vault 0.13.0 → 0.13.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 45b9f9e52cf35711735bdb4ff03db5c64712df2ad07b1ba50d5ba7172d0b5e15
-  data.tar.gz: ee28f237fee824b1e9381ed35c06f587bdf022ab26455a04221ca385ac1a4448
+  metadata.gz: 0ba24586cf3aedc6a9b72b5ea495aa3870e24961d2e1c28f26588efe89c3e778
+  data.tar.gz: 875863da0975071d886d611d18d5dc6ff0605c1bee4e3263e1b1dcc9b70100c2
 SHA512:
-  metadata.gz: 8afef6bdd52369d7af804cbe8dc182166ee49698d9d2d71b923401f6546b9fc7f5ce7514236eaf9c92b867f030ed78e200a83cd71a88f765eae48af45aa41ec1
-  data.tar.gz: 877dbfb3dba0fe37718a68bafe22218f4fb1bd9577d3263ed979d3a71c14bc78a603bacb32a231d4ae7c346171bd6e81b6b4f95ab7368be7dc5d1ac236860da7
+  metadata.gz: 060e894c68bc091fce76db59f9d9d17afce399b6b7f2e1df7944f560998cfe0c3d691d28902db279cc18301a35779e4f16fd03263a07f42835669b4eb1c10165
+  data.tar.gz: 4595750556960ac6e9bcc0d69615ae1dff5a993e85e0bd63f8320234089bdfdecda2863ea8c092e9bd1ebac9ef50b3e15d426a1e5449c2974f8cdd053b7abeb7

data/.circleci/config.yml

@@ -0,0 +1,42 @@
+version: 2.1
+
+references:
+  images:
+    ubuntu: &UBUNTU_IMAGE ubuntu-1604:201903-01
+
+jobs:
+  test:
+    machine:
+      image: *UBUNTU_IMAGE
+    parameters:
+      ruby-version:
+        type: string
+      vault-version:
+        type: string
+    steps:
+      - checkout
+      - run:
+          name: Install vault
+          command: |
+            curl -sLo vault.zip https://releases.hashicorp.com/vault/<< parameters.vault-version >>/vault_<< parameters.vault-version >>_linux_amd64.zip
+            unzip vault.zip
+            mkdir -p ~/bin
+            mv vault ~/bin
+            export PATH="~/bin:$PATH"
+      - run:
+          name: Run tests
+          command: |
+            export VAULT_VERSION=<< parameters.vault-version >>
+            rvm use << parameters.ruby-version >> --install --binary --fuzzy
+            bundle install --jobs=3 --retry=3 --path=vendor/bundle
+            bundle exec rake
+
+workflows:
+  run-tests:
+    jobs:
+      - test:
+          matrix:
+            parameters:
+              ruby-version: ["2.2", "2.3", "2.4"]
+              vault-version: ["1.0.3", "1.1.5", "1.2.4", "1.3.0"]
+          name: test-ruby-<< matrix.ruby-version >>-vault-<< matrix.vault-version >>

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Vault Ruby Changelog
 
+## v0.13.1 (April 28, 2020)
+
+IMPROVEMENTS
+
+- Added support for defining a namespace when initializing the client, as well as options for changing the namespace via method.
+- Added support for sys/namespaces API. Ability to Get, Create, Delete, and List namespaces has been provided.
+
 ## v0.12.0 (August 14, 2018)
 
 IMPROVEMENTS

data/README.md

@@ -28,6 +28,8 @@ Start a Vault client:
 ```ruby
 Vault.address = "http://127.0.0.1:8200" # Also reads from ENV["VAULT_ADDR"]
 Vault.token   = "abcd-1234" # Also reads from ENV["VAULT_TOKEN"]
+# Optional - if using the Namespace enterprise feature
+# Vault.namespace   = "my-namespace" # Also reads from ENV["VAULT_NAMESPACE"]
 
 Vault.sys.mounts #=> { :secret => #<struct Vault::Mount type="generic", description="generic secret storage"> }
 ```
@@ -43,6 +45,8 @@ Vault.configure do |config|
 
   # The token to authenticate with Vault, also read as ENV["VAULT_TOKEN"]
   config.token = "abcd-1234"
+  # Optional - if using the Namespace enterprise feature
+  # config.namespace   = "my-namespace" # Also reads from ENV["VAULT_NAMESPACE"]
 
