vault 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 12a80ba875f11be9224f21addf0e95de643e5748
-  data.tar.gz: f07616511bd7f411c2480be2974da8a0903a83cb
+  metadata.gz: 4e65904a28c46a6472dbbf09106bf0a195f9d291
+  data.tar.gz: 6ffa1d55b773e146db6292da052a8a05aa6e6ba4
 SHA512:
-  metadata.gz: 8742288bd182858eadde1bbba7281cc26c5f34cad4fcbb9311d93624f928752ca64a3c76683ca02d0b7d22caaa60ea386e81cfad6fd93557a1a5840dd3fb2510
-  data.tar.gz: 107c0be18482c2e8a399013dc3854418ab197e0da7c639edc1170f769ede69b050c40f6f046b77d334d6e3ba385869d49b8bd9351917ec092e8d7543ac816d4d
+  metadata.gz: ea8558f0ffc17e853c0042555add482dfbc4c43a8061df636dd8441602d5e2610ffe2c7c241074108eb6c8aae84ecd9e3175417fc636e5071a9f978771d292f4
+  data.tar.gz: d87e2b3784fc0c9ee8d701d8fbbebaa5ddd319ba907452bf4e44ecf0eb1137d32e48adaed433a93dff38fcbb427d2c7d43be4f958d220d679c4b8e128a670cef

data/.travis.yml

@@ -3,7 +3,7 @@ cache: bundler
 sudo: false
 
 before_install: |-
-  wget -O vault.zip -q https://dl.bintray.com/mitchellh/vault/vault_0.1.1_linux_amd64.zip
+  wget -O vault.zip -q https://dl.bintray.com/mitchellh/vault/vault_0.2.0_linux_amd64.zip
   unzip vault.zip
   mkdir ~/bin
   mv vault ~/bin
@@ -14,4 +14,7 @@ branches:
     - master
 
 rvm:
+  - 1.9.3
+  - 2.0
+  - 2.1
   - 2.2

data/CHANGELOG.md

@@ -1,5 +1,22 @@
 # Vault Ruby Changelog
 
+## v0.1.4 (August 15, 2015)
+
+IMPROVEMENTS
+
+- Add support for using a custom CA cert [GH-8]
+- Allow clients to specify timeouts [GH-12, GH-14]
+- Show which error caused the HTTPConnectionError [GH-30]
+- Allow clients to specify which SSL cipher suites to use [GH-29]
+- Allow clients to specify the SSL pem password [GH-22, GH-31]
+
+BUG FIXES
+
+- Read local token (`~/.vault-token`) for token if present [GH-13]
+- Disable bad SSL cipher suites and force TLSv1.2 [GH-16]
+- Update to test against Vault 0.2.0 [GH-20]
+- Do not attempt a read on logical path write [GH-11, GH-32]
+
 ## v0.1.3 (May 14, 2015)
 
 BUG FIXES

data/Gemfile.lock

@@ -1,12 +1,18 @@
 PATH
   remote: .
   specs:
-    vault (0.1.3)
+    vault (0.1.4)
 
 GEM
   remote: https://rubygems.org/
   specs:
+    coderay (1.1.0)
     diff-lcs (1.2.5)
+    method_source (0.8.2)
+    pry (0.10.1)
+      coderay (~> 1.1.0)
+      method_source (~> 0.8.1)
+      slop (~> 3.4)
     rake (10.4.2)
     rspec (3.2.0)
       rspec-core (~> 3.2.0)
@@ -21,12 +27,17 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.2.0)
     rspec-support (3.2.2)
+    slop (3.6.0)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   bundler (~> 1.9)
+  pry
   rake (~> 10.0)
   rspec (~> 3.2)
   vault!
+
+BUNDLED WITH
+   1.10.6

data/README.md

@@ -5,6 +5,10 @@ Vault is the official Ruby client for interacting with [Vault](https://vaultproj
 
