      # Returns: hash
+      def mounts_info
+        @mounts_info ||= vault_client.request(:get, "/v1/sys/internal/ui/mounts")
+      rescue Vault::HTTPClientError
+        warn red(
+          "Unable to gather info about mounts this maybe due to vault connectivity or permissions"\
+          "\nTo list info about mounts you have permissions to have following permissions added"\
+          "\npath \"sys/internal/ui/mounts\" { capabilities = [\"read\"] }"\
+        )
+      end
+
+
+      # Internal: automatically detect the api version of the secrets mount
+      # and adds :secrets_version to hash if it doesn't exist
+      #
+      # Parameter: is an array of hashes: [{}, {}]
+      # Returns array of hashes: [{:name=>"vault-test", :prefix=>"vault-test", :path=>"vault/vault-test", :secrets_version=>"2"},{}]
+      def set_secrets_version(targets)
+        mounts_hash = mounts_info
+
+        targets.each do |h|
+          next if h.key?(:secrets_version)
+
+          # If mount options is nil default to api version 1 otherwise use version value
+          if mounts_hash.dig(:data, :secret, "#{h[:prefix]}/".to_sym, :options).nil?
+            h[:secrets_version] = "1"
+          else
+            h[:secrets_version] = mounts_hash.dig(:data, :secret, "#{h[:prefix]}/".to_sym, :options, :version)
+          end
+        end
+      rescue Vault::VaultError
+        warn red(
+          "Unable to automatically determine secrets_version. This maybe due to vault connectivity or permissions"\
+          "\nTry again, or you could explicitly add `secrets_version:` to your sanctum.yaml to bypass auto detect"
+        )
+        raise
+      end
+
+      # Internal, add /data to prefix or path if secrets_version == "2"
+      # Parameter is an array of hashes: [{}, {}]
+      # Returns array of hashes: [{:name=>"vault-test", :prefix=>"vault-test/data", :path=>"vault/vault-test/data", :secrets_version=>"2"},{}]
+      def update_prefix_or_path(targets)
+        targets.each do |h|
+          next unless h[:secrets_version] == "2"
+
+          h[:prefix] = h[:prefix].include?("/data") ? h[:prefix] : "#{h[:prefix]}/data"
+          h[:path] = h[:path].include?("/data") ? h[:path] : "#{h[:path]}/data"
+        end
+      end
     end
   end
 end

data/lib/sanctum/command/check.rb

@@ -12,7 +12,7 @@ module Sanctum
           local_secrets = VaultTransit.decrypt(vault_client, local_secrets, transit_key)
 
           # Recursively get vault secrets for each prefix specified in sanctum.yaml
-          secrets_list = VaultSecrets.new(vault_client, target[:prefix]).get
+          secrets_list = VaultSecrets.new(vault_client, target[:prefix], target[:secrets_version]).get_all
 
           # Only one entry in this hash (which will be the target).
           tree = secrets_list.values.first

data/lib/sanctum/command/pull.rb

@@ -14,7 +14,7 @@ module Sanctum
           end
 
           # Recursively get vault secrets for each prefix specified in sanctum.yaml
-          secrets_list = VaultSecrets.new(vault_client, target[:prefix]).get
+          secrets_list = VaultSecrets.new(vault_client, target[:prefix], target[:secrets_version]).get_all
           secrets_list.each do |k,v|
 
             vault_secrets = build_vault_secrets(v, [target[:path]])

data/lib/sanctum/command/push.rb

@@ -14,14 +14,14 @@ module Sanctum
             force = target.fetch(:force) {options[:sanctum][:force]}
           end
 
-          # Build array of local paths by recursively searching for local files for each prefix specified in sanctum.yaml
+          # Build array of local paths by recursively searching for local files for each path specified in sanctum.yaml
           local_paths = get_local_paths(File.join(File.dirname(config_file), target[:path]))
 
           local_secrets = build_local_secrets(local_paths)
-          vault_secrets = build_vault_secrets(local_paths, target[:prefix], target[:path])
+          vault_secrets = build_vault_secrets(local_paths, target[:prefix], target[:path], target[:secrets_version])
 
           # Compare secrets
-          # vault_secrets paths have been mapped to local_paths to make comparison easier
+          # vault_secrets prefix have been mapped to local_paths to make comparison easier
           differences = compare_secrets(vault_secrets, local_secrets, target[:name], "push")
           next if differences.nil?
 
