vault_ruby_client 0.18.2

data/lib/vault/api/sys/auth.rb

@@ -0,0 +1,119 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+require "json"
+
+module Vault
+  class Auth < Response
+    # @!attribute [r] description
+    #   Description of the auth backend.
+    #   @return [String]
+    field :description
+
+    # @!attribute [r] type
+    #   Name of the auth backend.
+    #   @return [String]
+    field :type
+  end
+
+  class AuthConfig < Response
+    # @!attribute [r] default_lease_ttl
+    #   The default time-to-live.
+    #   @return [String]
+    field :default_lease_ttl
+
+    # @!attribute [r] max_lease_ttl
+    #   The maximum time-to-live.
+    #   @return [String]
+    field :max_lease_ttl
+  end
+
+  class Sys
+    # List all auths in Vault.
+    #
+    # @example
+    #   Vault.sys.auths #=> {:token => #<Vault::Auth type="token", description="token based credentials">}
+    #
+    # @return [Hash<Symbol, Auth>]
+    def auths
+      json = client.get("/v1/sys/auth")
+      json = json[:data] if json[:data]
+      return Hash[*json.map do |k,v|
+        [k.to_s.chomp("/").to_sym, Auth.decode(v)]
+      end.flatten]
+    end
+
+    # Enable a particular authentication at the given path.
+    #
+    # @example
+    #   Vault.sys.enable_auth("github", "github") #=> true
+    #
+    # @param [String] path
+    #   the path to mount the auth
+    # @param [String] type
+    #   the type of authentication
+    # @param [String] description
+    #   a human-friendly description (optional)
+    #
+    # @return [true]
+    def enable_auth(path, type, description = nil)
+      payload = { type: type }
+      payload[:description] = description if !description.nil?
+
+      client.post("/v1/sys/auth/#{encode_path(path)}", JSON.fast_generate(payload))
+      return true
+    end
+
+    # Disable a particular authentication at the given path. If not auth
+    # exists at that path, an error will be raised.
+    #
+    # @example
+    #   Vault.sys.disable_auth("github") #=> true
+    #
+    # @param [String] path
+    #   the path to disable
+    #
+    # @return [true]
+    def disable_auth(path)
+      client.delete("/v1/sys/auth/#{encode_path(path)}")
+      return true
+    end
+
+    # Read the given auth path's configuration.
+    #
+    # @example
+    #   Vault.sys.auth_tune("github") #=> #<Vault::AuthConfig "default_lease_ttl"=3600, "max_lease_ttl"=7200>
+    #
+    # @param [String] path
+    #   the path to retrieve configuration for
+    #
+    # @return [AuthConfig]
+    #   configuration of the given auth path
+    def auth_tune(path)
+      json = client.get("/v1/sys/auth/#{encode_path(path)}/tune")
+      return AuthConfig.decode(json)
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Write the given auth path's configuration.
+    #
+    # @example
+    #   Vault.sys.auth_tune("github", "default_lease_ttl" => 600, "max_lease_ttl" => 1200 ) #=>  true
+    #
+    # @param [String] path
+    #   the path to retrieve configuration for
+    #
+    # @return [AuthConfig]
+    #   configuration of the given auth path
+    def put_auth_tune(path, config = {})
+      json = client.put("/v1/sys/auth/#{encode_path(path)}/tune", JSON.fast_generate(config))
+      if json.nil?
+        return true
+      else
+        return Secret.decode(json)
+      end
+    end
+  end
+end

data/lib/vault/api/sys/health.rb

@@ -0,0 +1,66 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+require "json"
+
+module Vault
+  class HealthStatus < Response
+    # @!attribute [r] initialized
+    #   Whether the Vault server is Initialized.
+    #   @return [Boolean]
+    field :initialized, as: :initialized?
+
+    # @!attribute [r] sealed
+    #   Whether the Vault server is Sealed.
+    #   @return [Boolean]
+    field :sealed, as: :sealed?
+
+    # @!attribute [r] standby
+    #   Whether the Vault server is in Standby mode.
+    #   @return [Boolean]
+    field :standby, as: :standby?
+
+    # @!attribute [r] replication_performance_mode
+    #   Verbose description of DR mode (added in 0.9.2)
+    #   @return [String]
+    field :replication_performance_mode
+
+    # @!attribute [r] replication_dr_mode
+    #   Verbose description of DR mode (added in 0.9.2)
+    #   @return [String]
+    field :replication_dr_mode
+
+    # @!attribute [r] server_time_utc
+    #   Server time in Unix seconds, UTC
+    #   @return [Fixnum]
+    field :server_time_utc
+
+    # @!attribute [r] version
+    #   Server Vault version string (added in 0.6.1)
+    #   @return [String]
+    field :version
+
+    # @!attribute [r] cluster_name
+    #   Server cluster name
+    #   @return [String]
+    field :cluster_name
+
+    # @!attribute [r] cluster_id
+    #   Server cluster UUID
+    #   @return [String]
+    field :cluster_id
+  end
+
+  class Sys
+    # Show the health status for this vault.
+    #
+    # @example
+    #   Vault.sys.health_status #=> #Vault::HealthStatus @initialized=true, @sealed=false, @standby=false, @replication_performance_mode="disabled", @replication_dr_mode="disabled", @server_time_utc=1519776728, @version="0.9.3", @cluster_name="vault-cluster-997f514e", @cluster_id="c2dad70a-6d88-a06d-69f6-9ae7f5485998">
+    #
+    # @return [HealthStatus]
+    def health_status
+      json = client.get("/v1/sys/health", {:sealedcode => 200, :uninitcode => 200, :standbycode => 200})
+      return HealthStatus.decode(json)
+    end
+  end
+end