 Quick Start
 -----------
+Install Ruby 2.0+: [Guide](https://www.ruby-lang.org/en/documentation/installation/).
+
+> Please note that Vault Ruby may work on older Ruby installations like Ruby 1.9, but you **should not** use these versions of Ruby when communicating with a Vault server. Ruby 1.9 has [reached EOL](https://www.ruby-lang.org/en/news/2014/01/10/ruby-1-9-3-will-end-on-2015/) and will no longer receive important security patches or maintenance updates. There _are known security vulnerabilities_ specifically around SSL ciphers, which this library uses to communicate with a Vault server. While many distros still ship with Ruby 1.9 as the default, you are **highly discouraged** from using this library on any version of Ruby lower than Ruby 2.0.
+
 Install via Rubygems:
 
     $ gem install vault
@@ -49,6 +53,16 @@ Vault::Client.configure do |config|
 
   # Use SSL verification, also read as ENV["VAULT_SSL_VERIFY"]
   config.ssl_verify = false
+
+  # Timeout the connection after a certain amount of time (seconds), also read
+  # as ENV["VAULT_TIMEOUT"]
+  config.timeout = 30
+
+  # It is also possible to have finer-grained controls over the timeouts, these
+  # may also be read as environment variables
+  config.ssl_timeout  = 5
+  config.open_timeout = 5
+  config.read_timeout = 30
 end
 ```
 

data/lib/vault.rb

@@ -8,31 +8,38 @@ module Vault
 
   require_relative "vault/api"
 
-  extend Vault::Configurable
-
-  # API client object based off the configured options in {Configurable}.
-  #
-  # @return [Vault::Client]
-  def self.client
-    if !defined?(@client) || !@client.same_options?(options)
-      @client = Vault::Client.new(options)
+  class << self
+    # API client object based off the configured options in {Configurable}.
+    #
+    # @return [Vault::Client]
+    attr_reader :client
+
+    def setup!
+      @client = Vault::Client.new
+
+      # Set secure SSL options
+      OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options] &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
+      OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_COMPRESSION
+      OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2
+      OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv3
+
+      self
     end
-    @client
-  end
 
-  # Delegate all methods to the client object, essentially making the module
-  # object behave like a {Client}.
-  def self.method_missing(m, *args, &block)
-    if client.respond_to?(m)
-      client.send(m, *args, &block)
-    else
-      super
+    # Delegate all methods to the client object, essentially making the module
+    # object behave like a {Client}.
+    def method_missing(m, *args, &block)
+      if client.respond_to?(m)
+        client.send(m, *args, &block)
+      else
+        super
+      end
     end
-  end
 
-  # Delegating +respond_to+ to the {Client}.
-  def self.respond_to_missing?(m, include_private = false)
-    client.respond_to?(m) || super
+    # Delegating +respond_to+ to the {Client}.
+    def respond_to_missing?(m, include_private = false)
+      client.respond_to?(m, include_private) || super
+    end
   end
 end
 

data/lib/vault/api.rb

@@ -1,6 +1,7 @@
 module Vault
   module API
     require_relative "api/auth_token"
+    require_relative "api/auth"
     require_relative "api/help"
     require_relative "api/logical"
     require_relative "api/secret"

data/lib/vault/api/auth.rb

@@ -0,0 +1,102 @@
+require "json"
+
+require_relative "secret"
+require_relative "../client"
+
+module Vault
+  class Client
+    # A proxy to the {Auth} methods.
+    # @return [Auth]
+    def auth
+      @auth ||= Authenticate.new(self)
+    end
+  end
+
+  class Authenticate < Request
+    # Authenticate via the "token" authentication method. This authentication
+    # method is a bit bizarre because you already have a token, but hey,
