Class: Vault::Sys

Inherits:

Request

• Object
• Request
• Vault::Sys

Defined in:

lib/vault/api/sys.rb,
lib/vault/api/sys/auth.rb,
lib/vault/api/sys/init.rb,
lib/vault/api/sys/seal.rb,
lib/vault/api/sys/audit.rb,
lib/vault/api/sys/lease.rb,
lib/vault/api/sys/mount.rb,
lib/vault/api/sys/leader.rb,
lib/vault/api/sys/policy.rb

Instance Attribute Summary

Attributes inherited from Request

#client

Instance Method Summary

• #audits ⇒ Hash<Symbol, Audit>

  List all audis for the vault.

• #auths ⇒ Hash<Symbol, Auth>

  List all auths in Vault.

• #delete_policy(name) ⇒ Object

  Delete the policy with the given name.

• #disable_audit(path) ⇒ true

  Disable a particular audit.

• #disable_auth(path) ⇒ true

  Disable a particular authentication at the given path.

• #enable_audit(path, type, description, options = {}) ⇒ true

  Enable a particular audit.

• #enable_auth(path, type, description = nil) ⇒ true

  Enable a particular authentication at the given path.

• #init(options = {}) ⇒ InitResponse

  Initialize a new vault.

• #init_status ⇒ InitStatus

  Show the initialization status for this vault.

• #leader ⇒ LeaderStatus

  Determine the leader status for this vault.

• #mount(path, type, description = nil) ⇒ Object

  Create a mount at the given path.

• #mounts ⇒ Hash<Symbol, Mount>

  List all mounts in the vault.

• #policies ⇒ Array<String>

  The list of policies in vault.

• #policy(name) ⇒ Policy^?

  Get the policy by the given name.

• #put_policy(name, rules) ⇒ true

  Create a new policy with the given name and rules.

• #remount(from, to) ⇒ true

  Change the name of the mount.

• #renew(id, increment = 0) ⇒ Secret

  Renew a lease with the given ID.

• #revoke(id) ⇒ true

  Revoke the secret at the given id.

• #revoke_prefix(id) ⇒ true

  Revoke all secrets under the given prefix.

• #seal ⇒ true

  Seal the vault.

• #seal_status ⇒ SealStatus

  Get the current seal status.

• #unmount(path) ⇒ true

  Unmount the thing at the given path.

• #unseal(shard) ⇒ SealStatus

  Unseal the vault with the given shard.

Methods inherited from Request

#initialize, #inspect, #to_s

Constructor Details

This class inherits a constructor from Vault::Request

Instance Method Details

#audits ⇒ Hash<Symbol, Audit>

List all audis for the vault.

Examples:

Vault.sys.audits #=> { :file => #<Audit> }

Returns:

• (Hash<Symbol, Audit>)

# File 'lib/vault/api/sys/audit.rb', line 15

def audits
  json = client.get("/v1/sys/audit")
  return Hash[*json.map do |k,v|
    [k.to_s.chomp("/").to_sym, Audit.decode(v)]
  end.flatten]
end

#auths ⇒ Hash<Symbol, Auth>

List all auths in Vault.

Examples:

Vault.sys.auths #=> {:token => #<Vault::Auth type="token", description="token based credentials">}

Returns:

• (Hash<Symbol, Auth>)

# File 'lib/vault/api/sys/auth.rb', line 15

def auths
  json = client.get("/v1/sys/auth")
  return Hash[*json.map do |k,v|
    [k.to_s.chomp("/").to_sym, Auth.decode(v)]
  end.flatten]
end

#delete_policy(name) ⇒ Object

Delete the policy with the given name. If a policy does not exist, vault will not return an error.

Examples:

Vault.sys.delete_policy("dev") #=> true

Parameters:

• name (String) —

  the name of the policy

# File 'lib/vault/api/sys/policy.rb', line 71

def delete_policy(name)
  client.delete("/v1/sys/policy/#{name}")
  return true
end

#disable_audit(path) ⇒ true

Disable a particular audit. If an audit does not exist, and error will be raised.

Parameters:

• path (String) —

  the path of the audit to disable

Returns:

• (true)

# File 'lib/vault/api/sys/audit.rb', line 55

def disable_audit(path)
  client.delete("/v1/sys/audit/#{path}")
  return true
end

#disable_auth(path) ⇒ true

Disable a particular authentication at the given path. If not auth exists at that path, an error will be raised.

