vault 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: efbf977407c93919ed45ceff129bc3df6088d462
-  data.tar.gz: 7b3a458357a1a3a9eef3606eb5d1a8160d1d04c5
+  metadata.gz: 7c5b5358811dba9b5864bc118f19b2cb0c9b7925
+  data.tar.gz: 41acb15b4a2148910f3c7fb8a01f7b51ce31e8aa
 SHA512:
-  metadata.gz: ef87eb90b77096ce92ab3f2c765f9b897bac05ec82da49ac600b62b05847ab02cfa9f29f2d09244527be308be61e1f24b3bfa99cac7df5aef45d458c993d76d2
-  data.tar.gz: 01b3384ce315cfc0e30ee11fdc020327172cde312de1f89bff1b63bf6eacd8f18425234d742b76d5551428212315424612420969c2d16edaa09bb500dea75e21
+  metadata.gz: d6ec85927a497e7dcef985d8b32b59db6c5169c1c95820e311c3f3c6617c893e520c592b411806cf81a18d03d5a1dfab9988fb319a43330a4137d18dee7b61d0
+  data.tar.gz: 787597e6f6315e2620c766d5f83e625f520401399221bc0774d9f76b6a08d342baea5fe09d061fa6dc892876167af750800b7660dc6afff99abb15b025d6c33d

data/.travis.yml

@@ -2,20 +2,25 @@ language: ruby
 cache: bundler
 sudo: false
 
-before_install: |-
-  curl -so vault.zip https://releases.hashicorp.com/vault/0.6.0/vault_0.6.0_linux_amd64.zip
-  unzip vault.zip
-  mkdir ~/bin
-  mv vault ~/bin
-  export PATH="~/bin:$PATH"
+env:
+  - VAULT_VERSION=0.6.1
+  - VAULT_VERSION=0.6.0
+  - VAULT_VERSION=0.5.3
+  - VAULT_VERSION=0.4.1
+  - VAULT_VERSION=0.3.1
+
+before_install:
+  - wget -O vault.zip -q https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
+  - unzip vault.zip
+  - mkdir ~/bin
+  - mv vault ~/bin
+  - export PATH="~/bin:$PATH"
 
 branches:
   only:
     - master
 
 rvm:
-  - 1.9.3
-  - 2.0
   - 2.1
-  - 2.2
-  - 2.3.0
+  - 2.2.5
+  - 2.3.1

data/CHANGELOG.md

@@ -1,6 +1,24 @@
 # Vault Ruby Changelog
 
-## v0.4.0.dev (Unreleased)
+## v0.6.0.dev (Unreleased)
+
+## v0.6.0 (August 30, 2016)
+
+NEW FEATURES
+
+- Add support for Vault 0.6.1 APIs
+- Add new token `accessors` API method
+- Add TLS authentication endpoints
+
+BUG FIXES
+
+- Restore old `to_h` behavior on response objects
+
+IMPROVEMENTS
+
+- Bootstrap full testing harness against old Vault versions
+
+## v0.5.0 (August 16, 2016)
 
 NEW FEATURES
 

data/lib/vault/api.rb

@@ -1,6 +1,7 @@
 module Vault
   module API
     require_relative "api/auth_token"
+    require_relative "api/auth_tls"
     require_relative "api/auth"
     require_relative "api/help"
     require_relative "api/logical"

data/lib/vault/api/auth.rb

@@ -138,5 +138,29 @@ module Vault
       client.token = secret.auth.client_token
       return secret
     end
+
+    # Authenticate via a TLS authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example Sending raw pem contents
+    #   Vault.auth.tls(pem_contents) #=> #<Vault::Secret lease_id="">
+    #
+    # @example Reading a pem from disk
+    #   Vault.auth.tls(File.read("/path/to/my/certificate.pem")) #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] pem (default: the configured SSL pem file or contents)
+    #   The raw pem contents to use for the login procedure.
+    #
+    # @return [Secret]
+    def tls(pem = nil)
+      new_client = client.dup
+      new_client.ssl_pem_contents = pem if !pem.nil?
+
+      json = new_client.post("/v1/auth/cert/login")
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
   end
 end

