vault 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c591681b73cba4f23a6c399ce65ecb232be4c8bb
-  data.tar.gz: 7f01da9d58aae383b63dd8bc666db5ca7e2181d8
+  metadata.gz: efbf977407c93919ed45ceff129bc3df6088d462
+  data.tar.gz: 7b3a458357a1a3a9eef3606eb5d1a8160d1d04c5
 SHA512:
-  metadata.gz: 1efa7198ad5a0713ba37826978cd417ac6de66da5023d220890b092c8758af7fb9a7a494ea9db685e1e21011e4f62fc4379c42b50f0d3fa6992a68d57ad8a319
-  data.tar.gz: 415e4410e7f5ba98827996d47ad10ef8f81caa12dd0a213698b019306717bfb08694a2ea598428a72629c3c6180739a49f6541c9553f3355f33391efcd6adc73
+  metadata.gz: ef87eb90b77096ce92ab3f2c765f9b897bac05ec82da49ac600b62b05847ab02cfa9f29f2d09244527be308be61e1f24b3bfa99cac7df5aef45d458c993d76d2
+  data.tar.gz: 01b3384ce315cfc0e30ee11fdc020327172cde312de1f89bff1b63bf6eacd8f18425234d742b76d5551428212315424612420969c2d16edaa09bb500dea75e21

data/.travis.yml

@@ -3,7 +3,7 @@ cache: bundler
 sudo: false
 
 before_install: |-
-  wget -O vault.zip -q https://releases.hashicorp.com/vault/0.5.2/vault_0.5.2_linux_amd64.zip
+  curl -so vault.zip https://releases.hashicorp.com/vault/0.6.0/vault_0.6.0_linux_amd64.zip
   unzip vault.zip
   mkdir ~/bin
   mv vault ~/bin

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Vault Ruby Changelog
 
+## v0.4.0.dev (Unreleased)
+
+NEW FEATURES
+
+- Add TTL wrapping to logical and auth backends
+- Support passing PGP keys to init
+
+BUG FIXES
+
+- New API documentation
+- Remove recursive requires
+
 ## v0.4.0 (March 31, 2016)
 
 NEW FEATURES

data/README.md

@@ -151,11 +151,39 @@ Vault.logical.read("secret/bacon")
 #=> #<Vault::Secret lease_id="">
 ```
 
-#### Seal the Vault
+#### Retrieve the Contents of a Secret
 ```ruby
-Vault.sys.seal #=> true
+secret = Vault.logical.read("secret/bacon")
+secret.data #=> { :cooktime = >"11", :delicious => true }
 ```
 
+### Response wrapping
+
+```ruby
+# Request new access token as wrapped response where the TTL of the temporary
+# token is "5s".
+wrapped = Vault.auth_token.create(wrap_ttl: "5s")
+
+# Unwrap the wrapped response to get the final token using the initial temporary
+# token from the first request.
+unwrapped = Vault.logical.unwrap(wrapped.wrap_info.token)
+
+# Extract the final token from the response.
+token = unwrapped.data.auth.client_token
+```
+
+A helper function is also provided when unwrapping a token directly:
+
+```ruby
+# Request new access token as wrapped response where the TTL of the temporary
+# token is "5s".
+wrapped = Vault.auth_token.create(wrap_ttl: "5s")
+
+# Unwrap wrapped response for final token using the initial temporary token.
+token = Vault.logical.unwrap_token(wrapped)
+```
+
+
 Development
 -----------
 1. Clone the project on GitHub
@@ -167,3 +195,4 @@ Important Notes:
 - **All new features must include test coverage.** At a bare minimum, Unit tests are required. It is preferred if you include acceptance tests as well.
 - **The tests must be be idempotent.** The HTTP calls made during a test should be able to be run over and over.
 - **Tests are order independent.** The default RSpec configuration randomizes the test order, so this should not be a problem.
+- **Integration tests require Vault**  Vault must be available in the path for the integration tests to pass.

data/lib/vault/api/auth_token.rb

@@ -15,16 +15,45 @@ module Vault
   end
 
   class AuthToken < Request
-    # Create an authentication token.
+    # Create an authentication token. Note that the parameters specified below
+    # are not validated and passed directly to the Vault server. Depending on
+    # the version of Vault in operation, some of these options may not work, and
+    # newer options may be available that are not listed here.
