vault_api 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: cad0684533828eb9a886d3fd4f87d2c0e6767167
+  data.tar.gz: 59365c804b209091283966c83e9ceb4949435a6a
+SHA512:
+  metadata.gz: c29828e3d653be206b029443a129d42275efb17ac760ed17d6d643819774a7c6f41b884aec702f99e0f24238ee1828b15f98fcd623e232d5e362150a9d32e077
+  data.tar.gz: 54de3d79f44d5a9146477d185d804cdfdfad9972bc6d5391f257feb42d09db6f9038b4e30529e09d7bb91bc9201327aceb94f24dfb328d1959b1e0d293042ef0

data/CHANGELOG

@@ -0,0 +1,9 @@
+=== 1.0.0
+* Added Vault API.
+* Reorganised directory structure.
+* Increased the configurability.
+* Renamed the configs to secrets.
+* Added ability to add and delete keys.
+* Added ability to clone keys from global to target_users.
+* Added ability to configure capabilities for .
+* Added ability for CRUD operations for Users, Paths, Policies, Secrets, Entries.

data/Gemfile

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,124 @@
+PATH
+  remote: .
+  specs:
+    vault_api (1.0.0)
+      activesupport
+      hashie
+      nokogiri
+      rest-client
+      vault
+      vcr (= 3.0)
+      webmock
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (5.2.3)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    addressable (2.6.0)
+      public_suffix (>= 2.0.2, < 4.0)
+    ast (2.4.0)
+    awesome_print (1.8.0)
+    aws-eventstream (1.0.3)
+    aws-sigv4 (1.1.0)
+      aws-eventstream (~> 1.0, >= 1.0.2)
+    byebug (10.0.2)
+    coderay (1.1.2)
+    concurrent-ruby (1.1.5)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
+    diff-lcs (1.3)
+    domain_name (0.5.20180417)
+      unf (>= 0.0.5, < 1.0.0)
+    hashdiff (0.4.0)
+    hashie (3.6.0)
+    http-cookie (1.0.3)
+      domain_name (~> 0.5)
+    i18n (1.6.0)
+      concurrent-ruby (~> 1.0)
+    jaro_winkler (1.5.3)
+    method_source (0.9.0)
+    mime-types (3.2.2)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2019.0331)
+    mini_portile2 (2.4.0)
+    minitest (5.11.3)
+    netrc (0.11.0)
+    nokogiri (1.10.3)
+      mini_portile2 (~> 2.4.0)
+    parallel (1.17.0)
+    parser (2.6.3.0)
+      ast (~> 2.4.0)
+    pry (0.11.3)
+      coderay (~> 1.1.0)
+      method_source (~> 0.9.0)
+    public_suffix (3.1.1)
+    rainbow (3.0.0)
+    rake (10.5.0)
+    rest-client (2.0.2)
+      http-cookie (>= 1.0.2, < 2.0)
+      mime-types (>= 1.16, < 4.0)
+      netrc (~> 0.8)
+    rspec (3.7.0)
+      rspec-core (~> 3.7.0)
+      rspec-expectations (~> 3.7.0)
+      rspec-mocks (~> 3.7.0)
+    rspec-core (3.7.1)
+      rspec-support (~> 3.7.0)
+    rspec-expectations (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-mocks (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-support (3.7.1)
+    rspec_junit_formatter (0.4.1)
+      rspec-core (>= 2, < 4, != 2.12.0)
+    rubocop (0.72.0)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.6)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 1.7)
+    rubocop-rspec (1.33.0)
+      rubocop (>= 0.60.0)
+    ruby-progressbar (1.10.1)
+    safe_yaml (1.0.5)
+    thread_safe (0.3.6)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.7.6)
+    unicode-display_width (1.6.0)
+    vault (0.12.0)
+      aws-sigv4
+    vcr (3.0.0)
+    webmock (3.6.0)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  awesome_print
+  bundler
+  byebug
+  pry
+  rake (~> 10.0)
+  rspec (~> 3.0)
+  rspec-expectations
+  rspec-mocks
+  rspec_junit_formatter
+  rubocop
+  rubocop-rspec
+  vault_api!
+
+BUNDLED WITH
+   1.17.1