+    # whatever floats your boat.
+    #
+    # This method hits the `/v1/auth/token/lookup-self` endpoint after setting
+    # the Vault client's token to the given token parameter. If the self lookup
+    # succeeds, the token is persisted onto the client for future requests. If
+    # the lookup fails, the old token (which could be unset) is restored on the
+    # client.
+    #
+    # @example
+    #   Vault.auth.token("6440e1bd-ba22-716a-887d-e133944d22bd") #=> #<Vault::Secret lease_id="">
+    #   Vault.token #=> "6440e1bd-ba22-716a-887d-e133944d22bd"
+    #
+    # @param [String] new_token
+    #   the new token to try to authenticate and store on the client
+    #
+    # @return [Secret]
+    def token(new_token)
+      old_token    = client.token
+      client.token = new_token
+      json = client.get("/v1/auth/token/lookup-self")
+      secret = Secret.decode(json)
+      return secret
+    rescue
+      client.token = old_token
+      raise
+    end
+
+    # Authenticate via the "app-id" authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used for
+    # future requests.
+    #
+    # @example
+    #   Vault.auth.app_id(
+    #     "aeece56e-3f9b-40c3-8f85-781d3e9a8f68",
+    #     "3b87be76-95cf-493a-a61b-7d5fc70870ad",
+    #   ) #=> #<Vault::Secret lease_id="">
+    #
+    # @example with a custom mount point
+    #   Vault.auth.app_id(
+    #     "aeece56e-3f9b-40c3-8f85-781d3e9a8f68",
+    #     "3b87be76-95cf-493a-a61b-7d5fc70870ad",
+    #     mount: "new-app-id",
+    #   )
+    #
+    # @param [String] app_id
+    # @param [String] user_id
+    # @param [Hash] options
+    #   additional options to pass to the authentication call, such as a custom
+    #   mount point
+    #
+    # @return [Secret]
+    def app_id(app_id, user_id, options = {})
+      payload = { app_id: app_id, user_id: user_id }.merge(options)
+      json = client.post("/v1/auth/app-id/login", JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
+    # Authenticate via the "userpass" authentication method. If authentication
+    # is successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.userpass("sethvargo", "s3kr3t") #=> #<Vault::Secret lease_id="">
+    #
+    # @example with a custom mount point
+    #   Vault.auth.userpass("sethvargo", "s3kr3t", mount: "admin-login") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] username
+    # @param [String] password
+    # @param [Hash] options
+    #   additional options to pass to the authentication call, such as a custom
+    #   mount point
+    #
+    # @return [Secret]
+    def userpass(username, password, options = {})
+      payload = { password: password }.merge(options)
+      json = client.post("/v1/auth/userpass/login/#{username}", JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+  end
+end

data/lib/vault/api/logical.rb

@@ -45,7 +45,11 @@ module Vault
     # @return [Secret]
     def write(path, data = {})
       json = client.put("/v1/#{path}", JSON.fast_generate(data))
-      return json.nil? ? read(path) : Secret.decode(json)
+      if json.nil?
+        return true
+      else
+        return Secret.decode(json)
+      end
     end
 
     # Delete the secret at the given path. If the secret does not exist, vault

data/lib/vault/client.rb

@@ -28,6 +28,25 @@ module Vault
       symbolize_names:  true,
     }.freeze
 
+    RESCUED_EXCEPTIONS = [].tap do |a|
+      # Failure to even open the socket (usually permissions)
+      a << SocketError
+
+      # Failed to reach the server (aka bad URL)
+      a << Errno::ECONNREFUSED
+
+      # Failed to read body or no response body given
+      a << EOFError
+
+      # Timeout (Ruby 1.9-)
+      a << Timeout::Error
+
+      # Timeout (Ruby 1.9+) - Ruby 1.9 does not define these constants so we
+      # only add them if they are defiend
+      a << Net::ReadTimeout if defined?(Net::ReadTimeout)
