vault 0.12.0 → 0.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 5eeb054b599872ef7a225999772c0b486554f339
-  data.tar.gz: b1524f9c83ea5c2e5c3c74f66fafaa69e47b8c94
+SHA256:
+  metadata.gz: 267c85a379172af5c24fd3c3d4e14b9f07991e058f64933b3c56cc07036b053e
+  data.tar.gz: 847ead8ea9965e449dfbf11e3447b240e5c016fbe90e177f1ba6adca0615ee18
 SHA512:
-  metadata.gz: d49f63c294a4165babfa3c6f2d2dfd90baabff86a964b895eb16b4ab08bd493fb07266c53f95fe2a255e2435df6f2ba42a921a97dfa1b94fe235a8c43e6aa77f
-  data.tar.gz: c4aa7afc3b28a1aa5912ee184c7a24d07d6c19d61ae922c409cd0c0aaf6cf3efff3c5dd2269ab1d65251a7f1ce35f8cd8810c7b4d516bfd83fff93153ad39ed1
+  metadata.gz: 744df9d7282b0f873f008667fbd9c5bd943eea362535cdf872598c5eb5cb9fa36bb91d182a2b3ad0a2877294c16e345d371b33998a83645ba4e6880b13980e0e
+  data.tar.gz: 64ac03ddf3a2c5609e2224548353be0d9e640bfba1ec0ec0e215f541f2802db830238373a5b38fb15f77675d75717847468b8e5c2a1331cf609e87ca497e812a

data/.circleci/config.yml

@@ -0,0 +1,85 @@
+version: 2.1
+
+orbs:
+  gem: zfhui/ruby-gem@0.2.1
+
+references:
+  images:
+    ubuntu: &UBUNTU_IMAGE ubuntu-1604:201903-01
+
+jobs:
+  test:
+    machine:
+      image: *UBUNTU_IMAGE
+    parameters:
+      ruby-version:
+        type: string
+      vault-version:
+        type: string
+    steps:
+      - checkout
+            # Restore bundle cache
+      - restore_cache:
+          keys:
+            - v1-dependencies-bundler-<< parameters.ruby-version >>-{{ checksum "vault.gemspec" }}
+            # fallback to using the latest cache if no exact match is found
+            - v1-dependencies-bundler-
+      - run:
+          name: Install vault
+          command: |
+            curl -sLo vault.zip https://releases.hashicorp.com/vault/<< parameters.vault-version >>/vault_<< parameters.vault-version >>_linux_amd64.zip
+            unzip vault.zip
+            mkdir -p ~/bin
+            mv vault ~/bin
+            export PATH="~/bin:$PATH"
+      - run:
+          name: Set ruby version
+          command: |
+            rvm install << parameters.ruby-version >>
+            echo . $(rvm << parameters.ruby-version >> do rvm env --path) >> $BASH_ENV
+      - run:
+          name: Run tests
+          command: |
+            export VAULT_VERSION=<< parameters.vault-version >>
+            ruby --version
+            gem install bundler
+            bundle -v
+            bundle install --jobs=3 --retry=3 --path=vendor/bundle
+            bundle exec rake
+      # Store bundle cache
+      - save_cache:
+          key: v1-dependencies-bundler-<< parameters.ruby-version >>-{{ checksum "vault.gemspec" }}
+          paths:
+            - vendor/bundle
+
+  build-release:
+    working_directory: ~/repo
+    executor: gem/default
+    steps:
+      - gem/build:
+          gem-name: vault
+      - gem/release:
+          gem-name: vault
+          gem-credentials-env-name: $RUBYGEMS_API_KEY
+
+workflows:
+  run-tests:
+    jobs:
+      - test:
+          filters:
+            tags:
+              only: /^v[0-9]+\.[0-9]+\.[0-9]+.*/
+          matrix:
+            parameters:
+              ruby-version: ["2.7.1", "2.6", "2.5"]
+              vault-version: ["1.5.0", "1.4.2", "1.4.1", "1.4.0", "1.3.6"]
+          name: test-ruby-<< matrix.ruby-version >>-vault-<< matrix.vault-version >>
+      - build-release:
+          requires:
+            - test
+          context: vault-gem-release
+          filters:
+            tags:
+              only: /^v[0-9]+\.[0-9]+\.[0-9]+.*/ 
+            branches:
+              ignore: /.*/

data/CHANGELOG.md

@@ -1,5 +1,37 @@
 # Vault Ruby Changelog
 
+## v0.15.0 (July 29, 2020)
+
+IMPROVEMENTS
+
+- Added support for Resource Quotas
+
+## v0.14.0 (May 28, 2020)
+
+IMPROVEMENTS
+
+- Added support for the Transform Secrets Engine
+
+## v0.13.2 (May 7, 2020)
+
+BUG FIXES
+
+- Fixed the ability to use namespace as an option for each request. Previously, that option was ignored.
