vault 0.19.0 → 0.20.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f8cca2d8b21c19833848eb69819c8157663bcb8cde2320764640ab8c096bbdc9
-  data.tar.gz: 7d9789a8d34fd04b041e564c19a8a37b38c411941d3052b094a6e8316c6d3843
+  metadata.gz: 46acf59f9b079b96d8af544537fc4657b02a04c0fdf9bd613cb46027435a6148
+  data.tar.gz: 828e7e36228d6900e8c1be9e7b9d319fb03fe2cb541eabca81a8a5323989a313
 SHA512:
-  metadata.gz: 8e75e89576231aa7fb88b1ed0aef7772578afcb0ee68ef8b4f7e558950602be4ca1c6f88f699e7623e3931679f84256e312c7c6d27f04785dac3cdae077c70ff
-  data.tar.gz: cd00de0b622d9b4f792cdae6f2b7660470fa3a925447fe1a3979f2ca35b7255fa8dabfc6d723b723f8aea074e18ebb68f8ae37f41850539845873a17570d21bb
+  metadata.gz: 0cc19d71f9f16123ab02539691a932098c39cea39362dc4c5b5e46f42390df23ae367b0ce26fb0a33940daf1af178884982076cd2d0dc92f310e326d4dfb8b8c
+  data.tar.gz: 1072fd9dfec4dfab692455b6b06833cb5ce9f9b3bacff3d36773b5491c326b1683ec9b7aa6c55926bf73f08c74a88fbfd71dcf4d778ce6ddf3b2669d04ad527d

data/CHANGELOG.md

@@ -1,6 +1,27 @@
 # Vault Ruby Changelog
 
-## v?.??.? (Unreleased)
+## Unreleased
+
+## v0.20.1 (March 31, 2026)
+
+BUG FIXES
+
+- Removed explicit `connection_pool` runtime dependency to allow use of connection_pool 3.x for compatibility with sidekiq 8.1+. The gem is already managed as a transitive dependency by `net-http-persistent`, which supports connection_pool 2.2.4+ through 3.x. [GH-393]
+- Hardened STS endpoint parsing in AWS auth by replacing permissive matching with strict HTTPS URI and host validation, preserving supported global, regional, GovCloud, and China endpoints while rejecting malformed inputs. [GH-402]
+
+## v0.20.0 (February 4, 2026)
+
+IMPROVEMENTS
+
+- Added `cluster_address` field to `LeaderStatus` response from `sys/leader` endpoint [GH-204]
+- Updated AppRole `set_role` documentation to include modern parameters like `secret_id_bound_cidrs`, `token_bound_cidrs`, and `token_policies`. Added reference to official Vault API docs for complete parameter list. [GH-220]
+- Added support for custom mount paths in AppRole authentication via `mount:` option [GH-292]
+
+BUG FIXES
+
+- Fixed `encode_path` incorrectly encoding hyphens (`-`), which caused 403 errors on Vault 1.15+ [GH-350, GH-343]
+- Fixed `FrozenError` when loading the gem with OpenSSL 4.0.0+ by removing modification of `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS`. Modern Ruby (3.1+) already has secure SSL defaults. [GH-366, GH-381]
+- Fixed `Vault.logical.read` throwing `NoMethodError` when Vault responds with HTTP 204 (No Content). Now correctly returns `nil` for empty responses. [GH-241]
 
 ## v0.19.0 (December 3, 2025)
 
@@ -27,6 +48,12 @@ BUG FIXES
 
 - Fixed HTTP client shutdown to be lock-protected, ensuring thread-safe access to `@nhp` [GH-329]
 
+## v0.18.2 (November 27, 2023)
+
+BUG FIXES
+
+- Locked aws-sdk gem versions to support EOL Ruby versions [GH-314]
+
 ## v0.18.1 (September 14, 2023)
 
 BUG FIXES

data/README.md

@@ -63,9 +63,27 @@ Vault.configure do |config|
   # ENV["VAULT_SSL_PEM_CONTENTS_BASE64"] then ENV["VAULT_SSL_PEM_CONTENTS"]
   config.ssl_pem_contents = "-----BEGIN ENCRYPTED..."
 
