vault 0.12.0 → 0.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 5eeb054b599872ef7a225999772c0b486554f339
-  data.tar.gz: b1524f9c83ea5c2e5c3c74f66fafaa69e47b8c94
+SHA256:
+  metadata.gz: 46c570463a1aba190e789e5b2516b4140d48961611ff058235d3b9744e6a6b24
+  data.tar.gz: c84a96cf71d9f405281f56629e0fb68a6ce051740ea46da60e35cabf37d8b44e
 SHA512:
-  metadata.gz: d49f63c294a4165babfa3c6f2d2dfd90baabff86a964b895eb16b4ab08bd493fb07266c53f95fe2a255e2435df6f2ba42a921a97dfa1b94fe235a8c43e6aa77f
-  data.tar.gz: c4aa7afc3b28a1aa5912ee184c7a24d07d6c19d61ae922c409cd0c0aaf6cf3efff3c5dd2269ab1d65251a7f1ce35f8cd8810c7b4d516bfd83fff93153ad39ed1
+  metadata.gz: 98a20e963ec212e2269d1c28b581c24b356495789b4b37b20ebcb829c17904b518fc32f9cd2dadfcd59b957361410e7aa61f88e7ad419d72533d0ac1bd0ec68d
+  data.tar.gz: 35f0126a7e7ba6173662222a9006cd02bc2f78d6d674533546b68ad87420f99b1e26f1f160058b2a051c36a5faac219921ab24191f9165212ddc8f15c440e0a6

data/CHANGELOG.md

@@ -1,5 +1,43 @@
 # Vault Ruby Changelog
 
+## v0.16.0 (??? ??, 2021)
+
+IMPROVEMENTS
+
+- The timeout used to get a connection from the connection pool that talks with vault is now configurable. Using `Vault.pool_timeout` or the env var `VAULT_POOL_TIMEOUT`.
+
+## v0.15.0 (July 29, 2020)
+
+IMPROVEMENTS
+
+- Added support for Resource Quotas
+
+## v0.14.0 (May 28, 2020)
+
+IMPROVEMENTS
+
+- Added support for the Transform Secrets Engine
+
+## v0.13.2 (May 7, 2020)
+
+BUG FIXES
+
+- Fixed the ability to use namespace as an option for each request. Previously, that option was ignored.
+- aws-sigv4 gem was unlocked after a bug in 1.1.2 broke CI
+
+## v0.13.1 (April 28, 2020)
+
+IMPROVEMENTS
+
+- Added support for defining a namespace when initializing the client, as well as options for changing the namespace via method.
+- Added support for sys/namespaces API. Ability to Get, Create, Delete, and List namespaces has been provided.
+
+## v0.13.0 (October 1, 2019)
+
+IMPROVEMENTS
+
+- Add support for versioned KV secrets in the client
+
 ## v0.12.0 (August 14, 2018)
 
 IMPROVEMENTS

data/README.md

@@ -1,15 +1,17 @@
-Vault Ruby Client [![Build Status](https://secure.travis-ci.org/hashicorp/vault-ruby.svg)](http://travis-ci.org/hashicorp/vault-ruby)
+Vault Ruby Client [![Build Status](https://circleci.com/gh/hashicorp/vault-ruby.svg?style=shield)](https://circleci.com/gh/hashicorp/vault-ruby)
 =================
 
 Vault is the official Ruby client for interacting with [Vault](https://vaultproject.io) by HashiCorp.
 
-**The documentation in this README corresponds to the master branch of the Vault Ruby client. It may contain unreleased features or different APIs than the most recently released version. Please see the Git tag that corresponds to your version of the Vault Ruby client for the proper documentation.**
+**If you're viewing this README from GitHub on the `master` branch, know that it may contain unreleased features or
+different APIs than the most recently released version. Please see the Git tag that corresponds to your version of the
+Vault Ruby client for the proper documentation.**
 
 Quick Start
 -----------
 Install Ruby 2.0+: [Guide](https://www.ruby-lang.org/en/documentation/installation/).
 
-> Please note that Vault Ruby may work on older Ruby installations like Ruby 1.9, but you **should not** use these versions of Ruby when communicating with a Vault server. Ruby 1.9 has [reached EOL](https://www.ruby-lang.org/en/news/2014/01/10/ruby-1-9-3-will-end-on-2015/) and will no longer receive important security patches or maintenance updates. There _are known security vulnerabilities_ specifically around SSL ciphers, which this library uses to communicate with a Vault server. While many distros still ship with Ruby 1.9 as the default, you are **highly discouraged** from using this library on any version of Ruby lower than Ruby 2.0.
+> Please note that as of Vault Ruby version 0.14.0 versions of Ruby prior to 2.0 are no longer supported.
 
