vault-kv 0.12.0

data/lib/vault/api/sys.rb

@@ -0,0 +1,25 @@
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+  class Client
+    # A proxy to the {Sys} methods.
+    # @return [Sys]
+    def sys
+      @sys ||= Sys.new(self)
+    end
+  end
+
+  class Sys < Request; end
+end
+
+require_relative "sys/audit"
+require_relative "sys/auth"
+require_relative "sys/health"
+require_relative "sys/init"
+require_relative "sys/leader"
+require_relative "sys/lease"
+require_relative "sys/mount"
+require_relative "sys/policy"
+require_relative "sys/seal"

data/lib/vault/api/sys/audit.rb

@@ -0,0 +1,91 @@
+require "json"
+
+module Vault
+  class Audit < Response
+    # @!attribute [r] description
+    #   Description of the audit backend.
+    #   @return [String]
+    field :description
+
+    # @!attribute [r] options
+    #   Map of options configured to the audit backend.
+    #   @return [Hash<Symbol, Object>]
+    field :options
+
+    # @!attribute [r] type
+    #   Name of the audit backend.
+    #   @return [String]
+    field :type
+  end
+
+  class Sys
+    # List all audits for the vault.
+    #
+    # @example
+    #   Vault.sys.audits #=> { :file => #<Audit> }
+    #
+    # @return [Hash<Symbol, Audit>]
+    def audits
+      json = client.get("/v1/sys/audit")
+      json = json[:data] if json[:data]
+      return Hash[*json.map do |k,v|
+        [k.to_s.chomp("/").to_sym, Audit.decode(v)]
+      end.flatten]
+    end
+
+    # Enable a particular audit. Note: the +options+ depend heavily on the
+    # type of audit being enabled. Please refer to audit-specific documentation
+    # for which need to be enabled.
+    #
+    # @example
+    #   Vault.sys.enable_audit("/file-audit", "file", "File audit", path: "/path/on/disk") #=> true
+    #
+    # @param [String] path
+    #   the path to mount the audit
+    # @param [String] type
+    #   the type of audit to enable
+    # @param [String] description
+    #   a human-friendly description of the audit backend
+    # @param [Hash] options
+    #   audit-specific options
+    #
+    # @return [true]
+    def enable_audit(path, type, description, options = {})
+      client.put("/v1/sys/audit/#{encode_path(path)}", JSON.fast_generate(
+        type:        type,
+        description: description,
+        options:     options,
+      ))
+      return true
+    end
+
+    # Disable a particular audit. If an audit does not exist, and error will be
+    # raised.
+    #
+    # @param [String] path
+    #   the path of the audit to disable
+    #
+    # @return [true]
+    def disable_audit(path)
+      client.delete("/v1/sys/audit/#{encode_path(path)}")
+      return true
+    end
+
+    # Generates a HMAC verifier for a given input.
+    #
+    # @example
+    #   Vault.sys.audit_hash("file-audit", "my input") #=> "hmac-sha256:30aa7de18a5e90bbc1063db91e7c387b32b9fa895977eb8c177bbc91e7d7c542"
+    #
+    # @param [String] path
+    #   the path of the audit backend
+    # @param [String] input
+    #   the input to generate a HMAC for
+    #
+    # @return [String]
+    def audit_hash(path, input)
+      json = client.post("/v1/sys/audit-hash/#{encode_path(path)}", JSON.fast_generate(input: input))
+      json = json[:data] if json[:data]
+      json[:hash]
+    end
+  end
+end

