vault 0.6.0 → 0.7.0

data/lib/vault/api/sys/leader.rb

@@ -39,5 +39,10 @@ module Vault
       json = client.get("/v1/sys/leader")
       return LeaderStatus.decode(json)
     end
+
+    def step_down
+      client.put("/v1/sys/step-down", nil)
+      return true
+    end
   end
 end

data/lib/vault/api/sys/mount.rb

@@ -48,7 +48,7 @@ module Vault
       payload = { type: type }
       payload[:description] = description if !description.nil?
 
-      client.post("/v1/sys/mounts/#{CGI.escape(path)}", JSON.fast_generate(payload))
+      client.post("/v1/sys/mounts/#{encode_path(path)}", JSON.fast_generate(payload))
       return true
     end
 
@@ -62,7 +62,7 @@ module Vault
     # @param [Hash] data
     #   the data to write
     def mount_tune(path, data = {})
-      json = client.post("/v1/sys/mounts/#{CGI.escape(path)}/tune", JSON.fast_generate(data))
+      json = client.post("/v1/sys/mounts/#{encode_path(path)}/tune", JSON.fast_generate(data))
       return true
     end
 
@@ -77,7 +77,7 @@ module Vault
     #
     # @return [true]
     def unmount(path)
-      client.delete("/v1/sys/mounts/#{CGI.escape(path)}")
+      client.delete("/v1/sys/mounts/#{encode_path(path)}")
       return true
     end
 

data/lib/vault/api/sys/policy.rb

@@ -40,7 +40,7 @@ module Vault
     #
     # @return [Policy, nil]
     def policy(name)
-      json = client.get("/v1/sys/policy/#{CGI.escape(name)}")
+      json = client.get("/v1/sys/policy/#{encode_path(name)}")
       return Policy.decode(json)
     rescue HTTPError => e
       return nil if e.code == 404
@@ -70,7 +70,7 @@ module Vault
     #
     # @return [true]
     def put_policy(name, rules)
-      client.put("/v1/sys/policy/#{CGI.escape(name)}", JSON.fast_generate(
+      client.put("/v1/sys/policy/#{encode_path(name)}", JSON.fast_generate(
         rules: rules,
       ))
       return true
@@ -85,7 +85,7 @@ module Vault
     # @param [String] name
     #   the name of the policy
     def delete_policy(name)
-      client.delete("/v1/sys/policy/#{CGI.escape(name)}")
+      client.delete("/v1/sys/policy/#{encode_path(name)}")
       return true
     end
   end

data/lib/vault/client.rb

@@ -1,12 +1,13 @@
 require "cgi"
 require "json"
-require "net/http"
-require "net/https"
 require "uri"
 
+require_relative "vendor/net/http/persistent"
+
 require_relative "configurable"
 require_relative "errors"
 require_relative "version"
+require_relative "encode"
 
 module Vault
   class Client
@@ -53,8 +54,15 @@ module Vault
       # only add them if they are defiend
       a << Net::ReadTimeout if defined?(Net::ReadTimeout)
       a << Net::OpenTimeout if defined?(Net::OpenTimeout)
+
+      a << Net::HTTP::Persistent::Error
     end.freeze
 
+    # Indicates a requested operation is not possible due to security
+    # concerns.
+    class SecurityError < RuntimeError
+    end
+
     include Vault::Configurable
 
     # Create a new Client with the given options. Any options given take
@@ -67,6 +75,71 @@ module Vault
         value = options.key?(key) ? options[key] : Defaults.public_send(key)
         instance_variable_set(:"@#{key}", value)
       end
+
+      @nhp = Net::HTTP::Persistent.new(name: "vault-ruby")
+
+      if proxy_address
+        proxy_uri = URI.parse "http://#{proxy_address}"
+
+        proxy_uri.port = proxy_port if proxy_port
+
+        if proxy_username
+          proxy_uri.user = proxy_username
+          proxy_uri.password = proxy_password
+        end
+
+        @nhp.proxy = proxy_uri
+      end
+
+      # Use a custom open timeout
+      if open_timeout || timeout
+        @nhp.open_timeout = (open_timeout || timeout).to_i
+      end
+
+      # Use a custom read timeout
+      if read_timeout || timeout
+        @nhp.read_timeout = (read_timeout || timeout).to_i
+      end
+
+      @nhp.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+      # Vault requires TLS1.2
+      @nhp.ssl_version = "TLSv1_2"
+
+      # Only use secure ciphers
+      @nhp.ciphers = ssl_ciphers
+
+      # Custom pem files, no problem!
+      pem = ssl_pem_contents || (ssl_pem_file ? File.read(ssl_pem_file) : nil)
+      if pem
+        @nhp.cert = OpenSSL::X509::Certificate.new(pem)
+        @nhp.key = OpenSSL::PKey::RSA.new(pem, ssl_pem_passphrase)
+      end
+
+      # Use custom CA cert for verification
+      if ssl_ca_cert
+        @nhp.ca_file = ssl_ca_cert
+      end
+
+      # Use custom CA path that contains CA certs
+      if ssl_ca_path
+        @nhp.ca_path = ssl_ca_path
+      end
+
+      if ssl_cert_store
+        @nhp.cert_store = ssl_cert_store
+      end
+
+      # Naughty, naughty, naughty! Don't blame me when someone hops in
+      # and executes a MITM attack!
+      if !ssl_verify
+        @nhp.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      end
+
+      # Use custom timeout for connecting and verifying via SSL
+      if ssl_timeout || timeout
+        @nhp.ssl_timeout = (ssl_timeout || timeout).to_i
+      end
     end
 