 Install via Rubygems:
 
@@ -18,7 +20,7 @@ Install via Rubygems:
 or add it to your Gemfile if you're using Bundler:
 
 ```ruby
-gem "vault", "~> 0.1"
+gem "vault"
 ```
 
 and then run the `bundle` command to install.
@@ -28,6 +30,8 @@ Start a Vault client:
 ```ruby
 Vault.address = "http://127.0.0.1:8200" # Also reads from ENV["VAULT_ADDR"]
 Vault.token   = "abcd-1234" # Also reads from ENV["VAULT_TOKEN"]
+# Optional - if using the Namespace enterprise feature
+# Vault.namespace   = "my-namespace" # Also reads from ENV["VAULT_NAMESPACE"]
 
 Vault.sys.mounts #=> { :secret => #<struct Vault::Mount type="generic", description="generic secret storage"> }
 ```
@@ -43,6 +47,8 @@ Vault.configure do |config|
 
   # The token to authenticate with Vault, also read as ENV["VAULT_TOKEN"]
   config.token = "abcd-1234"
+  # Optional - if using the Namespace enterprise feature
+  # config.namespace   = "my-namespace" # Also reads from ENV["VAULT_NAMESPACE"]
 
   # Proxy connection information, also read as ENV["VAULT_PROXY_(thing)"]
   config.proxy_address  = "..."
@@ -85,7 +91,8 @@ And if you want to authenticate with a `AWS EC2` :
     # Export VAULT_ADDR to ENV then
     # Get the pkcs7 value from AWS
     signature = `curl http://169.254.169.254/latest/dynamic/instance-identity/pkcs7`
-    vault_token = Vault.auth.aws_ec2(ENV['EC2_ROLE'], signature, nil)
+    iam_role = `curl http://169.254.169.254/latest/meta-data/iam/security-credentials/`
+    vault_token = Vault.auth.aws_ec2(iam_role, signature, nil)
     vault_client = Vault::Client.new(address: ENV["VAULT_ADDR"], token: vault_token.auth.client_token)
 ```
 
@@ -117,7 +124,9 @@ For advanced users, the first argument of the block is the attempt number and th
 
