vault-kv 0.12.0

data/lib/vault/api/auth.rb

@@ -0,0 +1,316 @@
+require "json"
+
+require_relative "secret"
+require_relative "../client"
+
+module Vault
+  class Client
+    # A proxy to the {Auth} methods.
+    # @return [Auth]
+    def auth
+      @auth ||= Authenticate.new(self)
+    end
+  end
+
+  class Authenticate < Request
+    # Authenticate via the "token" authentication method. This authentication
+    # method is a bit bizarre because you already have a token, but hey,
+    # whatever floats your boat.
+    #
+    # This method hits the `/v1/auth/token/lookup-self` endpoint after setting
+    # the Vault client's token to the given token parameter. If the self lookup
+    # succeeds, the token is persisted onto the client for future requests. If
+    # the lookup fails, the old token (which could be unset) is restored on the
+    # client.
+    #
+    # @example
+    #   Vault.auth.token("6440e1bd-ba22-716a-887d-e133944d22bd") #=> #<Vault::Secret lease_id="">
+    #   Vault.token #=> "6440e1bd-ba22-716a-887d-e133944d22bd"
+    #
+    # @param [String] new_token
+    #   the new token to try to authenticate and store on the client
+    #
+    # @return [Secret]
+    def token(new_token)
+      old_token    = client.token
+      client.token = new_token
+      json = client.get("/v1/auth/token/lookup-self")
+      secret = Secret.decode(json)
+      return secret
+    rescue
+      client.token = old_token
+      raise
+    end
+
+    # Authenticate via the "app-id" authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used for
+    # future requests.
+    #
+    # @example
+    #   Vault.auth.app_id(
+    #     "aeece56e-3f9b-40c3-8f85-781d3e9a8f68",
+    #     "3b87be76-95cf-493a-a61b-7d5fc70870ad",
+    #   ) #=> #<Vault::Secret lease_id="">
+    #
+    # @example with a custom mount point
+    #   Vault.auth.app_id(
+    #     "aeece56e-3f9b-40c3-8f85-781d3e9a8f68",
+    #     "3b87be76-95cf-493a-a61b-7d5fc70870ad",
+    #     mount: "new-app-id",
+    #   )
+    #
+    # @param [String] app_id
+    # @param [String] user_id
+    # @param [Hash] options
+    #   additional options to pass to the authentication call, such as a custom
+    #   mount point
+    #
+    # @return [Secret]
+    def app_id(app_id, user_id, options = {})
+      payload = { app_id: app_id, user_id: user_id }.merge(options)
+      json = client.post("/v1/auth/app-id/login", JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via the "approle" authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used for
+    # future requests.
+    #
+    # @example
+    #   Vault.auth.approle(
+    #     "db02de05-fa39-4855-059b-67221c5c2f63",
+    #     "6a174c20-f6de-a53c-74d2-6018fcceff64",
+    #   ) #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] role_id
+    # @param [String] secret_id (default: nil)
+    #   It is required when `bind_secret_id` is enabled for the specified role_id
+    #
+    # @return [Secret]
+    def approle(role_id, secret_id=nil)
+      payload = { role_id: role_id }
+      payload[:secret_id] = secret_id if secret_id
+      json = client.post("/v1/auth/approle/login", JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via the "userpass" authentication method. If authentication
+    # is successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.userpass("sethvargo", "s3kr3t") #=> #<Vault::Secret lease_id="">
+    #
+    # @example with a custom mount point
+    #   Vault.auth.userpass("sethvargo", "s3kr3t", mount: "admin-login") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] username
+    # @param [String] password
+    # @param [Hash] options
+    #   additional options to pass to the authentication call, such as a custom
+    #   mount point
+    #
+    # @return [Secret]
+    def userpass(username, password, options = {})
+      payload = { password: password }.merge(options)
+      json = client.post("/v1/auth/userpass/login/#{encode_path(username)}", JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via the "ldap" authentication method. If authentication
+    # is successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.ldap("sethvargo", "s3kr3t") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] username
+    # @param [String] password
+    # @param [Hash] options
+    #   additional options to pass to the authentication call, such as a custom
+    #   mount point
+    #
+    # @return [Secret]
+    def ldap(username, password, options = {})
+      payload = { password: password }.merge(options)
