vault_ruby_client 0.18.2

data/lib/vault/defaults.rb

@@ -0,0 +1,218 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+require "pathname"
+require "base64"
+
+module Vault
+  module Defaults
+    # The default vault address.
+    # @return [String]
+    VAULT_ADDRESS = "https://127.0.0.1:8200".freeze
+
+    # The default path to the vault token on disk.
+    # @return [String]
+    DEFAULT_VAULT_DISK_TOKEN = Pathname.new("#{ENV["HOME"]}/.vault-token").expand_path.freeze
+
+    # The list of SSL ciphers to allow. You should not change this value unless
+    # you absolutely know what you are doing!
+    # @return [String]
+    SSL_CIPHERS = "TLSv1.2:!aNULL:!eNULL".freeze
+
+    # The default number of attempts.
+    # @return [Fixnum]
+    RETRY_ATTEMPTS = 2
+
+    # The default backoff interval.
+    # @return [Fixnum]
+    RETRY_BASE = 0.05
+
+    # The maximum amount of time for a single exponential backoff to sleep.
+    RETRY_MAX_WAIT = 2.0
+
+    # The default size of the connection pool
+    DEFAULT_POOL_SIZE = 16
+
+    # The default timeout in seconds for retrieving a connection from the connection pool
+    DEFAULT_POOL_TIMEOUT = 0.5
+
+    # The set of exceptions that are detect and retried by default
+    # with `with_retries`
+    RETRIED_EXCEPTIONS = [HTTPServerError, MissingRequiredStateError]
+
+    class << self
+      # The list of calculated options for this configurable.
+      # @return [Hash]
+      def options
+        Hash[*Configurable.keys.map { |key| [key, public_send(key)] }.flatten]
+      end
+
+      # The address to communicate with Vault.
+      # @return [String]
+      def address
+        ENV["VAULT_ADDR"] || VAULT_ADDRESS
+      end
+
+      # The vault token to use for authentiation.
+      # @return [String, nil]
+      def token
+        ENV["VAULT_TOKEN"] || fetch_from_disk("VAULT_TOKEN_FILE")
+      end
+
+      def fetch_from_disk(env_var)
+        path = ENV[env_var] ? Pathname.new(ENV[env_var]) : DEFAULT_VAULT_DISK_TOKEN
+        if path.exist? && path.readable?
+          path.read.chomp
+        end
+      end
+
+      # Vault Namespace, if any.
+      # @return [String, nil]
+      def namespace
+        ENV["VAULT_NAMESPACE"]
+      end
+
+      # The SNI host to use when connecting to Vault via TLS.
+      # @return [String, nil]
+      def hostname
+        ENV["VAULT_TLS_SERVER_NAME"]
+      end
+
+      # The number of seconds to wait when trying to open a connection before
+      # timing out
+      # @return [String, nil]
+      def open_timeout
+        ENV["VAULT_OPEN_TIMEOUT"]
+      end
+
+      # The size of the connection pool to communicate with Vault
+      # @return Integer
+      def pool_size
+        if var = ENV["VAULT_POOL_SIZE"]
+          var.to_i
+        else
+          DEFAULT_POOL_SIZE
+        end
+      end
+
+      # The timeout for getting a connection from the connection pool that communicates with Vault
+      # @return Float
+      def pool_timeout
+        if var = ENV["VAULT_POOL_TIMEOUT"]
+          var.to_f
+        else
+          DEFAULT_POOL_TIMEOUT
+        end
+      end
+
+      # The HTTP Proxy server address as a string
+      # @return [String, nil]
+      def proxy_address
+        ENV["VAULT_PROXY_ADDRESS"]
+      end
+
+      # The HTTP Proxy server username as a string
+      # @return [String, nil]
+      def proxy_username
+        ENV["VAULT_PROXY_USERNAME"]
+      end
+
+      # The HTTP Proxy user password as a string
+      # @return [String, nil]
+      def proxy_password
+        ENV["VAULT_PROXY_PASSWORD"]
+      end
+
+      # The HTTP Proxy server port as a string
+      # @return [String, nil]
+      def proxy_port
+        ENV["VAULT_PROXY_PORT"]
+      end
+
+      # The number of seconds to wait when reading a response before timing out
+      # @return [String, nil]
+      def read_timeout
+        ENV["VAULT_READ_TIMEOUT"]
+      end
+
+      # The ciphers that will be used when communicating with vault over ssl
+      # You should only change the defaults if the ciphers are not available on
+      # your platform and you know what you are doing
+      # @return [String]
+      def ssl_ciphers
+        ENV["VAULT_SSL_CIPHERS"] || SSL_CIPHERS
+      end
+
+      # The raw contents (as a string) for the pem file. To specify the path to
+      # the pem file, use {#ssl_pem_file} instead. This value is preferred over
+      # the value for {#ssl_pem_file}, if set.
+      # @return [String, nil]
+      def ssl_pem_contents
+        if ENV["VAULT_SSL_PEM_CONTENTS_BASE64"]
+          Base64.decode64(ENV["VAULT_SSL_PEM_CONTENTS_BASE64"])
+        else
+          ENV["VAULT_SSL_PEM_CONTENTS"]
+        end
+      end
+
+      # The path to a pem on disk to use with custom SSL verification
+      # @return [String, nil]
+      def ssl_pem_file
+        ENV["VAULT_SSL_CERT"] || ENV["VAULT_SSL_PEM_FILE"]
+      end
+
+      # Passphrase to the pem file on disk to use with custom SSL verification
+      # @return [String, nil]
+      def ssl_pem_passphrase
+        ENV["VAULT_SSL_CERT_PASSPHRASE"]
+      end
+
+      # The path to the CA cert on disk to use for certificate verification
+      # @return [String, nil]
+      def ssl_ca_cert
+        ENV["VAULT_CACERT"]
+      end
+
+      # The CA cert store to use for certificate verification
+      # @return [OpenSSL::X509::Store, nil]
+      def ssl_cert_store
+        nil
+      end
+
+      # The path to the directory on disk holding CA certs to use
+      # for certificate verification
+      # @return [String, nil]
+      def ssl_ca_path
+        ENV["VAULT_CAPATH"]
+      end
+
+      # Verify SSL requests (default: true)
+      # @return [true, false]
+      def ssl_verify
+        # Vault CLI uses this envvar, so accept it by precedence
+        if !ENV["VAULT_SKIP_VERIFY"].nil?
+          return false
+        end
+
+        if ENV["VAULT_SSL_VERIFY"].nil?
+          true
+        else
+          %w[t y].include?(ENV["VAULT_SSL_VERIFY"].downcase[0])
+        end
+      end
+
+      # The number of seconds to wait for connecting and verifying SSL
+      # @return [String, nil]
+      def ssl_timeout
+        ENV["VAULT_SSL_TIMEOUT"]
+      end
+
+      # A default meta-attribute to set all timeout values - individually set
+      # timeout values will take precedence
+      # @return [String, nil]
+      def timeout
+        ENV["VAULT_TIMEOUT"]
+      end
+    end
+  end
+end