   # Proxy connection information, also read as ENV["VAULT_PROXY_(thing)"]
   config.proxy_address  = "..."
@@ -85,7 +89,8 @@ And if you want to authenticate with a `AWS EC2` :
     # Export VAULT_ADDR to ENV then
     # Get the pkcs7 value from AWS
     signature = `curl http://169.254.169.254/latest/dynamic/instance-identity/pkcs7`
-    vault_token = Vault.auth.aws_ec2(ENV['EC2_ROLE'], signature, nil)
+    iam_role = `curl http://169.254.169.254/latest/meta-data/iam/security-credentials/`
+    vault_token = Vault.auth.aws_ec2(iam_role, signature, nil)
     vault_client = Vault::Client.new(address: ENV["VAULT_ADDR"], token: vault_token.auth.client_token)
 ```
 
@@ -208,7 +213,8 @@ Development
 
 Important Notes:
 
-- **All new features must include test coverage.** At a bare minimum, Unit tests are required. It is preferred if you include acceptance tests as well.
+- **All new features must include test coverage.** At a bare minimum, Unit tests are required. It is preferred if you include integration tests as well.
 - **The tests must be be idempotent.** The HTTP calls made during a test should be able to be run over and over.
 - **Tests are order independent.** The default RSpec configuration randomizes the test order, so this should not be a problem.
 - **Integration tests require Vault**  Vault must be available in the path for the integration tests to pass.
+   - **In order to be considered an integration test:** The test MUST use the `vault_test_client` or `vault_redirect_test_client` as the client. This spawns a process, or uses an already existing process from another test, to run against.

data/lib/vault/api/kv.rb

@@ -104,7 +104,7 @@ module Vault
       end
     end
 
-    # Write the metadata of a secret at the given path. Note that teh data must
+    # Write the metadata of a secret at the given path. Note that the data must
     # be a {Hash}.
     #
     # @example

data/lib/vault/api/sys.rb

@@ -21,5 +21,6 @@ require_relative "sys/init"
 require_relative "sys/leader"
 require_relative "sys/lease"
 require_relative "sys/mount"
+require_relative "sys/namespace"
 require_relative "sys/policy"
 require_relative "sys/seal"

data/lib/vault/api/sys/mount.rb

@@ -16,6 +16,11 @@ module Vault
     #   Type of the mount.
     #   @return [String]
     field :type
+
+    # @!attribute [r] type
+    #   Options given to the mount.
+    #   @return [Hash<Symbol, Object>]
+    field :options
   end
 
   class Sys < Request

data/lib/vault/api/sys/namespace.rb

@@ -0,0 +1,85 @@
+module Vault
+  class Namespace < Response
+    # @!attribute [r] id
+    #   ID of the namespace
+    #   @return [String]
+    field :id
+
+    # @!attribute [r] path
+    #   Path of the namespace, includes parent paths if nested.
+    #   @return [String]
+    field :path
+  end
+
+  class Sys
+    # List all namespaces in a given scope. Ignores nested namespaces.
+    #
+    # @example
+    #   Vault.sys.namespaces #=> { :foo => #<struct Vault::Namespace id="xxxx1", path="foo/" }
+    #
+    #   @return [Hash<Symbol, Namespace>]
+    #
+    #   NOTE: Due to a bug in Vault Enterprise, to be fixed soon, this method CAN return a pure JSON string if a scoping namespace is provided.
+    def namespaces(scoped=nil)
+      path = ["v1", scoped, "sys", "namespaces"].compact
+      json = client.list(path.join("/"))
+      json = json[:data] if json[:data]
+      if json[:key_info]
+        json = json[:key_info]
+        hash = {}
+        json.each do |k,v|
+          hash[k.to_s.chomp("/").to_sym] = Namespace.decode(v)
+        end
+        hash
+      else
+        json
+      end
+    end
+
+    # Create a namespace. Nests the namespace if a namespace header is provided.
+    #
+    # @example
+    #   Vault.sys.create_namespace("foo")
+    #
+    # @param [String] namespace
+    #   the potential path of the namespace, without any parent path provided
+    #
+    # @return [true]
+    def create_namespace(namespace)
+      client.put("/v1/sys/namespaces/#{namespace}", {})
+      return true
+    end
+
+    # Delete a namespace. Raises an error if the namespace provided is not empty.
+    #
+    # @example
+    #   Vault.sys.delete_namespace("foo")
+    #
+    # @param [String] namespace
+    #   the path of the namespace to be deleted
+    #
+    # @return [true]
+    def delete_namespace(namespace)
+      client.delete("/v1/sys/namespaces/#{namespace}")
+      return true
+    end
+
+    # Retrieve a namespace by path.
+    #
+    # @example
+    #   Vault.sys.get_namespace("foo")
+    #
+    # @param [String] namespace
