vault 0.10.1 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 67e962a186f0ed717155a0bdd57111cc2dbb6044
-  data.tar.gz: '09fdeb8585d32bb6642f289a12afda06716a04e2'
+  metadata.gz: dcb5948ae3d3f53115a8e0aef77b70d18c042550
+  data.tar.gz: 143ffc1b71f99550e83548ba92f1edb0e7e4ef0a
 SHA512:
-  metadata.gz: 90f28655a32c55316aa9436abf4dee09aa36ab25db6b0277b43a48cb86385a8a758fbbb14dd634a94f3887637dfc3e40ecdff4ef1db8db510d6d6257a99b9dab
-  data.tar.gz: 75b038d03764889b0301b9ff318c59be6fa85fddc9931fdbbdd9f902daf1bb7e467bb77a70f6a06be2cc87951c269d57179ca3a4901a87d380ef983bf9cc2255
+  metadata.gz: a7473e4c1791e62f8814a677d0c71bce2ca9b51a32c534dfd11830bcbbd3a2b8e993dacf3df52bc747fc1473931801733731de5e3a00c1078a9e59f2cbaa75b8
+  data.tar.gz: 7c7a6793019c4f67a7927f01e839cbe9d0ac288dea9affe6e564d6482eedb4da5553cf01a823b9615c572e06a937bef532fd4a80777feb2488e5b3f41cd7e9a6

data/.travis.yml

@@ -4,13 +4,15 @@ language: ruby
 cache: bundler
 
 env:
-  - VAULT_VERSION=0.6.4
+  - VAULT_VERSION=0.8.3
+  - VAULT_VERSION=0.7.3
+  - VAULT_VERSION=0.6.5
   - VAULT_VERSION=0.5.3
 
 before_install:
   - curl -sLo vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
   - unzip vault.zip
-  - mkdir ~/bin
+  - mkdir -p ~/bin
   - mv vault ~/bin
   - export PATH="~/bin:$PATH"
 

data/CHANGELOG.md

@@ -1,11 +1,21 @@
 # Vault Ruby Changelog
 
+## v0.11.0 (March 19, 2018)
+
+IMPROVEMENTS
+
+- Access to health has been added.
+- Added ability to handle a Base64 encoded PEM (useful for certs in environment variables)
+- Added IAM EC2 authentication support
+- Add custom mount path support to TLS authentication
+
 ## v0.10.1 (May 8, 2017)
 
 IMPROVEMENTS
 
 - `vault-ruby` is licensed under Mozilla Public License 2.0, and has been for over 2 years. This patch release updates the gemspec to use the correct SPDX ID string for reporting this license, but **no change to the licensing of this gem has occurred**.
 
+
 ## v0.10.0 (April 19, 2017)
 
 IMPROVEMENTS

data/README.md

@@ -53,6 +53,10 @@ Vault.configure do |config|
   # Custom SSL PEM, also read as ENV["VAULT_SSL_CERT"]
   config.ssl_pem_file = "/path/on/disk.pem"
 
+  # As an alternative to a pem file, you can provide the raw PEM string, also read in the following order of preference:
+  # ENV["VAULT_SSL_PEM_CONTENTS_BASE64"] then ENV["VAULT_SSL_PEM_CONTENTS"]
+  config.ssl_pem_contents = "-----BEGIN ENCRYPTED..."
+
   # Use SSL verification, also read as ENV["VAULT_SSL_VERIFY"]
   config.ssl_verify = false
 
