vault 0.18.2 → 0.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 476b00af55107f31b54a20b77e1f451aef3d463908a457d7026fe669d0948547
-  data.tar.gz: 0072055306b85967a9a49abc230f2b1d5ed67521378825bfa2d7c849948cbc29
+  metadata.gz: f8cca2d8b21c19833848eb69819c8157663bcb8cde2320764640ab8c096bbdc9
+  data.tar.gz: 7d9789a8d34fd04b041e564c19a8a37b38c411941d3052b094a6e8316c6d3843
 SHA512:
-  metadata.gz: 7d0619e6569b4f7ca9543f04545be9aa2bd0fe89c531eac135458b80b51d0d55a2667eae79290a7aecb389a4893d9fb6841505faffe623e056ff50889633490e
-  data.tar.gz: ef620f96b924e63b51deab4021c97d3f1f548722028b41a55a8c9b3f5beca930369b2a7c6f7f3c5b561f4dfc98fd6c4b5e3ed66660bdc053aa8b2c4af316a439
+  metadata.gz: 8e75e89576231aa7fb88b1ed0aef7772578afcb0ee68ef8b4f7e558950602be4ca1c6f88f699e7623e3931679f84256e312c7c6d27f04785dac3cdae077c70ff
+  data.tar.gz: cd00de0b622d9b4f792cdae6f2b7660470fa3a925447fe1a3979f2ca35b7255fa8dabfc6d723b723f8aea074e18ebb68f8ae37f41850539845873a17570d21bb

data/CHANGELOG.md

@@ -2,6 +2,31 @@
 
 ## v?.??.? (Unreleased)
 
+## v0.19.0 (December 3, 2025)
+
+BREAKING CHANGES
+
+- Set minimum Ruby version to 3.1. All EOL Ruby versions are no longer supported. [GH-352]
+
+IMPROVEMENTS
+
+- Upgraded vendored `net-http-persistent` from 3.0.0 to upstream gem 4.0.2+, which includes:
+  - Fixes compatibility with `connection-pool` 2.4
+  - Supports TLS min/max and IPv6
+  - Fixes a memory leak in connection pooling
+  - Many bugfixes [GH-345]
+- Upgraded vendored `connection-pool` from 2.2.0 to upstream gem 2.4+, which includes:
+  - Fixes argument forwarding for Ruby 2.7+
+  - Automatically drops all connections after fork [GH-345]
+- Added dependency on `base64` gem for Ruby 3.4 compatibility [GH-352]
+- Added Ruby 3.3 and 3.4 to CI matrix [GH-352]
+- Added modern Vault versions (1.16, 1.19, 1.20, 1.21) to CI matrix [GH-352]
+- Replaced deprecated `JSON.fast_generate` with `JSON.generate` [GH-349]
+
+BUG FIXES
+
+- Fixed HTTP client shutdown to be lock-protected, ensuring thread-safe access to `@nhp` [GH-329]
+
 ## v0.18.1 (September 14, 2023)
 
 BUG FIXES

data/README.md

@@ -1,4 +1,4 @@
-Vault Ruby Client [![Build Status](https://circleci.com/gh/hashicorp/vault-ruby.svg?style=shield)](https://circleci.com/gh/hashicorp/vault-ruby)
+Vault Ruby Client [![Build Status](https://github.com/hashicorp/vault-ruby/actions/workflows/run-tests.yml/badge.svg?branch=master)](https://github.com/hashicorp/vault-ruby/actions/workflows/run-tests.yml)
 =================
 
 Vault is the official Ruby client for interacting with [Vault](https://vaultproject.io) by HashiCorp.
@@ -9,9 +9,9 @@ Vault Ruby client for the proper documentation.**
 
 Quick Start
 -----------
-Install Ruby 2.0+: [Guide](https://www.ruby-lang.org/en/documentation/installation/).
+Install Ruby 3.1+: [Guide](https://www.ruby-lang.org/en/documentation/installation/).
 
