settings_reader-vault_resolver 0.4.0 → 0.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 041a3786bc1f140cee0811ed25d307ea90a0183b1e2a9b2f4b9101c9517a03f8
-  data.tar.gz: 4449fc9d7b17afb83b69be9cf1795b9c8ce4c0aef52ecd048d52d15ff6ad58cd
+  metadata.gz: 200d04472a50277f38b29b18a30b565588e4c5fa7c55a2b654b70bb9dbbc0e62
+  data.tar.gz: 48ec7877b81d458ad9c22b14cdbce6ce05b1a22a141e7c978c3a19c7f6796037
 SHA512:
-  metadata.gz: ff78c9900e1c2391eb8a5200aea1c5f46226c7d1924b601aaf4310bfd3b17921847f057ce9ca180cd5d438b0d37c09cc33434e581e429faa63138ddb4b2cce07
-  data.tar.gz: 27838f4e0b45e9ee97ef13bbf757c0a7d1c3c4a1b88dcabfb1fb717ce20fc023e0e584549e94b59890abd624f4820eb2fa765df3d463c097481fc95c825b2564
+  metadata.gz: 365fa301486b2df995dc0eacd1e5492ee2f59dd68c26e251f13d813ed49dec7bb0d295de316c3b4edee924785bc03a61e872e48ad67c75e8dc1caa993ad194d0
+  data.tar.gz: 9129f937c54959ea99fcd99647889ccfa22b23783f33f89bdc665d5226b562dbcb6369629927076be3c4be869280a87477251b6bd63e1dc39ded8e8bbc62f22f

data/.circleci/config.yml

@@ -0,0 +1,114 @@
+
+version: 2.1
+
+orbs:
+  ci: matic/orb-common@0.2
+  ruby: circleci/ruby@1.8.0
+
+jobs:
+
+  rspec-test:
+    resource_class: small
+    parameters:
+      ruby-version:
+        type: string
+    docker:
+      - image: cimg/ruby:<< parameters.ruby-version >>
+        environment:
+          COVERAGE: true
+          CODECOV_TOKEN: a0c859b6-dfb7-4d9f-9933-2dd945cdd960
+          VAULT_ADDR: 'http://127.0.0.1:8200'
+          VAULT_TOKEN: 'vault_root_token'
+      - image: vault
+        environment:
+          VAULT_DEV_ROOT_TOKEN_ID: vault_root_token
+          SKIP_SETCAP: true
+      - image: postgres:14.1-alpine
+        environment:
+          POSTGRES_DB: 'app_db'
+          POSTGRES_USER: 'vault_root'
+          POSTGRES_PASSWORD: 'root_password'
+    steps:
+      - checkout
+      - ruby/install-deps
+      - run:
+          name: Set up vault
+          command: sh local/vault/setup.sh
+      - run:
+          name: Run RSpec Tests
+          command: bundle exec rspec
+      - store_test_results:
+          path: reports/rspec
+      - store_artifacts:
+          path: reports/rspec
+      - ci/slack-stage-message
+
+  rubocop:
+    resource_class: small
+    docker:
+      - image: cimg/ruby:2.5
+    steps:
+      - checkout
+      - ruby/install-deps
+      - run:
+          name: Run rubocop
+          command: bundle exec rubocop --parallel
+
+  release:
+    parameters:
+      tag:
+        type: string
+        default: "default-tag"
+    docker:
+      - image: cimg/ruby:2.7.5
+    environment:
+      RELEASE_TAG: << parameters.tag >>
+    steps:
+      - checkout
+      - ruby/install-deps
+      - run:
+          name: Set up credentials
+          command: |
+              mkdir -p $HOME/.gem
+              touch $HOME/.gem/credentials
+              chmod 0600 $HOME/.gem/credentials
+              printf -- "---\n:rubygems_api_key: $RUBYGEMS_API_KEY\n" > $HOME/.gem/credentials
+      - run:
+          name: Set version
+          command: sed -i "s/[[:digit:]].[[:digit:]].[[:digit:]]/${RELEASE_TAG}/g" $(find . -name "version.rb")
+      - run:
+          name: Build gem
+          command: gem build *.gemspec
+      - run:
+          name: Push gem
+          command: gem push *.gem
+
+workflows:
+
+  settings_reader-vault_resolver.build-pull-request:
+    when:
+      not:
+        equal: [ main, << pipeline.git.branch >> ]
+    jobs:
+
+      - rspec-test:
+          context: global
+          matrix:
+            parameters:
+              ruby-version: [ '2.5', '2.6', '2.7', '3.0' ]
+
+      - rubocop:
+          name: Rubocop
+          context: global
+
+  settings_reader-vault_resolver.release:
+    jobs:
+
+      - release:
+          tag: << pipeline.git.tag >>
+          context: gem-publishing
+          filters:
+            branches:
+              ignore: /.*/
+            tags:
+              only: /\d\.\d\.\d/ # It should be [digin dot digit dot digit] format