+    #   the path of the namespace ot be retrieved
+    #
+    # @return [Namespace]
+    def get_namespace(namespace)
+      json = client.get("/v1/sys/namespaces/#{namespace}")
+      if data = json.dig(:data)
+        Namespace.decode(data)
+      else
+        json
+      end
+    end
+  end
+end

data/lib/vault/client.rb

@@ -16,6 +16,9 @@ module Vault
     # The name of the header used to hold the Vault token.
     TOKEN_HEADER = "X-Vault-Token".freeze
 
+    # The name of the header used to hold the Namespace.
+    NAMESPACE_HEADER = "X-Vault-Namespace".freeze
+
     # The name of the header used to hold the wrapped request ttl.
     WRAP_TTL_HEADER = "X-Vault-Wrap-TTL".freeze
 
@@ -255,6 +258,12 @@ module Vault
         headers[TOKEN_HEADER] ||= token
       end
 
+      # Add the Vault Namespace header - users could still override this on a
+      # per-request basis
+      if !namespace.nil?
+        headers[NAMESPACE_HEADER] ||= namespace
+      end
+
       # Add headers
       headers.each do |key, value|
         request.add_field(key, value)

data/lib/vault/configurable.rb

@@ -7,6 +7,7 @@ module Vault
         :address,
         :token,
         :hostname,
+        :namespace,
         :open_timeout,
         :proxy_address,
         :proxy_password,

data/lib/vault/defaults.rb

@@ -61,6 +61,13 @@ module Vault
         nil
       end
 
+
+      # Vault Namespace, if any.
+      # @return [String, nil]
+      def namespace
+        ENV["VAULT_NAMESPACE"]
+      end
+
       # The SNI host to use when connecting to Vault via TLS.
       # @return [String, nil]
       def hostname

data/lib/vault/version.rb

@@ -1,3 +1,3 @@
 module Vault
-  VERSION = "0.13.0"
+  VERSION = "0.13.1"
 end

data/vault.gemspec

@@ -19,12 +19,12 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_runtime_dependency "aws-sigv4"
+  spec.add_runtime_dependency "aws-sigv4", "1.1.1"
 
-  spec.add_development_dependency "bundler"
-  spec.add_development_dependency "pry"
+  spec.add_development_dependency "bundler", "~> 2.1.4"
+  spec.add_development_dependency "pry",     "~> 0.13.1"
   spec.add_development_dependency "rake",    "~> 12.0"
   spec.add_development_dependency "rspec",   "~> 3.5"
-  spec.add_development_dependency "yard"
-  spec.add_development_dependency "webmock", "~> 2.3"
+  spec.add_development_dependency "yard",    "~> 0.9.24"
+  spec.add_development_dependency "webmock", "~> 3.8.3"
 end

metadata

@@ -1,57 +1,57 @@
 --- !ruby/object:Gem::Specification
 name: vault
 version: !ruby/object:Gem::Version
-  version: 0.13.0
+  version: 0.13.1
 platform: ruby
 authors:
 - Seth Vargo
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-10-01 00:00:00.000000000 Z
+date: 2020-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sigv4
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.1.1
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.1.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.1.4
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.13.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.13.1
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -84,30 +84,30 @@ dependencies:
   name: yard
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.9.24
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.9.24
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: 3.8.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: 3.8.3
 description: Vault is a Ruby API client for interacting with a Vault server.
 email:
 - sethvargo@gmail.com
@@ -115,9 +115,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".circleci/config.yml"
 - ".gitignore"
 - ".rspec"
-- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - LICENSE
@@ -141,6 +141,7 @@ files:
 - lib/vault/api/sys/leader.rb
 - lib/vault/api/sys/lease.rb
 - lib/vault/api/sys/mount.rb
+- lib/vault/api/sys/namespace.rb
 - lib/vault/api/sys/policy.rb
 - lib/vault/api/sys/seal.rb
 - lib/vault/client.rb
@@ -178,8 +179,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Vault is a Ruby API client for interacting with a Vault server.

data/.travis.yml

@@ -1,29 +0,0 @@
-dist: trusty
-sudo: false
-language: ruby
-cache: bundler
-
-env:
-  - VAULT_VERSION=0.11.4
-  - VAULT_VERSION=0.10.4
-  - VAULT_VERSION=0.9.6
-  - VAULT_VERSION=0.8.3
-  - VAULT_VERSION=0.7.3
-  - VAULT_VERSION=0.6.5
-  - VAULT_VERSION=0.5.3
-
-before_install:
-  - curl -sLo vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
-  - unzip vault.zip
-  - mkdir -p ~/bin
-  - mv vault ~/bin
-  - export PATH="~/bin:$PATH"
-
-branches:
-  only:
-    - master
-
-rvm:
-  - 2.2
-  - 2.3
-  - 2.4