-> Please note that as of Vault Ruby version 0.14.0 versions of Ruby prior to 2.0 are no longer supported.
+> Please note that as of Vault Ruby version 0.19.0, the minimum required Ruby version is 3.1. All EOL Ruby versions are no longer supported.
 
 Install via Rubygems:
 

data/lib/vault/api/approle.rb

@@ -61,7 +61,7 @@ module Vault
     # @return [true]
     def set_role(name, options = {})
       headers = extract_headers!(options)
-      client.post("/v1/auth/approle/role/#{encode_path(name)}", JSON.fast_generate(options), headers)
+      client.post("/v1/auth/approle/role/#{encode_path(name)}", JSON.generate(options), headers)
       return true
     end
 
@@ -118,7 +118,7 @@ module Vault
     # @return [true]
     def set_role_id(name, role_id)
       options = { role_id: role_id }
-      client.post("/v1/auth/approle/role/#{encode_path(name)}/role-id", JSON.fast_generate(options))
+      client.post("/v1/auth/approle/role/#{encode_path(name)}/role-id", JSON.generate(options))
       return true
     end
 
@@ -163,9 +163,9 @@ module Vault
     def create_secret_id(role_name, options = {})
       headers = extract_headers!(options)
       if options[:secret_id]
-        json = client.post("/v1/auth/approle/role/#{encode_path(role_name)}/custom-secret-id", JSON.fast_generate(options), headers)
+        json = client.post("/v1/auth/approle/role/#{encode_path(role_name)}/custom-secret-id", JSON.generate(options), headers)
       else
-        json = client.post("/v1/auth/approle/role/#{encode_path(role_name)}/secret-id", JSON.fast_generate(options), headers)
+        json = client.post("/v1/auth/approle/role/#{encode_path(role_name)}/secret-id", JSON.generate(options), headers)
       end
       return Secret.decode(json)
     end
@@ -184,7 +184,7 @@ module Vault
     # @return [Secret, nil]
     def secret_id(role_name, secret_id)
       opts = { secret_id: secret_id }
-      json = client.post("/v1/auth/approle/role/#{encode_path(role_name)}/secret-id/lookup", JSON.fast_generate(opts), {})
+      json = client.post("/v1/auth/approle/role/#{encode_path(role_name)}/secret-id/lookup", JSON.generate(opts), {})
       return nil unless json
       return Secret.decode(json)
     rescue HTTPError => e

data/lib/vault/api/auth.rb

@@ -71,7 +71,7 @@ module Vault
     # @return [Secret]
     def app_id(app_id, user_id, options = {})
       payload = { app_id: app_id, user_id: user_id }.merge(options)
-      json = client.post("/v1/auth/app-id/login", JSON.fast_generate(payload))
+      json = client.post("/v1/auth/app-id/login", JSON.generate(payload))
       secret = Secret.decode(json)
       client.token = secret.auth.client_token
       return secret
@@ -95,7 +95,7 @@ module Vault
     def approle(role_id, secret_id=nil)
       payload = { role_id: role_id }
       payload[:secret_id] = secret_id if secret_id
-      json = client.post("/v1/auth/approle/login", JSON.fast_generate(payload))
+      json = client.post("/v1/auth/approle/login", JSON.generate(payload))
       secret = Secret.decode(json)
       client.token = secret.auth.client_token
       return secret
@@ -120,7 +120,7 @@ module Vault
     # @return [Secret]
     def userpass(username, password, options = {})
       payload = { password: password }.merge(options)
-      json = client.post("/v1/auth/userpass/login/#{encode_path(username)}", JSON.fast_generate(payload))
+      json = client.post("/v1/auth/userpass/login/#{encode_path(username)}", JSON.generate(payload))
       secret = Secret.decode(json)
       client.token = secret.auth.client_token
       return secret
@@ -142,7 +142,7 @@ module Vault
     # @return [Secret]
     def ldap(username, password, options = {})
       payload = { password: password }.merge(options)
-      json = client.post("/v1/auth/ldap/login/#{encode_path(username)}", JSON.fast_generate(payload))
+      json = client.post("/v1/auth/ldap/login/#{encode_path(username)}", JSON.generate(payload))
       secret = Secret.decode(json)
       client.token = secret.auth.client_token
       return secret
@@ -160,7 +160,7 @@ module Vault
     # @return [Secret]
     def github(github_token, path="/v1/auth/github/login")
       payload = {token: github_token}
-      json = client.post(path, JSON.fast_generate(payload))
+      json = client.post(path, JSON.generate(payload))
       secret = Secret.decode(json)
       client.token = secret.auth.client_token
       return secret
@@ -185,7 +185,7 @@ module Vault
       payload = { role: role, pkcs7: pkcs7 }
       # Set a custom nonce if client is providing one
       payload[:nonce] = nonce if nonce
-      json = client.post(route, JSON.fast_generate(payload))
+      json = client.post(route, JSON.generate(payload))
       secret = Secret.decode(json)
       client.token = secret.auth.client_token
       return secret
@@ -242,7 +242,7 @@ module Vault
         iam_request_body: Base64.strict_encode64(request_body)
       }
 
