sanctum 0.8.5.rc4 → 0.8.5.rc5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 25943604a0d0c1ecf990e5dd50957ead16063674131ac14b97c0f1dfa70526ec
-  data.tar.gz: a6282afcb3e99108abb97623e3304adcad0025d78193c7680c441f8be905a16c
+  metadata.gz: dff385a40c33fc32dc3c5b57c28c1c8493cf9e01dc6e79cfbfee08269a3bd072
+  data.tar.gz: ebdd7ba3f3a1020357301d281e4dc474195d8b765a25885f96e10e7a7e6b3573
 SHA512:
-  metadata.gz: 6bf7b7f0d5cee948e82611da96eafedf13592b55cfd53af0bf9e314ac698825cd5ca4a9ed4e855e034a3aa751a893f8bbc1ef4b836d2a519bf5a5919d75113d5
-  data.tar.gz: e76954478cfbc3eac2e6e4ea880077bcc7e22193f1f2f6945fafc172ea9f7e8a9be2ca7c7ab5be75ed7b6abbf49ca5209cc8be67f93983eaaa78162332c8e1c9
+  metadata.gz: 23d19761e85666eb94b7c7e25a7957be59ba422f2967a930000b1171ae1280e0417b3ad767fc35e0c5c1a19cb61962c752c06d3ae381a1b54c2ef6e8c4cf9949
+  data.tar.gz: 8563efa095ac2a186572adcd14f999db22070e91803cc6ad89d67c29c009e4f8c6c005675b9f796744dbb76633381ad5df05cc8050366aa32e5e503aa860acb2

data/Dockerfile

@@ -2,7 +2,7 @@ FROM ruby:2.5-alpine
 
 USER root
 
-ENV VERSION 1.0.2
+ENV VERSION 1.0.3
 ADD https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_linux_amd64.zip /tmp/
 ADD https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_SHA256SUMS /tmp/
 ADD https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_SHA256SUMS.sig /tmp/

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    sanctum (0.8.5.rc4)
+    sanctum (0.8.5.rc5)
       gli (~> 2.18)
       hashdiff (~> 0.3)
       vault (~> 0.12)
@@ -17,13 +17,14 @@ GEM
     hashdiff (0.3.8)
     jaro_winkler (1.5.2)
     method_source (0.9.2)
-    parallel (1.13.0)
+    parallel (1.14.0)
     parser (2.6.0.0)
       ast (~> 2.4.0)
     powerpack (0.1.2)
     pry (0.12.2)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
+    psych (3.1.0)
     rainbow (3.0.0)
     rake (12.3.2)
     rspec (3.8.0)
@@ -39,11 +40,12 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.8.0)
     rspec-support (3.8.0)
-    rubocop (0.63.1)
+    rubocop (0.65.0)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
       parser (>= 2.5, != 2.5.1.1)
       powerpack (~> 0.1)
+      psych (>= 3.1.0)
       rainbow (>= 2.2.2, < 4.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (~> 1.4.0)
@@ -62,7 +64,7 @@ DEPENDENCIES
   pry (~> 0.12.0)
   rake (~> 12.0)
   rspec (~> 3.0)
-  rubocop (~> 0.63.0)
+  rubocop (~> 0.65.0)
   rubocop-rspec (~> 1.32.0)
   sanctum!
 

data/README.md

@@ -28,7 +28,7 @@ using the sanctum gem, you could run `sanctum pull`. Depending on the path you s
 `sanctum push`.
 
 ### KV API v2
-**NOTE: V2 API adds `/data` and `/metadata` endpoints as such sanctum will automatically add `/data` to your local path in order to reflect the endpoints see [Vault kv v2](https://www.vaultproject.io/docs/secrets/kv/kv-v2.html)**
+**NOTE: V2 Vault API adds `/data` and `/metadata` to the mounts endpoints see [Vault kv v2](https://www.vaultproject.io/docs/secrets/kv/kv-v2.html)**
 
 Lets say you have a vault instance with `kv v2`  enabled backend.
 if you were to run, `vault kv secrets/cool-app/dev/env` you may see something similar to
@@ -52,10 +52,10 @@ token          myrandomtoken
 
 using the sanctum gem, you could run `sanctum pull`. Depending on the path you specified in the `sanctum.yaml` config file; Your local file system would look similar to
 ```
-<path-specified>/data/cool-app/dev/env
+<path-specified>/cool-app/dev/env
 ```
 
-`env` would contain a `transit` encrypted base64 encoded blob, which you could then edit with `sanctum edit <path-specified>/data/cool-app/dev/env`. You could then push any changes with
+`env` would contain a `transit` encrypted base64 encoded blob, which you could then edit with `sanctum edit <path-specified>/cool-app/dev/env`. You could then push any changes with
 `sanctum push`.
 
