class Sanctum::VaultSecrets
Attributes
prefix[R]
secrets_version[R]
vault_client[R]
Public Class Methods
new(vault_client, prefix, secrets_version="1")
# File lib/sanctum/vault_secrets.rb, line 6
def initialize(vault_client, prefix, secrets_version="1")
  @vault_client = vault_client
  @prefix = prefix
  @secrets_version = secrets_version
end
Public Instance Methods
get_all()
API version 2 uses the /metadata path to list, but /data to read.
TODO: change list_prefix back to prefix at some point. Use the new kv from vault-ruby once it's updated.
# File lib/sanctum/vault_secrets.rb, line 14
def get_all
  # yellow is a colourising helper defined elsewhere in Sanctum
  raise yellow(
    "Vault prefix: '#{prefix}' does not exist, or doesn't contain any secrets to pull/check"\
    "\nEnsure mount is enabled and use `sanctum create`, and `sanctum push` to add secrets"
  ) if invalid_prefix?

  secrets_from_vault = Hash.new
  # Round-trip through JSON (needs `require 'json'`) so the symbol keys built by
  # list_recursive become plain string keys
  secrets_from_vault[prefix] = JSON(list_recursive(list_prefix).to_json)
  secrets_from_vault
end
Private Instance Methods
invalid_prefix?()
API version 2 uses the /metadata path to list, but /data to read.
TODO: change list_prefix back to prefix at some point. Use the new kv from vault-ruby once it's updated.
# File lib/sanctum/vault_secrets.rb, line 75
def invalid_prefix?
  vault_client.logical.list(list_prefix).empty?
end
list_prefix()
API version 2 uses the /metadata path to list, but /data to read.
TODO: remove this method and use kv from vault-ruby once available.
# File lib/sanctum/vault_secrets.rb, line 29
def list_prefix
  if secrets_version == "2"
    # Match a whole "/data" path segment (not any substring containing "data"),
    # so a mount such as "database" is not rewritten to "metadatabase"
    data_segment = %r{/data(?=/|\z)}
    prefix.match?(data_segment) ? prefix.sub(data_segment, "/metadata") : "#{prefix}/metadata"
  else
    prefix
  end
end
list_recursive(list_prefix, parent = '')
TODO: change list_prefix back to prefix at some point. Use the new kv from vault-ruby once it's updated.
# File lib/sanctum/vault_secrets.rb, line 38
def list_recursive(list_prefix, parent = '')
  me = File.join(parent, list_prefix)
  result = vault_client.logical.list(me).inject({}) do |hash, item|
    case item
    when /.*\/$/
      # A trailing slash marks a folder: recurse into it
      hash[item.gsub(/\/$/, '').to_sym] = list_recursive(item, me)
    else
      # A plain key is a secret: read its data
      hash[item.to_sym] = read_data(item, me)
    end
    hash
  end
  result
end
read_data(item, parent = '')
Used by the list_recursive method only. API version 2 uses the /metadata path to list, but /data to read.
TODO: update to use kv from vault-ruby once available.
# File lib/sanctum/vault_secrets.rb, line 55
def read_data(item, parent = '')
  me = File.join(parent, item)
  # me will contain /metadata if secrets_version is 2, due to the list_prefix method
  if secrets_version == "2"
    # Swap the whole "/metadata" segment for "/data"; read the secret once
    me = me.sub(%r{/metadata(?=/|\z)}, "/data")
    secret = vault_client.logical.read(me)
    # It's possible for a vault secret to be nil...
    if secret.nil?
      # red is a colourising helper defined elsewhere in Sanctum
      warn red("vault secret '#{me}' contains a null value, ignoring...")
      {}
    else
      secret.data[:data]
    end
  else
    vault_client.logical.read(me).data
  end
end
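As an added example (not code from the sanctum gem), the KV v1/v2 path translation and the recursive walk described above, run against a constructed in-memory stand-in for vault-ruby's `logical` API. `FakeLogical`, `list_path`, `walk` and all sample paths and values are hypothetical; the walk also shows the nil-secret case being turned into an empty hash.

```ruby
# Constructed stand-in for vault-ruby's Vault::Client#logical (hypothetical;
# not the gem): list/read answer from in-memory tables keyed by path.
FakeSecret = Struct.new(:data)
class FakeLogical
  def initialize(lists, reads)
    @lists, @reads = lists, reads
  end
  def list(path)
    @lists.fetch(path, [])
  end
  def read(path)
    @reads.key?(path) ? FakeSecret.new(@reads[path]) : nil
  end
end

# KV v2 lists under /metadata but reads under /data; v1 uses the prefix as-is.
# The match is anchored to a whole "/data" path segment so a mount whose name
# merely contains "data" (e.g. "database") is not rewritten.
DATA_SEGMENT = %r{/data(?=/|\z)}
def list_path(prefix, version)
  return prefix unless version == "2"
  prefix.match?(DATA_SEGMENT) ? prefix.sub(DATA_SEGMENT, "/metadata") : "#{prefix}/metadata"
end

# Walk a prefix recursively: "folder/" entries become nested hashes, leaves are
# read (through /data for v2), and a nil secret becomes {} with a warning.
def walk(logical, prefix, version, parent = "")
  me = [parent, prefix].reject(&:empty?).join("/").chomp("/")
  logical.list(me).each_with_object({}) do |item, hash|
    if item.end_with?("/")
      hash[item.chomp("/")] = walk(logical, item, version, me)
    else
      read_path = File.join(me, item)
      read_path = read_path.sub(%r{/metadata(?=/|\z)}, "/data") if version == "2"
      secret = logical.read(read_path)
      warn "vault secret '#{read_path}' is nil, ignoring" if secret.nil?
      hash[item] = secret.nil? ? {} : (version == "2" ? secret.data[:data] : secret.data)
    end
  end
end

# Constructed sample data shaped like vault-ruby responses.
DEMO_LOGICAL = FakeLogical.new(
  { "secret/metadata" => ["db", "deleted", "apps/"], "secret/metadata/apps" => ["web"], "kv" => ["flag"] },
  { "secret/data/db" => { data: { "password" => "hunter2" }, metadata: { version: 1 } },
    "secret/data/apps/web" => { data: { "token" => "t0k" }, metadata: { version: 3 } },
    "kv/flag" => { "enabled" => "true" } }
)
```

Calling `walk(DEMO_LOGICAL, list_path("secret", "2"), "2")` lists through `secret/metadata` and reads through `secret/data`, while the v1 mount `kv` is walked with its prefix unchanged.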