data/LICENSE.txt

@@ -0,0 +1,23 @@
+Copyright (c) 2019 Sachin Wagh
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

data/README.md

@@ -0,0 +1,226 @@
+# VaultApi
+
+A ruby wrapper for the Vault gem.
+
+## Installation
+Add this line to your application's Gemfile:
+
+```
+gem 'vault_api'
+```
+And then execute:
+```
+$ bundle
+```
+Or install it yourself as:
+
+```
+$ gem build vault_api.gemspec
+$ gem install 'vault_api'
+```
+
+## Usage
+
+### Configuration
+
+Before you can make calls to VaultApi you must configure the library with a valid api_token or user/password. You can request a token be generated by VaultApi.
+
+There are two ways to configure the gem. You can pass a hash of configuration options when you create a client, or you can use a configure block.
+
+I) Passing hash of configuration.
+
+#### For admin user
+```ruby
+client = VaultApi.client({
+  address: 'VAULT_SERVER_ADDRESS',
+  token:   'VAULT_TOKEN',
+  env:     'ENVIRONMENT'
+})
+```
+#### For normal user
+```ruby
+client = VaultApi.client({
+  address:  'VAULT_SERVER_ADDRESS',
+  user:     'VAULT_USER_NAME',
+  password: 'VAULT_PASSWORD',
+  env:      'ENVIRONMENT'
+})
+```
+
+II) Using a configure block
+
+#### For admin user
+```ruby
+VaultApi.configure do |config|
+  config.address = 'VAULT_SERVER_ADDRESS'
+  config.token   = 'VAULT_TOKEN'
+  config.env     = 'ENVIRONMENT'
+end
+client = VaultApi.client
+```
+
+#### For normal user
+```ruby
+VaultApi.configure do |config|
+  config.address  = 'VAULT_SERVER_ADDRESS'
+  config.user     = 'VAULT_USER_NAME'
+  config.password = 'VAULT_PASSWORD'
+  config.env      = 'ENVIRONMENT'
+end
+client = VaultApi.client
+```
+## Limitations in Configuration
+
+To configure Vault as a root user, you must specify 'token' parameter in configuration and do not specify 'user' and 'password' parameters.
+
+To configure Vault as a normal user, you must specify 'user' and 'password' parameters
+in configuration not do not specify 'token' parameter.
+
+If you specify both i.e. 'token' and 'user-password' configurations then 'user-password' would be prefered over 'token' configuration. Still vault-api may not behave as expected.
+
+##### Example calls
+
+##### 1. Secrets
+###### i) Add a secret file.
+
+```ruby
+client.add_secret("path/to/secret/file/secret_file_name.yml")
+```
+
+###### ii) Upload secret files.
+
+```ruby
+client.upload_secrets("path/to/secrets/folder")
+```
+
+###### iii) Get a secret file.
+
+```ruby
+client.read_secret('secret_file_name')
+```
+
+###### iv) Get secrets.
+
+```ruby
+client.secrets
+```
+
+###### v) Delete a secret.
+
+```ruby
+client.delete_secret('secret_file_name')
+```
+
+##### 2. Policies
+###### i) Add a policy.
+
+```ruby
+client.create_policy('user', 'policy_path', ['capability_1', 'capability_2'])
+```
+
+###### ii) Get a policy.
+
+```ruby
+client.read_policy('user')
+```
+
+###### iii) Update a policy.
+
+```ruby
+client.update_policy('user', 'policy_path', ['capability_3'])
+```
+
+###### iv) Delete a policy
+
+```ruby
+client.delete_policy('user')
+```
+
+##### 3. Entries CRUD.
+###### i) Add an entry.
+
+```ruby
+client.add_entry('secret_name', 'key', 'value')
+```
+
+###### ii) Get an entry.
+
+```ruby
+client.read_entry('secret_name', 'key')
+```
+
+###### iii) Update an entry.
+
+```ruby
+client.update_entry('secret_name', 'key', 'value')
+```
+
+###### iv) Delete an entry.
+
+```ruby
+client.delete_entry('secret_name', 'key')
+```
+
+##### 4. Clone Entries.
+
+###### i) Clone an entry to single target user.
+
+```ruby
+client.clone_entry('secret_name', 'key', 'target_username')
+```
+
+###### ii) Clone multiple entries to single target user.
+
+```ruby
+client.clone_entry('secret_name', ['key1', 'key2'], 'target_username')
+```
+
+###### iii) Clone all entries to single target user.
+
+```ruby
+client.clone_entry('secret_name', 'all', 'target_username')
+```
+
+###### iv) Clone an entry to multiple target users.
+
+```ruby
+client.clone_entry('secret_name', 'key', ['target_username1', 'target_username2'])
+```
+
+###### v) Clone multiple entries to multiple target users.
+
+```ruby
+client.clone_entry('secret_name', ['key1', 'key2'], ['target_username1', 'target_username2'])
+```
+
+###### vi) Clone all entries to multiple target users.
+
+```ruby
+client.clone_entry('secret_name', 'all', ['target_username1', 'target_username2'])
+```
+
+###### vii) Clone an entry to all target users.
+
+```ruby
+client.clone_entry('secret_name', 'key', 'all')
+```
+
+###### viii) Clone multiple entries to all target users.
+
+```ruby
+client.clone_entry('secret_name', ['key1', 'key2'], 'all')
+```
+
+###### ix) Clone all entries to all target users.
+
+```ruby
+client.clone_entry('secret_name', 'all', 'all')
+```
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+require 'vault_api'
+# This task  will be upload all *.yml files from config folder to vault
+desc ' upload all *.yml files from config folder to vault'
+task :upload, [:config_folder_path] do |_t, args|
+  VaultApi::Config.upload(args.config_folder_path)
+end
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/vault_conf