data/lib/vault/api/sys/init.rb

@@ -0,0 +1,86 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+require "json"
+
+module Vault
+  class InitResponse < Response
+    # @!attribute [r] keys
+    #   List of unseal keys.
+    #   @return [Array<String>]
+    field :keys
+
+    # @!attribute [r] keys_base64
+    #   List of unseal keys, base64-encoded
+    #   @return [Array<String>]
+    field :keys_base64
+
+    # @!attribute [r] root_token
+    #   Initial root token.
+    #   @return [String]
+    field :root_token
+  end
+
+  class InitStatus < Response
+    # @!method initialized?
+    #   Returns whether the Vault server is initialized.
+    #   @return [Boolean]
+    field :initialized, as: :initialized?
+  end
+
+  class Sys
+    # Show the initialization status for this vault.
+    #
+    # @example
+    #   Vault.sys.init_status #=> #<Vault::InitStatus initialized=true>
+    #
+    # @return [InitStatus]
+    def init_status
+      json = client.get("/v1/sys/init")
+      return InitStatus.decode(json)
+    end
+
+    # Initialize a new vault.
+    #
+    # @example
+    #   Vault.sys.init #=> #<Vault::InitResponse keys=["..."] root_token="...">
+    #
+    # @param [Hash] options
+    #   the list of init options
+    #
+    # @option options [String] :root_token_pgp_key
+    #   optional base64-encoded PGP public key used to encrypt the initial root
+    #   token.
+    # @option options [Fixnum] :secret_shares
+    #   the number of shares
+    # @option options [Fixnum] :secret_threshold
+    #   the number of keys needed to unlock
+    # @option options [Array<String>] :pgp_keys
+    #   an optional Array of base64-encoded PGP public keys to encrypt sharees
+    # @option options [Fixnum] :stored_shares
+    #   the number of shares that should be encrypted by the HSM for
+    #   auto-unsealing
+    # @option options [Fixnum] :recovery_shares
+    #   the number of shares to split the recovery key into
+    # @option options [Fixnum] :recovery_threshold
+    #   the number of shares required to reconstruct the recovery key
+    # @option options [Array<String>] :recovery_pgp_keys
+    #   an array of PGP public keys used to encrypt the output for the recovery
+    #   keys
+    #
+    # @return [InitResponse]
+    def init(options = {})
+      json = client.put("/v1/sys/init", JSON.fast_generate(
+        root_token_pgp_key: options.fetch(:root_token_pgp_key, nil),
+        secret_shares:      options.fetch(:secret_shares, options.fetch(:shares, 5)),
+        secret_threshold:   options.fetch(:secret_threshold, options.fetch(:threshold, 3)),
+        pgp_keys:           options.fetch(:pgp_keys, nil),
+        stored_shares:      options.fetch(:stored_shares, nil),
+        recovery_shares:    options.fetch(:recovery_shares, nil),
+        recovery_threshold: options.fetch(:recovery_threshold, nil),
+        recovery_pgp_keys:  options.fetch(:recovery_pgp_keys, nil),
+      ))
+      return InitResponse.decode(json)
+    end
+  end
+end

data/lib/vault/api/sys/leader.rb

@@ -0,0 +1,51 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+module Vault
+  class LeaderStatus < Response
+    # @!method ha_enabled?
+    #   Returns whether the high-availability mode is enabled.
+    #   @return [Boolean]
+    field :ha_enabled, as: :ha_enabled?
+
+    # @!method leader?
+    #   Returns whether the Vault server queried is the leader.
+    #   @return [Boolean]
+    field :is_self, as: :leader?
+
+    # @!attribute [r] address
+    #   URL where the server is running.
+    #   @return [String]
+    field :leader_address, as: :address
+
+    # @deprecated Use {#ha_enabled?} instead
+    def ha?; ha_enabled?; end
+
+    # @deprecated Use {#leader?} instead
+    def is_leader?; leader?; end
+
+    # @deprecated Use {#leader?} instead
+    def is_self?; leader?; end
+
+    # @deprecated Use {#leader?} instead
+    def self?; leader?; end
+  end
+
+  class Sys
+    # Determine the leader status for this vault.
+    #
+    # @example
+    #   Vault.sys.leader #=> #<Vault::LeaderStatus ha_enabled=false, is_self=false, leader_address="">
+    #
+    # @return [LeaderStatus]
+    def leader
+      json = client.get("/v1/sys/leader")
+      return LeaderStatus.decode(json)
+    end
+
+    def step_down
+      client.put("/v1/sys/step-down", nil)
+      return true
+    end
+  end
+end

