class Sanctum::VaultTransit

Public Class Methods

create_path(path)
# File lib/sanctum/vault_transit.rb, line 79
# Ensures the parent directory of +path+ exists.
#
# Only the parent is created: +path+ itself is expected to be a file that a
# later File.write fills in, so it is never touched here.
#
# @param path [String, Pathname] file path whose parent directory is needed
# @return [nil] when the directory already exists, otherwise the result of
#   FileUtils.mkdir_p (the list of created paths)
def self.create_path(path)
  parent = Pathname.new(path).parent.to_path
  return if File.directory?(parent)

  FileUtils.mkdir_p(parent)
end
decode(string)
# File lib/sanctum/vault_transit.rb, line 75
# Decodes a base64 string (the form transit returns plaintext in).
#
# "m" is the pack/unpack directive for RFC 2045 base64, which is what
# Base64.decode64 delegates to; line breaks in the input are ignored.
#
# @param string [String] base64 text
# @return [String] the decoded bytes
def self.decode(string)
  string.unpack1("m")
end
decrypt(vault_client, secrets, transit_key)
# File lib/sanctum/vault_transit.rb, line 25
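# Decrypts every value of +secrets+ through Vault's transit backend.
#
# The transit mount is taken from the first segment of +transit_key+'s
# directory (for "transit/keys/app" the endpoint is "transit/decrypt/app").
# The endpoint depends only on +transit_key+, so it is built once instead of
# on every iteration.
# NOTE(review): an absolute key path ("/transit/keys/app") would yield an
# empty mount here — confirm callers always pass a relative key path.
#
# @param vault_client [Vault::Client] client used to interact with the vault api
# @param secrets [Hash] {path => ciphertext}; values are replaced in place
# @param transit_key [String, Pathname] "<mount>/keys/<name>" path of the transit key
# @return [Hash] the same +secrets+ hash, each value replaced by the JSON-parsed plaintext
# @raise [RuntimeError] on a 403, which the message reports as either a missing
#   key or insufficient permissions (the two are not told apart here)
# @raise [Vault::HTTPClientError] any other client error is re-raised unchanged
def self.decrypt(vault_client, secrets, transit_key)
  transit_key = Pathname.new(transit_key)
  mount = transit_key.dirname.to_s.split("/")[0]
  endpoint = "#{mount}/decrypt/#{transit_key.basename}"

  # transform_values! rewrites each value in place and returns the caller's
  # hash, the same result the previous each-and-assign loop produced.
  secrets.transform_values! do |ciphertext|
    response = vault_client.logical.write(endpoint, ciphertext: ciphertext)
    JSON(decode(response.data[:plaintext]))
  end
rescue Vault::HTTPClientError => e
  raise red("#{transit_key} either doesn't exist, or you don't have the proper permissions") if e.code == 403

  raise
end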
encode(string)
# File lib/sanctum/vault_transit.rb, line 71
# Encodes +string+ as base64 for submission to transit.
#
# "m" is the pack directive for RFC 2045 base64, which is what
# Base64.encode64 delegates to; the output is wrapped with "\n" every 60
# characters, exactly as encode64 does.
#
# @param string [String] raw bytes to encode
# @return [String] base64 text with trailing newline(s)
def self.encode(string)
  [string].pack("m")
end
encrypt(vault_client, secrets, transit_key)
# File lib/sanctum/vault_transit.rb, line 8
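# Encrypts every value of +secrets+ through Vault's transit backend.
#
# Each value is serialised with +to_json+, base64-encoded, and sent to the
# transit encrypt endpoint; the raw Vault response object replaces the value
# (callers read +response.data[:ciphertext]+). The endpoint depends only on
# +transit_key+, so it is built once instead of on every iteration.
# TODO (carried over from the original "Fix this"): the mount is taken as the
# first segment of +transit_key+'s directory, so an absolute key path would
# yield an empty mount — confirm this derivation against the callers.
#
# @param vault_client [Vault::Client] client used to interact with the vault api
# @param secrets [Hash] {path => value}; values are replaced in place
# @param transit_key [String, Pathname] "<mount>/keys/<name>" path of the transit key
# @return [Hash] the same +secrets+ hash, each value replaced by the Vault response
# @raise [RuntimeError] on a 403, which the message reports as either a missing
#   key or insufficient permissions (the two are not told apart here)
# @raise [Vault::HTTPClientError] any other client error is re-raised unchanged
def self.encrypt(vault_client, secrets, transit_key)
  transit_key = Pathname.new(transit_key)
  mount = transit_key.dirname.to_s.split("/")[0]
  endpoint = "#{mount}/encrypt/#{transit_key.basename}"

  # transform_values! rewrites each value in place and returns the caller's
  # hash, the same result the previous each-and-assign loop produced.
  secrets.transform_values! do |value|
    vault_client.logical.write(endpoint, plaintext: encode(value.to_json))
  end
rescue Vault::HTTPClientError => e
  raise red("#{transit_key} either doesn't exist, or you don't have the proper permissions") if e.code == 403

  raise
end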
write_to_file(vault_client, secrets, transit_key)

Writes secrets encrypted with transit to local files

@param vault_client [VaultClient] client used to interact with the vault api
@param secrets [Hash] {"/local/path": {key: value}}
@param transit_key [String] key used to encrypt blobs via the transit backend

# File lib/sanctum/vault_transit.rb, line 46
# Encrypts each secret through transit and writes only the resulting
# ciphertext to the local file named by its key.
#
# Values are coerced to strings first so that what is pushed to and pulled
# from vault round-trips consistently; this mutates the caller's hashes.
# The parent directory of each file is created before writing.
#
# @param vault_client [VaultClient] client used to interact with the vault api
# @param secrets [Hash] {"/local/path" => {key: value}}
# @param transit_key [String] key used to encrypt blobs via the transit backend
# @return [Hash] the hash returned by +encrypt+ (keys are the file paths written)
def self.write_to_file(vault_client, secrets, transit_key)
  secrets.each_value { |data| data.transform_values!(&:to_s) }

  encrypted = encrypt(vault_client, secrets, transit_key)
  encrypted.each do |file_path, response|
    create_path(file_path)
    File.write(file_path, response.data[:ciphertext])
  end
end
write_to_vault(vault_client, secrets, secrets_version="1")

Writes secrets to vault

@param vault_client [VaultClient] client used to interact with the vault api
@param secrets [Hash] {"/vault/path": {key: value}}
@param secrets_version [String] vault backend version ("1" or "2")

# File lib/sanctum/vault_transit.rb, line 62
# Writes each secret hash to vault at the path given by its key.
#
# Values are coerced to strings so that what is pushed to and pulled from
# vault round-trips consistently; this mutates the caller's hashes. For a
# version "2" backend the payload is nested under +data:+ as the kv-v2 API
# expects; any other version sends the hash as the payload itself.
#
# @param vault_client [VaultClient] client used to interact with the vault api
# @param secrets [Hash] {"/vault/path" => {key: value}}
# @param secrets_version [String] vault backend version, "1" or "2"
# @return [Hash] the +secrets+ hash that was iterated
def self.write_to_vault(vault_client, secrets, secrets_version="1")
  kv_v2 = secrets_version == "2"

  secrets.each do |vault_path, data|
    data.transform_values!(&:to_s)
    if kv_v2
      vault_client.logical.write(vault_path, data: data)
    else
      vault_client.logical.write(vault_path, data)
    end
  end
end