vault 0.10.0 → 0.16.0

data/lib/vault/api/secret.rb

@@ -32,6 +32,18 @@ module Vault
     #   @return [Hash<Symbol, Object>]
     field :data, freeze: true
 
+    # @!attribute [r] metadata
+    #   Read-only metadata information related to the secret.
+    #
+    #   @example Reading metadata
+    #     secret = Vault.logical(:versioned).read("secret", "foo")
+    #     secret.metadata[:created_time] #=> "2018-12-08T04:22:54.168065Z"
+    #     secret.metadata[:version]      #=> 1
+    #     secret.metadata[:destroyed]    #=> false
+    #
+    #   @return [Hash<Symbol, Object>]
+    field :metadata, freeze: true
+
     # @!attribute [r] lease_duration
     #   The number of seconds this lease is valid. If this number is 0 or nil,
     #   the secret does not expire.

data/lib/vault/api/sys.rb

@@ -16,9 +16,12 @@ end
 
 require_relative "sys/audit"
 require_relative "sys/auth"
+require_relative "sys/health"
 require_relative "sys/init"
 require_relative "sys/leader"
 require_relative "sys/lease"
 require_relative "sys/mount"
+require_relative "sys/namespace"
 require_relative "sys/policy"
+require_relative "sys/quota"
 require_relative "sys/seal"

data/lib/vault/api/sys/audit.rb

@@ -19,7 +19,7 @@ module Vault
   end
 
   class Sys
-    # List all audis for the vault.
+    # List all audits for the vault.
     #
     # @example
     #   Vault.sys.audits #=> { :file => #<Audit> }
@@ -70,5 +70,22 @@ module Vault
       client.delete("/v1/sys/audit/#{encode_path(path)}")
       return true
     end
+
+    # Generates a HMAC verifier for a given input.
+    #
+    # @example
+    #   Vault.sys.audit_hash("file-audit", "my input") #=> "hmac-sha256:30aa7de18a5e90bbc1063db91e7c387b32b9fa895977eb8c177bbc91e7d7c542"
+    #
+    # @param [String] path
+    #   the path of the audit backend
+    # @param [String] input
+    #   the input to generate a HMAC for
+    #
+    # @return [String]
+    def audit_hash(path, input)
+      json = client.post("/v1/sys/audit-hash/#{encode_path(path)}", JSON.fast_generate(input: input))
+      json = json[:data] if json[:data]
+      json[:hash]
+    end
   end
 end

data/lib/vault/api/sys/health.rb

@@ -0,0 +1,63 @@
+require "json"
+
+module Vault
+  class HealthStatus < Response
+    # @!attribute [r] initialized
+    #   Whether the Vault server is Initialized.
+    #   @return [Boolean]
+    field :initialized, as: :initialized?
+
+    # @!attribute [r] sealed
+    #   Whether the Vault server is Sealed.
+    #   @return [Boolean]
+    field :sealed, as: :sealed?
+
+    # @!attribute [r] standby
+    #   Whether the Vault server is in Standby mode.
+    #   @return [Boolean]
+    field :standby, as: :standby?
+
+    # @!attribute [r] replication_performance_mode
+    #   Verbose description of DR mode (added in 0.9.2)
+    #   @return [String]
+    field :replication_performance_mode
+
+    # @!attribute [r] replication_dr_mode
+    #   Verbose description of DR mode (added in 0.9.2)
+    #   @return [String]
+    field :replication_dr_mode
+
+    # @!attribute [r] server_time_utc
+    #   Server time in Unix seconds, UTC
+    #   @return [Fixnum]
+    field :server_time_utc
+
+    # @!attribute [r] version
+    #   Server Vault version string (added in 0.6.1)
+    #   @return [String]
+    field :version
+
+    # @!attribute [r] cluster_name
+    #   Server cluster name
+    #   @return [String]
+    field :cluster_name
+
+    # @!attribute [r] cluster_id
+    #   Server cluster UUID
+    #   @return [String]
+    field :cluster_id
+  end
+
+  class Sys
+    # Show the health status for this vault.
+    #
+    # @example
+    #   Vault.sys.health_status #=> #Vault::HealthStatus @initialized=true, @sealed=false, @standby=false, @replication_performance_mode="disabled", @replication_dr_mode="disabled", @server_time_utc=1519776728, @version="0.9.3", @cluster_name="vault-cluster-997f514e", @cluster_id="c2dad70a-6d88-a06d-69f6-9ae7f5485998">
+    #
+    # @return [HealthStatus]
+    def health_status
+      json = client.get("/v1/sys/health", {:sealedcode => 200, :uninitcode => 200, :standbycode => 200})
+      return HealthStatus.decode(json)
+    end
+  end
+end