+      json = client.post("/v1/auth/ldap/login/#{encode_path(username)}", JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via the GitHub authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.github("mypersonalgithubtoken") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] github_token
+    #
+    # @return [Secret]
+    def github(github_token, path="/v1/auth/github/login")
+      payload = {token: github_token}
+      json = client.post(path, JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via the AWS EC2 authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.aws_ec2("read-only", "pkcs7", "vault-nonce") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] role
+    # @param [String] pkcs7
+    #   pkcs7 returned by the instance identity document (with line breaks removed)
+    # @param [String] nonce optional
+    # @param [String] route optional
+    #
+    # @return [Secret]
+    def aws_ec2(role, pkcs7, nonce = nil, route = nil)
+      route ||= '/v1/auth/aws-ec2/login'
+      payload = { role: role, pkcs7: pkcs7 }
+      # Set a custom nonce if client is providing one
+      payload[:nonce] = nonce if nonce
+      json = client.post(route, JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via AWS IAM auth method by providing a AWS CredentialProvider (either ECS, AssumeRole, etc.)
+    # If authentication is successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.aws_iam("dev-role-iam", Aws::InstanceProfileCredentials.new, "vault.example.com", "https://sts.us-east-2.amazonaws.com") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] role
+    # @param [CredentialProvider] credentials_provider
+    #   https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CredentialProvider.html
+    # @param [String] iam_auth_header_value optional
+    #   As of Jan 2018, Vault will accept ANY or NO header if none is configured by the Vault server admin
+    # @param [String] sts_endpoint optional
+    #   https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
+    # @param [String] route optional
+    # @return [Secret]
+    def aws_iam(role, credentials_provider, iam_auth_header_value = nil, sts_endpoint = 'https://sts.amazonaws.com', route = nil)
+      require "aws-sigv4"
+      require "base64"
+
+      request_body   = 'Action=GetCallerIdentity&Version=2011-06-15'
+      request_method = 'POST'
+
+      route ||= '/v1/auth/aws/login'
+
+      vault_headers = {
+        'User-Agent' => Vault::Client::USER_AGENT,
+        'Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8'
+      }
+
+      vault_headers['X-Vault-AWS-IAM-Server-ID'] = iam_auth_header_value if iam_auth_header_value
+
+      sig4_headers = Aws::Sigv4::Signer.new(
+        service: 'sts',
+        region: region_from_sts_endpoint(sts_endpoint),
+        credentials_provider: credentials_provider
+      ).sign_request(
+        http_method: request_method,
+        url: sts_endpoint,
+        headers: vault_headers,
+        body: request_body
+      ).headers
+
+      payload = {
+        role: role,
+        iam_http_request_method: request_method,
+        iam_request_url: Base64.strict_encode64(sts_endpoint),
+        iam_request_headers: Base64.strict_encode64(vault_headers.merge(sig4_headers).to_json),
+        iam_request_body: Base64.strict_encode64(request_body)
+      }
+
+      json = client.post(route, JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via the GCP authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.gcp("read-only", "jwt", "gcp") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] role
+    # @param [String] jwt
+    #   jwt returned by the instance identity metadata, or iam api
+    # @param [String] path optional
+    #   the path were the gcp auth backend is mounted
+    #
+    # @return [Secret]
+    def gcp(role, jwt, path = 'gcp')
+      payload = { role: role, jwt: jwt }
+      json = client.post("/v1/auth/#{CGI.escape(path)}/login", JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via a TLS authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example Sending raw pem contents
+    #   Vault.auth.tls(pem_contents) #=> #<Vault::Secret lease_id="">
+    #
+    # @example Reading a pem from disk
+    #   Vault.auth.tls(File.read("/path/to/my/certificate.pem")) #=> #<Vault::Secret lease_id="">
+    #
+    # @example Sending to a cert authentication backend mounted at a custom location
+    #   Vault.auth.tls(pem_contents, 'custom/location') #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] pem (default: the configured SSL pem file or contents)
+    #   The raw pem contents to use for the login procedure.