@@ -75,6 +79,16 @@ client_1 = Vault::Client.new(address: "https://vault.mycompany.com")
 client_2 = Vault::Client.new(address: "https://other-vault.mycompany.com")
 ```
 
+And if you want to authenticate with a `AWS EC2` :
+
+```ruby
+    # Export VAULT_ADDR to ENV then
+    # Get the pkcs7 value from AWS
+    signature = `curl http://169.254.169.254/latest/dynamic/instance-identity/pkcs7`
+    vault_token = Vault.auth.aws_ec2(ENV['EC2_ROLE'], signature, nil)
+    vault_client = Vault::Client.new(address: ENV["VAULT_ADDR"], token: vault_token.auth.client_token)
+```
+
 ### Making requests
 All of the methods and API calls are heavily documented with examples inline using YARD. In order to keep the examples versioned with the code, the README only lists a few examples for using the Vault gem. Please see the inline documentation for the full API documentation. The tests in the 'spec' directory are an additional source of examples.
 

data/lib/vault/api/auth.rb

@@ -173,12 +173,70 @@ module Vault
     # @param [String] role
     # @param [String] pkcs7
     #   pkcs7 returned by the instance identity document (with line breaks removed)
-    # @param [String] nonce
+    # @param [String] nonce optional
+    # @param [String] route optional
     #
     # @return [Secret]
-    def aws_ec2(role, pkcs7, nonce)
-      payload = { role: role, pkcs7: pkcs7, nonce: nonce }
-      json = client.post('/v1/auth/aws-ec2/login', JSON.fast_generate(payload))
+    def aws_ec2(role, pkcs7, nonce = nil, route = nil)
+      route ||= '/v1/auth/aws-ec2/login'
+      payload = { role: role, pkcs7: pkcs7 }
+      # Set a custom nonce if client is providing one
+      payload[:nonce] = nonce if nonce
+      json = client.post(route, JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via AWS IAM auth method by providing a AWS CredentialProvider (either ECS, AssumeRole, etc.)
+    # If authentication is successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.aws_iam("dev-role-iam", Aws::AssumeRoleCredentials.new, "vault.example.com", "https://sts.us-east-2.amazonaws.com") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] role
+    # @param [CredentialProvider] credentials_provider
+    #   https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CredentialProvider.html
+    # @param [String] iam_auth_header_value optional
+    #   As of Jan 2018, Vault will accept ANY or NO header if none is configured by the Vault server admin
+    # @param [String] sts_endpoint optional
+    #   https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
+    # @return [Secret]
+    def aws_iam(role, credentials_provider, iam_auth_header_value = nil, sts_endpoint = 'https://sts.amazonaws.com')
+      require "aws-sigv4"
+      require "base64"
+
+      request_body   = 'Action=GetCallerIdentity&Version=2011-06-15'
+      request_method = 'POST'
+
+      vault_headers = {
+        'User-Agent' => Vault::Client::USER_AGENT,
+        'Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8'
+      }
+
+      vault_headers['X-Vault-AWS-IAM-Server-ID'] = iam_auth_header_value if iam_auth_header_value
+
+      sig4_headers = Aws::Sigv4::Signer.new(
+        service: 'sts',
+        region: region_from_sts_endpoint(sts_endpoint),
+        credentials_provider: credentials_provider
+      ).sign_request(
+        http_method: request_method,
+        url: sts_endpoint,
+        headers: vault_headers,
+        body: request_body
+      ).headers
+
+      payload = {
+        role: role,
+        iam_http_request_method: request_method,
+        iam_request_url: Base64.strict_encode64(sts_endpoint),
+        iam_request_headers: Base64.strict_encode64(vault_headers.merge(sig4_headers).to_json),
+        iam_request_body: Base64.strict_encode64(request_body)
+      }
+