 ```ruby
 Vault.with_retries(Vault::HTTPConnectionError, Vault::HTTPError) do |attempt, e|
-  log "Received exception #{e} from Vault - attempt #{attempt}"
+  if e
+    log "Received exception #{e} from Vault - attempt #{attempt}"
+  end
   Vault.logical.read("secret/bacon")
 end
 ```
@@ -206,7 +215,8 @@ Development
 
 Important Notes:
 
-- **All new features must include test coverage.** At a bare minimum, Unit tests are required. It is preferred if you include acceptance tests as well.
-- **The tests must be be idempotent.** The HTTP calls made during a test should be able to be run over and over.
+- **All new features must include test coverage.** At a bare minimum, Unit tests are required. It is preferred if you include integration tests as well.
+- **The tests must be idempotent.** The HTTP calls made during a test should be able to be run over and over.
 - **Tests are order independent.** The default RSpec configuration randomizes the test order, so this should not be a problem.
 - **Integration tests require Vault**  Vault must be available in the path for the integration tests to pass.
+   - **In order to be considered an integration test:** The test MUST use the `vault_test_client` or `vault_redirect_test_client` as the client. This spawns a process, or uses an already existing process from another test, to run against.

data/lib/vault/api.rb

@@ -5,8 +5,10 @@ module Vault
     require_relative "api/auth_tls"
     require_relative "api/auth"
     require_relative "api/help"
+    require_relative "api/kv"
     require_relative "api/logical"
     require_relative "api/secret"
     require_relative "api/sys"
+    require_relative "api/transform"
   end
 end

data/lib/vault/api/kv.rb

@@ -0,0 +1,207 @@
+require_relative "secret"
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+  class Client
+    # A proxy to the {KV} methods.
+    # @return [KV]
+    def kv(mount)
+      KV.new(self, mount)
+    end
+  end
+
+  class KV < Request
+    attr_reader :mount
+
+    def initialize(client, mount)
+      super client
+
+      @mount = mount
+    end
+
+    # List the names of secrets at the given path, if the path supports
+    # listing. If the the path does not exist, an empty array will be returned.
+    #
+    # @example
+    #   Vault.kv("secret").list("foo") #=> ["bar", "baz"]
+    #
+    # @param [String] path
+    #   the path to list
+    #
+    # @return [Array<String>]
+    def list(path = "", options = {})
+      headers = extract_headers!(options)
+      json = client.list("/v1/#{mount}/metadata/#{encode_path(path)}", {}, headers)
+      json[:data][:keys] || []
+    rescue HTTPError => e
+      return [] if e.code == 404
+      raise
+    end
+
+    # Read the secret at the given path. If the secret does not exist, +nil+
+    # will be returned. The latest version is returned by default, but you
+    # can request a specific version.
+    #
+    # @example
+    #   Vault.kv("secret").read("password") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] path
+    #   the path to read
+    # @param [Integer] version
+    #   the version of the secret
+    #
+    # @return [Secret, nil]
+    def read(path, version = nil, options = {})
+      headers = extract_headers!(options)
+      params  = {}
+      params[:version] = version unless version.nil?
+
+      json = client.get("/v1/#{mount}/data/#{encode_path(path)}", params, headers)
+      return Secret.decode(json[:data])
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Read the metadata of a secret at the given path. If the secret does not
+    # exist, nil will be returned.
+    #
+    # @example
+    #    Vault.kv("secret").read_metadata("password") => {...}
+    #
+    # @param [String] path
+    #   the path to read
+    #
+    # @return [Hash, nil]
+    def read_metadata(path)
+      client.get("/v1/#{mount}/metadata/#{encode_path(path)}")[:data]
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Write the secret at the given path with the given data. Note that the
+    # data must be a {Hash}!
+    #
+    # @example
+    #   Vault.logical.write("secret/password", value: "secret") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] path
+    #   the path to write
+    # @param [Hash] data
+    #   the data to write
+    #
+    # @return [Secret]
+    def write(path, data = {}, options = {})
+      headers = extract_headers!(options)
+      json = client.post("/v1/#{mount}/data/#{encode_path(path)}", JSON.fast_generate(:data => data), headers)
+      if json.nil?
+        return true
+      else
+        return Secret.decode(json)
+      end
+    end
+
+    # Write the metadata of a secret at the given path. Note that the data must
+    # be a {Hash}.
+    #
+    # @example
+    #    Vault.kv("secret").write_metadata("password", max_versions => 3)
+    #
+    # @param [String] path
+    #   the path to write
+    # @param [Hash] metadata
+    #    the metadata to write
+    #
+    # @return [true]
