RubyGems - settings_reader-vault_resolver - Versions diffs - 0.4.3 → 0.4.4 - Mend

settings_reader-vault_resolver 0.4.3 → 0.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/lib/settings_reader/vault_resolver/address.rb +4 -0
data/lib/settings_reader/vault_resolver/cache.rb +1 -1
data/lib/settings_reader/vault_resolver/engines/abstract.rb +18 -14
data/lib/settings_reader/vault_resolver/engines/auth.rb +10 -0
data/lib/settings_reader/vault_resolver/helpers/vault_authentication.rb +3 -2
data/lib/settings_reader/vault_resolver/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 200d04472a50277f38b29b18a30b565588e4c5fa7c55a2b654b70bb9dbbc0e62
-  data.tar.gz: 48ec7877b81d458ad9c22b14cdbce6ce05b1a22a141e7c978c3a19c7f6796037
+  metadata.gz: 5135f50633e103f09f6f30bf956295fc9290a6b75dfd7864e0296ecc9f467f35
+  data.tar.gz: d80b42374412c4053538af7e2ba9a984f0f53219fed76aa440a1a35494167b33
 SHA512:
-  metadata.gz: 365fa301486b2df995dc0eacd1e5492ee2f59dd68c26e251f13d813ed49dec7bb0d295de316c3b4edee924785bc03a61e872e48ad67c75e8dc1caa993ad194d0
-  data.tar.gz: 9129f937c54959ea99fcd99647889ccfa22b23783f33f89bdc665d5226b562dbcb6369629927076be3c4be869280a87477251b6bd63e1dc39ded8e8bbc62f22f
+  metadata.gz: 57f47f6d9d9cbea621fa523560129021ceb70c5c9b4175f34f367387bfc76992cae6f5761fb11d36a04bf3111ff156b2ea7c4d7c69703b0256be14e51c973849
+  data.tar.gz: 9789a9fe5ac8bfebb040eae0998d977806daaed20b05a35655d77cf8615aeab6f1023e933ff59c71dd3ce79061f8675f09e8da97d079c02b1b1d95377905e536

data/lib/settings_reader/vault_resolver/address.rb CHANGED Viewed

@@ -26,6 +26,10 @@ module SettingsReader
         URI.decode_www_form(@uri.query || '').to_h
       end
+      def no_cache?
+        options['no_cache'] == 'true'
+      end
       def to_s
         @uri.to_s
       end

data/lib/settings_reader/vault_resolver/cache.rb CHANGED Viewed

@@ -23,7 +23,7 @@ module SettingsReader
       end
       def fetch(address, &block)
-        if (exiting_entry = retrieve(address))
+        if !address.no_cache? && (exiting_entry = retrieve(address))
           exiting_entry
         else
           new_entry = block.call(address)

data/lib/settings_reader/vault_resolver/engines/abstract.rb CHANGED Viewed

@@ -16,7 +16,7 @@ module SettingsReader
         end
         def get(address)
-          return unless (vault_secret = get_secret_with_authentication(address))
+          return unless (vault_secret = get_and_retry_auth(address))
           wrap_secret(address, vault_secret)
         rescue Vault::VaultError => e
@@ -26,7 +26,7 @@ module SettingsReader
         def renew(entry)
           return unless entry.leased?
-          new_secret = renew_lease_with_authentication(entry)
+          new_secret = renew_and_retry_auth(entry)
           entry.update_renewed(new_secret)
           true
         rescue Vault::VaultError => e
@@ -35,31 +35,31 @@ module SettingsReader
         protected
-        def get_secret_with_authentication(address)
-          get_secret_with_retries(address)
-        rescue Vault::HTTPClientError => e # if not authenticated, let's reauthenticate and try once more
-          raise unless e.code == 403
+        def get_and_retry_auth(address)
+          get_and_retry_connection(address)
+        rescue Vault::HTTPError => e # if not authenticated, let's reauthenticate and try once more
+          raise unless auth_error?(e)
           config.vault_initializer.call
-          get_secret_with_retries(address)
+          get_and_retry_connection(address)
         end
-        def get_secret_with_retries(address)
+        def get_and_retry_connection(address)
           Vault.with_retries(Vault::HTTPConnectionError, attempts: config.retrieval_retries) do
             get_secret(address)
           end
         end
-        def renew_lease_with_authentication(address)
-          renew_lease_with_retries(address)
-        rescue Vault::HTTPClientError => e # if not authenticated, let's reauthenticate and try once more
-          raise unless e.code == 403
+        def renew_and_retry_auth(address)
+          renew_and_retry_connection(address)
+        rescue Vault::HTTPError => e # if not authenticated, let's reauthenticate and try once more
+          raise unless auth_error?(e)
           config.vault_initializer.call
-          renew_lease_with_retries(address)
+          renew_and_retry_connection(address)
         end
-        def renew_lease_with_retries(address)
+        def renew_and_retry_connection(address)
           Vault.with_retries(Vault::HTTPConnectionError, attempts: config.lease_renew_retries) do
             renew_lease(address)
           end
@@ -76,6 +76,10 @@ module SettingsReader
         def wrap_secret(address, secret)
           SettingsReader::VaultResolver::Entry.new(address, secret)
         end
+        def auth_error?(error)
+          error.code == 403 || error.message =~ /token mac for token_version.*is incorrect/
+        end
       end
     end
   end

data/lib/settings_reader/vault_resolver/engines/auth.rb CHANGED Viewed

@@ -12,6 +12,16 @@ module SettingsReader
         protected
+        # Auth backend should not retry auth errors as it causing infinite recursion
+        def get_and_retry_auth(address)
+          get_and_retry_connection(address)
+        end
+        # Auth backend should not retry auth errors as it causing infinite recursion
+        def renew_and_retry_auth(address)
+          renew_and_retry_connection(address)
+        end
         def get_secret(address)
           return k8s_auth(address) if address.path == K8S_AUTH

data/lib/settings_reader/vault_resolver/helpers/vault_authentication.rb CHANGED Viewed

@@ -8,8 +8,9 @@ module SettingsReader
         FAKE_RESOLVER_PATH = 'vault/authentication'.freeze
         def authenticate_via_k8s(role, route: nil, service_token_path: nil)
-          params = URI.encode_www_form({ role: role, route: route, service_token_path: service_token_path }.compact)
-          resolver.resolve("vault://auth/kubernetes/login?#{params}#client_token", FAKE_RESOLVER_PATH)
+          params = { role: role, route: route, service_token_path: service_token_path, no_cache: true }
+          url_params = URI.encode_www_form(params.compact)
+          resolver.resolve("vault://auth/kubernetes/login?#{url_params}#client_token", FAKE_RESOLVER_PATH)
         end
         private

data/lib/settings_reader/vault_resolver/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module SettingsReader
   module VaultResolver
-    VERSION = '0.4.3'.freeze
+    VERSION = '0.4.4'.freeze
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: settings_reader-vault_resolver
 version: !ruby/object:Gem::Version
-  version: 0.4.3
+  version: 0.4.4
 platform: ruby
 authors:
 - Volodymyr Mykhailyk
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-09-08 00:00:00.000000000 Z
+date: 2022-09-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby