vault_api 1.0.0

data/lib/vault_api/client/policies.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+# VaultApi::Client::Policies
+module VaultApi
+  class Client
+    module Policies
+      def create_initial_user_policy(username)
+        puts "Creating #{username}_policy"
+        if VaultApi.put_policy("#{username}_policy", policy_json(username))
+          puts "Created #{username}_policy"
+          true
+        else
+          false
+        end
+      end
+
+      def read_policy(username)
+        VaultApi.policy("#{username}_policy")
+      end
+
+      def create_policy(username, path = '', capabilities = [])
+        policy_rules = {}
+        policy_rules[:path] ||= {}
+        policy_rules[:path][path.to_s] ||= {}
+        policy_rules[:path][path.to_s][:capabilities] = capabilities
+        VaultApi.put_policy("#{username}_policy", policy_rules.to_json)
+      end
+
+      def update_policy(username, path = '', capabilities = [])
+        policy = VaultApi.policy("#{username}_policy")
+        policy_rules = JSON.parse(policy.rules).with_indifferent_access
+        policy_rules[:path][path.to_s] ||= {}
+        policy_rules[:path][path.to_s][:capabilities] = capabilities
+        VaultApi.put_policy("#{username}_policy", policy_rules.to_json)
+      end
+
+      def delete_policy(username)
+        VaultApi.delete_policy("#{username}_policy")
+      end
+
+      private
+
+      def policy_json(username)
+        {
+          path: {
+            "secret/#{VaultApi.env}/#{username}/*" => {
+              capabilities: %w[create read update delete list]
+            },
+            "#{VaultApi.secret_global_base_path}/*" => {
+              capabilities: %w[read list]
+            },
+            :'secret/*' => {
+              capabilities: %w[read list]
+            },
+            :'auth/token/lookup-self' => {
+              capabilities: %w[read]
+            },
+            :'sys/capabilities-self' => {
+              capabilities: %w[update read]
+            },
+            :'sys/mounts' => {
+              capabilities: %w[read]
+            },
+            :'sys/auth' => {
+              capabilities: %w[read]
+            },
+            "sys/policy/#{username}_policy" => {
+              capabilities: %w[read]
+            }
+          }
+        }.to_json
+      end
+    end
+  end
+end

data/lib/vault_api/client/secrets.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+# VaultApi::Client::Secrets
+module VaultApi
+  class Client
+    module Secrets
+      def secrets(user_name = nil)
+        VaultApi.list(VaultApi.secret_base_path(user_name))
+      end
+
+      def read_secret(config_name, user_name = nil)
+        VaultApi.read("#{VaultApi.secret_base_path(user_name)}/#{config_name}").data
+      end
+
+      def add_secret(config_file_path, user_name = nil)
+        file_basename = File.basename(config_file_path, '.yml')
+        secret_path = "#{VaultApi.secret_base_path(user_name)}/#{file_basename}"
+
+        output_json = JSON.dump(YAML.load_file(config_file_path))
+        obj = JSON.parse(output_json)
+        content = obj[VaultApi.env.to_s]
+        VaultApi.write(secret_path, content)
+      end
+
+      def update_secret(config_file_path, user_name = nil)
+        add_secret(config_file_path, user_name) # overwrites existing file
+      end
+
+      def upload_secrets(config_folder_path, user_name = nil)
+        Dir.chdir config_folder_path
+        Dir.glob('*.yml').each do |file|
+          add_secret("#{config_folder_path}/#{file}", user_name)
+        end
+      end
+
+      def delete_secret(config_name, user_name = nil)
+        VaultApi.delete("#{VaultApi.secret_base_path(user_name)}/#{config_name}")
+      end
+    end
+  end
+end

data/lib/vault_api/client/users.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require 'net/https'
+require 'uri'
+require 'securerandom'
+
+# VaultApi::Client::Users
+module VaultApi
+  class Client
+    module Users
+      def create_user(username)
+        secure_password = SecureRandom.hex(12)
+
+        creds = {
+          'password' => secure_password.to_s,
+          'policies' => "#{username}_policy"
+        }
+        uri = URI.parse("#{VaultApi.address}/v1/#{VaultApi.auth_users_path}/#{username}")
+
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true
+
+        request = Net::HTTP::Post.new(uri.request_uri)
+        request.body = creds.to_json
+        request['X-Vault-Token'] = VaultApi.token.to_s
+
+        http.request(request)
+
+        creds
+      end
+
+      def create_user_with_secret(username)
+        users = VaultApi.list(VaultApi.auth_users_path)
+
+        if users.include? username.to_s
+          puts "Vault user '#{username}' already exists."
+          # exit 1
+        else
+          create_initial_user_policy(username)
+          creds = create_user(username)
+          add_secrets_to_user_from_global(username)
+
+          creds
+        end
+      end
+
+      def add_secrets_to_user_from_global(username)
+        global_path = VaultApi.secret_global_base_path
+        secrets = VaultApi.list(global_path)
+
+        secrets.each do |filename|
+          path_admin = "#{global_path}/#{filename}"
+          data = VaultApi.read(path_admin).data
+          user_path = "secret/#{VaultApi.env}/#{username}/#{filename}"
+          VaultApi.write(user_path, data)
+        end
+      end
+
+      def delete_user(username)
+        VaultApi.delete("/#{VaultApi.auth_users_path}/#{username}")
+        delete_policy(username)
+        delete_path(VaultApi.secret_user_base_path(username))
+      end
+    end
+  end
+end

data/lib/vault_api/client.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require File.expand_path('api', __dir__)
+
+module VaultApi
+  # Wrapper for the VaultApi REST API.
+  class Client < API
+    Dir[File.expand_path('client/*.rb', __dir__)].each { |f| require f }
+
+    include VaultApi::Client::Paths
+    include VaultApi::Client::Users
+    include VaultApi::Client::Entries
+    include VaultApi::Client::Secrets
+    include VaultApi::Client::Policies
+  end
+end

data/lib/vault_api/configuration.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module VaultApi
+  module Configuration
+    VALID_OPTIONS_KEYS = %i[
+      address
+      token
+      user
+      password
+      env
+
+      logger
+    ].freeze
+
+    # Use the default Faraday adapter.
+    # DEFAULT_ADAPTER = Faraday.default_adapter
+
+    # By default use the main api URL.
+    DEFAULT_ADDRESS = ''
+
+    attr_accessor *VALID_OPTIONS_KEYS
+
+    # Convenience method to allow configuration options to be set in a block
+    def configure
+      yield self
+    end
+
+    def options
+      VALID_OPTIONS_KEYS.each_with_object({}) do |key, option|
+        option[key] = send(key)
+      end
+    end
+
+    # When this module is extended, reset all settings.
+    def self.extended(base)
+      base.reset
+    end
+
+    # Reset all configuration settings to default values.
+    def reset
+      self.address = DEFAULT_ADDRESS
+      # self.adapter  = DEFAULT_ADAPTER
+    end
+  end
+end

data/lib/vault_api/connection.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'vault'
+module VaultApi
+  module Connection
+    # private
+
+    def connection
+      if token
+        connection_obj = Vault::Client.new(address: address, token: token)
+      else
+        connection_obj = Vault::Client.new(address: address)
+        connection_obj.auth.userpass(user, password)
+      end
+      connection_obj
+    end
+  end
+end

data/lib/vault_api/error.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module VaultApi
+  class Error < StandardError
+    def initialize(e)
+      @wrapped_exception = nil
+
+      if e.respond_to?(:backtrace)
+        super(e.message)
+        @wrapped_exception = e
+      else
+        super(e.to_s)
+      end
+    end
+
+    def backtrace
+      if @wrapped_exception
+        @wrapped_exception.backtrace
+      else
+        super
+      end
+    end
+
+    def inspect
+      inner = ''
+      inner << " wrapped=#{@wrapped_exception.inspect}" if @wrapped_exception
+      inner << " #{super}" if inner.empty?
+      %(#<#{self.class}#{inner}>)
+    end
+  end
+
+  class ConnectionError < Error; end
+  class AuthorizationError < Error; end
+  class BadRequestError < Error; end
+  class RecordNotFoundError < Error; end
+
+  class TimeoutError < Error; end
+  class NotFoundError < Error; end
+  class SSLError < Error; end
+  class ParseError < Error; end
+  class UnauthorizedError < Error; end
+
+  %i[Error
+     ConnectionError AuthorizationError BadRequestError RecordNotFoundError
+     TimeoutError NotFoundError SSLError ParseError UnauthorizedError].each do |const|
+    Error.const_set(const, VaultApi.const_get(const))
+  end
+end

