sanctum 0.8.5.rc1 → 0.8.5.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7669c1c9dff3c31915cef379c1d95ce55a58e21a8c785f4b543d7a8b55dff42f
-  data.tar.gz: 9d87df11f2f28a3ae833271c6ea35329f82d4f08767765bc3383ef5ae66fccba
+  metadata.gz: 6dc55aef33e0ba6113e5577b80799818e64a8953d0643d6b029335b84a5edc23
+  data.tar.gz: 52638d7d39ccb21cb830288081d9ca23017e3582e991603ec8f084175f0f3034
 SHA512:
-  metadata.gz: 144efff039e4dead3c2d14c7557aef22cde70972b9d2130ef7f94acc8dd1f7a28349382e51d81ca927d40d8e434d8a2cf1d366c52d0394a6a5246296151deef0
-  data.tar.gz: 216aedadda62921b7941b52aab144a57a3152dce5f23db1e5febe19d001c4af679c46f53c6c91b2d24b966ca27cb0eeb1a858b01fc56d6582755bcda9ae5fbf8
+  metadata.gz: 475976714b4229cd2e9a4dce401ed6aada1decbb2da6e73f55e7de3ba95e8ea17ef0aa0e4b84be9225713d8cacfe2260236b75cc75e21d396bcb6d63403463f5
+  data.tar.gz: 16b9465d78eeceb1580c8203eb8c21096d6a398d3b2c6c023f8c4e68bbfbe698c21be2cc9f52daf81175d35706f2a95b89a07214ccba1f4dde38ed7ef4303e8e

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    sanctum (0.8.5.rc1)
+    sanctum (0.8.5.rc2)
       gli (~> 2.18)
       hashdiff (~> 0.3)
       vault (~> 0.12)

data/README.md

@@ -63,7 +63,7 @@ VAULT_TOKEN=
 ```
 
 **Variables order of precedence**
-The higher the number the higher the precedence.(Command line arguments will always win).
+The higher the number the higher the precedence.(1 is the lowest precedence, 4 is the highest, Command line arguments will always win).
 
 1. Default variables (Documented in sanctum.yaml)
 2. Config file

data/examples/single_target/example_policy.hcl

@@ -0,0 +1,54 @@
+# Helpful documentation can be found
+# https://www.vaultproject.io/guides/identity/policies
+# https://www.vaultproject.io/docs/concepts/policies.html
+# https://learn.hashicorp.com/vault/getting-started/policies
+#
+# You can make permissions more granular or limited by specifying deeper paths
+# Example: `path "sanctum-test/data/dev/*"`, etc.
+#
+################# Read/Write v2 api example #################################################
+path "sanctum-test/data/*" { capabilities = ["list","read","create","update","delete"] }
+path "sanctum-test/metadata/*" { capabilities = ["list","read","create","update","delete"] }
+path "sanctum-test/destroy/*" { capabilities = ["update"] }
+path "sanctum-test/delete/*" { capabilities = ["update"] }
+path "sanctum-test/undelete/*" { capabilities = ["update"] }
+#############################################################################################
+
+################# Read/Write v1/generic example ###################################
+path "sanctum-test/*" { capabilities = ["list","read","create","update","delete"] }
+###################################################################################
+
+################## Additional sys/ and sys/mount permissions ############################################
+# Grant access to tune existing mount
+# Required to upgrade from v1/generic to v2
+path "sys/mounts/sanctum-test/tune" { capabilities = ["read", "update"] }
+# Grant broader permission to specific mount
+path "sys/mounts/sanctum-test" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
+# Read health checks
+path "sys/health" { capabilities = ["read", "sudo"] }
+# View capabilities of token
+path "sys/capabilities" { capabilities = ["create", "update"] }
+# View capabilities of token
+path "sys/capabilities-self" { capabilities = ["create", "update"] }
+# View mount info for mounts that you have permissions on
+path "sys/internal/ui/mounts" { capabilities = ["read"] }
+#########################################################################################################
+
+################### Transit permissions###########################################################
+# General permission on key
+path "transit/keys/sanctum-test" { capabilities = ["list","read","create","update", "delete"] }
+# Permission to rotate keys
+path "transit/keys/sanctum-test/rotate" { capabilities = ["list","read","create","update"] }
+# Permission to modify transit key config
+path "transit/keys/sanctum-test/config" { capabilities = ["list","read","create","update"] }
+# Permission to backup key