+    def write_metadata(path, metadata = {})
+      client.post("/v1/#{mount}/metadata/#{encode_path(path)}", JSON.fast_generate(metadata))
+
+      true
+    end
+
+    # Delete the secret at the given path. If the secret does not exist, vault
+    # will still return true.
+    #
+    # @example
+    #   Vault.logical.delete("secret/password") #=> true
+    #
+    # @param [String] path
+    #   the path to delete
+    #
+    # @return [true]
+    def delete(path)
+      client.delete("/v1/#{mount}/data/#{encode_path(path)}")
+
+      true
+    end
+
+    # Mark specific versions of a secret as deleted.
+    #
+    # @example
+    #   Vault.kv("secret").delete_versions("password", [1, 2])
+    #
+    # @param [String] path
+    #   the path to remove versions from
+    # @param [Array<Integer>] versions
+    #   an array of versions to remove
+    #
+    # @return [true]
+    def delete_versions(path, versions)
+      client.post("/v1/#{mount}/delete/#{encode_path(path)}", JSON.fast_generate(versions: versions))
+
+      true
+    end
+
+    # Mark specific versions of a secret as active.
+    #
+    # @example
+    #   Vault.kv("secret").undelete_versions("password", [1, 2])
+    #
+    # @param [String] path
+    #   the path to enable versions for
+    # @param [Array<Integer>] versions
+    #   an array of versions to mark as undeleted
+    #
+    # @return [true]
+    def undelete_versions(path, versions)
+      client.post("/v1/#{mount}/undelete/#{encode_path(path)}", JSON.fast_generate(versions: versions))
+
+      true
+    end
+
+    # Completely remove a secret and its metadata.
+    #
+    # @example
+    #   Vault.kv("secret").destroy("password")
+    #
+    # @param [String] path
+    #   the path to remove
+    #
+    # @return [true]
+    def destroy(path)
+      client.delete("/v1/#{mount}/metadata/#{encode_path(path)}")
+
+      true
+    end
+
+    # Completely remove specific versions of a secret.
+    #
+    # @example
+    #   Vault.kv("secret").destroy_versions("password", [1, 2])
+    #
+    # @param [String] path
+    #   the path to remove versions from
+    # @param [Array<Integer>] versions
+    #   an array of versions to destroy
+    #
+    # @return [true]
+    def destroy_versions(path, versions)
+      client.post("/v1/#{mount}/destroy/#{encode_path(path)}", JSON.fast_generate(versions: versions))
+
+      true
+    end
+  end
+end

data/lib/vault/api/secret.rb

@@ -32,6 +32,18 @@ module Vault
     #   @return [Hash<Symbol, Object>]
     field :data, freeze: true
 
+    # @!attribute [r] metadata
+    #   Read-only metadata information related to the secret.
+    #
+    #   @example Reading metadata
+    #     secret = Vault.logical(:versioned).read("secret", "foo")
+    #     secret.metadata[:created_time] #=> "2018-12-08T04:22:54.168065Z"
+    #     secret.metadata[:version]      #=> 1
+    #     secret.metadata[:destroyed]    #=> false
+    #
+    #   @return [Hash<Symbol, Object>]
+    field :metadata, freeze: true
+
     # @!attribute [r] lease_duration
     #   The number of seconds this lease is valid. If this number is 0 or nil,
     #   the secret does not expire.

data/lib/vault/api/sys.rb

@@ -21,5 +21,7 @@ require_relative "sys/init"
 require_relative "sys/leader"
 require_relative "sys/lease"
 require_relative "sys/mount"
+require_relative "sys/namespace"
 require_relative "sys/policy"
+require_relative "sys/quota"
 require_relative "sys/seal"

data/lib/vault/api/sys/mount.rb

@@ -16,6 +16,11 @@ module Vault
     #   Type of the mount.
     #   @return [String]
     field :type
+
+    # @!attribute [r] type
+    #   Options given to the mount.
+    #   @return [Hash<Symbol, Object>]
+    field :options
   end
 
   class Sys < Request
@@ -44,8 +49,8 @@ module Vault
     #   the type of mount
     # @param [String] description
     #   a human-friendly description (optional)
-    def mount(path, type, description = nil)
-      payload = { type: type }
+    def mount(path, type, description = nil, options = {})
+      payload = options.merge type: type
       payload[:description] = description if !description.nil?
 
       client.post("/v1/sys/mounts/#{encode_path(path)}", JSON.fast_generate(payload))

data/lib/vault/api/sys/namespace.rb

@@ -0,0 +1,83 @@
+module Vault
+  class Namespace < Response
+    # @!attribute [r] id
+    #   ID of the namespace
+    #   @return [String]
+    field :id
+
+    # @!attribute [r] path
+    #   Path of the namespace, includes parent paths if nested.
+    #   @return [String]
+    field :path
+  end
+
+  class Sys
+    # List all namespaces in a given scope. Ignores nested namespaces.
+    #
+    # @example
+    #   Vault.sys.namespaces #=> { :foo => #<struct Vault::Namespace id="xxxx1", path="foo/" }
+    #
+    #   @return [Hash<Symbol, Namespace>]
+    def namespaces(scoped=nil)
+      path = ["v1", scoped, "sys", "namespaces"].compact
+      json = client.list(path.join("/"))
+      json = json[:data] if json[:data]