+      json = client.post('/v1/auth/aws/login', JSON.fast_generate(payload))
       secret = Secret.decode(json)
       client.token = secret.auth.client_token
       return secret
@@ -194,18 +252,40 @@ module Vault
     # @example Reading a pem from disk
     #   Vault.auth.tls(File.read("/path/to/my/certificate.pem")) #=> #<Vault::Secret lease_id="">
     #
+    # @example Sending to a cert authentication backend mounted at a custom location
+    #   Vault.auth.tls(pem_contents, 'custom/location') #=> #<Vault::Secret lease_id="">
+    #
     # @param [String] pem (default: the configured SSL pem file or contents)
     #   The raw pem contents to use for the login procedure.
     #
+    # @param [String] path (default: 'cert')
+    #   The path to the auth backend to use for the login procedure.
+    #
     # @return [Secret]
-    def tls(pem = nil)
+    def tls(pem = nil, path = 'cert')
       new_client = client.dup
       new_client.ssl_pem_contents = pem if !pem.nil?
 
-      json = new_client.post("/v1/auth/cert/login")
+      json = new_client.post("/v1/auth/#{CGI.escape(path)}/login")
       secret = Secret.decode(json)
       client.token = secret.auth.client_token
       return secret
     end
+
+    private
+
+    # Parse an AWS region from a STS endpoint
+    # STS in the China (Beijing) region (cn-north-1) is sts.cn-north-1.amazonaws.com.cn
+    # Take care changing below regex with that edge case in mind
+    #
+    # @param [String] sts_endpoint
+    #   https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
+    #
+    # @return [String] aws region
+    def region_from_sts_endpoint(sts_endpoint)
+      valid_sts_endpoint = %r{https:\/\/sts\.?(.*).amazonaws.com}.match(sts_endpoint)
+      raise "Unable to parse STS endpoint #{sts_endpoint}" unless valid_sts_endpoint
+      valid_sts_endpoint[1].empty? ? 'us-east-1' : valid_sts_endpoint[1]
+    end
   end
 end

data/lib/vault/api/auth_token.rb

@@ -102,7 +102,7 @@ module Vault
     # Lookup information about the current token.
     #
     # @example
-    #   Vault.auth_token.lookup_self("abcd-...") #=> #<Vault::Secret lease_id="">
+    #   Vault.auth_token.lookup("abcd-...") #=> #<Vault::Secret lease_id="">
     #
     # @param [String] token
     # @param [Hash] options
@@ -215,7 +215,7 @@ module Vault
     # @return [true]
     def revoke_accessor(accessor, options = {})
       headers = extract_headers!(options)
-      client.put("/v1/auth/accessor/revoke-accessor", JSON.fast_generate(
+      client.put("/v1/auth/token/revoke-accessor", JSON.fast_generate(
         accessor: accessor,
       ), headers)
       return true

data/lib/vault/api/sys.rb

@@ -16,6 +16,7 @@ end
 
 require_relative "sys/audit"
 require_relative "sys/auth"
+require_relative "sys/health"
 require_relative "sys/init"
 require_relative "sys/leader"
 require_relative "sys/lease"

data/lib/vault/api/sys/audit.rb

@@ -19,7 +19,7 @@ module Vault
   end
 
   class Sys
-    # List all audis for the vault.
+    # List all audits for the vault.
     #
     # @example
     #   Vault.sys.audits #=> { :file => #<Audit> }
@@ -70,5 +70,22 @@ module Vault
       client.delete("/v1/sys/audit/#{encode_path(path)}")
       return true
     end
+
+    # Generates a HMAC verifier for a given input.
+    #
+    # @example
+    #   Vault.sys.audit_hash("file-audit", "my input") #=> "hmac-sha256:30aa7de18a5e90bbc1063db91e7c387b32b9fa895977eb8c177bbc91e7d7c542"
+    #
+    # @param [String] path
+    #   the path of the audit backend
+    # @param [String] input
+    #   the input to generate a HMAC for
+    #
+    # @return [String]
+    def audit_hash(path, input)
+      json = client.post("/v1/sys/audit-hash/#{encode_path(path)}", JSON.fast_generate(input: input))
+      json = json[:data] if json[:data]
+      json[:hash]
+    end
   end
