vault 0.7.3 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 49716b95ff7c1b7e1a0a8a2d453ead50ff87c958
-  data.tar.gz: feaa17a437a8b90822902c3242bd0cd1d6ad9e82
+  metadata.gz: e3e7e070730fb59b0a4378801579c6740b9bbc5c
+  data.tar.gz: f1f6131919b6a9d7a8ed7243b5e68634d9c11eaa
 SHA512:
-  metadata.gz: 92a96b4abdfd34d4c9432d4ef1e04a4619b855d10c5432d89620f3095b958f4982d188e9251697683cabcf803c112608e645919819068fcd7cb0508474dd01ff
-  data.tar.gz: 2757bdad26d92299f73ded6cefca605f4f28c528737f6ab790303c61634e15000c1d8ed08fee299bfb5ec5ffcf245884814acd87c91e22d5b85033ded005ea41
+  metadata.gz: bfe1a015d324db102786bcc8ccc39c46f88b09bf6316071d1e60c259f901e7624e90c5aac3504fa6be2568721667a9819c78aec65663a61df3a0f6ecd7daf375
+  data.tar.gz: 41f677359df9bd70d0e2162108164d334d202a33cd0487e9e828444b713f1f315b283761515282926f2febf2b26e6597632c216b246fc654a018947baae40da9

data/.travis.yml

@@ -1,15 +1,14 @@
+dist: trusty
+sudo: false
 language: ruby
 cache: bundler
-sudo: false
 
 env:
-  - VAULT_VERSION=0.6.2
-  - VAULT_VERSION=0.6.1
-  - VAULT_VERSION=0.6.0
+  - VAULT_VERSION=0.6.4
   - VAULT_VERSION=0.5.3
 
 before_install:
-  - wget -O vault.zip -q https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
+  - curl -sLo vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
   - unzip vault.zip
   - mkdir ~/bin
   - mv vault ~/bin
@@ -20,6 +19,6 @@ branches:
     - master
 
 rvm:
-  - 2.1
-  - 2.2.5
-  - 2.3.1
+  - 2.2
+  - 2.3
+  - 2.4

data/CHANGELOG.md

@@ -1,5 +1,26 @@
 # Vault Ruby Changelog
 
+## v0.8.0 (March 3, 2017)
+
+BREAKING CHANGES
+
+- Use PUT/POST for all functions that involve tokens [GH-117]. For Vault 0.6+,
+  this will work as-expected. For older Vault versions, you will need to use an
+  older client library which uses the URL instead. This is deprecated in Vault
+  because the URL would include the token, thus revealing it in request logs.
+  These new methods place the token in the body instead.
+
+BUG FIXES
+
+- Do not convert arrays in #to_h [GH-125]
+- Prevent mismatched checkout/checkin from the connection pool; this will avoid masking errors that occur on pool checkout.
+
+IMPROVEMENTS
+
+- Support new init API options [GH-127]
+- Return base64-encoded keys in init response [GH-128]
+- Add support for `#hostname` for specifying SNI hostname to validate [GH-112]
+
 ## v0.7.3 (October 25, 2016)
 
 BUG FIXES

data/lib/vault/api/auth.rb

@@ -163,6 +163,27 @@ module Vault
       return secret
     end
 
+    # Authenticate via the AWS EC2 authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.aws_ec2("read-only", "pkcs7", "vault-nonce") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] role
+    # @param [String] pkcs7
+    #   pkcs7 returned by the instance identity document (with line breaks removed)
+    # @param [String] nonce
+    #
+    # @return [Secret]
+    def aws_ec2(role, pkcs7, nonce)
+      payload = { role: role, pkcs7: pkcs7, nonce: nonce }
+      json = client.post('/v1/auth/aws-ec2/login', JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
     # Authenticate via a TLS authentication method. If authentication is
     # successful, the resulting token will be stored on the client and used
     # for future requests.

data/lib/vault/api/auth_token.rb

@@ -105,10 +105,14 @@ module Vault
     #   Vault.auth_token.lookup_self("abcd-...") #=> #<Vault::Secret lease_id="">
     #
     # @param [String] token
+    # @param [Hash] options
     #
     # @return [Secret]
-    def lookup(token)
-      json = client.get("/v1/auth/token/lookup/#{encode_path(token)}")
+    def lookup(token, options = {})
+      headers = extract_headers!(options)
+      json = client.post("/v1/auth/token/lookup", JSON.fast_generate(
+        token: token,
+      ), headers)
       return Secret.decode(json)
     end
 
