Class: Hiera::Backend::Eyaml::Encryptors::Vault

Inherits:

Encryptor

• Object
• Encryptor
• Hiera::Backend::Eyaml::Encryptors::Vault

Defined in:

lib/hiera/backend/eyaml/encryptors/vault.rb,
lib/hiera/backend/eyaml/encryptors/vault/httphandler.rb

Defined Under Namespace

Classes: AuthenticationError, HTTPError, Httphandler

Constant Summary

VERSION =

"0.0.2"

HTTP_HANDLER =

Hiera::Backend::Eyaml::Encryptors::Vault::Httphandler

Class Method Summary

• .authenticate ⇒ Object
• .create_keys ⇒ Object
• .decrypt(string) ⇒ Object
• .encrypt(plain) ⇒ Object
• .endpoint(action) ⇒ Object
• .login ⇒ Object
• .parse_response(response) ⇒ Object
• .read_file(file) ⇒ Object
• .ssl? ⇒ Boolean
• .ssl_cert ⇒ Object
• .ssl_key ⇒ Object
• .token ⇒ Object
• .token_configured? ⇒ Boolean
• .url_path(action) ⇒ Object
• .vault_post(data, action, use_token = true, headers = {}) ⇒ Object
• .vault_url(endpoint) ⇒ Object

  BEGIN IMPORT.

Class Method Details

.authenticate ⇒ Object

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 122

def authenticate
  unless token_configured?
    login if @approle_token.nil?
  end
end

.create_keys ⇒ Object

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 65

def create_keys
  diagnostic_message = self.option :diagnostic_message 
  puts "Create_keys: #{diagnostic_message}"
end

.decrypt(string) ⇒ Object

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 185

def decrypt(string)
  response = vault_post({ 'ciphertext' => string}, :decrypt)
  response_data=response['data']
  Base64.decode64(response_data['plaintext'])
end

.encrypt(plain) ⇒ Object

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 191

def encrypt(plain)
  encoded = Base64.encode64(plain)
  response = vault_post({ 'plaintext' => encoded}, :encrypt)
  response_data=response['data']
  response_data['ciphertext']
end

.endpoint(action) ⇒ Object

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 128

def endpoint(action)
  {
    :decrypt => "transit/decrypt/#{option :keyname}",
    :encrypt => "transit/encrypt/#{option :keyname}",
    :login   => "auth/approle/login"
  }[action]
end

.login ⇒ Object

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 80

def login
  role_id = option :role_id
  secret_id = option :secret_id

  login_data = { "role_id" => role_id }
  login_data['secret_id'] = secret_id unless secret_id.nil?

  response = vault_post(login_data, :login, false)
  @approle_token = response['auth']['client_token']
end

.parse_response(response) ⇒ Object

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 142

def parse_response(response)
  body = JSON.load(response.body)
  if response.code_type == Net::HTTPOK
    return body
  else
    if response.code == "403"
      raise AuthenticationError, body
    end
    if body['errors'].is_a?(Array)
      message = body['errors'].join("\n")
    else
      message = "Failed to decrypt entry #{body}"
    end
    raise Exception, "Error decrypting data from Vault: #{message}"
  end
end

.read_file(file) ⇒ Object

Raises:

• (Exception)

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 95

def read_file(file)
  raise Exception, "Cannot read #{file}" unless File.exists?(file)
  File.read(file)
end

.ssl? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 91

def ssl?
  option :use_ssl
end

.ssl_cert ⇒ Object

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 106

def ssl_cert
  return nil if option(:ssl_cert).nil?
  @vault_ssl_cert ||= read_file(option :ssl_cert)
  @vault_ssl_cert
end

.ssl_key ⇒ Object

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 100

def ssl_key
  return nil if option(:ssl_key).nil?
  @vault_ssl_key ||= read_file(option :ssl_key)
  @vault_ssl_key
end

.token ⇒ Object

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 117

def token
  authenticate
  option(:token) || @approle_token
end

.token_configured? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 113

def token_configured?
  not option(:token).nil?
end

.url_path(action) ⇒ Object

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 136

def url_path(action)
  vault_url(endpoint(action))
end

.vault_post(data, action, use_token = true, headers = {}) ⇒ Object

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 159

def vault_post(data, action, use_token=true, headers={})
  url = url_path(action)
  http_options = {}

  if ssl?
    http_options = {
      :ssl        => true,
      :ssl_verify => option(:ssl_verify),
      :ssl_cert   => ssl_cert,
      :ssl_key    => ssl_key,
    }
  end

  begin
    tries ||= 0
    headers['X-Vault-Token'] = token if use_token
    parse_response HTTP_HANDLER.post(url, data, headers, http_options)
  rescue AuthenticationError => e
    login
    retry if (tries += 1) < 2
    raise
  rescue HTTPError => e
    raise Exception, "HTTP Error: #{e}"
  end
end

.vault_url(endpoint) ⇒ Object

BEGIN IMPORT

# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 72

def vault_url(endpoint)
  uri = []
  uri << option(:addr)
  uri << "v#{option :api_version}"
  uri << endpoint
  uri.flatten.join("/")
end