+    #
+    # @param [String] path (default: 'cert')
+    #   The path to the auth backend to use for the login procedure.
+    #
+    # @return [Secret]
+    def tls(pem = nil, path = 'cert')
+      new_client = client.dup
+      new_client.ssl_pem_contents = pem if !pem.nil?
+
+      json = new_client.post("/v1/auth/#{CGI.escape(path)}/login")
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    private
+
+    # Parse an AWS region from a STS endpoint
+    # STS in the China (Beijing) region (cn-north-1) is sts.cn-north-1.amazonaws.com.cn
+    # Take care changing below regex with that edge case in mind
+    #
+    # @param [String] sts_endpoint
+    #   https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
+    #
+    # @return [String] aws region
+    def region_from_sts_endpoint(sts_endpoint)
+      valid_sts_endpoint = %r{https:\/\/sts\.?(.*).amazonaws.com}.match(sts_endpoint)
+      raise "Unable to parse STS endpoint #{sts_endpoint}" unless valid_sts_endpoint
+      valid_sts_endpoint[1].empty? ? 'us-east-1' : valid_sts_endpoint[1]
+    end
+  end
+end

data/lib/vault/api/auth_tls.rb

@@ -0,0 +1,92 @@
+require "json"
+
+require_relative "secret"
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+  class Client
+    # A proxy to the {AuthTLS} methods.
+    # @return [AuthTLS]
+    def auth_tls
+      @auth_tls ||= AuthTLS.new(self)
+    end
+  end
+
+  class AuthTLS < Request
+    # Saves a certificate with the given name and attributes. The certificate
+    # with the given name must already exist.
+    #
+    # @example
+    #   Vault.auth_tls.set_certificate("web", {
+    #     display_name: "web-cert",
+    #     certificate:  "-----BEGIN CERTIFICATE...",
+    #     policies:     "default",
+    #     ttl:          3600,
+    #   }) #=> true
+    #
+    # @param [String] name
+    #   the name of the certificate
+    # @param [Hash] options
+    # @option options [String] :certificate
+    #   The PEM-formatted CA certificate.
+    # @option options [String] :policies
+    #   A comma-separated list of policies issued when authenticating with this
+    #   CA.
+    # @option options [String] :display_name
+    #   The name to display on tokens issued against this CA.
+    # @option options [Fixnum] :ttl
+    #   The TTL period of the token, provided as a number of seconds.
+    #
+    # @return [true]
+    def set_certificate(name, options = {})
+      headers = extract_headers!(options)
+      client.post("/v1/auth/cert/certs/#{encode_path(name)}", JSON.fast_generate(options), headers)
+      return true
+    end
+
+    # Get the certificate by the given name. If a certificate does not exist by that name,
+    # +nil+ is returned.
+    #
+    # @example
+    #   Vault.auth_tls.certificate("web") #=> #<Vault::Secret lease_id="...">
+    #
+    # @return [Secret, nil]
+    def certificate(name)
+      json = client.get("/v1/auth/cert/certs/#{encode_path(name)}")
+      return Secret.decode(json)
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # The list of certificates in vault auth backend.
+    #
+    # @example
+    #   Vault.auth_tls.certificates #=> ["web"]
+    #
+    # @return [Array<String>]
+    def certificates(options = {})
+      headers = extract_headers!(options)
+      json = client.list("/v1/auth/cert/certs", options, headers)
+      return Secret.decode(json).data[:keys] || []
+    rescue HTTPError => e
+      return [] if e.code == 404
+      raise
+    end
+
+    # Delete the certificate with the given name. If a certificate does not exist, vault
+    # will not return an error.