-      json = client.post(route, JSON.fast_generate(payload))
+      json = client.post(route, JSON.generate(payload))
       secret = Secret.decode(json)
       client.token = secret.auth.client_token
       return secret
@@ -264,7 +264,7 @@ module Vault
     # @return [Secret]
     def gcp(role, jwt, path = 'gcp')
       payload = { role: role, jwt: jwt }
-      json = client.post("/v1/auth/#{CGI.escape(path)}/login", JSON.fast_generate(payload))
+      json = client.post("/v1/auth/#{CGI.escape(path)}/login", JSON.generate(payload))
       secret = Secret.decode(json)
       client.token = secret.auth.client_token
       return secret

data/lib/vault/api/auth_tls.rb

@@ -45,7 +45,7 @@ module Vault
     # @return [true]
     def set_certificate(name, options = {})
       headers = extract_headers!(options)
-      client.post("/v1/auth/cert/certs/#{encode_path(name)}", JSON.fast_generate(options), headers)
+      client.post("/v1/auth/cert/certs/#{encode_path(name)}", JSON.generate(options), headers)
       return true
     end
 

data/lib/vault/api/auth_token.rb

@@ -69,7 +69,7 @@ module Vault
     # @return [Secret]
     def create(options = {})
       headers = extract_headers!(options)
-      json = client.post("/v1/auth/token/create", JSON.fast_generate(options), headers)
+      json = client.post("/v1/auth/token/create", JSON.generate(options), headers)
       return Secret.decode(json)
     end
 
@@ -84,7 +84,7 @@ module Vault
     # @return [Secret]
     def create_orphan(options = {})
       headers = extract_headers!(options)
-      json = client.post("/v1/auth/token/create-orphan", JSON.fast_generate(options), headers)
+      json = client.post("/v1/auth/token/create-orphan", JSON.generate(options), headers)
       return Secret.decode(json)
     end
 
@@ -98,7 +98,7 @@ module Vault
     # @return [Secret]
     def create_with_role(name, options = {})
       headers = extract_headers!(options)
-      json = client.post("/v1/auth/token/create/#{encode_path(name)}", JSON.fast_generate(options), headers)
+      json = client.post("/v1/auth/token/create/#{encode_path(name)}", JSON.generate(options), headers)
       return Secret.decode(json)
     end
 
