vault 0.14.0 → 0.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cd39dd364209eee99a269200710d73fbdd4d9fe7007b5b8db78d1861b5671c53
-  data.tar.gz: 3b9cd61321644f7a45d87e7f08dadd7cb6c20da6537e46a01f82b2975d302852
+  metadata.gz: 9cd81591af963bbdfe3d167fa31b00a9d503e3ad0dfcdf242cadce97ddc19281
+  data.tar.gz: de55b77ff05e80aeecf8f648d66916d9662605083fbfc0c36222368f85de0a2a
 SHA512:
-  metadata.gz: 9a5e084c51cf4528095d4911acf8b983e1b61673441862fee7a58c640faae85bd81157a2a53d64db3fe8387136f8ceff7da2ea33e295ad6c8813b1e9fd3ff4a0
-  data.tar.gz: '0256808c555dece8ff08124fbdfad7a92b054db0c85f3e0e3d907d28b30c9d3f5d4b9e9a96287c1f2b8697e06dfdab57f8ddc0ee66a0947e780b7833e196bbc2'
+  metadata.gz: 0e0fa430df19981f84399ea639c69bb503d4f553bbd943b32bb0cb58ccf74f1f75f1d7c9558de92da372cf9f4d6e2dcd9b40f7a311956ee1c29310ee2701e5aa
+  data.tar.gz: 67395eb83e5586ef4232fac94ca5be1c9e408c3592a0fcfc26ee4cae1e81c0017b9a8e96ad39b24a256e61712b1ea001e9ab645ea79fabe918fdf0d377e58f89

data/CHANGELOG.md

@@ -1,5 +1,25 @@
 # Vault Ruby Changelog
 
+## v?.??.? (Unreleased)
+
+## v0.17.0 (May 11, 2022)
+
+IMPROVEMENTS
+
+- Added MissingRequiredStateErr error type to refer to 412s returned by Vault 1.10 when the WAL index on the node does not match the index in the Server-Side Consistent Token. This error type can be passed as a parameter to `#with_retries`, and will also be retried automatically when `#with_retries` is used with no parameters.
+
+## v0.16.0 (March 17, 2021)
+
+IMPROVEMENTS
+
+- The timeout used to get a connection from the connection pool that talks with vault is now configurable. Using `Vault.pool_timeout` or the env var `VAULT_POOL_TIMEOUT`.
+
+## v0.15.0 (July 29, 2020)
+
+IMPROVEMENTS
+
+- Added support for Resource Quotas
+
 ## v0.14.0 (May 28, 2020)
 
 IMPROVEMENTS

data/README.md

@@ -1,15 +1,17 @@
-Vault Ruby Client [![Build Status](https://secure.travis-ci.org/hashicorp/vault-ruby.svg)](http://travis-ci.org/hashicorp/vault-ruby)
+Vault Ruby Client [![Build Status](https://circleci.com/gh/hashicorp/vault-ruby.svg?style=shield)](https://circleci.com/gh/hashicorp/vault-ruby)
 =================
 
 Vault is the official Ruby client for interacting with [Vault](https://vaultproject.io) by HashiCorp.
 
-**The documentation in this README corresponds to the master branch of the Vault Ruby client. It may contain unreleased features or different APIs than the most recently released version. Please see the Git tag that corresponds to your version of the Vault Ruby client for the proper documentation.**
+**If you're viewing this README from GitHub on the `master` branch, know that it may contain unreleased features or
+different APIs than the most recently released version. Please see the Git tag that corresponds to your version of the
+Vault Ruby client for the proper documentation.**
 
 Quick Start
 -----------
 Install Ruby 2.0+: [Guide](https://www.ruby-lang.org/en/documentation/installation/).
 
-> Please note that Vault Ruby may work on older Ruby installations like Ruby 1.9, but you **should not** use these versions of Ruby when communicating with a Vault server. Ruby 1.9 has [reached EOL](https://www.ruby-lang.org/en/news/2014/01/10/ruby-1-9-3-will-end-on-2015/) and will no longer receive important security patches or maintenance updates. There _are known security vulnerabilities_ specifically around SSL ciphers, which this library uses to communicate with a Vault server. While many distros still ship with Ruby 1.9 as the default, you are **highly discouraged** from using this library on any version of Ruby lower than Ruby 2.0.
+> Please note that as of Vault Ruby version 0.14.0 versions of Ruby prior to 2.0 are no longer supported.
 