     #
-    # @example
+    # @example Creating a token
     #   Vault.auth_token.create #=> #<Vault::Secret lease_id="">
     #
+    # @example Creating a token assigned to policies with a wrap TTL
+    #   Vault.auth_token.create(
+    #     policies: ["myapp"],
+    #     wrap_ttl: 500,
+    #   )
+    #
     # @param [Hash] options
+    # @option options [String] :id
+    #   The ID of the client token - this can only be specified for root tokens
+    # @option options [Array<String>] :policies
+    #   List of policies to apply to the token
+    # @option options [Fixnum, String] :wrap_ttl
+    #   The number of seconds or a golang-formatted timestamp like "5s" or "10m"
+    #   for the TTL on the wrapped response
+    # @option options [Hash<String, String>] :meta
+    #   A map of metadata that is passed to audit backends
+    # @option options [Boolean] :no_parent
+    #   Create a token without a parent - see also {#create_orphan}
+    # @option options [Boolean] :no_default_policy
+    #   Create a token without the default policy attached
+    # @option options [Boolean] :renewable
+    #   Set whether this token is renewable or not
+    # @option options [String] :display_name
+    #   Name of the token
+    # @option options [Fixnum] :num_uses
+    #   Maximum number of uses for the token
     #
     # @return [Secret]
     def create(options = {})
-      json = client.post("/v1/auth/token/create", JSON.fast_generate(options))
+      headers = extract_headers!(options)
+      json = client.post("/v1/auth/token/create", JSON.fast_generate(options), headers)
       return Secret.decode(json)
     end
 
@@ -33,11 +62,27 @@ module Vault
     # @example
     #   Vault.auth_token.create_orphan #=> #<Vault::Secret lease_id="">
     #
-    # @param [Hash] options
+    # @param (see #create)
+    # @option (see #create)
     #
     # @return [Secret]
     def create_orphan(options = {})
-      json = client.post("/v1/auth/token/create-orphan", JSON.fast_generate(options))
+      headers = extract_headers!(options)
+      json = client.post("/v1/auth/token/create-orphan", JSON.fast_generate(options), headers)
+      return Secret.decode(json)
+    end
+
+    # Create an orphaned authentication token.
+    #
+    # @example
+    #   Vault.auth_token.create_with_role("developer") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [Hash] options
+    #
+    # @return [Secret]
+    def create_with_role(name, options = {})
+      headers = extract_headers!(options)
+      json = client.post("/v1/auth/token/create/#{CGI.escape(name)}", JSON.fast_generate(options), headers)
       return Secret.decode(json)
     end
 
@@ -126,8 +171,8 @@ module Vault
     # @example
     #   Vault.auth_token.revoke_prefix("abcd-1234") #=> true
     #
-    # @param [String] id
-    #   the auth id
+    # @param [String] prefix
+    #   the prefix to revoke
     #
     # @return [true]
     def revoke_prefix(prefix)

data/lib/vault/api/help.rb

@@ -3,13 +3,23 @@ require_relative "../response"
 
 module Vault
   # Help is the response from a help query.
-  class Help < Response.new(:help, :see_also); end
+  class Help < Response
+    # @!attribute [r] help
+    #   The help information.
+    #   @return [String]
+    field :help
+
+    # @!attribute [r] see_also
+    #   Additional help documentation to see.
+    #   @return [String]
+    field :see_also
+  end
 
   class Client
     # Gets help for the given path.
     #
     # @example
-    #   Vault.help #=> #<Vault::Help help="..." see_also="...">
+    #   Vault.help("secret") #=> #<Vault::Help help="..." see_also="...">
     #
     # @param [String] path
     #   the path to get help for

data/lib/vault/api/logical.rb

@@ -23,8 +23,9 @@ module Vault
     #   the path to list
     #
     # @return [Array<String>]
-    def list(path)
-      json = client.get("/v1/#{CGI.escape(path)}", list: true)
+    def list(path, options = {})
+      headers = extract_headers!(options)
+      json = client.list("/v1/#{CGI.escape(path)}", {}, headers)
       json[:data][:keys] || []
     rescue HTTPError => e
       return [] if e.code == 404
@@ -41,8 +42,9 @@ module Vault
     #   the path to read
     #
     # @return [Secret, nil]
-    def read(path)
-      json = client.get("/v1/#{CGI.escape(path)}")
+    def read(path, options = {})
+      headers = extract_headers!(options)
+      json = client.get("/v1/#{CGI.escape(path)}", {}, headers)
       return Secret.decode(json)
     rescue HTTPError => e
       return nil if e.code == 404
@@ -61,8 +63,9 @@ module Vault
     #   the data to write
     #
     # @return [Secret]
-    def write(path, data = {})
-      json = client.put("/v1/#{CGI.escape(path)}", JSON.fast_generate(data))
+    def write(path, data = {}, options = {})
+      headers = extract_headers!(options)
+      json = client.put("/v1/#{CGI.escape(path)}", JSON.fast_generate(data), headers)
       if json.nil?
