vault 0.1.0 → 0.1.1

data/lib/vault/api/secret.rb

@@ -0,0 +1,23 @@
+require_relative "../response"
+
+module Vault
+  # Secret is a representation of a secret.
+  class Secret < Response.new(:lease_id, :lease_duration, :renewable, :data, :auth)
+    alias_method :renewable?, :renewable
+
+    alias_method :raw_auth, :auth
+    def auth
+      return @auth if defined?(@auth)
+      if raw_auth.nil?
+        @auth = nil
+      else
+        @auth = SecretAuth.decode(raw_auth)
+      end
+    end
+  end
+
+  # SecretAuth is a struct that contains the information about auth data if present.
+  class SecretAuth < Response.new(:client_token, :policies, :metadata, :lease_duration, :renewable)
+    alias_method :renewable?, :renewable
+  end
+end

data/lib/vault/api/sys.rb

@@ -0,0 +1,24 @@
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+  class Client
+    # A proxy to the {Sys} methods.
+    # @return [Sys]
+    def sys
+      @sys ||= Sys.new(self)
+    end
+  end
+
+  class Sys < Request; end
+end
+
+require_relative "sys/audit"
+require_relative "sys/auth"
+require_relative "sys/init"
+require_relative "sys/leader"
+require_relative "sys/lease"
+require_relative "sys/mount"
+require_relative "sys/policy"
+require_relative "sys/seal"

data/lib/vault/api/sys/audit.rb

@@ -0,0 +1,60 @@
+require "json"
+
+require_relative "../sys"
+
+module Vault
+  class Audit < Response.new(:type, :description, :options); end
+
+  class Sys
+    # List all audis for the vault.
+    #
+    # @example
+    #   Vault.sys.audits #=> { :file => #<Audit> }
+    #
+    # @return [Hash<Symbol, Audit>]
+    def audits
+      json = client.get("/v1/sys/audit")
+      return Hash[*json.map do |k,v|
+        [k.to_s.chomp("/").to_sym, Audit.decode(v)]
+      end.flatten]
+    end
+
+    # Enable a particular audit. Note: the +options+ depend heavily on the
+    # type of audit being enabled. Please refer to audit-specific documentation
+    # for which need to be enabled.
+    #
+    # @example
+    #   Vault.sys.enable_audit("/file-audit", "file", "File audit", path: "/path/on/disk") #=> true
+    #
+    # @param [String] path
+    #   the path to mount the audit
+    # @param [String] type
+    #   the type of audit to enable
+    # @param [String] description
+    #   a human-friendly description of the audit backend
+    # @param [Hash] options
+    #   audit-specific options
+    #
+    # @return [true]
+    def enable_audit(path, type, description, options = {})
+      client.put("/v1/sys/audit/#{path}", JSON.fast_generate(
+        type:        type,
+        description: description,
+        options:     options,
+      ))
+      return true
+    end
+
+    # Disable a particular audit. If an audit does not exist, and error will be
+    # raised.
+    #
+    # @param [String] path
+    #   the path of the audit to disable
+    #
+    # @return [true]
+    def disable_audit(path)
+      client.delete("/v1/sys/audit/#{path}")
+      return true
+    end
+  end
+end

data/lib/vault/api/sys/auth.rb

@@ -0,0 +1,58 @@
+require "json"
+
+require_relative "../sys"
+
+module Vault
+  class Auth < Response.new(:type, :description); end
+
+  class Sys
+    # List all auths in Vault.
+    #
+    # @example
+    #   Vault.sys.auths #=> {:token => #<Vault::Auth type="token", description="token based credentials">}
+    #
+    # @return [Hash<Symbol, Auth>]
+    def auths
+      json = client.get("/v1/sys/auth")
+      return Hash[*json.map do |k,v|
+        [k.to_s.chomp("/").to_sym, Auth.decode(v)]
+      end.flatten]
+    end
+
+    # Enable a particular authentication at the given path.
+    #
+    # @example
+    #   Vault.sys.enable_auth("github", "github") #=> true
+    #
+    # @param [String] path
+    #   the path to mount the auth
+    # @param [String] type
+    #   the type of authentication
+    # @param [String] description
+    #   a human-friendly description (optional)
+    #
+    # @return [true]
+    def enable_auth(path, type, description = nil)
+      payload = { type: type }
+      payload[:description] = description if !description.nil?
+
+      client.post("/v1/sys/auth/#{path}", JSON.fast_generate(payload))
+      return true
+    end
+
+    # Disable a particular authentication at the given path. If not auth
+    # exists at that path, an error will be raised.
+    #
+    # @example
+    #   Vault.sys.disable_auth("github") #=> true
+    #
+    # @param [String] path
+    #   the path to disable
+    #
+    # @return [true]
+    def disable_auth(path)
+      client.delete("/v1/sys/auth/#{path}")
+      return true
+    end
+  end
+end

