Class: Hiera::Backend::Eyaml::Encryptors::Vault
- Inherits:
-
Encryptor
- Object
- Encryptor
- Hiera::Backend::Eyaml::Encryptors::Vault
- Defined in:
- lib/hiera/backend/eyaml/encryptors/vault.rb,
lib/hiera/backend/eyaml/encryptors/vault/httphandler.rb
Defined Under Namespace
Classes: AuthenticationError, HTTPError, Httphandler
Constant Summary
- VERSION =
"0.0.2"
- HTTP_HANDLER =
Hiera::Backend::Eyaml::Encryptors::Vault::Httphandler
Class Method Details
.authenticate ⇒ Object
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 122
def authenticate
  # A statically configured :token wins; nothing to do in that case.
  return if token_configured?
  # Otherwise obtain an AppRole token once and cache it in @approle_token.
  login if @approle_token.nil?
end
.create_keys ⇒ Object
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 65
def create_keys
  # Placeholder: this backend does not create a transit key in Vault; it only
  # echoes the configured :diagnostic_message option.
  puts "Create_keys: #{self.option(:diagnostic_message)}"
end
.decrypt(string) ⇒ Object
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 185
def decrypt(string)
  # Vault transit returns the plaintext base64-encoded under data.plaintext.
  payload = { 'ciphertext' => string }
  data = vault_post(payload, :decrypt)['data']
  Base64.decode64(data['plaintext'])
end
.encrypt(plain) ⇒ Object
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 191
def encrypt(plain)
  # Transit expects base64 input; encode64 output (newline-wrapped) is sent as-is.
  payload = { 'plaintext' => Base64.encode64(plain) }
  data = vault_post(payload, :encrypt)['data']
  data['ciphertext']
end
.endpoint(action) ⇒ Object
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 128
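# Map a symbolic action to its Vault API path (relative to /v<api_version>/).
#
# @param action [Symbol] :decrypt, :encrypt or :login
# @return [String] the API path
# @raise [ArgumentError] for any other action; previously this returned nil,
#   which produced a malformed request URL further down the line.
def endpoint(action)
  # :keyname is interpolated verbatim into the path with no escaping, so the
  # eyaml configuration that supplies it has to be trusted.
  paths = {
    :decrypt => "transit/decrypt/#{option :keyname}",
    :encrypt => "transit/encrypt/#{option :keyname}",
    :login => "auth/approle/login"
  }
  paths.fetch(action) { raise ArgumentError, "Unknown Vault action: #{action.inspect}" }
end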
.login ⇒ Object
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 80
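# Perform a Vault AppRole login and cache the issued client token.
#
# Sends :role_id (and :secret_id when configured) to auth/approle/login
# without an X-Vault-Token header, then stores auth.client_token in
# @approle_token.
#
# @return [String] the client token
# @raise [AuthenticationError] when the login response carries no
#   auth.client_token (previously this surfaced as a NoMethodError)
def login
  role_id = option :role_id
  secret_id = option :secret_id
  login_data = { "role_id" => role_id }
  # secret_id is optional in this configuration; never send a nil value.
  login_data['secret_id'] = secret_id unless secret_id.nil?
  # use_token=false: the login request itself must not carry a token.
  response = vault_post(login_data, :login, false)
  auth = response['auth']
  client_token = auth && auth['client_token']
  if client_token.nil?
    raise AuthenticationError, "Vault AppRole login returned no auth.client_token"
  end
  @approle_token = client_token
end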
.parse_response(response) ⇒ Object
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 142
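# Decode a Vault HTTP response body and turn non-200 answers into exceptions.
#
# @param response [Net::HTTPResponse-like] object responding to #body, #code
#   and #code_type
# @return [Hash, nil] the decoded JSON body on HTTP 200 (nil for an empty body)
# @raise [AuthenticationError] on HTTP 403 (vault_post rescues this to
#   re-login once and retry)
# @raise [StandardError] on any other non-200 status, carrying Vault's
#   "errors" array joined by newlines when present
def parse_response(response)
  raw = response.body.to_s
  # JSON.parse, not JSON.load: JSON.load historically enables create_additions,
  # which lets a "json_class" key in the body instantiate arbitrary Ruby
  # classes. The body arrives over the network and must be treated as data.
  # An empty body (which JSON.load silently mapped to nil) stays nil.
  body = raw.strip.empty? ? nil : JSON.parse(raw)
  return body if response.code_type == Net::HTTPOK

  raise AuthenticationError, body if response.code == "403"

  message = if body.is_a?(Hash) && body['errors'].is_a?(Array)
              body['errors'].join("\n")
            else
              "Failed to decrypt entry #{body}"
            end
  # StandardError instead of Exception so ordinary `rescue` clauses catch it;
  # the message wording is kept as-is although this path also serves encrypt
  # and login responses.
  raise StandardError, "Error decrypting data from Vault: #{message}"
end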
.read_file(file) ⇒ Object
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 95
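# Read a file (used for the TLS client cert and key) into a String.
#
# @param file [String] path to read
# @return [String] the file contents
# @raise [StandardError] "Cannot read <file>" when the path does not exist
def read_file(file)
  # File.exists? was removed in Ruby 3.2; File.exist? is the supported name.
  raise StandardError, "Cannot read #{file}" unless File.exist?(file)
  File.read(file)
end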
.ssl? ⇒ Boolean
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 91
def ssl?
  # Returns the raw :use_ssl option (nil, not false, when unset). When this is
  # falsy the token and plaintexts travel to Vault over plain HTTP.
  option(:use_ssl)
end
.ssl_cert ⇒ Object
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 106
def ssl_cert
  # Client certificate PEM for TLS client auth, or nil when not configured.
  path = option(:ssl_cert)
  return nil if path.nil?
  # Read once and cache; read_file raises if the path is missing.
  @vault_ssl_cert ||= read_file(path)
end
.ssl_key ⇒ Object
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 100
def ssl_key
  # Client private key PEM for TLS client auth, or nil when not configured.
  path = option(:ssl_key)
  return nil if path.nil?
  # Cached in memory for the life of the process after the first read.
  @vault_ssl_key ||= read_file(path)
end
.token ⇒ Object
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 117
def token
  # Make sure an AppRole token exists when no static one is configured.
  authenticate
  # A configured :token always takes precedence over the AppRole token.
  static_token = option(:token)
  static_token || @approle_token
end
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 113
def token_configured?
  # true when a static :token option is present (AppRole login is skipped).
  !option(:token).nil?
end
.url_path(action) ⇒ Object
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 136
def url_path(action)
  # Full URL for an action: <addr>/v<api_version>/<endpoint>.
  path = endpoint(action)
  vault_url(path)
end
.vault_post(data, action, use_token = true, headers = {}) ⇒ Object
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 159
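# POST a JSON payload to a Vault endpoint and return the parsed response.
#
# @param data [Hash] request body
# @param action [Symbol] :decrypt, :encrypt or :login (see #endpoint)
# @param use_token [Boolean] attach X-Vault-Token (false for the login call)
# @param headers [Hash] extra request headers; not mutated
# @return [Hash] the parsed response body (see #parse_response)
# @raise [AuthenticationError] when a 403 persists after one re-login
# @raise [StandardError] "HTTP Error: ..." for transport-level failures
def vault_post(data, action, use_token = true, headers = {})
  url = url_path(action)
  http_options = {}
  if ssl?
    http_options = {
      :ssl => true,
      # NOTE(review): :ssl_verify is passed through verbatim. A falsy value
      # disables server certificate verification and exposes the Vault token
      # and every plaintext to an on-path attacker; it should only be off for
      # local testing.
      :ssl_verify => option(:ssl_verify),
      :ssl_cert => ssl_cert,
      :ssl_key => ssl_key,
    }
  end
  tries = 0
  begin
    # Build a fresh header hash so the token is never written into the
    # caller's hash (which may be reused or logged).
    request_headers = use_token ? headers.merge('X-Vault-Token' => token) : headers
    parse_response HTTP_HANDLER.post(url, data, request_headers, http_options)
  rescue AuthenticationError
    # Token rejected: re-login once and retry; `token` picks up the new
    # @approle_token on the retry. A 403 from login itself propagates.
    login
    retry if (tries += 1) < 2
    raise
  rescue HTTPError => e
    # StandardError rather than Exception so ordinary rescue clauses catch it.
    raise StandardError, "HTTP Error: #{e}"
  end
end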
.vault_url(endpoint) ⇒ Object
# File 'lib/hiera/backend/eyaml/encryptors/vault.rb', line 72
def vault_url(endpoint)
  # Joined with "/" as-is: no trailing-slash normalisation of :addr happens here.
  parts = [option(:addr), "v#{option :api_version}", endpoint]
  parts.flatten.join("/")
end