         return true
       else
@@ -84,5 +87,64 @@ module Vault
       client.delete("/v1/#{CGI.escape(path)}")
       return true
     end
+
+    # Unwrap the data stored against the given token. If the secret does not
+    # exist, `nil` will be returned.
+    #
+    # @example
+    #   Vault.logical.unwrap("f363dba8-25a7-08c5-430c-00b2367124e6") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] wrapper
+    #   the token to use when unwrapping the value
+    #
+    # @return [Secret, nil]
+    def unwrap(wrapper)
+      client.with_token(wrapper) do |client|
+        json = client.get("/v1/cubbyhole/response")
+        secret = Secret.decode(json)
+
+        # If there is nothing in the cubbyhole, return early.
+        if secret.nil? || secret.data.nil? || secret.data[:response].nil?
+          return nil
+        end
+
+        # Extract the response and parse it into a new secret.
+        json = JSON.parse(secret.data[:response], symbolize_names: true)
+        secret = Secret.decode(json)
+        return secret
+      end
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Unwrap a token in a wrapped response given the temporary token.
+    #
+    # @example
+    #   Vault.logical.unwrap("f363dba8-25a7-08c5-430c-00b2367124e6") #=> "0f0f40fd-06ce-4af1-61cb-cdc12796f42b"
+    #
+    # @param [String, Secret] wrapper
+    #   the token to unwrap
+    #
+    # @return [String, nil]
+    def unwrap_token(wrapper)
+      # If provided a secret, grab the token. This is really just to make the
+      # API a bit nicer.
+      if wrapper.is_a?(Secret)
+        wrapper = wrapper.wrap_info.token
+      end
+
+      # Unwrap
+      response = unwrap(wrapper)
+
+      # If nothing was there, return nil
+      if response.nil? || response.auth.nil?
+        return nil
+      end
+
+      return response.auth.client_token
+    rescue HTTPError => e
+      raise
+    end
   end
 end

data/lib/vault/api/secret.rb

@@ -1,23 +1,154 @@
 require_relative "../response"
 
 module Vault
-  # Secret is a representation of a secret.
-  class Secret < Response.new(:lease_id, :lease_duration, :renewable, :data, :auth)
-    alias_method :renewable?, :renewable
-
-    alias_method :raw_auth, :auth
-    def auth
-      return @auth if defined?(@auth)
-      if raw_auth.nil?
-        @auth = nil
-      else
-        @auth = SecretAuth.decode(raw_auth)
-      end
-    end
+  # Secret is a representation of a secret from Vault. Almost all data returned
+  # from Vault is represented as a secret.
+  class Secret < Response
+    # @!attribute [r] auth
+    #   Authentication information for this secret, if any. Most secrets will
+    #   contain this field, but it may also be `nil`. When authenticating to
+    #   Vault, the resulting Vault token will be included in this embedded
+    #   field.
+    #
+    #   @example Authenticating to Vault
+    #     secret = Vault.auth.userpass("username", "password")
+    #     secret.auth.client_token #=> "fdb29070-6379-70c9-ca3a-46152fb66de1"
+    #
+    #   @return [SecretAuth, nil]
+    field :auth, load: ->(v) { SecretAuth.decode(v) }
+
+    # @!attribute [r] data
+    #   Arbitrary data returned by the secret. The keys returned are dependent
+    #   upon the request made. For more information on the names of the keys
+    #   that may be returned, please see the Vault documentation.
+    #
+    #   @example Reading data
+    #     secret = Vault.auth.token("abcd1234")
+    #     secret.data[:id] #=> "abcd1234"
+    #     secret.data[:ttl] #=> 0
+    #
+    #   @return [Hash<Symbol, Object>]
+    field :data, freeze: true
+
+    # @!attribute [r] lease_duration
+    #   The number of seconds this lease is valid. If this number is 0 or nil,
+    #   the secret does not expire.