data/lib/vault/api/sys/lease.rb

@@ -0,0 +1,52 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+module Vault
+  class Sys
+    # Renew a lease with the given ID.
+    #
+    # @example
+    #   Vault.sys.renew("aws/username") #=> #<Vault::Secret ...>
+    #
+    # @param [String] id
+    #   the lease ID
+    # @param [Fixnum] increment
+    #
+    # @return [Secret]
+    def renew(id, increment = 0)
+      json = client.put("/v1/sys/renew/#{id}", JSON.fast_generate(
+        increment: increment,
+      ))
+      return Secret.decode(json)
+    end
+
+    # Revoke the secret at the given id. If the secret does not exist, an error
+    # will be raised.
+    #
+    # @example
+    #   Vault.sys.revoke("aws/username") #=> true
+    #
+    # @param [String] id
+    #   the lease ID
+    #
+    # @return [true]
+    def revoke(id)
+      client.put("/v1/sys/revoke/#{id}", nil)
+      return true
+    end
+
+    # Revoke all secrets under the given prefix.
+    #
+    # @example
+    #   Vault.sys.revoke_prefix("aws") #=> true
+    #
+    # @param [String] id
+    #   the lease ID
+    #
+    # @return [true]
+    def revoke_prefix(id)
+      client.put("/v1/sys/revoke-prefix/#{id}", nil)
+      return true
+    end
+  end
+end

data/lib/vault/api/sys/mount.rb

@@ -0,0 +1,165 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+require "json"
+
+module Vault
+  class Mount < Response
+    # @!attribute [r] config
+    #   Arbitrary configuration for the backend.
+    #   @return [Hash<Symbol, Object>]
+    field :config
+
+    # @!attribute [r] description
+    #   Description of the mount.
+    #   @return [String]
+    field :description
+
+    # @!attribute [r] type
+    #   Type of the mount.
+    #   @return [String]
+    field :type
+
+    # @!attribute [r] type
+    #   Options given to the mount.
+    #   @return [Hash<Symbol, Object>]
+    field :options
+  end
+
+  class MountTune < Response
+    # @!attribute [r] description
+    #   Specifies the description of the mount.
+    #   @return [String]
+    field :description
+
+    # @!attribute [r] default_lease_ttl
+    #   Specifies the default time-to-live.
+    #   @return [Fixnum]
+    field :default_lease_ttl
+
+    # @!attribute [r] max_lease_ttl
+    #   Specifies the maximum time-to-live.
+    #   @return [Fixnum]
+    field :max_lease_ttl
+
+    # @!attribute [r] audit_non_hmac_request_keys
+    #   Specifies the comma-separated list of keys that will not be HMAC'd by audit devices in the request data object.
+    #   @return [Array<String>]
+    field :audit_non_hmac_request_keys
+
+    # @!attribute [r] audit_non_hmac_response_keys
+    #   Specifies the comma-separated list of keys that will not be HMAC'd by audit devices in the response data object.
+    #   @return [Array<String>]
+    field :audit_non_hmac_response_keys
+
+    # @!attribute [r] listing_visibility
+    #   Specifies whether to show this mount in the UI-specific listing endpoint.
+    #   @return [String]
+    field :listing_visibility
+
+    # @!attribute [r] passthrough_request_headers
+    #   Comma-separated list of headers to whitelist and pass from the request to the plugin.
+    #   @return [Array<String>]
+    field :passthrough_request_headers
+
+    # @!attribute [r] allowed_response_headers
+    #   Comma-separated list of headers to whitelist, allowing a plugin to include them in the response.
+    #   @return [Array<String>]
+    field :allowed_response_headers
+  end
+
+  class Sys < Request
+    # List all mounts in the vault.
+    #
+    # @example
+    #   Vault.sys.mounts #=> { :secret => #<struct Vault::Mount type="generic", description="generic secret storage"> }
+    #
+    # @return [Hash<Symbol, Mount>]
+    def mounts
+      json = client.get("/v1/sys/mounts")
+      json = json[:data] if json[:data]
+      return Hash[*json.map do |k,v|
+        [k.to_s.chomp("/").to_sym, Mount.decode(v)]
+      end.flatten]
+    end
+
+    # Create a mount at the given path.
+    #
+    # @example
+    #   Vault.sys.mount("pg", "postgresql", "Postgres user management") #=> true
+    #
+    # @param [String] path
+    #   the path to mount at
+    # @param [String] type
+    #   the type of mount
+    # @param [String] description
+    #   a human-friendly description (optional)
+    def mount(path, type, description = nil, options = {})
+      payload = options.merge type: type
+      payload[:description] = description if !description.nil?
+
+      client.post("/v1/sys/mounts/#{encode_path(path)}", JSON.fast_generate(payload))
+      return true
+    end
+
+    # Get the mount tunings at a given path.
+    #
+    # @example
+    #   Vault.sys.get_mount_tune("pki") #=> { :pki => #<struct Vault::MountTune default_lease_ttl=2764800> }
+    #
+    # @return [MountTune]
+    def get_mount_tune(path)
+      json = client.get("/v1/sys/mounts/#{encode_path(path)}/tune")
+      json = json[:data] if json[:data]
+      return MountTune.decode(json)
+    end
+
+    # Tune a mount at the given path.
+    #
+    # @example
+    #   Vault.sys.mount_tune("pki", max_lease_ttl: '87600h') #=> true
+    #
+    # @param [String] path
+    #   the path to write
+    # @param [Hash] data
+    #   the data to write
+    def mount_tune(path, data = {})
+      json = client.post("/v1/sys/mounts/#{encode_path(path)}/tune", JSON.fast_generate(data))
+      return true
+    end
+
+    # Unmount the thing at the given path. If the mount does not exist, an error
+    # will be raised.
+    #
+    # @example
+    #   Vault.sys.unmount("pg") #=> true
+    #
+    # @param [String] path
+    #   the path to unmount
+    #
+    # @return [true]
+    def unmount(path)
+      client.delete("/v1/sys/mounts/#{encode_path(path)}")
+      return true
+    end
+
+    # Change the name of the mount
+    #
+    # @example
+    #   Vault.sys.remount("pg", "postgres") #=> true
+    #
+    # @param [String] from
+    #   the origin mount path
+    # @param [String] to
+    #   the new mount path
+    #
+    # @return [true]
+    def remount(from, to)
+      client.post("/v1/sys/remount", JSON.fast_generate(
+        from: from,
+        to:   to,
+      ))
+      return true
+    end
+  end
+end