 ## Installation
@@ -108,19 +108,23 @@ The higher the number the higher the precedence.(1 is the lowest precedence, 4 i
 
 ## Configuration file structure
 The configuration file is a Hash represented in YAML format with three possible top-level keys: `sanctum`, `vault`, and `sync`.
-* The `sanctum` section sets global defaults. 
-  * This section is **NOT** required.
-* The `vault` section specifies the url, token, and transit_key to the Vault REST API endpoint.
-  * url, token, and transit_key are **required** and can be set here or through environment variables.
+* The `sanctum` section sets global defaults.
+  * You can choose to set a `transit_key` default under this section, which can be overridden per target
+  * You can choose to set a `secrets_version` default under this section, which can be overridden per target
+* The `vault` section specifies the url, token, to the Vault REST API endpoint.
+  * url, token are **required** and can be set here or through environment variables.
 * The `sync` section sets the local paths and Vault prefixes you wish to synchronize.
   * At lease one application/target definition is required.
+  * If you have not specified a global `transit_key` in the `sanctum` section you must add the key for each target
+
+You can get more info by running `sanctum config` and viewing the generated file.
 
 ## Roadmap
 * <strike>Add vault v2 API support</strike>
 * <strike>Add upgrade option for v2 API</strike>
-* If transit key doesn't exist try to create it(automatically)
-* If secrets mount doesn't exist try to create it(automatically)
 * <strike>Better/more Tests</strike>
+* <strike>Support for multiple transit_keys</strike>
+* <strike>Support for global secrets_version</strike>
 * Built in Backup features
 * Performance optimizations
 * Reorganize/cleanup code(add adapters, etc)

data/docker-compose.test.yml

@@ -9,7 +9,7 @@ services:
     depends_on:
       - vault
   vault:
-    image: vault:1.0.2
+    image: vault:1.0.3
     environment:
       SKIP_SETCAP: "true"
       VAULT_DEV_ROOT_TOKEN_ID: "514c55f0-c452-99e3-55e0-8301b770b92c"

data/docker-compose.yml

@@ -11,7 +11,7 @@ services:
     volumes:
       - ".:/usr/src/app"
   vault:
-    image: vault:1.0.2
+    image: vault:1.0.3
     environment:
       SKIP_SETCAP: "true"
       VAULT_DEV_ROOT_TOKEN_ID: "514c55f0-c452-99e3-55e0-8301b770b92c"

data/lib/sanctum/cli.rb

@@ -67,7 +67,7 @@ module Sanctum
     desc 'Create an encrypted file'
     arg_name 'path/to/file'
     command :create do |c|
-      common_options c, :config
+      common_options c, :targets, :config
       c.action do |_,_,args|
         Command::Create.new(@options_hash, args).run
       end
@@ -76,7 +76,7 @@ module Sanctum
     desc 'View encrypted file[s]'
     arg_name 'path/to/file'
     command :view do |c|
-      common_options c, :config
+      common_options c, :targets, :config
       c.action do |_,_,args|
         if args.empty?
           help_now! "Please specify at least one argument"
@@ -88,7 +88,7 @@ module Sanctum
     desc 'Edit an encrypted file'
     arg_name 'path/to/file'
     command :edit do |c|
-      common_options c, :config
+      common_options c, :targets, :config
 
       c.action do |_,_,args|
         Command::Edit.new(@options_hash, args).run
@@ -98,7 +98,7 @@ module Sanctum
     desc 'Update secrets mount'
     command :update do |c|
       common_options c, :config, :force
-      c.flag [:targets, :t], desc: 'Comma seperated list of targets', required: true
+      c.flag [:targets, :t], desc: 'Specify target to update', required: true
       c.action do
         Command::Update.new(@options_hash).run
       end

data/lib/sanctum/command/base.rb

@@ -10,21 +10,12 @@ module Sanctum
       include EditorHelper
       include PathsHelper
 