+      a << Net::OpenTimeout if defined?(Net::OpenTimeout)
+    end.freeze
+
     include Vault::Configurable
 
     # Create a new Client with the given options. Any options given take
@@ -37,12 +56,7 @@ module Vault
     def initialize(options = {})
       # Use any options given, but fall back to the defaults set on the module
       Vault::Configurable.keys.each do |key|
-        value = if options[key].nil?
-          Vault.instance_variable_get(:"@#{key}")
-        else
-          options[key]
-        end
-
+        value = options.key?(key) ? options[key] : Defaults.public_send(key)
         instance_variable_set(:"@#{key}", value)
       end
     end
@@ -103,10 +117,6 @@ module Vault
     # @return [String, Hash]
     #   the response body
     def request(verb, path, data = {}, headers = {})
-      # All requests to vault require a token, so we should error without even
-      # trying if there is no token set
-      raise MissingTokenError if token.nil?
-
       # Build the URI and request object from the given information
       uri = build_uri(verb, path, data)
       request = class_for_request(verb).new(uri.request_uri)
@@ -135,18 +145,34 @@ module Vault
       connection = Net::HTTP.new(uri.host, uri.port,
         proxy_address, proxy_port, proxy_username, proxy_password)
 
+      # Use a custom open timeout
+      if open_timeout || timeout
+        connection.open_timeout = (open_timeout || timeout).to_i
+      end
+
+      # Use a custom read timeout
+      if read_timeout || timeout
+        connection.read_timeout = (read_timeout || timeout).to_i
+      end
+
       # Create the cookie for the request.
       cookie = CGI::Cookie.new
       cookie.name    = "token"
       cookie.value   = token
       cookie.path    = "/"
-      cookie.expires = Time.now + (60*60*24*376)
+      cookie.expires = Time.now + (60*60*24*365)
 
       # Apply SSL, if applicable
       if uri.scheme == "https"
         # Turn on SSL
         connection.use_ssl = true
 
+        # Vault requires TLS1.2
+        connection.ssl_version = "TLSv1_2"
+
+        # Only use secure ciphers
+        connection.ciphers = ssl_ciphers
+
         # Turn on secure cookies
         cookie.secure = true
 
@@ -154,37 +180,56 @@ module Vault
         if ssl_pem_file
           pem = File.read(ssl_pem_file)
           connection.cert = OpenSSL::X509::Certificate.new(pem)
-          connection.key = OpenSSL::PKey::RSA.new(pem)
+          connection.key = OpenSSL::PKey::RSA.new(pem, ssl_pem_passphrase)
           connection.verify_mode = OpenSSL::SSL::VERIFY_PEER
         end
 
-        # Naughty, naughty, naughty! Don't blame when when someone hops in
+        # Use custom CA cert for verification
+        if ssl_ca_cert
+          connection.ca_file = ssl_ca_cert
+        end
+
+        # Use custom CA path that contains CA certs
+        if ssl_ca_path
+          connection.ca_path = ssl_ca_path
+        end
+
+        # Naughty, naughty, naughty! Don't blame me when someone hops in
         # and executes a MITM attack!
-        unless ssl_verify
+        if !ssl_verify
           connection.verify_mode = OpenSSL::SSL::VERIFY_NONE
         end
-      end
 
-      # Add the cookie to the request.
-      request["Cookie"] = cookie.to_s
+        # Use custom timeout for connecting and verifying via SSL
+        if ssl_timeout || timeout
+          connection.ssl_timeout = (ssl_timeout || timeout).to_i
+        end
+      end
 
-      # Create a connection using the block form, which will ensure the socket
-      # is properly closed in the event of an error.
-      connection.start do |http|
-        response = http.request(request)
+      # Add the cookie to the request if a token was given.
+      if !token.nil?
+        request["Cookie"] = cookie.to_s
+      end
 
-        case response
-        when Net::HTTPRedirection
