vault 0.1.0 → 0.1.1

data/README.md

@@ -1,73 +1,99 @@
-Vault, a lightweight Object Document Mapper
-===========================================
+Vault Ruby Client
+=================
+[![Build Status](https://secure.travis-ci.org/hashicorp/vault-ruby.png?branch=master)](http://travis-ci.org/hashicorp/vault-ruby)
 
-    class User
-      include Vault
+Vault is the official Ruby client for interacting with [Vault](https://vaultproject.io) by HashiCorp.
 
-      key      :id
-      property :name
-      property :email
-    end
+Quick Start
+-----------
+Install via Rubygems:
 
-    user = User.new(:id => 1, :name => "John", :email => "john@example.org")
-    user.save
+    $ gem install vault
 
-    User.find(1) #=> user
-    User.all     #=> [user]
-    User.size    #=> 1
+or add it to your Gemfile if you're using Bundler:
 
-Storage
--------
+```ruby
+gem "vault", "~> 0.1"
+```
 
-By default Vault stores everything in an in-memory hash. Each model (class in
-which you included the `Vault` module) has its own, independent storage.
+and then run the `bundle` command to install.
 
-Subclasses of a model share their storage with their parent.
+Start a Vault client:
 
-To change the storage you can call `store_objects_in(store)` in the class
-definition. A store is any object that implements this API:
+```ruby
+Vault.address = "http://127.0.0.1:8200" # Also reads from ENV["VAULT_ADDR"]
+Vault.token   = "abcd-1234" # Also reads from ENV["VAULT_TOKEN"]
 
-* `Store#size` returns an integer with the total amount of elements in the store
-* `Store#each(&block)` a store must implement `each` and include Enumerable
-* `Store#[](key)` receiving the key it should return a hash of all attributes
-**except for the key**.
-* `Store#[]=(key, attributes)` attributes will be a hash with the attributes
-**except** for the key.
-* `Store#delete(key)` shall delete the item without the given key.
-* `Store#filter(hash)` should return a new object of the same class as the
-  original store, but only with objects whose properties match those of the
-  argument.
+Vault.sys.mounts #=> { :secret => #<struct Vault::Mount type="generic", description="generic secret storage"> }
+```
 
-This library provides two storage mechanisms out of the box:
+Usage
+-----
+The following configuration options are available:
 
-* `Vault::Storage::InMemoryStore` is a simple hash storage (and the default)
-* `Vault::Storage::YamlStore` serializes the contents to disk as a YAML file
+```ruby
+Vault::Client.configure do |config|
+  # The address of the Vault server, also read as ENV["VAULT_TOKEN"]
+  config.address = "https://127.0.0.1:8200"
 
-TODO
-----
+  # The token to authenticate with Vault, also read as ENV["VAULT_TOKEN"]
+  config.token = "abcd-1234"
 
-* Relationships/Associations
+  # Proxy connection information, also read as ENV["VAULT_PROXY_(thing)"]
+  config.proxy_address  = "..."
+  config.proxy_port     = "..."
+  config.proxy_username = "..."
+  config.proxy_password = "..."
 
-More docs?
-----------
+  # Custom SSL PEM, also read as ENV["VAULT_SSL_CERT"]
+  config.ssl_pem_file = "/path/on/disk.pem"
 
-I will get to it eventually. For now, read the specs and the source—it is a
-small library. Or help and write some docs :)
+  # Use SSL verification, also read as ENV["VAULT_SSL_VERIFY"]
+  config.ssl_verify = false
+end
+```
 
-Note on Patches/Pull Requests
------------------------------
+If you do not want the Vault singleton, of if you need to communicate with multiple Vault servers at once, you can create indepenent client objects:
 
-* Fork the project.
-* Make your feature addition or bug fix.
-* Add tests for it. This is important so I don’t break it in a future version
-  unintentionally.
-* Commit, do not mess with Rakefile, version, or history. (if you want to have
-  your own version, that is fine but bump version in a commit by itself I can
-  ignore when I pull.)
-* Send me a pull request. Bonus points for topic branches.
+```ruby
+client_1 = Vault::Client.new(address: "https://vault.mycompany.com")
+client_2 = Vault::Client.new(address: "https://other-vault.mycompany.com")
+```
 
-Copyright
----------
+### Making requests
+All of the methods and API calls are heavily documented with examples inline using YARD. In order to keep the examples versioned with the code, the README only lists a few examples for using the Vault gem. Please see the inline documentation for the full API documentation. The tests in the 'spec' directory are an additional source of examples.
 