data/lib/vault/api/sys/auth.rb

@@ -0,0 +1,116 @@
+require "json"
+
+module Vault
+  class Auth < Response
+    # @!attribute [r] description
+    #   Description of the auth backend.
+    #   @return [String]
+    field :description
+
+    # @!attribute [r] type
+    #   Name of the auth backend.
+    #   @return [String]
+    field :type
+  end
+
+  class AuthConfig < Response
+    # @!attribute [r] default_lease_ttl
+    #   The default time-to-live.
+    #   @return [String]
+    field :default_lease_ttl
+
+    # @!attribute [r] max_lease_ttl
+    #   The maximum time-to-live.
+    #   @return [String]
+    field :max_lease_ttl
+  end
+
+  class Sys
+    # List all auths in Vault.
+    #
+    # @example
+    #   Vault.sys.auths #=> {:token => #<Vault::Auth type="token", description="token based credentials">}
+    #
+    # @return [Hash<Symbol, Auth>]
+    def auths
+      json = client.get("/v1/sys/auth")
+      json = json[:data] if json[:data]
+      return Hash[*json.map do |k,v|
+        [k.to_s.chomp("/").to_sym, Auth.decode(v)]
+      end.flatten]
+    end
+
+    # Enable a particular authentication at the given path.
+    #
+    # @example
+    #   Vault.sys.enable_auth("github", "github") #=> true
+    #
+    # @param [String] path
+    #   the path to mount the auth
+    # @param [String] type
+    #   the type of authentication
+    # @param [String] description
+    #   a human-friendly description (optional)
+    #
+    # @return [true]
+    def enable_auth(path, type, description = nil)
+      payload = { type: type }
+      payload[:description] = description if !description.nil?
+
+      client.post("/v1/sys/auth/#{encode_path(path)}", JSON.fast_generate(payload))
+      return true
+    end
+
+    # Disable a particular authentication at the given path. If not auth
+    # exists at that path, an error will be raised.
+    #
+    # @example
+    #   Vault.sys.disable_auth("github") #=> true
+    #
+    # @param [String] path
+    #   the path to disable
+    #
+    # @return [true]
+    def disable_auth(path)
+      client.delete("/v1/sys/auth/#{encode_path(path)}")
+      return true
+    end
+
+    # Read the given auth path's configuration.
+    #
+    # @example
+    #   Vault.sys.auth_tune("github") #=> #<Vault::AuthConfig "default_lease_ttl"=3600, "max_lease_ttl"=7200>
+    #
+    # @param [String] path
+    #   the path to retrieve configuration for
+    #
+    # @return [AuthConfig]
+    #   configuration of the given auth path
+    def auth_tune(path)
+      json = client.get("/v1/sys/auth/#{encode_path(path)}/tune")
+      return AuthConfig.decode(json)
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Write the given auth path's configuration.
+    #
+    # @example
+    #   Vault.sys.auth_tune("github", "default_lease_ttl" => 600, "max_lease_ttl" => 1200 ) #=>  true
+    #
+    # @param [String] path
+    #   the path to retrieve configuration for
+    #
+    # @return [AuthConfig]
+    #   configuration of the given auth path
+    def put_auth_tune(path, config = {})
+      json = client.put("/v1/sys/auth/#{encode_path(path)}/tune", JSON.fast_generate(config))
+      if json.nil?
+        return true
+      else
+        return Secret.decode(json)
+      end
+    end
+  end
+end

data/lib/vault/api/sys/health.rb

@@ -0,0 +1,63 @@
+require "json"
+
+module Vault
+  class HealthStatus < Response
+    # @!attribute [r] initialized
+    #   Whether the Vault server is Initialized.
+    #   @return [Boolean]
+    field :initialized, as: :initialized?
+
+    # @!attribute [r] sealed
+    #   Whether the Vault server is Sealed.
+    #   @return [Boolean]
+    field :sealed, as: :sealed?
+
+    # @!attribute [r] standby
+    #   Whether the Vault server is in Standby mode.
+    #   @return [Boolean]
+    field :standby, as: :standby?
+
+    # @!attribute [r] replication_performance_mode
+    #   Verbose description of DR mode (added in 0.9.2)
+    #   @return [String]
+    field :replication_performance_mode
+
+    # @!attribute [r] replication_dr_mode
+    #   Verbose description of DR mode (added in 0.9.2)
+    #   @return [String]
+    field :replication_dr_mode
+
+    # @!attribute [r] server_time_utc
+    #   Server time in Unix seconds, UTC
+    #   @return [Fixnum]
+    field :server_time_utc
+
+    # @!attribute [r] version
+    #   Server Vault version string (added in 0.6.1)
+    #   @return [String]
+    field :version
+
+    # @!attribute [r] cluster_name
+    #   Server cluster name
+    #   @return [String]
+    field :cluster_name
+
+    # @!attribute [r] cluster_id
+    #   Server cluster UUID
+    #   @return [String]
+    field :cluster_id
+  end
+
+  class Sys
+    # Show the health status for this vault.
+    #
+    # @example
+    #   Vault.sys.health_status #=> #Vault::HealthStatus @initialized=true, @sealed=false, @standby=false, @replication_performance_mode="disabled", @replication_dr_mode="disabled", @server_time_utc=1519776728, @version="0.9.3", @cluster_name="vault-cluster-997f514e", @cluster_id="c2dad70a-6d88-a06d-69f6-9ae7f5485998">
+    #
+    # @return [HealthStatus]
+    def health_status
+      json = client.get("/v1/sys/health", {:sealedcode => 200, :uninitcode => 200, :standbycode => 200})
+      return HealthStatus.decode(json)
+    end
+  end
+end