+      if json[:key_info]
+        json = json[:key_info]
+        hash = {}
+        json.each do |k,v|
+          hash[k.to_s.chomp("/").to_sym] = Namespace.decode(v)
+        end
+        hash
+      else
+        json
+      end
+    end
+
+    # Create a namespace. Nests the namespace if a namespace header is provided.
+    #
+    # @example
+    #   Vault.sys.create_namespace("foo")
+    #
+    # @param [String] namespace
+    #   the potential path of the namespace, without any parent path provided
+    #
+    # @return [true]
+    def create_namespace(namespace)
+      client.put("/v1/sys/namespaces/#{namespace}", {})
+      return true
+    end
+
+    # Delete a namespace. Raises an error if the namespace provided is not empty.
+    #
+    # @example
+    #   Vault.sys.delete_namespace("foo")
+    #
+    # @param [String] namespace
+    #   the path of the namespace to be deleted
+    #
+    # @return [true]
+    def delete_namespace(namespace)
+      client.delete("/v1/sys/namespaces/#{namespace}")
+      return true
+    end
+
+    # Retrieve a namespace by path.
+    #
+    # @example
+    #   Vault.sys.get_namespace("foo")
+    #
+    # @param [String] namespace
+    #   the path of the namespace ot be retrieved
+    #
+    # @return [Namespace]
+    def get_namespace(namespace)
+      json = client.get("/v1/sys/namespaces/#{namespace}")
+      if data = json.dig(:data)
+        Namespace.decode(data)
+      else
+        json
+      end
+    end
+  end
+end

data/lib/vault/api/sys/quota.rb

@@ -0,0 +1,107 @@
+module Vault
+  class Quota < Response
+    # @!attribute [r] name
+    #   Name of the quota rule.
+    #   @return [String]
+    field :name
+
+    # @!attribute [r] path
+    #   Namespace/Path combination the quota applies to.
+    #   @return [String]
+    field :path
+
+    # @!attribute [r] type
+    #   Type of the quota rule, must be one of "lease-count" or "rate-limit"
+    #   @return [String]
+    field :type
+  end
+
+  class RateLimitQuota < Quota
+    # @!attribute [r] rate
+    #   The rate at which allowed requests are refilled per second by the quota
+    #   rule.
+    #   @return [Float]
+    field :rate
+
+    # @!attribute [r] burst
+    #   The maximum number of requests at any given second allowed by the quota
+    #   rule.
+    #   @return [Int]
+    field :burst
+  end
+
+  class LeaseCountQuota < Quota
+    # @!attribute [r] counter
+    #   Number of currently active leases for the quota.
+    #   @return [Int]
+    field :counter
+
+    # @!attribute [r] max_leases
+    #   The maximum number of allowed leases for this quota.
+    #   @return [Int]
+    field :max_leases
+  end
+
+  class Sys
+    def quotas(type)
+      path = generate_path(type)
+      json = client.list(path)
+      if data = json.dig(:data, :key_info)
+        data.map do |item|
+          type_class(type).decode(item)
+        end
+      else
+        json
+      end
+    end
+
+    def create_quota(type, name, opts={})
+      path = generate_path(type, name)
+      client.post(path, JSON.fast_generate(opts))
+      return true
+    end
+
+    def delete_quota(type, name)
+      path = generate_path(type, name)
+      client.delete(path)
+      return true
+    end
+
+    def get_quota(type, name)
+      path = generate_path(type, name)
+      response = client.get(path)
+      if data = response[:data]
+        type_class(type).decode(data)
+      end
+    end
+
+    def get_quota_config
+      client.get("v1/sys/quotas/config")
+    end
+    
+    def update_quota_config(opts={})
+      client.post("v1/sys/quotas/config", JSON.fast_generate(opts))
+      return true
+    end
+
+    private
+
+    def generate_path(type, name=nil)
+      verify_type(type)
+      path = ["v1", "sys", "quotas", type, name].compact
+      path.join("/")
+    end
+
+    def verify_type(type)
+      return if ["rate-limit", "lease-count"].include?(type)
+      raise ArgumentError, "type must be one of \"rate-limit\" or \"lease-count\""
+    end
+
+    def type_class(type)
+      case type
+      when "lease-count" then LeaseCountQuota
+      when "rate-limit" then RateLimitQuota
+      end
+    end
+  end
+end

data/lib/vault/api/transform.rb

@@ -0,0 +1,29 @@
+require_relative '../client'
+require_relative '../request'
+
+module Vault
+  class Client
+    # A proxy to the {Transform} methods.
+    # @return [Transform]
+    def transform
+      @transform ||= Transform.new(self)
+    end
+  end
+
+  class Transform < Request
+    def encode(role_name:, **opts)
+      opts ||= {}
+      client.post("/v1/transform/encode/#{encode_path(role_name)}", JSON.fast_generate(opts))
+    end
+
+    def decode(role_name:, **opts)
+      opts ||= {}
+      client.post("/v1/transform/decode/#{encode_path(role_name)}", JSON.fast_generate(opts))
+    end
+  end
+end
+
+require_relative 'transform/alphabet'
+require_relative 'transform/role'
+require_relative 'transform/template'
+require_relative 'transform/transformation'

