Class: ConfigurationService::Test::VaultAdminClient

Inherits:
Object
Defined in:
lib/configuration_service/test/vault_admin_client.rb

Overview

Fixture helper for Vault test orchestration provider

It bypasses the Provider::Vault configuration service provider and manipulates Vault directly.

Never use this with a production Vault instance.

Class Method Summary

Instance Method Summary

Constructor Details

#initialize(options = {}) ⇒ VaultAdminClient

A new instance of VaultAdminClient

It expects a development mode Vault instance listening at https://127.0.0.1:8200 and a root token for that instance in the VAULT_TOKEN environment variable. It also accepts the VAULT_ADDR and VAULT_CACERT environment variables if present.



# File 'lib/configuration_service/test/vault_admin_client.rb', line 24

def initialize(options = {})
  # File.exist? replaces File.exists?, which was removed in Ruby 3.2
  if ENV["VAULT_TOKEN"] and File.exist?("#{ENV["HOME"]}/.vault-token")
    $stderr.puts "warning: ~/.vault-token overrides VAULT_TOKEN environment variable"
  end
  @vault = ::Vault::Client.new
  @vault.ssl_ciphers = ConfigurationService::Provider::Vault::SSL_CIPHERS
end
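
A guard a test suite could run before constructing this client, as an added example that is not part of ConfigurationService. It checks that VAULT_ADDR (or the documented default) is a loopback address and reports which token source would win, following the constructor's warning that ~/.vault-token overrides VAULT_TOKEN; the method names and sample environments are hypothetical.

```ruby
require "uri"
require "ipaddr"

# Added example, not part of ConfigurationService. Method names are hypothetical.
DEFAULT_VAULT_ADDR = "https://127.0.0.1:8200" # address the constructor docs expect

# True only when the address names this machine: a literal loopback IP or
# "localhost" (assumption: localhost resolves locally on the test host).
def loopback_vault_addr?(addr)
  host = URI.parse(addr).hostname
  return false if host.nil? || host.empty?
  return true if host.casecmp?("localhost")
  IPAddr.new(host).loopback?
rescue URI::InvalidURIError, IPAddr::Error
  false # unparsable URL or a DNS name rather than an IP literal
end

# Which token would be used: per the constructor's warning, ~/.vault-token
# takes precedence over the VAULT_TOKEN environment variable.
def token_source(env, token_file_exists)
  return :token_file if token_file_exists
  env["VAULT_TOKEN"].to_s.empty? ? :none : :env
end

# Returns reasons not to run the fixture; an empty list means the environment
# looks like the local development instance.
def fixture_environment_problems(env, token_file_exists: false)
  problems = []
  addr = env.fetch("VAULT_ADDR", DEFAULT_VAULT_ADDR)
  problems << "VAULT_ADDR #{addr} is not a loopback address" unless loopback_vault_addr?(addr)
  case token_source(env, token_file_exists)
  when :none
    problems << "no token found: VAULT_TOKEN is unset and ~/.vault-token is absent"
  when :token_file
    problems << "~/.vault-token overrides VAULT_TOKEN" unless env["VAULT_TOKEN"].to_s.empty?
  end
  problems
end

# Constructed sample environments (token values are placeholders).
SAMPLE_ENVS = {
  "dev default"   => { "VAULT_TOKEN" => "dev-root-token-placeholder" },
  "remote server" => { "VAULT_ADDR" => "https://vault.example.com:8200",
                       "VAULT_TOKEN" => "dev-root-token-placeholder" },
}
SAMPLE_ENVS.each do |name, env|
  problems = fixture_environment_problems(env)
  puts "#{name}: #{problems.empty? ? 'ok' : problems.join('; ')}"
end
```

In a real test helper, pass `ENV` and `File.exist?(File.join(Dir.home, ".vault-token"))` and abort the run when the returned list is not empty.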

Class Method Details

.preflight_check ⇒ Object

Test Vault access

Creates a new ConfigurationService::Test::VaultAdminClient and uses it to test connectivity to the development mode Vault instance.

Raises:

  • (::Vault::VaultError)

    on failure



# File 'lib/configuration_service/test/vault_admin_client.rb', line 122

def self.preflight_check
  new.send(:preflight_check)
end

Instance Method Details

#consumer_policy(identifier) ⇒ String

Create a Vault policy for requesting configuration

Parameters:

  • identifier (String)

    the configuration identifier to create the read policy for

Returns:

  • (String)

    the policy



# File 'lib/configuration_service/test/vault_admin_client.rb', line 63

def consumer_policy(identifier)
  create_policy_for(identifier, "consumer", "read")
end

#consumer_token(identifier) ⇒ String

Create a Vault token to request configuration

Parameters:

  • identifier (String)

    the configuration identifier to authorize the token to read

Returns:

  • (String)

    the token



# File 'lib/configuration_service/test/vault_admin_client.rb', line 51

def consumer_token(identifier)
  create_token_for(consumer_policy(identifier))
end

#delete_configuration(identifier) ⇒ Object

Delete configuration

Parameters:

  • identifier (String)

    the configuration identifier



# File 'lib/configuration_service/test/vault_admin_client.rb', line 38

def delete_configuration(identifier)
  path = ConfigurationService::Provider::Vault::PathHelper.path(identifier)
  @vault.logical.delete(path)
end

#none_policy(identifier) ⇒ String

Create a Vault deny policy

Parameters:

  • identifier (String)

    the configuration identifier to create the deny policy for

Returns:

  • (String)

    the policy



# File 'lib/configuration_service/test/vault_admin_client.rb', line 111

def none_policy(identifier)
  create_policy_for(identifier, "guest", "deny")
end

#none_token(identifier) ⇒ String

Create a Vault token with no privilege

Parameters:

  • identifier (String)

    the configuration identifier to deny the token for

Returns:

  • (String)

    the token



# File 'lib/configuration_service/test/vault_admin_client.rb', line 99

def none_token(identifier)
  create_token_for(none_policy(identifier))
end

#publisher_policy(identifier) ⇒ String

Create a Vault policy for publishing configuration

Parameters:

  • identifier (String)

    the configuration identifier to create the write policy for

Returns:

  • (String)

    the policy



# File 'lib/configuration_service/test/vault_admin_client.rb', line 87

def publisher_policy(identifier)
  create_policy_for(identifier, "publisher", "write")
end

#publisher_token(identifier) ⇒ String

Create a Vault token to publish configuration

Parameters:

  • identifier (String)

    the configuration identifier to authorize the token to write

Returns:

  • (String)

    the token



# File 'lib/configuration_service/test/vault_admin_client.rb', line 75

def publisher_token(identifier)
  create_token_for(publisher_policy(identifier))
end