vault-rails 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2372e9033c1ad9acaed9ba40d0a16ecaf9255389
-  data.tar.gz: 1ad8eba93c1e7214da702473a92729131902ccb5
+  metadata.gz: 7c8f664265ab1fa257f49bae1035a07ce66ab25c
+  data.tar.gz: 0afe845824aa882453dd07574e895b4a09e8fda1
 SHA512:
-  metadata.gz: 5fb7fc74a89248efa68c5dd0698fa08940b44d1cf129957b30922b19765b2d5a121f34c1aa821f9c9b944794a488d31ef97932d31c55aaab7867c2b382824fb8
-  data.tar.gz: 685d0b2d9a6ea88c0308defc8e7dd06f806b0dbf06d19bc3faf8d4e58353564cc37df8cf009063d5b6a61db35a4adf385e25c5140d711f0e3d92912fd41c67c2
+  metadata.gz: c7dd41623f7b78a7fe21aaaa0d53ff6be679dfc211d6f4da409216d58505663f71f615170a619eb9a5a1304903761ef7a46b754c90024b1d40d0a56cda8299b7
+  data.tar.gz: 0421c3b2d52fd8dd1355e5a9f4a41b4607c946ba5477d7d6c3c7592fc220ed6fc4ef7968dd05709d84dd93bb36fed31bb306c9b8bc1f6d2a918dca62137e08fd

data/lib/vault/rails.rb

@@ -11,8 +11,6 @@ require_relative "rails/version"
 
 module Vault
   module Rails
-    extend Vault::Rails::Configurable
-
     # The list of serializers.
     #
     # @return [Hash<Symbol, Module>]
@@ -29,199 +27,208 @@ module Vault
     DEV_WARNING = "[vault-rails] Using in-memory cipher - this is not secure " \
       "and should never be used in production-like environments!".freeze
 
-    # API client object based off the configured options in
-    # {Vault::Configurable}.
-    #
-    # @return [Vault::Client]
-    def self.client
-      if !defined?(@client) || !@client.same_options?(options)
-        @client = Vault::Client.new(options)
-      end
-      return @client
-    end
+    class << self
+      # API client object based off the configured options in {Configurable}.
+      #
+      # @return [Vault::Client]
+      attr_reader :client
 
-    # Delegate all methods to the client object, essentially making the module
-    # object behave like a {Vault::Client}.
-    def self.method_missing(m, *args, &block)
-      if client.respond_to?(m)
-        client.public_send(m, *args, &block)
-      else
-        super
-      end
-    end
+      def setup!
+        Vault.setup!
 
-    # Delegating `respond_to` to the {Vault::Client}.
-    def self.respond_to_missing?(m, include_private = false)
-      client.respond_to?(m) || super
-    end
+        @client = Vault.client
+        @client.class.instance_eval do
+          include Vault::Rails::Configurable
+        end
 
-    # Encrypt the given plaintext data using the provided mount and key.
-    #
-    # @param [String] path
-    #   the mount point
-    # @param [String] key
-    #   the key to encrypt at
-    # @param [String] plaintext
-    #   the plaintext to encrypt
-    # @param [Vault::Client] client
-    #   the Vault client to use
-    #
-    # @return [String]
-    #   the encrypted cipher text
-    def self.encrypt(path, key, plaintext, client = self.client)
-      if plaintext.blank?
-        return plaintext
+        self
       end
 
-      path = path.to_s if !path.is_a?(String)
-      key  = key.to_s if !key.is_a?(String)
-
-      with_retries do
-        if self.enabled?
-          result = self.vault_encrypt(path, key, plaintext, client)
+      # Delegate all methods to the client object, essentially making the module
+      # object behave like a {Vault::Client}.
+      def method_missing(m, *args, &block)
+        if client.respond_to?(m)
+          client.public_send(m, *args, &block)
         else
-          result = self.memory_encrypt(path, key, plaintext, client)
+          super
         end
-
-        return self.force_encoding(result)
       end
-    end
 