data/lib/vault/api/transform/alphabet.rb

@@ -0,0 +1,43 @@
+require_relative '../../request'
+require_relative '../../response'
+
+module Vault
+  class Transform < Request
+    class Alphabet < Response
+      # @!attribute [r] id
+      #   String listing all possible characters of the alphabet
+      #   @return [String]
+      field :alphabet
+    end
+
+    def create_alphabet(name, alphabet:, **opts)
+      opts ||= {}
+      opts[:alphabet] = alphabet
+      client.post("/v1/transform/alphabet/#{encode_path(name)}", JSON.fast_generate(opts))
+      return true
+    end
+
+    def get_alphabet(name)
+      json = client.get("/v1/transform/alphabet/#{encode_path(name)}")
+      if data = json.dig(:data)
+        Alphabet.decode(data)
+      else
+        json
+      end
+    end
+
+    def delete_alphabet(name)
+      client.delete("/v1/transform/alphabet/#{encode_path(name)}")
+      true
+    end
+
+    def alphabets
+      json = client.list("/v1/transform/alphabet")
+      if keys = json.dig(:data, :keys)
+        keys
+      else
+        json
+      end
+    end
+  end
+end

data/lib/vault/api/transform/role.rb

@@ -0,0 +1,42 @@
+require_relative '../../request'
+require_relative '../../response'
+
+module Vault
+  class Transform < Request
+    class Role < Response
+      # @!attribute [r] transformations
+      #   Array of all transformations the role has access to
+      #   @return [Array<String>]
+      field :transformations
+    end
+
+    def create_role(name, **opts)
+      opts ||= {}
+      client.post("/v1/transform/role/#{encode_path(name)}", JSON.fast_generate(opts))
+      return true
+    end
+
+    def get_role(name)
+      json = client.get("/v1/transform/role/#{encode_path(name)}")
+      if data = json.dig(:data)
+        Role.decode(data)
+      else
+        json
+      end
+    end
+
+    def delete_role(name)
+      client.delete("/v1/transform/role/#{encode_path(name)}")
+      true
+    end
+
+    def roles
+      json = client.list("/v1/transform/role")
+      if keys = json.dig(:data, :keys)
+        keys
+      else
+        json
+      end
+    end
+  end
+end

data/lib/vault/api/transform/template.rb

@@ -0,0 +1,54 @@
+require_relative '../../request'
+require_relative '../../response'
+
+module Vault
+  class Transform < Request
+    class Template < Response
+      # @!attribute [r] alphabet
+      #   Name of the alphabet to be used in the template
+      #   @return [String]
+      field :alphabet
+
+      # @!attribute [r] pattern
+      #   Regex string to detect and match for the template
+      #   @return [String]
+      field :pattern
+
+      # @!attribute [r] type
+      #   Type of the template, currently, only "regex" is supported
+      #   @return [String]
+      field :type
+    end
+
+    def create_template(name, type:, pattern:, **opts)
+      opts ||= {}
+      opts[:type] = type
+      opts[:pattern] = pattern
+      client.post("/v1/transform/template/#{encode_path(name)}", JSON.fast_generate(opts))
+      return true
+    end
+
+    def get_template(name)
+      json = client.get("/v1/transform/template/#{encode_path(name)}")
+      if data = json.dig(:data)
+        Template.decode(data)
+      else
+        json
+      end
+    end
+
+    def delete_template(name)
+      client.delete("/v1/transform/template/#{encode_path(name)}")
+      true
+    end
+
+    def templates
+      json = client.list("/v1/transform/template")
+      if keys = json.dig(:data, :keys)
+        keys
+      else
+        json
+      end
+    end
+  end
+end

data/lib/vault/api/transform/transformation.rb

@@ -0,0 +1,61 @@
+require_relative '../../request'
+require_relative '../../response'
+
+module Vault
+  class Transform < Request
+    class Transformation < Response
+      # @!attribute [r] allowed_roles
+      #   Array of role names that are allowed to use this transformation
+      #   @return [Array<String>]
+      field :allowed_roles
+
+      # @!attribute [r] templates
+      #   Array of template names accessible to this transformation
+      #   @return [Array<String>]
+      field :templates
+
+      # @!attribute [r] tweak_source
+      #   String representing how a tweak is provided for this transformation.
+      #   Available tweaks are "supplied", "generated", and "internal"
+      #   @return [String]
+      field :tweak_source
+
+      # @!attribute [r] type
+      #   String representing the type of transformation this is.
+      #   Available types are "fpe", and "masking"
+      #   @return [String]
+      field :type
+    end
+
+    def create_transformation(name, type:, template:, **opts)
+      opts ||= {}
+      opts[:type] = type
+      opts[:template] = template
+      client.post("/v1/transform/transformation/#{encode_path(name)}", JSON.fast_generate(opts))
+      return true
+    end
+
+    def get_transformation(name)
+      json = client.get("/v1/transform/transformation/#{encode_path(name)}")
+      if data = json.dig(:data)
