secrets_cli 0.4.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: df8b479ed5bcee7c806ee75767cfe27b302b2509
-  data.tar.gz: f5b712d98a1cad4360e5c0ff4634c4f233333f8f
+  metadata.gz: 4118924f144c963dee59107590614d200c292885
+  data.tar.gz: 345e252e99f89ddc81576c37ac2921ae1860e157
 SHA512:
-  metadata.gz: 26df7b2f3baf5ce79cbf48ae29a7e0a56e82e2f0b6cbbffc85d24fa7da171bd6c0c1c593bb1e37d4c84e062cdd53a7c019dc6d4755c92f35ab8ffea8b21e424f
-  data.tar.gz: f6061b1517d2f88da2321ef5f39ecce2cd440e96a1aa9e1239d42ba0a27cf8f63b45823ffe88e9f3c086ebd4bc6cba5d6954852648cacdb2c84946ad83329b5f
+  metadata.gz: 43b93238ba31eb5e30d5a336b8d7d3905f252bc8b93b2360553071475d31d66d2f0e8195ef6023878d968d185f9f39f58cf721335c98cf0d01b6c924e0dfee4e
+  data.tar.gz: 945a6e09d1a74943b820749ae92a9933793bef3d61c76d31c1657a1fa98d88b4c4bb6fc1e02a204bd42edd14098a3e657dd4f5202cc0f370d6de80dad998332c

data/.gitignore

@@ -8,3 +8,4 @@
 /spec/reports/
 /tmp/
 .secrets
+/config/

data/README.md

@@ -24,8 +24,6 @@ Or install it yourself as:
 
 ## Prerequisites
 
-`vault` must be installed on system. This gem adds a dependency to `vault-binaries` which will install `vault` for you.
-
 The following environment variables need to be set:
 
 For `vault` itself:
@@ -34,8 +32,10 @@ For `vault` itself:
 
 For `secrets_cli`:
 
-    VAULT_AUTH_METHOD - this is auth method ('github' or 'token' supported for now)
+    VAULT_AUTH_METHOD - this is auth method ('github', 'token' or 'app_id' supported for now)
     VAULT_AUTH_TOKEN - this is vault auth token
+    VAULT_AUTH_APP_ID - machine app_id
+    VAULT_AUTH_USER_ID - machine user_id which matches app_id
 
 For github token you only need `read:org` permissions.
 
@@ -57,12 +57,11 @@ Example of the `.secrets`:
     :secrets_file: config/application.yml   # file where your secrets are kept, depending on your environment gem (figaro, dotenv, etc)
     :secrets_storage_key: rails/my_project/ # vault 'storage_key' where your secrets will be kept.
 
-### Auth
+### Policies
 
-    $ secrets auth
+    $ secrets policies
 
-You need to first authenticate yourself on vault server to be able to read and write.
-Needs to be done only _once_ for specific token.
+To get all the policies your auth grants please use this command.
 
 ### storage_keys and environments
 
@@ -79,10 +78,6 @@ Environment is `development` by default, but it can be overwriten by passing `--
 
 This will only read from vault.
 
-Example of executed command:
-
-    vault read rails/my_project/development
-
 ### Pull
 
     $ secrets pull
@@ -109,4 +104,3 @@ Bug storage_keyrts and pull requests are welcome on GitHub at https://github.com
 ## License
 
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
-

data/exe/secrets

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 
-# $LOAD_PATH << 'lib'
+$LOAD_PATH << 'lib'
 require 'rubygems'
 require 'commander/import'
 require 'secrets_cli'
@@ -20,13 +20,11 @@ command :init do |c|
   end
 end
 