+#path "transit/backup/sanctum-test" { capabilities = ["list","read"] }
+# Permission to restore key
+#path "transit/restore/sanctum-test" { capabilities = ["list","read","create","update"] }
+# Transit encryption endpoint
+path "transit/encrypt/sanctum-test" { capabilities = ["list","read","create","update"] }
+# Transit decrypt endpoint
+path "transit/decrypt/sanctum-test" { capabilities = ["list","read","create","update"] }
+# Transit rewrap permissions
+path "transit/rewrap/sanctum-test" { capabilities = ["list","read","create","update"] }
+##################################################################################################

data/examples/single_target/sanctum.yaml

@@ -0,0 +1,14 @@
+# sanctum.yml
+sanctum:
+  force: false
+  color: true
+
+vault:
+  url: http://localhost:8200
+  token: my_cool_token
+  transit_key: transit/keys/sanctum-test
+
+sync:
+  - name: sanctum-test
+    prefix: sanctum-test    #Refers to vault
+    path: vault/sanctum-test #Refers to local path relative to sanctum.yaml

data/lib/sanctum/command/base.rb

@@ -28,21 +28,15 @@ module Sanctum
 
       private
       # TODO: Fix! This is a bit hacky, will update once vault-ruby gets updated with better support for v2 api
-
-
       # Internal: gets information about mounts that the user has permissions on
       # Returns: hash
       def mounts_info
         @mounts_info ||= vault_client.request(:get, "/v1/sys/internal/ui/mounts")
-      rescue Vault::HTTPClientError
-        warn red(
-          "Unable to gather info about mounts this maybe due to vault connectivity or permissions"\
-          "\nTo list info about mounts you have permissions to have following permissions added"\
-          "\npath \"sys/internal/ui/mounts\" { capabilities = [\"read\"] }"\
-        )
+      rescue Vault::VaultError
+        unable_to_determine_version
+        raise
       end
 
-
       # Internal: automatically detect the api version of the secrets mount
       # and adds :secrets_version to hash if it doesn't exist
       #
@@ -55,18 +49,13 @@ module Sanctum
           next if h.key?(:secrets_version)
 
           # If mount options is nil default to api version 1 otherwise use version value
+          # generic mounts will not have a version specified
           if mounts_hash.dig(:data, :secret, "#{h[:prefix]}/".to_sym, :options).nil?
             h[:secrets_version] = "1"
           else
             h[:secrets_version] = mounts_hash.dig(:data, :secret, "#{h[:prefix]}/".to_sym, :options, :version)
           end
         end
-      rescue Vault::VaultError
-        warn red(
-          "Unable to automatically determine secrets_version. This maybe due to vault connectivity or permissions"\
-          "\nTry again, or you could explicitly add `secrets_version:` to your sanctum.yaml to bypass auto detect"
-        )
-        raise
       end
 
       # Internal, add /data to prefix or path if secrets_version == "2"
@@ -80,6 +69,15 @@ module Sanctum
           h[:path] = h[:path].include?("/data") ? h[:path] : "#{h[:path]}/data"
         end
       end
+
+      def unable_to_determine_version
+        warn red(
+          "Unable to automatically gather info about mounts. This maybe due to vault connectivity or permissions"\
+          "\nTo list info about mounts you may need to have following permissions added"\
+          "\npath \"sys/internal/ui/mounts\" { capabilities = [\"read\"] }"\
+          "\nAlternitivley add `secrets_version: <version>` for each target specified in sanctum.yaml to bypass autodetect"
+        )
+      end
     end
   end
 end

data/lib/sanctum/command/create.rb

@@ -51,9 +51,21 @@ module Sanctum
         end
       end
 
+      # Check if the path you are creating matches a target path
+      # if secrets_version == 2 /data will be added to the path
+      # See command/base.rb
+      def path_matches_a_target?(path)
+        targets.each do |h|
+          path.to_s.include?(h[:path]) ? (return true) : (return false)
+        end
+      end
+
       def validate_path(path)
         path = Pathname.new(path)
+        keys_to_print = targets.map { |h| h.slice(:name, :path) }
         raise yellow("File exists, use edit command") if path.exist?
