vault-update 1.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 64568df3de6bce221ef106e106b16122acaa532b
+  data.tar.gz: 232e7b2384632d90d9d84e500214e4023dc864fa
+SHA512:
+  metadata.gz: 96ad1c2b7b6091ccc4ac8d662198bd724d47f4e19b6589330b7cf2a33945690349ae74db74c62e1bfbc606e09ad765532a2d6c07f18d37a856a74cdbe48b39a2
+  data.tar.gz: cbd564b8111d938cfb0f7bf445f45db1b2e332e2f249dcb9173bd8e302ab3e2276ebbfebf6a839f593b9cafd82fd8161362f6c52019898786c4602ef74b7edaf

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+LATEST_CHANGELOG.md

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.rubocop.yml

@@ -0,0 +1,33 @@
+Metrics/LineLength:
+  Max: 100
+
+Metrics/MethodLength:
+  Max: 50
+
+Metrics/ClassLength:
+  Max: 300
+
+# Lining up the attributes of some methods is advantageous for readability
+Style/SpaceBeforeFirstArg:
+  Enabled: false
+
+Style/ExtraSpacing:
+  Enabled: false
+
+Style/SpaceAroundOperators:
+  Enabled: false
+
+Documentation:
+  Enabled: false
+
+Metrics/CyclomaticComplexity:
+  Max: 12
+
+Metrics/PerceivedComplexity:
+  Max: 12
+
+Metrics/AbcSize:
+  Max: 50
+
+Style/FileName:
+  Enabled: false

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.3.1
+before_install: gem install bundler -v 1.13.3

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in vault-update.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Eric Herot
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,94 @@
+# VaultUpdate
+
+A tool to safely update Vault. Existing data is stored in history (which means rollbacks are supported). Diffs are printed. Individual keys can be updated at once.
+
+# Installation
+
+Install it yourself:
+
+```
+$ gem install vault-update
+```
+
+# Usage
+
+First, ensure that the `VAULT_ADDR` and `VAULT_TOKEN` environment variables are set, then...
+
+The basic summary:
+
+```
+$ vault-update --help
+Safely update Vault secrets (with rollbacks and history!)
+
+Usage:
+       vault-update [options] -p SECRET_PATH KEY VALUE
+
+Environment Variables:
+    VAULT_ADDR (required)
+    VAULT_TOKEN (required)
+
+Options:
+  -r, --rollback       Roll back to previous release
+  -p, --path=<s>       Secret path to update
+  -s, --history=<i>    Show the last N entries of history
+  -l, --last           Show the last value
+  -h, --help           Show this message
+```
+
+## Write a string value to a key
+
+```
+$ vault-update -p secret/example mykey myvalue
+Applying changes to secret/example:
+
+-null
++{
++  "mykey": "myvalue"
++}
+```
+
+## Roll the secret back to its previous value
+
+```
+$ vault-update -p secret/example -r
+Writing to secret/example:
+{"mykey":"myvalue"}
+```
+
+
+## Show the current contents of the secret
+
+```
+$ vault-update -p secret/example -c
+{
+  "mykey": "myvalue"
+}
+```
+
+## Show the previous value (but do not roll back)
+
+```
+$ vault-update -p secret/example -l
+{
+  "mykey": "oldvalue"
+}
+```
+
+## Show the last N history entries
+
+```
+$ vault-update -p secret/example -s 2
+2016-10-26 17:14:56 -0400:
+{
+  "mykey": "reallyoldvalue"
+}
+
+2016-10-26 17:15:03 -0400:
+{
+  "mykey": "oldvalue"
+}
+```
+
+# License
+
+The gem is available as open source under the terms of the Apache license.

data/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'vault/update'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require 'pry'
+# Pry.start
+
+require 'irb'
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/vault-update

@@ -0,0 +1,4 @@
+require 'vault-update/version'
+require 'vault-update'
+
+VaultUpdate.new.run