+  # Passphrase for encrypted PEM files
+  config.ssl_pem_passphrase = "my-passphrase"
+
+  # Custom SSL CA certificate for verification
+  config.ssl_ca_cert = "/path/to/ca.crt"
+
+  # Custom SSL CA certificate directory
+  config.ssl_ca_path = "/path/to/ca/directory"
+
+  # Custom SSL certificate store
+  config.ssl_cert_store = OpenSSL::X509::Store.new
+
+  # Specify SSL ciphers to use
+  config.ssl_ciphers = "TLSv1.2:!aNULL:!eNULL"
+
   # Use SSL verification, also read as ENV["VAULT_SSL_VERIFY"]
   config.ssl_verify = false
 
+  # SNI hostname to use for SSL connections
+  config.hostname = "vault.example.com"
+
   # Timeout the connection after a certain amount of time (seconds), also read
   # as ENV["VAULT_TIMEOUT"]
   config.timeout = 30
@@ -75,6 +93,10 @@ Vault.configure do |config|
   config.ssl_timeout  = 5
   config.open_timeout = 5
   config.read_timeout = 30
+
+  # Connection pool settings for persistent connections
+  config.pool_size = 5
+  config.pool_timeout = 5
 end
 ```
 
@@ -85,6 +107,27 @@ client_1 = Vault::Client.new(address: "https://vault.mycompany.com")
 client_2 = Vault::Client.new(address: "https://other-vault.mycompany.com")
 ```
 
+### Authentication
+
+Authenticate using various methods:
+
+```ruby
+# LDAP
+Vault.auth.ldap("username", "password")
+
+# Username/Password
+Vault.auth.userpass("username", "password")
+
+# AppRole
+Vault.auth.approle("role_id", "secret_id")
+
+# GitHub token
+Vault.auth.github("github_token")
+
+# AWS IAM
+Vault.auth.aws_iam("role_name", credentials_provider, "header_value")
+```
+
 And if you want to authenticate with a `AWS EC2` :
 
 ```ruby
@@ -156,28 +199,73 @@ Vault.with_retries(Exception) do
 end #=> #<Exception>
 ```
 
-#### Seal Status
+### KV Secrets Engine
+
+Vault's [KV secrets engine](https://developer.hashicorp.com/vault/docs/secrets/kv) has two versions: [v2](https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2) (versioned, default in Vault 0.10+) and [v1](https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v1) (unversioned). Use `Vault.kv(mount)` for v2 and `Vault.logical` for v1.
+
 ```ruby
-Vault.sys.seal_status
-#=> #<Vault::SealStatus sealed=false, t=1, n=1, progress=0>
+# Check which version your mount uses
+mounts = Vault.sys.mounts
+mounts[:secret].options[:version] #=> "2" or "1"
 ```
 
-#### Create a Secret
+#### KV v2 (versioned secrets)
+
 ```ruby
-Vault.logical.write("secret/bacon", delicious: true, cooktime: "11")
-#=> #<Vault::Secret lease_id="">
+# Write and read
+Vault.kv("secret").write("db/creds", username: "admin", password: "secret123")
+secret = Vault.kv("secret").read("db/creds")
+secret.data[:data] #=> { :username => "admin", :password => "secret123" }
+
+# Read specific version
+secret = Vault.kv("secret").read("db/creds", 2)
+
+# List paths
+Vault.kv("secret").list("db") #=> ["creds"]
+
+# Soft delete (can be undeleted)
+Vault.kv("secret").delete("db/creds")
+Vault.kv("secret").delete_versions("db/creds", [1, 2])
+
+# Undelete
+Vault.kv("secret").undelete_versions("db/creds", [1])
+
+# Permanently destroy
+Vault.kv("secret").destroy_versions("db/creds", [1])
+Vault.kv("secret").destroy("db/creds") # destroys all versions and metadata
+
+# Metadata operations
+Vault.kv("secret").write_metadata("db/creds", max_versions: 5)
+metadata = Vault.kv("secret").read_metadata("db/creds")
 ```
 
-#### Retrieve a Secret
+#### KV v1 (unversioned secrets)
+
 ```ruby
-Vault.logical.read("secret/bacon")
-#=> #<Vault::Secret lease_id="">
+Vault.logical.write("secret/db/creds", username: "admin", password: "secret123")
+secret = Vault.logical.read("secret/db/creds")
+secret.data #=> { :username => "admin", :password => "secret123" }
+
+Vault.logical.list("secret/db") #=> ["creds"]
+Vault.logical.delete("secret/db/creds") #=> true
 ```
 
-#### Retrieve the Contents of a Secret
+#### Seal Status
 ```ruby
-secret = Vault.logical.read("secret/bacon")
-secret.data #=> { :cooktime = >"11", :delicious => true }
+Vault.sys.seal_status
+#=> #<Vault::SealStatus sealed=false, t=1, n=1, progress=0>
+```
+
+### Tokens
+
+See the [Token Auth API docs](https://developer.hashicorp.com/vault/api-docs/auth/token) for details.
+
+```ruby
+# Create, lookup, renew, and revoke
+token = Vault.auth_token.create(policies: ["app-read"], ttl: "1h", renewable: true)
+info = Vault.auth_token.lookup_self
+Vault.auth_token.renew_self(3600)
+Vault.auth_token.revoke("hvs.CAESI...")
 ```
 