+        raise yellow("No targets contain a :path key that matches the path you specified\n#{keys_to_print}") unless path_matches_a_target?(path)
+
         path.dirname.mkpath unless path.dirname.exist?
       end
 

data/lib/sanctum/command/update.rb

@@ -4,17 +4,17 @@ module Sanctum
   module Command
     class Update < Base
       def run
-        targets.each do |target|
-          # Use command line if force: true
-          if options[:cli][:force]
-            force = options[:cli][:force]
-          else
-            force = target.fetch(:force) {options[:sanctum][:force]}
-          end
-
-          update_mount(target, force)
+        raise red("Please only specify one target") if targets.count > 1
+        target = targets.first
 
+        # Use command line if force: true
+        if options[:cli][:force]
+          force = options[:cli][:force]
+        else
+          force = target.fetch(:force) {options[:sanctum][:force]}
         end
+
+        update_mount(target, force)
       end
 
       private
@@ -24,30 +24,34 @@ module Sanctum
         pre_upgrade_warning
 
         if force
-          warn yellow("\nUpgrading #{target[:prefix]}")
-          upgrade_response = vault_client.request(:post, "/v1/sys/mounts/#{target[:prefix]}/tune", data)
-          upgrade_response.nil? ? nothing_happened_warning : (warn yellow("#{upgrade_response}"))
+          # When force option is used we will try to run the upgrade command mount, even if it's already been upgraded
+          # Request will be a no-op and return null. So we need to remove `data` from the prefix if it's been added.
+          force_prefix = target[:prefix].include?("/data") ? target[:prefix].sub(/\/data/, "") : target[:prefix]
+          warn yellow("\nUpgrading #{force_prefix}")
+          upgrade_response = vault_client.request(:post, "/v1/sys/mounts/#{force_prefix}/tune", data)
         else
           already_upgraded_warning if target[:secrets_version] == "2"
-          warn yellow("#{vault_client.request(:post, "/v1/sys/mounts/#{target[:prefix]}/tune", data)}") if confirm_upgrade?(target)
+          upgrade_response = confirm_upgrade?(target) ? vault_client.request(:post, "/v1/sys/mounts/#{target[:prefix]}/tune", data) : nil
         end
-        post_upgrade_warning(target)
+        upgrade_response.nil? ? nothing_happened_warning : (warn yellow("#{upgrade_response}\n#{post_upgrade_warning}"))
+
+        post_upgrade_tasks(target)
       end
 
       def pre_upgrade_warning
         warn yellow(
           "\nPlease read 'Upgrading from Version 1' documentation BEFORE you upgrade"\
-          "\nThe addition of `/data`, and `/metadata` endpoints will break applications that are depending on v1 endpoints"\
+          "\nThe addition of `/data`, and `/metadata` endpoints will break applications that are dependant on v1 endpoints"\
           "\nYou will want to update permissions policies, and applications BEFORE you upgrade"\
           "\nhttps://www.vaultproject.io/docs/secrets/kv/kv-v2.html#upgrading-from-version-1"\
         )
         additional_acl_warning
       end
 
-      def post_upgrade_warning(target)
+      def post_upgrade_warning
         warn yellow(
-          "\nOnce the upgrade has been completed, make sure you update your sanctum.yaml."\
-          "\nPlease add the `secrets_version: 2` key to the #{target[:prefix]} config."
