vault-kv 0.12.0
- checksums.yaml +7 -0
- data/.gitignore +42 -0
- data/.rspec +2 -0
- data/.travis.yml +29 -0
- data/CHANGELOG.md +228 -0
- data/Gemfile +3 -0
- data/LICENSE +362 -0
- data/README.md +212 -0
- data/Rakefile +6 -0
- data/lib/vault.rb +49 -0
- data/lib/vault/api.rb +13 -0
- data/lib/vault/api/approle.rb +218 -0
- data/lib/vault/api/auth.rb +316 -0
- data/lib/vault/api/auth_tls.rb +92 -0
- data/lib/vault/api/auth_token.rb +242 -0
- data/lib/vault/api/help.rb +33 -0
- data/lib/vault/api/kv.rb +207 -0
- data/lib/vault/api/logical.rb +150 -0
- data/lib/vault/api/secret.rb +168 -0
- data/lib/vault/api/sys.rb +25 -0
- data/lib/vault/api/sys/audit.rb +91 -0
- data/lib/vault/api/sys/auth.rb +116 -0
- data/lib/vault/api/sys/health.rb +63 -0
- data/lib/vault/api/sys/init.rb +83 -0
- data/lib/vault/api/sys/leader.rb +48 -0
- data/lib/vault/api/sys/lease.rb +49 -0
- data/lib/vault/api/sys/mount.rb +103 -0
- data/lib/vault/api/sys/policy.rb +92 -0
- data/lib/vault/api/sys/seal.rb +81 -0
- data/lib/vault/client.rb +447 -0
- data/lib/vault/configurable.rb +48 -0
- data/lib/vault/defaults.rb +197 -0
- data/lib/vault/encode.rb +19 -0
- data/lib/vault/errors.rb +72 -0
- data/lib/vault/persistent.rb +1158 -0
- data/lib/vault/persistent/connection.rb +42 -0
- data/lib/vault/persistent/pool.rb +48 -0
- data/lib/vault/persistent/timed_stack_multi.rb +70 -0
- data/lib/vault/request.rb +43 -0
- data/lib/vault/response.rb +89 -0
- data/lib/vault/vendor/connection_pool.rb +150 -0
- data/lib/vault/vendor/connection_pool/timed_stack.rb +178 -0
- data/lib/vault/vendor/connection_pool/version.rb +5 -0
- data/lib/vault/version.rb +3 -0
- data/vault.gemspec +30 -0
- metadata +186 -0
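--- a/data/lib/vault/api/auth.rb
+++ b/data/lib/vault/api/auth.rb
@@ -0,0 +1,316 @@
+require "json"
+
+require_relative "secret"
+require_relative "../client"
+
+module Vault
+  class Client
+    # A proxy to the {Auth} methods.
+    # @return [Auth]
+    def auth
+      @auth ||= Authenticate.new(self)
+    end
+  end
+
+  class Authenticate < Request
+    # Authenticate via the "token" authentication method. This authentication
+    # method is a bit bizarre because you already have a token, but hey,
+    # whatever floats your boat.
+    #
+    # This method hits the `/v1/auth/token/lookup-self` endpoint after setting
+    # the Vault client's token to the given token parameter. If the self lookup
+    # succeeds, the token is persisted onto the client for future requests. If
+    # the lookup fails, the old token (which could be unset) is restored on the
+    # client.
+    #
+    # @example
+    #   Vault.auth.token("6440e1bd-ba22-716a-887d-e133944d22bd") #=> #<Vault::Secret lease_id="">
+    #   Vault.token #=> "6440e1bd-ba22-716a-887d-e133944d22bd"
+    #
+    # @param [String] new_token
+    #   the new token to try to authenticate and store on the client
+    #
+    # @return [Secret]
+    def token(new_token)
+      old_token = client.token
+      client.token = new_token
+      json = client.get("/v1/auth/token/lookup-self")
+      secret = Secret.decode(json)
+      return secret
+    rescue
+      client.token = old_token
+      raise
+    end
+
+    # Authenticate via the "app-id" authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used for
+    # future requests.
+    #
+    # @example
+    #   Vault.auth.app_id(
+    #     "aeece56e-3f9b-40c3-8f85-781d3e9a8f68",
+    #     "3b87be76-95cf-493a-a61b-7d5fc70870ad",
+    #   ) #=> #<Vault::Secret lease_id="">
+    #
+    # @example with a custom mount point
+    #   Vault.auth.app_id(
+    #     "aeece56e-3f9b-40c3-8f85-781d3e9a8f68",
+    #     "3b87be76-95cf-493a-a61b-7d5fc70870ad",
+    #     mount: "new-app-id",
+    #   )
+    #
+    # @param [String] app_id
+    # @param [String] user_id
+    # @param [Hash] options
+    #   additional options to pass to the authentication call, such as a custom
+    #   mount point
+    #
+    # @return [Secret]
+    def app_id(app_id, user_id, options = {})
+      payload = { app_id: app_id, user_id: user_id }.merge(options)
+      json = client.post("/v1/auth/app-id/login", JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via the "approle" authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used for
+    # future requests.
+    #
+    # @example
+    #   Vault.auth.approle(
+    #     "db02de05-fa39-4855-059b-67221c5c2f63",
+    #     "6a174c20-f6de-a53c-74d2-6018fcceff64",
+    #   ) #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] role_id
+    # @param [String] secret_id (default: nil)
+    #   It is required when `bind_secret_id` is enabled for the specified role_id
+    #
+    # @return [Secret]
+    def approle(role_id, secret_id=nil)
+      payload = { role_id: role_id }
+      payload[:secret_id] = secret_id if secret_id
+      json = client.post("/v1/auth/approle/login", JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via the "userpass" authentication method. If authentication
+    # is successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.userpass("sethvargo", "s3kr3t") #=> #<Vault::Secret lease_id="">
+    #
+    # @example with a custom mount point
+    #   Vault.auth.userpass("sethvargo", "s3kr3t", mount: "admin-login") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] username
+    # @param [String] password
+    # @param [Hash] options
+    #   additional options to pass to the authentication call, such as a custom
+    #   mount point
+    #
+    # @return [Secret]
+    def userpass(username, password, options = {})
+      payload = { password: password }.merge(options)
+      json = client.post("/v1/auth/userpass/login/#{encode_path(username)}", JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via the "ldap" authentication method. If authentication
+    # is successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.ldap("sethvargo", "s3kr3t") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] username
+    # @param [String] password
+    # @param [Hash] options
+    #   additional options to pass to the authentication call, such as a custom
+    #   mount point
+    #
+    # @return [Secret]
+    def ldap(username, password, options = {})
+      payload = { password: password }.merge(options)
+      json = client.post("/v1/auth/ldap/login/#{encode_path(username)}", JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via the GitHub authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.github("mypersonalgithubtoken") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] github_token
+    #
+    # @return [Secret]
+    def github(github_token, path="/v1/auth/github/login")
+      payload = {token: github_token}
+      json = client.post(path, JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via the AWS EC2 authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.aws_ec2("read-only", "pkcs7", "vault-nonce") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] role
+    # @param [String] pkcs7
+    #   pkcs7 returned by the instance identity document (with line breaks removed)
+    # @param [String] nonce optional
+    # @param [String] route optional
+    #
+    # @return [Secret]
+    def aws_ec2(role, pkcs7, nonce = nil, route = nil)
+      route ||= '/v1/auth/aws-ec2/login'
+      payload = { role: role, pkcs7: pkcs7 }
+      # Set a custom nonce if client is providing one
+      payload[:nonce] = nonce if nonce
+      json = client.post(route, JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via AWS IAM auth method by providing a AWS CredentialProvider (either ECS, AssumeRole, etc.)
+    # If authentication is successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.aws_iam("dev-role-iam", Aws::InstanceProfileCredentials.new, "vault.example.com", "https://sts.us-east-2.amazonaws.com") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] role
+    # @param [CredentialProvider] credentials_provider
+    #   https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CredentialProvider.html
+    # @param [String] iam_auth_header_value optional
+    #   As of Jan 2018, Vault will accept ANY or NO header if none is configured by the Vault server admin
+    # @param [String] sts_endpoint optional
+    #   https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
+    # @param [String] route optional
+    # @return [Secret]
+    def aws_iam(role, credentials_provider, iam_auth_header_value = nil, sts_endpoint = 'https://sts.amazonaws.com', route = nil)
+      require "aws-sigv4"
+      require "base64"
+
+      request_body = 'Action=GetCallerIdentity&Version=2011-06-15'
+      request_method = 'POST'
+
+      route ||= '/v1/auth/aws/login'
+
+      vault_headers = {
+        'User-Agent' => Vault::Client::USER_AGENT,
+        'Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8'
+      }
+
+      vault_headers['X-Vault-AWS-IAM-Server-ID'] = iam_auth_header_value if iam_auth_header_value
+
+      sig4_headers = Aws::Sigv4::Signer.new(
+        service: 'sts',
+        region: region_from_sts_endpoint(sts_endpoint),
+        credentials_provider: credentials_provider
+      ).sign_request(
+        http_method: request_method,
+        url: sts_endpoint,
+        headers: vault_headers,
+        body: request_body
+      ).headers
+
+      payload = {
+        role: role,
+        iam_http_request_method: request_method,
+        iam_request_url: Base64.strict_encode64(sts_endpoint),
+        iam_request_headers: Base64.strict_encode64(vault_headers.merge(sig4_headers).to_json),
+        iam_request_body: Base64.strict_encode64(request_body)
+      }
+
+      json = client.post(route, JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via the GCP authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.gcp("read-only", "jwt", "gcp") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] role
+    # @param [String] jwt
+    #   jwt returned by the instance identity metadata, or iam api
+    # @param [String] path optional
+    #   the path were the gcp auth backend is mounted
+    #
+    # @return [Secret]
+    def gcp(role, jwt, path = 'gcp')
+      payload = { role: role, jwt: jwt }
+      json = client.post("/v1/auth/#{CGI.escape(path)}/login", JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via a TLS authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example Sending raw pem contents
+    #   Vault.auth.tls(pem_contents) #=> #<Vault::Secret lease_id="">
+    #
+    # @example Reading a pem from disk
+    #   Vault.auth.tls(File.read("/path/to/my/certificate.pem")) #=> #<Vault::Secret lease_id="">
+    #
+    # @example Sending to a cert authentication backend mounted at a custom location
+    #   Vault.auth.tls(pem_contents, 'custom/location') #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] pem (default: the configured SSL pem file or contents)
+    #   The raw pem contents to use for the login procedure.
+    #
+    # @param [String] path (default: 'cert')
+    #   The path to the auth backend to use for the login procedure.
+    #
+    # @return [Secret]
+    def tls(pem = nil, path = 'cert')
+      new_client = client.dup
+      new_client.ssl_pem_contents = pem if !pem.nil?
+
+      json = new_client.post("/v1/auth/#{CGI.escape(path)}/login")
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    private
+
+    # Parse an AWS region from a STS endpoint
+    # STS in the China (Beijing) region (cn-north-1) is sts.cn-north-1.amazonaws.com.cn
+    # Take care changing below regex with that edge case in mind
+    #
+    # @param [String] sts_endpoint
+    #   https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
+    #
+    # @return [String] aws region
+    def region_from_sts_endpoint(sts_endpoint)
+      valid_sts_endpoint = %r{https:\/\/sts\.?(.*).amazonaws.com}.match(sts_endpoint)
+      raise "Unable to parse STS endpoint #{sts_endpoint}" unless valid_sts_endpoint
+      valid_sts_endpoint[1].empty? ? 'us-east-1' : valid_sts_endpoint[1]
+    end
+  end
+end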
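Review bot: The STS endpoint regex in `region_from_sts_endpoint` is unanchored and the dots in `.amazonaws.com` are unescaped, so it accepts endpoints it should reject and can hand SigV4 a wrong region instead of raising; anchoring and escaping it, `valid_sts_endpoint = %r{\Ahttps://sts\.?(.*?)\.amazonaws\.com}.match(sts_endpoint)`, still yields `us-east-1` for the global endpoint and `cn-north-1` for the `.com.cn` case the comment calls out. `gcp` and `tls` build their paths with `CGI.escape(path)` although this file only requires `json` and every other method here uses `encode_path`; switching to `encode_path` would remove the implicit dependency on `cgi` being loaded elsewhere (whether `encode_path` keeps the `/` in the documented `'custom/location'` example depends on its definition in `../request`, which is not in this diff). On the `iam_auth_header_value` doc I would add that `X-Vault-AWS-IAM-Server-ID` is the value that binds the signed STS request to this particular Vault server, so callers should pass it whenever the server-side role is configured to require it, rather than relying on the "ANY or NO header" behaviour the comment describes.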
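--- a/data/lib/vault/api/auth_tls.rb
+++ b/data/lib/vault/api/auth_tls.rb
@@ -0,0 +1,92 @@
+require "json"
+
+require_relative "secret"
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+  class Client
+    # A proxy to the {AuthTLS} methods.
+    # @return [AuthTLS]
+    def auth_tls
+      @auth_tls ||= AuthTLS.new(self)
+    end
+  end
+
+  class AuthTLS < Request
+    # Saves a certificate with the given name and attributes. The certificate
+    # with the given name must already exist.
+    #
+    # @example
+    #   Vault.auth_tls.set_certificate("web", {
+    #     display_name: "web-cert",
+    #     certificate: "-----BEGIN CERTIFICATE...",
+    #     policies: "default",
+    #     ttl: 3600,
+    #   }) #=> true
+    #
+    # @param [String] name
+    #   the name of the certificate
+    # @param [Hash] options
+    # @option options [String] :certificate
+    #   The PEM-formatted CA certificate.
+    # @option options [String] :policies
+    #   A comma-separated list of policies issued when authenticating with this
+    #   CA.
+    # @option options [String] :display_name
+    #   The name to display on tokens issued against this CA.
+    # @option options [Fixnum] :ttl
+    #   The TTL period of the token, provided as a number of seconds.
+    #
+    # @return [true]
+    def set_certificate(name, options = {})
+      headers = extract_headers!(options)
+      client.post("/v1/auth/cert/certs/#{encode_path(name)}", JSON.fast_generate(options), headers)
+      return true
+    end
+
+    # Get the certificate by the given name. If a certificate does not exist by that name,
+    # +nil+ is returned.
+    #
+    # @example
+    #   Vault.auth_tls.certificate("web") #=> #<Vault::Secret lease_id="...">
+    #
+    # @return [Secret, nil]
+    def certificate(name)
+      json = client.get("/v1/auth/cert/certs/#{encode_path(name)}")
+      return Secret.decode(json)
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # The list of certificates in vault auth backend.
+    #
+    # @example
+    #   Vault.auth_tls.certificates #=> ["web"]
+    #
+    # @return [Array<String>]
+    def certificates(options = {})
+      headers = extract_headers!(options)
+      json = client.list("/v1/auth/cert/certs", options, headers)
+      return Secret.decode(json).data[:keys] || []
+    rescue HTTPError => e
+      return [] if e.code == 404
+      raise
+    end
+
+    # Delete the certificate with the given name. If a certificate does not exist, vault
+    # will not return an error.
+    #
+    # @example
+    #   Vault.auth_tls.delete_certificate("web") #=> true
+    #
+    # @param [String] name
+    #   the name of the certificate
+    def delete_certificate(name)
+      client.delete("/v1/auth/cert/certs/#{encode_path(name)}")
+      return true
+    end
+  end
+end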
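Review bot: `set_certificate`, `certificate`, `certificates` and `delete_certificate` hard-code the `/v1/auth/cert/certs` prefix, while the login side in `Authenticate#tls` (earlier in this diff) takes a mount `path` and even documents `'custom/location'`, so a cert backend mounted anywhere but `cert` can be logged into but not administered through this class; at minimum the class comment should say these methods only address the backend mounted at `cert`. On the documentation itself, `certificate` lacks a `@param [String] name` tag, `delete_certificate` has no return tag although it returns `true` (`# @return [true]`), and the `Fixnum` type on `:ttl` should read `Integer`, since Fixnum has been folded into Integer. The `set_certificate` header says the certificate "must already exist", which sits oddly next to a write that carries the CA contents and policies; if the endpoint creates-or-updates the trusted CA entry, as the `set_` name suggests, the sentence should state that, because this call is what decides which CA is trusted to mint tokens.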
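--- a/data/lib/vault/api/auth_token.rb
+++ b/data/lib/vault/api/auth_token.rb
@@ -0,0 +1,242 @@
+require "json"
+
+require_relative "secret"
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+  class Client
+    # A proxy to the {AuthToken} methods.
+    # @return [AuthToken]
+    def auth_token
+      @auth_token ||= AuthToken.new(self)
+    end
+  end
+
+  class AuthToken < Request
+    # Lists all token accessors.
+    #
+    # @example Listing token accessors
+    #   result = Vault.auth_token.accessors #=> #<Vault::Secret>
+    #   result.data[:keys] #=> ["476ea048-ded5-4d07-eeea-938c6b4e43ec", "bb00c093-b7d3-b0e9-69cc-c4d85081165b"]
+    #
+    # @return [Array<Secret>]
+    def accessors(options = {})
+      headers = extract_headers!(options)
+      json = client.list("/v1/auth/token/accessors", options, headers)
+      return Secret.decode(json)
+    end
+
+    # Create an authentication token. Note that the parameters specified below
+    # are not validated and passed directly to the Vault server. Depending on
+    # the version of Vault in operation, some of these options may not work, and
+    # newer options may be available that are not listed here.
+    #
+    # @example Creating a token
+    #   Vault.auth_token.create #=> #<Vault::Secret lease_id="">
+    #
+    # @example Creating a token assigned to policies with a wrap TTL
+    #   Vault.auth_token.create(
+    #     policies: ["myapp"],
+    #     wrap_ttl: 500,
+    #   )
+    #
+    # @param [Hash] options
+    # @option options [String] :id
+    #   The ID of the client token - this can only be specified for root tokens
+    # @option options [Array<String>] :policies
+    #   List of policies to apply to the token
+    # @option options [Fixnum, String] :wrap_ttl
+    #   The number of seconds or a golang-formatted timestamp like "5s" or "10m"
+    #   for the TTL on the wrapped response
+    # @option options [Hash<String, String>] :meta
+    #   A map of metadata that is passed to audit backends
+    # @option options [Boolean] :no_parent
+    #   Create a token without a parent - see also {#create_orphan}
+    # @option options [Boolean] :no_default_policy
+    #   Create a token without the default policy attached
+    # @option options [Boolean] :renewable
+    #   Set whether this token is renewable or not
+    # @option options [String] :display_name
+    #   Name of the token
+    # @option options [Fixnum] :num_uses
+    #   Maximum number of uses for the token
+    #
+    # @return [Secret]
+    def create(options = {})
+      headers = extract_headers!(options)
+      json = client.post("/v1/auth/token/create", JSON.fast_generate(options), headers)
+      return Secret.decode(json)
+    end
+
+    # Create an orphaned authentication token.
+    #
+    # @example
+    #   Vault.auth_token.create_orphan #=> #<Vault::Secret lease_id="">
+    #
+    # @param (see #create)
+    # @option (see #create)
+    #
+    # @return [Secret]
+    def create_orphan(options = {})
+      headers = extract_headers!(options)
+      json = client.post("/v1/auth/token/create-orphan", JSON.fast_generate(options), headers)
+      return Secret.decode(json)
+    end
+
+    # Create an orphaned authentication token.
+    #
+    # @example
+    #   Vault.auth_token.create_with_role("developer") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [Hash] options
+    #
+    # @return [Secret]
+    def create_with_role(name, options = {})
+      headers = extract_headers!(options)
+      json = client.post("/v1/auth/token/create/#{encode_path(name)}", JSON.fast_generate(options), headers)
+      return Secret.decode(json)
+    end
+
+    # Lookup information about the current token.
+    #
+    # @example
+    #   Vault.auth_token.lookup("abcd-...") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] token
+    # @param [Hash] options
+    #
+    # @return [Secret]
+    def lookup(token, options = {})
+      headers = extract_headers!(options)
+      json = client.post("/v1/auth/token/lookup", JSON.fast_generate(
+        token: token,
+      ), headers)
+      return Secret.decode(json)
+    end
+
+    # Lookup information about the given token accessor.
+    #
+    # @example
+    #   Vault.auth_token.lookup_accessor("acbd-...") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] accessor
+    # @param [Hash] options
+    def lookup_accessor(accessor, options = {})
+      headers = extract_headers!(options)
+      json = client.post("/v1/auth/token/lookup-accessor", JSON.fast_generate(
+        accessor: accessor,
+      ), headers)
+      return Secret.decode(json)
+    end
+
+    # Lookup information about the given token.
+    #
+    # @example
+    #   Vault.auth_token.lookup_self #=> #<Vault::Secret lease_id="">
+    #
+    # @return [Secret]
+    def lookup_self
+      json = client.get("/v1/auth/token/lookup-self")
+      return Secret.decode(json)
+    end
+
+    # Renew the given authentication token.
+    #
+    # @example
+    #   Vault.auth_token.renew("abcd-1234") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] token
+    #   the auth token
+    # @param [Fixnum] increment
+    #
+    # @return [Secret]
+    def renew(token, increment = 0, options = {})
+      headers = extract_headers!(options)
+      json = client.put("/v1/auth/token/renew", JSON.fast_generate(
+        token: token,
+        increment: increment,
+      ), headers)
+      return Secret.decode(json)
+    end
+
+    # Renews a lease associated with the calling token.
+    #
+    # @example
+    #   Vault.auth_token.renew_self #=> #<Vault::Secret lease_id="">
+    #
+    # @param [Fixnum] increment
+    #
+    # @return [Secret]
+    def renew_self(increment = 0, options = {})
+      headers = extract_headers!(options)
+      json = client.put("/v1/auth/token/renew-self", JSON.fast_generate(
+        increment: increment,
+      ), headers)
+      return Secret.decode(json)
+    end
+
+    # Revokes the token used to call it.
+    #
+    # @example
+    #   Vault.auth_token.revoke_self #=> 204
+    #
+    # @return response code.
+    def revoke_self
+      client.post("/v1/auth/token/revoke-self")
+    end
+
+    # Revoke exactly the orphans at the id.
+    #
+    # @example
+    #   Vault.auth_token.revoke_orphan("abcd-1234") #=> true
+    #
+    # @param [String] token
+    #   the token to revoke
+    #
+    # @return [true]
+    def revoke_orphan(token, options = {})
+      headers = extract_headers!(options)
+      client.put("/v1/auth/token/revoke-orphan", JSON.fast_generate(
+        token: token,
+      ), headers)
+      return true
+    end
+
+    # Revoke exactly the orphans at the id.
+    #
+    # @example
+    #   Vault.auth_token.revoke_accessor("abcd-1234") #=> true
+    #
+    # @param [String] accessor
+    #   the accessor to revoke
+    #
+    # @return [true]
+    def revoke_accessor(accessor, options = {})
+      headers = extract_headers!(options)
+      client.put("/v1/auth/token/revoke-accessor", JSON.fast_generate(
+        accessor: accessor,
+      ), headers)
+      return true
+    end
+
+    # Revoke the token and all its children.
+    #
+    # @example
+    #   Vault.auth_token.revoke("abcd-1234") #=> true
+    #
+    # @param [String] token
+    #   the auth token
+    #
+    # @return [true]
+    def revoke(token, options = {})
+      headers = extract_headers!(options)
+      client.put("/v1/auth/token/revoke", JSON.fast_generate(
+        token: token,
+      ), headers)
+      return true
+    end
+    alias_method :revoke_tree, :revoke
+  end
+end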
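Review bot: Several YARD headers in `AuthToken` were copied from neighbouring methods and now describe the wrong operation: `lookup` says "current token" while `lookup_self` says "given token" (the two are swapped), `create_with_role` repeats `create_orphan`'s "Create an orphaned authentication token." and omits `@param [String] name` for the token role it posts to, and `revoke_accessor` reuses `revoke_orphan`'s "Revoke exactly the orphans at the id." For the revocation family this matters operationally, because picking the wrong call when cutting off a leaked token can leave its child tokens alive: per Vault's API semantics I would document `revoke_orphan` as "Revoke the given token but leave its child tokens in place (they become orphans)", `revoke_accessor` as "Revoke the token identified by the given accessor, and its children, without needing the token value itself", and keep `revoke` as the tree revocation that `revoke_tree` aliases. `accessors` returns `Secret.decode(json)`, a single `Secret` whose `data[:keys]` holds the accessor list as its own example shows, so its tag should be `# @return [Secret]` rather than `[Array<Secret>]`; `lookup_accessor` has no `@return` tag at all.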