@@ -113,7 +113,7 @@ module Vault
     # @return [Secret]
     def lookup(token, options = {})
       headers = extract_headers!(options)
-      json = client.post("/v1/auth/token/lookup", JSON.fast_generate(
+      json = client.post("/v1/auth/token/lookup", JSON.generate(
         token: token,
       ), headers)
       return Secret.decode(json)
@@ -128,7 +128,7 @@ module Vault
     # @param [Hash] options
     def lookup_accessor(accessor, options = {})
       headers = extract_headers!(options)
-      json = client.post("/v1/auth/token/lookup-accessor", JSON.fast_generate(
+      json = client.post("/v1/auth/token/lookup-accessor", JSON.generate(
         accessor: accessor,
       ), headers)
       return Secret.decode(json)
@@ -157,7 +157,7 @@ module Vault
     # @return [Secret]
     def renew(token, increment = 0, options = {})
       headers = extract_headers!(options)
-      json = client.put("/v1/auth/token/renew", JSON.fast_generate(
+      json = client.put("/v1/auth/token/renew", JSON.generate(
         token: token,
         increment: increment,
       ), headers)
@@ -174,7 +174,7 @@ module Vault
     # @return [Secret]
     def renew_self(increment = 0, options = {})
       headers = extract_headers!(options)
-      json = client.put("/v1/auth/token/renew-self", JSON.fast_generate(
+      json = client.put("/v1/auth/token/renew-self", JSON.generate(
         increment: increment,
       ), headers)
       return Secret.decode(json)
@@ -201,7 +201,7 @@ module Vault
     # @return [true]
     def revoke_orphan(token, options = {})
       headers = extract_headers!(options)
-      client.put("/v1/auth/token/revoke-orphan", JSON.fast_generate(
+      client.put("/v1/auth/token/revoke-orphan", JSON.generate(
         token: token,
       ), headers)
       return true
@@ -218,7 +218,7 @@ module Vault
     # @return [true]
     def revoke_accessor(accessor, options = {})
       headers = extract_headers!(options)
-      client.put("/v1/auth/token/revoke-accessor", JSON.fast_generate(
+      client.put("/v1/auth/token/revoke-accessor", JSON.generate(
         accessor: accessor,
       ), headers)
       return true
@@ -235,7 +235,7 @@ module Vault
     # @return [true]
     def revoke(token, options = {})
       headers = extract_headers!(options)
-      client.put("/v1/auth/token/revoke", JSON.fast_generate(
+      client.put("/v1/auth/token/revoke", JSON.generate(
         token: token,
       ), headers)
       return true

data/lib/vault/api/kv.rb

@@ -99,7 +99,7 @@ module Vault
     # @return [Secret]
     def write(path, data = {}, options = {})
       headers = extract_headers!(options)
-      json = client.post("/v1/#{mount}/data/#{encode_path(path)}", JSON.fast_generate(:data => data), headers)
+      json = client.post("/v1/#{mount}/data/#{encode_path(path)}", JSON.generate(:data => data), headers)
       if json.nil?
         return true
       else
@@ -120,7 +120,27 @@ module Vault
     #
     # @return [true]
     def write_metadata(path, metadata = {})
-      client.post("/v1/#{mount}/metadata/#{encode_path(path)}", JSON.fast_generate(metadata))
+      client.post("/v1/#{mount}/metadata/#{encode_path(path)}", JSON.generate(metadata))
+
+      true
+    end
+
+    # Patch the metadata of a secret at the given path. Note that the data must
+    # be a {Hash}.
+    #
+    # @example
+    #    Vault.kv("secret").patch_metadata("password", custom_metadata: { my_custom_key: "my_value" }, max_versions: 3)
+    #
+    # @param [String] path
+    #   the path to patch
+    # @param [Hash] metadata
+    #    the metadata to patch
+    #
+    # @return [true]
+    def patch_metadata(path, metadata = {}, options = {})
+      headers = extract_headers!(options)
+      headers["Content-Type"] = "application/merge-patch+json"
+      client.patch("/v1/#{mount}/metadata/#{encode_path(path)}", JSON.generate(metadata), headers)
 
       true
     end
@@ -153,7 +173,7 @@ module Vault
     #
     # @return [true]
     def delete_versions(path, versions)
-      client.post("/v1/#{mount}/delete/#{encode_path(path)}", JSON.fast_generate(versions: versions))
+      client.post("/v1/#{mount}/delete/#{encode_path(path)}", JSON.generate(versions: versions))
 
       true
     end
@@ -170,7 +190,7 @@ module Vault
     #
     # @return [true]
     def undelete_versions(path, versions)
-      client.post("/v1/#{mount}/undelete/#{encode_path(path)}", JSON.fast_generate(versions: versions))
+      client.post("/v1/#{mount}/undelete/#{encode_path(path)}", JSON.generate(versions: versions))
 
