Class: Vault::Client
- Inherits:
-
Object
- Object
- Vault::Client
- Includes:
- Configurable
- Defined in:
- lib/vault/client.rb,
lib/vault/api/sys.rb,
lib/vault/api/auth.rb,
lib/vault/api/help.rb,
lib/vault/api/logical.rb,
lib/vault/api/auth_token.rb
Constant Summary collapse
- USER_AGENT =
The user agent for this client.
"VaultRuby/#{Vault::VERSION} (+github.com/hashicorp/vault-ruby)".freeze
- TOKEN_HEADER =
The name of the header used to hold the Vault token.
"X-Vault-Token".freeze
- LOCATION_HEADER =
The name of the header used for redirection.
"location".freeze
- DEFAULT_HEADERS =
The default headers that are sent with every request.
{ "Content-Type" => "application/json", "Accept" => "application/json", "User-Agent" => USER_AGENT, }.freeze
- JSON_PARSE_OPTIONS =
The default list of options to use when parsing JSON.
{ max_nesting: false, create_additions: false, symbolize_names: true, }.freeze
- RESCUED_EXCEPTIONS =
[].tap do |a| # Failure to even open the socket (usually permissions) a << SocketError # Failed to reach the server (aka bad URL) a << Errno::ECONNREFUSED # Failed to read body or no response body given a << EOFError # Timeout (Ruby 1.9-) a << Timeout::Error # Timeout (Ruby 1.9+) - Ruby 1.9 does not define these constants so we # only add them if they are defiend a << Net::ReadTimeout if defined?(Net::ReadTimeout) a << Net::OpenTimeout if defined?(Net::OpenTimeout) end.freeze
Instance Method Summary collapse
-
#auth ⇒ Auth
A proxy to the Auth methods.
-
#auth_token ⇒ AuthToken
A proxy to the AuthToken methods.
-
#build_uri(verb, path, params = {}) ⇒ URI
Construct a URL from the given verb and path.
-
#class_for_request(verb) ⇒ Class
Helper method to get the corresponding Net::HTTP class from the given HTTP verb.
-
#delete(path, params = {}, headers = {}) ⇒ Object
Perform a DELETE request.
-
#error(response) ⇒ Object
Raise a response error, extracting as much information from the server’s response as possible.
-
#get(path, params = {}, headers = {}) ⇒ Object
Perform a GET request.
-
#help(path) ⇒ Help
Gets help for the given path.
-
#initialize(options = {}) ⇒ Vault::Client
constructor
Create a new Client with the given options.
-
#logical ⇒ Logical
A proxy to the Logical methods.
-
#patch(path, data, headers = {}) ⇒ Object
Perform a PATCH request.
-
#post(path, data, headers = {}) ⇒ Object
Perform a POST request.
-
#put(path, data, headers = {}) ⇒ Object
Perform a PUT request.
-
#request(verb, path, data = {}, headers = {}) ⇒ String, Hash
Make an HTTP request with the given verb, data, params, and headers.
-
#same_options?(opts) ⇒ true, false
Determine if the given options are the same as ours.
-
#success(response) ⇒ String, Hash
Parse the response object and manipulate the result based on the given
Content-Type
header. -
#sys ⇒ Sys
A proxy to the Sys methods.
-
#to_query_string(hash) ⇒ String?
Convert the given hash to a list of query string parameters.
-
#with_retries(*rescued, &block) ⇒ Object
Execute the given block with retries and exponential backoff.
Methods included from Configurable
Constructor Details
#initialize(options = {}) ⇒ Vault::Client
Create a new Client with the given options. Any options given take precedence over the default options.
61 62 63 64 65 66 67 |
# File 'lib/vault/client.rb', line 61 def initialize( = {}) # Use any options given, but fall back to the defaults set on the module Vault::Configurable.keys.each do |key| value = .key?(key) ? [key] : Defaults.public_send(key) instance_variable_set(:"@#{key}", value) end end |
Instance Method Details
#auth ⇒ Auth
A proxy to the Auth methods.
10 11 12 |
# File 'lib/vault/api/auth.rb', line 10 def auth @auth ||= Authenticate.new(self) end |
#auth_token ⇒ AuthToken
A proxy to the AuthToken methods.