-      attr_reader :options, :args, :transit_key, :targets, :config_file
+      attr_reader :options, :args, :targets, :config_file
 
       def initialize(options={}, args=[])
         @options = options.to_h
         @args = args
-
-        @transit_key = options.fetch(:vault).fetch(:transit_key)
-        # TODO: Fix, way to much is happening to targets in this initializer!
-        @targets = update_prefix_or_path(
-          set_secrets_version(
-            remove_trailing_slash(
-              options.fetch(:sync)
-            )
-          )
-        )
+        @targets = update_targets(options.fetch(:sync))
         @config_file = options.fetch(:config_file)
       end
 
@@ -43,14 +34,26 @@ module Sanctum
         raise
       end
 
+      # TODO: Most of this stuff should probably be done in a separate class, or even back in Samctum::GetConfig
+      # Internal: Modifies each target with some additional logic
+      # Returns: hash
+      def update_targets(targets)
+        default_transit_key = options.fetch(:sanctum).fetch(:transit_key, nil)
+        default_secrets_version = options.fetch(:sanctum).fetch(:secrets_version)
+
+        targets = remove_trailing_slash(targets)
+        targets = set_secrets_version(targets, default_secrets_version)
+        targets = set_transit_key(targets, default_transit_key)
+        targets = update_prefix(targets)
+        targets
+      end
+
       # Internal: automatically detect the api version of the secrets mount
       # and adds :secrets_version to hash if it doesn't exist
       #
       # Parameter: is an array of hashes: [{}, {}]
       # Returns array of hashes: [{:name=>"vault-test", :prefix=>"vault-test", :path=>"vault/vault-test", :secrets_version=>"2"},{}]
-      def set_secrets_version(targets)
-        mounts_hash = mounts_info
-
+      def set_secrets_version(targets, default_secrets_version)
         targets.each do |h|
           if h.key?(:secrets_version)
             # Ensure value is a string
@@ -58,25 +61,49 @@ module Sanctum
             next
           end
 
-          # If mount options is nil default to api version 1 otherwise use version value
-          # generic mounts will not have a version specified
-          if mounts_hash.dig(:data, :secret, "#{h[:prefix]}/".to_sym, :options).nil?
-            h[:secrets_version] = "1"
+          if default_secrets_version == "auto"
+            mounts_hash = mounts_info
+
+            # If mount options is nil default to api version 1 otherwise use version value
+            # generic mounts will not have a version specified
+            if mounts_hash.dig(:data, :secret, "#{h[:prefix]}/".to_sym, :options).nil?
+              h[:secrets_version] = "1"
+            else
+              h[:secrets_version] = mounts_hash.dig(:data, :secret, "#{h[:prefix]}/".to_sym, :options, :version).to_s
+            end
+          else
+            h[:secrets_version] = default_secrets_version
+          end
+        end
+      end
+
+      # Internal sets default transit_key if :transit_key doesn't exist in hash
+      #
+      # Parameter: is an array of hashes: [{}, {}]
+      # Returns array of hashes: [{:name=>"vault-test", :prefix=>"vault-test", :path=>"vault/vault-test", :secrets_version=>"2", :transit_key=>"transit/keys/vault-test"},{}]
+      def set_transit_key(targets, default_transit_key)
+        targets = targets.each do |h|
+          if h.key?(:transit_key)
+            # Ensure value is a string
+            h[:transit_key] = h[:transit_key].to_s
+            next
           else
-            h[:secrets_version] = mounts_hash.dig(:data, :secret, "#{h[:prefix]}/".to_sym, :options, :version).to_s
+            h[:transit_key] = default_transit_key.to_s
           end
         end
+
+        raise "transit_key must be specified under sanctum defaults, or on a per target bases" if targets.any?{ |h| h.dig(:transit_key).nil? }
+        targets
       end
 
