vault_ruby_client 0.18.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (47)
  1. checksums.yaml +7 -0
  2. data/CHANGELOG.md +287 -0
  3. data/LICENSE +364 -0
  4. data/README.md +223 -0
  5. data/lib/vault/api/approle.rb +221 -0
  6. data/lib/vault/api/auth.rb +324 -0
  7. data/lib/vault/api/auth_tls.rb +95 -0
  8. data/lib/vault/api/auth_token.rb +245 -0
  9. data/lib/vault/api/help.rb +36 -0
  10. data/lib/vault/api/kv.rb +230 -0
  11. data/lib/vault/api/logical.rb +153 -0
  12. data/lib/vault/api/secret.rb +171 -0
  13. data/lib/vault/api/sys/audit.rb +94 -0
  14. data/lib/vault/api/sys/auth.rb +119 -0
  15. data/lib/vault/api/sys/health.rb +66 -0
  16. data/lib/vault/api/sys/init.rb +86 -0
  17. data/lib/vault/api/sys/leader.rb +51 -0
  18. data/lib/vault/api/sys/lease.rb +52 -0
  19. data/lib/vault/api/sys/mount.rb +165 -0
  20. data/lib/vault/api/sys/namespace.rb +86 -0
  21. data/lib/vault/api/sys/policy.rb +95 -0
  22. data/lib/vault/api/sys/quota.rb +110 -0
  23. data/lib/vault/api/sys/seal.rb +84 -0
  24. data/lib/vault/api/sys.rb +30 -0
  25. data/lib/vault/api/transform/alphabet.rb +46 -0
  26. data/lib/vault/api/transform/role.rb +45 -0
  27. data/lib/vault/api/transform/template.rb +57 -0
  28. data/lib/vault/api/transform/transformation.rb +64 -0
  29. data/lib/vault/api/transform.rb +32 -0
  30. data/lib/vault/api.rb +17 -0
  31. data/lib/vault/client.rb +460 -0
  32. data/lib/vault/configurable.rb +53 -0
  33. data/lib/vault/defaults.rb +218 -0
  34. data/lib/vault/encode.rb +22 -0
  35. data/lib/vault/errors.rb +87 -0
  36. data/lib/vault/persistent/connection.rb +45 -0
  37. data/lib/vault/persistent/pool.rb +51 -0
  38. data/lib/vault/persistent/timed_stack_multi.rb +73 -0
  39. data/lib/vault/persistent.rb +1161 -0
  40. data/lib/vault/request.rb +47 -0
  41. data/lib/vault/response.rb +92 -0
  42. data/lib/vault/vendor/connection_pool/timed_stack.rb +181 -0
  43. data/lib/vault/vendor/connection_pool/version.rb +8 -0
  44. data/lib/vault/vendor/connection_pool.rb +153 -0
  45. data/lib/vault/version.rb +6 -0
  46. data/lib/vault_ruby_client.rb +53 -0
  47. metadata +158 -0
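--- a/data/lib/vault/api/auth.rb
+++ b/data/lib/vault/api/auth.rb
@@ -0,0 +1,324 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+require "json"
+
+require_relative "secret"
+require_relative "../client"
+
+module Vault
+class Client
+# A proxy to the {Auth} methods.
+# @return [Auth]
+def auth
+@auth ||= Authenticate.new(self)
+end
+end
+
+class Authenticate < Request
+# Authenticate via the "token" authentication method. This authentication
+# method is a bit bizarre because you already have a token, but hey,
+# whatever floats your boat.
+#
+# This method hits the `/v1/auth/token/lookup-self` endpoint after setting
+# the Vault client's token to the given token parameter. If the self lookup
+# succeeds, the token is persisted onto the client for future requests. If
+# the lookup fails, the old token (which could be unset) is restored on the
+# client.
+#
+# @example
+# Vault.auth.token("6440e1bd-ba22-716a-887d-e133944d22bd") #=> #<Vault::Secret lease_id="">
+# Vault.token #=> "6440e1bd-ba22-716a-887d-e133944d22bd"
+#
+# @param [String] new_token
+# the new token to try to authenticate and store on the client
+#
+# @return [Secret]
+def token(new_token)
+old_token = client.token
+client.token = new_token
+json = client.get("/v1/auth/token/lookup-self")
+secret = Secret.decode(json)
+return secret
+rescue
+client.token = old_token
+raise
+end
+
+# Authenticate via the "app-id" authentication method. If authentication is
+# successful, the resulting token will be stored on the client and used for
+# future requests.
+#
+# @example
+# Vault.auth.app_id(
+# "aeece56e-3f9b-40c3-8f85-781d3e9a8f68",
+# "3b87be76-95cf-493a-a61b-7d5fc70870ad",
+# ) #=> #<Vault::Secret lease_id="">
+#
+# @example with a custom mount point
+# Vault.auth.app_id(
+# "aeece56e-3f9b-40c3-8f85-781d3e9a8f68",
+# "3b87be76-95cf-493a-a61b-7d5fc70870ad",
+# mount: "new-app-id",
+# )
+#
+# @param [String] app_id
+# @param [String] user_id
+# @param [Hash] options
+# additional options to pass to the authentication call, such as a custom
+# mount point
+#
+# @return [Secret]
+def app_id(app_id, user_id, options = {})
+payload = { app_id: app_id, user_id: user_id }.merge(options)
+json = client.post("/v1/auth/app-id/login", JSON.fast_generate(payload))
+secret = Secret.decode(json)
+client.token = secret.auth.client_token
+return secret
+end
+
+# Authenticate via the "approle" authentication method. If authentication is
+# successful, the resulting token will be stored on the client and used for
+# future requests.
+#
+# @example
+# Vault.auth.approle(
+# "db02de05-fa39-4855-059b-67221c5c2f63",
+# "6a174c20-f6de-a53c-74d2-6018fcceff64",
+# ) #=> #<Vault::Secret lease_id="">
+#
+# @param [String] role_id
+# @param [String] secret_id (default: nil)
+# It is required when `bind_secret_id` is enabled for the specified role_id
+#
+# @return [Secret]
+def approle(role_id, secret_id=nil)
+payload = { role_id: role_id }
+payload[:secret_id] = secret_id if secret_id
+json = client.post("/v1/auth/approle/login", JSON.fast_generate(payload))
+secret = Secret.decode(json)
+client.token = secret.auth.client_token
+return secret
+end
+
+# Authenticate via the "userpass" authentication method. If authentication
+# is successful, the resulting token will be stored on the client and used
+# for future requests.
+#
+# @example
+# Vault.auth.userpass("sethvargo", "s3kr3t") #=> #<Vault::Secret lease_id="">
+#
+# @example with a custom mount point
+# Vault.auth.userpass("sethvargo", "s3kr3t", mount: "admin-login") #=> #<Vault::Secret lease_id="">
+#
+# @param [String] username
+# @param [String] password
+# @param [Hash] options
+# additional options to pass to the authentication call, such as a custom
+# mount point
+#
+# @return [Secret]
+def userpass(username, password, options = {})
+payload = { password: password }.merge(options)
+json = client.post("/v1/auth/userpass/login/#{encode_path(username)}", JSON.fast_generate(payload))
+secret = Secret.decode(json)
+client.token = secret.auth.client_token
+return secret
+end
+
+# Authenticate via the "ldap" authentication method. If authentication
+# is successful, the resulting token will be stored on the client and used
+# for future requests.
+#
+# @example
+# Vault.auth.ldap("sethvargo", "s3kr3t") #=> #<Vault::Secret lease_id="">
+#
+# @param [String] username
+# @param [String] password
+# @param [Hash] options
+# additional options to pass to the authentication call, such as a custom
+# mount point
+#
+# @return [Secret]
+def ldap(username, password, options = {})
+payload = { password: password }.merge(options)
+json = client.post("/v1/auth/ldap/login/#{encode_path(username)}", JSON.fast_generate(payload))
+secret = Secret.decode(json)
+client.token = secret.auth.client_token
+return secret
+end
+
+# Authenticate via the GitHub authentication method. If authentication is
+# successful, the resulting token will be stored on the client and used
+# for future requests.
+#
+# @example
+# Vault.auth.github("mypersonalgithubtoken") #=> #<Vault::Secret lease_id="">
+#
+# @param [String] github_token
+#
+# @return [Secret]
+def github(github_token, path="/v1/auth/github/login")
+payload = {token: github_token}
+json = client.post(path, JSON.fast_generate(payload))
+secret = Secret.decode(json)
+client.token = secret.auth.client_token
+return secret
+end
+
+# Authenticate via the AWS EC2 authentication method. If authentication is
+# successful, the resulting token will be stored on the client and used
+# for future requests.
+#
+# @example
+# Vault.auth.aws_ec2("read-only", "pkcs7", "vault-nonce") #=> #<Vault::Secret lease_id="">
+#
+# @param [String] role
+# @param [String] pkcs7
+# pkcs7 returned by the instance identity document (with line breaks removed)
+# @param [String] nonce optional
+# @param [String] route optional
+#
+# @return [Secret]
+def aws_ec2(role, pkcs7, nonce = nil, route = nil)
+route ||= '/v1/auth/aws-ec2/login'
+payload = { role: role, pkcs7: pkcs7 }
+# Set a custom nonce if client is providing one
+payload[:nonce] = nonce if nonce
+json = client.post(route, JSON.fast_generate(payload))
+secret = Secret.decode(json)
+client.token = secret.auth.client_token
+return secret
+end
+
+# Authenticate via AWS IAM auth method by providing a AWS CredentialProvider (either ECS, AssumeRole, etc.)
+# If authentication is successful, the resulting token will be stored on the client and used
+# for future requests.
+#
+# @example
+# Vault.auth.aws_iam("dev-role-iam", Aws::InstanceProfileCredentials.new, "vault.example.com", "https://sts.us-east-2.amazonaws.com") #=> #<Vault::Secret lease_id="">
+#
+# @param [String] role
+# @param [CredentialProvider] credentials_provider
+# https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CredentialProvider.html
+# @param [String] iam_auth_header_value optional
+# As of Jan 2018, Vault will accept ANY or NO header if none is configured by the Vault server admin
+# @param [String] sts_endpoint optional
+# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
+# @param [String] route optional
+# @return [Secret]
+def aws_iam(role, credentials_provider, iam_auth_header_value = nil, sts_endpoint = 'https://sts.amazonaws.com', route = nil)
+require "aws-sigv4"
+require "base64"
+
+request_body = 'Action=GetCallerIdentity&Version=2011-06-15'
+request_method = 'POST'
+
+route ||= '/v1/auth/aws/login'
+
+vault_headers = {
+'User-Agent' => Vault::Client::USER_AGENT,
+'Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8'
+}
+
+vault_headers['X-Vault-AWS-IAM-Server-ID'] = iam_auth_header_value if iam_auth_header_value
+
+sig4_headers = Aws::Sigv4::Signer.new(
+service: 'sts',
+region: region_from_sts_endpoint(sts_endpoint),
+credentials_provider: credentials_provider
+).sign_request(
+http_method: request_method,
+url: sts_endpoint,
+headers: vault_headers,
+body: request_body
+).headers
+
+payload = {
+role: role,
+iam_http_request_method: request_method,
+iam_request_url: Base64.strict_encode64(sts_endpoint),
+iam_request_headers: Base64.strict_encode64(vault_headers.merge(sig4_headers).to_json),
+iam_request_body: Base64.strict_encode64(request_body)
+}
+
+json = client.post(route, JSON.fast_generate(payload))
+secret = Secret.decode(json)
+client.token = secret.auth.client_token
+return secret
+end
+
+# Authenticate via the GCP authentication method. If authentication is
+# successful, the resulting token will be stored on the client and used
+# for future requests.
+#
+# @example
+# Vault.auth.gcp("read-only", "jwt", "gcp") #=> #<Vault::Secret lease_id="">
+#
+# @param [String] role
+# @param [String] jwt
+# jwt returned by the instance identity metadata, or iam api
+# @param [String] path optional
+# the path were the gcp auth backend is mounted
+#
+# @return [Secret]
+def gcp(role, jwt, path = 'gcp')
+payload = { role: role, jwt: jwt }
+json = client.post("/v1/auth/#{CGI.escape(path)}/login", JSON.fast_generate(payload))
+secret = Secret.decode(json)
+client.token = secret.auth.client_token
+return secret
+end
+
+# Authenticate via a TLS authentication method. If authentication is
+# successful, the resulting token will be stored on the client and used
+# for future requests.
+#
+# @example Sending raw pem contents
+# Vault.auth.tls(pem_contents) #=> #<Vault::Secret lease_id="">
+#
+# @example Reading a pem from disk
+# Vault.auth.tls(File.read("/path/to/my/certificate.pem")) #=> #<Vault::Secret lease_id="">
+#
+# @example Sending to a cert authentication backend mounted at a custom location
+# Vault.auth.tls(pem_contents, 'custom/location') #=> #<Vault::Secret lease_id="">
+#
+# @param [String] pem (default: the configured SSL pem file or contents)
+# The raw pem contents to use for the login procedure.
+#
+# @param [String] path (default: 'cert')
+# The path to the auth backend to use for the login procedure.
+#
+# @param [String] name optional
+# The named certificate role provided to the login request.
+#
+# @return [Secret]
+def tls(pem = nil, path = 'cert', name: nil)
+new_client = client.dup
+new_client.ssl_pem_contents = pem if !pem.nil?
+
+opts = {}
+opts[:name] = name if name
+json = new_client.post("/v1/auth/#{CGI.escape(path)}/login", opts)
+secret = Secret.decode(json)
+client.token = secret.auth.client_token
+return secret
+end
+
+private
+
+# Parse an AWS region from a STS endpoint
+# STS in the China (Beijing) region (cn-north-1) is sts.cn-north-1.amazonaws.com.cn
+# Take care changing below regex with that edge case in mind
+#
+# @param [String] sts_endpoint
+# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
+#
+# @return [String] aws region
+def region_from_sts_endpoint(sts_endpoint)
+valid_sts_endpoint = %r{https:\/\/sts\.?(.*)\.amazonaws\.com}.match(sts_endpoint)
+raise "Unable to parse STS endpoint #{sts_endpoint}" unless valid_sts_endpoint
+valid_sts_endpoint[1].empty? ? 'us-east-1' : valid_sts_endpoint[1]
+end
+end
+end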
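Review bot: The `iam_auth_header_value` parameter of `aws_iam` is documented only as "As of Jan 2018, Vault will accept ANY or NO header if none is configured", which is stale and hides why the `X-Vault-AWS-IAM-Server-ID` header is folded into the signed request: as I understand the aws auth method, when the mount has a server ID configured the signature is bound to that Vault so it cannot be replayed against a different cluster, and login fails if the value is omitted or wrong. I would replace that line with `# Should match the mount's configured iam_server_id_header_value; it binds the signed request to this Vault and mitigates replay against other servers (login fails if the mount expects it and it is omitted).` Separately, `gcp` and `tls` build the login URL with `CGI.escape(path)` while `userpass`/`ldap` use `encode_path`; `CGI.escape` turns the `/` in the documented `'custom/location'` example into `%2F`, so it is worth confirming against `encode_path` in encode.rb (not in this hunk) that both forms reach the same mount. `region_from_sts_endpoint` also relies on an unanchored greedy `.*`; anchoring it with `\A`/`\z` and restricting the captured region to `[a-z0-9-]+` would make an unexpected endpoint fail fast instead of signing with a bogus region.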
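--- a/data/lib/vault/api/auth_tls.rb
+++ b/data/lib/vault/api/auth_tls.rb
@@ -0,0 +1,95 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+require "json"
+
+require_relative "secret"
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+class Client
+# A proxy to the {AuthTLS} methods.
+# @return [AuthTLS]
+def auth_tls
+@auth_tls ||= AuthTLS.new(self)
+end
+end
+
+class AuthTLS < Request
+# Saves a certificate with the given name and attributes. The certificate
+# with the given name must already exist.
+#
+# @example
+# Vault.auth_tls.set_certificate("web", {
+# display_name: "web-cert",
+# certificate: "-----BEGIN CERTIFICATE...",
+# policies: "default",
+# ttl: 3600,
+# }) #=> true
+#
+# @param [String] name
+# the name of the certificate
+# @param [Hash] options
+# @option options [String] :certificate
+# The PEM-formatted CA certificate.
+# @option options [String] :policies
+# A comma-separated list of policies issued when authenticating with this
+# CA.
+# @option options [String] :display_name
+# The name to display on tokens issued against this CA.
+# @option options [Fixnum] :ttl
+# The TTL period of the token, provided as a number of seconds.
+#
+# @return [true]
+def set_certificate(name, options = {})
+headers = extract_headers!(options)
+client.post("/v1/auth/cert/certs/#{encode_path(name)}", JSON.fast_generate(options), headers)
+return true
+end
+
+# Get the certificate by the given name. If a certificate does not exist by that name,
+# +nil+ is returned.
+#
+# @example
+# Vault.auth_tls.certificate("web") #=> #<Vault::Secret lease_id="...">
+#
+# @return [Secret, nil]
+def certificate(name)
+json = client.get("/v1/auth/cert/certs/#{encode_path(name)}")
+return Secret.decode(json)
+rescue HTTPError => e
+return nil if e.code == 404
+raise
+end
+
+# The list of certificates in vault auth backend.
+#
+# @example
+# Vault.auth_tls.certificates #=> ["web"]
+#
+# @return [Array<String>]
+def certificates(options = {})
+headers = extract_headers!(options)
+json = client.list("/v1/auth/cert/certs", options, headers)
+return Secret.decode(json).data[:keys] || []
+rescue HTTPError => e
+return [] if e.code == 404
+raise
+end
+
+# Delete the certificate with the given name. If a certificate does not exist, vault
+# will not return an error.
+#
+# @example
+# Vault.auth_tls.delete_certificate("web") #=> true
+#
+# @param [String] name
+# the name of the certificate
+def delete_certificate(name)
+client.delete("/v1/auth/cert/certs/#{encode_path(name)}")
+return true
+end
+end
+end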
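Review bot: The mount path `/v1/auth/cert/` is hard-coded in all four methods of `AuthTLS`, so a cert backend enabled at a custom path (which `Authenticate#tls` in auth.rb supports through its `path` argument) cannot be managed from here; consider a `mount: "cert"` keyword run through `encode_path` the way `name` already is. The `set_certificate` docstring is also inconsistent with itself: it says the method "Saves a certificate" and then that "The certificate with the given name must already exist", yet nothing in the method checks existence — if this POST creates or updates the entry, as the name suggests, I would change the second sentence to `# If a certificate with the given name already exists it is overwritten.` Because `options` is forwarded to Vault unvalidated (only headers are extracted), the `@option` list should say so, e.g. `# Any other keys are forwarded unchanged to the cert backend (backend-specific constraints on which client certificates may log in belong here).`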
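--- a/data/lib/vault/api/auth_token.rb
+++ b/data/lib/vault/api/auth_token.rb
@@ -0,0 +1,245 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+require "json"
+
+require_relative "secret"
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+class Client
+# A proxy to the {AuthToken} methods.
+# @return [AuthToken]
+def auth_token
+@auth_token ||= AuthToken.new(self)
+end
+end
+
+class AuthToken < Request
+# Lists all token accessors.
+#
+# @example Listing token accessors
+# result = Vault.auth_token.accessors #=> #<Vault::Secret>
+# result.data[:keys] #=> ["476ea048-ded5-4d07-eeea-938c6b4e43ec", "bb00c093-b7d3-b0e9-69cc-c4d85081165b"]
+#
+# @return [Array<Secret>]
+def accessors(options = {})
+headers = extract_headers!(options)
+json = client.list("/v1/auth/token/accessors", options, headers)
+return Secret.decode(json)
+end
+
+# Create an authentication token. Note that the parameters specified below
+# are not validated and passed directly to the Vault server. Depending on
+# the version of Vault in operation, some of these options may not work, and
+# newer options may be available that are not listed here.
+#
+# @example Creating a token
+# Vault.auth_token.create #=> #<Vault::Secret lease_id="">
+#
+# @example Creating a token assigned to policies with a wrap TTL
+# Vault.auth_token.create(
+# policies: ["myapp"],
+# wrap_ttl: 500,
+# )
+#
+# @param [Hash] options
+# @option options [String] :id
+# The ID of the client token - this can only be specified for root tokens
+# @option options [Array<String>] :policies
+# List of policies to apply to the token
+# @option options [Fixnum, String] :wrap_ttl
+# The number of seconds or a golang-formatted timestamp like "5s" or "10m"
+# for the TTL on the wrapped response
+# @option options [Hash<String, String>] :meta
+# A map of metadata that is passed to audit backends
+# @option options [Boolean] :no_parent
+# Create a token without a parent - see also {#create_orphan}
+# @option options [Boolean] :no_default_policy
+# Create a token without the default policy attached
+# @option options [Boolean] :renewable
+# Set whether this token is renewable or not
+# @option options [String] :display_name
+# Name of the token
+# @option options [Fixnum] :num_uses
+# Maximum number of uses for the token
+#
+# @return [Secret]
+def create(options = {})
+headers = extract_headers!(options)
+json = client.post("/v1/auth/token/create", JSON.fast_generate(options), headers)
+return Secret.decode(json)
+end
+
+# Create an orphaned authentication token.
+#
+# @example
+# Vault.auth_token.create_orphan #=> #<Vault::Secret lease_id="">
+#
+# @param (see #create)
+# @option (see #create)
+#
+# @return [Secret]
+def create_orphan(options = {})
+headers = extract_headers!(options)
+json = client.post("/v1/auth/token/create-orphan", JSON.fast_generate(options), headers)
+return Secret.decode(json)
+end
+
+# Create an orphaned authentication token.
+#
+# @example
+# Vault.auth_token.create_with_role("developer") #=> #<Vault::Secret lease_id="">
+#
+# @param [Hash] options
+#
+# @return [Secret]
+def create_with_role(name, options = {})
+headers = extract_headers!(options)
+json = client.post("/v1/auth/token/create/#{encode_path(name)}", JSON.fast_generate(options), headers)
+return Secret.decode(json)
+end
+
+# Lookup information about the current token.
+#
+# @example
+# Vault.auth_token.lookup("abcd-...") #=> #<Vault::Secret lease_id="">
+#
+# @param [String] token
+# @param [Hash] options
+#
+# @return [Secret]
+def lookup(token, options = {})
+headers = extract_headers!(options)
+json = client.post("/v1/auth/token/lookup", JSON.fast_generate(
+token: token,
+), headers)
+return Secret.decode(json)
+end
+
+# Lookup information about the given token accessor.
+#
+# @example
+# Vault.auth_token.lookup_accessor("acbd-...") #=> #<Vault::Secret lease_id="">
+#
+# @param [String] accessor
+# @param [Hash] options
+def lookup_accessor(accessor, options = {})
+headers = extract_headers!(options)
+json = client.post("/v1/auth/token/lookup-accessor", JSON.fast_generate(
+accessor: accessor,
+), headers)
+return Secret.decode(json)
+end
+
+# Lookup information about the given token.
+#
+# @example
+# Vault.auth_token.lookup_self #=> #<Vault::Secret lease_id="">
+#
+# @return [Secret]
+def lookup_self
+json = client.get("/v1/auth/token/lookup-self")
+return Secret.decode(json)
+end
+
+# Renew the given authentication token.
+#
+# @example
+# Vault.auth_token.renew("abcd-1234") #=> #<Vault::Secret lease_id="">
+#
+# @param [String] token
+# the auth token
+# @param [Fixnum] increment
+#
+# @return [Secret]
+def renew(token, increment = 0, options = {})
+headers = extract_headers!(options)
+json = client.put("/v1/auth/token/renew", JSON.fast_generate(
+token: token,
+increment: increment,
+), headers)
+return Secret.decode(json)
+end
+
+# Renews a lease associated with the calling token.
+#
+# @example
+# Vault.auth_token.renew_self #=> #<Vault::Secret lease_id="">
+#
+# @param [Fixnum] increment
+#
+# @return [Secret]
+def renew_self(increment = 0, options = {})
+headers = extract_headers!(options)
+json = client.put("/v1/auth/token/renew-self", JSON.fast_generate(
+increment: increment,
+), headers)
+return Secret.decode(json)
+end
+
+# Revokes the token used to call it.
+#
+# @example
+# Vault.auth_token.revoke_self #=> 204
+#
+# @return response code.
+def revoke_self
+client.post("/v1/auth/token/revoke-self")
+end
+
+# Revoke exactly the orphans at the id.
+#
+# @example
+# Vault.auth_token.revoke_orphan("abcd-1234") #=> true
+#
+# @param [String] token
+# the token to revoke
+#
+# @return [true]
+def revoke_orphan(token, options = {})
+headers = extract_headers!(options)
+client.put("/v1/auth/token/revoke-orphan", JSON.fast_generate(
+token: token,
+), headers)
+return true
+end
+
+# Revoke exactly the orphans at the id.
+#
+# @example
+# Vault.auth_token.revoke_accessor("abcd-1234") #=> true
+#
+# @param [String] accessor
+# the accessor to revoke
+#
+# @return [true]
+def revoke_accessor(accessor, options = {})
+headers = extract_headers!(options)
+client.put("/v1/auth/token/revoke-accessor", JSON.fast_generate(
+accessor: accessor,
+), headers)
+return true
+end
+
+# Revoke the token and all its children.
+#
+# @example
+# Vault.auth_token.revoke("abcd-1234") #=> true
+#
+# @param [String] token
+# the auth token
+#
+# @return [true]
+def revoke(token, options = {})
+headers = extract_headers!(options)
+client.put("/v1/auth/token/revoke", JSON.fast_generate(
+token: token,
+), headers)
+return true
+end
+alias_method :revoke_tree, :revoke
+end
+end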
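Review bot: Several docstrings in `AuthToken` were copy-pasted and now describe the wrong method: `lookup(token, ...)` says "Lookup information about the current token" while `lookup_self` says "Lookup information about the given token" (the two summaries are swapped), `create_with_role` is described as "Create an orphaned authentication token", and `revoke_accessor` reuses the `revoke_orphan` summary "Revoke exactly the orphans at the id". I would change them to `# Lookup information about the given token.`, `# Lookup information about the token this client is currently using.`, `# Create a token against the named token role.` and `# Revoke the token identified by the given accessor, without needing the token itself.` `revoke_self` is documented as returning a "response code" but returns whatever `client.post` yields, unlike its siblings which return `true`; either normalise it to `return true` or document the actual return type. Since `lookup`, `renew` and `revoke` place the raw token in the request body, a class-level note that callers holding only an accessor should prefer `lookup_accessor`/`revoke_accessor` (which never handle the secret value) would help operators pick the least-exposure path.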
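--- a/data/lib/vault/api/help.rb
+++ b/data/lib/vault/api/help.rb
@@ -0,0 +1,36 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+require_relative "../client"
+require_relative "../response"
+
+module Vault
+# Help is the response from a help query.
+class Help < Response
+# @!attribute [r] help
+# The help information.
+# @return [String]
+field :help
+
+# @!attribute [r] see_also
+# Additional help documentation to see.
+# @return [String]
+field :see_also
+end
+
+class Client
+# Gets help for the given path.
+#
+# @example
+# Vault.help("secret") #=> #<Vault::Help help="..." see_also="...">
+#
+# @param [String] path
+# the path to get help for
+#
+# @return [Help]
+def help(path)
+json = self.get("/v1/#{EncodePath.encode_path(path)}", help: 1)
+return Help.decode(json)
+end
+end
+end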