@@ -116,10 +120,14 @@ module Vault
     #
     # @example
     #   Vault.auth_token.lookup_accessor("acbd-...") #=> #<Vault::Secret lease_id="">
-    def lookup_accessor(accessor)
+    #
+    # @param [String] accessor
+    # @param [Hash] options
+    def lookup_accessor(accessor, options = {})
+      headers = extract_headers!(options)
       json = client.post("/v1/auth/token/lookup-accessor", JSON.fast_generate(
         accessor: accessor,
-      ))
+      ), headers)
       return Secret.decode(json)
     end
 
@@ -139,19 +147,21 @@ module Vault
     # @example
     #   Vault.auth_token.renew("abcd-1234") #=> #<Vault::Secret lease_id="">
     #
-    # @param [String] id
-    #   the auth id
+    # @param [String] token
+    #   the auth token
     # @param [Fixnum] increment
     #
     # @return [Secret]
-    def renew(id, increment = 0)
-      json = client.put("/v1/auth/token/renew/#{id}", JSON.fast_generate(
+    def renew(token, increment = 0, options = {})
+      headers = extract_headers!(options)
+      json = client.put("/v1/auth/token/renew", JSON.fast_generate(
+        token: token,
         increment: increment,
-      ))
+      ), headers)
       return Secret.decode(json)
     end
 
-    # Renews a lease associated with the callign token.
+    # Renews a lease associated with the calling token.
     #
     # @example
     #   Vault.auth_token.renew_self #=> #<Vault::Secret lease_id="">
@@ -159,10 +169,11 @@ module Vault
     # @param [Fixnum] increment
     #
     # @return [Secret]
-    def renew_self(increment = 0)
+    def renew_self(increment = 0, options = {})
+      headers = extract_headers!(options)
       json = client.put("/v1/auth/token/renew-self", JSON.fast_generate(
         increment: increment,
-      ))
+      ), headers)
       return Secret.decode(json)
     end
 
@@ -181,41 +192,51 @@ module Vault
     # @example
     #   Vault.auth_token.revoke_orphan("abcd-1234") #=> true
     #
-    # @param [String] id
-    #   the auth id
+    # @param [String] token
+    #   the token to revoke
     #
     # @return [true]
-    def revoke_orphan(id)
-      client.put("/v1/auth/token/revoke-orphan/#{id}", nil)
+    def revoke_orphan(token, options = {})
+      headers = extract_headers!(options)
+      client.put("/v1/auth/token/revoke-orphan", JSON.fast_generate(
+        token: token,
+      ), headers)
       return true
     end
 
-    # Revoke all auth at the given prefix.
+    # Revoke exactly the orphans at the id.
     #
     # @example
-    #   Vault.auth_token.revoke_prefix("abcd-1234") #=> true
+    #   Vault.auth_token.revoke_accessor("abcd-1234") #=> true
     #
-    # @param [String] prefix
-    #   the prefix to revoke
+    # @param [String] accessor
+    #   the accessor to revoke
     #
     # @return [true]
-    def revoke_prefix(prefix)
-      client.put("/v1/auth/token/revoke-prefix/#{prefix}", nil)
+    def revoke_accessor(accessor, options = {})
+      headers = extract_headers!(options)
+      client.put("/v1/auth/accessor/revoke-accessor", JSON.fast_generate(
+        accessor: accessor,
+      ), headers)
       return true
     end
 
-    # Revoke all auths in the tree.
+    # Revoke the token and all its children.
     #
     # @example
-    #   Vault.auth_token.revoke_tree("abcd-1234") #=> true
+    #   Vault.auth_token.revoke("abcd-1234") #=> true
     #
-    # @param [String] id
-    #   the auth id
+    # @param [String] token
+    #   the auth token
     #
     # @return [true]
-    def revoke_tree(id)
-      client.put("/v1/auth/token/revoke/#{id}", nil)
+    def revoke(token, options = {})
+      headers = extract_headers!(options)
+      client.put("/v1/auth/token/revoke", JSON.fast_generate(
+        token: token,
+      ), headers)
       return true
     end
+    alias_method :revoke_tree, :revoke
   end
 end