12 13 14 |
# File 'lib/vault/api/auth_token.rb', line 12 def auth_token @auth_token ||= AuthToken.new(self) end |
#build_uri(verb, path, params = {}) ⇒ URI
Construct a URL from the given verb and path. If the request is a GET or DELETE request, the params are assumed to be query params are are converted as such using #to_query_string.
If the path is relative, it is merged with the Defaults.address attribute. If the path is absolute, it is converted to a URI object and returned.
248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 |
# File 'lib/vault/client.rb', line 248 def build_uri(verb, path, params = {}) # Add any query string parameters if [:delete, :get].include?(verb) path = [path, to_query_string(params)].compact.join("?") end # Parse the URI uri = URI.parse(path) # Don't merge absolute URLs uri = URI.parse(File.join(address, path)) unless uri.absolute? # Return the URI object uri end |
#class_for_request(verb) ⇒ Class
Helper method to get the corresponding Net::HTTP class from the given HTTP verb.
271 272 273 |
# File 'lib/vault/client.rb', line 271 def class_for_request(verb) Net::HTTP.const_get(verb.to_s.capitalize) end |
#delete(path, params = {}, headers = {}) ⇒ Object
Perform a DELETE request.
101 102 103 |
# File 'lib/vault/client.rb', line 101 def delete(path, params = {}, headers = {}) request(:delete, path, params, headers) end |
#error(response) ⇒ Object
Raise a response error, extracting as much information from the server’s response as possible.
313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 |
# File 'lib/vault/client.rb', line 313 def error(response) if response.body && response.body.match("missing client token") raise MissingTokenError end # Use the correct exception class case response when Net::HTTPClientError klass = HTTPClientError when Net::HTTPServerError klass = HTTPServerError else klass = HTTPError end if (response.content_type || '').include?("json") # Attempt to parse the error as JSON begin json = JSON.parse(response.body, JSON_PARSE_OPTIONS) if json[:errors] raise klass.new(address, response, json[:errors]) end rescue JSON::ParserError; end end raise klass.new(address, response, [response.body]) end |
#get(path, params = {}, headers = {}) ⇒ Object
Perform a GET request.
77 78 79 |
# File 'lib/vault/client.rb', line 77 def get(path, params = {}, headers = {}) request(:get, path, params, headers) end |
#help(path) ⇒ Help
Gets help for the given path.
18 19 20 21 |
# File 'lib/vault/api/help.rb', line 18 def help(path) json = self.get("/v1/#{path}", help: 1) return Help.decode(json) end |
#logical ⇒ Logical
A proxy to the Logical methods.
10 11 12 |
# File 'lib/vault/api/logical.rb', line 10 def logical @logical ||= Logical.new(self) end |
#patch(path, data, headers = {}) ⇒ Object
Perform a PATCH request.
95 96 97 |
# File 'lib/vault/client.rb', line 95 def patch(path, data, headers = {}) request(:patch, path, data, headers) end |
#post(path, data, headers = {}) ⇒ Object
Perform a POST request.
83 84 85 |
# File 'lib/vault/client.rb', line 83 def post(path, data, headers = {}) request(:post, path, data, headers) end |
#put(path, data, headers = {}) ⇒ Object
Perform a PUT request.
89 90 91 |
# File 'lib/vault/client.rb', line 89 def put(path, data, headers = {}) request(:put, path, data, headers) end |
#request(verb, path, data = {}, headers = {}) ⇒ String, Hash
Make an HTTP request with the given verb, data, params, and headers. If the response has a return type of JSON, the JSON is automatically parsed and returned as a hash; otherwise it is returned as a string.