     # Creates and yields a new client object with the given token. This may be
@@ -148,6 +221,10 @@ module Vault
       uri = build_uri(verb, path, data)
       request = class_for_request(verb).new(uri.request_uri)
 
+      if proxy_address and uri.scheme.downcase == "https"
+        raise SecurityError, "no direct https connection to vault"
+      end
+
       # Get a list of headers
       headers = DEFAULT_HEADERS.merge(headers)
 
@@ -174,82 +251,23 @@ module Vault
         end
       end
 
-      # Create the HTTP connection object - since the proxy information defaults
-      # to +nil+, we can just pass it to the initializer method instead of doing
-      # crazy strange conditionals.
-      connection = Net::HTTP.new(uri.host, uri.port,
-        proxy_address, proxy_port, proxy_username, proxy_password)
-
-      # Use a custom open timeout
-      if open_timeout || timeout
-        connection.open_timeout = (open_timeout || timeout).to_i
-      end
-
-      # Use a custom read timeout
-      if read_timeout || timeout
-        connection.read_timeout = (read_timeout || timeout).to_i
-      end
-
-      # Apply SSL, if applicable
-      if uri.scheme == "https"
-        # Turn on SSL
-        connection.use_ssl = true
-
-        # Vault requires TLS1.2
-        connection.ssl_version = "TLSv1_2"
-
-        # Only use secure ciphers
-        connection.ciphers = ssl_ciphers
-
-        # Custom pem files, no problem!
-        pem = ssl_pem_contents || ssl_pem_file ? File.read(ssl_pem_file) : nil
-        if pem
-          connection.cert = OpenSSL::X509::Certificate.new(pem)
-          connection.key = OpenSSL::PKey::RSA.new(pem, ssl_pem_passphrase)
-          connection.verify_mode = OpenSSL::SSL::VERIFY_PEER
-        end
-
-        # Use custom CA cert for verification
-        if ssl_ca_cert
-          connection.ca_file = ssl_ca_cert
-        end
-
-        # Use custom CA path that contains CA certs
-        if ssl_ca_path
-          connection.ca_path = ssl_ca_path
-        end
-
-        # Naughty, naughty, naughty! Don't blame me when someone hops in
-        # and executes a MITM attack!
-        if !ssl_verify
-          connection.verify_mode = OpenSSL::SSL::VERIFY_NONE
-        end
-
-        # Use custom timeout for connecting and verifying via SSL
-        if ssl_timeout || timeout
-          connection.ssl_timeout = (ssl_timeout || timeout).to_i
-        end
-      end
-
       begin
         # Create a connection using the block form, which will ensure the socket
         # is properly closed in the event of an error.
-        connection.start do |http|
-          response = http.request(request)
-
-          case response
-          when Net::HTTPRedirection
-            # On a redirect of a GET or HEAD request, the URL already contains
-            # the data as query string parameters.
-            if [:head, :get].include?(verb)
-              data = {}
-            end
-            request(verb, response[LOCATION_HEADER], data, headers)
-          when Net::HTTPSuccess
-            success(response)
-          else
-            error(response)
+        response = @nhp.request(uri, request)
+
+        case response
+        when Net::HTTPRedirection
+          # On a redirect of a GET or HEAD request, the URL already contains
+          # the data as query string parameters.
+          if [:head, :get].include?(verb)
+            data = {}
           end
+          request(verb, response[LOCATION_HEADER], data, headers)
+        when Net::HTTPSuccess
+          success(response)
+        else
+          error(response)
         end
       rescue *RESCUED_EXCEPTIONS => e
         raise HTTPConnectionError.new(address, e)

data/lib/vault/configurable.rb

@@ -18,6 +18,7 @@ module Vault
         :ssl_pem_passphrase,
         :ssl_ca_cert,
         :ssl_ca_path,
+        :ssl_cert_store,
         :ssl_verify,
         :ssl_timeout,
         :timeout,