+    #
+    #   @example Getting lease duration
+    #     secret = Vault.logical.read("secret/foo")
+    #     secret.lease_duration #=> 2592000 # 30 days
+    #
+    #   @return [Fixnum]
+    field :lease_duration
+
+    # @!attribute [r] lease_id
+    #   Unique ID for the lease associated with this secret. The `lease_id` is a
+    #   path and UUID that uniquely represents the secret. This may be used for
+    #   renewing and revoking the secret, if permitted.
+    #
+    #   @example Getting lease ID
+    #     secret = Vault.logical.read("postgresql/creds/readonly")
+    #     secret.lease_id #=> "postgresql/readonly/fdb29070-6379-70c9-ca3a-46152fb66de1"
+    #
+    #   @return [String]
+    field :lease_id
+
+    # @!method [r] renewable?
+    #   Returns whether this lease is renewable.
+    #
+    #   @example Checking if a lease is renewable
+    #     secret = Vault.logical.read("secret/foo")
+    #     secret.renewable? #=> false
+    #
+    #   @return [Boolean]
+    field :renewable, as: :renewable?
+
+    # @!attribute [r] warnings
+    #   List of warnings returned by the Vault server. These are returned by the
+    #   Vault server and may include deprecation information, new APIs, or
+    #   request using the API differently in the future.
+    #
+    #   @example Display warnings
+    #     result = Vault.logical.read("secret/foo")
+    #     result.warnings #=> ["This path has been deprecated"]
+    #
+    #   @return [Array<String>, nil]
+    field :warnings, freeze: true
+
+    # @!attribute [r] wrap_info
+    #   Wrapped information sent with the request (only present in Vault 0.6+).
+    #   @return [WrapInfo, nil]
+    field :wrap_info, load: ->(v) { WrapInfo.decode(v) }
+  end
+
+  # SecretAuth is a struct that contains the information about auth data, if
+  # present. This is never returned alone and is usually embededded in a
+  # {Secret}.
+  class SecretAuth < Response
+    # @!attribute [r] accessor
+    #   Accessor for the token. This is like a `lease_id`, but for a token.
+    #   @return [String]
+    field :accessor
+
+    # @!attribute [r] client_token
+    #   The client token for this authentication.
+    #   @return [String]
+    field :client_token
+
+    # @!attribute [r] lease_duration
+    #   Number of seconds the token is valid.
+    #   @return [Fixnum]
+    field :lease_duration
+
+    # @!attribute [r] metadata
+    #   Arbitrary metadata from the authentication.
+    #
+    #   @example Listing metadata attached to an authentication
+    #     auth.metadata #=> { :username => "sethvargo" }
+    #
+    #   @return [Hash<Symbol, Object>, nil]
+    field :metadata, freeze: true
+
+    # @!attribute [r] policies
+    #   List of policies attached to this authentication.
+    #
+    #   @example Listing policies attached to an authentication
+    #     auth.policies #=> ["default"]
+    #
+    #   @return [Array<String>, nil]
+    field :policies, freeze: true
+
+    # @!attribute [r] renewable
+    #   Returns whether this authentication is renewable.
+    #
+    #   @example Checking if an authentication is renewable
+    #     auth.renewable? #=> false
+    #
+    #   @return [Boolean]
+    field :renewable, as: :renewable?
   end
 
-  # SecretAuth is a struct that contains the information about auth data if present.
-  class SecretAuth < Response.new(:client_token, :policies, :metadata, :lease_duration, :renewable)
-    alias_method :renewable?, :renewable
+  # WrapInfo is the information returned by a wrapped response. This is almost
+  # always embedded as part of a {Secret}.
+  class WrapInfo < Response
+    # @!attribute [r] token
+    #   Wrapped response token. This token may be used to unwrap the response.
+    #   @return [String]
+    field :token
+
+    # @!attribute [r] wrapped_accessor
+    #   Accessor for the wrapped token. This is like a `lease_id`, but for a token.
+    #   @return [String]
+    field :wrapped_accessor
+
+    # @!attribute [r] creation_time
+    #   Date & time when the wrapped token was created
+    #   @return [Time]
+    field :creation_time, load: ->(v) { Time.parse(v) }
+
+    # @!attribute [r] ttl
+    #   The TTL on the token returned in seconds.