data/lib/vault/api/sys/namespace.rb

@@ -0,0 +1,86 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+module Vault
+  class Namespace < Response
+    # @!attribute [r] id
+    #   ID of the namespace
+    #   @return [String]
+    field :id
+
+    # @!attribute [r] path
+    #   Path of the namespace, includes parent paths if nested.
+    #   @return [String]
+    field :path
+  end
+
+  class Sys
+    # List all namespaces in a given scope. Ignores nested namespaces.
+    #
+    # @example
+    #   Vault.sys.namespaces #=> { :foo => #<struct Vault::Namespace id="xxxx1", path="foo/" }
+    #
+    #   @return [Hash<Symbol, Namespace>]
+    def namespaces(scoped=nil)
+      path = ["v1", scoped, "sys", "namespaces"].compact
+      json = client.list(path.join("/"))
+      json = json[:data] if json[:data]
+      if json[:key_info]
+        json = json[:key_info]
+        hash = {}
+        json.each do |k,v|
+          hash[k.to_s.chomp("/").to_sym] = Namespace.decode(v)
+        end
+        hash
+      else
+        json
+      end
+    end
+
+    # Create a namespace. Nests the namespace if a namespace header is provided.
+    #
+    # @example
+    #   Vault.sys.create_namespace("foo")
+    #
+    # @param [String] namespace
+    #   the potential path of the namespace, without any parent path provided
+    #
+    # @return [true]
+    def create_namespace(namespace)
+      client.put("/v1/sys/namespaces/#{namespace}", {})
+      return true
+    end
+
+    # Delete a namespace. Raises an error if the namespace provided is not empty.
+    #
+    # @example
+    #   Vault.sys.delete_namespace("foo")
+    #
+    # @param [String] namespace
+    #   the path of the namespace to be deleted
+    #
+    # @return [true]
+    def delete_namespace(namespace)
+      client.delete("/v1/sys/namespaces/#{namespace}")
+      return true
+    end
+
+    # Retrieve a namespace by path.
+    #
+    # @example
+    #   Vault.sys.get_namespace("foo")
+    #
+    # @param [String] namespace
+    #   the path of the namespace ot be retrieved
+    #
+    # @return [Namespace]
+    def get_namespace(namespace)
+      json = client.get("/v1/sys/namespaces/#{namespace}")
+      if data = json.dig(:data)
+        Namespace.decode(data)
+      else
+        json
+      end
+    end
+  end
+end