-          redirect = URI.parse(response["location"])
-          request(verb, redirect, data, headers)
-        when Net::HTTPSuccess
-          success(response)
-        else
-          error(response)
+      begin
+        # Create a connection using the block form, which will ensure the socket
+        # is properly closed in the event of an error.
+        connection.start do |http|
+          response = http.request(request)
+
+          case response
+          when Net::HTTPRedirection
+            redirect = URI.parse(response["location"])
+            request(verb, redirect, data, headers)
+          when Net::HTTPSuccess
+            success(response)
+          else
+            error(response)
+          end
         end
+      rescue *RESCUED_EXCEPTIONS => e
+        raise HTTPConnectionError.new(address, e)
       end
-    rescue SocketError, Errno::ECONNREFUSED, EOFError
-      raise HTTPConnectionError.new(address)
     end
 
     # Construct a URL from the given verb and path. If the request is a GET or
@@ -269,6 +314,10 @@ module Vault
     # @param [HTTP::Message] response
     #   the response object from the request
     def error(response)
+      if response.body && response.body.match("missing client token")
+        raise MissingTokenError
+      end
+
       if (response.content_type || '').include?("json")
         # Attempt to parse the error as JSON
         begin

data/lib/vault/configurable.rb

@@ -6,12 +6,19 @@ module Vault
       @keys ||= [
         :address,
         :token,
+        :open_timeout,
         :proxy_address,
         :proxy_password,
         :proxy_port,
         :proxy_username,
+        :read_timeout,
+        :ssl_ciphers,
         :ssl_pem_file,
+        :ssl_ca_cert,
+        :ssl_ca_path,
         :ssl_verify,
+        :ssl_timeout,
+        :timeout,
       ]
     end
 
@@ -24,18 +31,6 @@ module Vault
       yield self
     end
 
-    # Reset all the values to their defaults.
-    #
-    # @return [self]
-    def reset!
-      defaults = Defaults.options
-      Vault::Configurable.keys.each do |key|
-        instance_variable_set(:"@#{key}", defaults[key])
-      end
-      self
-    end
-    alias_method :setup!, :reset!
-
     # The list of options for this configurable.
     #
     # @return [Hash<Symbol, Object>]

data/lib/vault/defaults.rb

@@ -1,9 +1,20 @@
+require "pathname"
+
 module Vault
   module Defaults
     # The default vault address.
     # @return [String]
     VAULT_ADDRESS = "https://127.0.0.1:8200".freeze
 
+    # The path to the vault token on disk.
+    # @return [String]
+    VAULT_DISK_TOKEN = Pathname.new("~/.vault-token").expand_path.freeze
+
+    # The list of SSL ciphers to allow. You should not change this value unless
+    # you absolutely know what you are doing!
+    # @return [String]
+    SSL_CIPHERS = "TLSv1.2:!aNULL:!eNULL".freeze
+
     class << self
       # The list of calculated options for this configurable.
       # @return [Hash]
@@ -20,7 +31,18 @@ module Vault
       # The vault token to use for authentiation.
       # @return [String, nil]
       def token
-        ENV["VAULT_TOKEN"]
+        if VAULT_DISK_TOKEN.exist? && VAULT_DISK_TOKEN.readable?
+          VAULT_DISK_TOKEN.read
+        else
+          ENV["VAULT_TOKEN"]
+        end
+      end
+
+      # The number of seconds to wait when trying to open a connection before
+      # timing out
+      # @return [String, nil]
+      def open_timeout
+        ENV["VAULT_OPEN_TIMEOUT"]
       end
 
       # The HTTP Proxy server address as a string
@@ -47,14 +69,46 @@ module Vault
         ENV["VAULT_PROXY_PORT"]
       end
 
+      # The number of seconds to wait when reading a response before timing out
+      # @return [String, nil]
+      def read_timeout
+        ENV["VAULT_READ_TIMEOUT"]
+      end
+