+    #   @return [Fixnum]
+    field :ttl
   end
 end

data/lib/vault/api/sys/audit.rb

@@ -1,9 +1,22 @@
 require "json"
 
-require_relative "../sys"
-
 module Vault
-  class Audit < Response.new(:type, :description, :options); end
+  class Audit < Response
+    # @!attribute [r] description
+    #   Description of the audit backend.
+    #   @return [String]
+    field :description
+
+    # @!attribute [r] options
+    #   Map of options configured to the audit backend.
+    #   @return [Hash<Symbol, Object>]
+    field :options
+
+    # @!attribute [r] type
+    #   Name of the audit backend.
+    #   @return [String]
+    field :type
+  end
 
   class Sys
     # List all audis for the vault.

data/lib/vault/api/sys/auth.rb

@@ -1,9 +1,17 @@
 require "json"
 
-require_relative "../sys"
-
 module Vault
-  class Auth < Response.new(:type, :description); end
+  class Auth < Response
+    # @!attribute [r] description
+    #   Description of the auth backend.
+    #   @return [String]
+    field :description
+
+    # @!attribute [r] type
+    #   Name of the auth backend.
+    #   @return [String]
+    field :type
+  end
 
   class Sys
     # List all auths in Vault.

data/lib/vault/api/sys/init.rb

@@ -1,12 +1,23 @@
 require "json"
 
-require_relative "../sys"
-
 module Vault
-  class InitResponse < Response.new(:keys, :root_token); end
+  class InitResponse < Response
+    # @!attribute [r] keys
+    #   List of unseal keys.
+    #   @return [Array<String>]
+    field :keys
+
+    # @!attribute [r] root_token
+    #   Initial root token.
+    #   @return [String]
+    field :root_token
+  end
 
-  class InitStatus < Response.new(:initialized)
-    alias_method :initialized?, :initialized
+  class InitStatus < Response
+    # @!method initialized?
+    #   Returns whether the Vault server is initialized.
+    #   @return [Boolean]
+    field :initialized, as: :initialized?
   end
 
   class Sys
@@ -33,12 +44,15 @@ module Vault
     #   the number of shares
     # @option options [Fixnum] :threshold
     #   the number of keys needed to unlock
+    # @option options [Array] :pgp_keys
+    #   an optional Array of base64-encoded PGP public keys to encrypt shares with
     #
     # @return [InitResponse]
     def init(options = {})
       json = client.put("/v1/sys/init", JSON.fast_generate(
         secret_shares:    options.fetch(:shares, 5),
         secret_threshold: options.fetch(:threshold, 3),
+        pgp_keys:         options.fetch(:pgp_keys, nil)
       ))
       return InitResponse.decode(json)
     end

data/lib/vault/api/sys/leader.rb

@@ -1,13 +1,31 @@
-require_relative "../sys"
-
 module Vault
-  class LeaderStatus < Response.new(:ha_enabled, :is_self, :leader_address)
-    alias_method :ha_enabled?, :ha_enabled
-    alias_method :ha?, :ha_enabled
-    alias_method :is_self?, :is_self
-    alias_method :is_leader?, :is_self
-    alias_method :leader?, :is_self
-    alias_method :address, :leader_address
+  class LeaderStatus < Response
+    # @!method ha_enabled?
+    #   Returns whether the high-availability mode is enabled.
+    #   @return [Boolean]
+    field :ha_enabled, as: :ha_enabled?
+
+    # @!method leader?
+    #   Returns whether the Vault server queried is the leader.
+    #   @return [Boolean]
+    field :is_self, as: :leader?
+
+    # @!attribute [r] address
+    #   URL where the server is running.
+    #   @return [String]
+    field :leader_address, as: :address
+
+    # @deprecated Use {#ha_enabled?} instead
+    def ha?; ha_enabled?; end
+
+    # @deprecated Use {#leader?} instead
+    def is_leader?; leader?; end
+
+    # @deprecated Use {#leader?} instead
+    def is_self?; leader?; end
+
+    # @deprecated Use {#leader?} instead
+    def self?; leader?; end
   end
 
   class Sys

data/lib/vault/api/sys/lease.rb

@@ -1,5 +1,3 @@
-require_relative "../sys"
-
 module Vault
   class Sys
     # Renew a lease with the given ID.

data/lib/vault/api/sys/mount.rb

@@ -1,9 +1,22 @@
 require "json"
 
-require_relative "../sys"
-
 module Vault
-  class Mount < Response.new(:type, :description); end
+  class Mount < Response
+    # @!attribute [r] config
+    #   Arbitrary configuration for the backend.