 Install via Rubygems:
 
@@ -18,7 +20,7 @@ Install via Rubygems:
 or add it to your Gemfile if you're using Bundler:
 
 ```ruby
-gem "vault", "~> 0.1"
+gem "vault"
 ```
 
 and then run the `bundle` command to install.
@@ -214,7 +216,7 @@ Development
 Important Notes:
 
 - **All new features must include test coverage.** At a bare minimum, Unit tests are required. It is preferred if you include integration tests as well.
-- **The tests must be be idempotent.** The HTTP calls made during a test should be able to be run over and over.
+- **The tests must be idempotent.** The HTTP calls made during a test should be able to be run over and over.
 - **Tests are order independent.** The default RSpec configuration randomizes the test order, so this should not be a problem.
 - **Integration tests require Vault**  Vault must be available in the path for the integration tests to pass.
    - **In order to be considered an integration test:** The test MUST use the `vault_test_client` or `vault_redirect_test_client` as the client. This spawns a process, or uses an already existing process from another test, to run against.

data/lib/vault/api/auth.rb

@@ -286,12 +286,17 @@ module Vault
     # @param [String] path (default: 'cert')
     #   The path to the auth backend to use for the login procedure.
     #
+    # @param [String] name optional
+    #   The named certificate role provided to the login request. 
+    #
     # @return [Secret]
-    def tls(pem = nil, path = 'cert')
+    def tls(pem = nil, path = 'cert', name: nil)
       new_client = client.dup
       new_client.ssl_pem_contents = pem if !pem.nil?
 
-      json = new_client.post("/v1/auth/#{CGI.escape(path)}/login")
+      opts = {}
+      opts[:name] = name if name
+      json = new_client.post("/v1/auth/#{CGI.escape(path)}/login", opts)
       secret = Secret.decode(json)
       client.token = secret.auth.client_token
       return secret

data/lib/vault/api/sys/mount.rb

@@ -23,6 +23,48 @@ module Vault
     field :options
   end
 
+  class MountTune < Response
+    # @!attribute [r] description
+    #   Specifies the description of the mount.
+    #   @return [String]
+    field :description
+
+    # @!attribute [r] default_lease_ttl
+    #   Specifies the default time-to-live.
+    #   @return [Fixnum]
+    field :default_lease_ttl
+
+    # @!attribute [r] max_lease_ttl
+    #   Specifies the maximum time-to-live.
+    #   @return [Fixnum]
+    field :max_lease_ttl
+
+    # @!attribute [r] audit_non_hmac_request_keys
+    #   Specifies the comma-separated list of keys that will not be HMAC'd by audit devices in the request data object.
+    #   @return [Array<String>]
+    field :audit_non_hmac_request_keys
+
+    # @!attribute [r] audit_non_hmac_response_keys
+    #   Specifies the comma-separated list of keys that will not be HMAC'd by audit devices in the response data object.
+    #   @return [Array<String>]
+    field :audit_non_hmac_response_keys
+
+    # @!attribute [r] listing_visibility
+    #   Specifies whether to show this mount in the UI-specific listing endpoint.
+    #   @return [String]
+    field :listing_visibility
+
+    # @!attribute [r] passthrough_request_headers
+    #   Comma-separated list of headers to whitelist and pass from the request to the plugin.
+    #   @return [Array<String>]
+    field :passthrough_request_headers
+
+    # @!attribute [r] allowed_response_headers
+    #   Comma-separated list of headers to whitelist, allowing a plugin to include them in the response.
+    #   @return [Array<String>]
+    field :allowed_response_headers
+  end
+
   class Sys < Request
     # List all mounts in the vault.
     #
@@ -57,6 +99,18 @@ module Vault
       return true
     end
 
+    # Get the mount tunings at a given path.
+    #
+    # @example
+    #   Vault.sys.get_mount_tune("pki") #=> { :pki => #<struct Vault::MountTune default_lease_ttl=2764800> }
+    #
+    # @return [MountTune]
+    def get_mount_tune(path)
+      json = client.get("/v1/sys/mounts/#{encode_path(path)}/tune")
+      json = json[:data] if json[:data]
+      return MountTune.decode(json)
+    end
+
     # Tune a mount at the given path.
     #
     # @example

data/lib/vault/api/sys/namespace.rb

@@ -18,8 +18,6 @@ module Vault
     #   Vault.sys.namespaces #=> { :foo => #<struct Vault::Namespace id="xxxx1", path="foo/" }
     #
     #   @return [Hash<Symbol, Namespace>]
-    #
-    #   NOTE: Due to a bug in Vault Enterprise, to be fixed soon, this method CAN return a pure JSON string if a scoping namespace is provided.
     def namespaces(scoped=nil)
       path = ["v1", scoped, "sys", "namespaces"].compact
       json = client.list(path.join("/"))

