sanctum 0.8.5.rc5 → 0.8.6.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dff385a40c33fc32dc3c5b57c28c1c8493cf9e01dc6e79cfbfee08269a3bd072
-  data.tar.gz: ebdd7ba3f3a1020357301d281e4dc474195d8b765a25885f96e10e7a7e6b3573
+  metadata.gz: b898d2e916e8ec1febdcaaa482017484aa1d2c0d7bb407cd0f1e93fb58615622
+  data.tar.gz: 5f34552ae0916fdce2b8903e0548e3656a60e9f950b1e5a656a9f54d500f78f4
 SHA512:
-  metadata.gz: 23d19761e85666eb94b7c7e25a7957be59ba422f2967a930000b1171ae1280e0417b3ad767fc35e0c5c1a19cb61962c752c06d3ae381a1b54c2ef6e8c4cf9949
-  data.tar.gz: 8563efa095ac2a186572adcd14f999db22070e91803cc6ad89d67c29c009e4f8c6c005675b9f796744dbb76633381ad5df05cc8050366aa32e5e503aa860acb2
+  metadata.gz: d72a9696fc57f35c6eb1da437069ba9eb369aec6ce871095296bdd09b753528ac8eeb5ed3023a52f3ae3826df81a5dd70dda8e19a07bdbf860ebd3fd761de895
+  data.tar.gz: c63d24c16472a5170a54f3da4fa2ba5caf472f5cc5b25bbe3ce2d3bd8c41e087ff8efbc640289b45decdbaf74a7e32e30bbdfa5c8344fc33f4b79054808991cf

data/Gemfile.lock

@@ -1,9 +1,10 @@
 PATH
   remote: .
   specs:
-    sanctum (0.8.5.rc5)
+    sanctum (0.8.6.rc1)
       gli (~> 2.18)
       hashdiff (~> 0.3)
+      tty-editor (~> 0.5)
       vault (~> 0.12)
 
 GEM
@@ -13,13 +14,18 @@ GEM
     aws-sigv4 (1.0.3)
     coderay (1.1.2)
     diff-lcs (1.3)
+    equatable (0.5.0)
     gli (2.18.0)
     hashdiff (0.3.8)
     jaro_winkler (1.5.2)
     method_source (0.9.2)
+    necromancer (0.4.0)
     parallel (1.14.0)
     parser (2.6.0.0)
       ast (~> 2.4.0)
+    pastel (0.7.2)
+      equatable (~> 0.5.0)
+      tty-color (~> 0.4.0)
     powerpack (0.1.2)
     pry (0.12.2)
       coderay (~> 1.1.0)
@@ -52,9 +58,28 @@ GEM
     rubocop-rspec (1.32.0)
       rubocop (>= 0.60.0)
     ruby-progressbar (1.10.0)
+    timers (4.3.0)
+    tty-color (0.4.3)
+    tty-cursor (0.6.1)
+    tty-editor (0.5.0)
+      tty-prompt (~> 0.18)
+      tty-which (~> 0.4)
+    tty-prompt (0.18.1)
+      necromancer (~> 0.4.0)
+      pastel (~> 0.7.0)
+      timers (~> 4.0)
+      tty-cursor (~> 0.6.0)
+      tty-reader (~> 0.5.0)
+    tty-reader (0.5.0)
+      tty-cursor (~> 0.6.0)
+      tty-screen (~> 0.6.4)
+      wisper (~> 2.0.0)
+    tty-screen (0.6.5)
+    tty-which (0.4.0)
     unicode-display_width (1.4.1)
     vault (0.12.0)
       aws-sigv4
+    wisper (2.0.0)
 
 PLATFORMS
   ruby

data/lib/sanctum/command/base.rb

@@ -41,6 +41,9 @@ module Sanctum
         default_transit_key = options.fetch(:sanctum).fetch(:transit_key, nil)
         default_secrets_version = options.fetch(:sanctum).fetch(:secrets_version)
 
+        # TODO: make this better
+        # remove_trailing_slash needs to run first, as some of the other logic in other methods
+        # rely on it
         targets = remove_trailing_slash(targets)
         targets = set_secrets_version(targets, default_secrets_version)
         targets = set_transit_key(targets, default_transit_key)
@@ -63,13 +66,16 @@ module Sanctum
 
           if default_secrets_version == "auto"
             mounts_hash = mounts_info
+            # Use the root path to determine secrets_version
+            prefix = "#{h[:prefix].lines('/').first}"
+            prefix = prefix.include?("/") ? prefix.to_sym : "#{prefix}/".to_sym
 