-Copyright © 2010 [Nicolás Sanguinetti](http://github.com/foca), licensed under
-an MIT license. See MIT-LICENSE for details.
+#### Seal Status
+```ruby
+Vault.sys.seal_status
+#=> #<Vault::SealStatus sealed=false, t=1, n=1, progress=0>
+```
+
+#### Create a Secret
+```ruby
+Vault.logical.write("secret/bacon", delicious: true, cooktime: "11")
+#=> #<Vault::Secret lease_id="">
+```
+
+#### Retrieve a Secret
+```ruby
+Vault.logical.read("secret/bacon")
+#=> #<Vault::Secret lease_id="">
+```
+
+#### Seal the Vault
+```ruby
+Vault.sys.seal #=> true
+```
+
+Development
+-----------
+1. Clone the project on GitHub
+2. Create a feature branch
+3. Submit a Pull Request
+
+Important Notes:
+
+- **All new features must include test coverage.** At a bare minimum, Unit tests are required. It is preferred if you include acceptance tests as well.
+- **The tests must be be idempotent.** The HTTP calls made during a test should be able to be run over and over.
+- **Tests are order independent.** The default RSpec configuration randomizes the test order, so this should not be a problem.

data/Rakefile

@@ -1,42 +1,6 @@
-$LOAD_PATH.unshift File.expand_path("../lib", __FILE__)
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
 
-require "rake"
-require "rake/gempackagetask"
-require "rake/rdoctask"
+RSpec::Core::RakeTask.new(:spec)
 
-require "vault/version"
-
-begin
-  require "spec/rake/spectask"
-
-  Spec::Rake::SpecTask.new(:spec) do |spec|
-    spec.pattern = "spec/**/*_spec.rb"
-    spec.spec_opts << "--color" << "--format specdoc"
-  end
-
-  task :default => ["spec"]
-rescue LoadError
-end
-
-spec = Gem::Specification.new do |s|
-  s.name              = "vault"
-  s.version           = Vault::Version::STRING
-  s.summary           = "Provides a very lightweight ODM"
-  s.author            = "Nicolás Sanguinetti"
-  s.email             = "hi@nicolassanguinetti.info"
-  s.homepage          = "http://github.com/foca/vault"
-
-  s.has_rdoc          = true
-  s.extra_rdoc_files  = %w(README.md MIT-LICENSE)
-
-  s.files             = Dir['Rakefile', '{bin,lib,man,test,spec}/**/*', 'README*', '*LICENSE*'] & `git ls-files -z`.split("\0")
-
-  s.require_paths     = ["lib"]
-
-  s.add_dependency("activemodel", "3.0.0.beta.3")
-  s.add_development_dependency("rspec", "~> 1.3")
-end
-
-Rake::GemPackageTask.new(spec) do |pkg|
-  pkg.gem_spec = spec
-end
+task default: :spec

data/lib/vault.rb

@@ -1,53 +1,40 @@
-require "set"
-require "active_model"
-require "active_support/core_ext/hash/except"
-require "active_support/core_ext/module/delegation"
-require "active_support/core_ext/class/attribute_accessors"
-
 module Vault
-  extend ActiveSupport::Concern
-  extend ActiveSupport::Autoload
-
-  autoload :Associations
-  autoload :AttributeAccessors
-  autoload :BulkAttributes
-  autoload :Dirty
-  autoload :Finders
-  autoload :Persistance
-  autoload :Properties
-  autoload :Scoping
-  autoload :Storage
-  autoload :Validations
-
-  module Storage
-    extend ActiveSupport::Autoload
-    autoload :InMemoryStore
-    autoload :YamlStore
-  end
-
-  included do
-    extend ActiveModel::Naming
-    extend Properties
-    extend Finders
-    extend Scoping
-    extend Associations
-
-    include BulkAttributes
-    include AttributeAccessors
-    include Persistance
-    include Dirty
-    include Validations
-
-    # Convenience methods to provide ActiveModel's API
-    include ActiveModel::Conversion
+  require_relative "vault/client"
+  require_relative "vault/configurable"
+  require_relative "vault/defaults"
+  require_relative "vault/errors"
+  require_relative "vault/response"
+  require_relative "vault/version"
+
+  require_relative "vault/api"
+
+  extend Vault::Configurable
+
+  # API client object based off the configured options in {Configurable}.
+  #
+  # @return [Vault::Client]
+  def self.client
+    if !defined?(@client) || !@client.same_options?(options)
+      @client = Vault::Client.new(options)
+    end
+    @client
   end
 
-  def key
-    send(self.class.key)
+  # Delegate all methods to the client object, essentially making the module
+  # object behave like a {Client}.
+  def self.method_missing(m, *args, &block)
+    if client.respond_to?(m)
+      client.send(m, *args, &block)
+    else
+      super
+    end
   end
-  alias_method :id, :key
 
-  def ==(other)
-    key == other.key
+  # Delegating +respond_to+ to the {Client}.
+  def self.respond_to_missing?(m, include_private = false)
+    client.respond_to?(m) || super
   end
 end
+
+# Load the initial default values
+Vault.setup!