+- aws-sigv4 gem was unlocked after a bug in 1.1.2 broke CI
+
+## v0.13.1 (April 28, 2020)
+
+IMPROVEMENTS
+
+- Added support for defining a namespace when initializing the client, as well as options for changing the namespace via method.
+- Added support for sys/namespaces API. Ability to Get, Create, Delete, and List namespaces has been provided.
+
+## v0.13.0 (October 1, 2019)
+
+IMPROVEMENTS
+
+- Add support for versioned KV secrets in the client
+
 ## v0.12.0 (August 14, 2018)
 
 IMPROVEMENTS

data/README.md

@@ -28,6 +28,8 @@ Start a Vault client:
 ```ruby
 Vault.address = "http://127.0.0.1:8200" # Also reads from ENV["VAULT_ADDR"]
 Vault.token   = "abcd-1234" # Also reads from ENV["VAULT_TOKEN"]
+# Optional - if using the Namespace enterprise feature
+# Vault.namespace   = "my-namespace" # Also reads from ENV["VAULT_NAMESPACE"]
 
 Vault.sys.mounts #=> { :secret => #<struct Vault::Mount type="generic", description="generic secret storage"> }
 ```
@@ -43,6 +45,8 @@ Vault.configure do |config|
 
   # The token to authenticate with Vault, also read as ENV["VAULT_TOKEN"]
   config.token = "abcd-1234"
+  # Optional - if using the Namespace enterprise feature
+  # config.namespace   = "my-namespace" # Also reads from ENV["VAULT_NAMESPACE"]
 
   # Proxy connection information, also read as ENV["VAULT_PROXY_(thing)"]
   config.proxy_address  = "..."
@@ -85,7 +89,8 @@ And if you want to authenticate with a `AWS EC2` :
     # Export VAULT_ADDR to ENV then
     # Get the pkcs7 value from AWS
     signature = `curl http://169.254.169.254/latest/dynamic/instance-identity/pkcs7`
-    vault_token = Vault.auth.aws_ec2(ENV['EC2_ROLE'], signature, nil)
+    iam_role = `curl http://169.254.169.254/latest/meta-data/iam/security-credentials/`
+    vault_token = Vault.auth.aws_ec2(iam_role, signature, nil)
     vault_client = Vault::Client.new(address: ENV["VAULT_ADDR"], token: vault_token.auth.client_token)
 ```
 
@@ -117,7 +122,9 @@ For advanced users, the first argument of the block is the attempt number and th
 
 ```ruby
 Vault.with_retries(Vault::HTTPConnectionError, Vault::HTTPError) do |attempt, e|
-  log "Received exception #{e} from Vault - attempt #{attempt}"
+  if e
+    log "Received exception #{e} from Vault - attempt #{attempt}"
+  end
   Vault.logical.read("secret/bacon")
 end
 ```
@@ -206,7 +213,8 @@ Development
 
 Important Notes:
 
-- **All new features must include test coverage.** At a bare minimum, Unit tests are required. It is preferred if you include acceptance tests as well.
+- **All new features must include test coverage.** At a bare minimum, Unit tests are required. It is preferred if you include integration tests as well.
 - **The tests must be be idempotent.** The HTTP calls made during a test should be able to be run over and over.
 - **Tests are order independent.** The default RSpec configuration randomizes the test order, so this should not be a problem.
 - **Integration tests require Vault**  Vault must be available in the path for the integration tests to pass.
