sanctum 0.8.5.rc2 → 0.8.5.rc3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/README.md +39 -4
- data/lib/sanctum/command/base.rb +22 -5
- data/lib/sanctum/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b9644d3be1fdfcdd2e01ea42a1a0abd2e695bd3b2e9fe156083b10f64fb61540
|
|
4
|
+
data.tar.gz: 6b467122d7066368cf662a37c00f7d9bad88e7c4e1d9aabbb7dc12d54fed70cc
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4b8f3ecbae4f6085c442ff12aa87560d884016a1bae709e7110a6a766d53b133986b148ccb69772acf2d3eb2ddba77c26a0305e41992f5e319ad4a485fe666ee
|
|
7
|
+
data.tar.gz: 9f081fb88da05525f0666a05994a2299136e1f52c37d2979607849dd4db752cb71e15802ac3cdbfeffc515c6f57aba73a1d91c7c32fa8e703f4d667bca0abbd0
|
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
|
@@ -4,7 +4,11 @@ Local files are encrypted using vaults [transit](https://www.vaultproject.io/api
|
|
|
4
4
|
This makes maintaining multiple vault secrets for multiple applications simple and secure.
|
|
5
5
|
|
|
6
6
|
## Usage Example
|
|
7
|
-
|
|
7
|
+
|
|
8
|
+
### Generic/KV API v1
|
|
9
|
+
**NOTE: If you just starting to use sanctum, and or vault, you should be using API v2 For more info see, [Vault kv v2](https://www.vaultproject.io/docs/secrets/kv/kv-v2.html), or [Vault kv v1](https://www.vaultproject.io/docs/secrets/kv/kv-v1.html)**
|
|
10
|
+
|
|
11
|
+
Lets say you have a vault instance with a `generic`, or `kv v1` enabled backend.
|
|
8
12
|
if you were to run, `vault read secrets/cool-app/dev/env` you would see something similar to
|
|
9
13
|
|
|
10
14
|
```
|
|
@@ -23,6 +27,37 @@ using the sanctum gem, you could run `sanctum pull`. Depending on the path you s
|
|
|
23
27
|
`env` would contain a `transit` encrypted base64 encoded blob, which you could then edit with `sanctum edit <path-specified>/cool-app/dev/env`. You could then push any changes with
|
|
24
28
|
`sanctum push`.
|
|
25
29
|
|
|
30
|
+
### KV API v2
|
|
31
|
+
**NOTE: V2 API adds `/data` and `/metadata` endpoints as such sanctum will automatically add `/data` to your local path in order to reflect the endpoints see [Vault kv v2](https://www.vaultproject.io/docs/secrets/kv/kv-v2.html)**
|
|
32
|
+
|
|
33
|
+
Lets say you have a vault instance with `kv v2` enabled backend.
|
|
34
|
+
if you were to run, `vault kv secrets/cool-app/dev/env` you may see something similar to
|
|
35
|
+
|
|
36
|
+
```
|
|
37
|
+
====== Metadata ======
|
|
38
|
+
Key Value
|
|
39
|
+
--- -----
|
|
40
|
+
created_time 2019-02-17T00:58:51.194452314Z
|
|
41
|
+
deletion_time n/a
|
|
42
|
+
destroyed false
|
|
43
|
+
version 1
|
|
44
|
+
|
|
45
|
+
======= Data =======
|
|
46
|
+
Key Value
|
|
47
|
+
--- -----
|
|
48
|
+
db_password heydudeihaveacoolapp
|
|
49
|
+
token myrandomtoken
|
|
50
|
+
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
using the sanctum gem, you could run `sanctum pull`. Depending on the path you specified in the `sanctum.yaml` config file; Your local file system would look similar to
|
|
54
|
+
```
|
|
55
|
+
<path-specified>/data/cool-app/dev/env
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
`env` would contain a `transit` encrypted base64 encoded blob, which you could then edit with `sanctum edit <path-specified>/data/cool-app/dev/env`. You could then push any changes with
|
|
59
|
+
`sanctum push`.
|
|
60
|
+
|
|
26
61
|
## Installation
|
|
27
62
|
|
|
28
63
|
From source:
|
|
@@ -42,7 +77,7 @@ sanctum config - Generate an example config file.
|
|
|
42
77
|
sanctum create - Create an encrypted local file.
|
|
43
78
|
sanctum edit - Edit an encrypted local file.
|
|
44
79
|
sanctum view - View an encrypted local file.
|
|
45
|
-
sanctum update - Update secrets backend to v2
|
|
80
|
+
sanctum update - Update secrets backend to v2 API.