@@ -36,21 +36,24 @@ module Sanctum
 
           if force
             warn red("#{target[:name]}: Forcefully writing differences to vault(push)")
-            VaultTransit.write_to_vault(vault_client, vault_secrets)
+            VaultTransit.write_to_vault(vault_client, vault_secrets, target[:secrets_version])
           else
             #Confirm with user, and write to local file if approved
             next unless confirmed_with_user?
-            VaultTransit.write_to_vault(vault_client, vault_secrets)
+            VaultTransit.write_to_vault(vault_client, vault_secrets, target[:secrets_version])
           end
         end
       end
 
-      def read_remote(paths, prefix)
+      # Right now this duplicates a bit of logic that already exists in
+      # VaultSecrets client.
+      # TODO: remove this method once code is rearranged
+      def read_remote(paths, prefix, secrets_version)
         tmp_hash = Hash.new
         paths.each do |k,v|
           p = File.join(prefix, k)
           unless vault_client.logical.read(p).nil?
-            v = vault_client.logical.read(p).data
+            v = secrets_version == "2" ? vault_client.logical.read(p).data[:data] : vault_client.logical.read(p).data
             tmp_hash["#{k}"] = v
           else
             next
@@ -77,7 +80,7 @@ module Sanctum
         local_secrets = VaultTransit.decrypt(vault_client, local_secrets, transit_key)
       end
 
-      def build_vault_secrets(local_paths, target_prefix, target_path)
+      def build_vault_secrets(local_paths, target_prefix, target_path, secrets_version)
         # Map local_paths into vault_paths
         vault_paths = local_paths.map{|x| x.gsub(File.join(File.dirname(config_file), target_path), "")}
 
@@ -86,9 +89,9 @@ module Sanctum
         # We will not for example, see differences if a secret exists in vault but not locally.
 
         # Read secrets from vault
-        vault_secrets = read_remote(vault_paths, target_prefix)
+        vault_secrets = read_remote(vault_paths, target_prefix, secrets_version)
 
-        # To make comparing a bit easier map vault_secrets paths back local_paths
+        # To make comparing a bit easier map vault_secrets prefixs back local_paths
         # Convert to json, then read, to make keys strings vs symbols
         vault_secrets = JSON(map_local_path(vault_secrets, target_path).to_json)
       end

data/lib/sanctum/command/sanctum.example.yaml

@@ -18,15 +18,18 @@ vault:
 
 sync:
   # sync is an array of hashes of sync target configurations
-  # at least one app definition is REQUIRED Fields:
+  # at least one app definition is REQUIRED
+  # Fields:
   #     name - (required) Friendly name of the sync target.
   #     prefix - (required) The vault prefix(secret mount) to synchronize to.
-  #     path - (required) The relative filesystem path to the directory
-  #       containing the files with content to synchronize to Vault.
-  #       This path is calculated relative to the directory containing
-  #       the configuration file.
+  #     path - (required) The relative filesystem path that gets synchronized
+  #       with Vault. This path is calculated relative to the directory containing
+  #       the sanctum configuration file.
   #     force - Whether or not to force push, pull actions (no user input)
   #       This inherits the setting from the `sanctum` section.
+  #     secrets_version - The k/v secrets version `1`, or `2`. Sanctum will try to detect this automatically
+  #       if not valued. This does not apply to `generic` secrets backend.
+  #       see https://www.vaultproject.io/docs/secrets/kv/index.html
   #- name: app-foo
     #prefix: secrets/app-foo
     #path: vault/app-foo