data/lib/vault/api/sys/mount.rb

@@ -16,6 +16,11 @@ module Vault
     #   Type of the mount.
     #   @return [String]
     field :type
+
+    # @!attribute [r] type
+    #   Options given to the mount.
+    #   @return [Hash<Symbol, Object>]
+    field :options
   end
 
   class Sys < Request
@@ -44,8 +49,8 @@ module Vault
     #   the type of mount
     # @param [String] description
     #   a human-friendly description (optional)
-    def mount(path, type, description = nil)
-      payload = { type: type }
+    def mount(path, type, description = nil, options = {})
+      payload = options.merge type: type
       payload[:description] = description if !description.nil?
 
       client.post("/v1/sys/mounts/#{encode_path(path)}", JSON.fast_generate(payload))

data/lib/vault/api/sys/namespace.rb

@@ -0,0 +1,83 @@
+module Vault
+  class Namespace < Response
+    # @!attribute [r] id
+    #   ID of the namespace
+    #   @return [String]
+    field :id
+
+    # @!attribute [r] path
+    #   Path of the namespace, includes parent paths if nested.
+    #   @return [String]
+    field :path
+  end
+
+  class Sys
+    # List all namespaces in a given scope. Ignores nested namespaces.
+    #
+    # @example
+    #   Vault.sys.namespaces #=> { :foo => #<struct Vault::Namespace id="xxxx1", path="foo/" }
+    #
+    #   @return [Hash<Symbol, Namespace>]
+    def namespaces(scoped=nil)
+      path = ["v1", scoped, "sys", "namespaces"].compact
+      json = client.list(path.join("/"))
+      json = json[:data] if json[:data]
+      if json[:key_info]
+        json = json[:key_info]
+        hash = {}
+        json.each do |k,v|
+          hash[k.to_s.chomp("/").to_sym] = Namespace.decode(v)
+        end
+        hash
+      else
+        json
+      end
+    end
+
+    # Create a namespace. Nests the namespace if a namespace header is provided.
+    #
+    # @example
+    #   Vault.sys.create_namespace("foo")
+    #
+    # @param [String] namespace
+    #   the potential path of the namespace, without any parent path provided
+    #
+    # @return [true]
+    def create_namespace(namespace)
+      client.put("/v1/sys/namespaces/#{namespace}", {})
+      return true
+    end
+
+    # Delete a namespace. Raises an error if the namespace provided is not empty.
+    #
+    # @example
+    #   Vault.sys.delete_namespace("foo")
+    #
+    # @param [String] namespace
+    #   the path of the namespace to be deleted
+    #
+    # @return [true]
+    def delete_namespace(namespace)
+      client.delete("/v1/sys/namespaces/#{namespace}")
+      return true
+    end
+
+    # Retrieve a namespace by path.
+    #
+    # @example
+    #   Vault.sys.get_namespace("foo")
+    #
+    # @param [String] namespace
+    #   the path of the namespace ot be retrieved
+    #
+    # @return [Namespace]
+    def get_namespace(namespace)
+      json = client.get("/v1/sys/namespaces/#{namespace}")
+      if data = json.dig(:data)
+        Namespace.decode(data)
+      else
+        json
+      end
+    end
+  end
+end