+      # The ciphers that will be used when communicating with vault over ssl
+      # You should only change the defaults if the ciphers are not available on
+      # your platform and you know what you are doing
+      # @return [String]
+      def ssl_ciphers
+        ENV["VAULT_SSL_CIPHERS"] || SSL_CIPHERS
+      end
+
       # The path to a pem on disk to use with custom SSL verification
       # @return [String, nil]
       def ssl_pem_file
         ENV["VAULT_SSL_CERT"]
       end
 
-      # Verify SSL requests (default: true)
+      # The path to a pem on disk to use with custom SSL verification
+      # @return [String, nil]
+      def ssl_pem_passphrase
+        ENV["VAULT_SSL_CERT_PASSPHRASE"]
+      end
+
+      # The path to the CA cert on disk to use for certificate verification
+      # @return [String, nil]
+      def ssl_ca_cert
+        ENV["VAULT_CACERT"]
+      end
       #
+      # The path to the directory on disk holding CA certs to use
+      # for certificate verification
+      # @return [String, nil]
+      def ssl_ca_path
+        ENV["VAULT_CAPATH"]
+      end
+
+      # Verify SSL requests (default: true)
       # @return [true, false]
       def ssl_verify
         if ENV["VAULT_SSL_VERIFY"].nil?
@@ -63,6 +117,19 @@ module Vault
           %w[t y].include?(ENV["VAULT_SSL_VERIFY"].downcase[0])
         end
       end
+
+      # The number of seconds to wait for connecting and verifying SSL
+      # @return [String, nil]
+      def ssl_timeout
+        ENV["VAULT_SSL_TIMEOUT"]
+      end
+
+      # A default meta-attribute to set all timeout values - individually set
+      # timeout values will take precedence
+      # @return [String, nil]
+      def timeout
+        ENV["VAULT_TIMEOUT"]
+      end
     end
   end
 end

data/lib/vault/errors.rb

@@ -5,10 +5,18 @@ module Vault
     def initialize
       super <<-EOH
 Missing Vault token! I cannot make requests to Vault without a token. Please
-set a Vault token:
+set a Vault token in the client:
 
     Vault.token = "42d1dee5-eb6e-102c-8d23-cc3ba875da51"
 
+or authenticate with Vault using the Vault CLI:
+
+    $ vault auth ...
+
+or set the environment variable $VAULT_TOKEN to the token value:
+
+    $ export VAULT_TOKEN="..."
+
 Please refer to the documentation for more examples.
 EOH
     end
@@ -17,13 +25,21 @@ EOH
   class HTTPConnectionError < VaultError
     attr_reader :address
 
-    def initialize(address)
+    def initialize(address, exception)
       @address = address
+      @exception = exception
 
       super <<-EOH
 The Vault server at `#{address}' is not currently
-accepting connections. Please ensure that the server is running an that your
+accepting connections. Please ensure that the server is running and that your
 authentication information is correct.
+
+The original error was `#{exception.class}'. Additional information (if any) is
+shown below:
+
+    #{exception.message}
+
+Please refer to the documentation for more help.
 EOH
     end
   end

data/lib/vault/version.rb

@@ -1,3 +1,3 @@
 module Vault
-  VERSION = "0.1.3"
+  VERSION = "0.1.4"
 end

data/vault.gemspec

@@ -20,6 +20,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_development_dependency "bundler", "~> 1.9"
+  spec.add_development_dependency "pry"
   spec.add_development_dependency "rake",    "~> 10.0"
   spec.add_development_dependency "rspec",   "~> 3.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vault
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Seth Vargo
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2015-05-14 00:00:00.000000000 Z
+date: 2015-08-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.9'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -70,6 +84,7 @@ files:
 - Rakefile
 - lib/vault.rb
 - lib/vault/api.rb
+- lib/vault/api/auth.rb
 - lib/vault/api/auth_token.rb
 - lib/vault/api/help.rb
 - lib/vault/api/logical.rb