-    # Decrypt the given ciphertext data using the provided mount and key.
-    #
-    # @param [String] path
-    #   the mount point
-    # @param [String] key
-    #   the key to decrypt at
-    # @param [String] ciphertext
-    #   the ciphertext to decrypt
-    # @param [Vault::Client] client
-    #   the Vault client to use
-    #
-    # @return [String]
-    #   the decrypted plaintext text
-    def self.decrypt(path, key, ciphertext, client = self.client)
-      if ciphertext.blank?
-        return ciphertext
+      # Delegating `respond_to` to the {Vault::Client}.
+      def respond_to_missing?(m, include_private = false)
+        client.respond_to?(m, include_private) || super
       end
 
-      path = path.to_s if !path.is_a?(String)
-      key  = key.to_s if !key.is_a?(String)
+      # Encrypt the given plaintext data using the provided mount and key.
+      #
+      # @param [String] path
+      #   the mount point
+      # @param [String] key
+      #   the key to encrypt at
+      # @param [String] plaintext
+      #   the plaintext to encrypt
+      # @param [Vault::Client] client
+      #   the Vault client to use
+      #
+      # @return [String]
+      #   the encrypted cipher text
+      def encrypt(path, key, plaintext, client = self.client)
+        if plaintext.blank?
+          return plaintext
+        end
 
-      with_retries do
-        if self.enabled?
-          result = self.vault_decrypt(path, key, ciphertext, client)
-        else
-          result = self.memory_decrypt(path, key, ciphertext, client)
+        path = path.to_s if !path.is_a?(String)
+        key  = key.to_s if !key.is_a?(String)
+
+        with_retries do
+          if self.enabled?
+            result = self.vault_encrypt(path, key, plaintext, client)
+          else
+            result = self.memory_encrypt(path, key, plaintext, client)
+          end
+
+          return self.force_encoding(result)
+        end
+      end
+
+      # Decrypt the given ciphertext data using the provided mount and key.
+      #
+      # @param [String] path
+      #   the mount point
+      # @param [String] key
+      #   the key to decrypt at
+      # @param [String] ciphertext
+      #   the ciphertext to decrypt
+      # @param [Vault::Client] client
+      #   the Vault client to use
+      #
+      # @return [String]
+      #   the decrypted plaintext text
+      def decrypt(path, key, ciphertext, client = self.client)
+        if ciphertext.blank?
+          return ciphertext
         end
 
-        return self.force_encoding(result)
+        path = path.to_s if !path.is_a?(String)
+        key  = key.to_s if !key.is_a?(String)
+
+        with_retries do
+          if self.enabled?
+            result = self.vault_decrypt(path, key, ciphertext, client)
+          else
+            result = self.memory_decrypt(path, key, ciphertext, client)
+          end
+
+          return self.force_encoding(result)
+        end
       end
-    end
 
-    # Get the serializer that corresponds to the given key. If the key does not
-    # correspond to a known serializer, an exception will be raised.
-    #
-    # @param [#to_sym] key
-    #   the name of the serializer
-    #
-    # @return [~Serializer]
-    def self.serializer_for(key)
-      key = key.to_sym if !key.is_a?(Symbol)
-
-      if serializer = SERIALIZERS[key]
-        return serializer
-      else
-        raise Vault::Rails::UnknownSerializerError.new(key)
+      # Get the serializer that corresponds to the given key. If the key does not
+      # correspond to a known serializer, an exception will be raised.
+      #
+      # @param [#to_sym] key
+      #   the name of the serializer
+      #
+      # @return [~Serializer]
+      def serializer_for(key)
+        key = key.to_sym if !key.is_a?(Symbol)
+
+        if serializer = SERIALIZERS[key]
+          return serializer
+        else
+          raise Vault::Rails::UnknownSerializerError.new(key)
+        end
       end
-    end
 
-    private
+      protected
 
-    # Perform in-memory encryption. This is useful for testing and development.
-    def self.memory_encrypt(path, key, plaintext, client)
-      log_warning(DEV_WARNING)
+      # Perform in-memory encryption. This is useful for testing and development.
+      def memory_encrypt(path, key, plaintext, client)
+        log_warning(DEV_WARNING)
 
-      return nil if plaintext.nil?
+        return nil if plaintext.nil?
 