data/lib/sanctum/command/update.rb

@@ -0,0 +1,96 @@
+require "pathname"
+
+module Sanctum
+  module Command
+    class Update < Base
+      def run
+        targets.each do |target|
+          # Use command line if force: true
+          if options[:cli][:force]
+            force = options[:cli][:force]
+          else
+            force = target.fetch(:force) {options[:sanctum][:force]}
+          end
+
+          update_mount(target, force)
+
+        end
+      end
+
+      private
+
+      def update_mount(target, force)
+        data = { options: { version: "2" }, listing_visability: "unauth" }.to_json
+        pre_upgrade_warning
+
+        if force
+          warn yellow("\nUpgrading #{target[:prefix]}")
+          upgrade_response = vault_client.request(:post, "/v1/sys/mounts/#{target[:prefix]}/tune", data)
+          upgrade_response.nil? ? nothing_happened_warning : (warn yellow("#{upgrade_response}"))
+        else
+          already_upgraded_warning if target[:secrets_version] == "2"
+          warn yellow("#{vault_client.request(:post, "/v1/sys/mounts/#{target[:prefix]}/tune", data)}") if confirm_upgrade?(target)
+        end
+        post_upgrade_warning(target)
+      end
+
+      def pre_upgrade_warning
+        warn yellow(
+          "\nPlease read 'Upgrading from Version 1' documentation BEFORE you upgrade"\
+          "\nThe addition of `/data`, and `/metadata` endpoints will break applications that are depending on v1 endpoints"\
+          "\nYou will want to update permissions policies, and applications BEFORE you upgrade"\
+          "\nhttps://www.vaultproject.io/docs/secrets/kv/kv-v2.html#upgrading-from-version-1"\
+        )
+        additional_acl_warning
+      end
+
+      def post_upgrade_warning(target)
+        warn yellow(
+          "\nOnce the upgrade has been completed, make sure you update your sanctum.yaml."\
+          "\nPlease add the `secrets_version: 2` key to the #{target[:prefix]} config."
+        )
+      end
+
+      def additional_acl_warning
+        warn yellow(
+          "\nIf you use policies to limit secrets access you may need to have your permissions updated"\
+          "\nSee https://www.vaultproject.io/docs/secrets/kv/kv-v2.html#acl-rules for more info"\
+          "\nSpecifically you may need add something similar to the following:"\
+          "\npath \"<secrets_mount>/data/*\" { capabilities = [\"list\",\"read\",\"create\",\"update\",\"delete\"] }"\
+          "\npath \"<secrets_mount>/metadata/*\" { capabilities = [\"list\",\"read\",\"create\",\"update\",\"delete\"] }"\
+          "\npath \"<secrets_mount>/destroy/*\" { capabilities = [\"update\"] }"\
+          "\npath \"<secrets_mount>/delete/*\" { capabilities = [\"update\"] }"\
+          "\npath \"<secrets_mount>/undelete/*\" { capabilities = [\"update\"] }"
+        )
+      end
+
+      def already_upgraded_warning
+        raise red(
+          "Mount appears to have already been updated. This could be due to `secrets_version: 2` specified"\
+          "\nin sanctum.yaml, or the mount having already been upgraded."\
+          "\nTo try anyway you can pass `--force` on the command line"
+        )
+      end
+
+      def nothing_happened_warning
+        warn yellow(
+          "Request was successfull but returned a nil response, this generally means the mount has is already upgraded!"
+        )
+      end
+
+      def confirm_upgrade?(target)
+        warn yellow("\nUpgrading will make the mount temporarily unavailable")
+        warn yellow("Would you like to continue?: ")
+        question = STDIN.gets.chomp.upcase
+
+        if ["Y", "YES"].include? question
+          warn yellow("\nUpgrading #{target[:prefix]}")
+          true
+        else
+          warn yellow("\nSkipping....\n")
+          false
+        end
+      end
+    end
+  end
+end

data/lib/sanctum/get_config/options.rb

@@ -6,15 +6,15 @@ module Sanctum
     class DefaultOptions
       attr_reader :config_file
 
-      def initialize(config_file=nil)
+      def initialize(config_file = nil)
         @config_file = config_file
       end
 
       def run
         {
           config_file: config_file.nil? ? config_file_search : config_file,
-          sanctum: { force: false, color: true },
-          vault: { url: "https://127.0.0.1:8200", token: get_vault_token }
+          sanctum: { color: true, force: false },
+          vault: { token: get_vault_token, url: "https://127.0.0.1:8200" },
         }
       end
 

data/lib/sanctum/vault_secrets.rb

@@ -1,26 +1,39 @@
 module Sanctum
   class VaultSecrets
     include Colorizer
-    attr_reader :vault_client, :prefix
+    attr_reader :vault_client, :prefix, :secrets_version
 
-    def initialize(vault_client, prefix)
+    def initialize(vault_client, prefix, secrets_version="1")
       @vault_client = vault_client
       @prefix = prefix
+      @secrets_version = secrets_version
     end
 
-    def get
-      if invalid_prefix?
-        raise yellow("Warning: Vault prefix: '#{prefix}' does not exist.. ")
-      end
+    # API version 2 uses /metadata path to list, but /data to read.
+    #TODO Fix, change list_prefix back to prefix at some point. Use new kv from vault-ruby once it's updated
+    def get_all
+      raise yellow("Warning: Vault prefix: '#{prefix}' does not exist.. ") if invalid_prefix?
 
       secrets_from_vault = Hash.new
-      secrets_from_vault[prefix] = JSON(list_recursive(prefix).to_json)
+      secrets_from_vault[prefix] = JSON(list_recursive(list_prefix).to_json)
       secrets_from_vault
     end
 
     private
-    def list_recursive(prefix, parent = '')
-      me = File.join(parent, prefix)
+
+    # API version 2 uses /metadata path to list, but /data to read.
+    # TODO remove method and use kv from vault-ruby once available.
+    def list_prefix
+      if secrets_version == "2"
+        prefix.include?("/data") ? prefix.sub(/data/, "metadata") : "#{prefix}/metadata"
+      else
+        prefix
+      end
+    end
+
+    # TODO Fix, change list_prefix back to prefix at some point. Use new kv from vault-ruby once it's updated
+    def list_recursive(list_prefix, parent = '')
+      me = File.join(parent, list_prefix)
       result = vault_client.logical.list(me).inject({}) do |hash, item|
         case item
         when /.*\/$/
@@ -33,14 +46,25 @@ module Sanctum
       result
     end
 