|
|
46
81
|
```
|
|
47
82
|
|
|
48
83
|
|
|
@@ -81,8 +116,8 @@ The configuration file is a Hash represented in YAML format with three possible
|
|
|
81
116
|
* At lease one application/target definition is required.
|
|
82
117
|
|
|
83
118
|
## Roadmap
|
|
84
|
-
* <strike>Add vault v2
|
|
85
|
-
* <strike>Add upgrade option for v2
|
|
119
|
+
* <strike>Add vault v2 API support</strike>
|
|
120
|
+
* <strike>Add upgrade option for v2 API</strike>
|
|
86
121
|
* If transit key doesn't exist try to create it(automatically)
|
|
87
122
|
* If secrets mount doesn't exist try to create it(automatically)
|
|
88
123
|
* <strike>Better/more Tests</strike>
|
data/lib/sanctum/command/base.rb
CHANGED
|
@@ -17,8 +17,14 @@ module Sanctum
|
|
|
17
17
|
@args = args
|
|
18
18
|
|
|
19
19
|
@transit_key = options.fetch(:vault).fetch(:transit_key)
|
|
20
|
-
# TODO: Fix, to much is happening to targets in this initializer!
|
|
21
|
-
@targets = update_prefix_or_path(
|
|
20
|
+
# TODO: Fix, way to much is happening to targets in this initializer!
|
|
21
|
+
@targets = update_prefix_or_path(
|
|
22
|
+
set_secrets_version(
|
|
23
|
+
remove_trailing_slash(
|
|
24
|
+
options.fetch(:sync)
|
|
25
|
+
)
|
|
26
|
+
)
|
|
27
|
+
)
|
|
22
28
|
@config_file = options.fetch(:config_file)
|
|
23
29
|
end
|
|
24
30
|
|
|
@@ -46,19 +52,23 @@ module Sanctum
|
|
|
46
52
|
mounts_hash = mounts_info
|
|
47
53
|
|
|
48
54
|
targets.each do |h|
|
|
49
|
-
|
|
55
|
+
if h.key?(:secrets_version)
|
|
56
|
+
# Ensure value is a string
|
|
57
|
+
h[:secrets_version] = h[:secrets_version].to_s
|
|
58
|
+
next
|
|
59
|
+
end
|
|
50
60
|
|
|
51
61
|
# If mount options is nil default to api version 1 otherwise use version value
|
|
52
62
|
# generic mounts will not have a version specified
|
|
53
63
|
if mounts_hash.dig(:data, :secret, "#{h[:prefix]}/".to_sym, :options).nil?
|
|
54
64
|
h[:secrets_version] = "1"
|
|
55
65
|
else
|
|
56
|
-
h[:secrets_version] = mounts_hash.dig(:data, :secret, "#{h[:prefix]}/".to_sym, :options, :version)
|
|
66
|
+
h[:secrets_version] = mounts_hash.dig(:data, :secret, "#{h[:prefix]}/".to_sym, :options, :version).to_s
|
|
57
67
|
end
|
|
58
68
|
end
|
|
59
69
|
end
|
|
60
70
|
|
|
61
|
-
# Internal,
|
|
71
|
+
# Internal, update prefix or path, add `/data` if secrets_version == "2"
|
|
62
72
|
# Parameter is an array of hashes: [{}, {}]
|
|
63
73
|
# Returns array of hashes: [{:name=>"vault-test", :prefix=>"vault-test/data", :path=>"vault/vault-test/data", :secrets_version=>"2"},{}]
|
|
64
74
|
def update_prefix_or_path(targets)
|
|
@@ -70,6 +80,13 @@ module Sanctum
|
|
|
70
80
|
end
|
|
71
81
|
end
|
|
72
82
|
|
|
83
|
+
def remove_trailing_slash(targets)
|
|
84
|
+
targets.each do |h|
|
|
85
|
+
h[:prefix] = h[:prefix].chomp("/")
|
|
86
|
+
h[:path] = h[:path].chomp("/")
|
|
87
|
+
end
|
|
88
|
+
end
|
|
89
|
+
|
|
73
90
|
def unable_to_determine_version
|
|
74
91
|
warn red(
|
|
75
92
|
"Unable to automatically gather info about mounts. This maybe due to vault connectivity or permissions"\
|
data/lib/sanctum/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sanctum
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.8.5.
|
|
4
|
+
version: 0.8.5.rc3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Corban Raun
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-02-
|
|
11
|
+
date: 2019-02-20 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: vault
|