class Sanctum::VaultTransit
Public Class Methods
create_path(path)
# File lib/sanctum/vault_transit.rb, line 79
# Makes sure the directory that will hold +path+ exists.
#
# Only the parent of +path+ is created (with mkdir_p, so missing ancestors
# are created as well); +path+ itself is never touched, leaving the caller
# to write the file afterwards. No mode is passed, so new directories get
# the process's default permissions.
#
# @param path [String, Pathname] file path whose parent directory is needed
# @return [nil, Array<String>] nil when the parent already exists, otherwise
#   the value returned by FileUtils.mkdir_p
def self.create_path(path)
  parent_dir = Pathname.new(path).parent.to_path
  return if File.directory?(parent_dir)

  FileUtils.mkdir_p(parent_dir)
end
decode(string)
# File lib/sanctum/vault_transit.rb, line 75
# Base64-decodes +string+ (the counterpart of +encode+).
#
# This is the lenient decoder (the same "m" unpack that Base64.decode64
# uses): characters outside the base64 alphabet, including the newlines
# that +encode+ inserts, are skipped rather than raising.
#
# @param string [String] base64 text, e.g. the +plaintext+ field of a
#   transit decrypt response
# @return [String] the decoded bytes
def self.decode(string)
  string.unpack1("m")
end
decrypt(vault_client, secrets, transit_key)
# File lib/sanctum/vault_transit.rb, line 25
# Decrypts every value of +secrets+ through Vault's transit backend.
#
# The transit mount is taken as the first path component of +transit_key+
# and the key name as its basename, giving the endpoint
# "<mount>/decrypt/<key>". Each ciphertext is posted there, the base64
# +plaintext+ in the response is decoded and parsed as JSON, and the result
# replaces the ciphertext in +secrets+ (the hash is mutated in place and
# also returned).
#
# NOTE(review): because only the first path component is used as the mount,
# a transit mount nested under another path segment would be misrouted —
# confirm the expected form of +transit_key+ (e.g. "transit/keys/<name>").
#
# @param vault_client [Vault::Client] client whose +logical.write+ performs the request
# @param secrets [Hash] { path => ciphertext }
# @param transit_key [String, Pathname] transit key path, e.g. "transit/keys/<name>"
# @return [Hash] +secrets+ with each ciphertext replaced by the decrypted data
# @raise [RuntimeError] on HTTP 403 — the key is missing or the token lacks
#   permission (message built with the +red+ helper defined elsewhere)
# @raise [Vault::HTTPClientError] every other client error is re-raised as-is
def self.decrypt(vault_client, secrets, transit_key)
  transit_key = Pathname.new(transit_key)
  mount = transit_key.dirname.to_s.split("/")[0]
  endpoint = "#{mount}/decrypt/#{transit_key.basename}"

  secrets.each do |path, ciphertext|
    response = vault_client.logical.write(endpoint, ciphertext: ciphertext)
    # Transit returns the plaintext base64-encoded; it was JSON when encrypted.
    secrets[path] = JSON(decode(response.data[:plaintext]))
  end
  secrets
rescue Vault::HTTPClientError => e
  if e.code == 403
    raise red("#{transit_key} either doesn't exist, or you don't have the proper permissions")
  end
  raise
end
encode(string)
# File lib/sanctum/vault_transit.rb, line 71
# Base64-encodes +string+ (the counterpart of +decode+).
#
# Uses the same "m" pack as Base64.encode64, so the output carries a
# newline after every 60 encoded characters and a trailing newline; the
# transit API tolerates this, and +decode+ ignores the newlines.
#
# @param string [String] raw bytes to encode (here the JSON of a secret)
# @return [String] base64 text
def self.encode(string)
  [string].pack("m")
end
encrypt(vault_client, secrets, transit_key)
# File lib/sanctum/vault_transit.rb, line 8
# Encrypts every value of +secrets+ through Vault's transit backend.
#
# The transit mount is taken as the first path component of +transit_key+
# and the key name as its basename, giving the endpoint
# "<mount>/encrypt/<key>". Each value is serialised to JSON, base64-encoded
# (transit expects base64 plaintext) and posted there; Vault's full response
# object replaces the value in +secrets+, so callers read the ciphertext via
# +response.data[:ciphertext]+. The hash is mutated in place and returned.
#
# NOTE(review): because only the first path component is used as the mount,
# a transit mount nested under another path segment would be misrouted —
# confirm the expected form of +transit_key+ (e.g. "transit/keys/<name>").
#
# @param vault_client [Vault::Client] client whose +logical.write+ performs the request
# @param secrets [Hash] { path => { key => value } }
# @param transit_key [String, Pathname] transit key path, e.g. "transit/keys/<name>"
# @return [Hash] +secrets+ with each value replaced by Vault's encrypt response
# @raise [RuntimeError] on HTTP 403 — the key is missing or the token lacks
#   permission (message built with the +red+ helper defined elsewhere)
# @raise [Vault::HTTPClientError] every other client error is re-raised as-is
def self.encrypt(vault_client, secrets, transit_key)
  transit_key = Pathname.new(transit_key)
  mount = transit_key.dirname.to_s.split("/")[0]
  endpoint = "#{mount}/encrypt/#{transit_key.basename}"

  secrets.each do |path, value|
    # TODO (carried over from the original "Fix this...." marker): the author
    # flagged this serialisation step; what needs fixing is not recorded.
    plaintext = encode(value.to_json)
    secrets[path] = vault_client.logical.write(endpoint, plaintext: plaintext)
  end
  secrets
rescue Vault::HTTPClientError => e
  if e.code == 403
    raise red("#{transit_key} either doesn't exist, or you don't have the proper permissions")
  end
  raise
end
write_to_file(vault_client, secrets, transit_key)
Writes secrets encrypted with transit to local files
@param vault_client [VaultClient] client used to interact with the vault api @param secrets [hash] {"/local/path": {key: value}} @param transit_key [String] key used to encrypt blobs via the transit backend
# File lib/sanctum/vault_transit.rb, line 46
# Encrypts +secrets+ with the transit backend and writes each ciphertext to
# the local path given by its key.
#
# Every nested value is first coerced to a String so data round-trips the
# same way as +write_to_vault+. The directory for each target file is
# created on demand (+create_path+), and only the +ciphertext+ field of
# Vault's response is written — no plaintext is written to disk here.
# +File.write+ is called without an explicit mode, so files get the
# process's default permissions.
#
# @param vault_client [VaultClient] client used to interact with the vault api
# @param secrets [Hash] { "/local/path" => { key => value } } — mutated in place
# @param transit_key [String] key used to encrypt blobs via the transit backend
# @return [Hash] the encrypted secrets (each value is Vault's response object)
def self.write_to_file(vault_client, secrets, transit_key)
  # Coerce vault data values to strings for a consistent experience
  # pulling and pushing to vault.
  secrets.each_value { |data| data.transform_values!(&:to_s) }

  encrypt(vault_client, secrets, transit_key).each do |target, response|
    create_path(target)
    File.write(target, response.data[:ciphertext])
  end
end
write_to_vault(vault_client, secrets, secrets_version="1")
Writes secrets to vault
@param vault_client [VaultClient] client used to interact with the vault api @param secrets [hash] {"/vault/path": {key: value}} @param secrets_version [String] vault backend version, "1" or "2"
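# File lib/sanctum/vault_transit.rb, line 62
# Writes secrets to vault.
#
# Each value hash has its values coerced to Strings (in place) so data
# round-trips the same way as +write_to_file+, then is written to the path
# given by its key. For a KV v2 backend the payload is wrapped as
# +data: values+, the shape the v2 API expects; v1 gets the hash as-is.
#
# Improvement over the original: the version is compared via +to_s+, so an
# Integer 2 selects the v2 payload instead of silently falling back to v1.
#
# @param vault_client [VaultClient] client used to interact with the vault api
# @param secrets [Hash] { "/vault/path" => { key => value } } — mutated in place
# @param secrets_version [String, Integer] vault backend version, 1 or 2
# @return [Hash] +secrets+, after coercion
def self.write_to_vault(vault_client, secrets, secrets_version="1")
  kv_v2 = secrets_version.to_s == "2"

  secrets.each do |path, values|
    # Coerce vault data values to strings for a consistent experience
    # pulling and pushing to vault.
    values.transform_values!(&:to_s)

    if kv_v2
      vault_client.logical.write(path, data: values)
    else
      vault_client.logical.write(path, values)
    end
  end
end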