@@ -0,0 +1,43 @@
+# !/bin/bash
+
+# Default Values
+env=""
+config_folder_path=""
+
+# Show help
+help(){
+   echo "(-a) action (EX- upload_files)"
+   echo "(-l) config_folder_path having *yml files"
+   echo "(-h) help "
+ }
+
+while getopts a:l:h option;
+    do
+        case "$option" in
+        a)
+         action=${OPTARG};;
+        l)
+         config_folder_path=${optionARG};;
+        h)
+         helpflag="true"
+         help ;;
+    esac
+done
+
+if [ "$action" == 'upload_files' ]; then
+    if [ -z $action ]
+    then
+       echo " (-a) action (EX- upload_files)"
+    exit 1
+   fi
+
+   if [ -z $config_folder_path ]
+    then
+        echo " (-l)  config_folder_path having *yml files"
+    exit 1
+    fi
+    # To upload all config file to vault
+    bundle exec rake upload[$config_folder_path]
+elif [ ! helpflag ]; then
+   echo "Unknown paramter"
+fi

data/lib/vault_api/api.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require File.expand_path('request', __dir__)
+require File.expand_path('connection', __dir__)
+require File.expand_path('configuration', __dir__)
+
+module VaultApi
+  class API
+    include Request
+    include Connection
+
+    attr_accessor *Configuration::VALID_OPTIONS_KEYS
+
+    def initialize(options = {})
+      options = VaultApi.options.merge(options)
+      Configuration::VALID_OPTIONS_KEYS.each do |key|
+        send("#{key}=", options[key])
+      end
+    end
+
+    def config
+      conf = {}
+      Configuration::VALID_OPTIONS_KEYS.each do |key|
+        conf[key] = send key
+      end
+      conf
+    end
+  end
+end