 ### Response wrapping
@@ -206,6 +294,21 @@ wrapped = Vault.auth_token.create(wrap_ttl: "5s")
 token = Vault.logical.unwrap_token(wrapped)
 ```
 
+### API Coverage
+
+Available Ruby clients:
+
+- `Vault.kv(mount)` - [KV v2 secrets engine](https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2)
+- `Vault.logical` - [KV v1](https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v1) and generic logical operations
+- `Vault.sys` - [System backend](https://developer.hashicorp.com/vault/api-docs/system) (mounts, policies, seal status, etc.)
+- `Vault.auth` - [Authentication methods](https://developer.hashicorp.com/vault/api-docs/auth) (AWS, AppRole, GitHub, etc.)
+- `Vault.auth_token` - [Token auth](https://developer.hashicorp.com/vault/api-docs/auth/token)
+- `Vault.approle` - [AppRole auth configuration](https://developer.hashicorp.com/vault/api-docs/auth/approle)
+- `Vault.transform` - [Transform secrets engine](https://developer.hashicorp.com/vault/api-docs/secret/transform)
+- `Vault.help` - Interactive help
+
+For full API documentation, see [rubydoc.info/gems/vault](https://www.rubydoc.info/gems/vault) or check `spec/integration` for examples
+
 
 Development
 -----------

data/lib/vault/api/approle.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require "json"
@@ -24,9 +24,10 @@ module Vault
     # @example
     #   Vault.approle.set_role("testrole", {
     #     secret_id_ttl: "10m",
+    #     secret_id_bound_cidrs: ["10.0.0.0/8"],
     #     token_ttl:     "20m",
-    #     policies:      "default",
-    #     period:        3600,
+    #     token_policies: ["default", "app-policy"],
+    #     token_bound_cidrs: ["10.0.0.0/8"],
     #   }) #=> true
     #
     # @param [String] name
@@ -34,29 +35,41 @@ module Vault
     # @param [Hash] options
     # @option options [Boolean] :bind_secret_id
     #   Require secret_id to be presented when logging in using this AppRole.
-    # @option options [String] :bound_cidr_list
-    #   Comma-separated list of CIDR blocks. Specifies blocks of IP addresses
-    #   which can perform the login operation.
-    # @option options [String] :policies
-    #   Comma-separated list of policies set on tokens issued via this AppRole.
+    # @option options [Array<String>] :secret_id_bound_cidrs
+    #   Array of CIDR blocks. If set, specifies blocks of IP addresses which
+    #   can perform the login operation.
     # @option options [String] :secret_id_num_uses
     #   Number of times any particular SecretID can be used to fetch a token
     #   from this AppRole, after which the SecretID will expire.
     # @option options [Fixnum, String] :secret_id_ttl
     #   The number of seconds or a golang-formatted timestamp like "60m" after
     #   which any SecretID expires.
+    # @option options [Boolean] :local_secret_ids
+    #   If set, the secret IDs generated using this role will be cluster local.
+    # @option options [Array<String>] :token_policies
+    #   Array of policies to be set on tokens issued using this AppRole.
+    # @option options [Array<String>] :token_bound_cidrs
+    #   Array of CIDR blocks. If set, specifies blocks of IP addresses which
+    #   can authenticate using tokens generated by this AppRole.
     # @option options [Fixnum, String] :token_ttl
     #   The number of seconds or a golang-formatted timestamp like "60m" to set
     #   as the TTL for issued tokens and at renewal time.
     # @option options [Fixnum, String] :token_max_ttl
     #   The number of seconds or a golang-formatted timestamp like "60m" after
     #   which the issued token can no longer be renewed.
-    # @option options [Fixnum, String] :period
-    #   The number of seconds or a golang-formatted timestamp like "60m".
-    #   If set, the token generated using this AppRole is a periodic token.
-    #   So long as it is renewed it never expires, but the TTL set on the token
-    #   at each renewal is fixed to the value specified here. If this value is
-    #   modified, the token will pick up the new value at its next renewal.
+    # @option options [Fixnum, String] :token_explicit_max_ttl
+    #   If set, tokens created via this role carry an explicit maximum TTL.
+    # @option options [Boolean] :token_no_default_policy
+    #   If set, the default policy will not be set on tokens issued via this role.
+    # @option options [Fixnum] :token_num_uses
+    #   The maximum number of times a generated token may be used.
+    # @option options [Fixnum, String] :token_period
+    #   The maximum allowed period value when a periodic token is requested.
+    # @option options [String] :token_type
+    #   The type of token that should be generated (service, batch, or default).
+    #
+    # For a complete list of parameters, see the Vault AppRole API documentation:
+    # https://developer.hashicorp.com/vault/api-docs/auth/approle
     #
     # @return [true]
     def set_role(name, options = {})

data/lib/vault/api/auth.rb

@@ -1,7 +1,8 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require "json"
+require "uri"
 
 require_relative "secret"
 require_relative "../client"