+    #
+    # @example
+    #   Vault.auth_tls.delete_certificate("web") #=> true
+    #
+    # @param [String] name
+    #   the name of the certificate
+    def delete_certificate(name)
+      client.delete("/v1/auth/cert/certs/#{encode_path(name)}")
+      return true
+    end
+  end
+end

data/lib/vault/api/auth_token.rb

@@ -0,0 +1,242 @@
+require "json"
+
+require_relative "secret"
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+  class Client
+    # A proxy to the {AuthToken} methods.
+    # @return [AuthToken]
+    def auth_token
+      @auth_token ||= AuthToken.new(self)
+    end
+  end
+
+  class AuthToken < Request
+    # Lists all token accessors.
+    #
+    # @example Listing token accessors
+    #   result = Vault.auth_token.accessors #=> #<Vault::Secret>
+    #   result.data[:keys] #=> ["476ea048-ded5-4d07-eeea-938c6b4e43ec", "bb00c093-b7d3-b0e9-69cc-c4d85081165b"]
+    #
+    # @return [Array<Secret>]
+    def accessors(options = {})
+      headers = extract_headers!(options)
+      json = client.list("/v1/auth/token/accessors", options, headers)
+      return Secret.decode(json)
+    end
+
+    # Create an authentication token. Note that the parameters specified below
+    # are not validated and passed directly to the Vault server. Depending on
+    # the version of Vault in operation, some of these options may not work, and
+    # newer options may be available that are not listed here.
+    #
+    # @example Creating a token
+    #   Vault.auth_token.create #=> #<Vault::Secret lease_id="">
+    #
+    # @example Creating a token assigned to policies with a wrap TTL
+    #   Vault.auth_token.create(
+    #     policies: ["myapp"],
+    #     wrap_ttl: 500,
+    #   )
+    #
+    # @param [Hash] options
+    # @option options [String] :id
+    #   The ID of the client token - this can only be specified for root tokens
+    # @option options [Array<String>] :policies
+    #   List of policies to apply to the token
+    # @option options [Fixnum, String] :wrap_ttl
+    #   The number of seconds or a golang-formatted timestamp like "5s" or "10m"
+    #   for the TTL on the wrapped response
+    # @option options [Hash<String, String>] :meta
+    #   A map of metadata that is passed to audit backends
+    # @option options [Boolean] :no_parent
+    #   Create a token without a parent - see also {#create_orphan}
+    # @option options [Boolean] :no_default_policy
+    #   Create a token without the default policy attached
+    # @option options [Boolean] :renewable
+    #   Set whether this token is renewable or not
+    # @option options [String] :display_name
+    #   Name of the token
+    # @option options [Fixnum] :num_uses
+    #   Maximum number of uses for the token
+    #
+    # @return [Secret]
+    def create(options = {})
+      headers = extract_headers!(options)
+      json = client.post("/v1/auth/token/create", JSON.fast_generate(options), headers)
+      return Secret.decode(json)
+    end
+
+    # Create an orphaned authentication token.
+    #
+    # @example
+    #   Vault.auth_token.create_orphan #=> #<Vault::Secret lease_id="">
+    #
+    # @param (see #create)
+    # @option (see #create)
+    #
+    # @return [Secret]
+    def create_orphan(options = {})
+      headers = extract_headers!(options)
+      json = client.post("/v1/auth/token/create-orphan", JSON.fast_generate(options), headers)
+      return Secret.decode(json)
+    end
+
+    # Create an orphaned authentication token.
+    #
+    # @example
+    #   Vault.auth_token.create_with_role("developer") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [Hash] options
+    #
+    # @return [Secret]
+    def create_with_role(name, options = {})
+      headers = extract_headers!(options)
+      json = client.post("/v1/auth/token/create/#{encode_path(name)}", JSON.fast_generate(options), headers)
+      return Secret.decode(json)
+    end
+
+    # Lookup information about the current token.