data/lib/vault_api/client/entries.rb

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+
+# VaultApi::Client::Entries
+module VaultApi
+  class Client
+    module Entries
+      def entries(secret_name, user_name = nil)
+        read_secret(secret_name, user_name)
+      end
+
+      def add_entry(secret_name, key, value, user_name = nil)
+        process_entry(secret_name, key, value, user_name)
+      end
+
+      def read_entry(secret_name, key, user_name = nil)
+        path = config_path(secret_name, user_name)
+        config = VaultApi.read(path).data
+        config[key.to_sym]
+      end
+
+      def update_entry(secret_name, key, value, user_name = nil)
+        process_entry(secret_name, key, value, user_name)
+      end
+
+      def delete_entry(secret_name, key, user_name = nil)
+        config = VaultApi.read_secret(secret_name, user_name)
+        config = config.dup if config.frozen? # read
+        config.delete(key.to_sym)
+        path = config_path(secret_name)
+        VaultApi.write(path, config) # write
+      end
+
+      def clone_entry(secret_name, key, target)
+        if [secret_name, key, target].any?(&:blank?)
+          puts 'secret_name can\'t be blank'
+        elsif key.blank?
+          puts 'key can\'t be blank'
+        elsif target.blank?
+          puts 'target can\'t be blank'
+        else
+          if !target.is_a?(Array) && target.to_sym == :all
+            clone_entry_to_all_users(secret_name, key)
+          elsif target.is_a?(String) || target.is_a?(Symbol)
+            clone_entry_to_target_users(secret_name, key, [target])
+          elsif target.is_a?(Array)
+            clone_entry_to_target_users(secret_name, key, target)
+          else
+            'Invalid Target'
+          end
+        end
+      end
+
+      private
+
+      def clone_entry_to_users(secret_name, key, users)
+        secret = VaultApi.read_secret(secret_name)
+        secret = secret.dup.symbolize_keys
+
+        if (key.is_a?(String) && key != 'all') || (key.is_a?(Symbol) && key != :all)
+          clone_single_entry_to_users(secret_name, key, secret, users)
+        elsif key.is_a?(Array) || key.to_sym == :all
+          clone_multiple_entries_to_users(secret_name, key, secret, users)
+        end
+      end
+
+      def clone_single_entry_to_users(secret_name, key, secret, users)
+        response = {}
+
+        value = secret[key.to_sym]
+        users.map do |user_name|
+          # puts "single: user_name: #{user_name}, key: #{key}, #{value}"
+          response[user_name] ||= {}
+          entry_response = VaultApi.add_entry(secret_name, key, value, user_name)
+          response[user_name][key.to_sym] = entry_response
+        end
+
+        # puts "response: #{response}"
+
+        response
+      end
+
+      def clone_multiple_entries_to_users(secret_name, key, secret, users)
+        response = {}
+        keys = if key.is_a?(Array)
+                 key
+               else
+                 (key.to_sym == :all ? secret.keys : [])
+        end
+
+        users.map do |user_name|
+          response[user_name] ||= {}
+
+          keys.each do |k|
+            v = secret[k.to_sym]
+            entry_response = VaultApi.add_entry(secret_name, k, v, user_name)
+            response[user_name][k.to_sym] = entry_response
+          end
+        end
+
+        response
+      end
+
+      def clone_entry_to_all_users(secret_name, key)
+        users = VaultApi.list(VaultApi.auth_users_path)
+        clone_entry_to_users(secret_name, key, users)
+      end
+
+      def clone_entry_to_target_users(secret_name, key, targets)
+        targets = targets.map(&:to_sym)
+        users = VaultApi.list(VaultApi.auth_users_path) # auth_users_path
+        users = users.map(&:to_sym)
+        valid_users = (users & targets) # extracts valid target users.
+        clone_entry_to_users(secret_name, key, valid_users)
+      end
+
+      def config_path(secret_name, user_name = nil)
+        "#{VaultApi.secret_base_path(user_name)}/#{secret_name}"
+      end
+
+      def process_entry(secret_name, key, value, user_name = nil)
+        config = VaultApi.read_secret(secret_name, user_name) # read
+        config = config.dup if config.frozen?
+        config[key.to_sym] = value                 # merge
+        path = config_path(secret_name, user_name)
+        VaultApi.write(path, config)               # write
+      end
+    end
+  end
+end

data/lib/vault_api/client/paths.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module VaultApi
+  class Client
+    module Paths
+      def delete_path(vault_secret_path)
+        config_data = VaultApi.list(vault_secret_path.to_s)
+
+        if config_data.present?
+          config_data.to_a.each do |file_name|
+            VaultApi.delete("#{vault_secret_path}/#{file_name}")
+          end
+        end
+
+        VaultApi.delete(vault_secret_path.to_s)
+      end
+    end
+  end
+end