+   - **In order to be considered an integration test:** The test MUST use the `vault_test_client` or `vault_redirect_test_client` as the client. This spawns a process, or uses an already existing process from another test, to run against.

data/lib/vault/api.rb

@@ -5,8 +5,10 @@ module Vault
     require_relative "api/auth_tls"
     require_relative "api/auth"
     require_relative "api/help"
+    require_relative "api/kv"
     require_relative "api/logical"
     require_relative "api/secret"
     require_relative "api/sys"
+    require_relative "api/transform"
   end
 end

data/lib/vault/api/kv.rb

@@ -0,0 +1,207 @@
+require_relative "secret"
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+  class Client
+    # A proxy to the {KV} methods.
+    # @return [KV]
+    def kv(mount)
+      KV.new(self, mount)
+    end
+  end
+
+  class KV < Request
+    attr_reader :mount
+
+    def initialize(client, mount)
+      super client
+
+      @mount = mount
+    end
+
+    # List the names of secrets at the given path, if the path supports
+    # listing. If the the path does not exist, an empty array will be returned.
+    #
+    # @example
+    #   Vault.kv("secret").list("foo") #=> ["bar", "baz"]
+    #
+    # @param [String] path
+    #   the path to list
+    #
+    # @return [Array<String>]
+    def list(path = "", options = {})
+      headers = extract_headers!(options)
+      json = client.list("/v1/#{mount}/metadata/#{encode_path(path)}", {}, headers)
+      json[:data][:keys] || []
+    rescue HTTPError => e
+      return [] if e.code == 404
+      raise
+    end
+
+    # Read the secret at the given path. If the secret does not exist, +nil+
+    # will be returned. The latest version is returned by default, but you
+    # can request a specific version.
+    #
+    # @example
+    #   Vault.kv("secret").read("password") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] path
+    #   the path to read
+    # @param [Integer] version
+    #   the version of the secret
+    #
+    # @return [Secret, nil]
+    def read(path, version = nil, options = {})
+      headers = extract_headers!(options)
+      params  = {}
+      params[:version] = version unless version.nil?
+
+      json = client.get("/v1/#{mount}/data/#{encode_path(path)}", params, headers)
+      return Secret.decode(json[:data])
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Read the metadata of a secret at the given path. If the secret does not
+    # exist, nil will be returned.
+    #
+    # @example
+    #    Vault.kv("secret").read_metadata("password") => {...}
+    #
+    # @param [String] path
+    #   the path to read
+    #
+    # @return [Hash, nil]
+    def read_metadata(path)
+      client.get("/v1/#{mount}/metadata/#{encode_path(path)}")[:data]
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Write the secret at the given path with the given data. Note that the
+    # data must be a {Hash}!
+    #
+    # @example
+    #   Vault.logical.write("secret/password", value: "secret") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] path
+    #   the path to write
+    # @param [Hash] data
+    #   the data to write
+    #
+    # @return [Secret]
+    def write(path, data = {}, options = {})
+      headers = extract_headers!(options)
+      json = client.post("/v1/#{mount}/data/#{encode_path(path)}", JSON.fast_generate(:data => data), headers)
+      if json.nil?
+        return true
+      else
+        return Secret.decode(json)
+      end
+    end
+
+    # Write the metadata of a secret at the given path. Note that the data must
+    # be a {Hash}.
+    #
+    # @example
+    #    Vault.kv("secret").write_metadata("password", max_versions => 3)
+    #
+    # @param [String] path
+    #   the path to write
+    # @param [Hash] metadata
+    #    the metadata to write
+    #
+    # @return [true]
+    def write_metadata(path, metadata = {})
+      client.post("/v1/#{mount}/metadata/#{encode_path(path)}", JSON.fast_generate(metadata))
+
+      true
+    end
+
+    # Delete the secret at the given path. If the secret does not exist, vault
+    # will still return true.
+    #
+    # @example
+    #   Vault.logical.delete("secret/password") #=> true
+    #
+    # @param [String] path
+    #   the path to delete
+    #
+    # @return [true]
+    def delete(path)
+      client.delete("/v1/#{mount}/data/#{encode_path(path)}")
+
+      true
+    end
+
+    # Mark specific versions of a secret as deleted.