-      # Internal, update prefix or path, add `/data` if secrets_version == "2"
+      # Internal, update prefix , add `/data` if secrets_version == "2"
       # Parameter is an array of hashes: [{}, {}]
-      # Returns array of hashes: [{:name=>"vault-test", :prefix=>"vault-test/data", :path=>"vault/vault-test/data", :secrets_version=>"2"},{}]
-      def update_prefix_or_path(targets)
+      # Returns array of hashes: [{:name=>"vault-test", :prefix=>"vault-test/data", :path=>"vault/vault-test", :secrets_version=>"2"},{}]
+      def update_prefix(targets)
         targets.each do |h|
           next unless h[:secrets_version] == "2"
 
           h[:prefix] = h[:prefix].include?("/data") ? h[:prefix] : "#{h[:prefix]}/data"
-          h[:path] = h[:path].include?("/data") ? h[:path] : "#{h[:path]}/data"
         end
       end
 

data/lib/sanctum/command/check.rb

@@ -9,7 +9,7 @@ module Sanctum
           # Read each file
           local_secrets = read_local_files(local_paths)
           # Decrypt each secret
-          local_secrets = VaultTransit.decrypt(vault_client, local_secrets, transit_key)
+          local_secrets = VaultTransit.decrypt(vault_client, local_secrets, target[:transit_key])
 
           # Recursively get vault secrets for each prefix specified in sanctum.yaml
           secrets_list = VaultSecrets.new(vault_client, target[:prefix], target[:secrets_version]).get_all

data/lib/sanctum/command/create.rb

@@ -10,16 +10,17 @@ module Sanctum
 
       def run(&block)
         if args.one?
-          path = args[0]
+          path = args.first
           validate_path(path)
-          create_file(path, &block)
+          transit_key = determine_transit_key(path, targets)
+          create_file(path, transit_key, &block)
         else
           raise ArgumentError, red('Please pass only one path argument')
         end
       end
 
       private
-      def create_file(path)
+      def create_file(path, transit_key)
         # Calling vault_client will help prevent a race condition where the token is expired
         # and contents fail to encrypt
         vault_client
@@ -30,7 +31,11 @@ module Sanctum
             yield tmp_file
           else
             editor = ENV.fetch('EDITOR', 'vi')
-            raise red("Error with editor") unless system(editor, tmp_file.path)
+            #This should help in the case where people are using macvim, atom, etc
+            command = Thread.new do
+              raise red("Error with editor") unless system(editor, tmp_file.path)
+            end
+            command.join
           end
 
           contents = File.read(tmp_file.path)
@@ -51,20 +56,9 @@ module Sanctum
         end
       end
 
-      # Check if the path you are creating matches a target path
-      # if secrets_version == 2 /data will be added to the path
-      # See command/base.rb
-      def path_matches_a_target?(path)
-        targets.each do |h|
-          path.to_s.include?(h[:path]) ? (return true) : (return false)
-        end
-      end
-
       def validate_path(path)
         path = Pathname.new(path)
-        keys_to_print = targets.map { |h| h.slice(:name, :path) }
         raise yellow("File exists, use edit command") if path.exist?
-        raise yellow("No targets contain a :path key that matches the path you specified\n#{keys_to_print}") unless path_matches_a_target?(path)
 
         path.dirname.mkpath unless path.dirname.exist?
       end

data/lib/sanctum/command/edit.rb

@@ -9,15 +9,16 @@ module Sanctum
 
       def run(&block)
         if args.one?
-          path = args[0]
-          edit_file(path, &block)
+          path = args.first
+          transit_key = determine_transit_key(path, targets)
+          edit_file(path, transit_key, &block)
         else
           raise ArgumentError, red('Please pass only one path argument')
         end
       end
 
       private
-      def edit_file(path)
+      def edit_file(path, transit_key)
         tmp_file = Tempfile.new(File.basename(path))
 
         begin
@@ -33,7 +34,11 @@ module Sanctum
           else
             previous_contents = File.read(tmp_file.path)
             editor = ENV.fetch('EDITOR', 'vi')
-            raise red("Error with editor") unless system(editor, tmp_file.path )
+            #This should help in the case where people are using macvim, atom, etc
+            command = Thread.new do
+              raise red("Error with editor") unless system(editor, tmp_file.path )
+            end
+            command.join
           end
           contents = File.read(tmp_file.path)
 