 end

data/lib/vault/api/sys/health.rb

@@ -0,0 +1,63 @@
+require "json"
+
+module Vault
+  class HealthStatus < Response
+    # @!attribute [r] initialized
+    #   Whether the Vault server is Initialized.
+    #   @return [Boolean]
+    field :initialized, as: :initialized?
+
+    # @!attribute [r] sealed
+    #   Whether the Vault server is Sealed.
+    #   @return [Boolean]
+    field :sealed, as: :sealed?
+
+    # @!attribute [r] standby
+    #   Whether the Vault server is in Standby mode.
+    #   @return [Boolean]
+    field :standby, as: :standby?
+
+    # @!attribute [r] replication_performance_mode
+    #   Verbose description of DR mode (added in 0.9.2)
+    #   @return [String]
+    field :replication_performance_mode
+
+    # @!attribute [r] replication_dr_mode
+    #   Verbose description of DR mode (added in 0.9.2)
+    #   @return [String]
+    field :replication_dr_mode
+
+    # @!attribute [r] server_time_utc
+    #   Server time in Unix seconds, UTC
+    #   @return [Fixnum]
+    field :server_time_utc
+
+    # @!attribute [r] version
+    #   Server Vault version string (added in 0.6.1)
+    #   @return [String]
+    field :version
+
+    # @!attribute [r] cluster_name
+    #   Server cluster name
+    #   @return [String]
+    field :cluster_name
+
+    # @!attribute [r] cluster_id
+    #   Server cluster UUID
+    #   @return [String]
+    field :cluster_id
+  end
+
+  class Sys
+    # Show the health status for this vault.
+    #
+    # @example
+    #   Vault.sys.health_status #=> #Vault::HealthStatus @initialized=true, @sealed=false, @standby=false, @replication_performance_mode="disabled", @replication_dr_mode="disabled", @server_time_utc=1519776728, @version="0.9.3", @cluster_name="vault-cluster-997f514e", @cluster_id="c2dad70a-6d88-a06d-69f6-9ae7f5485998">
+    #
+    # @return [HealthStatus]
+    def health_status
+      json = client.get("/v1/sys/health", {:sealedcode => 200, :uninitcode => 200, :standbycode => 200})
+      return HealthStatus.decode(json)
+    end
+  end
+end

data/lib/vault/defaults.rb

@@ -1,4 +1,5 @@
 require "pathname"
+require "base64"
 
 module Vault
   module Defaults
@@ -126,7 +127,11 @@ module Vault
       # the value for {#ssl_pem_file}, if set.
       # @return [String, nil]
       def ssl_pem_contents
-        ENV["VAULT_SSL_PEM_CONTENTS"]
+        if ENV["VAULT_SSL_PEM_CONTENTS_BASE64"]
+          Base64.decode64(ENV["VAULT_SSL_PEM_CONTENTS_BASE64"])
+        else
+          ENV["VAULT_SSL_PEM_CONTENTS"]
+        end
       end
 
       # The path to a pem on disk to use with custom SSL verification

data/lib/vault/version.rb

@@ -1,3 +1,3 @@
 module Vault
-  VERSION = "0.10.1"
+  VERSION = "0.11.0"
 end

data/vault.gemspec

@@ -19,6 +19,8 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
+  spec.add_runtime_dependency "aws-sigv4"
+
   spec.add_development_dependency "bundler"
   spec.add_development_dependency "pry"
   spec.add_development_dependency "rake",    "~> 12.0"

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: vault
 version: !ruby/object:Gem::Version
-  version: 0.10.1
+  version: 0.11.0
 platform: ruby
 authors:
 - Seth Vargo
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-05-10 00:00:00.000000000 Z
+date: 2018-03-19 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sigv4
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -121,6 +135,7 @@ files:
 - lib/vault/api/sys.rb
 - lib/vault/api/sys/audit.rb
 - lib/vault/api/sys/auth.rb
+- lib/vault/api/sys/health.rb
 - lib/vault/api/sys/init.rb
 - lib/vault/api/sys/leader.rb
 - lib/vault/api/sys/lease.rb
@@ -163,7 +178,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.10
+rubygems_version: 2.6.14
 signing_key: 
 specification_version: 4
 summary: Vault is a Ruby API client for interacting with a Vault server.