+    #
+    # @example
+    #   Vault.kv("secret").delete_versions("password", [1, 2])
+    #
+    # @param [String] path
+    #   the path to remove versions from
+    # @param [Array<Integer>] versions
+    #   an array of versions to remove
+    #
+    # @return [true]
+    def delete_versions(path, versions)
+      client.post("/v1/#{mount}/delete/#{encode_path(path)}", JSON.fast_generate(versions: versions))
+
+      true
+    end
+
+    # Mark specific versions of a secret as active.
+    #
+    # @example
+    #   Vault.kv("secret").undelete_versions("password", [1, 2])
+    #
+    # @param [String] path
+    #   the path to enable versions for
+    # @param [Array<Integer>] versions
+    #   an array of versions to mark as undeleted
+    #
+    # @return [true]
+    def undelete_versions(path, versions)
+      client.post("/v1/#{mount}/undelete/#{encode_path(path)}", JSON.fast_generate(versions: versions))
+
+      true
+    end
+
+    # Completely remove a secret and its metadata.
+    #
+    # @example
+    #   Vault.kv("secret").destroy("password")
+    #
+    # @param [String] path
+    #   the path to remove
+    #
+    # @return [true]
+    def destroy(path)
+      client.delete("/v1/#{mount}/metadata/#{encode_path(path)}")
+
+      true
+    end
+
+    # Completely remove specific versions of a secret.
+    #
+    # @example
+    #   Vault.kv("secret").destroy_versions("password", [1, 2])
+    #
+    # @param [String] path
+    #   the path to remove versions from
+    # @param [Array<Integer>] versions
+    #   an array of versions to destroy
+    #
+    # @return [true]
+    def destroy_versions(path, versions)
+      client.post("/v1/#{mount}/destroy/#{encode_path(path)}", JSON.fast_generate(versions: versions))
+
+      true
+    end
+  end
+end

data/lib/vault/api/secret.rb

@@ -32,6 +32,18 @@ module Vault
     #   @return [Hash<Symbol, Object>]
     field :data, freeze: true
 
+    # @!attribute [r] metadata
+    #   Read-only metadata information related to the secret.
+    #
+    #   @example Reading metadata
+    #     secret = Vault.logical(:versioned).read("secret", "foo")
+    #     secret.metadata[:created_time] #=> "2018-12-08T04:22:54.168065Z"
+    #     secret.metadata[:version]      #=> 1
+    #     secret.metadata[:destroyed]    #=> false
+    #
+    #   @return [Hash<Symbol, Object>]
+    field :metadata, freeze: true
+
     # @!attribute [r] lease_duration
     #   The number of seconds this lease is valid. If this number is 0 or nil,
     #   the secret does not expire.

data/lib/vault/api/sys.rb

@@ -21,5 +21,7 @@ require_relative "sys/init"
 require_relative "sys/leader"
 require_relative "sys/lease"
 require_relative "sys/mount"
+require_relative "sys/namespace"
 require_relative "sys/policy"
+require_relative "sys/quota"
 require_relative "sys/seal"

data/lib/vault/api/sys/mount.rb

@@ -16,6 +16,11 @@ module Vault
     #   Type of the mount.
     #   @return [String]
     field :type
+
+    # @!attribute [r] type
+    #   Options given to the mount.
+    #   @return [Hash<Symbol, Object>]
+    field :options
   end
 
   class Sys < Request
@@ -44,8 +49,8 @@ module Vault
     #   the type of mount
     # @param [String] description
     #   a human-friendly description (optional)
-    def mount(path, type, description = nil)
-      payload = { type: type }
+    def mount(path, type, description = nil, options = {})
+      payload = options.merge type: type
       payload[:description] = description if !description.nil?
 
       client.post("/v1/sys/mounts/#{encode_path(path)}", JSON.fast_generate(payload))

data/lib/vault/api/sys/namespace.rb

@@ -0,0 +1,83 @@
+module Vault
+  class Namespace < Response
+    # @!attribute [r] id
+    #   ID of the namespace
+    #   @return [String]
+    field :id
+
+    # @!attribute [r] path
+    #   Path of the namespace, includes parent paths if nested.