data/lib/vault/api.rb

@@ -0,0 +1,9 @@
+module Vault
+  module API
+    require_relative "api/auth_token"
+    require_relative "api/help"
+    require_relative "api/logical"
+    require_relative "api/secret"
+    require_relative "api/sys"
+  end
+end

data/lib/vault/api/auth_token.rb

@@ -0,0 +1,90 @@
+require "json"
+
+require_relative "secret"
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+  class Client
+    # A proxy to the {AuthToken} methods.
+    # @return [AuthToken]
+    def auth_token
+      @auth_token ||= AuthToken.new(self)
+    end
+  end
+
+  class AuthToken < Request
+    # Create an authentication token.
+    #
+    # @example
+    #   Vault.auth_token.create #=> #<Vault::Secret lease_id="">
+    #
+    # @param [Hash] options
+    #
+    # @return [Secret]
+    def create(options = {})
+      json = client.post("/v1/auth/token/create", JSON.fast_generate(options))
+      return Secret.decode(json)
+    end
+
+    # Renew the given authentication token.
+    #
+    # @example
+    #   Vault.auth_token.renew("abcd-1234") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] id
+    #   the auth id
+    # @param [Fixnum] increment
+    #
+    # @return [Secret]
+    def renew(id, increment = 0)
+      json = client.put("/v1/auth/token/renew/#{id}", JSON.fast_generate(
+        increment: increment,
+      ))
+      return Secret.decode(json)
+    end
+
+    # Revoke exactly the orphans at the id.
+    #
+    # @example
+    #   Vault.auth_token.revoke_orphan("abcd-1234") #=> true
+    #
+    # @param [String] id
+    #   the auth id
+    #
+    # @return [true]
+    def revoke_orphan(id)
+      client.put("/v1/auth/token/revoke-orphan/#{id}", nil)
+      return true
+    end
+
+    # Revoke all auth at the given prefix.
+    #
+    # @example
+    #   Vault.auth_token.revoke_prefix("abcd-1234") #=> true
+    #
+    # @param [String] id
+    #   the auth id
+    #
+    # @return [true]
+    def revoke_prefix(prefix)
+      client.put("/v1/auth/token/revoke-prefix/#{prefix}", nil)
+      return true
+    end
+
+    # Revoke all auths in the tree.
+    #
+    # @example
+    #   Vault.auth_token.revoke_tree("abcd-1234") #=> true
+    #
+    # @param [String] id
+    #   the auth id
+    #
+    # @return [true]
+    def revoke_tree(id)
+      client.put("/v1/auth/token/revoke/#{id}", nil)
+      return true
+    end
+  end
+end

data/lib/vault/api/help.rb

@@ -0,0 +1,23 @@
+require_relative "../client"
+require_relative "../response"
+
+module Vault
+  # Help is the response from a help query.
+  class Help < Response.new(:help, :see_also); end
+
+  class Client
+    # Gets help for the given path.
+    #
+    # @example
+    #   Vault.help #=> #<Vault::Help help="..." see_also="...">
+    #
+    # @param [String] path
+    #   the path to get help for
+    #
+    # @return [Help]
+    def help(path)
+      json = self.get("/v1/#{path}", help: 1)
+      return Help.decode(json)
+    end
+  end
+end

data/lib/vault/api/logical.rb

@@ -0,0 +1,66 @@
+require_relative "secret"
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+  class Client
+    # A proxy to the {Logical} methods.
+    # @return [Logical]
+    def logical
+      @logical ||= Logical.new(self)
+    end
+  end
+
+  class Logical < Request
+    # Read the secret at the given path. If the secret does not exist, +nil+
+    # will be returned.
+    #
+    # @example
+    #   Vault.logical.read("secret/password") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] path
+    #   the path to read
+    #
+    # @return [Secret, nil]
+    def read(path)
+      json = client.get("/v1/#{path}")
+      return Secret.decode(json)
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Write the secret at the given path with the given data. Note that the
+    # data must be a {Hash}!
+    #
+    # @example
+    #   Vault.logical.write("secret/password", value: "secret") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] path
+    #   the path to write
+    # @param [Hash] data
+    #   the data to write
+    #
+    # @return [Secret]
+    def write(path, data = {})
+      client.put("/v1/#{path}", JSON.fast_generate(data))
+      return read(path)
+    end
+
+    # Delete the secret at the given path. If the secret does not exist, vault
+    # will still return true.
+    #
+    # @example
+    #   Vault.logical.delete("secret/password") #=> true
+    #
+    # @param [String] path
+    #   the path to delete
+    #
+    # @return [true]
+    def delete(path)
+      client.delete("/v1/#{path}")
+      return true
+    end
+  end
+end