data/lib/vault/api/sys/init.rb

@@ -0,0 +1,83 @@
+require "json"
+
+module Vault
+  class InitResponse < Response
+    # @!attribute [r] keys
+    #   List of unseal keys.
+    #   @return [Array<String>]
+    field :keys
+
+    # @!attribute [r] keys_base64
+    #   List of unseal keys, base64-encoded
+    #   @return [Array<String>]
+    field :keys_base64
+
+    # @!attribute [r] root_token
+    #   Initial root token.
+    #   @return [String]
+    field :root_token
+  end
+
+  class InitStatus < Response
+    # @!method initialized?
+    #   Returns whether the Vault server is initialized.
+    #   @return [Boolean]
+    field :initialized, as: :initialized?
+  end
+
+  class Sys
+    # Show the initialization status for this vault.
+    #
+    # @example
+    #   Vault.sys.init_status #=> #<Vault::InitStatus initialized=true>
+    #
+    # @return [InitStatus]
+    def init_status
+      json = client.get("/v1/sys/init")
+      return InitStatus.decode(json)
+    end
+
+    # Initialize a new vault.
+    #
+    # @example
+    #   Vault.sys.init #=> #<Vault::InitResponse keys=["..."] root_token="...">
+    #
+    # @param [Hash] options
+    #   the list of init options
+    #
+    # @option options [String] :root_token_pgp_key
+    #   optional base64-encoded PGP public key used to encrypt the initial root
+    #   token.
+    # @option options [Fixnum] :secret_shares
+    #   the number of shares
+    # @option options [Fixnum] :secret_threshold
+    #   the number of keys needed to unlock
+    # @option options [Array<String>] :pgp_keys
+    #   an optional Array of base64-encoded PGP public keys to encrypt sharees
+    # @option options [Fixnum] :stored_shares
+    #   the number of shares that should be encrypted by the HSM for
+    #   auto-unsealing
+    # @option options [Fixnum] :recovery_shares
+    #   the number of shares to split the recovery key into
+    # @option options [Fixnum] :recovery_threshold
+    #   the number of shares required to reconstruct the recovery key
+    # @option options [Array<String>] :recovery_pgp_keys
+    #   an array of PGP public keys used to encrypt the output for the recovery
+    #   keys
+    #
+    # @return [InitResponse]
+    def init(options = {})
+      json = client.put("/v1/sys/init", JSON.fast_generate(
+        root_token_pgp_key: options.fetch(:root_token_pgp_key, nil),
+        secret_shares:      options.fetch(:secret_shares, options.fetch(:shares, 5)),
+        secret_threshold:   options.fetch(:secret_threshold, options.fetch(:threshold, 3)),
+        pgp_keys:           options.fetch(:pgp_keys, nil),
+        stored_shares:      options.fetch(:stored_shares, nil),
+        recovery_shares:    options.fetch(:recovery_shares, nil),
+        recovery_threshold: options.fetch(:recovery_threshold, nil),
+        recovery_pgp_keys:  options.fetch(:recovery_pgp_keys, nil),
+      ))
+      return InitResponse.decode(json)
+    end
+  end
+end

data/lib/vault/api/sys/leader.rb

@@ -0,0 +1,48 @@
+module Vault
+  class LeaderStatus < Response
+    # @!method ha_enabled?
+    #   Returns whether the high-availability mode is enabled.
+    #   @return [Boolean]
+    field :ha_enabled, as: :ha_enabled?
+
+    # @!method leader?
+    #   Returns whether the Vault server queried is the leader.
+    #   @return [Boolean]
+    field :is_self, as: :leader?
+
+    # @!attribute [r] address
+    #   URL where the server is running.
+    #   @return [String]
+    field :leader_address, as: :address
+
+    # @deprecated Use {#ha_enabled?} instead
+    def ha?; ha_enabled?; end
+
+    # @deprecated Use {#leader?} instead
+    def is_leader?; leader?; end
+
+    # @deprecated Use {#leader?} instead
+    def is_self?; leader?; end
+
+    # @deprecated Use {#leader?} instead
+    def self?; leader?; end
+  end
+
+  class Sys
+    # Determine the leader status for this vault.
+    #
+    # @example
+    #   Vault.sys.leader #=> #<Vault::LeaderStatus ha_enabled=false, is_self=false, leader_address="">
+    #
+    # @return [LeaderStatus]
+    def leader
+      json = client.get("/v1/sys/leader")
+      return LeaderStatus.decode(json)
+    end
+
+    def step_down
+      client.put("/v1/sys/step-down", nil)
+      return true
+    end
+  end
+end

data/lib/vault/api/sys/lease.rb

@@ -0,0 +1,49 @@
+module Vault
+  class Sys
+    # Renew a lease with the given ID.
+    #
+    # @example
+    #   Vault.sys.renew("aws/username") #=> #<Vault::Secret ...>
+    #
+    # @param [String] id
+    #   the lease ID
+    # @param [Fixnum] increment
+    #
+    # @return [Secret]
+    def renew(id, increment = 0)
+      json = client.put("/v1/sys/renew/#{id}", JSON.fast_generate(
+        increment: increment,
+      ))
+      return Secret.decode(json)
+    end
+
+    # Revoke the secret at the given id. If the secret does not exist, an error
+    # will be raised.
+    #
+    # @example
+    #   Vault.sys.revoke("aws/username") #=> true
+    #
+    # @param [String] id
+    #   the lease ID
+    #
+    # @return [true]
+    def revoke(id)
+      client.put("/v1/sys/revoke/#{id}", nil)
+      return true
+    end
+
+    # Revoke all secrets under the given prefix.
+    #
+    # @example
+    #   Vault.sys.revoke_prefix("aws") #=> true
+    #
+    # @param [String] id
+    #   the lease ID
+    #
+    # @return [true]
+    def revoke_prefix(id)
+      client.put("/v1/sys/revoke-prefix/#{id}", nil)
+      return true
+    end
+  end
+end