+    #   @return [String]
+    field :path
+  end
+
+  class Sys
+    # List all namespaces in a given scope. Ignores nested namespaces.
+    #
+    # @example
+    #   Vault.sys.namespaces #=> { :foo => #<struct Vault::Namespace id="xxxx1", path="foo/" }
+    #
+    #   @return [Hash<Symbol, Namespace>]
+    def namespaces(scoped=nil)
+      path = ["v1", scoped, "sys", "namespaces"].compact
+      json = client.list(path.join("/"))
+      json = json[:data] if json[:data]
+      if json[:key_info]
+        json = json[:key_info]
+        hash = {}
+        json.each do |k,v|
+          hash[k.to_s.chomp("/").to_sym] = Namespace.decode(v)
+        end
+        hash
+      else
+        json
+      end
+    end
+
+    # Create a namespace. Nests the namespace if a namespace header is provided.
+    #
+    # @example
+    #   Vault.sys.create_namespace("foo")
+    #
+    # @param [String] namespace
+    #   the potential path of the namespace, without any parent path provided
+    #
+    # @return [true]
+    def create_namespace(namespace)
+      client.put("/v1/sys/namespaces/#{namespace}", {})
+      return true
+    end
+
+    # Delete a namespace. Raises an error if the namespace provided is not empty.
+    #
+    # @example
+    #   Vault.sys.delete_namespace("foo")
+    #
+    # @param [String] namespace
+    #   the path of the namespace to be deleted
+    #
+    # @return [true]
+    def delete_namespace(namespace)
+      client.delete("/v1/sys/namespaces/#{namespace}")
+      return true
+    end
+
+    # Retrieve a namespace by path.
+    #
+    # @example
+    #   Vault.sys.get_namespace("foo")
+    #
+    # @param [String] namespace
+    #   the path of the namespace ot be retrieved
+    #
+    # @return [Namespace]
+    def get_namespace(namespace)
+      json = client.get("/v1/sys/namespaces/#{namespace}")
+      if data = json.dig(:data)
+        Namespace.decode(data)
+      else
+        json
+      end
+    end
+  end
+end

data/lib/vault/api/sys/quota.rb

@@ -0,0 +1,107 @@
+module Vault
+  class Quota < Response
+    # @!attribute [r] name
+    #   Name of the quota rule.
+    #   @return [String]
+    field :name
+
+    # @!attribute [r] path
+    #   Namespace/Path combination the quota applies to.
+    #   @return [String]
+    field :path
+
+    # @!attribute [r] type
+    #   Type of the quota rule, must be one of "lease-count" or "rate-limit"
+    #   @return [String]
+    field :type
+  end
+
+  class RateLimitQuota < Quota
+    # @!attribute [r] rate
+    #   The rate at which allowed requests are refilled per second by the quota
+    #   rule.
+    #   @return [Float]
+    field :rate
+
+    # @!attribute [r] burst
+    #   The maximum number of requests at any given second allowed by the quota
+    #   rule.
+    #   @return [Int]
+    field :burst
+  end
+
+  class LeaseCountQuota < Quota
+    # @!attribute [r] counter
+    #   Number of currently active leases for the quota.
+    #   @return [Int]
+    field :counter
+
+    # @!attribute [r] max_leases
+    #   The maximum number of allowed leases for this quota.