             # If mount options is nil default to api version 1 otherwise use version value
             # generic mounts will not have a version specified
-            if mounts_hash.dig(:data, :secret, "#{h[:prefix]}/".to_sym, :options).nil?
+            if mounts_hash.dig(:data, :secret, prefix, :options).nil?
               h[:secrets_version] = "1"
             else
-              h[:secrets_version] = mounts_hash.dig(:data, :secret, "#{h[:prefix]}/".to_sym, :options, :version).to_s
+              h[:secrets_version] = mounts_hash.dig(:data, :secret, prefix, :options, :version).to_s
             end
           else
             h[:secrets_version] = default_secrets_version
@@ -103,7 +109,14 @@ module Sanctum
         targets.each do |h|
           next unless h[:secrets_version] == "2"
 
-          h[:prefix] = h[:prefix].include?("/data") ? h[:prefix] : "#{h[:prefix]}/data"
+          # Super gross..., split path into an array
+          path_array = h[:prefix].lines("/")
+          # Add `data/` to the right place in the path if it's not already there
+          if path_array.count == 1
+            h[:prefix] = path_array.insert(1, "/data").join
+          else
+            h[:prefix] = path_array.include?("data/") ? path_array.join : path_array.insert(1, "data/").join
+          end
         end
       end
 
@@ -111,6 +124,7 @@ module Sanctum
         targets.each do |h|
           h[:prefix] = h[:prefix].chomp("/")
           h[:path] = h[:path].chomp("/")
+          h[:transit_key] = h[:transit_key].chomp("/") if h.key?(:transit_key)
         end
       end
 

data/lib/sanctum/command/create.rb

@@ -30,12 +30,7 @@ module Sanctum
           if block_given?
             yield tmp_file
           else
-            editor = ENV.fetch('EDITOR', 'vi')
-            #This should help in the case where people are using macvim, atom, etc
-            command = Thread.new do
-              raise red("Error with editor") unless system(editor, tmp_file.path)
-            end
-            command.join
+            TTY::Editor.open(tmp_file.path)
           end
 
           contents = File.read(tmp_file.path)

data/lib/sanctum/command/diff_helper.rb

@@ -12,6 +12,8 @@ module Sanctum
             puts green("#{diff[0].to_s + diff[1].join(" => ").to_s} => #{diff[2]}")
           else
             puts red("#{diff[0].to_s + diff[1].join(" => ").to_s} => #{diff[2]}")
+            # If a secret is changed, we should show the change
+            puts green("+#{diff[1].join(" => ").to_s} => #{diff[3]}") if diff.fetch(3, false)
           end
         end
         differences

data/lib/sanctum/command/edit.rb

@@ -33,12 +33,7 @@ module Sanctum
             yield tmp_file
           else
             previous_contents = File.read(tmp_file.path)
-            editor = ENV.fetch('EDITOR', 'vi')
-            #This should help in the case where people are using macvim, atom, etc
-            command = Thread.new do
-              raise red("Error with editor") unless system(editor, tmp_file.path )
-            end
-            command.join
+            TTY::Editor.open(tmp_file.path)
           end
           contents = File.read(tmp_file.path)
 

data/lib/sanctum/command/editor_helper.rb

@@ -1,6 +1,7 @@
+require 'json'
 require 'securerandom'
+require 'tty-editor'
 require 'yaml'
-require 'json'
 
 module Sanctum
   module Command

data/lib/sanctum/command/pull.rb

@@ -5,6 +5,7 @@ module Sanctum
     class Pull < Base
 
       def run
+        puts yellow("Running `pull` for the following targets: \n#{targets.map{ |h| h.dig(:name)}.to_yaml.gsub("---\n", '')}")
         targets.each do |target|
           # Use command line if force: true
           if options[:cli][:force]

data/lib/sanctum/command/push.rb

@@ -6,6 +6,7 @@ module Sanctum
     class Push < Base
 
       def run
+        puts yellow("Running `push` for the following targets: \n#{targets.map{ |h| h.dig(:name)}.to_yaml.gsub("---\n", '')}")
         targets.each do |target|
           # Use command line if force: true
           if options[:cli][:force]

data/lib/sanctum/version.rb

@@ -1,3 +1,3 @@
 module Sanctum
-  VERSION = "0.8.5.rc5"
+  VERSION = "0.8.6.rc1"
 end

data/sanctum.gemspec

@@ -17,15 +17,17 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = '>=2.5.0'
 
   spec.files         = `git ls-files -z`.split("\x0").reject do |f|
-    f.match(%r{^(test|spec|features)/})
+    exclude = [%r{^(test|spec|features|examples)/}, %r{docker.*}i, %r{\.gitlab-ci.yml}]
+    f.match(Regexp.union(exclude))
   end
   spec.bindir        = "bin"
   spec.executables   = "sanctum"
   spec.require_paths = ["lib"]
 