-      cipher = OpenSSL::Cipher::AES.new(128, :CBC)
-      cipher.encrypt
-      cipher.key = memory_key_for(path, key)
-      return Base64.strict_encode64(cipher.update(plaintext) + cipher.final)
-    end
+        cipher = OpenSSL::Cipher::AES.new(128, :CBC)
+        cipher.encrypt
+        cipher.key = memory_key_for(path, key)
+        return Base64.strict_encode64(cipher.update(plaintext) + cipher.final)
+      end
 
-    # Perform in-memory decryption. This is useful for testing and development.
-    def self.memory_decrypt(path, key, ciphertext, client)
-      log_warning(DEV_WARNING)
+      # Perform in-memory decryption. This is useful for testing and development.
+      def memory_decrypt(path, key, ciphertext, client)
+        log_warning(DEV_WARNING)
 
-      return nil if ciphertext.nil?
+        return nil if ciphertext.nil?
 
-      cipher = OpenSSL::Cipher::AES.new(128, :CBC)
-      cipher.decrypt
-      cipher.key = memory_key_for(path, key)
-      return cipher.update(Base64.strict_decode64(ciphertext)) + cipher.final
-    end
+        cipher = OpenSSL::Cipher::AES.new(128, :CBC)
+        cipher.decrypt
+        cipher.key = memory_key_for(path, key)
+        return cipher.update(Base64.strict_decode64(ciphertext)) + cipher.final
+      end
 
-    # Perform encryption using Vault. This will raise exceptions if Vault is
-    # unavailable.
-    def self.vault_encrypt(path, key, plaintext, client)
-      return nil if plaintext.nil?
+      # Perform encryption using Vault. This will raise exceptions if Vault is
+      # unavailable.
+      def vault_encrypt(path, key, plaintext, client)
+        return nil if plaintext.nil?
 
-      route  = File.join(path, "encrypt", key)
-      secret = client.logical.write(route,
-        plaintext: Base64.strict_encode64(plaintext),
-      )
-      return secret.data[:ciphertext]
-    end
+        route  = File.join(path, "encrypt", key)
+        secret = client.logical.write(route,
+          plaintext: Base64.strict_encode64(plaintext),
+        )
+        return secret.data[:ciphertext]
+      end
 
-    # Perform decryption using Vault. This will raise exceptions if Vault is
-    # unavailable.
-    def self.vault_decrypt(path, key, ciphertext, client)
-      return nil if ciphertext.nil?
+      # Perform decryption using Vault. This will raise exceptions if Vault is
+      # unavailable.
+      def vault_decrypt(path, key, ciphertext, client)
+        return nil if ciphertext.nil?
 
-      route  = File.join(path, "decrypt", key)
-      secret = client.logical.write(route, ciphertext: ciphertext)
-      return Base64.strict_decode64(secret.data[:plaintext])
-    end
+        route  = File.join(path, "decrypt", key)
+        secret = client.logical.write(route, ciphertext: ciphertext)
+        return Base64.strict_decode64(secret.data[:plaintext])
+      end
 
-    # The symmetric key for the given params.
-    # @return [String]
-    def self.memory_key_for(path, key)
-      return Base64.strict_encode64("#{path}/#{key}".ljust(32, "x"))
-    end
+      # The symmetric key for the given params.
+      # @return [String]
+      def memory_key_for(path, key)
+        return Base64.strict_encode64("#{path}/#{key}".ljust(32, "x"))
+      end
 
-    # Forces the encoding into the default Rails encoding and returns the
-    # newly encoded string.
-    # @return [String]
-    def self.force_encoding(str)
-      encoding = ::Rails.application.config.encoding || DEFAULT_ENCODING
-      str.force_encoding(encoding).encode(encoding)
-    end
+      # Forces the encoding into the default Rails encoding and returns the
+      # newly encoded string.
+      # @return [String]
+      def force_encoding(str)
+        encoding = ::Rails.application.config.encoding || DEFAULT_ENCODING
+        str.force_encoding(encoding).encode(encoding)
+      end
 