+    #   @return [Int]
+    field :max_leases
+  end
+
+  class Sys
+    def quotas(type)
+      path = generate_path(type)
+      json = client.list(path)
+      if data = json.dig(:data, :key_info)
+        data.map do |item|
+          type_class(type).decode(item)
+        end
+      else
+        json
+      end
+    end
+
+    def create_quota(type, name, opts={})
+      path = generate_path(type, name)
+      client.post(path, JSON.fast_generate(opts))
+      return true
+    end
+
+    def delete_quota(type, name)
+      path = generate_path(type, name)
+      client.delete(path)
+      return true
+    end
+
+    def get_quota(type, name)
+      path = generate_path(type, name)
+      response = client.get(path)
+      if data = response[:data]
+        type_class(type).decode(data)
+      end
+    end
+
+    def get_quota_config
+      client.get("v1/sys/quotas/config")
+    end
+    
+    def update_quota_config(opts={})
+      client.post("v1/sys/quotas/config", JSON.fast_generate(opts))
+      return true
+    end
+
+    private
+
+    def generate_path(type, name=nil)
+      verify_type(type)
+      path = ["v1", "sys", "quotas", type, name].compact
+      path.join("/")
+    end
+
+    def verify_type(type)
+      return if ["rate-limit", "lease-count"].include?(type)
+      raise ArgumentError, "type must be one of \"rate-limit\" or \"lease-count\""
+    end
+
+    def type_class(type)
+      case type
+      when "lease-count" then LeaseCountQuota
+      when "rate-limit" then RateLimitQuota
+      end
+    end
+  end
+end

data/lib/vault/api/transform.rb

@@ -0,0 +1,29 @@
+require_relative '../client'
+require_relative '../request'
+
+module Vault
+  class Client
+    # A proxy to the {Transform} methods.
+    # @return [Transform]
+    def transform
+      @transform ||= Transform.new(self)
+    end
+  end
+
+  class Transform < Request
+    def encode(role_name:, **opts)
+      opts ||= {}
+      client.post("/v1/transform/encode/#{encode_path(role_name)}", JSON.fast_generate(opts))
+    end
+
+    def decode(role_name:, **opts)
+      opts ||= {}
+      client.post("/v1/transform/decode/#{encode_path(role_name)}", JSON.fast_generate(opts))
+    end
+  end
+end
+
+require_relative 'transform/alphabet'
+require_relative 'transform/role'
+require_relative 'transform/template'
+require_relative 'transform/transformation'

data/lib/vault/api/transform/alphabet.rb

@@ -0,0 +1,43 @@
+require_relative '../../request'
+require_relative '../../response'
+
+module Vault
+  class Transform < Request
+    class Alphabet < Response
+      # @!attribute [r] id
+      #   String listing all possible characters of the alphabet
+      #   @return [String]
+      field :alphabet
+    end
+
+    def create_alphabet(name, alphabet:, **opts)
+      opts ||= {}
+      opts[:alphabet] = alphabet
+      client.post("/v1/transform/alphabet/#{encode_path(name)}", JSON.fast_generate(opts))
+      return true
+    end
+
+    def get_alphabet(name)
+      json = client.get("/v1/transform/alphabet/#{encode_path(name)}")
+      if data = json.dig(:data)
+        Alphabet.decode(data)
+      else
+        json
+      end
+    end
+
+    def delete_alphabet(name)
+      client.delete("/v1/transform/alphabet/#{encode_path(name)}")
+      true
+    end
+
+    def alphabets
+      json = client.list("/v1/transform/alphabet")
+      if keys = json.dig(:data, :keys)
+        keys
+      else
+        json
+      end
+    end
+  end
+end

data/lib/vault/api/transform/role.rb

@@ -0,0 +1,42 @@
+require_relative '../../request'
+require_relative '../../response'
+
+module Vault
+  class Transform < Request
+    class Role < Response
+      # @!attribute [r] transformations
+      #   Array of all transformations the role has access to
+      #   @return [Array<String>]
+      field :transformations
+    end
+
+    def create_role(name, **opts)
+      opts ||= {}
+      client.post("/v1/transform/role/#{encode_path(name)}", JSON.fast_generate(opts))
+      return true
+    end
+
+    def get_role(name)
+      json = client.get("/v1/transform/role/#{encode_path(name)}")
+      if data = json.dig(:data)
+        Role.decode(data)
+      else
+        json
+      end
+    end
+
+    def delete_role(name)
+      client.delete("/v1/transform/role/#{encode_path(name)}")
+      true
+    end
+
+    def roles
+      json = client.list("/v1/transform/role")
+      if keys = json.dig(:data, :keys)