data/lib/vault/encode.rb

@@ -0,0 +1,22 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+module Vault
+  module EncodePath
+
+    # Encodes a string according to the rules for URL paths. This is
+    # used as opposed to CGI.escape because in a URL path, space
+    # needs to be escaped as %20 and CGI.escapes a space as +.
+    #
+    # @param [String]
+    #
+    # @return [String]
+    def encode_path(path)
+      path.b.gsub(%r!([^a-zA-Z0-9_.-/]+)!) { |m|
+        '%' + m.unpack('H2' * m.bytesize).join('%').upcase
+      }
+    end
+
+    module_function :encode_path
+  end
+end

data/lib/vault/errors.rb

@@ -0,0 +1,87 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+module Vault
+  class VaultError < RuntimeError; end
+
+  class MissingTokenError < VaultError
+    def initialize
+      super <<-EOH
+Missing Vault token! I cannot make requests to Vault without a token. Please
+set a Vault token in the client:
+
+    Vault.token = "42d1dee5-eb6e-102c-8d23-cc3ba875da51"
+
+or authenticate with Vault using the Vault CLI:
+
+    $ vault auth ...
+
+or set the environment variable $VAULT_TOKEN to the token value:
+
+    $ export VAULT_TOKEN="..."
+
+Please refer to the documentation for more examples.
+EOH
+    end
+  end
+
+  class MissingRequiredStateError < VaultError
+    def initialize
+      super <<-EOH
+The performance standby node does not yet have the 
+most recent index state required to authenticate 
+the request.
+
+Generally, the request should be retried with the with_retries clause.
+EOH
+    end
+  end
+
+  class HTTPConnectionError < VaultError
+    attr_reader :address
+
+    def initialize(address, exception)
+      @address = address
+      @exception = exception
+
+      super <<-EOH
+The Vault server at `#{address}' is not currently
+accepting connections. Please ensure that the server is running and that your
+authentication information is correct.
+
+The original error was `#{exception.class}'. Additional information (if any) is
+shown below:
+
+    #{exception.message}
+
+Please refer to the documentation for more help.
+EOH
+    end
+
+    def original_exception
+      @exception
+    end
+  end
+
+  class HTTPError < VaultError
+    attr_reader :address, :response, :code, :errors
+
+    def initialize(address, response, errors = [])
+      @address, @response, @errors = address, response, errors
+      @code  = response.code.to_i
+      errors = errors.map { |error| "  * #{error}" }
+
+      super <<-EOH
+The Vault server at `#{address}' responded with a #{code}.
+Any additional information the server supplied is shown below:
+
+#{errors.join("\n").rstrip}
+
+Please refer to the documentation for help.
+EOH
+    end
+  end
+
+  class HTTPClientError < HTTPError; end
+  class HTTPServerError < HTTPError; end
+end