       true
     end
@@ -202,7 +222,7 @@ module Vault
     #
     # @return [true]
     def destroy_versions(path, versions)
-      client.post("/v1/#{mount}/destroy/#{encode_path(path)}", JSON.fast_generate(versions: versions))
+      client.post("/v1/#{mount}/destroy/#{encode_path(path)}", JSON.generate(versions: versions))
 
       true
     end

data/lib/vault/api/logical.rb

@@ -68,7 +68,7 @@ module Vault
     # @return [Secret]
     def write(path, data = {}, options = {})
       headers = extract_headers!(options)
-      json = client.put("/v1/#{encode_path(path)}", JSON.fast_generate(data), headers)
+      json = client.put("/v1/#{encode_path(path)}", JSON.generate(data), headers)
       if json.nil?
         return true
       else

data/lib/vault/api/sys/audit.rb

@@ -54,7 +54,7 @@ module Vault
     #
     # @return [true]
     def enable_audit(path, type, description, options = {})
-      client.put("/v1/sys/audit/#{encode_path(path)}", JSON.fast_generate(
+      client.put("/v1/sys/audit/#{encode_path(path)}", JSON.generate(
         type:        type,
         description: description,
         options:     options,
@@ -86,7 +86,7 @@ module Vault
     #
     # @return [String]
     def audit_hash(path, input)
-      json = client.post("/v1/sys/audit-hash/#{encode_path(path)}", JSON.fast_generate(input: input))
+      json = client.post("/v1/sys/audit-hash/#{encode_path(path)}", JSON.generate(input: input))
       json = json[:data] if json[:data]
       json[:hash]
     end

data/lib/vault/api/sys/auth.rb

@@ -60,7 +60,7 @@ module Vault
       payload = { type: type }
       payload[:description] = description if !description.nil?
 
-      client.post("/v1/sys/auth/#{encode_path(path)}", JSON.fast_generate(payload))
+      client.post("/v1/sys/auth/#{encode_path(path)}", JSON.generate(payload))
       return true
     end
 
@@ -108,7 +108,7 @@ module Vault
     # @return [AuthConfig]
     #   configuration of the given auth path
     def put_auth_tune(path, config = {})
-      json = client.put("/v1/sys/auth/#{encode_path(path)}/tune", JSON.fast_generate(config))
+      json = client.put("/v1/sys/auth/#{encode_path(path)}/tune", JSON.generate(config))
       if json.nil?
         return true
       else

data/lib/vault/api/sys/init.rb

@@ -70,7 +70,7 @@ module Vault
     #
     # @return [InitResponse]
     def init(options = {})
-      json = client.put("/v1/sys/init", JSON.fast_generate(
+      json = client.put("/v1/sys/init", JSON.generate(
         root_token_pgp_key: options.fetch(:root_token_pgp_key, nil),
         secret_shares:      options.fetch(:secret_shares, options.fetch(:shares, 5)),
         secret_threshold:   options.fetch(:secret_threshold, options.fetch(:threshold, 3)),

data/lib/vault/api/sys/lease.rb

@@ -14,7 +14,7 @@ module Vault
     #
     # @return [Secret]
     def renew(id, increment = 0)
-      json = client.put("/v1/sys/renew/#{id}", JSON.fast_generate(
+      json = client.put("/v1/sys/renew/#{id}", JSON.generate(
         increment: increment,
       ))
       return Secret.decode(json)

data/lib/vault/api/sys/mount.rb

@@ -98,7 +98,7 @@ module Vault
       payload = options.merge type: type
       payload[:description] = description if !description.nil?
 
