class Sanctum::VaultSecrets

Attributes

prefix[R]
secrets_version[R]
vault_client[R]

Public Class Methods

new(vault_client, prefix, secrets_version="1")
# File lib/sanctum/vault_secrets.rb, line 6
def initialize(vault_client, prefix, secrets_version="1")
  @vault_client = vault_client          # a Vault::Client from vault-ruby
  @prefix = prefix                      # KV mount/path the secrets are pulled from
  @secrets_version = secrets_version    # KV secrets engine API version: "1" or "2"
end

Public Instance Methods

get_all()
API version 2 uses /metadata path to list, but /data to read.

TODO Fix, change list_prefix back to prefix at some point. Use new kv from vault-ruby once it's updated

# File lib/sanctum/vault_secrets.rb, line 14
def get_all
  raise yellow(
    "Vault prefix: '#{prefix}' does not exist, or doesn't contain any secrets to pull/check"\
    "\nEnsure mount is enabled and use `sanctum create`, and `sanctum push` to add secrets"
  ) if invalid_prefix?

  # Walk the prefix recursively; the JSON round-trip turns the symbol keys
  # produced by list_recursive into string keys
  secrets_from_vault = Hash.new
  secrets_from_vault[prefix] = JSON(list_recursive(list_prefix).to_json)
  secrets_from_vault
end

Private Instance Methods

invalid_prefix?()

API version 2 uses /metadata path to list, but /data to read. TODO Fix, change list_prefix back to prefix at some point. Use new kv from vault-ruby once it's updated

# File lib/sanctum/vault_secrets.rb, line 75
def invalid_prefix?
  # An empty listing means the mount is missing, not readable, or holds no secrets
  vault_client.logical.list(list_prefix).empty?
end
list_prefix()

API version 2 uses /metadata path to list, but /data to read. TODO remove method and use kv from vault-ruby once available.

# File lib/sanctum/vault_secrets.rb, line 29
def list_prefix
  if secrets_version == "2"
    # Listing on KV v2 goes through the /metadata endpoint. Note that
    # sub(/data/, "metadata") rewrites the first "data" found anywhere in
    # the prefix, not only a "/data" path segment
    prefix.include?("/data") ? prefix.sub(/data/, "metadata") : "#{prefix}/metadata"
  else
    prefix
  end
end
list_recursive(list_prefix, parent = '')

TODO Fix, change list_prefix back to prefix at some point. Use new kv from vault-ruby once it's updated

# File lib/sanctum/vault_secrets.rb, line 38
def list_recursive(list_prefix, parent = '')
  me = File.join(parent, list_prefix)
  result = vault_client.logical.list(me).inject({}) do |hash, item|
    case item
    when /.*\/$/
      # A trailing slash marks a sub-folder: strip it and recurse into it
      hash[item.gsub(/\/$/, '').to_sym] = list_recursive(item, me)
    else
      # Anything else is a leaf secret: read its key/value data
      hash[item.to_sym] = read_data(item, me)
    end
    hash
  end
  result
end
read_data(item, parent = '')

Used by the list_recursive method only. API version 2 uses /metadata path to list, but /data to read. TODO Update to use kv from vault-ruby once available.

# File lib/sanctum/vault_secrets.rb, line 55
def read_data(item, parent = '')
  me = File.join(parent, item)

  # me will contain /metadata if secrets_version 2 due to list_prefix method;
  # reads must go through /data instead
  me = me.sub(/metadata/, "data") if secrets_version == "2"

  # Read once and keep the result; it's possible for a vault secret to be nil...
  secret = vault_client.logical.read(me)
  if secret.nil?
    warn red("vault secret '#{me}' contains a null value, ignoring...")
    return {}
  end

  # API version 2 nests the key/value payload under a :data key
  secrets_version == "2" ? secret.data[:data] : secret.data
end
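The KV v1/v2 list-versus-read split that list_prefix and read_data implement, exercised end to end against an in-memory stand-in for the Vault client. This is an added example, not code from the sanctum gem: FakeLogical, walk and SAMPLE are constructed for it, and its /metadata -> /data rewrite is anchored to a whole path segment rather than the page's sub(/metadata/, "data").

```ruby
# Added example, not sanctum code: an in-memory stand-in for Vault::Client#logical so the
# KV v1/v2 list-vs-read path split can be exercised offline. `secrets` is a constructed
# flat Hash of "relative/path" => data; a nil value models a secret with no data.
class FakeLogical
  Secret = Struct.new(:data)
  def initialize(mount, version, secrets)
    @mount, @version, @secrets = mount, version, secrets
  end

  # KV v2 lists under <mount>/metadata/...; v1 lists directly under <mount>/...
  def list(path)
    rel = relative(path, "metadata") or return []
    rel += "/" unless rel.empty?
    @secrets.keys.select { |k| k.start_with?(rel) }.map { |k|
      head, rest = k.delete_prefix(rel).split("/", 2)
      rest ? "#{head}/" : head # Vault marks sub-folders with a trailing slash
    }.uniq
  end

  # KV v2 reads under <mount>/data/... and nests the payload one level deeper
  def read(path)
    rel = relative(path, "data") or return nil
    value = @secrets.fetch(rel, nil) or return nil
    Secret.new(@version == "2" ? { data: value } : value)
  end

  # Strip the mount and, for v2, the expected API segment; nil when the path is wrong
  def relative(path, segment)
    parts = path.split("/").reject(&:empty?)
    return nil unless parts.shift == @mount
    return nil if @version == "2" && parts.shift != segment
    parts.join("/")
  end
end

# Same recursion as VaultSecrets#list_recursive/#read_data, but a nil secret yields {} and
# the /metadata -> /data rewrite only matches a whole path segment (this example's choice).
def walk(logical, version, path, parent = "")
  me = File.join(parent, path)
  logical.list(me).each_with_object({}) do |item, hash|
    if item.end_with?("/")
      hash[item.chomp("/").to_sym] = walk(logical, version, item, me)
    else
      read_path = File.join(me, item)
      read_path = read_path.sub(%r{/metadata(?=/|\z)}, "/data") if version == "2"
      secret = logical.read(read_path)
      hash[item.to_sym] = secret.nil? ? {} : (version == "2" ? secret.data[:data] : secret.data)
    end
  end
end

# Constructed sample: a folder with a leaf and a data-less (nil) secret, plus a top-level leaf
SAMPLE = { "app/db" => { user: "svc", pass: "hunter2" }, "app/flag" => nil, "top" => { k: "v" } }
```

Calling walk with "secret/metadata" as the root for version "2" and with "secret" for version "1" returns the same nested Hash, which is the invariant the class above relies on when it switches API versions.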