+        Transformation.decode(data)
+      else
+        json
+      end
+    end
+
+    def delete_transformation(name)
+      client.delete("/v1/transform/transformation/#{encode_path(name)}")
+      true
+    end
+
+    def transformations
+      json = client.list("/v1/transform/transformation")
+      if keys = json.dig(:data, :keys)
+        keys
+      else
+        json
+      end
+    end
+  end
+end

data/lib/vault/client.rb

@@ -16,6 +16,9 @@ module Vault
     # The name of the header used to hold the Vault token.
     TOKEN_HEADER = "X-Vault-Token".freeze
 
+    # The name of the header used to hold the Namespace.
+    NAMESPACE_HEADER = "X-Vault-Namespace".freeze
+
     # The name of the header used to hold the wrapped request ttl.
     WRAP_TTL_HEADER = "X-Vault-Wrap-TTL".freeze
 
@@ -83,7 +86,7 @@ module Vault
       @lock.synchronize do
         return @nhp if @nhp
 
-        @nhp = PersistentHTTP.new("vault-ruby", nil, pool_size)
+        @nhp = PersistentHTTP.new("vault-ruby", nil, pool_size, pool_timeout)
 
         if proxy_address
           proxy_uri = URI.parse "http://#{proxy_address}"
@@ -255,6 +258,12 @@ module Vault
         headers[TOKEN_HEADER] ||= token
       end
 
+      # Add the Vault Namespace header - users could still override this on a
+      # per-request basis
+      if !namespace.nil?
+        headers[NAMESPACE_HEADER] ||= namespace
+      end
+
       # Add headers
       headers.each do |key, value|
         request.add_field(key, value)

data/lib/vault/configurable.rb

@@ -7,12 +7,14 @@ module Vault
         :address,
         :token,
         :hostname,
+        :namespace,
         :open_timeout,
         :proxy_address,
         :proxy_password,
         :proxy_port,
         :proxy_username,
         :pool_size,
+        :pool_timeout,
         :read_timeout,
         :ssl_ciphers,
         :ssl_pem_contents,

data/lib/vault/defaults.rb

@@ -30,6 +30,9 @@ module Vault
     # The default size of the connection pool
     DEFAULT_POOL_SIZE = 16
 
+    # The default timeout in seconds for retrieving a connection from the connection pool
+    DEFAULT_POOL_TIMEOUT = 0.5
+
     # The set of exceptions that are detect and retried by default
     # with `with_retries`
     RETRIED_EXCEPTIONS = [HTTPServerError]
@@ -61,6 +64,13 @@ module Vault
         nil
       end
 
+
+      # Vault Namespace, if any.
+      # @return [String, nil]
+      def namespace
+        ENV["VAULT_NAMESPACE"]
+      end
+
       # The SNI host to use when connecting to Vault via TLS.
       # @return [String, nil]
       def hostname
@@ -78,12 +88,22 @@ module Vault
       # @return Integer
       def pool_size
         if var = ENV["VAULT_POOL_SIZE"]
-          return var.to_i
+          var.to_i
         else
           DEFAULT_POOL_SIZE
         end
       end
 
+      # The timeout for getting a connection from the connection pool that communicates with Vault
+      # @return Float
+      def pool_timeout
+        if var = ENV["VAULT_POOL_TIMEOUT"]
+          var.to_f
+        else
+          DEFAULT_POOL_TIMEOUT
+        end
+      end
+
       # The HTTP Proxy server address as a string
       # @return [String, nil]
       def proxy_address

data/lib/vault/persistent.rb

@@ -202,11 +202,6 @@ class PersistentHTTP
 
   HAVE_OPENSSL = defined? OpenSSL::SSL # :nodoc:
 
-  ##
-  # The default connection pool size is 1/4 the allowed open files.
-
-  DEFAULT_POOL_SIZE = 16
-
   ##
   # The version of PersistentHTTP you are using
 
@@ -505,7 +500,7 @@ class PersistentHTTP
   # Defaults to 1/4 the number of allowed file handles.  You can have no more
   # than this many threads with active HTTP transactions.
 
-  def initialize name=nil, proxy=nil, pool_size=DEFAULT_POOL_SIZE
+  def initialize name=nil, proxy=nil, pool_size=Vault::Defaults::DEFAULT_POOL_SIZE, pool_timeout=Vault::Defaults::DEFAULT_POOL_TIMEOUT
     @name = name
 
     @debug_output     = nil
@@ -525,7 +520,7 @@ class PersistentHTTP
     @socket_options << [Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1] if
       Socket.const_defined? :TCP_NODELAY
 
-    @pool = PersistentHTTP::Pool.new size: pool_size do |http_args|
+    @pool = PersistentHTTP::Pool.new size: pool_size, timeout: pool_timeout do |http_args|
       PersistentHTTP::Connection.new Net::HTTP, http_args, @ssl_generation
     end
 

data/lib/vault/persistent/pool.rb

@@ -31,7 +31,7 @@ class PersistentHTTP::Pool < Vault::ConnectionPool # :nodoc:
     stack  = stacks[net_http_args]
 
     if stack.empty? then
-      conn = @available.pop connection_args: net_http_args
+      conn = @available.pop @timeout, connection_args: net_http_args
     else
       conn = stack.last
     end

data/lib/vault/request.rb

@@ -29,6 +29,7 @@ module Vault
     def extract_headers!(options = {})
       extract = {
         wrap_ttl: Vault::Client::WRAP_TTL_HEADER,
+        namespace: Vault::Client::NAMESPACE_HEADER,
       }
 
       {}.tap do |h|