data/lib/vault/api/sys/quota.rb

@@ -0,0 +1,107 @@
+module Vault
+  class Quota < Response
+    # @!attribute [r] name
+    #   Name of the quota rule.
+    #   @return [String]
+    field :name
+
+    # @!attribute [r] path
+    #   Namespace/Path combination the quota applies to.
+    #   @return [String]
+    field :path
+
+    # @!attribute [r] type
+    #   Type of the quota rule, must be one of "lease-count" or "rate-limit"
+    #   @return [String]
+    field :type
+  end
+
+  class RateLimitQuota < Quota
+    # @!attribute [r] rate
+    #   The rate at which allowed requests are refilled per second by the quota
+    #   rule.
+    #   @return [Float]
+    field :rate
+
+    # @!attribute [r] burst
+    #   The maximum number of requests at any given second allowed by the quota
+    #   rule.
+    #   @return [Int]
+    field :burst
+  end
+
+  class LeaseCountQuota < Quota
+    # @!attribute [r] counter
+    #   Number of currently active leases for the quota.
+    #   @return [Int]
+    field :counter
+
+    # @!attribute [r] max_leases
+    #   The maximum number of allowed leases for this quota.
+    #   @return [Int]
+    field :max_leases
+  end
+
+  class Sys
+    def quotas(type)
+      path = generate_path(type)
+      json = client.list(path)
+      if data = json.dig(:data, :key_info)
+        data.map do |item|
+          type_class(type).decode(item)
+        end
+      else
+        json
+      end
+    end
+
+    def create_quota(type, name, opts={})
+      path = generate_path(type, name)
+      client.post(path, JSON.fast_generate(opts))
+      return true
+    end
+
+    def delete_quota(type, name)
+      path = generate_path(type, name)
+      client.delete(path)
+      return true
+    end
+
+    def get_quota(type, name)
+      path = generate_path(type, name)
+      response = client.get(path)
+      if data = response[:data]
+        type_class(type).decode(data)
+      end
+    end
+
+    def get_quota_config
+      client.get("v1/sys/quotas/config")
+    end
+    
+    def update_quota_config(opts={})
+      client.post("v1/sys/quotas/config", JSON.fast_generate(opts))
+      return true
+    end
+
+    private
+
+    def generate_path(type, name=nil)
+      verify_type(type)
+      path = ["v1", "sys", "quotas", type, name].compact
+      path.join("/")
+    end
+
+    def verify_type(type)
+      return if ["rate-limit", "lease-count"].include?(type)
+      raise ArgumentError, "type must be one of \"rate-limit\" or \"lease-count\""
+    end
+
+    def type_class(type)
+      case type
+      when "lease-count" then LeaseCountQuota
+      when "rate-limit" then RateLimitQuota
+      end
+    end
+  end
+end

data/lib/vault/api/sys.rb

@@ -23,4 +23,5 @@ require_relative "sys/lease"
 require_relative "sys/mount"
 require_relative "sys/namespace"
 require_relative "sys/policy"
+require_relative "sys/quota"
 require_relative "sys/seal"

data/lib/vault/client.rb

@@ -86,7 +86,7 @@ module Vault
       @lock.synchronize do
         return @nhp if @nhp
 
-        @nhp = PersistentHTTP.new("vault-ruby", nil, pool_size)
+        @nhp = PersistentHTTP.new("vault-ruby", nil, pool_size, pool_timeout)
 
         if proxy_address
           proxy_uri = URI.parse "http://#{proxy_address}"
@@ -392,6 +392,8 @@ module Vault
 
       # Use the correct exception class
       case response
+      when Net::HTTPPreconditionFailed
+        raise MissingRequiredStateError.new
       when Net::HTTPClientError
         klass = HTTPClientError
       when Net::HTTPServerError

data/lib/vault/configurable.rb

@@ -14,6 +14,7 @@ module Vault
         :proxy_port,
         :proxy_username,
         :pool_size,
+        :pool_timeout,
         :read_timeout,
         :ssl_ciphers,
         :ssl_pem_contents,

data/lib/vault/defaults.rb

@@ -30,9 +30,12 @@ module Vault
     # The default size of the connection pool
     DEFAULT_POOL_SIZE = 16
 