@@ -81,21 +82,32 @@ module Vault
     # successful, the resulting token will be stored on the client and used for
     # future requests.
     #
-    # @example
+    # @example Default mount point
     #   Vault.auth.approle(
     #     "db02de05-fa39-4855-059b-67221c5c2f63",
     #     "6a174c20-f6de-a53c-74d2-6018fcceff64",
     #   ) #=> #<Vault::Secret lease_id="">
     #
+    # @example Custom mount point
+    #   Vault.auth.approle(
+    #     "db02de05-fa39-4855-059b-67221c5c2f63",
+    #     "6a174c20-f6de-a53c-74d2-6018fcceff64",
+    #     mount: "my-approle"
+    #   ) #=> #<Vault::Secret lease_id="">
+    #
     # @param [String] role_id
     # @param [String] secret_id (default: nil)
     #   It is required when `bind_secret_id` is enabled for the specified role_id
+    # @param [Hash] options
+    # @option options [String] :mount (default: "approle")
+    #   The path where the approle auth backend is mounted
     #
     # @return [Secret]
-    def approle(role_id, secret_id=nil)
+    def approle(role_id, secret_id=nil, options = {})
+      mount = options[:mount] || 'approle'
       payload = { role_id: role_id }
       payload[:secret_id] = secret_id if secret_id
-      json = client.post("/v1/auth/approle/login", JSON.generate(payload))
+      json = client.post("/v1/auth/#{CGI.escape(mount)}/login", JSON.generate(payload))
       secret = Secret.decode(json)
       client.token = secret.auth.client_token
       return secret
@@ -206,6 +218,7 @@ module Vault
     # @param [String] sts_endpoint optional
     #   https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
     # @param [String] route optional
+    #   The full api path to the auth method's login endpoint, ie `/v1/auth/aws/mycorp/myorg/login`
     # @return [Secret]
     def aws_iam(role, credentials_provider, iam_auth_header_value = nil, sts_endpoint = 'https://sts.amazonaws.com', route = nil)
       require "aws-sigv4"
@@ -290,7 +303,7 @@ module Vault
     #   The path to the auth backend to use for the login procedure.
     #
     # @param [String] name optional
-    #   The named certificate role provided to the login request. 
+    #   The named certificate role provided to the login request.
     #
     # @return [Secret]
     def tls(pem = nil, path = 'cert', name: nil)
@@ -316,9 +329,23 @@ module Vault
     #
     # @return [String] aws region
     def region_from_sts_endpoint(sts_endpoint)
-      valid_sts_endpoint = %r{https:\/\/sts\.?(.*)\.amazonaws\.com}.match(sts_endpoint)
-      raise "Unable to parse STS endpoint #{sts_endpoint}" unless valid_sts_endpoint
-      valid_sts_endpoint[1].empty? ? 'us-east-1' : valid_sts_endpoint[1]
+      uri = URI.parse(sts_endpoint)
+
+      unless uri.is_a?(URI::HTTPS) && uri.userinfo.nil?
+        raise "Unable to parse STS endpoint #{sts_endpoint}"
+      end
+
+      case uri.host
+      when "sts.amazonaws.com"
+        "us-east-1"
+      when /\Asts\.([a-z0-9-]+)\.amazonaws\.com\z/,
+           /\Asts\.([a-z0-9-]+)\.amazonaws\.com\.cn\z/
+        Regexp.last_match(1)
+      else
+        raise "Unable to parse STS endpoint #{sts_endpoint}"
+      end
+    rescue URI::InvalidURIError
+      raise "Unable to parse STS endpoint #{sts_endpoint}"
     end
   end
 end

data/lib/vault/api/auth_tls.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require "json"

data/lib/vault/api/auth_token.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require "json"

data/lib/vault/api/help.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require_relative "../client"

data/lib/vault/api/kv.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require_relative "secret"

data/lib/vault/api/logical.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require_relative "secret"
@@ -48,6 +48,7 @@ module Vault
     def read(path, options = {})
       headers = extract_headers!(options)
       json = client.get("/v1/#{encode_path(path)}", {}, headers)
+      return nil if json.nil?
       return Secret.decode(json)
     rescue HTTPError => e
       return nil if e.code == 404

data/lib/vault/api/secret.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require "time"

data/lib/vault/api/sys/audit.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require "json"

data/lib/vault/api/sys/auth.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require "json"

data/lib/vault/api/sys/health.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require "json"

data/lib/vault/api/sys/init.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require "json"

data/lib/vault/api/sys/leader.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 module Vault
@@ -18,6 +18,11 @@ module Vault
     #   @return [String]
     field :leader_address, as: :address
 
+    # @!attribute [r] cluster_address
+    #   URL where the cluster leader is running.
+    #   @return [String]
+    field :leader_cluster_address, as: :cluster_address
+
     # @deprecated Use {#ha_enabled?} instead
     def ha?; ha_enabled?; end
 
@@ -35,7 +40,7 @@ module Vault
     # Determine the leader status for this vault.
     #
     # @example