Examples:

Vault.sys.disable_auth("github") #=> true

Parameters:

• path (String) —

  the path to disable

Returns:

• (true)

# File 'lib/vault/api/sys/auth.rb', line 53

def disable_auth(path)
  client.delete("/v1/sys/auth/#{path}")
  return true
end

#enable_audit(path, type, description, options = {}) ⇒ true

Enable a particular audit. Note: the options depend heavily on the type of audit being enabled. Please refer to audit-specific documentation for which need to be enabled.

Examples:

Vault.sys.enable_audit("/file-audit", "file", "File audit", path: "/path/on/disk") #=> true

Parameters:

• path (String) —

  the path to mount the audit

• type (String) —

  the type of audit to enable

• description (String) —

  a human-friendly description of the audit backend

• options (Hash) (defaults to: {}) —

  audit-specific options

Returns:

• (true)

# File 'lib/vault/api/sys/audit.rb', line 39

def enable_audit(path, type, description, options = {})
  client.put("/v1/sys/audit/#{path}", JSON.fast_generate(
    type:        type,
    description: description,
    options:     options,
  ))
  return true
end

#enable_auth(path, type, description = nil) ⇒ true

Enable a particular authentication at the given path.

Examples:

Vault.sys.enable_auth("github", "github") #=> true

Parameters:

• path (String) —

  the path to mount the auth

• type (String) —

  the type of authentication

• description (String) (defaults to: nil) —

  a human-friendly description (optional)

Returns:

• (true)

# File 'lib/vault/api/sys/auth.rb', line 35

def enable_auth(path, type, description = nil)
  payload = { type: type }
  payload[:description] = description if !description.nil?

  client.post("/v1/sys/auth/#{path}", JSON.fast_generate(payload))
  return true
end

#init(options = {}) ⇒ InitResponse

Initialize a new vault.

Examples:

Vault.sys.init #=> #<Vault::InitResponse keys=["..."] root_token="...">

Parameters:

• options (Hash) (defaults to: {}) —

  the list of init options

Options Hash (options):

• :shares (Fixnum) —

  the number of shares

• :threshold (Fixnum) —

  the number of keys needed to unlock

Returns:

• (InitResponse)

# File 'lib/vault/api/sys/init.rb', line 38

def init(options = {})
  json = client.put("/v1/sys/init", JSON.fast_generate(
    secret_shares:    options.fetch(:shares, 5),
    secret_threshold: options.fetch(:threshold, 3),
  ))
  return InitResponse.decode(json)
end

#init_status ⇒ InitStatus

Show the initialization status for this vault.

Examples:

Vault.sys.init_status #=> #<Vault::InitStatus initialized=true>

Returns:

• (InitStatus)

# File 'lib/vault/api/sys/init.rb', line 19

def init_status
  json = client.get("/v1/sys/init")
  return InitStatus.decode(json)
end

#leader ⇒ LeaderStatus

Determine the leader status for this vault.

Examples:

Vault.sys.leader #=> #<Vault::LeaderStatus ha_enabled=false, is_self=false, leader_address="">

Returns:

• (LeaderStatus)

# File 'lib/vault/api/sys/leader.rb', line 20

def leader
  json = client.get("/v1/sys/leader")
  return LeaderStatus.decode(json)
end

#mount(path, type, description = nil) ⇒ Object

Create a mount at the given path.

Examples:

Vault.sys.mount("pg", "postgresql", "Postgres user management") #=> true

Parameters:

• path (String) —

  the path to mount at

• type (String) —

  the type of mount

• description (String) (defaults to: nil) —

  a human-friendly description (optional)

# File 'lib/vault/api/sys/mount.rb', line 33

def mount(path, type, description = nil)
  payload = { type: type }
  payload[:description] = description if !description.nil?

  client.post("/v1/sys/mounts/#{path}", JSON.fast_generate(payload))
  return true
end

#mounts ⇒ Hash<Symbol, Mount>

List all mounts in the vault.

Examples:

Vault.sys.mounts #=> { :secret => #<struct Vault::Mount type="generic", description="generic secret storage"> }

Returns:

• (Hash<Symbol, Mount>)

# File 'lib/vault/api/sys/mount.rb', line 15

def mounts
  json = client.get("/v1/sys/mounts")
  return Hash[*json.map do |k,v|
    [k.to_s.chomp("/").to_sym, Mount.decode(v)]
  end.flatten]
end

#policies ⇒ Array<String>

The list of policies in vault.

Examples:

Vault.sys.policies #=> ["root"]

Returns:

• (Array<String>)

# File 'lib/vault/api/sys/policy.rb', line 15

def policies
  client.get("/v1/sys/policy")[:policies]
end

#policy(name) ⇒ Policy^?