+    #   @return [Hash<Symbol, Object>]
+    field :config
+
+    # @!attribute [r] description
+    #   Description of the mount.
+    #   @return [String]
+    field :description
+
+    # @!attribute [r] type
+    #   Type of the mount.
+    #   @return [String]
+    field :type
+  end
 
   class Sys < Request
     # List all mounts in the vault.
@@ -38,6 +51,20 @@ module Vault
       return true
     end
 
+    # Tune a mount at the given path.
+    #
+    # @example
+    #   Vault.sys.mount_tune("pki", max_lease_ttl: '87600h') #=> true
+    #
+    # @param [String] path
+    #   the path to write
+    # @param [Hash] data
+    #   the data to write
+    def mount_tune(path, data = {})
+      json = client.post("/v1/sys/mounts/#{CGI.escape(path)}/tune", JSON.fast_generate(data))
+      return true
+    end
+
     # Unmount the thing at the given path. If the mount does not exist, an error
     # will be raised.
     #

data/lib/vault/api/sys/policy.rb

@@ -1,9 +1,25 @@
 require "json"
 
-require_relative "../sys"
-
 module Vault
-  class Policy < Response.new(:rules); end
+  class Policy < Response
+    # @!attribute [r] name
+    #   Name of the policy.
+    #
+    #   @example Get the name of the policy
+    #     policy.name #=> "default"
+    #
+    #   @return [String]
+    field :name
+
+    # @!attribute [r] rules
+    #   Raw HCL policy.
+    #
+    #   @example Display the list of rules
+    #     policy.rules #=> "path \"secret/foo\" {}"
+    #
+    #   @return [String]
+    field :rules
+  end
 
   class Sys
     # The list of policies in vault.

data/lib/vault/api/sys/seal.rb

@@ -1,10 +1,42 @@
 require "json"
 
-require_relative "../sys"
-
 module Vault
-  class SealStatus < Response.new(:sealed, :t, :n, :progress)
-    alias_method :sealed?, :sealed
+  class SealStatus < Response
+    # @!method sealed?
+    #   Returns if the Vault is sealed.
+    #
+    #   @example Check if the Vault is sealed
+    #     status.sealed? #=> true
+    #
+    #   @return [Boolean]
+    field :sealed, as: :sealed?
+
+    # @!attribute t
+    #   Threshold of keys required to unseal the Vault.
+    #
+    #   @example Get the threshold of keys
+    #     status.t #=> 3
+    #
+    #   @return [Fixnum]
+    field :t
+
+    # @!attribute n
+    #   Total number of unseal keys.
+    #
+    #   @example Get the total number of keys
+    #     status.n #=> 5
+    #
+    #   @return [Fixnum]
+    field :n
+
+    # @!attribute progress
+    #   Number of keys that have been entered.
+    #
+    #   @example Get the current unseal progress
+    #     status.progress #=> 2
+    #
+    #   @return [Fixnum]
+    field :progress
   end
 
   class Sys

data/lib/vault/client.rb

@@ -16,6 +16,9 @@ module Vault
     # The name of the header used to hold the Vault token.
     TOKEN_HEADER = "X-Vault-Token".freeze
 
+    # The name of the header used to hold the wrapped request ttl.
+    WRAP_TTL_HEADER = "X-Vault-Wrap-TTL".freeze
+
     # The name of the header used for redirection.
     LOCATION_HEADER = "location".freeze
 
@@ -66,6 +69,18 @@ module Vault
       end
     end
 
+    # Creates and yields a new client object with the given token. This may be
+    # used safely in a threadsafe manner because the original client remains
+    # unchanged. The value of the block is returned.
+    #
+    # @yield [Vault::Client]
+    def with_token(token)
+      client = self.dup
+      client.token = token
+      return yield client if block_given?
+      return nil
+    end
+
     # Determine if the given options are the same as ours.
     # @return [true, false]
     def same_options?(opts)
@@ -78,6 +93,13 @@ module Vault
       request(:get, path, params, headers)
     end
 
+    # Perform a LIST request.
+    # @see Client#request
+    def list(path, params = {}, headers = {})
+      params = params.merge(list: true)
+      request(:get, path, params, headers)
+    end
+
     # Perform a POST request.
     # @see Client#request
     def post(path, data = {}, headers = {})
@@ -132,7 +154,7 @@ module Vault
       # Add the Vault token header - users could still override this on a
       # per-request basis
       if !token.nil?
