Module: Vault::Transit

Defined in:
lib/vault/transit.rb,
lib/vault/transit/version.rb,
lib/vault/transit/configurable.rb

Defined Under Namespace

Modules: Configurable

Constant Summary collapse

DEFAULT_ENCODING =

The default encoding.

Returns:

  • (String)
"utf-8".freeze
DEV_WARNING =

The warning string to print when running in development mode.

"[vault-transit] Using in-memory cipher - this is not secure " \
"and should never be used in production-like environments!".freeze
VERSION =
"0.1.0"

Class Attribute Summary collapse

Class Method Summary collapse

Class Attribute Details

.client ⇒ Object (readonly)

Returns the value of attribute client.



# File 'lib/vault/transit.rb', line 22

# The Vault client this module delegates to. It is assigned by +setup!+
# and is nil until that has been called.
#
# @return [Vault::Client, nil] the configured client
def client
  @client
end

Class Method Details

.decrypt(key, ciphertext, client = self.client) ⇒ String

Decrypt the given ciphertext data using the provided key.

Parameters:

  • key (String)

    the name of the transit key to decrypt with

  • ciphertext (String)

    the ciphertext to decrypt

  • client (Vault::Client) (defaults to: self.client)

    the Vault client to use

Returns:

  • (String)

    the decrypted plaintext



# File 'lib/vault/transit.rb', line 60

# Decrypt +ciphertext+ with the named transit key.
#
# A nil or empty ciphertext is handed back untouched so optional values can
# be passed straight through. The key is coerced to a String before use.
# When the module is not enabled (+enabled?+ is false) the in-memory cipher
# is used instead of Vault; that is the development fallback described by
# DEV_WARNING and is not secure.
#
# @param key [String] the name of the transit key to decrypt with
# @param ciphertext [String] the ciphertext to decrypt
# @param client [Vault::Client] the Vault client to use
# @return [String] the decrypted plaintext, re-encoded via +force_encoding+
def decrypt(key, ciphertext, client = self.client)
  return ciphertext if ciphertext.nil? || ciphertext.empty?

  key = key.to_s unless key.is_a?(String)

  with_retries_and_reauthentication do
    plaintext =
      if enabled?
        vault_decrypt(key, ciphertext, client)
      else
        memory_decrypt(key, ciphertext, client)
      end

    # The explicit return leaves +decrypt+ itself from inside the retry
    # block, so the helper's own return value is never used.
    return force_encoding(plaintext)
  end
end

.encrypt(key, plaintext, client = self.client) ⇒ String

Encrypt the given plaintext data using the provided key.

Parameters:

  • key (String)

    the name of the transit key to encrypt with

  • plaintext (String)

    the plaintext to encrypt

  • client (Vault::Client) (defaults to: self.client)

    the Vault client to use

Returns:

  • (String)

    the encrypted ciphertext



# File 'lib/vault/transit.rb', line 89

# Encrypt +plaintext+ with the named transit key.
#
# A nil or empty plaintext is handed back untouched so optional values can
# be passed straight through. The key is coerced to a String before use.
# When the module is not enabled (+enabled?+ is false) the in-memory cipher
# is used instead of Vault; that is the development fallback described by
# DEV_WARNING and is not secure.
#
# @param key [String] the name of the transit key to encrypt with
# @param plaintext [String] the plaintext to encrypt
# @param client [Vault::Client] the Vault client to use
# @return [String] the ciphertext, re-encoded via +force_encoding+
def encrypt(key, plaintext, client = self.client)
  return plaintext if plaintext.nil? || plaintext.empty?

  key = key.to_s unless key.is_a?(String)

  with_retries_and_reauthentication do
    ciphertext =
      if enabled?
        vault_encrypt(key, plaintext, client)
      else
        memory_encrypt(key, plaintext, client)
      end

    # The explicit return leaves +encrypt+ itself from inside the retry
    # block, so the helper's own return value is never used.
    return force_encoding(ciphertext)
  end
end

.method_missing(m, *args, &block) ⇒ Object

Delegate any method the module does not define itself to the client object, essentially making the module object behave like a Client.



# File 'lib/vault/transit.rb', line 36

# Forward any message this module does not understand to the client, so the
# module can stand in for a Vault::Client. Only methods the client publicly
# responds to are forwarded (+public_send+); anything else falls through to
# +super+ and raises NoMethodError as usual.
#
# @param m [Symbol] the method name that was not found
# @param args [Array] positional arguments to forward
# @param block [Proc, nil] block to forward
# @return [Object] whatever the client method returns
def method_missing(m, *args, &block)
  return super unless client.respond_to?(m)

  client.public_send(m, *args, &block)
end

.respond_to_missing?(m, include_private = false) ⇒ Boolean

Delegating `respond_to?` to the client.