data/lib/vault/version.rb

@@ -1,3 +1,3 @@
 module Vault
-  VERSION = "0.12.0"
+  VERSION = "0.16.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vault
 version: !ruby/object:Gem::Version
-  version: 0.12.0
+  version: 0.16.0
 platform: ruby
 authors:
 - Seth Vargo
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-08-14 00:00:00.000000000 Z
+date: 2021-03-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sigv4
@@ -28,30 +28,30 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.13.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.13.1
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -84,30 +84,30 @@ dependencies:
   name: yard
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.9.24
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.9.24
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: 3.8.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: 3.8.3
 description: Vault is a Ruby API client for interacting with a Vault server.
 email:
 - sethvargo@gmail.com
@@ -115,14 +115,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".gitignore"
-- ".rspec"
-- ".travis.yml"
 - CHANGELOG.md
-- Gemfile
 - LICENSE
 - README.md
-- Rakefile
 - lib/vault.rb
 - lib/vault/api.rb
 - lib/vault/api/approle.rb
@@ -130,6 +125,7 @@ files:
 - lib/vault/api/auth_tls.rb
 - lib/vault/api/auth_token.rb
 - lib/vault/api/help.rb
+- lib/vault/api/kv.rb
 - lib/vault/api/logical.rb
 - lib/vault/api/secret.rb
 - lib/vault/api/sys.rb
@@ -140,8 +136,15 @@ files:
 - lib/vault/api/sys/leader.rb
 - lib/vault/api/sys/lease.rb
 - lib/vault/api/sys/mount.rb
+- lib/vault/api/sys/namespace.rb
 - lib/vault/api/sys/policy.rb
+- lib/vault/api/sys/quota.rb
 - lib/vault/api/sys/seal.rb
+- lib/vault/api/transform.rb
+- lib/vault/api/transform/alphabet.rb
+- lib/vault/api/transform/role.rb
+- lib/vault/api/transform/template.rb
+- lib/vault/api/transform/transformation.rb
 - lib/vault/client.rb
 - lib/vault/configurable.rb
 - lib/vault/defaults.rb
@@ -157,7 +160,6 @@ files:
 - lib/vault/vendor/connection_pool/timed_stack.rb
 - lib/vault/vendor/connection_pool/version.rb
 - lib/vault/version.rb
-- vault.gemspec
 homepage: https://github.com/hashicorp/vault-ruby
 licenses:
 - MPL-2.0
@@ -170,15 +172,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.14
+rubygems_version: 3.2.3
 signing_key: 
 specification_version: 4
 summary: Vault is a Ruby API client for interacting with a Vault server.

data/.gitignore

@@ -1,42 +0,0 @@
-### Ruby ###
-*.gem
-*.rbc
-/.config
-/.vscode
-/coverage/
-/InstalledFiles
-/pkg/
-/spec/reports/
-/test/tmp/
-/test/version_tmp/
-/tmp/
-/vendor/bundle/
-/vendor/ruby/
-
-## Specific to RubyMotion:
-.dat*
-.repl_history
-build/
-
-## Documentation cache and generated files:
-/.yardoc/
-/_yardoc/
-/doc/
-/rdoc/
-
-## Environment normalisation:
-/.bundle/
-/vendor/bundle
-/lib/bundler/man/
-
-# for a library or gem, you might want to ignore these files since the code is
-# intended to run in multiple environments; otherwise, check them in:
-Gemfile.lock
-.ruby-version
-.ruby-gemset
-
-# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
-.rvmrc
-
-# Project-specific
-spec/tmp

data/.rspec

@@ -1,2 +0,0 @@
---format documentation
---color

data/.travis.yml

@@ -1,26 +0,0 @@
-dist: trusty
-sudo: false
-language: ruby
-cache: bundler
-
-env:
-  - VAULT_VERSION=0.8.3
-  - VAULT_VERSION=0.7.3
-  - VAULT_VERSION=0.6.5
-  - VAULT_VERSION=0.5.3
-
-before_install:
-  - curl -sLo vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
-  - unzip vault.zip
-  - mkdir -p ~/bin
-  - mv vault ~/bin
-  - export PATH="~/bin:$PATH"
-
-branches:
-  only:
-    - master
-
-rvm:
-  - 2.2
-  - 2.3
-  - 2.4

data/Gemfile

@@ -1,3 +0,0 @@
-source "https://rubygems.org"
-
-gemspec

data/Rakefile

@@ -1,6 +0,0 @@
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
-
-RSpec::Core::RakeTask.new(:spec)
-
-task default: :spec

data/vault.gemspec

@@ -1,30 +0,0 @@
-# coding: utf-8
-lib = File.expand_path("../lib", __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require "vault/version"
-
-Gem::Specification.new do |spec|
-  spec.name          = "vault"
-  spec.version       = Vault::VERSION
-  spec.authors       = ["Seth Vargo"]
-  spec.email         = ["sethvargo@gmail.com"]
-  spec.licenses      = ["MPL-2.0"]
-
-  spec.summary       = "Vault is a Ruby API client for interacting with a Vault server."
-  spec.description   = spec.summary
-  spec.homepage      = "https://github.com/hashicorp/vault-ruby"
-
-  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
-  spec.bindir        = "exe"
-  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
-  spec.require_paths = ["lib"]
-
-  spec.add_runtime_dependency "aws-sigv4"
-
-  spec.add_development_dependency "bundler"
-  spec.add_development_dependency "pry"
-  spec.add_development_dependency "rake",    "~> 12.0"
-  spec.add_development_dependency "rspec",   "~> 3.5"
-  spec.add_development_dependency "yard"
-  spec.add_development_dependency "webmock", "~> 2.3"
-end