-        request.add_field(TOKEN_HEADER, token)
+        headers[TOKEN_HEADER] ||= token
       end
 
       # Add headers

data/lib/vault/defaults.rb

@@ -47,7 +47,7 @@ module Vault
         end
 
         if VAULT_DISK_TOKEN.exist? && VAULT_DISK_TOKEN.readable?
-          return VAULT_DISK_TOKEN.read
+          return VAULT_DISK_TOKEN.read.chomp
         end
 
         nil
@@ -128,7 +128,7 @@ module Vault
       def ssl_verify
         # Vault CLI uses this envvar, so accept it by precedence
         if !ENV["VAULT_SKIP_VERIFY"].nil?
-          return true
+          return false
         end
 
         if ENV["VAULT_SSL_VERIFY"].nil?

data/lib/vault/request.rb

@@ -15,5 +15,27 @@ module Vault
     def inspect
       "#<#{self.class.name}:0x#{"%x" % (self.object_id << 1)}>"
     end
+
+    private
+
+    # Removes the given header fields from options and returns the result. This
+    # modifies the given options in place.
+    #
+    # @param [Hash] options
+    #
+    # @return [Hash]
+    def extract_headers!(options = {})
+      extract = {
+        wrap_ttl: Vault::Client::WRAP_TTL_HEADER,
+      }
+
+      {}.tap do |h|
+        extract.each do |k,v|
+          if options[k]
+            h[v] = options.delete(k)
+          end
+        end
+      end
+    end
   end
 end

data/lib/vault/response.rb

@@ -1,18 +1,64 @@
 module Vault
-  module Response
-    def self.new(*members)
-      Struct.new(*members) do
-        def self.decode(object)
-          self.new(*object.values_at(*self.members))
-        end
+  class Response
+    # Defines a new field. This is designed to be used by the subclass as a
+    # mini-DSL.
+    #
+    # @example Default
+    #   field :data
+    #
+    # @example With a mutator
+    #   field :present, as: :present?
+    #
+    # @param n [Symbol] the name of the field
+    # @option opts [Symbol] :as alias for method name
+    #
+    # @!visibility private
+    def self.field(n, opts = {})
+      self.fields[n] = opts
 
-        def to_s
-          "#<#{self.class.name}>"
+      if opts[:as].nil?
+        attr_reader n
+      else
+        define_method(opts[:as]) do
+          instance_variable_get(:"@#{n}")
         end
+      end
+    end
+
+    # Returns the list of fields defined on this subclass.
+    # @!visibility private
+    def self.fields
+      @fields ||= {}
+    end
+
+    # Decodes the given object (usually a Hash) into an instance of this class.
+    #
+    # @param object [Hash<Symbol, Object>]
+    def self.decode(object)
+      self.new(object)
+    end
+
+    def initialize(opts = {})
+      # Initialize all fields as nil to start
+      self.class.fields.each do |k, _|
+        instance_variable_set(:"@#{k}", nil)
+      end
+
+      # For each supplied option, set the instance variable if it was defined
+      # as a field.
+      opts.each do |k, v|
+        if self.class.fields.key?(k)
+          opts = self.class.fields[k]
+
+          if (m = opts[:load]) && !v.nil?
+            v = m.call(v)
+          end
+
+          if opts[:freeze]
+            v = v.freeze
+          end
 
-        def inspect
-          data = self.members.map { |m| "@#{m}=#{self.public_send(m).inspect}" }.join(", ")
-          "#<#{self.class.name} #{data}>"
+          instance_variable_set(:"@#{k}", v)
         end
       end
     end

data/lib/vault/version.rb

@@ -1,3 +1,3 @@
 module Vault
-  VERSION = "0.4.0"
+  VERSION = "0.5.0"
 end

data/vault.gemspec

@@ -23,5 +23,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "pry"
   spec.add_development_dependency "rake",    "~> 10.0"
   spec.add_development_dependency "rspec",   "~> 3.2"
+  spec.add_development_dependency "yard"
   spec.add_development_dependency "webmock", "~> 1.22"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vault
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Seth Vargo
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-03-31 00:00:00.000000000 Z
+date: 2016-08-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -66,6 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
@@ -139,7 +153,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.3
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
 summary: Vault is a Ruby API client for interacting with a Vault server.