Get the policy by the given name. If a policy does not exist by that name, nil is returned.

Examples:

Vault.sys.policy("root") #=> #<Vault::Policy rules="">

Returns:

• (Policy, nil)

# File 'lib/vault/api/sys/policy.rb', line 26

def policy(name)
  json = client.get("/v1/sys/policy/#{name}")
  return Policy.decode(json)
rescue HTTPError => e
  return nil if e.code == 404
  raise
end

#put_policy(name, rules) ⇒ true

Create a new policy with the given name and rules.

It is recommend that you load policy rules from a file:

Examples:

policy = <<-EOH
  path "sys" {
    policy = "deny"
  }
EOH
Vault.sys.put_policy("dev", policy) #=> true

policy = File.read("/path/to/my/policy.hcl")
Vault.sys.put_policy("dev", policy)

Parameters:

• name (String) —

  the name of the policy

• rules (String) —

  the policy rules

Returns:

• (true)

# File 'lib/vault/api/sys/policy.rb', line 56

def put_policy(name, rules)
  client.put("/v1/sys/policy/#{name}", JSON.fast_generate(
    rules: rules,
  ))
  return true
end

#remount(from, to) ⇒ true

Change the name of the mount

Examples:

Vault.sys.remount("pg", "postgres") #=> true

Parameters:

• from (String) —

  the origin mount path

• to (String) —

  the new mount path

Returns:

• (true)

# File 'lib/vault/api/sys/mount.rb', line 67

def remount(from, to)
  client.post("/v1/sys/remount", JSON.fast_generate(
    from: from,
    to:   to,
  ))
  return true
end

#renew(id, increment = 0) ⇒ Secret

Renew a lease with the given ID.

Examples:

Vault.sys.renew("aws/username") #=> #<Vault::Secret ...>

Parameters:

• id (String) —

  the lease ID

• increment (Fixnum) (defaults to: 0)

Returns:

• (Secret)

# File 'lib/vault/api/sys/lease.rb', line 15

def renew(id, increment = 0)
  json = client.put("/v1/sys/renew/#{id}", JSON.fast_generate(
    increment: increment,
  ))
  return Secret.decode(json)
end

#revoke(id) ⇒ true

Revoke the secret at the given id. If the secret does not exist, an error will be raised.

Examples:

Vault.sys.revoke("aws/username") #=> true

Parameters:

• id (String) —

  the lease ID

Returns:

• (true)

# File 'lib/vault/api/sys/lease.rb', line 32

def revoke(id)
  client.put("/v1/sys/revoke/#{id}", nil)
  return true
end

#revoke_prefix(id) ⇒ true

Revoke all secrets under the given prefix.

Examples:

Vault.sys.revoke_prefix("aws") #=> true

Parameters:

• id (String) —

  the lease ID

Returns:

• (true)

# File 'lib/vault/api/sys/lease.rb', line 46

def revoke_prefix(id)
  client.put("/v1/sys/revoke-prefix/#{id}", nil)
  return true
end

#seal ⇒ true

Seal the vault. Warning: this will seal the vault!

Examples:

Vault.sys.seal #=> true

Returns:

• (true)

# File 'lib/vault/api/sys/seal.rb', line 28

def seal
  client.put("/v1/sys/seal", nil)
  return true
end

#seal_status ⇒ SealStatus

Get the current seal status.

Examples:

Vault.sys.seal_status #=> #<Vault::SealStatus sealed=false, t=1, n=1, progress=0>

Returns:

• (SealStatus)

# File 'lib/vault/api/sys/seal.rb', line 17

def seal_status
  json = client.get("/v1/sys/seal-status")
  return SealStatus.decode(json)
end

#unmount(path) ⇒ true

Unmount the thing at the given path. If the mount does not exist, an error will be raised.

Examples:

Vault.sys.unmount("pg") #=> true

Parameters:

• path (String) —

  the path to unmount

Returns:

• (true)

# File 'lib/vault/api/sys/mount.rb', line 51

def unmount(path)
  client.delete("/v1/sys/mounts/#{path}")
  return true
end

#unseal(shard) ⇒ SealStatus

Unseal the vault with the given shard.

Examples:

Vault.sys.unseal("abcd-1234") #=> #<Vault::SealStatus sealed=true, t=3, n=5, progress=1>

Parameters:

• shard (String) —

  the key to use

Returns:

• (SealStatus)

# File 'lib/vault/api/sys/seal.rb', line 42

def unseal(shard)
  json = client.put("/v1/sys/unseal", JSON.fast_generate(
    key: shard,
  ))
  return SealStatus.decode(json)
end