data/lib/vault/persistent/connection.rb

@@ -0,0 +1,45 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+##
+# A Net::HTTP connection wrapper that holds extra information for managing the
+# connection's lifetime.
+
+module Vault
+class PersistentHTTP::Connection # :nodoc:
+
+  attr_accessor :http
+
+  attr_accessor :last_use
+
+  attr_accessor :requests
+
+  attr_accessor :ssl_generation
+
+  def initialize http_class, http_args, ssl_generation
+    @http           = http_class.new(*http_args)
+    @ssl_generation = ssl_generation
+
+    reset
+  end
+
+  def finish
+    @http.finish
+  rescue IOError
+  ensure
+    reset
+  end
+
+  def reset
+    @last_use = PersistentHTTP::EPOCH
+    @requests = 0
+  end
+
+  def ressl ssl_generation
+    @ssl_generation = ssl_generation
+
+    finish
+  end
+
+end
+end

data/lib/vault/persistent/pool.rb

@@ -0,0 +1,51 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+module Vault
+class PersistentHTTP::Pool < Vault::ConnectionPool # :nodoc:
+
+  attr_reader :available # :nodoc:
+  attr_reader :key # :nodoc:
+
+  def initialize(options = {}, &block)
+    super
+
+    @available = PersistentHTTP::TimedStackMulti.new(@size, &block)
+    @key = :"current-#{@available.object_id}"
+  end
+
+  def checkin net_http_args
+    stack = Thread.current[@key][net_http_args]
+
+    raise ConnectionPool::Error, 'no connections are checked out' if
+      stack.empty?
+
+    conn = stack.pop
+
+    if stack.empty?
+      @available.push conn, connection_args: net_http_args
+    end
+
+    nil
+  end
+
+  def checkout net_http_args
+    stacks = Thread.current[@key] ||= Hash.new { |h, k| h[k] = [] }
+    stack  = stacks[net_http_args]
+
+    if stack.empty? then
+      conn = @available.pop @timeout, connection_args: net_http_args
+    else
+      conn = stack.last
+    end
+
+    stack.push conn
+
+    conn
+  end
+
+end
+end
+
+require_relative 'timed_stack_multi'
+

data/lib/vault/persistent/timed_stack_multi.rb

@@ -0,0 +1,73 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+module Vault
+class PersistentHTTP::TimedStackMulti < ConnectionPool::TimedStack # :nodoc:
+
+  def initialize(size = 0, &block)
+    super
+
+    @enqueued = 0
+    @ques = Hash.new { |h, k| h[k] = [] }
+    @lru = {}
+    @key = :"connection_args-#{object_id}"
+  end
+
+  def empty?
+    (@created - @enqueued) >= @max
+  end
+
+  def length
+    @max - @created + @enqueued
+  end
+
+  private
+
+  def connection_stored? options = {} # :nodoc:
+    !@ques[options[:connection_args]].empty?
+  end
+
+  def fetch_connection options = {} # :nodoc:
+    connection_args = options[:connection_args]
+
+    @enqueued -= 1
+    lru_update connection_args
+    @ques[connection_args].pop
+  end
+
+  def lru_update connection_args # :nodoc:
+    @lru.delete connection_args
+    @lru[connection_args] = true
+  end
+
+  def shutdown_connections # :nodoc:
+    @ques.each_key do |key|
+      super connection_args: key
+    end
+  end
+
+  def store_connection obj, options = {} # :nodoc:
+    @ques[options[:connection_args]].push obj
+    @enqueued += 1
+  end
+
+  def try_create options = {} # :nodoc:
+    connection_args = options[:connection_args]
+
+    if @created >= @max && @enqueued >= 1
+      oldest, = @lru.first
+      @lru.delete oldest
+      @ques[oldest].pop
+
+      @created -= 1
+    end
+
+    if @created < @max
+      @created += 1
+      lru_update connection_args
+      return @create_block.call(connection_args)
+    end
+  end
+
+end
+end