+    #
+    # @example
+    #   Vault.auth_token.lookup("abcd-...") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] token
+    # @param [Hash] options
+    #
+    # @return [Secret]
+    def lookup(token, options = {})
+      headers = extract_headers!(options)
+      json = client.post("/v1/auth/token/lookup", JSON.fast_generate(
+        token: token,
+      ), headers)
+      return Secret.decode(json)
+    end
+
+    # Lookup information about the given token accessor.
+    #
+    # @example
+    #   Vault.auth_token.lookup_accessor("acbd-...") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] accessor
+    # @param [Hash] options
+    def lookup_accessor(accessor, options = {})
+      headers = extract_headers!(options)
+      json = client.post("/v1/auth/token/lookup-accessor", JSON.fast_generate(
+        accessor: accessor,
+      ), headers)
+      return Secret.decode(json)
+    end
+
+    # Lookup information about the given token.
+    #
+    # @example
+    #   Vault.auth_token.lookup_self #=> #<Vault::Secret lease_id="">
+    #
+    # @return [Secret]
+    def lookup_self
+      json = client.get("/v1/auth/token/lookup-self")
+      return Secret.decode(json)
+    end
+
+    # Renew the given authentication token.
+    #
+    # @example
+    #   Vault.auth_token.renew("abcd-1234") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] token
+    #   the auth token
+    # @param [Fixnum] increment
+    #
+    # @return [Secret]
+    def renew(token, increment = 0, options = {})
+      headers = extract_headers!(options)
+      json = client.put("/v1/auth/token/renew", JSON.fast_generate(
+        token: token,
+        increment: increment,
+      ), headers)
+      return Secret.decode(json)
+    end
+
+    # Renews a lease associated with the calling token.
+    #
+    # @example
+    #   Vault.auth_token.renew_self #=> #<Vault::Secret lease_id="">
+    #
+    # @param [Fixnum] increment
+    #
+    # @return [Secret]
+    def renew_self(increment = 0, options = {})
+      headers = extract_headers!(options)
+      json = client.put("/v1/auth/token/renew-self", JSON.fast_generate(
+        increment: increment,
+      ), headers)
+      return Secret.decode(json)
+    end
+
+    # Revokes the token used to call it.
+    #
+    # @example
+    #   Vault.auth_token.revoke_self #=> 204
+    #
+    # @return response code.
+    def revoke_self
+      client.post("/v1/auth/token/revoke-self")
+    end
+
+    # Revoke exactly the orphans at the id.
+    #
+    # @example
+    #   Vault.auth_token.revoke_orphan("abcd-1234") #=> true
+    #
+    # @param [String] token
+    #   the token to revoke
+    #
+    # @return [true]
+    def revoke_orphan(token, options = {})
+      headers = extract_headers!(options)
+      client.put("/v1/auth/token/revoke-orphan", JSON.fast_generate(
+        token: token,
+      ), headers)
+      return true
+    end
+
+    # Revoke exactly the orphans at the id.
+    #
+    # @example
+    #   Vault.auth_token.revoke_accessor("abcd-1234") #=> true
+    #
+    # @param [String] accessor
+    #   the accessor to revoke
+    #
+    # @return [true]
+    def revoke_accessor(accessor, options = {})
+      headers = extract_headers!(options)
+      client.put("/v1/auth/token/revoke-accessor", JSON.fast_generate(
+        accessor: accessor,
+      ), headers)
+      return true
+    end
+
+    # Revoke the token and all its children.
+    #
+    # @example
+    #   Vault.auth_token.revoke("abcd-1234") #=> true
+    #
+    # @param [String] token
+    #   the auth token
+    #
+    # @return [true]
+    def revoke(token, options = {})
+      headers = extract_headers!(options)
+      client.put("/v1/auth/token/revoke", JSON.fast_generate(
+        token: token,
+      ), headers)
+      return true
+    end
+    alias_method :revoke_tree, :revoke
+  end
+end