data/lib/vault/defaults.rb

@@ -123,7 +123,13 @@ module Vault
       def ssl_ca_cert
         ENV["VAULT_CACERT"]
       end
-      #
+
+      # The CA cert store to use for certificate verification
+      # @return [OpenSSL::X509::Store, nil]
+      def ssl_cert_store
+        nil
+      end
+
       # The path to the directory on disk holding CA certs to use
       # for certificate verification
       # @return [String, nil]

data/lib/vault/encode.rb

@@ -0,0 +1,19 @@
+module Vault
+  module EncodePath
+
+    # Encodes a string according to the rules for URL paths. This is
+    # used as opposed to CGI.escape because in a URL path, space
+    # needs to be escaped as %20 and CGI.escapes a space as +.
+    #
+    # @param [String]
+    #
+    # @return [String]
+    def encode_path(path)
+      path.b.gsub(%r!([^a-zA-Z0-9_.-/]+)!) { |m|
+        '%' + m.unpack('H2' * m.bytesize).join('%').upcase
+      }
+    end
+
+    module_function :encode_path
+  end
+end

data/lib/vault/request.rb

@@ -18,6 +18,8 @@ module Vault
 
     private
 
+    include EncodePath
+
     # Removes the given header fields from options and returns the result. This
     # modifies the given options in place.
     #

data/lib/vault/vendor/connection_pool.rb

@@ -0,0 +1,150 @@
+require_relative 'connection_pool/version'
+require_relative 'connection_pool/timed_stack'
+
+
+# Generic connection pool class for e.g. sharing a limited number of network connections
+# among many threads.  Note: Connections are lazily created.
+#
+# Example usage with block (faster):
+#
+#    @pool = ConnectionPool.new { Redis.new }
+#
+#    @pool.with do |redis|
+#      redis.lpop('my-list') if redis.llen('my-list') > 0
+#    end
+#
+# Using optional timeout override (for that single invocation)
+#
+#    @pool.with(:timeout => 2.0) do |redis|
+#      redis.lpop('my-list') if redis.llen('my-list') > 0
+#    end
+#
+# Example usage replacing an existing connection (slower):
+#
+#    $redis = ConnectionPool.wrap { Redis.new }
+#
+#    def do_work
+#      $redis.lpop('my-list') if $redis.llen('my-list') > 0
+#    end
+#
+# Accepts the following options:
+# - :size - number of connections to pool, defaults to 5
+# - :timeout - amount of time to wait for a connection if none currently available, defaults to 5 seconds
+#
+module Vault
+class ConnectionPool
+  DEFAULTS = {size: 5, timeout: 5}
+
+  class Error < RuntimeError
+  end
+
+  def self.wrap(options, &block)
+    Wrapper.new(options, &block)
+  end
+
+  def initialize(options = {}, &block)
+    raise ArgumentError, 'Connection pool requires a block' unless block
+
+    options = DEFAULTS.merge(options)
+
+    @size = options.fetch(:size)
+    @timeout = options.fetch(:timeout)
+
+    @available = TimedStack.new(@size, &block)
+    @key = :"current-#{@available.object_id}"
+  end
+
+if Thread.respond_to?(:handle_interrupt)
+
+  # MRI
+  def with(options = {})
+    Thread.handle_interrupt(Exception => :never) do
+      conn = checkout(options)
+      begin
+        Thread.handle_interrupt(Exception => :immediate) do
+          yield conn
+        end
+      ensure
+        checkin
+      end
+    end
+  end
+
+else
+
+  # jruby 1.7.x
+  def with(options = {})
+    conn = checkout(options)
+    begin
+      yield conn
+    ensure
+      checkin
+    end
+  end
+
+end
+
+  def checkout(options = {})
+    conn = if stack.empty?
+      timeout = options[:timeout] || @timeout
+      @available.pop(timeout: timeout)
+    else
+      stack.last
+    end
+
+    stack.push conn
+    conn
+  end
+
+  def checkin
+    conn = pop_connection # mutates stack, must be on its own line
+    @available.push(conn) if stack.empty?
+
+    nil
+  end
+
+  def shutdown(&block)
+    @available.shutdown(&block)
+  end
+
+  private
+
+  def pop_connection
+    if stack.empty?
+      raise ConnectionPool::Error, 'no connections are checked out'
+    else
+      stack.pop
+    end
+  end
+
+  def stack
+    ::Thread.current[@key] ||= []
+  end
+
+  class Wrapper < ::BasicObject
+    METHODS = [:with, :pool_shutdown]
+
+    def initialize(options = {}, &block)
+      @pool = ::ConnectionPool.new(options, &block)
+    end
+
+    def with(&block)
+      @pool.with(&block)
+    end
+
+    def pool_shutdown(&block)
+      @pool.shutdown(&block)
+    end
+
+    def respond_to?(id, *args)
+      METHODS.include?(id) || with { |c| c.respond_to?(id, *args) }
+    end
+
+    def method_missing(name, *args, &block)
+      with do |connection|
+        connection.send(name, *args, &block)
+      end
+    end
+  end
+end
+end