data/.github/workflows/linters.yml

@@ -9,19 +9,6 @@ on:
     - cron: '30 0 * * 1'
 
 jobs:
-  rubocop:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: 2.5
-          bundler-cache: true
-      - name: Run rubocop
-        run: bundle exec rubocop --parallel
 
   code-ql:
     name: Analyze

data/.github/workflows/main.yml

@@ -10,64 +10,6 @@ on:
     types: [published]
 
 jobs:
-  build:
-    env:
-      COVERAGE: true
-      CODECOV_TOKEN: a0c859b6-dfb7-4d9f-9933-2dd945cdd960
-      VAULT_ADDR: 'http://127.0.0.1:8200'
-      VAULT_TOKEN: 'vault_root_token'
-
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        ruby: [ '2.5.x', '2.6.x', '2.7.x', '3.0.x' ]
-    services:
-      vault:
-        image: vault
-        ports:
-          - "8200:8200"
-        env:
-          VAULT_DEV_ROOT_TOKEN_ID: vault_root_token
-          SKIP_SETCAP: true
-      db:
-        image: postgres:14.1-alpine
-        ports:
-          - "5432:5432"
-        env:
-          POSTGRES_USER: 'vault_root'
-          POSTGRES_PASSWORD: 'root_password'
-          POSTGRES_DB: 'app_db'
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v1
-      - name: Cache dependencies
-        uses: actions/cache@v1
-        with:
-          path: vendor/bundle
-          key: ${{ runner.OS }}-ruby-${{ matrix.ruby }}
-          restore-keys: ${{ runner.OS }}-
-
-      - name: Set up Ruby
-        uses: actions/setup-ruby@v1
-        with:
-          ruby-version: ${{ matrix.ruby }}
-      - name: Set up Bundler
-        run: gem install bundler:2.1.4
-      - name: Set up Dependencies
-        run: bundle install --path vendor/bundle
-      - name: Set up Vault
-        run: sh local/vault/setup.sh
-
-      - name: Run specs
-        env:
-          COVERAGE: true
-        run: bundle exec rspec
-
-      - name: Upload coverage
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-        run: bash <(curl -s https://codecov.io/bash)
 
   release:
     runs-on: ubuntu-latest

data/CHANGELOG.md

@@ -1,5 +1,23 @@
 ## [Unreleased]
 
+## [0.4.2]
+### Fixes
+- Fix lost secret data after lease renewal
+- Fix exception when getting value from secret with nil data
+
+## [0.4.1]
+### Changes
+- Broader entry secret data access to allow retrieval of secret attributes
+
+### Fixes
+- Fix exception when retrieving authenticating via k8s endpoint
+
+### New features
+- Retry secret retrieval and renewal
+- Capture more vault exceptions including connectivity errors
+- Introduce vault engine adapter concept
+- Separate kv, database, and auth engine logic
+
 ## [0.4.0]
 ### Breaking changes
 - Reworked authentication helpers interface
@@ -55,7 +73,9 @@
 - Secrets caching
 - Automatic secrets lease renewal
 
-[Unreleased]: https://github.com/matic-insurance/settings_reader-vault_resolver/compare/0.4.0...HEAD
+[Unreleased]: https://github.com/matic-insurance/settings_reader-vault_resolver/compare/0.4.2...HEAD
+[0.4.2]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.4.2
+[0.4.1]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.4.1
 [0.4.0]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.4.0
 [0.3.0]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.3.0
 [0.2.4]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.2.4

data/README.md

@@ -33,7 +33,8 @@ AppSettings = SettingsReader.load do |config|
   # Configure vault resolver
   SettingsReader::VaultResolver.configure do |vault_resolver_config|
     vault_resolver_config.logger = Rails.logger
-    # ... VaultResolver configurations
+    vault_resolver_config.vault_initializer = -> { authenticate_vault }
+    # ... other VaultResolver configurations
   end
   
   # Add vault resolver as one of resolvers

data/docker-compose.yml

@@ -7,7 +7,7 @@ services:
       - "8200:8200"
     environment:
       VAULT_DEV_ROOT_TOKEN_ID: 'vault_root_token'
-      SKIP_SETCAP: true
+      SKIP_SETCAP: 'true'
   db:
     image: postgres:14.1-alpine
     ports:
@@ -26,5 +26,5 @@ services:
     environment:
       VAULT_ADDR: 'http://vault:8200'
       VAULT_TOKEN: 'vault_root_token'
-      SKIP_SETCAP: true
+      SKIP_SETCAP: 'true'
     command: sh /etc/vault/setup.sh

data/lib/settings_reader/vault_resolver/cache.rb

@@ -36,6 +36,10 @@ module SettingsReader
         @secrets.each_value(&block)
       end
 