-command :auth do |c|
-  c.syntax = 'secrets auth [options]'
-  c.summary = 'Use to authenticate with vault server'
-  c.option '-T', '--auth_token STRING', String, 'Auth token or $SECRETS_VAULT_AUTH_TOKEN'
-  c.option '-m', '--auth_method STRING', String, 'github or token'
+command :policies do |c|
+  c.syntax = 'secrets policies'
+  c.summary = 'Check what policies your auth has'
   c.action do |_args, options|
-    SecretsCli::Check::Vault.new(options).call
+    options.default verbose: true
     SecretsCli::Vault::Auth.new(options).call
   end
 end
@@ -39,7 +37,7 @@ command :pull do |c|
   c.option '-k', '--secrets_storage_key STRING', String, 'Override secrets_storage_key'
   c.option '-d', '--secrets_dir STRING', String, 'Override secrets_dir, default: "."'
   c.action do |_args, options|
-    SecretsCli::Check::Secrets.new(options).call
+    SecretsCli::Vault::Auth.new(options).call
     SecretsCli::Vault::Pull.new(options).call
   end
 end
@@ -52,7 +50,7 @@ command :push do |c|
   c.option '-f', '--secrets_file STRING', String, 'Override secrets_file'
   c.option '-k', '--secrets_storage_key STRING', String, 'Override secrets_storage_key'
   c.action do |_args, options|
-    SecretsCli::Check::Secrets.new(options).call
+    SecretsCli::Vault::Auth.new(options).call
     SecretsCli::Vault::Push.new(options).call
   end
 end
@@ -63,7 +61,7 @@ command :read do |c|
   c.option '-e', '--environment STRING', String, 'Set environment, default: development'
   c.option '-k', '--secrets_storage_key STRING', String, 'Override secrets_storage_key'
   c.action do |_args, options|
-    SecretsCli::Check::Secrets.new(options).call
+    SecretsCli::Vault::Auth.new(options).call
     SecretsCli::Vault::Read.new(options).call
   end
 end

data/lib/secrets_cli/check/vault.rb

@@ -12,8 +12,12 @@ module SecretsCli
       def call
         error! 'Missing vault' if TTY::Which.which('vault').nil?
         error! 'Missing VAULT_ADDR env' if ENV['VAULT_ADDR'].nil?
-        error! 'Missing VAULT_AUTH_TOKEN env' if missing_auth_token?
         error! 'Missing VAULT_AUTH_METHOD env' if missing_auth_method?
+        if auth_method == 'app_id'
+          error! 'Missing VAULT_AUTH_APP_ID' if missing_auth_app_id?
+          error! 'Missing VAULT_AUTH_USER_ID' if missing_auth_user_id?
+        end
+        error! 'Missing VAULT_AUTH_TOKEN env' if missing_auth_token?
       end
 
       private
@@ -25,6 +29,18 @@ module SecretsCli
       def missing_auth_method?
         options.auth_method.nil? && ENV['VAULT_AUTH_METHOD'].nil?
       end
+
+      def missing_auth_app_id?
+        options.auth_app_id.nil? && ENV['VAULT_AUTH_APP_ID'].nil?
+      end
+
+      def missing_auth_user_id?
+        options.auth_user_id.nil? && ENV['VAULT_AUTH_USER_ID'].nil?
+      end
+
+      def auth_method
+        ENV['VAULT_AUTH_METHOD']
+      end
     end
   end
 end

data/lib/secrets_cli/configuration.rb

@@ -20,7 +20,7 @@ module SecretsCli
     end
 
     def self.write(config)
-      File.open(SECRETS_CONFIG_FILE, 'w') { |f| f.write(config.to_yaml) }
+      File.open(SECRETS_CONFIG_FILE, 'w') { |file| file.write(config.to_yaml) }
     end
   end
 end

data/lib/secrets_cli/vault/auth.rb

@@ -5,20 +5,25 @@ module SecretsCli
 
       def initialize(options)
         super
-        @auth_token = options.auth_token || ENV['VAULT_AUTH_TOKEN']
-        @auth_method = options.auth_method || ENV['VAULT_AUTH_METHOD']
+        SecretsCli::Check::Vault.new(options).call
+        @auth_method = ENV['VAULT_AUTH_METHOD']
+        @auth_token = ENV['VAULT_AUTH_TOKEN']
+        @auth_app_id = ENV['VAULT_AUTH_APP_ID']
+        @auth_user_id = ENV['VAULT_AUTH_USER_ID']
       end
 
       private
 
-      attr_reader :auth_token, :auth_method
+      attr_reader :auth_token, :auth_method, :auth_app_id, :auth_user_id
 
       def command
         case auth_method
         when 'github'
-          "vault auth -method=github token=#{auth_token}"
+          ::Vault.auth.github(auth_token).auth[:policies]
         when 'token'
-          "vault auth #{auth_token}"
+          ::Vault.auth.token(auth_token).auth[:policies]
+        when 'app_id'
+          ::Vault.auth.app_id(auth_app_id, auth_user_id).auth[:policies]
         else
           error! "Unknown auth method #{auth_method}"
         end