+          "\nOnce the upgrade has been completed update sanctum.yaml."\
+          "\nPlease add or update `secrets_version:` key to each configured target."\
         )
       end
 
@@ -55,12 +59,7 @@ module Sanctum
         warn yellow(
           "\nIf you use policies to limit secrets access you may need to have your permissions updated"\
           "\nSee https://www.vaultproject.io/docs/secrets/kv/kv-v2.html#acl-rules for more info"\
-          "\nSpecifically you may need add something similar to the following:"\
-          "\npath \"<secrets_mount>/data/*\" { capabilities = [\"list\",\"read\",\"create\",\"update\",\"delete\"] }"\
-          "\npath \"<secrets_mount>/metadata/*\" { capabilities = [\"list\",\"read\",\"create\",\"update\",\"delete\"] }"\
-          "\npath \"<secrets_mount>/destroy/*\" { capabilities = [\"update\"] }"\
-          "\npath \"<secrets_mount>/delete/*\" { capabilities = [\"update\"] }"\
-          "\npath \"<secrets_mount>/undelete/*\" { capabilities = [\"update\"] }"
+          "\nSee examples/single_target for updated policy example."\
         )
       end
 
@@ -74,12 +73,13 @@ module Sanctum
 
       def nothing_happened_warning
         warn yellow(
-          "Request was successfull but returned a nil response, this generally means the mount has is already upgraded!"
+          "Request returned a nil response, which could mean mount is already upgraded"
         )
       end
 
       def confirm_upgrade?(target)
         warn yellow("\nUpgrading will make the mount temporarily unavailable")
+        warn red("\nPlease ensure you are fully synced(all secrets have been pushed/pulled)")
         warn yellow("Would you like to continue?: ")
         question = STDIN.gets.chomp.upcase
 
@@ -87,10 +87,34 @@ module Sanctum
           warn yellow("\nUpgrading #{target[:prefix]}")
           true
         else
-          warn yellow("\nSkipping....\n")
+          raise yellow("\nSkipping....\n")
           false
         end
       end
+
+      # Post upgrade tasks if mount is being upgraded from generic mount or v1 mount to v2 mount
+      # Ensure local files mimic vault v2 by add `/data` to local path
+      def post_upgrade_tasks(target)
+        config_path = Pathname.new(config_file).dirname.to_s
+        full_target_path = "#{config_path}/#{target[:path]}"
+
+        old_path = full_target_path.include?("/data") ? full_target_path.sub(/\/data/, "") : full_target_path
+        new_path = full_target_path.include?("/data") ? full_target_path : "#{full_target_path}/data"
+
+        # If old path does not exist, chances are sanctum upgrade is being run before sanctum pull/push.
+        return unless File.directory?(old_path)
+
+        files_to_move = Dir.chdir(old_path) { Dir.glob('*') }.delete_if {|i| i == "data"}
+        unless files_to_move.empty?
+          FileUtils.mkdir_p(new_path) unless File.directory?(new_path)
+          files_to_move.each do |f|
+            FileUtils.mv("#{old_path}/#{f}", new_path, secure: true)
+          end
+        end
+      rescue
+        warn red("Post upgrade tasks failed")
+        raise
+      end
     end
   end
 end

data/lib/sanctum/vault_secrets.rb

@@ -12,7 +12,10 @@ module Sanctum
     # API version 2 uses /metadata path to list, but /data to read.
     #TODO Fix, change list_prefix back to prefix at some point. Use new kv from vault-ruby once it's updated
     def get_all
-      raise yellow("Warning: Vault prefix: '#{prefix}' does not exist.. ") if invalid_prefix?
+      raise yellow(
+        "Vault prefix: '#{prefix}' does not exist, or doesn't contain any secrets to pull/check"\
+        "\nEnsure mount is enabled and use `sanctum create`, and `sanctum push` to add secrets"
+      ) if invalid_prefix?
 
       secrets_from_vault = Hash.new
       secrets_from_vault[prefix] = JSON(list_recursive(list_prefix).to_json)

data/lib/sanctum/version.rb

@@ -1,3 +1,3 @@
 module Sanctum
-  VERSION = "0.8.5.rc1"
+  VERSION = "0.8.5.rc2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sanctum
 version: !ruby/object:Gem::Version
-  version: 0.8.5.rc1
+  version: 0.8.5.rc2
 platform: ruby
 authors:
 - Corban Raun
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-02-14 00:00:00.000000000 Z
+date: 2019-02-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: vault
@@ -160,6 +160,8 @@ files:
 - docker-compose.override.yml_sample
 - docker-compose.test.yml
 - docker-compose.yml
+- examples/single_target/example_policy.hcl
+- examples/single_target/sanctum.yaml
 - lib/sanctum.rb
 - lib/sanctum/cli.rb
 - lib/sanctum/colorize_string.rb