data/lib/vault/api/auth_tls.rb

@@ -0,0 +1,92 @@
+require "json"
+
+require_relative "secret"
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+  class Client
+    # A proxy to the {AuthTLS} methods.
+    # @return [AuthTLS]
+    def auth_tls
+      @auth_tls ||= AuthTLS.new(self)
+    end
+  end
+
+  class AuthTLS < Request
+    # Saves a certificate with the given name and attributes. The certificate
+    # with the given name must already exist.
+    #
+    # @example
+    #   Vault.auth_tls.set_certificate("web", {
+    #     display_name: "web-cert",
+    #     certificate:  "-----BEGIN CERTIFICATE...",
+    #     policies:     "default",
+    #     ttl:          3600,
+    #   }) #=> true
+    #
+    # @param [String] name
+    #   the name of the certificate
+    # @param [Hash] options
+    # @option options [String] :certificate
+    #   The PEM-formatted CA certificate.
+    # @option options [String] :policies
+    #   A comma-separated list of policies issued when authenticating with this
+    #   CA.
+    # @option options [String] :display_name
+    #   The name to display on tokens issued against this CA.
+    # @option options [Fixnum] :ttl
+    #   The TTL period of the token, provided as a number of seconds.
+    #
+    # @return [true]
+    def set_certificate(name, options = {})
+      headers = extract_headers!(options)
+      client.post("/v1/auth/cert/certs/#{CGI.escape(name)}", JSON.fast_generate(options), headers)
+      return true
+    end
+
+    # Get the certificate by the given name. If a certificate does not exist by that name,
+    # +nil+ is returned.
+    #
+    # @example
+    #   Vault.auth_tls.certificate("web") #=> #<Vault::Secret lease_id="...">
+    #
+    # @return [Secret, nil]
+    def certificate(name)
+      json = client.get("/v1/auth/cert/certs/#{CGI.escape(name)}")
+      return Secret.decode(json)
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # The list of certificates in vault auth backend.
+    #
+    # @example
+    #   Vault.auth_tls.certificates #=> ["web"]
+    #
+    # @return [Array<String>]
+    def certificates(options = {})
+      headers = extract_headers!(options)
+      json = client.list("/v1/auth/cert/certs", options, headers)
+      return Secret.decode(json).data[:keys] || []
+    rescue HTTPError => e
+      return [] if e.code == 404
+      raise
+    end
+
+    # Delete the certificate with the given name. If a certificate does not exist, vault
+    # will not return an error.
+    #
+    # @example
+    #   Vault.auth_tls.delete_certificate("web") #=> true
+    #
+    # @param [String] name
+    #   the name of the certificate
+    def delete_certificate(name)
+      client.delete("/v1/auth/cert/certs/#{CGI.escape(name)}")
+      return true
+    end
+  end
+end

data/lib/vault/api/auth_token.rb

@@ -15,6 +15,19 @@ module Vault
   end
 
   class AuthToken < Request
+    # Lists all token accessors.
+    #
+    # @example Listing token accessors
+    #   result = Vault.auth_token.accessors #=> #<Vault::Secret>
+    #   result.data[:keys] #=> ["476ea048-ded5-4d07-eeea-938c6b4e43ec", "bb00c093-b7d3-b0e9-69cc-c4d85081165b"]
+    #
+    # @return [Array<Secret>]
+    def accessors(options = {})
+      headers = extract_headers!(options)
+      json = client.list("/v1/auth/token/accessors", options, headers)
+      return Secret.decode(json)
+    end
+
     # Create an authentication token. Note that the parameters specified below
     # are not validated and passed directly to the Vault server. Depending on
     # the version of Vault in operation, some of these options may not work, and
@@ -99,6 +112,17 @@ module Vault
       return Secret.decode(json)
     end
 
+    # Lookup information about the given token accessor.
+    #
+    # @example
+    #   Vault.auth_token.lookup_accessor("acbd-...") #=> #<Vault::Secret lease_id="">
+    def lookup_accessor(accessor)
+      json = client.post("/v1/auth/token/lookup-accessor", JSON.fast_generate(
+        accessor: accessor,
+      ))
+      return Secret.decode(json)
+    end
+
     # Lookup information about the given token.
     #
     # @example

data/lib/vault/api/sys/audit.rb

@@ -27,6 +27,7 @@ module Vault
     # @return [Hash<Symbol, Audit>]
     def audits
       json = client.get("/v1/sys/audit")
+      json = json[:data] if json[:data]
       return Hash[*json.map do |k,v|
         [k.to_s.chomp("/").to_sym, Audit.decode(v)]
       end.flatten]