124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 |
# File 'lib/vault/client.rb', line 124 def request(verb, path, data = {}, headers = {}) # Build the URI and request object from the given information uri = build_uri(verb, path, data) request = class_for_request(verb).new(uri.request_uri) # Get a list of headers headers = DEFAULT_HEADERS.merge(headers) # Add the Vault token header - users could still override this on a # per-request basis if !token.nil? request.add_field(TOKEN_HEADER, token) end # Add headers headers.each do |key, value| request.add_field(key, value) end # Setup PATCH/POST/PUT if [:patch, :post, :put].include?(verb) if data.respond_to?(:read) request.content_length = data.size request.body_stream = data elsif data.is_a?(Hash) request.form_data = data else request.body = data end end # Create the HTTP connection object - since the proxy information defaults # to +nil+, we can just pass it to the initializer method instead of doing # crazy strange conditionals. connection = Net::HTTP.new(uri.host, uri.port, proxy_address, proxy_port, proxy_username, proxy_password) # Use a custom open timeout if open_timeout || timeout connection.open_timeout = (open_timeout || timeout).to_i end # Use a custom read timeout if read_timeout || timeout connection.read_timeout = (read_timeout || timeout).to_i end # Apply SSL, if applicable if uri.scheme == "https" # Turn on SSL connection.use_ssl = true # Vault requires TLS1.2 connection.ssl_version = "TLSv1_2" # Only use secure ciphers connection.ciphers = ssl_ciphers # Custom pem files, no problem! if ssl_pem_file pem = File.read(ssl_pem_file) connection.cert = OpenSSL::X509::Certificate.new(pem) connection.key = OpenSSL::PKey::RSA.new(pem, ssl_pem_passphrase) connection.verify_mode = OpenSSL::SSL::VERIFY_PEER end # Use custom CA cert for verification if ssl_ca_cert connection.ca_file = ssl_ca_cert end # Use custom CA path that contains CA certs if ssl_ca_path connection.ca_path = ssl_ca_path end # Naughty, naughty, naughty! Don't blame me when someone hops in # and executes a MITM attack! if !ssl_verify connection.verify_mode = OpenSSL::SSL::VERIFY_NONE end # Use custom timeout for connecting and verifying via SSL if ssl_timeout || timeout connection.ssl_timeout = (ssl_timeout || timeout).to_i end end begin # Create a connection using the block form, which will ensure the socket # is properly closed in the event of an error. connection.start do |http| response = http.request(request) case response when Net::HTTPRedirection request(verb, response[LOCATION_HEADER], data, headers) when Net::HTTPSuccess success(response) else error(response) end end rescue *RESCUED_EXCEPTIONS => e raise HTTPConnectionError.new(address, e) end end |
#same_options?(opts) ⇒ true, false
Determine if the given options are the same as ours.
71 72 73 |
# File 'lib/vault/client.rb', line 71 def (opts) .hash == opts.hash end |
#success(response) ⇒ String, Hash
Parse the response object and manipulate the result based on the given Content-Type
header. For now, this method only parses JSON, but it could be expanded in the future to accept other content types.
298 299 300 301 302 303 304 |
# File 'lib/vault/client.rb', line 298 def success(response) if response.body && (response.content_type || '').include?("json") JSON.parse(response.body, JSON_PARSE_OPTIONS) else response.body end end |
#sys ⇒ Sys
A proxy to the Sys methods.
9 10 11 |
# File 'lib/vault/api/sys.rb', line 9 def sys @sys ||= Sys.new(self) end |
#to_query_string(hash) ⇒ String?
Convert the given hash to a list of query string parameters. Each key and value in the hash is URI-escaped for safety.
283 284 285 286 287 |
# File 'lib/vault/client.rb', line 283 def to_query_string(hash) hash.map do |key, value| "#{CGI.escape(key.to_s)}=#{CGI.escape(value.to_s)}" end.join('&')[/.+/] end |
#with_retries(*rescued, &block) ⇒ Object
Execute the given block with retries and exponential backoff.
346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 |
# File 'lib/vault/client.rb', line 346 def with_retries(*rescued, &block) = rescued.last.is_a?(Hash) ? rescued.pop : {} exception = nil retries = 0 max_attempts = [:attempts] || Defaults::RETRY_ATTEMPTS backoff_base = [:base] || Defaults::RETRY_BASE backoff_max = [:max_wait] || Defaults::RETRY_MAX_WAIT begin return yield retries rescue *rescued => e exception = e retries += 1 raise if retries > max_attempts # Calculate the exponential backoff combined with an element of # randomness. backoff = [backoff_base * (2 ** (retries - 1)), backoff_max].min backoff = backoff * (0.5 * (1 + Kernel.rand)) # Ensure we are sleeping at least the minimum interval. backoff = [backoff_base, backoff].max # Exponential backoff. Kernel.sleep(backoff) # Now retry retry end end |