-      client.post("/v1/sys/mounts/#{encode_path(path)}", JSON.fast_generate(payload))
+      client.post("/v1/sys/mounts/#{encode_path(path)}", JSON.generate(payload))
       return true
     end
 
@@ -124,7 +124,7 @@ module Vault
     # @param [Hash] data
     #   the data to write
     def mount_tune(path, data = {})
-      json = client.post("/v1/sys/mounts/#{encode_path(path)}/tune", JSON.fast_generate(data))
+      json = client.post("/v1/sys/mounts/#{encode_path(path)}/tune", JSON.generate(data))
       return true
     end
 
@@ -155,7 +155,7 @@ module Vault
     #
     # @return [true]
     def remount(from, to)
-      client.post("/v1/sys/remount", JSON.fast_generate(
+      client.post("/v1/sys/remount", JSON.generate(
         from: from,
         to:   to,
       ))

data/lib/vault/api/sys/policy.rb

@@ -73,7 +73,7 @@ module Vault
     #
     # @return [true]
     def put_policy(name, rules)
-      client.put("/v1/sys/policy/#{encode_path(name)}", JSON.fast_generate(
+      client.put("/v1/sys/policy/#{encode_path(name)}", JSON.generate(
         rules: rules,
       ))
       return true

data/lib/vault/api/sys/quota.rb

@@ -60,7 +60,7 @@ module Vault
 
     def create_quota(type, name, opts={})
       path = generate_path(type, name)
-      client.post(path, JSON.fast_generate(opts))
+      client.post(path, JSON.generate(opts))
       return true
     end
 
@@ -83,7 +83,7 @@ module Vault
     end
     
     def update_quota_config(opts={})
-      client.post("v1/sys/quotas/config", JSON.fast_generate(opts))
+      client.post("v1/sys/quotas/config", JSON.generate(opts))
       return true
     end
 

data/lib/vault/api/sys/seal.rb

@@ -75,7 +75,7 @@ module Vault
     #
     # @return [SealStatus]
     def unseal(shard)
-      json = client.put("/v1/sys/unseal", JSON.fast_generate(
+      json = client.put("/v1/sys/unseal", JSON.generate(
         key: shard,
       ))
       return SealStatus.decode(json)

data/lib/vault/api/transform/alphabet.rb

@@ -16,7 +16,7 @@ module Vault
     def create_alphabet(name, alphabet:, **opts)
       opts ||= {}
       opts[:alphabet] = alphabet
-      client.post("/v1/transform/alphabet/#{encode_path(name)}", JSON.fast_generate(opts))
+      client.post("/v1/transform/alphabet/#{encode_path(name)}", JSON.generate(opts))
       return true
     end
 

data/lib/vault/api/transform/role.rb

@@ -15,7 +15,7 @@ module Vault
 
     def create_role(name, **opts)
       opts ||= {}
-      client.post("/v1/transform/role/#{encode_path(name)}", JSON.fast_generate(opts))
+      client.post("/v1/transform/role/#{encode_path(name)}", JSON.generate(opts))
       return true
     end
 

data/lib/vault/api/transform/template.rb

@@ -27,7 +27,7 @@ module Vault
       opts ||= {}
       opts[:type] = type
       opts[:pattern] = pattern
-      client.post("/v1/transform/template/#{encode_path(name)}", JSON.fast_generate(opts))
+      client.post("/v1/transform/template/#{encode_path(name)}", JSON.generate(opts))
       return true
     end
 

data/lib/vault/api/transform/transformation.rb

@@ -34,7 +34,7 @@ module Vault
       opts ||= {}
       opts[:type] = type
       opts[:template] = template
-      client.post("/v1/transform/transformation/#{encode_path(name)}", JSON.fast_generate(opts))
+      client.post("/v1/transform/transformation/#{encode_path(name)}", JSON.generate(opts))
       return true
     end
 

data/lib/vault/api/transform.rb

@@ -16,12 +16,12 @@ module Vault
   class Transform < Request
     def encode(role_name:, **opts)
       opts ||= {}
-      client.post("/v1/transform/encode/#{encode_path(role_name)}", JSON.fast_generate(opts))
+      client.post("/v1/transform/encode/#{encode_path(role_name)}", JSON.generate(opts))
     end
 
     def decode(role_name:, **opts)
       opts ||= {}
-      client.post("/v1/transform/decode/#{encode_path(role_name)}", JSON.fast_generate(opts))
+      client.post("/v1/transform/decode/#{encode_path(role_name)}", JSON.generate(opts))
     end
   end
 end

data/lib/vault/client.rb

@@ -5,7 +5,8 @@ require "cgi"
 require "json"
 require "uri"
 