+        keys
+      else
+        json
+      end
+    end
+  end
+end

data/lib/vault/api/transform/template.rb

@@ -0,0 +1,54 @@
+require_relative '../../request'
+require_relative '../../response'
+
+module Vault
+  class Transform < Request
+    class Template < Response
+      # @!attribute [r] alphabet
+      #   Name of the alphabet to be used in the template
+      #   @return [String]
+      field :alphabet
+
+      # @!attribute [r] pattern
+      #   Regex string to detect and match for the template
+      #   @return [String]
+      field :pattern
+
+      # @!attribute [r] type
+      #   Type of the template, currently, only "regex" is supported
+      #   @return [String]
+      field :type
+    end
+
+    def create_template(name, type:, pattern:, **opts)
+      opts ||= {}
+      opts[:type] = type
+      opts[:pattern] = pattern
+      client.post("/v1/transform/template/#{encode_path(name)}", JSON.fast_generate(opts))
+      return true
+    end
+
+    def get_template(name)
+      json = client.get("/v1/transform/template/#{encode_path(name)}")
+      if data = json.dig(:data)
+        Template.decode(data)
+      else
+        json
+      end
+    end
+
+    def delete_template(name)
+      client.delete("/v1/transform/template/#{encode_path(name)}")
+      true
+    end
+
+    def templates
+      json = client.list("/v1/transform/template")
+      if keys = json.dig(:data, :keys)
+        keys
+      else
+        json
+      end
+    end
+  end
+end

data/lib/vault/api/transform/transformation.rb

@@ -0,0 +1,61 @@
+require_relative '../../request'
+require_relative '../../response'
+
+module Vault
+  class Transform < Request
+    class Transformation < Response
+      # @!attribute [r] allowed_roles
+      #   Array of role names that are allowed to use this transformation
+      #   @return [Array<String>]
+      field :allowed_roles
+
+      # @!attribute [r] templates
+      #   Array of template names accessible to this transformation
+      #   @return [Array<String>]
+      field :templates
+
+      # @!attribute [r] tweak_source
+      #   String representing how a tweak is provided for this transformation.
+      #   Available tweaks are "supplied", "generated", and "internal"
+      #   @return [String]
+      field :tweak_source
+
+      # @!attribute [r] type
+      #   String representing the type of transformation this is.
+      #   Available types are "fpe", and "masking"
+      #   @return [String]
+      field :type
+    end
+
+    def create_transformation(name, type:, template:, **opts)
+      opts ||= {}
+      opts[:type] = type
+      opts[:template] = template
+      client.post("/v1/transform/transformation/#{encode_path(name)}", JSON.fast_generate(opts))
+      return true
+    end
+
+    def get_transformation(name)
+      json = client.get("/v1/transform/transformation/#{encode_path(name)}")
+      if data = json.dig(:data)
+        Transformation.decode(data)
+      else
+        json
+      end
+    end
+
+    def delete_transformation(name)
+      client.delete("/v1/transform/transformation/#{encode_path(name)}")
+      true
+    end
+
+    def transformations
+      json = client.list("/v1/transform/transformation")
+      if keys = json.dig(:data, :keys)
+        keys
+      else
+        json
+      end
+    end
+  end
+end

data/lib/vault/client.rb

@@ -16,6 +16,9 @@ module Vault
     # The name of the header used to hold the Vault token.
     TOKEN_HEADER = "X-Vault-Token".freeze
 
+    # The name of the header used to hold the Namespace.
+    NAMESPACE_HEADER = "X-Vault-Namespace".freeze
+
     # The name of the header used to hold the wrapped request ttl.
     WRAP_TTL_HEADER = "X-Vault-Wrap-TTL".freeze
 
@@ -255,6 +258,12 @@ module Vault
         headers[TOKEN_HEADER] ||= token
       end
 
+      # Add the Vault Namespace header - users could still override this on a
+      # per-request basis
+      if !namespace.nil?
+        headers[NAMESPACE_HEADER] ||= namespace
+      end
+
       # Add headers
       headers.each do |key, value|
         request.add_field(key, value)

data/lib/vault/configurable.rb

@@ -7,6 +7,7 @@ module Vault
         :address,
         :token,
         :hostname,
+        :namespace,
         :open_timeout,
         :proxy_address,
         :proxy_password,

data/lib/vault/defaults.rb

@@ -61,6 +61,13 @@ module Vault
         nil
       end
 
+
+      # Vault Namespace, if any.