data/lib/vault_api/request.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module VaultApi
+  module Request
+    def list(params)
+      request(:list, params)
+    end
+
+    def read(params)
+      request(:read, params)
+    end
+
+    def write(path, config)
+      request(:write, path, config)
+    end
+
+    def delete(params)
+      request(:delete, params)
+    end
+
+    def policy(params)
+      request_sys(:policy, params)
+    end
+
+    def put_policy(params, rules)
+      request_sys(:put_policy, params, rules)
+    end
+
+    def delete_policy(params)
+      request_sys(:delete_policy, params)
+    end
+
+    private
+
+    def request(method, *params)
+      begin
+        response = case method
+                   when :write
+                     connection.logical.send(method, params[0], params[1])
+                   else
+                     connection.logical.send(method, params[0])
+                   end
+      rescue StandardError => e
+        raise Error, e
+      end
+
+      response
+    end
+
+    def request_sys(method, *params)
+      begin
+        response = case method
+                   when :put_policy
+                     connection.sys.send(method, params[0], params[1])
+                   else
+                     connection.sys.send(method, params[0])
+                   end
+      rescue StandardError => e
+        raise Error, e
+      end
+
+      response
+    end
+  end
+end

data/lib/vault_api/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module VaultApi
+  VERSION = '1.0.0'
+end

data/lib/vault_api.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'pry'
+require 'active_support/all'
+
+require 'vault_api/api'
+require 'vault_api/client'
+require 'vault_api/version'
+
+require File.expand_path('vault_api/configuration', __dir__)
+require File.expand_path('vault_api/api', __dir__)
+require File.expand_path('vault_api/client', __dir__)
+require File.expand_path('vault_api/error', __dir__)
+
+module VaultApi
+  extend Configuration
+  # Alias for VaultApi::Client.new
+  # @return [VaultApi::Client]
+  def self.client(options = {})
+    VaultApi::Client.new(options)
+  end
+
+  # Delegate to VaultApi::Client
+  def self.method_missing(method, *args, &block)
+    return super unless client.respond_to?(method)
+
+    client.send(method, *args, &block)
+  end
+
+  def self.secret_base_path(user_name = nil)
+    if user_name.present?
+      secret_user_base_path(user_name)
+    elsif VaultApi.user.present? # && VaultApi.password.present?
+      secret_user_base_path
+    elsif VaultApi.token.present?
+      secret_global_base_path
+    else
+      ''
+    end
+  end
+
+  def self.secret_global_base_path
+    "secret/global/#{VaultApi.env}"
+  end
+
+  def self.secret_user_base_path(user_name = nil)
+    if user_name.present?
+      "secret/#{VaultApi.env}/#{user_name}"
+    else
+      "secret/#{VaultApi.env}/#{VaultApi.user}"
+    end
+  end
+
+  def self.auth_users_path
+    'auth/userpass/users'
+  end
+end

data/vault_api.gemspec

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'vault_api/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'vault_api'
+  spec.version       = VaultApi::VERSION
+  spec.authors       = ['Sachin S Wagh']
+  spec.email         = ['sachinwagh2392@gmail.com']
+
+  spec.summary       = 'Client for the vault_api API'
+  spec.description   = 'Client for the vault_api API'
+  spec.homepage      = ''
+  spec.license       = 'MIT'
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata['allowed_push_host'] = 'https://rubygems.org'
+  else
+    raise 'RubyGems 2.0 or newer is required to protect against ' \
+      'public gem pushes.'
+  end
+
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  # spec.files = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
+
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'byebug'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rspec-expectations'
+  spec.add_development_dependency 'rspec-mocks'
+  spec.add_development_dependency 'rspec_junit_formatter'
+
+  ###
+  spec.add_development_dependency 'awesome_print'
+  spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'rubocop'
+  spec.add_development_dependency 'rubocop-rspec'
+
+  spec.add_runtime_dependency 'activesupport'
+  # spec.add_runtime_dependency 'faraday'
+  # spec.add_runtime_dependency 'faraday_middleware'
+  spec.add_runtime_dependency 'hashie'
+  spec.add_runtime_dependency 'nokogiri'
+  # spec.add_runtime_dependency 'vcr'
+  spec.add_runtime_dependency 'rest-client'
+  spec.add_runtime_dependency 'vcr', '3.0'
+  ###
+
+  spec.add_runtime_dependency('vault')
+  spec.add_runtime_dependency('webmock')
+end