data/lib/secrets_cli/vault/base.rb

@@ -10,14 +10,9 @@ module SecretsCli
       end
 
       def call
-        print_verbose(command) if config.verbose
-        Open3.popen2e(command) do |_stdin, stdout_and_stderr, wait_thr|
-          if wait_thr.value.success?
-            prompt.ok(stdout_and_stderr.read)
-          else
-            error(stdout_and_stderr.read)
-          end
-        end
+        options.verbose ? prompt.ok(command) : command
+      rescue => exception
+        error!(exception.message)
       end
 
       private

data/lib/secrets_cli/vault/pull.rb

@@ -5,14 +5,18 @@ module SecretsCli
 
       def initialize(options)
         super
+        SecretsCli::Check::Secrets.new(options).call
         @secrets_file = options.secrets_file || config.secrets_file
         @secrets_dir = options.secrets_dir || '.'
       end
 
-      def call
-        secrets = super.first
+      private
+
+      def command
+        secrets = super
         print_verbose("Writing to #{secrets_file}")
-        File.open(File.join(secrets_dir, secrets_file), 'w') { |f| f.write(secrets) }
+        File.open(File.join(secrets_dir, secrets_file), 'w') { |file| file.write(secrets) }
+        secrets
       end
     end
   end

data/lib/secrets_cli/vault/push.rb

@@ -5,6 +5,7 @@ module SecretsCli
 
       def initialize(options)
         super
+        SecretsCli::Check::Secrets.new(options).call
         @secrets_storage_key = options.secrets_storage_key || config.secrets_storage_key
         @secrets_file = options.secrets_file || config.secrets_file
         @secrets = File.read(secrets_file)
@@ -18,7 +19,8 @@ module SecretsCli
       private
 
       def command
-        "vault write #{secrets_full_storage_key} #{SECRETS_FIELD}=\"#{secrets}\""
+        ::Vault.logical.write(secrets_full_storage_key, SECRETS_FIELD => secrets)
+        secrets
       end
 
       def are_you_sure?

data/lib/secrets_cli/vault/read.rb

@@ -3,6 +3,8 @@ module SecretsCli
     class Read < SecretsCli::Vault::Base
       def initialize(options)
         super
+        options.default verbose: true
+        SecretsCli::Check::Secrets.new(options).call
         @secrets_storage_key = options.secrets_storage_key || config.secrets_storage_key
       end
 
@@ -11,7 +13,8 @@ module SecretsCli
       attr_reader :secrets_storage_key
 
       def command
-        "vault read --field=#{SECRETS_FIELD} #{secrets_full_storage_key}"
+        secret = ::Vault.logical.read(secrets_full_storage_key)
+        secret.data[SECRETS_FIELD]
       end
     end
   end

data/lib/secrets_cli/version.rb

@@ -1,3 +1,3 @@
 module SecretsCli
-  VERSION = '0.4.0'
+  VERSION = '1.0.0'
 end

data/lib/secrets_cli.rb

@@ -3,6 +3,7 @@ require 'tty-prompt'
 require 'tty-which'
 require 'open3'
 require 'singleton'
+require 'vault'
 require 'secrets_cli/helpers'
 require 'secrets_cli/configuration'
 require 'secrets_cli/init'
@@ -17,9 +18,9 @@ require 'secrets_cli/vault/pull'
 require 'secrets_cli/vault/push'
 require 'secrets_cli/version'
 
-# require 'pry'
+require 'pry'
 
 module SecretsCli
   SECRETS_CONFIG_FILE = '.secrets'
-  SECRETS_FIELD = 'secrets'
+  SECRETS_FIELD = :secrets
 end

data/secrets_cli.gemspec

@@ -33,5 +33,5 @@ Gem::Specification.new do |spec|
 
   spec.add_runtime_dependency 'commander'
   spec.add_runtime_dependency 'tty', '~> 0.4.0'
-  spec.add_runtime_dependency 'vault-binaries'
+  spec.add_runtime_dependency 'vault'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secrets_cli
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Stjepan Hadjic
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-03-15 00:00:00.000000000 Z
+date: 2016-04-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -95,7 +95,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 0.4.0
 - !ruby/object:Gem::Dependency
-  name: vault-binaries
+  name: vault
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="