data/lib/sanctum/command/editor_helper.rb

@@ -18,17 +18,21 @@ module Sanctum
       def validate(contents)
         validate_json(contents) || validate_yaml(contents) || raise
       rescue
-        fail red("Invalid Contents")
+        fail red("Invalid Contents. Must be valid, json or yaml, in key/value pair format")
       end
 
       def validate_json(json)
-        JSON.parse(json)
-      rescue JSON::ParserError
+        json = JSON.parse(json)
+        raise TypeError.new('Data must be in key/value format') unless json.kind_of? Hash
+        json
+      rescue JSON::ParserError, TypeError
         nil
       end
 
       def validate_yaml(yaml)
-        YAML.load(yaml)
+        yaml = YAML.load(yaml)
+        raise TypeError.new('Data must be in key/value format') unless yaml.kind_of? Hash
+        yaml
       rescue YAML::SyntaxError
         nil
       end
@@ -53,6 +57,17 @@ module Sanctum
         end
       end
 
+      #TODO: Don't like this.. need to figure out a better way.
+      #Maybe require uses to specify the target when `create, update, or edit?`
+      def determine_transit_key(path, targets)
+        if targets.count > 1
+          targets.each do |h|
+            path.to_s.include?(h[:path]) ? (h[:transit_key]) : (raise "Unable to determine transit_key to use, please specify target via `-t <target>`")
+          end
+        else
+          targets.first[:transit_key]
+        end
+      end
     end
   end
 end

data/lib/sanctum/command/pull.rb

@@ -18,7 +18,7 @@ module Sanctum
           secrets_list.each do |k,v|
 
             vault_secrets = build_vault_secrets(v, [target[:path]])
-            local_secrets = build_local_secrets(vault_secrets)
+            local_secrets = build_local_secrets(vault_secrets, target[:transit_key])
 
             #Compare secrets, if there are no differences continue to next target
             differences = compare_secrets(vault_secrets, local_secrets, target[:name], "pull")
@@ -33,11 +33,11 @@ module Sanctum
             if force
               # Write files to disk and encrypt with transit
               warn red("#{target[:name]}: Forcefully writing differences to disk(pull)")
-              VaultTransit.write_to_file(vault_client, vault_secrets, transit_key)
+              VaultTransit.write_to_file(vault_client, vault_secrets, target[:transit_key])
             else
               #Confirm with user, and write to local file if approved
               next unless confirmed_with_user?
-              VaultTransit.write_to_file(vault_client, vault_secrets, transit_key)
+              VaultTransit.write_to_file(vault_client, vault_secrets, target[:transit_key])
             end
           end
         end
@@ -65,7 +65,7 @@ module Sanctum
         vault_secrets
       end
 
-      def build_local_secrets(vault_secrets)
+      def build_local_secrets(vault_secrets, transit_key)
 
         # read_local_files uses vault_secrets paths to create a new hash with local paths and values.
         # This means that we will only compare secrets/paths that exist in both vault and locally.

data/lib/sanctum/command/push.rb

@@ -17,7 +17,7 @@ module Sanctum
           # Build array of local paths by recursively searching for local files for each path specified in sanctum.yaml
           local_paths = get_local_paths(File.join(File.dirname(config_file), target[:path]))
 
-          local_secrets = build_local_secrets(local_paths)
+          local_secrets = build_local_secrets(local_paths, target[:transit_key])
           vault_secrets = build_vault_secrets(local_paths, target[:prefix], target[:path], target[:secrets_version])
 
           # Compare secrets
@@ -73,7 +73,7 @@ module Sanctum
         tmp_hash
       end
 
-      def build_local_secrets(local_paths)
+      def build_local_secrets(local_paths, transit_key)
         # Read each local file
         local_secrets = read_local_files(local_paths)
         # Decrypt local secrets

data/lib/sanctum/command/sanctum.example.yaml

@@ -1,20 +1,23 @@
 # sanctum.yml
 sanctum:
-  # force - defaults to false. Setting to true modifies behavior of push and pull commands.
-  #   If true you will not be asked if you want to overwrite changes.
-  #force: false
   # color - defaults to true. Setting to false will disable color to tty
   #color: true
+  # force - defaults to false. Setting to true modifies behavior of push and pull commands.
+  #   If true you will not be asked if you want to overwrite changes. Can be overridden on a per target basis.
+  #force: false
+  # secrets_version - defaults to `auto`, which will try to automatically detect secrets_version
+  #   can be overridden on a per target basis
+  #secrets_version: auto
+  # transit_key - (required if not set ) default transit_key to be used, can be overridden on a per target basis
+  #   Transit key ring used to encrypt/decrypt secrets for local storage.
+  #   If you need to use multiple transit_keys you will need to create seperate config files
+  #transit_key: transit/keys/app-foo
 