+      def clear_all
+        @secrets = {}
+      end
+
       private
 
       def cache_key(address)

data/lib/settings_reader/vault_resolver/configuration.rb

@@ -30,14 +30,19 @@ module SettingsReader
       # Default: empty proc
       attr_accessor :lease_renew_error_listener
 
+      # Block to be executed for initialization and authorization
+      # Default: empty proc
+      attr_accessor :vault_initializer
+
       def initialize
         @logger = Logger.new($stdout, level: Logger::ERROR)
         @retrieval_retries = 2
         @lease_refresh_interval = 60
         @lease_renew_delay = 300
         @lease_renew_retries = 4
-        @lease_renew_error_listener = proc {}
-        @lease_renew_success_listener = proc {}
+        @lease_renew_error_listener = -> {}
+        @lease_renew_success_listener = -> {}
+        @vault_initializer = -> {}
       end
 
       def setup_lease_refresher(cache, previous_task = nil)

data/lib/settings_reader/vault_resolver/engines/abstract.rb

@@ -16,7 +16,7 @@ module SettingsReader
         end
 
         def get(address)
-          return unless (vault_secret = get_secret_with_retries(address))
+          return unless (vault_secret = get_secret_with_authentication(address))
 
           wrap_secret(address, vault_secret)
         rescue Vault::VaultError => e
@@ -26,7 +26,7 @@ module SettingsReader
         def renew(entry)
           return unless entry.leased?
 
-          new_secret = renew_lease_with_retries(entry)
+          new_secret = renew_lease_with_authentication(entry)
           entry.update_renewed(new_secret)
           true
         rescue Vault::VaultError => e
@@ -35,12 +35,30 @@ module SettingsReader
 
         protected
 
+        def get_secret_with_authentication(address)
+          get_secret_with_retries(address)
+        rescue Vault::HTTPClientError => e # if not authenticated, let's reauthenticate and try once more
+          raise unless e.code == 403
+
+          config.vault_initializer.call
+          get_secret_with_retries(address)
+        end
+
         def get_secret_with_retries(address)
           Vault.with_retries(Vault::HTTPConnectionError, attempts: config.retrieval_retries) do
             get_secret(address)
           end
         end
 
+        def renew_lease_with_authentication(address)
+          renew_lease_with_retries(address)
+        rescue Vault::HTTPClientError => e # if not authenticated, let's reauthenticate and try once more
+          raise unless e.code == 403
+
+          config.vault_initializer.call
+          renew_lease_with_retries(address)
+        end
+
         def renew_lease_with_retries(address)
           Vault.with_retries(Vault::HTTPConnectionError, attempts: config.lease_renew_retries) do
             renew_lease(address)

data/lib/settings_reader/vault_resolver/entry.rb

@@ -2,13 +2,14 @@ module SettingsReader
   module VaultResolver
     # Wrapper around vault secret object
     class Entry
-      attr_reader :address, :secret
+      attr_reader :address, :secret, :data
 
       MONTH = 30 * 60 * 60
 
       def initialize(address, secret)
         @address = address
         @secret = secret
+        @data = extract_data(secret)
         @lease_started = Time.now
       end
 
@@ -34,11 +35,15 @@ module SettingsReader
 
       def update_renewed(new_secret)
         @secret = new_secret
+        @data = @data.merge(extract_data(new_secret).compact)
         @lease_started = Time.now
       end
 
       def value_for(attribute)
-        secret.data[attribute.to_sym]
+        return data[attribute.to_sym] if data.key?(attribute.to_sym)
+        return secret.public_send(attribute) if secret.respond_to?(attribute)
+
+        nil
       end
 
       def to_s
@@ -48,6 +53,12 @@ module SettingsReader
       def lease_duration
         @secret.lease_duration.to_i
       end
+
+      private
+
+      def extract_data(secret)
+        secret.respond_to?(:data) && secret.data ? secret.data : {}
+      end
     end
   end
 end

data/lib/settings_reader/vault_resolver/version.rb

@@ -1,5 +1,5 @@
 module SettingsReader
   module VaultResolver
-    VERSION = '0.4.0'.freeze
+    VERSION = '0.4.3'.freeze
   end
 end

data/lib/settings_reader/vault_resolver.rb

@@ -28,6 +28,7 @@ module SettingsReader
     def self.configure(&block)
       @configuration = SettingsReader::VaultResolver::Configuration.new
       block&.call(@configuration)
+      @configuration.vault_initializer.call
       @refresher_timer_task = @configuration.setup_lease_refresher(cache, refresher_timer_task)
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: settings_reader-vault_resolver
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.4.3
 platform: ruby
 authors:
 - Volodymyr Mykhailyk
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-04-12 00:00:00.000000000 Z
+date: 2022-09-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -62,6 +62,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".circleci/config.yml"
 - ".github/workflows/linters.yml"
 - ".github/workflows/main.yml"
 - ".gitignore"
@@ -118,7 +119,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.2.32
 signing_key: 
 specification_version: 4
 summary: Settings Reader plugin to resolve values using in Hashicorp Vault