Returns:

  • (Boolean)


# File 'lib/vault/transit.rb', line 45

# Report a method as supported when the client responds to it, so that
# +respond_to?+ on the module agrees with the delegation in +method_missing+.
# Note that +include_private+ is passed through here while +method_missing+
# only forwards via +public_send+, so a private client method may be reported
# as respondable yet not be callable through the module.
#
# @param m [Symbol] the method name being queried
# @param include_private [Boolean] whether private methods count
# @return [Boolean]
def respond_to_missing?(m, include_private = false)
  return true if client.respond_to?(m, include_private)

  super
end

.rewrap(key, ciphertext, client = self.client) ⇒ String

Rewrap the given ciphertext data using the provided key.

Parameters:

  • key (String)

    the name of the transit key to rewrap with

  • ciphertext (String)

    the ciphertext to rewrap

  • client (Vault::Client) (defaults to: self.client)

    the Vault client to use

Returns:

  • (String)

    the rewrapped ciphertext



# File 'lib/vault/transit.rb', line 118

# Rewrap +ciphertext+ under the latest version of the named transit key.
#
# A nil or empty ciphertext is handed back untouched. When the module is not
# enabled the ciphertext is returned unchanged — no rewrapping happens at
# all in that mode.
#
# @param key [String] the name of the transit key to rewrap with
# @param ciphertext [String] the ciphertext to rewrap
# @param client [Vault::Client] the Vault client to use
# @return [String] the rewrapped ciphertext, re-encoded via +force_encoding+
def rewrap(key, ciphertext, client = self.client)
  return ciphertext if ciphertext.nil? || ciphertext.empty?

  key = key.to_s unless key.is_a?(String)
  # The key name becomes a path component of the Vault route and is not
  # validated here; callers are assumed to supply trusted key names.
  route = File.join("transit", "rewrap", key)

  with_retries_and_reauthentication do
    rewrapped =
      if enabled?
        client.logical.write(route, ciphertext: ciphertext).data[:ciphertext]
      else
        ciphertext
      end

    # Returns from +rewrap+ itself from inside the retry block.
    return force_encoding(rewrapped)
  end
end

.rotate(key, client = self.client) ⇒ Object

Rotate the key to a new version

Parameters:

  • key (String)

    the key to rotate

  • client (Vault::Client) (defaults to: self.client)

    the Vault client to use



# File 'lib/vault/transit.rb', line 146

# Rotate the named transit key to a new version.
#
# Nothing is written when the module is not enabled; the call is then a
# no-op apart from running the retry wrapper.
#
# @param key [String] the name of the key to rotate
# @param client [Vault::Client] the Vault client to use
# @return [Object] whatever +with_retries_and_reauthentication+ returns
def rotate(key, client = self.client)
  key = key.to_s unless key.is_a?(String)
  # The key name becomes a path component of the Vault route and is not
  # validated here; callers are assumed to supply trusted key names.
  route = File.join("transit", "keys", key, "rotate")

  with_retries_and_reauthentication do
    client.logical.write(route) if enabled?
  end
end

.set_min_decryption_version(key, min_decryption_version, client = self.client) ⇒ Object

Set the minimum decryption version for the provided key.

Parameters:

  • key (String)

    the key to configure

  • min_decryption_version (Integer)

    the new minimum decryption version

  • client (Vault::Client) (defaults to: self.client)

    the Vault client to use



# File 'lib/vault/transit.rb', line 166

# Set the minimum decryption version for the named transit key.
#
# The value is passed to Vault as given; no local validation is performed,
# so an out-of-range or non-integer value is left for Vault to reject.
# Nothing is written when the module is not enabled.
#
# @param key [String] the name of the key to configure
# @param min_decryption_version [Integer] the new minimum decryption version
# @param client [Vault::Client] the Vault client to use
# @return [Object] whatever +with_retries_and_reauthentication+ returns
def set_min_decryption_version(key, min_decryption_version, client = self.client)
  key = key.to_s unless key.is_a?(String)

  with_retries_and_reauthentication do
    next unless enabled?

    # The key name becomes a path component of the Vault route and is not
    # validated here; callers are assumed to supply trusted key names.
    route = File.join("transit", "keys", key, "config")
    client.logical.write(route, min_decryption_version: min_decryption_version)
  end
end

.setup! ⇒ Object



# File 'lib/vault/transit.rb', line 24

# Initialise the module: run Vault's own setup, capture its client and mix
# Configurable into that client's class.
#
# The mix-in is applied to the class, not just to this one instance, so
# every object of that class is affected from this point on.
#
# @return [Vault::Transit] self, for chaining
def setup!
  ::Vault.setup!
  @client = ::Vault.client
  @client.class.class_eval { include ::Vault::Transit::Configurable }

  self
end