data/lib/vault/api/sys/init.rb

@@ -7,6 +7,11 @@ module Vault
     #   @return [Array<String>]
     field :keys
 
+    # @!attribute [r] keys_base64
+    #   List of unseal keys, base64-encoded
+    #   @return [Array<String>]
+    field :keys_base64
+
     # @!attribute [r] root_token
     #   Initial root token.
     #   @return [String]
@@ -40,19 +45,37 @@ module Vault
     # @param [Hash] options
     #   the list of init options
     #
-    # @option options [Fixnum] :shares
+    # @option options [String] :root_token_pgp_key
+    #   optional base64-encoded PGP public key used to encrypt the initial root
+    #   token.
+    # @option options [Fixnum] :secret_shares
     #   the number of shares
-    # @option options [Fixnum] :threshold
+    # @option options [Fixnum] :secret_threshold
     #   the number of keys needed to unlock
-    # @option options [Array] :pgp_keys
-    #   an optional Array of base64-encoded PGP public keys to encrypt shares with
+    # @option options [Array<String>] :pgp_keys
+    #   an optional Array of base64-encoded PGP public keys to encrypt sharees
+    # @option options [Fixnum] :stored_shares
+    #   the number of shares that should be encrypted by the HSM for
+    #   auto-unsealing
+    # @option options [Fixnum] :recovery_shares
+    #   the number of shares to split the recovery key into
+    # @option options [Fixnum] :recovery_threshold
+    #   the number of shares required to reconstruct the recovery key
+    # @option options [Array<String>] :recovery_pgp_keys
+    #   an array of PGP public keys used to encrypt the output for the recovery
+    #   keys
     #
     # @return [InitResponse]
     def init(options = {})
       json = client.put("/v1/sys/init", JSON.fast_generate(
-        secret_shares:    options.fetch(:shares, 5),
-        secret_threshold: options.fetch(:threshold, 3),
-        pgp_keys:         options.fetch(:pgp_keys, nil)
+        root_token_pgp_key: options.fetch(:root_token_pgp_key, nil),
+        secret_shares:      options.fetch(:secret_shares, options.fetch(:shares, 5)),
+        secret_threshold:   options.fetch(:secret_threshold, options.fetch(:threshold, 3)),
+        pgp_keys:           options.fetch(:pgp_keys, nil),
+        stored_shares:      options.fetch(:stored_shares, nil),
+        recovery_shares:    options.fetch(:recovery_shares, nil),
+        recovery_threshold: options.fetch(:recovery_threshold, nil),
+        recovery_pgp_keys:  options.fetch(:recovery_pgp_keys, nil),
       ))
       return InitResponse.decode(json)
     end

data/lib/vault/client.rb

@@ -85,6 +85,10 @@ module Vault
 
         @nhp = PersistentHTTP.new(name: "vault-ruby")
 
+        if hostname
+          @nhp.hostname = hostname
+        end
+
         if proxy_address
           proxy_uri = URI.parse "http://#{proxy_address}"
 

data/lib/vault/configurable.rb

@@ -6,6 +6,7 @@ module Vault
       @keys ||= [
         :address,
         :token,
+        :hostname,
         :open_timeout,
         :proxy_address,
         :proxy_password,

data/lib/vault/defaults.rb

@@ -53,6 +53,12 @@ module Vault
         nil
       end
 
+      # The SNI host to use when connecting to Vault via TLS.
+      # @return [String, nil]
+      def hostname
+        ENV["VAULT_TLS_SERVER_NAME"]
+      end
+
       # The number of seconds to wait when trying to open a connection before
       # timing out
       # @return [String, nil]

data/lib/vault/persistent.rb

@@ -642,7 +642,10 @@ class PersistentHTTP
 
     raise Error, "host down: #{address}:#{port}"
   ensure
-    @pool.checkin net_http_args
+    # Only perform checkin if we successfully checked a connection out
+    if connection
+      @pool.checkin net_http_args
+    end
   end
 
   ##

data/lib/vault/response.rb

@@ -74,7 +74,7 @@ module Vault
           h[k] = self.public_send(opts[:as])
         end
 
-        if !h[k].nil? && h[k].respond_to?(:to_h)
+        if !h[k].nil? && !h[k].is_a?(Array) && h[k].respond_to?(:to_h)
           h[k] = h[k].to_h
         end
 

data/lib/vault/version.rb

@@ -1,3 +1,3 @@
 module Vault
-  VERSION = "0.7.3"
+  VERSION = "0.8.0"
 end

data/vault.gemspec

@@ -21,8 +21,8 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency "bundler"
   spec.add_development_dependency "pry"
-  spec.add_development_dependency "rake",    "~> 10.0"
+  spec.add_development_dependency "rake",    "~> 12.0"
   spec.add_development_dependency "rspec",   "~> 3.5"
   spec.add_development_dependency "yard"
-  spec.add_development_dependency "webmock", "~> 1.22"
+  spec.add_development_dependency "webmock", "~> 2.3"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vault
 version: !ruby/object:Gem::Version
-  version: 0.7.3
+  version: 0.8.0
 platform: ruby
 authors:
 - Seth Vargo
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-10-25 00:00:00.000000000 Z
+date: 2017-03-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.22'
+        version: '2.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.22'
+        version: '2.3'
 description: Vault is a Ruby API client for interacting with a Vault server.
 email:
 - sethvargo@gmail.com