-  spec.add_dependency 'vault', '~> 0.12'
-  spec.add_dependency 'hashdiff', '~> 0.3'
   spec.add_dependency 'gli', '~> 2.18'
+  spec.add_dependency 'hashdiff', '~> 0.3'
+  spec.add_dependency 'tty-editor', '~> 0.5'
+  spec.add_dependency 'vault', '~> 0.12'
 
   spec.add_development_dependency 'bundler', '~> 1.0'
   spec.add_development_dependency 'pry', '~> 0.12.0'

metadata

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: sanctum
 version: !ruby/object:Gem::Version
-  version: 0.8.5.rc5
+  version: 0.8.6.rc1
 platform: ruby
 authors:
 - Corban Raun
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-03-06 00:00:00.000000000 Z
+date: 2019-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: vault
+  name: gli
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.12'
+        version: '2.18'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.12'
+        version: '2.18'
 - !ruby/object:Gem::Dependency
   name: hashdiff
   requirement: !ruby/object:Gem::Requirement
@@ -39,19 +39,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0.3'
 - !ruby/object:Gem::Dependency
-  name: gli
+  name: tty-editor
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.18'
+        version: '0.5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.18'
+        version: '0.5'
+- !ruby/object:Gem::Dependency
+  name: vault
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -145,10 +159,8 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
-- ".gitlab-ci.yml"
 - ".rspec"
 - ".rubocop.yml"
-- Dockerfile
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -157,11 +169,6 @@ files:
 - bin/console
 - bin/sanctum
 - bin/setup
-- docker-compose.override.yml_sample
-- docker-compose.test.yml
-- docker-compose.yml
-- examples/single_target/example_policy.hcl
-- examples/single_target/sanctum.yaml
 - lib/sanctum.rb
 - lib/sanctum/cli.rb
 - lib/sanctum/colorize_string.rb

data/.gitlab-ci.yml

@@ -1,22 +0,0 @@
----
-image:
-  name: docker/compose:1.23.2
-  entrypoint: ["/bin/sh", "-c"]
-
-variables:
-  COMPOSE_FILE: 'docker-compose.test.yml'
-
-stages:
-  - test
-
-before_script:
-  - docker version
-  - docker info
-  - docker-compose version
-
-testing:
-  stage: test
-  script:
-    - docker-compose build
-    - docker-compose run -T --rm sanctum ls -lart -hu
-    - docker-compose run -T --rm sanctum bundle exec rspec

data/Dockerfile

@@ -1,31 +0,0 @@
-FROM ruby:2.5-alpine
-
-USER root
-
-ENV VERSION 1.0.3
-ADD https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_linux_amd64.zip /tmp/
-ADD https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_SHA256SUMS /tmp/
-ADD https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_SHA256SUMS.sig /tmp/
-
-# Install additional dependencies
-# As well as nice to haves locally
-RUN apk --no-cache add git vim busybox-extras curl gnupg build-base \
-  && until gpg --keyserver hkp://p80.pool.sks-keyservers.net --recv-key 0x348FFC4C; do echo "Retry"; sleep 30; done \
-  && gpg --verify /tmp/vault_${VERSION}_SHA256SUMS.sig \
-  && cat /tmp/vault_${VERSION}_SHA256SUMS | grep linux_amd64 | sha256sum /tmp/vault_${VERSION}_linux_amd64.zip \
-  && unzip /tmp/vault_${VERSION}_linux_amd64.zip \
-  && mv vault /usr/local/bin/ \
-  && rm -rf /tmp/*
-
-# Setup up app directory
-ENV APP_HOME /usr/src/app/
-WORKDIR $APP_HOME
-
-# Add app code
-COPY . $APP_HOME
-
-# Install gems
-RUN bundle install --jobs=8
-
-# Install sanctum gem
-RUN bundle exec rake install