 vault:
   # url - will use `ENV["VAULT_ADDR"]` if available, otherwise defaults to http://localhost:8200
   #url: http://localhost:8200
   # token - (required) will use `ENV["VAULT_TOKEN"]` if available, otherwise tries to read from `ENV["HOME"]/.vault-token`
   #token: aaabbbcc-ddee-ffgg-hhii-jjkkllmmnnoop
-  # transit_key - (required) will use `ENV["SANCTUM_TRANSIT_KEY"]` if available.
-  #   Transit key ring used to encrypt/decrypt secrets for local storage.
-  #   If you need to use multiple transit_keys you will need to create seperate config files
-  #transit_key: transit/keys/app-foo
 
 sync:
   # sync is an array of hashes of sync target configurations
@@ -26,11 +29,18 @@ sync:
   #       with Vault. This path is calculated relative to the directory containing
   #       the sanctum configuration file.
   #     force - Whether or not to force push, pull actions (no user input)
-  #       This inherits the setting from the `sanctum` section.
+  #       Inherits the setting from the `sanctum` section.
   #     secrets_version - The k/v secrets version `1`, or `2`. Sanctum will try to detect this automatically
-  #       if not valued. This does not apply to `generic` secrets backend.
-  #       see https://www.vaultproject.io/docs/secrets/kv/index.html
+  #       if not valued. Inherits the setting from the `sanctum` section.
+  #     transit_key - (required if not set in `sanctum` section) Transit key ring used to encrypt/decrypt secrets
+  #     for local storage. Inherits the setting from the `sanctum` section.
   #- name: app-foo
     #prefix: secrets/app-foo
     #path: vault/app-foo
     #force: false
+  #- name: app-bar
+    #prefix: app-bar
+    #path: vault/app-bar
+    #transit_key: transit/keys/app-bar
+    #secrets_version: 2
+    #force: false

data/lib/sanctum/command/update.rb

@@ -34,8 +34,6 @@ module Sanctum
           upgrade_response = confirm_upgrade?(target) ? vault_client.request(:post, "/v1/sys/mounts/#{target[:prefix]}/tune", data) : nil
         end
         upgrade_response.nil? ? nothing_happened_warning : (warn yellow("#{upgrade_response}\n#{post_upgrade_warning}"))
-
-        post_upgrade_tasks(target)
       end
 
       def pre_upgrade_warning
@@ -91,30 +89,6 @@ module Sanctum
           false
         end
       end
-
-      # Post upgrade tasks if mount is being upgraded from generic mount or v1 mount to v2 mount
-      # Ensure local files mimic vault v2 by add `/data` to local path
-      def post_upgrade_tasks(target)
-        config_path = Pathname.new(config_file).dirname.to_s
-        full_target_path = "#{config_path}/#{target[:path]}"
-
-        old_path = full_target_path.include?("/data") ? full_target_path.sub(/\/data/, "") : full_target_path
-        new_path = full_target_path.include?("/data") ? full_target_path : "#{full_target_path}/data"
-
-        # If old path does not exist, chances are sanctum upgrade is being run before sanctum pull/push.
-        return unless File.directory?(old_path)
-
-        files_to_move = Dir.chdir(old_path) { Dir.glob('*') }.delete_if {|i| i == "data"}
-        unless files_to_move.empty?
-          FileUtils.mkdir_p(new_path) unless File.directory?(new_path)
-          files_to_move.each do |f|
-            FileUtils.mv("#{old_path}/#{f}", new_path, secure: true)
-          end
-        end
-      rescue
-        warn red("Post upgrade tasks failed")
-        raise
-      end
     end
   end
 end

data/lib/sanctum/command/view.rb

@@ -5,9 +5,15 @@ module Sanctum
     class View < Base
 
       def run(command="less")
-        raise ArgumentError, red('Please provide at least one path') if args.empty?
+        if args.one?
+          path = args.first
+          transit_key = determine_transit_key(path, targets)
+        else
+          raise ArgumentError, red('Please pass only one path argument')
+        end
 