data/lib/vault-update.rb

@@ -0,0 +1,163 @@
+require 'vault-update/version'
+require 'vault'
+require 'trollop'
+require 'json'
+require 'diffy'
+
+class MissingInputError < StandardError; end
+class NoHistoryError < StandardError; end
+class NoUpdateError < StandardError; end
+
+class VaultUpdate
+  def run
+    if opts[:history]
+      secret_history.sort_by { |ts, _data| ts }[-history_fetch_size..-1].each do |ts, data|
+        puts "#{Time.at(ts.to_s.to_i)}:"
+        puts JSON.pretty_generate(data) + "\n\n"
+      end
+    elsif opts[:last]
+      puts JSON.pretty_generate(secret_history.sort_by { |ts, _data| ts }.last[1])
+    elsif opts[:rollback]
+      rollback_secret
+    elsif opts[:current]
+      puts JSON.pretty_generate(vault_read(opts[:path]))
+    else
+      update
+    end
+  rescue MissingInputError, TypeError => e
+    raise e unless e.class == TypeError && e.message == 'no implicit conversion of nil into String'
+    Trollop.die 'KEY and VALUE must be provided'
+  rescue NoUpdateError
+    puts 'Nothing to do'
+    exit 0
+  rescue NoHistoryError
+    puts "ERROR: There is no history for #{opts[:path]}"
+    exit 2
+  end
+
+  private
+
+  def history_fetch_size
+    opts[:history] > secret_history.count ? secret_history.count : opts[:history]
+  end
+
+  def update
+    update_value = ARGV.pop
+
+    # JSON is optional in the value field, so we have this funny business
+    update_value = (
+      begin
+        JSON.parse update_value
+      rescue JSON::ParserError
+        update_value
+      end
+    )
+
+    update_key = ARGV.pop
+
+    raise(MissingInputError) unless update_key && update_value
+
+    update_secret update_key.to_sym => update_value
+  end
+
+  def debug?
+    ENV['DEBUG']
+  end
+
+  def rollback_secret
+    raise NoHistoryError unless previous_update
+    current_secret_value = vault_read opts[:path]
+
+    # Update history with {} if empty now
+    secret_history[Time.now.to_i] = (current_secret_value || {})
+    vault_write "#{opts[:path]}_history", secret_history
+
+    puts "Writing to #{opts[:path]}:\n#{previous_update.to_json}" unless debug?
+    vault_write opts[:path], previous_update
+  end
+
+  def update_secret(update_hash)
+    data =
+      if (current_secret_value = vault_read opts[:path])
+        secret_history[Time.now.to_i] = current_secret_value
+        vault_write "#{opts[:path]}_history", secret_history
+        current_secret_value.merge(update_hash)
+      else
+        update_hash
+      end
+
+    if debug?
+      puts "current_secret_value: #{current_secret_value}"
+      puts "update_hash: #{update_hash}"
+    end
+
+    raise NoUpdateError if current_secret_value == data
+
+    puts "Applying changes to #{opts[:path]}:\n\n"
+    puts Diffy::Diff.new(
+      JSON.pretty_generate(current_secret_value) + "\n", # What to do if no existing content
+      JSON.pretty_generate(data) + "\n"
+    ).to_s(:color)
+
+    vault_write opts[:path], data
+  end
+
+  def previous_update
+    @previous_update ||= begin
+      return nil unless (r = secret_history).any?
+      r[r.keys.sort.last] # Return the value with the highest key
+    end
+  end
+
+  def secret_history
+    @secret_history ||= begin
+      r = vault_read("#{opts[:path]}_history")
+      r ? r.dup : {}
+    end
+  end
+
+  def opts
+    @opts ||= begin
+      opts = Trollop.options do
+        banner(
+          "Safely update Vault secrets (with rollbacks and history!)\n\n" \
+          "Usage:\n" \
+          "       vault-update [options] -p SECRET_PATH KEY VALUE\n" \
+          "\nEnvironment Variables:\n" \
+          "    VAULT_ADDR (required)\n" \
+          "    VAULT_TOKEN (required)\n" \
+          "\nOptions:"
+        )
+        opt :rollback, 'Roll back to previous release', short: 'r'
+        opt :path, 'Secret path to update', short: 'p', required: true, type: String
+        opt :history, 'Show the last N entries of history', short: 's', type: Integer
+        opt :last, 'Show the last value', short: 'l'
+        opt :current, 'Show the current contents of the secret', short: 'c'
+      end
+      raise 'VAULT_ADDR and VAULT_TOKEN must be set' unless ENV['VAULT_ADDR'] && ENV['VAULT_TOKEN']
+      opts
+    end
+  end
+
+  def vault_write(path, data)
+    puts "Writing to #{path}:\n#{data.inspect}" if debug?
+    vault.with_retries(Vault::HTTPConnectionError) do |attempt, e|
+      puts "Received exception #{e} from Vault - attempt #{attempt}" if e
+      vault.logical.write(path, data)
+    end
+  end
+
+  def vault_read(path)
+    r = vault.with_retries(Vault::HTTPConnectionError) do |attempt, e|
+      puts "Received exception #{e} from Vault - attempt #{attempt}" if e
+      vault.logical.read(path)
+    end
+    res = r ? r.data : nil
+    puts "Read from #{path}:\n#{res.to_json}" if debug?
+    res
+  end
+
+  def vault
+    @vault ||= Vault::Client.new
+  end
+end

data/lib/vault-update/version.rb

@@ -0,0 +1,3 @@
+class VaultUpdate
+  VERSION = '1.0.2'.freeze
+end

data/vault-update.gemspec

@@ -0,0 +1,31 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'vault-update/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'vault-update'
+  spec.version       = VaultUpdate::VERSION
+  spec.authors       = ['Eric Herot']
+  spec.email         = ['devops@evertrue.com']
+
+  spec.summary       = 'Safely updates a Vault secret while also keeping history.'
+  # spec.description   = 'TODO: Write a longer description or delete this line.'
+  spec.homepage      = 'https://evertrue.github.io'
+  spec.license       = 'Apache'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'diffy'
+  spec.add_dependency 'trollop'
+  spec.add_dependency 'vault'
+
+  spec.add_development_dependency 'bundler', '~> 1.13'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+end

metadata

@@ -0,0 +1,143 @@
+--- !ruby/object:Gem::Specification
+name: vault-update
+version: !ruby/object:Gem::Version
+  version: 1.0.2
+platform: ruby
+authors:
+- Eric Herot
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2016-10-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: diffy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: trollop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: vault
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.13'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: 
+email:
+- devops@evertrue.com
+executables:
+- vault-update
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/vault-update
+- lib/vault-update.rb
+- lib/vault-update/version.rb
+- vault-update.gemspec
+homepage: https://evertrue.github.io
+licenses:
+- Apache
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Safely updates a Vault secret while also keeping history.
+test_files: []