-require_relative "persistent"
+require "net/http/persistent"
+
 require_relative "configurable"
 require_relative "errors"
 require_relative "version"
@@ -50,6 +51,14 @@ module Vault
       a << Errno::ECONNREFUSED
       a << Errno::EADDRNOTAVAIL
 
+      # Broken connection errors
+      a << Errno::ECONNRESET
+      a << Errno::ECONNABORTED
+      a << Errno::EPIPE
+      a << Errno::ETIMEDOUT
+      a << OpenSSL::SSL::SSLError
+      a << IOError
+
       # Failed to read body or no response body given
       a << EOFError
 
@@ -61,7 +70,7 @@ module Vault
       a << Net::ReadTimeout if defined?(Net::ReadTimeout)
       a << Net::OpenTimeout if defined?(Net::OpenTimeout)
 
-      a << PersistentHTTP::Error
+      a << Net::HTTP::Persistent::Error
     end.freeze
 
     # Vault requires at least TLS1.2
@@ -92,7 +101,8 @@ module Vault
       @lock.synchronize do
         return @nhp if @nhp
 
-        @nhp = PersistentHTTP.new("vault-ruby", nil, pool_size, pool_timeout)
+        @nhp = Net::HTTP::Persistent.new(name: "vault-ruby", pool_size:)
+        @nhp.pool.instance_variable_set(:@timeout, pool_timeout)
 
         if proxy_address
           proxy_uri = URI.parse "http://#{proxy_address}"
@@ -164,8 +174,10 @@ module Vault
 
     # Shutdown any open pool connections. Pool will be recreated upon next request.
     def shutdown
-      @nhp.shutdown()
-      @nhp = nil
+      @lock.synchronize do
+        @nhp.shutdown()
+        @nhp = nil
+      end
     end
 
     # Creates and yields a new client object with the given token. This may be

data/lib/vault/defaults.rb

@@ -10,9 +10,9 @@ module Vault
     # @return [String]
     VAULT_ADDRESS = "https://127.0.0.1:8200".freeze
 
-    # The path to the vault token on disk.
+    # The default path to the vault token on disk.
     # @return [String]
-    VAULT_DISK_TOKEN = Pathname.new("#{ENV["HOME"]}/.vault-token").expand_path.freeze
+    DEFAULT_VAULT_DISK_TOKEN = Pathname.new("#{ENV["HOME"]}/.vault-token").expand_path.freeze
 
     # The list of SSL ciphers to allow. You should not change this value unless
     # you absolutely know what you are doing!
@@ -56,18 +56,16 @@ module Vault
       # The vault token to use for authentiation.
       # @return [String, nil]
       def token
-        if !ENV["VAULT_TOKEN"].nil?
-          return ENV["VAULT_TOKEN"]
-        end
+        ENV["VAULT_TOKEN"] || fetch_from_disk("VAULT_TOKEN_FILE")
+      end
 
-        if VAULT_DISK_TOKEN.exist? && VAULT_DISK_TOKEN.readable?
-          return VAULT_DISK_TOKEN.read.chomp
+      def fetch_from_disk(env_var)
+        path = ENV[env_var] ? Pathname.new(ENV[env_var]) : DEFAULT_VAULT_DISK_TOKEN
+        if path.exist? && path.readable?
+          path.read.chomp
         end
-
-        nil
       end
 
-
       # Vault Namespace, if any.
       # @return [String, nil]
       def namespace

data/lib/vault/version.rb

@@ -2,5 +2,5 @@
 # SPDX-License-Identifier: MPL-2.0
 
 module Vault
-  VERSION = "0.18.2"
+  VERSION = "0.19.0"
 end