-    private
+      private
 
-    def self.with_retries(client = self.client, &block)
-      exceptions = [Vault::HTTPConnectionError, Vault::HTTPServerError]
-      options = {
-        attempts: self.retry_attempts,
-        base:     self.retry_base,
-        max_wait: self.retry_max_wait,
-      }
+      def with_retries(client = self.client, &block)
+        exceptions = [Vault::HTTPConnectionError, Vault::HTTPServerError]
+        options = {
+          attempts: self.retry_attempts,
+          base:     self.retry_base,
+          max_wait: self.retry_max_wait,
+        }
 
-      client.with_retries(exceptions, options) do |i, e|
-        if !e.nil?
-          log_warning "[vault-rails] (#{i}) An error occurred when trying to " \
-            "communicate with Vault: #{e.message}"
-        end
+        client.with_retries(*exceptions, options) do |i, e|
+          if !e.nil?
+            log_warning "[vault-rails] (#{i}) An error occurred when trying to " \
+              "communicate with Vault: #{e.message}"
+          end
 
-        yield
+          yield
+        end
       end
-    end
 
-    def self.log_warning(msg)
-      if defined?(::Rails) && ::Rails.logger != nil
-        ::Rails.logger.warn { msg }
+      def log_warning(msg)
+        if defined?(::Rails) && ::Rails.logger != nil
+          ::Rails.logger.warn { msg }
+        end
       end
     end
   end
 end
+
+Vault::Rails.setup!

data/lib/vault/rails/version.rb

@@ -1,5 +1,5 @@
 module Vault
   module Rails
-    VERSION = "0.2.0"
+    VERSION = "0.3.0"
   end
 end

data/spec/dummy/config/environments/development.rb

@@ -22,15 +22,17 @@ Rails.application.configure do
   # Raise an error on page load if there are pending migrations.
   config.active_record.migration_error = :page_load
 
-  # Debug mode disables concatenation and preprocessing of assets.
-  # This option may cause significant delays in view rendering with a large
-  # number of complex assets.
-  config.assets.debug = true
-
-  # Adds additional error checking when serving assets at runtime.
-  # Checks for improperly declared sprockets dependencies.
-  # Raises helpful error messages.
-  config.assets.raise_runtime_errors = true
+  if config.respond_to?(:assets)
+    # Debug mode disables concatenation and preprocessing of assets.
+    # This option may cause significant delays in view rendering with a large
+    # number of complex assets.
+    config.assets.debug = true
+
+    # Adds additional error checking when serving assets at runtime.
+    # Checks for improperly declared sprockets dependencies.
+    # Raises helpful error messages.
+    config.assets.raise_runtime_errors = true
+  end
 
   # Raises error for missing translations
   # config.action_view.raise_on_missing_translations = true

data/spec/dummy/config/environments/test.rb

@@ -13,8 +13,13 @@ Rails.application.configure do
   config.eager_load = false
 
   # Configure static asset server for tests with Cache-Control for performance.
-  config.serve_static_files  = true
-  config.static_cache_control = 'public, max-age=3600'
+  if config.respond_to?(:public_file_server)
+    config.public_file_server.enabled = true
+    config.public_file_server.headers = { 'Cache-Control' => 'public, max-age=3600' }
+  else
+    config.serve_static_files   = true
+    config.static_cache_control = 'public, max-age=3600'
+  end
 
   # Show full error reports and disable caching.
   config.consider_all_requests_local       = true

data/spec/dummy/config/initializers/assets.rb

@@ -1,7 +1,9 @@
 # Be sure to restart your server when you modify this file.
 
 # Version of your assets, change this if you want to expire all your assets.
-Rails.application.config.assets.version = '1.0'
+if Rails.application.config.respond_to?(:assets)
+  Rails.application.config.assets.version = '1.0'
+end
 
 # Precompile additional assets.
 # application.js, application.css, and all non-JS/CSS in app/assets folder are already added.