class Sanctum::Command::Update

Public Instance Methods

run() click to toggle source
# File lib/sanctum/command/update.rb, line 6
def run
  raise red("Please only specify one target") if targets.count > 1
  target = targets.first

  # Use command line if force: true
  if options[:cli][:force]
    force = options[:cli][:force]
  else
    force = target.fetch(:force) {options[:sanctum][:force]}
  end

  update_mount(target, force)
end

Private Instance Methods

additional_acl_warning() click to toggle source
# File lib/sanctum/command/update.rb, line 56
def additional_acl_warning
  warn yellow(
    "\nIf you use policies to limit secrets access you may need to have your permissions updated"\
    "\nSee https://www.vaultproject.io/docs/secrets/kv/kv-v2.html#acl-rules for more info"\
    "\nSee examples/single_target for updated policy example."\
  )
end
already_upgraded_warning() click to toggle source
# File lib/sanctum/command/update.rb, line 64
def already_upgraded_warning
  raise red(
    "Mount appears to have already been updated. This could be due to `secrets_version: 2` specified"\
    "\nin sanctum.yaml, or the mount having already been upgraded."\
    "\nTo try anyway you can pass `--force` on the command line"
  )
end
confirm_upgrade?(target) click to toggle source
# File lib/sanctum/command/update.rb, line 78
def confirm_upgrade?(target)
  warn yellow("\nUpgrading will make the mount temporarily unavailable")
  warn red("\nPlease ensure you are fully synced(all secrets have been pushed/pulled)")
  warn yellow("Would you like to continue?: ")
  question = STDIN.gets.chomp.upcase

  if ["Y", "YES"].include? question
    warn yellow("\nUpgrading #{target[:prefix]}")
    true
  else
    raise yellow("\nSkipping....\n")
    false
  end
end
nothing_happened_warning() click to toggle source
# File lib/sanctum/command/update.rb, line 72
def nothing_happened_warning
  warn yellow(
    "Request returned a nil response, which could mean mount is already upgraded"
  )
end
post_upgrade_warning() click to toggle source
# File lib/sanctum/command/update.rb, line 49
def post_upgrade_warning
  warn yellow(
    "\nOnce the upgrade has been completed update sanctum.yaml."\
    "\nPlease add or update `secrets_version:` key to each configured target."\
  )
end
pre_upgrade_warning() click to toggle source
# File lib/sanctum/command/update.rb, line 39
def pre_upgrade_warning
  warn yellow(
    "\nPlease read 'Upgrading from Version 1' documentation BEFORE you upgrade"\
    "\nThe addition of `/data`, and `/metadata` endpoints will break applications that are dependant on v1 endpoints"\
    "\nYou will want to update permissions policies, and applications BEFORE you upgrade"\
    "\nhttps://www.vaultproject.io/docs/secrets/kv/kv-v2.html#upgrading-from-version-1"\
  )
  additional_acl_warning
end
update_mount(target, force) click to toggle source
# File lib/sanctum/command/update.rb, line 22
def update_mount(target, force)
  data = { options: { version: "2" }, listing_visability: "unauth" }.to_json
  pre_upgrade_warning

  if force
    # When force option is used we will try to run the upgrade command mount, even if it's already been upgraded
    # Request will be a no-op and return null. So we need to remove `data` from the prefix if it's been added.
    force_prefix = target[:prefix].include?("/data") ? target[:prefix].sub(/\/data/, "") : target[:prefix]
    warn yellow("\nUpgrading #{force_prefix}")
    upgrade_response = vault_client.request(:post, "/v1/sys/mounts/#{force_prefix}/tune", data)
  else
    already_upgraded_warning if target[:secrets_version] == "2"
    upgrade_response = confirm_upgrade?(target) ? vault_client.request(:post, "/v1/sys/mounts/#{target[:prefix]}/tune", data) : nil
  end
  upgrade_response.nil? ? nothing_happened_warning : (warn yellow("#{upgrade_response}\n#{post_upgrade_warning}"))
end