-        local_secrets = read_local_files(args)
+        #TODO: Fix later, expects an array of paths
+        local_secrets = read_local_files(["#{path}"])
         local_secrets = VaultTransit.decrypt(vault_client, local_secrets, transit_key)
         begin
           IO.popen(command, "w") { |f| f.puts "#{local_secrets.to_yaml}" }

data/lib/sanctum/get_config/config_merge.rb

@@ -17,24 +17,34 @@ module Sanctum
         @force = force
       end
 
-      def final_options
+      def default_options
         # default_options will search for config_file or take the path specified via cli
-        default_options = DefaultOptions.new(config_file).run
-        config_options = ConfigFile.new(default_options[:config_file]).run
-        env_options = Env.new.run
-        cli_options = {cli: {targets: targets, force: force }}
+        DefaultOptions.new(config_file).run
+      end
 
+      def config_options
+        config_options = ConfigFile.new(default_options[:config_file]).run
         # Check that targets specified via commandline actually exist in config_file and update config_options[:sync] array
         config_options = check_targets(targets, config_options) unless targets.nil?
+        config_options
+      end
 
-        merge_options(default_options, config_options, env_options, cli_options)
+      def env_options
+        Env.new.run
       end
 
+      def cli_options
+        { cli: { targets: targets, force: force } }
+      end
 
       def merge_options(default_options, config_options, env_options, cli_options)
         default_options.deep_merge(config_options).deep_merge(env_options).deep_merge(cli_options)
       end
 
+      def final_options
+        merge_options(default_options, config_options, env_options, cli_options)
+      end
+
       def check_targets(targets, config_options)
         tmp_array = Array.new
         sync = config_options[:sync]

data/lib/sanctum/get_config/env.rb

@@ -4,7 +4,7 @@ module Sanctum
       attr_reader :env_options
 
       def initialize
-        @env_options = {vault: {url: ENV["VAULT_ADDR"], token: ENV["VAULT_TOKEN"], transit_key: ENV["SANCTUM_TRANSIT_KEY"]}}
+        @env_options = { vault: { url: ENV["VAULT_ADDR"], token: ENV["VAULT_TOKEN"] } }
       end
 
       def run

data/lib/sanctum/get_config/options.rb

@@ -13,7 +13,7 @@ module Sanctum
       def run
         {
           config_file: config_file.nil? ? config_file_search : config_file,
-          sanctum: { color: true, force: false },
+          sanctum: { color: true, force: false, secrets_version: "auto", transit_key: nil },
           vault: { token: get_vault_token, url: "https://127.0.0.1:8200" },
         }
       end

data/lib/sanctum/vault_transit.rb

@@ -8,6 +8,8 @@ module Sanctum
     def self.encrypt(vault_client, secrets, transit_key)
       transit_key = Pathname.new(transit_key)
 
+      #TODO probably nice to do this check earlier on,
+      #Such as in command/base
       unless transit_key_exist?(vault_client, transit_key)
         raise red("#{transit_key} does not exist")
       end

data/lib/sanctum/version.rb

@@ -1,3 +1,3 @@
 module Sanctum
-  VERSION = "0.8.5.rc4"
+  VERSION = "0.8.5.rc5"
 end

data/sanctum.gemspec

@@ -31,6 +31,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'pry', '~> 0.12.0'
   spec.add_development_dependency 'rake', '~> 12.0'
   spec.add_development_dependency 'rspec', '~> 3.0'
-  spec.add_development_dependency 'rubocop', '~> 0.63.0'
+  spec.add_development_dependency 'rubocop', '~> 0.65.0'
   spec.add_development_dependency 'rubocop-rspec', '~> 1.32.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sanctum
 version: !ruby/object:Gem::Version
-  version: 0.8.5.rc4
+  version: 0.8.5.rc5
 platform: ruby
 authors:
 - Corban Raun
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-02-26 00:00:00.000000000 Z
+date: 2019-03-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: vault
@@ -114,14 +114,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.63.0
+        version: 0.65.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.63.0
+        version: 0.65.0
 - !ruby/object:Gem::Dependency
   name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement