settings_reader-vault_resolver 0.4.3 → 0.4.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 200d04472a50277f38b29b18a30b565588e4c5fa7c55a2b654b70bb9dbbc0e62
4
- data.tar.gz: 48ec7877b81d458ad9c22b14cdbce6ce05b1a22a141e7c978c3a19c7f6796037
3
+ metadata.gz: 06c1605f97de84c90b6ec0e9c82ba9bfbbe3bd66fa7e1b0e7ef84f576264e581
4
+ data.tar.gz: 546fc50b041e31d4cdd67850eda46b6047c17fb014bb782ffade8e321071e0a0
5
5
  SHA512:
6
- metadata.gz: 365fa301486b2df995dc0eacd1e5492ee2f59dd68c26e251f13d813ed49dec7bb0d295de316c3b4edee924785bc03a61e872e48ad67c75e8dc1caa993ad194d0
7
- data.tar.gz: 9129f937c54959ea99fcd99647889ccfa22b23783f33f89bdc665d5226b562dbcb6369629927076be3c4be869280a87477251b6bd63e1dc39ded8e8bbc62f22f
6
+ metadata.gz: 670cebdbec3ebaf40595ccf60d8e9cd749559e0141a395fe87655d684b406d223fd7e9939faa42dd6e5ae1588b688d04a0d4c7d3960bc56b964f8e1a6faa4bdc
7
+ data.tar.gz: af74dd636a40ba907f8df0fd094b0a1537e4ce4fd9f959efce3b413a0b036c6e35ce892ae67af82e4a493a575086fea4d3c37ebc28df5f44d83e1ebcd3f39742
@@ -26,6 +26,10 @@ module SettingsReader
26
26
  URI.decode_www_form(@uri.query || '').to_h
27
27
  end
28
28
 
29
+ def no_cache?
30
+ options['no_cache'] == 'true'
31
+ end
32
+
29
33
  def to_s
30
34
  @uri.to_s
31
35
  end
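Review bot: `no_cache?` compares the query value against the exact string `'true'`, so `no_cache=1` or `no_cache=TRUE` in an address silently keeps caching; that is acceptable if only this gem's own helper sets the flag (it encodes the Ruby `true` as `no_cache=true`), but the contract is invisible here. Suggest a comment above the method: `# Query flag no_cache=true (as produced by URI.encode_www_form for true) asks the cache to skip its lookup for this address`. `options` appears to be the decoded query hash whose body is visible at line 26; the enclosing class starts outside the hunk.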
@@ -23,7 +23,7 @@ module SettingsReader
23
23
  end
24
24
 
25
25
  def fetch(address, &block)
26
- if (exiting_entry = retrieve(address))
26
+ if !address.no_cache? && (exiting_entry = retrieve(address))
27
27
  exiting_entry
28
28
  else
29
29
  new_entry = block.call(address)
@@ -36,6 +36,10 @@ module SettingsReader
36
36
  @secrets.each_value(&block)
37
37
  end
38
38
 
39
+ def active_entries(&block)
40
+ @secrets.values.select(&:active?).each(&block)
41
+ end
42
+
39
43
  def clear_all
40
44
  @secrets = {}
41
45
  end
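Review bot: The `no_cache?` guard in `fetch` only skips the lookup; the `else` branch continues outside the hunk, and if it still stores `new_entry` as before, a bypassing address is written into `@secrets` anyway, so each k8s login overwrites one cached token entry that `active_entries` will then hand to the lease refresher. If `no_cache` is meant as "never cache", the write needs the same guard, e.g. a guard clause `return block.call(address) if address.no_cache?` at the top of `fetch`. The changed line also carries over the `exiting_entry` misspelling (`existing_entry`). `active_entries` is undocumented and builds an intermediate array via `values`; `@secrets.each_value.select(&:active?).each(&block)` reads the same, and a comment `# Yields entries whose lease has not expired; without a block returns an Enumerator` would state the contract the refresher relies on.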
@@ -34,6 +34,10 @@ module SettingsReader
34
34
  # Default: empty proc
35
35
  attr_accessor :vault_initializer
36
36
 
37
+ # Block to be executed when "lease not found" error is raised
38
+ # Default: empty proc
39
+ attr_accessor :lease_not_found_handler
40
+
37
41
  def initialize
38
42
  @logger = Logger.new($stdout, level: Logger::ERROR)
39
43
  @retrieval_retries = 2
@@ -43,6 +47,7 @@ module SettingsReader
43
47
  @lease_renew_error_listener = -> {}
44
48
  @lease_renew_success_listener = -> {}
45
49
  @vault_initializer = -> {}
50
+ @lease_not_found_handler = ->(_entry) {}
46
51
  end
47
52
 
48
53
  def setup_lease_refresher(cache, previous_task = nil)
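Review bot: The comment on `lease_not_found_handler` copies the listeners above but omits the one fact a caller needs: the handler is invoked with the affected cache entry, and its default `->(_entry) {}` is a one-argument lambda, so a replacement must accept exactly one argument (lambdas enforce arity). Suggest `# Block invoked with the cache entry whose lease Vault reports as not found, after that entry has been evicted from the cache`. It may also be worth stating that any exception the handler raises propagates out of the lease refresher, since the default is a silent no-op.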
@@ -16,7 +16,7 @@ module SettingsReader
16
16
  end
17
17
 
18
18
  def get(address)
19
- return unless (vault_secret = get_secret_with_authentication(address))
19
+ return unless (vault_secret = get_and_retry_auth(address))
20
20
 
21
21
  wrap_secret(address, vault_secret)
22
22
  rescue Vault::VaultError => e
@@ -26,42 +26,40 @@ module SettingsReader
26
26
  def renew(entry)
27
27
  return unless entry.leased?
28
28
 
29
- new_secret = renew_lease_with_authentication(entry)
29
+ new_secret = renew_and_retry_auth(entry)
30
30
  entry.update_renewed(new_secret)
31
31
  true
32
- rescue Vault::VaultError => e
33
- raise SettingsReader::VaultResolver::Error, e.message
34
32
  end
35
33
 
36
34
  protected
37
35
 
38
- def get_secret_with_authentication(address)
39
- get_secret_with_retries(address)
40
- rescue Vault::HTTPClientError => e # if not authenticated, let's reauthenticate and try once more
41
- raise unless e.code == 403
36
+ def get_and_retry_auth(address)
37
+ get_and_retry_connection(address)
38
+ rescue Vault::HTTPError => e # if not authenticated, let's reauthenticate and try once more
39
+ raise unless auth_error?(e)
42
40
 
43
41
  config.vault_initializer.call
44
- get_secret_with_retries(address)
42
+ get_and_retry_connection(address)
45
43
  end
46
44
 
47
- def get_secret_with_retries(address)
45
+ def get_and_retry_connection(address)
48
46
  Vault.with_retries(Vault::HTTPConnectionError, attempts: config.retrieval_retries) do
49
47
  get_secret(address)
50
48
  end
51
49
  end
52
50
 
53
- def renew_lease_with_authentication(address)
54
- renew_lease_with_retries(address)
55
- rescue Vault::HTTPClientError => e # if not authenticated, let's reauthenticate and try once more
56
- raise unless e.code == 403
51
+ def renew_and_retry_auth(entry)
52
+ renew_and_retry_connection(entry)
53
+ rescue Vault::HTTPError => e # if not authenticated, let's reauthenticate and try once more
54
+ raise unless auth_error?(e)
57
55
 
58
56
  config.vault_initializer.call
59
- renew_lease_with_retries(address)
57
+ renew_and_retry_connection(entry)
60
58
  end
61
59
 
62
- def renew_lease_with_retries(address)
60
+ def renew_and_retry_connection(entry)
63
61
  Vault.with_retries(Vault::HTTPConnectionError, attempts: config.lease_renew_retries) do
64
- renew_lease(address)
62
+ renew_lease(entry)
65
63
  end
66
64
  end
67
65
 
@@ -76,6 +74,10 @@ module SettingsReader
76
74
  def wrap_secret(address, secret)
77
75
  SettingsReader::VaultResolver::Entry.new(address, secret)
78
76
  end
77
+
78
+ def auth_error?(error)
79
+ error.code == 403 || error.message =~ /token mac for token_version.*is incorrect/
80
+ end
79
81
  end
80
82
  end
81
83
  end
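Review bot: `auth_error?` at lines 78-80 decides whether to re-authenticate by matching the error message with `=~`, which allocates an unused MatchData and yields an Integer-or-nil instead of a boolean; `error.code == 403 || error.message.match?(/token mac for token_version.*is incorrect/)` is the idiomatic form, and the message branch deserves a comment naming the Vault response it targets, since server-side wording can change without notice. The rescue in `get_and_retry_auth`/`renew_and_retry_auth` now catches `Vault::HTTPError` rather than `Vault::HTTPClientError`, so a server-side error can reach `auth_error?` too, where only the regex branch can match it; the comment should say that is intended. Separately, `renew` drops its `rescue Vault::VaultError` wrapper while `get` keeps one (line 22 of the first hunk), so callers of `renew` now see raw vault-ruby exceptions; if that is deliberate so the refresher can inspect `HTTPClientError#code`, a one-line comment on `renew` would stop the next reader from "fixing" it.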
@@ -12,6 +12,16 @@ module SettingsReader
12
12
 
13
13
  protected
14
14
 
15
+ # Auth backend should not retry auth errors as it causing infinite recursion
16
+ def get_and_retry_auth(address)
17
+ get_and_retry_connection(address)
18
+ end
19
+
20
+ # Auth backend should not retry auth errors as it causing infinite recursion
21
+ def renew_and_retry_auth(address)
22
+ renew_and_retry_connection(address)
23
+ end
24
+
15
25
  def get_secret(address)
16
26
  return k8s_auth(address) if address.path == K8S_AUTH
17
27
 
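Review bot: The comment on the two overrides is ungrammatical (`as it causing infinite recursion`) and does not say where the recursion would come from; suggest `# Re-authentication goes through this backend, so retrying an auth error here would recurse without bound; fall straight through to the connection-retry path`. The `renew_and_retry_auth` override names its parameter `address`, while the same-named method in the other backend hunk (its line 51) takes `entry`; aligning the name avoids confusion about what is actually passed.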
@@ -23,6 +23,10 @@ module SettingsReader
23
23
  Time.now > @lease_started + lease_duration
24
24
  end
25
25
 
26
+ def active?
27
+ !expired?
28
+ end
29
+
26
30
  def expires_in
27
31
  return MONTH unless leased?
28
32
 
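Review bot: `active?` is undocumented, and what it returns for an entry that is not leased depends on `expired?`, whose handling of that case is outside the hunk; a comment such as `# True while the lease has not expired; the refresher only renews active entries` would make the contract explicit. Since `active_entries` now decides which entries get lease refresh, it is worth confirming that a non-leased entry yields the intended answer here.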
@@ -8,8 +8,9 @@ module SettingsReader
8
8
  FAKE_RESOLVER_PATH = 'vault/authentication'.freeze
9
9
 
10
10
  def authenticate_via_k8s(role, route: nil, service_token_path: nil)
11
- params = URI.encode_www_form({ role: role, route: route, service_token_path: service_token_path }.compact)
12
- resolver.resolve("vault://auth/kubernetes/login?#{params}#client_token", FAKE_RESOLVER_PATH)
11
+ params = { role: role, route: route, service_token_path: service_token_path, no_cache: true }
12
+ url_params = URI.encode_www_form(params.compact)
13
+ resolver.resolve("vault://auth/kubernetes/login?#{url_params}#client_token", FAKE_RESOLVER_PATH)
13
14
  end
14
15
 
15
16
  private
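Review bot: The cache bypass relies on `URI.encode_www_form` rendering `true` as the literal `no_cache=true`, which is exactly what the address's `no_cache?` compares against; a short comment on the `params` line, e.g. `# no_cache: true encodes as no_cache=true, which the resolver treats as a cache bypass`, would make that coupling visible to anyone changing either side.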
@@ -18,7 +18,7 @@ module SettingsReader
18
18
 
19
19
  def refresh
20
20
  info { 'Performing Vault leases refresh' }
21
- promises = cache.entries.map do |entry|
21
+ promises = cache.active_entries.map do |entry|
22
22
  debug { "Checking lease for #{entry}. Leased?: #{entry.leased?}. Expires in: #{entry.expires_in}s" }
23
23
  refresh_entry(entry)
24
24
  end.compact
@@ -35,10 +35,27 @@ module SettingsReader
35
35
  info { "Lease renewed for #{entry}. Expires in: #{entry.expires_in}" }
36
36
  entry
37
37
  rescue StandardError => e
38
- error { "Error refreshing lease for #{entry}: #{e.message}" }
39
- raise SettingsReader::VaultResolver::Error, e.message
38
+ handle_refresh_error(e, entry)
40
39
  end
41
40
  end
41
+
42
+ private
43
+
44
+ def handle_refresh_error(error, entry)
45
+ handle_lease_not_found(entry) if lease_not_found_error?(error)
46
+
47
+ error { "Error refreshing lease for #{entry}: #{error.message}" }
48
+ raise SettingsReader::VaultResolver::Error, error.message
49
+ end
50
+
51
+ def lease_not_found_error?(error)
52
+ error.is_a?(Vault::HTTPClientError) && error.code == 400 && error.message =~ /lease not found/
53
+ end
54
+
55
+ def handle_lease_not_found(entry)
56
+ cache.clear(entry)
57
+ config.lease_not_found_handler.call(entry)
58
+ end
42
59
  end
43
60
  end
44
61
  end
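Review bot: `handle_refresh_error` names its parameter `error`, which shadows the `error { ... }` logging helper used on the next line; the call still parses as a method call because of the block, but the shadowing is easy to misread and breaks as soon as someone writes `error(...)`. It also invokes the user-supplied `lease_not_found_handler` before the failure is logged, so an exception from that handler hides the original Vault error from the log. Suggest renaming the parameter and logging first, as below; `lease_not_found_error?` should use `match?` rather than `=~`, which allocates an unused MatchData. `refresh_entry` begins outside the hunk.
```ruby
def handle_refresh_error(exception, entry)
  error { "Error refreshing lease for #{entry}: #{exception.message}" }
  handle_lease_not_found(entry) if lease_not_found_error?(exception)
  raise SettingsReader::VaultResolver::Error, exception.message
end

def lease_not_found_error?(exception)
  exception.is_a?(Vault::HTTPClientError) && exception.code == 400 && exception.message.match?(/lease not found/)
end
# … unchanged: handle_lease_not_found …
```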
@@ -1,5 +1,5 @@
1
1
  module SettingsReader
2
2
  module VaultResolver
3
- VERSION = '0.4.3'.freeze
3
+ VERSION = '0.4.5'.freeze
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: settings_reader-vault_resolver
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.3
4
+ version: 0.4.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - Volodymyr Mykhailyk
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2022-09-08 00:00:00.000000000 Z
11
+ date: 2022-09-29 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: concurrent-ruby