data/docker-compose.override.yml_sample

@@ -1,11 +0,0 @@
----
-version: '3.4'
-
-services:
-  sanctum:
-    environment:
-      GEM_HOST_API_KEY:
-      GIT_AUTHOR_NAME:
-      GIT_AUTHOR_EMAIL:
-      GIT_COMMITTER_NAME:
-      GIT_COMMITTER_EMAIL:

data/docker-compose.test.yml

@@ -1,17 +0,0 @@
----
-version: '3.4'
-
-services:
-  sanctum:
-    build:
-      context: "."
-    command: /bin/true
-    depends_on:
-      - vault
-  vault:
-    image: vault:1.0.3
-    environment:
-      SKIP_SETCAP: "true"
-      VAULT_DEV_ROOT_TOKEN_ID: "514c55f0-c452-99e3-55e0-8301b770b92c"
-      VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
-    command: ["vault", "server", "-dev"]

data/docker-compose.yml

@@ -1,19 +0,0 @@
----
-version: '3.4'
-
-services:
-  sanctum:
-    build:
-      context: "."
-    command: /bin/true
-    depends_on:
-      - vault
-    volumes:
-      - ".:/usr/src/app"
-  vault:
-    image: vault:1.0.3
-    environment:
-      SKIP_SETCAP: "true"
-      VAULT_DEV_ROOT_TOKEN_ID: "514c55f0-c452-99e3-55e0-8301b770b92c"
-      VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
-    command: ["vault", "server", "-dev"]

data/examples/single_target/example_policy.hcl

@@ -1,54 +0,0 @@
-# Helpful documentation can be found
-# https://www.vaultproject.io/guides/identity/policies
-# https://www.vaultproject.io/docs/concepts/policies.html
-# https://learn.hashicorp.com/vault/getting-started/policies
-#
-# You can make permissions more granular or limited by specifying deeper paths
-# Example: `path "sanctum-test/data/dev/*"`, etc.
-#
-################# Read/Write v2 api example #################################################
-path "sanctum-test/data/*" { capabilities = ["list","read","create","update","delete"] }
-path "sanctum-test/metadata/*" { capabilities = ["list","read","create","update","delete"] }
-path "sanctum-test/destroy/*" { capabilities = ["update"] }
-path "sanctum-test/delete/*" { capabilities = ["update"] }
-path "sanctum-test/undelete/*" { capabilities = ["update"] }
-#############################################################################################
-
-################# Read/Write v1/generic example ###################################
-path "sanctum-test/*" { capabilities = ["list","read","create","update","delete"] }
-###################################################################################
-
-################## Additional sys/ and sys/mount permissions ############################################
-# Grant access to tune existing mount
-# Required to upgrade from v1/generic to v2
-path "sys/mounts/sanctum-test/tune" { capabilities = ["read", "update"] }
-# Grant broader permission to specific mount
-path "sys/mounts/sanctum-test" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
-# Read health checks
-path "sys/health" { capabilities = ["read", "sudo"] }
-# View capabilities of token
-path "sys/capabilities" { capabilities = ["create", "update"] }
-# View capabilities of token
-path "sys/capabilities-self" { capabilities = ["create", "update"] }
-# View mount info for mounts that you have permissions on
-path "sys/internal/ui/mounts" { capabilities = ["read"] }
-#########################################################################################################
-
-################### Transit permissions###########################################################
-# General permission on key
-path "transit/keys/sanctum-test" { capabilities = ["list","read","create","update", "delete"] }
-# Permission to rotate keys
-path "transit/keys/sanctum-test/rotate" { capabilities = ["list","read","create","update"] }
-# Permission to modify transit key config
-path "transit/keys/sanctum-test/config" { capabilities = ["list","read","create","update"] }
-# Permission to backup key
-#path "transit/backup/sanctum-test" { capabilities = ["list","read"] }
-# Permission to restore key
-#path "transit/restore/sanctum-test" { capabilities = ["list","read","create","update"] }
-# Transit encryption endpoint
-path "transit/encrypt/sanctum-test" { capabilities = ["list","read","create","update"] }
-# Transit decrypt endpoint
-path "transit/decrypt/sanctum-test" { capabilities = ["list","read","create","update"] }
-# Transit rewrap permissions
-path "transit/rewrap/sanctum-test" { capabilities = ["list","read","create","update"] }
-##################################################################################################