class Sanctum::Command::Pull

Public Instance Methods

build_local_secrets(vault_secrets, transit_key) click to toggle source
# File lib/sanctum/command/pull.rb, line 69
def build_local_secrets(vault_secrets, transit_key)

  # read_local_files uses vault_secrets paths to create a new hash with local paths and values.
  # This means that we will only compare secrets/paths that exist in both vault and locally.
  # We will not for example, see differences if a file exists locally but not in vault.
  local_secrets = read_local_files(vault_secrets)
  # Decrypt local_secrets
  local_secrets = VaultTransit.decrypt(vault_client, local_secrets, transit_key)
  local_secrets
end
build_vault_secrets(tree, path) click to toggle source
# File lib/sanctum/command/pull.rb, line 57
def build_vault_secrets(tree, path)
  # Build local paths based on vault_prefix(tree) and paths specified in sanctum.yaml
  vault_secrets = build_path(tree, path)

  # Join the path array to create a path
  vault_secrets = join_path(vault_secrets, config_file)

  # Ensure local paths exist, relative to sanctum.yaml if they don't create them
  create_paths(vault_secrets)
  vault_secrets
end
create_paths(paths) click to toggle source
# File lib/sanctum/command/pull.rb, line 48
def create_paths(paths)
  paths.each do |k,v|
    k = Pathname.new(k)
    unless k.dirname.exist?
      k.dirname.mkpath
    end
  end
end
run() click to toggle source
# File lib/sanctum/command/pull.rb, line 7
def run
  puts yellow("Running `pull` for the following targets: \n#{targets.map{ |h| h.dig(:name)}.to_yaml.gsub("---\n", '')}")
  targets.each do |target|
    # Use command line if force: true
    if options[:cli][:force]
      force = options[:cli][:force]
    else
      force = target.fetch(:force) {options[:sanctum][:force]}
    end

    # Recursively get vault secrets for each prefix specified in sanctum.yaml
    secrets_list = VaultSecrets.new(vault_client, target[:prefix], target[:secrets_version]).get_all
    secrets_list.each do |k,v|

      vault_secrets = build_vault_secrets(v, [target[:path]])
      local_secrets = build_local_secrets(vault_secrets, target[:transit_key])

      #Compare secrets, if there are no differences continue to next target
      differences = compare_secrets(vault_secrets, local_secrets, target[:name], "pull")
      next if differences.nil?

      #Get uniq array of Hashdiff returned paths
      diff_paths = differences.map{|x| x[1][0]}.uniq

      #Only sync the differences
      vault_secrets = only_changes(diff_paths, vault_secrets)

      if force
        # Write files to disk and encrypt with transit
        warn red("#{target[:name]}: Forcefully writing differences to disk(pull)")
        VaultTransit.write_to_file(vault_client, vault_secrets, target[:transit_key])
      else
        #Confirm with user, and write to local file if approved
        next unless confirmed_with_user?
        VaultTransit.write_to_file(vault_client, vault_secrets, target[:transit_key])
      end
    end
  end

end