+      # @return [String, nil]
+      def namespace
+        ENV["VAULT_NAMESPACE"]
+      end
+
       # The SNI host to use when connecting to Vault via TLS.
       # @return [String, nil]
       def hostname

data/lib/vault/request.rb

@@ -29,6 +29,7 @@ module Vault
     def extract_headers!(options = {})
       extract = {
         wrap_ttl: Vault::Client::WRAP_TTL_HEADER,
+        namespace: Vault::Client::NAMESPACE_HEADER,
       }
 
       {}.tap do |h|

data/lib/vault/version.rb

@@ -1,3 +1,3 @@
 module Vault
-  VERSION = "0.12.0"
+  VERSION = "0.15.0"
 end

data/vault.gemspec

@@ -21,10 +21,10 @@ Gem::Specification.new do |spec|
 
   spec.add_runtime_dependency "aws-sigv4"
 
-  spec.add_development_dependency "bundler"
-  spec.add_development_dependency "pry"
+  spec.add_development_dependency "bundler", "~> 2"
+  spec.add_development_dependency "pry",     "~> 0.13.1"
   spec.add_development_dependency "rake",    "~> 12.0"
   spec.add_development_dependency "rspec",   "~> 3.5"
-  spec.add_development_dependency "yard"
-  spec.add_development_dependency "webmock", "~> 2.3"
+  spec.add_development_dependency "yard",    "~> 0.9.24"
+  spec.add_development_dependency "webmock", "~> 3.8.3"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vault
 version: !ruby/object:Gem::Version
-  version: 0.12.0
+  version: 0.15.0
 platform: ruby
 authors:
 - Seth Vargo
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-08-14 00:00:00.000000000 Z
+date: 2020-08-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sigv4
@@ -28,30 +28,30 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.13.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.13.1
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -84,30 +84,30 @@ dependencies:
   name: yard
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.9.24
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.9.24
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: 3.8.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: 3.8.3
 description: Vault is a Ruby API client for interacting with a Vault server.
 email:
 - sethvargo@gmail.com
@@ -115,9 +115,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".circleci/config.yml"
 - ".gitignore"
 - ".rspec"
-- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - LICENSE
@@ -130,6 +130,7 @@ files:
 - lib/vault/api/auth_tls.rb
 - lib/vault/api/auth_token.rb
 - lib/vault/api/help.rb
+- lib/vault/api/kv.rb
 - lib/vault/api/logical.rb
 - lib/vault/api/secret.rb
 - lib/vault/api/sys.rb
@@ -140,8 +141,15 @@ files:
 - lib/vault/api/sys/leader.rb
 - lib/vault/api/sys/lease.rb
 - lib/vault/api/sys/mount.rb
+- lib/vault/api/sys/namespace.rb
 - lib/vault/api/sys/policy.rb
+- lib/vault/api/sys/quota.rb
 - lib/vault/api/sys/seal.rb
+- lib/vault/api/transform.rb
+- lib/vault/api/transform/alphabet.rb
+- lib/vault/api/transform/role.rb
+- lib/vault/api/transform/template.rb
+- lib/vault/api/transform/transformation.rb
 - lib/vault/client.rb
 - lib/vault/configurable.rb
 - lib/vault/defaults.rb
@@ -177,8 +185,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.14
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Vault is a Ruby API client for interacting with a Vault server.

data/.travis.yml

@@ -1,26 +0,0 @@
-dist: trusty
-sudo: false
-language: ruby
-cache: bundler
-
-env:
-  - VAULT_VERSION=0.8.3
-  - VAULT_VERSION=0.7.3
-  - VAULT_VERSION=0.6.5
-  - VAULT_VERSION=0.5.3
-
-before_install:
-  - curl -sLo vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
-  - unzip vault.zip
-  - mkdir -p ~/bin
-  - mv vault ~/bin
-  - export PATH="~/bin:$PATH"
-
-branches:
-  only:
-    - master
-
-rvm:
-  - 2.2
-  - 2.3
-  - 2.4