data/lib/vault/api/sys/quota.rb

@@ -0,0 +1,107 @@
+module Vault
+  class Quota < Response
+    # @!attribute [r] name
+    #   Name of the quota rule.
+    #   @return [String]
+    field :name
+
+    # @!attribute [r] path
+    #   Namespace/Path combination the quota applies to.
+    #   @return [String]
+    field :path
+
+    # @!attribute [r] type
+    #   Type of the quota rule, must be one of "lease-count" or "rate-limit"
+    #   @return [String]
+    field :type
+  end
+
+  class RateLimitQuota < Quota
+    # @!attribute [r] rate
+    #   The rate at which allowed requests are refilled per second by the quota
+    #   rule.
+    #   @return [Float]
+    field :rate
+
+    # @!attribute [r] burst
+    #   The maximum number of requests at any given second allowed by the quota
+    #   rule.
+    #   @return [Int]
+    field :burst
+  end
+
+  class LeaseCountQuota < Quota
+    # @!attribute [r] counter
+    #   Number of currently active leases for the quota.
+    #   @return [Int]
+    field :counter
+
+    # @!attribute [r] max_leases
+    #   The maximum number of allowed leases for this quota.
+    #   @return [Int]
+    field :max_leases
+  end
+
+  class Sys
+    def quotas(type)
+      path = generate_path(type)
+      json = client.list(path)
+      if data = json.dig(:data, :key_info)
+        data.map do |item|
+          type_class(type).decode(item)
+        end
+      else
+        json
+      end
+    end
+
+    def create_quota(type, name, opts={})
+      path = generate_path(type, name)
+      client.post(path, JSON.fast_generate(opts))
+      return true
+    end
+
+    def delete_quota(type, name)
+      path = generate_path(type, name)
+      client.delete(path)
+      return true
+    end
+
+    def get_quota(type, name)
+      path = generate_path(type, name)
+      response = client.get(path)
+      if data = response[:data]
+        type_class(type).decode(data)
+      end
+    end
+
+    def get_quota_config
+      client.get("v1/sys/quotas/config")
+    end
+    
+    def update_quota_config(opts={})
+      client.post("v1/sys/quotas/config", JSON.fast_generate(opts))
+      return true
+    end
+
+    private
+
+    def generate_path(type, name=nil)
+      verify_type(type)
+      path = ["v1", "sys", "quotas", type, name].compact
+      path.join("/")
+    end
+
+    def verify_type(type)
+      return if ["rate-limit", "lease-count"].include?(type)
+      raise ArgumentError, "type must be one of \"rate-limit\" or \"lease-count\""
+    end
+
+    def type_class(type)
+      case type
+      when "lease-count" then LeaseCountQuota
+      when "rate-limit" then RateLimitQuota
+      end
+    end
+  end
+end

data/lib/vault/api/transform.rb

@@ -0,0 +1,29 @@
+require_relative '../client'
+require_relative '../request'
+
+module Vault
+  class Client
+    # A proxy to the {Transform} methods.
+    # @return [Transform]
+    def transform
+      @transform ||= Transform.new(self)
+    end
+  end
+
+  class Transform < Request
+    def encode(role_name:, **opts)
+      opts ||= {}
+      client.post("/v1/transform/encode/#{encode_path(role_name)}", JSON.fast_generate(opts))
+    end
+
+    def decode(role_name:, **opts)
+      opts ||= {}
+      client.post("/v1/transform/decode/#{encode_path(role_name)}", JSON.fast_generate(opts))
+    end
+  end
+end
+
+require_relative 'transform/alphabet'
+require_relative 'transform/role'
+require_relative 'transform/template'
+require_relative 'transform/transformation'

data/lib/vault/api/transform/alphabet.rb

@@ -0,0 +1,43 @@
+require_relative '../../request'
+require_relative '../../response'
+
+module Vault
+  class Transform < Request
+    class Alphabet < Response
+      # @!attribute [r] id
+      #   String listing all possible characters of the alphabet
+      #   @return [String]
+      field :alphabet
+    end
+
+    def create_alphabet(name, alphabet:, **opts)
+      opts ||= {}
+      opts[:alphabet] = alphabet
+      client.post("/v1/transform/alphabet/#{encode_path(name)}", JSON.fast_generate(opts))
+      return true
+    end
+
+    def get_alphabet(name)
+      json = client.get("/v1/transform/alphabet/#{encode_path(name)}")
+      if data = json.dig(:data)
+        Alphabet.decode(data)
+      else
+        json
+      end
+    end
+
+    def delete_alphabet(name)
+      client.delete("/v1/transform/alphabet/#{encode_path(name)}")
+      true
+    end
+
+    def alphabets
+      json = client.list("/v1/transform/alphabet")
+      if keys = json.dig(:data, :keys)
+        keys
+      else
+        json
+      end
+    end
+  end
+end

data/lib/vault/api/transform/role.rb

@@ -0,0 +1,42 @@
+require_relative '../../request'
+require_relative '../../response'
+
+module Vault
+  class Transform < Request
+    class Role < Response
+      # @!attribute [r] transformations
+      #   Array of all transformations the role has access to
+      #   @return [Array<String>]
+      field :transformations
+    end
+
+    def create_role(name, **opts)
+      opts ||= {}
+      client.post("/v1/transform/role/#{encode_path(name)}", JSON.fast_generate(opts))
+      return true
+    end
+
+    def get_role(name)
+      json = client.get("/v1/transform/role/#{encode_path(name)}")
+      if data = json.dig(:data)
+        Role.decode(data)
+      else
+        json
+      end
+    end
+
+    def delete_role(name)
+      client.delete("/v1/transform/role/#{encode_path(name)}")
+      true
+    end
+
+    def roles
+      json = client.list("/v1/transform/role")
+      if keys = json.dig(:data, :keys)
+        keys
+      else
+        json
+      end
+    end
+  end
+end