data/lib/vault/api/sys/init.rb

@@ -0,0 +1,46 @@
+require "json"
+
+require_relative "../sys"
+
+module Vault
+  class InitResponse < Response.new(:keys, :root_token); end
+
+  class InitStatus < Response.new(:initialized)
+    alias_method :initialized?, :initialized
+  end
+
+  class Sys
+    # Show the initialization status for this vault.
+    #
+    # @example
+    #   Vault.sys.init_status #=> #<Vault::InitStatus initialized=true>
+    #
+    # @return [InitStatus]
+    def init_status
+      json = client.get("/v1/sys/init")
+      return InitStatus.decode(json)
+    end
+
+    # Initialize a new vault.
+    #
+    # @example
+    #   Vault.sys.init #=> #<Vault::InitResponse keys=["..."] root_token="...">
+    #
+    # @param [Hash] options
+    #   the list of init options
+    #
+    # @option options [Fixnum] :shares
+    #   the number of shares
+    # @option options [Fixnum] :threshold
+    #   the number of keys needed to unlock
+    #
+    # @return [InitResponse]
+    def init(options = {})
+      json = client.put("/v1/sys/init", JSON.fast_generate(
+        secret_shares:    options.fetch(:shares, 5),
+        secret_threshold: options.fetch(:threshold, 3),
+      ))
+      return InitResponse.decode(json)
+    end
+  end
+end

data/lib/vault/api/sys/leader.rb

@@ -0,0 +1,25 @@
+require_relative "../sys"
+
+module Vault
+  class LeaderStatus < Response.new(:ha_enabled, :is_self, :leader_address)
+    alias_method :ha_enabled?, :ha_enabled
+    alias_method :ha?, :ha_enabled
+    alias_method :is_self?, :is_self
+    alias_method :is_leader?, :is_self
+    alias_method :leader?, :is_self
+    alias_method :address, :leader_address
+  end
+
+  class Sys
+    # Determine the leader status for this vault.
+    #
+    # @example
+    #   Vault.sys.leader #=> #<Vault::LeaderStatus ha_enabled=false, is_self=false, leader_address="">
+    #
+    # @return [LeaderStatus]
+    def leader
+      json = client.get("/v1/sys/leader")
+      return LeaderStatus.decode(json)
+    end
+  end
+end

data/lib/vault/api/sys/lease.rb

@@ -0,0 +1,51 @@
+require_relative "../sys"
+
+module Vault
+  class Sys
+    # Renew a lease with the given ID.
+    #
+    # @example
+    #   Vault.sys.renew("aws/username") #=> #<Vault::Secret ...>
+    #
+    # @param [String] id
+    #   the lease ID
+    # @param [Fixnum] increment
+    #
+    # @return [Secret]
+    def renew(id, increment = 0)
+      json = client.put("/v1/sys/renew/#{id}", JSON.fast_generate(
+        increment: increment,
+      ))
+      return Secret.decode(json)
+    end
+
+    # Revoke the secret at the given id. If the secret does not exist, an error
+    # will be raised.
+    #
+    # @example
+    #   Vault.sys.revoke("aws/username") #=> true
+    #
+    # @param [String] id
+    #   the lease ID
+    #
+    # @return [true]
+    def revoke(id)
+      client.put("/v1/sys/revoke/#{id}", nil)
+      return true
+    end
+
+    # Revoke all secrets under the given prefix.
+    #
+    # @example
+    #   Vault.sys.revoke_prefix("aws") #=> true
+    #
+    # @param [String] id
+    #   the lease ID
+    #
+    # @return [true]
+    def revoke_prefix(id)
+      client.put("/v1/sys/revoke-prefix/#{id}", nil)
+      return true
+    end
+  end
+end