data/lib/vault/api/sys/auth.rb

@@ -22,6 +22,7 @@ module Vault
     # @return [Hash<Symbol, Auth>]
     def auths
       json = client.get("/v1/sys/auth")
+      json = json[:data] if json[:data]
       return Hash[*json.map do |k,v|
         [k.to_s.chomp("/").to_sym, Auth.decode(v)]
       end.flatten]

data/lib/vault/api/sys/mount.rb

@@ -27,6 +27,7 @@ module Vault
     # @return [Hash<Symbol, Mount>]
     def mounts
       json = client.get("/v1/sys/mounts")
+      json = json[:data] if json[:data]
       return Hash[*json.map do |k,v|
         [k.to_s.chomp("/").to_sym, Mount.decode(v)]
       end.flatten]

data/lib/vault/client.rb

@@ -202,8 +202,8 @@ module Vault
         connection.ciphers = ssl_ciphers
 
         # Custom pem files, no problem!
-        if ssl_pem_file
-          pem = File.read(ssl_pem_file)
+        pem = ssl_pem_contents || ssl_pem_file ? File.read(ssl_pem_file) : nil
+        if pem
           connection.cert = OpenSSL::X509::Certificate.new(pem)
           connection.key = OpenSSL::PKey::RSA.new(pem, ssl_pem_passphrase)
           connection.verify_mode = OpenSSL::SSL::VERIFY_PEER

data/lib/vault/configurable.rb

@@ -13,6 +13,7 @@ module Vault
         :proxy_username,
         :read_timeout,
         :ssl_ciphers,
+        :ssl_pem_contents,
         :ssl_pem_file,
         :ssl_pem_passphrase,
         :ssl_ca_cert,

data/lib/vault/defaults.rb

@@ -98,10 +98,18 @@ module Vault
         ENV["VAULT_SSL_CIPHERS"] || SSL_CIPHERS
       end
 
+      # The raw contents (as a string) for the pem file. To specify the path to
+      # the pem file, use {#ssl_pem_file} instead. This value is preferred over
+      # the value for {#ssl_pem_file}, if set.
+      # @return [String, nil]
+      def ssl_pem_contents
+        ENV["VAULT_SSL_PEM_CONTENTS"]
+      end
+
       # The path to a pem on disk to use with custom SSL verification
       # @return [String, nil]
       def ssl_pem_file
-        ENV["VAULT_SSL_CERT"]
+        ENV["VAULT_SSL_CERT"] || ENV["VAULT_SSL_PEM_FILE"]
       end
 
       # Passphrase to the pem file on disk to use with custom SSL verification

data/lib/vault/response.rb

@@ -62,5 +62,28 @@ module Vault
         end
       end
     end
+
+    # Create a hash-bashed representation of this response.
+    #
+    # @return [Hash]
+    def to_h
+      self.class.fields.inject({}) do |h, (k, opts)|
+        if opts[:as].nil?
+          h[k] = self.public_send(k)
+        else
+          h[k] = self.public_send(opts[:as])
+        end
+
+        if !h[k].nil? && h[k].respond_to?(:to_h)
+          h[k] = h[k].to_h
+        end
+
+        h
+      end
+    end
+
+    def ==(other)
+      self.to_h == other.to_h
+    end
   end
 end

data/lib/vault/version.rb

@@ -1,3 +1,3 @@
 module Vault
-  VERSION = "0.5.0"
+  VERSION = "0.6.0"
 end

data/vault.gemspec

@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler"
   spec.add_development_dependency "pry"
   spec.add_development_dependency "rake",    "~> 10.0"
-  spec.add_development_dependency "rspec",   "~> 3.2"
+  spec.add_development_dependency "rspec",   "~> 3.5"
   spec.add_development_dependency "yard"
   spec.add_development_dependency "webmock", "~> 1.22"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vault
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Seth Vargo
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-08-16 00:00:00.000000000 Z
+date: 2016-08-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.2'
+        version: '3.5'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.2'
+        version: '3.5'
 - !ruby/object:Gem::Dependency
   name: yard
   requirement: !ruby/object:Gem::Requirement
@@ -112,6 +112,7 @@ files:
 - lib/vault.rb
 - lib/vault/api.rb
 - lib/vault/api/auth.rb
+- lib/vault/api/auth_tls.rb
 - lib/vault/api/auth_token.rb
 - lib/vault/api/help.rb
 - lib/vault/api/logical.rb