+    # The default timeout in seconds for retrieving a connection from the connection pool
+    DEFAULT_POOL_TIMEOUT = 0.5
+
     # The set of exceptions that are detect and retried by default
     # with `with_retries`
-    RETRIED_EXCEPTIONS = [HTTPServerError]
+    RETRIED_EXCEPTIONS = [HTTPServerError, MissingRequiredStateError]
 
     class << self
       # The list of calculated options for this configurable.
@@ -85,12 +88,22 @@ module Vault
       # @return Integer
       def pool_size
         if var = ENV["VAULT_POOL_SIZE"]
-          return var.to_i
+          var.to_i
         else
           DEFAULT_POOL_SIZE
         end
       end
 
+      # The timeout for getting a connection from the connection pool that communicates with Vault
+      # @return Float
+      def pool_timeout
+        if var = ENV["VAULT_POOL_TIMEOUT"]
+          var.to_f
+        else
+          DEFAULT_POOL_TIMEOUT
+        end
+      end
+
       # The HTTP Proxy server address as a string
       # @return [String, nil]
       def proxy_address

data/lib/vault/errors.rb

@@ -22,6 +22,18 @@ EOH
     end
   end
 
+  class MissingRequiredStateError < VaultError
+    def initialize
+      super <<-EOH
+The performance standby node does not yet have the 
+most recent index state required to authenticate 
+the request.
+
+Generally, the request should be retried with the with_retries clause.
+EOH
+    end
+  end
+
   class HTTPConnectionError < VaultError
     attr_reader :address
 

data/lib/vault/persistent/pool.rb

@@ -31,7 +31,7 @@ class PersistentHTTP::Pool < Vault::ConnectionPool # :nodoc:
     stack  = stacks[net_http_args]
 
     if stack.empty? then
-      conn = @available.pop connection_args: net_http_args
+      conn = @available.pop @timeout, connection_args: net_http_args
     else
       conn = stack.last
     end

data/lib/vault/persistent.rb

@@ -202,11 +202,6 @@ class PersistentHTTP
 
   HAVE_OPENSSL = defined? OpenSSL::SSL # :nodoc:
 
-  ##
-  # The default connection pool size is 1/4 the allowed open files.
-
-  DEFAULT_POOL_SIZE = 16
-
   ##
   # The version of PersistentHTTP you are using
 
@@ -505,7 +500,7 @@ class PersistentHTTP
   # Defaults to 1/4 the number of allowed file handles.  You can have no more
   # than this many threads with active HTTP transactions.
 
-  def initialize name=nil, proxy=nil, pool_size=DEFAULT_POOL_SIZE
+  def initialize name=nil, proxy=nil, pool_size=Vault::Defaults::DEFAULT_POOL_SIZE, pool_timeout=Vault::Defaults::DEFAULT_POOL_TIMEOUT
     @name = name
 
     @debug_output     = nil
@@ -525,7 +520,7 @@ class PersistentHTTP
     @socket_options << [Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1] if
       Socket.const_defined? :TCP_NODELAY
 
-    @pool = PersistentHTTP::Pool.new size: pool_size do |http_args|
+    @pool = PersistentHTTP::Pool.new size: pool_size, timeout: pool_timeout do |http_args|
       PersistentHTTP::Connection.new Net::HTTP, http_args, @ssl_generation
     end
 

data/lib/vault/version.rb

@@ -1,3 +1,3 @@
 module Vault
-  VERSION = "0.14.0"
+  VERSION = "0.17.0"
 end

data/lib/vault.rb

@@ -18,12 +18,13 @@ module Vault
       @client = Vault::Client.new
 
       # Set secure SSL options
-      OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options].tap do |opts|
-        opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
-        opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
-        opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
-        opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
+      OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.tap do |opts|
+        opts[:options] &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
+        opts[:options] |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
+        opts[:options] |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
+        opts[:options] |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
       end
+      
 
       self
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vault
 version: !ruby/object:Gem::Version
-  version: 0.14.0
+  version: 0.17.0
 platform: ruby
 authors:
 - Seth Vargo
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-05-28 00:00:00.000000000 Z
+date: 2022-05-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sigv4
@@ -115,14 +115,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".circleci/config.yml"
-- ".gitignore"
-- ".rspec"
 - CHANGELOG.md
-- Gemfile
 - LICENSE
 - README.md
-- Rakefile
 - lib/vault.rb
 - lib/vault/api.rb
 - lib/vault/api/approle.rb
@@ -143,6 +138,7 @@ files:
 - lib/vault/api/sys/mount.rb
 - lib/vault/api/sys/namespace.rb
 - lib/vault/api/sys/policy.rb
+- lib/vault/api/sys/quota.rb
 - lib/vault/api/sys/seal.rb
 - lib/vault/api/transform.rb
 - lib/vault/api/transform/alphabet.rb
@@ -164,7 +160,6 @@ files:
 - lib/vault/vendor/connection_pool/timed_stack.rb
 - lib/vault/vendor/connection_pool/version.rb
 - lib/vault/version.rb
-- vault.gemspec
 homepage: https://github.com/hashicorp/vault-ruby
 licenses:
 - MPL-2.0
@@ -177,14 +172,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.2.32
 signing_key: 
 specification_version: 4
 summary: Vault is a Ruby API client for interacting with a Vault server.