-    #   Vault.sys.leader #=> #<Vault::LeaderStatus ha_enabled=false, is_self=false, leader_address="">
+    #   Vault.sys.leader #=> #<Vault::LeaderStatus ha_enabled=false, is_self=false, leader_address="", leader_cluster_address="">
     #
     # @return [LeaderStatus]
     def leader

data/lib/vault/api/sys/lease.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 module Vault

data/lib/vault/api/sys/mount.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require "json"

data/lib/vault/api/sys/namespace.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 module Vault

data/lib/vault/api/sys/policy.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require "json"

data/lib/vault/api/sys/quota.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 module Vault

data/lib/vault/api/sys/seal.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require "json"

data/lib/vault/api/sys.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require_relative "../client"

data/lib/vault/api/transform/alphabet.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require_relative '../../request'

data/lib/vault/api/transform/role.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require_relative '../../request'

data/lib/vault/api/transform/template.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require_relative '../../request'

data/lib/vault/api/transform/transformation.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require_relative '../../request'

data/lib/vault/api/transform.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require_relative '../client'

data/lib/vault/api.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 module Vault

data/lib/vault/client.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require "cgi"

data/lib/vault/configurable.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require_relative "defaults"

data/lib/vault/defaults.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 require "pathname"

data/lib/vault/encode.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 module Vault
@@ -12,7 +12,7 @@ module Vault
     #
     # @return [String]
     def encode_path(path)
-      path.b.gsub(%r!([^a-zA-Z0-9_.-/]+)!) { |m|
+      path.b.gsub(%r!([^a-zA-Z0-9_.\-/]+)!) { |m|
         '%' + m.unpack('H2' * m.bytesize).join('%').upcase
       }
     end

data/lib/vault/errors.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 module Vault

data/lib/vault/request.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 module Vault

data/lib/vault/response.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 module Vault

data/lib/vault/version.rb

@@ -1,6 +1,6 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 module Vault
-  VERSION = "0.19.0"
+  VERSION = "0.20.1"
 end

data/lib/vault.rb

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2015, 2025
 # SPDX-License-Identifier: MPL-2.0
 
 module Vault
@@ -20,15 +20,6 @@ module Vault
     def setup!
       @client = Vault::Client.new
 
-      # Set secure SSL options
-      OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.tap do |opts|
-        opts[:options] &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
-        opts[:options] |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
-        opts[:options] |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
-        opts[:options] |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
-      end
-      
-
       self
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vault
 version: !ruby/object:Gem::Version
-  version: 0.19.0
+  version: 0.20.1
 platform: ruby
 authors:
 - Seth Vargo
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-12-04 00:00:00.000000000 Z
+date: 2026-03-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sigv4
@@ -38,20 +38,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: connection_pool
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.4'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.4'
 - !ruby/object:Gem::Dependency
   name: net-http-persistent
   requirement: !ruby/object:Gem::Requirement
@@ -72,104 +58,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 4.0.2
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2'
-- !ruby/object:Gem::Dependency
-  name: pry
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.13.1
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.13.1
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '12.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '12.0'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.5'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.5'
-- !ruby/object:Gem::Dependency
-  name: yard
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.9.24
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.9.24
-- !ruby/object:Gem::Dependency
-  name: webmock
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 3.8.3
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 3.8.3
-- !ruby/object:Gem::Dependency
-  name: webrick
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
 description: Vault is a Ruby API client for interacting with a Vault server.
 email:
 - team-vault-devex@hashicorp.com