data/lib/vault/api/sys/mount.rb

@@ -0,0 +1,75 @@
+require "json"
+
+require_relative "../sys"
+
+module Vault
+  class Mount < Response.new(:type, :description); end
+
+  class Sys < Request
+    # List all mounts in the vault.
+    #
+    # @example
+    #   Vault.sys.mounts #=> { :secret => #<struct Vault::Mount type="generic", description="generic secret storage"> }
+    #
+    # @return [Hash<Symbol, Mount>]
+    def mounts
+      json = client.get("/v1/sys/mounts")
+      return Hash[*json.map do |k,v|
+        [k.to_s.chomp("/").to_sym, Mount.decode(v)]
+      end.flatten]
+    end
+
+    # Create a mount at the given path.
+    #
+    # @example
+    #   Vault.sys.mount("pg", "postgresql", "Postgres user management") #=> true
+    #
+    # @param [String] path
+    #   the path to mount at
+    # @param [String] type
+    #   the type of mount
+    # @param [String] description
+    #   a human-friendly description (optional)
+    def mount(path, type, description = nil)
+      payload = { type: type }
+      payload[:description] = description if !description.nil?
+
+      client.post("/v1/sys/mounts/#{path}", JSON.fast_generate(payload))
+      return true
+    end
+
+    # Unmount the thing at the given path. If the mount does not exist, an error
+    # will be raised.
+    #
+    # @example
+    #   Vault.sys.unmount("pg") #=> true
+    #
+    # @param [String] path
+    #   the path to unmount
+    #
+    # @return [true]
+    def unmount(path)
+      client.delete("/v1/sys/mounts/#{path}")
+      return true
+    end
+
+    # Change the name of the mount
+    #
+    # @example
+    #   Vault.sys.remount("pg", "postgres") #=> true
+    #
+    # @param [String] from
+    #   the origin mount path
+    # @param [String] to
+    #   the new mount path
+    #
+    # @return [true]
+    def remount(from, to)
+      client.post("/v1/sys/remount", JSON.fast_generate(
+        from: from,
+        to:   to,
+      ))
+      return true
+    end
+  end
+end

data/lib/vault/api/sys/policy.rb

@@ -0,0 +1,76 @@
+require "json"
+
+require_relative "../sys"
+
+module Vault
+  class Policy < Response.new(:rules); end
+
+  class Sys
+    # The list of policies in vault.
+    #
+    # @example
+    #   Vault.sys.policies #=> ["root"]
+    #
+    # @return [Array<String>]
+    def policies
+      client.get("/v1/sys/policy")[:policies]
+    end
+
+    # Get the policy by the given name. If a policy does not exist by that name,
+    # +nil+ is returned.
+    #
+    # @example
+    #   Vault.sys.policy("root") #=> #<Vault::Policy rules="">
+    #
+    # @return [Policy, nil]
+    def policy(name)
+      json = client.get("/v1/sys/policy/#{name}")
+      return Policy.decode(json)
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Create a new policy with the given name and rules.
+    #
+    # @example
+    #   policy = <<-EOH
+    #     path "sys" {
+    #       policy = "deny"
+    #     }
+    #   EOH
+    #   Vault.sys.put_policy("dev", policy) #=> true
+    #
+    # It is recommend that you load policy rules from a file:
+    #
+    # @example
+    #   policy = File.read("/path/to/my/policy.hcl")
+    #   Vault.sys.put_policy("dev", policy)
+    #
+    # @param [String] name
+    #   the name of the policy
+    # @param [String] rules
+    #   the policy rules
+    #
+    # @return [true]
+    def put_policy(name, rules)
+      client.put("/v1/sys/policy/#{name}", JSON.fast_generate(
+        rules: rules,
+      ))
+      return true
+    end
+
+    # Delete the policy with the given name. If a policy does not exist, vault
+    # will not return an error.
+    #
+    # @example
+    #   Vault.sys.delete_policy("dev") #=> true
+    #
+    # @param [String] name
+    #   the name of the policy
+    def delete_policy(name)
+      client.delete("/v1/sys/policy/#{name}")
+      return true
+    end
+  end
+end