data/.circleci/config.yml

@@ -1,42 +0,0 @@
-version: 2.1
-
-references:
-  images:
-    ubuntu: &UBUNTU_IMAGE ubuntu-1604:201903-01
-
-jobs:
-  test:
-    machine:
-      image: *UBUNTU_IMAGE
-    parameters:
-      ruby-version:
-        type: string
-      vault-version:
-        type: string
-    steps:
-      - checkout
-      - run:
-          name: Install vault
-          command: |
-            curl -sLo vault.zip https://releases.hashicorp.com/vault/<< parameters.vault-version >>/vault_<< parameters.vault-version >>_linux_amd64.zip
-            unzip vault.zip
-            mkdir -p ~/bin
-            mv vault ~/bin
-            export PATH="~/bin:$PATH"
-      - run:
-          name: Run tests
-          command: |
-            export VAULT_VERSION=<< parameters.vault-version >>
-            rvm use << parameters.ruby-version >> --install --binary --fuzzy
-            bundle install --jobs=3 --retry=3 --path=vendor/bundle
-            bundle exec rake
-
-workflows:
-  run-tests:
-    jobs:
-      - test:
-          matrix:
-            parameters:
-              ruby-version: ["2.2", "2.3", "2.4"]
-              vault-version: ["1.0.3", "1.1.5", "1.2.4", "1.3.0"]
-          name: test-ruby-<< matrix.ruby-version >>-vault-<< matrix.vault-version >>

data/.gitignore

@@ -1,42 +0,0 @@
-### Ruby ###
-*.gem
-*.rbc
-/.config
-/.vscode
-/coverage/
-/InstalledFiles
-/pkg/
-/spec/reports/
-/test/tmp/
-/test/version_tmp/
-/tmp/
-/vendor/bundle/
-/vendor/ruby/
-
-## Specific to RubyMotion:
-.dat*
-.repl_history
-build/
-
-## Documentation cache and generated files:
-/.yardoc/
-/_yardoc/
-/doc/
-/rdoc/
-
-## Environment normalisation:
-/.bundle/
-/vendor/bundle
-/lib/bundler/man/
-
-# for a library or gem, you might want to ignore these files since the code is
-# intended to run in multiple environments; otherwise, check them in:
-Gemfile.lock
-.ruby-version
-.ruby-gemset
-
-# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
-.rvmrc
-
-# Project-specific
-spec/tmp

data/.rspec

@@ -1,2 +0,0 @@
---format documentation
---color

data/Gemfile

@@ -1,3 +0,0 @@
-source "https://rubygems.org"
-
-gemspec

data/Rakefile

@@ -1,6 +0,0 @@
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
-
-RSpec::Core::RakeTask.new(:spec)
-
-task default: :spec

data/vault.gemspec

@@ -1,30 +0,0 @@
-# coding: utf-8
-lib = File.expand_path("../lib", __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require "vault/version"
-
-Gem::Specification.new do |spec|
-  spec.name          = "vault"
-  spec.version       = Vault::VERSION
-  spec.authors       = ["Seth Vargo"]
-  spec.email         = ["sethvargo@gmail.com"]
-  spec.licenses      = ["MPL-2.0"]
-
-  spec.summary       = "Vault is a Ruby API client for interacting with a Vault server."
-  spec.description   = spec.summary
-  spec.homepage      = "https://github.com/hashicorp/vault-ruby"
-
-  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
-  spec.bindir        = "exe"
-  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
-  spec.require_paths = ["lib"]
-
-  spec.add_runtime_dependency "aws-sigv4"
-
-  spec.add_development_dependency "bundler", "~> 2"
-  spec.add_development_dependency "pry",     "~> 0.13.1"
-  spec.add_development_dependency "rake",    "~> 12.0"
-  spec.add_development_dependency "rspec",   "~> 3.5"
-  spec.add_development_dependency "yard",    "~> 0.9.24"
-  spec.add_development_dependency "webmock", "~> 3.8.3"
-end