+    # Used by list_recursive method only
+    # API version 2 uses /metadata path to list, but /data to read.
+    # TODO Update to use kv from vault-ruby once available.
     def read_data(item, parent = '')
       me = File.join(parent, item)
-      vault_client.logical.read(me).data
+
+      # me will contain /metadata if secrets_version 2 due to list_prefix method
+      if secrets_version == "2"
+        me = me.sub(/metadata/, "data")
+        vault_client.logical.read(me).data[:data]
+      else
+        vault_client.logical.read(me).data
+      end
     end
 
+    # API version 2 uses /metadata path to list, but /data to read.
+    # TODO Fix, change list_prefix back to prefix at some point. Use new kv from vault-ruby once it's updated
     def invalid_prefix?
-      vault_client.logical.list(prefix).empty?
+      vault_client.logical.list(list_prefix).empty?
     end
-
   end
 end

data/lib/sanctum/vault_transit.rb

@@ -34,13 +34,14 @@ module Sanctum
     def self.write_to_file(vault_client, secrets, transit_key)
       secrets = encrypt(vault_client, secrets, transit_key)
       secrets.each do |k, v|
+        create_path(k)
         File.write(k, v.data[:ciphertext])
       end
     end
 
-    def self.write_to_vault(vault_client, secrets)
+    def self.write_to_vault(vault_client, secrets, secrets_version="1")
       secrets.each do |k, v|
-        vault_client.logical.write(k, v)
+        secrets_version == "2" ? vault_client.logical.write(k, data: v) : vault_client.logical.write(k, v)
       end
     end
 
@@ -56,5 +57,10 @@ module Sanctum
       !vault_client.logical.read(transit_key.to_path).nil?
     end
 
+    def self.create_path(path)
+      path = Pathname.new(path).parent.to_path
+      FileUtils.mkdir_p(path) unless File.directory?(path)
+    end
+
   end
 end

data/lib/sanctum/version.rb

@@ -1,3 +1,3 @@
 module Sanctum
-  VERSION = "0.8.2"
+  VERSION = "0.8.5.rc1"
 end

data/sanctum.gemspec

@@ -23,12 +23,14 @@ Gem::Specification.new do |spec|
   spec.executables   = "sanctum"
   spec.require_paths = ["lib"]
 
-  spec.add_dependency 'vault', '~> 0'
-  spec.add_dependency 'hashdiff', '~> 0'
-  spec.add_dependency 'gli', '~> 2'
+  spec.add_dependency 'vault', '~> 0.12'
+  spec.add_dependency 'hashdiff', '~> 0.3'
+  spec.add_dependency 'gli', '~> 2.18'
 
-  spec.add_development_dependency 'bundler', '~> 1.16'
-  spec.add_development_dependency 'pry', '~> 0'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'bundler', '~> 1.0'
+  spec.add_development_dependency 'pry', '~> 0.12.0'
+  spec.add_development_dependency 'rake', '~> 12.0'
   spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rubocop', '~> 0.63.0'
+  spec.add_development_dependency 'rubocop-rspec', '~> 1.32.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sanctum
 version: !ruby/object:Gem::Version
-  version: 0.8.2
+  version: 0.8.5.rc1
 platform: ruby
 authors:
 - Corban Raun
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-25 00:00:00.000000000 Z
+date: 2019-02-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: vault
@@ -16,84 +16,84 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.12'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.12'
 - !ruby/object:Gem::Dependency
   name: hashdiff
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.3'
 - !ruby/object:Gem::Dependency
   name: gli
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '2.18'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '2.18'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.12.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.12.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -108,6 +108,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.63.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.63.0
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.32.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.32.0
 description: Syncs encrypted content from the filesystem to the Vault secrets store.
 email:
 - corban@raunco.co
@@ -117,7 +145,10 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".gitlab-ci.yml"
 - ".rspec"
+- ".rubocop.yml"
+- Dockerfile
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -126,6 +157,9 @@ files:
 - bin/console
 - bin/sanctum
 - bin/setup
+- docker-compose.override.yml_sample
+- docker-compose.test.yml
+- docker-compose.yml
 - lib/sanctum.rb
 - lib/sanctum/cli.rb
 - lib/sanctum/colorize_string.rb
@@ -141,6 +175,7 @@ files:
 - lib/sanctum/command/pull.rb
 - lib/sanctum/command/push.rb
 - lib/sanctum/command/sanctum.example.yaml
+- lib/sanctum/command/update.rb
 - lib/sanctum/command/view.rb
 - lib/sanctum/get_config.rb
 - lib/sanctum/get_config/config_file.rb
@@ -169,9 +204,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.7.6