Class: Vault::Client
- Inherits:
-
Object
- Object
- Vault::Client
- Includes:
- Configurable
- Defined in:
- lib/vault/api/kv.rb,
lib/vault/client.rb,
lib/vault/api/sys.rb,
lib/vault/api/auth.rb,
lib/vault/api/help.rb,
lib/vault/api/approle.rb,
lib/vault/api/logical.rb,
lib/vault/api/auth_tls.rb,
lib/vault/api/transform.rb,
lib/vault/api/auth_token.rb
Defined Under Namespace
Classes: SecurityError
Constant Summary collapse
- USER_AGENT =
The user agent for this client.
"VaultRuby/#{Vault::VERSION} (+github.com/hashicorp/vault-ruby)".freeze
- TOKEN_HEADER =
The name of the header used to hold the Vault token.
"X-Vault-Token".freeze
- NAMESPACE_HEADER =
The name of the header used to hold the Namespace.
"X-Vault-Namespace".freeze
- WRAP_TTL_HEADER =
The name of the header used to hold the wrapped request ttl.
"X-Vault-Wrap-TTL".freeze
- LOCATION_HEADER =
The name of the header used for redirection.
"location".freeze
- DEFAULT_HEADERS =
The default headers that are sent with every request.
{ "Content-Type" => "application/json", "Accept" => "application/json", "User-Agent" => USER_AGENT, }.freeze
- JSON_PARSE_OPTIONS =
The default list of options to use when parsing JSON.
{ max_nesting: false, create_additions: false, symbolize_names: true, }.freeze
- RESCUED_EXCEPTIONS =
[].tap do |a| # Failure to even open the socket (usually permissions) a << SocketError # Failed to reach the server (aka bad URL) a << Errno::ECONNREFUSED # Failed to read body or no response body given a << EOFError # Timeout (Ruby 1.9-) a << Timeout::Error # Timeout (Ruby 1.9+) - Ruby 1.9 does not define these constants so we # only add them if they are defiend a << Net::ReadTimeout if defined?(Net::ReadTimeout) a << Net::OpenTimeout if defined?(Net::OpenTimeout) a << PersistentHTTP::Error end.freeze
Instance Method Summary collapse
-
#approle ⇒ AppRole
A proxy to the AppRole methods.
-
#auth ⇒ Auth
A proxy to the Auth methods.
-
#auth_tls ⇒ AuthTLS
A proxy to the AuthTLS methods.
-
#auth_token ⇒ AuthToken
A proxy to the AuthToken methods.
-
#build_uri(verb, path, params = {}) ⇒ URI
Construct a URL from the given verb and path.
-
#class_for_request(verb) ⇒ Class
Helper method to get the corresponding Net::HTTP class from the given HTTP verb.
-
#delete(path, params = {}, headers = {}) ⇒ Object
Perform a DELETE request.
-
#error(response) ⇒ Object
Raise a response error, extracting as much information from the server’s response as possible.
-
#get(path, params = {}, headers = {}) ⇒ Object
Perform a GET request.
-
#help(path) ⇒ Help
Gets help for the given path.
-
#initialize(options = {}) ⇒ Vault::Client
constructor
Create a new Client with the given options.
-
#kv(mount) ⇒ KV
A proxy to the KV methods.
-
#list(path, params = {}, headers = {}) ⇒ Object
Perform a LIST request.
-
#logical ⇒ Logical
A proxy to the Logical methods.
-
#patch(path, data, headers = {}) ⇒ Object
Perform a PATCH request.
-
#post(path, data = {}, headers = {}) ⇒ Object
Perform a POST request.
-
#put(path, data, headers = {}) ⇒ Object
Perform a PUT request.
-
#request(verb, path, data = {}, headers = {}) ⇒ String, Hash
Make an HTTP request with the given verb, data, params, and headers.
-
#same_options?(opts) ⇒ true, false
Determine if the given options are the same as ours.
-
#shutdown ⇒ Object
Shutdown any open pool connections.
-
#success(response) ⇒ String, Hash
Parse the response object and manipulate the result based on the given
Content-Type
header. -
#sys ⇒ Sys
A proxy to the Sys methods.
-
#to_query_string(hash) ⇒ String?
Convert the given hash to a list of query string parameters.
-
#transform ⇒ Transform
A proxy to the Transform methods.
-
#with_retries(*rescued, &block) ⇒ Object
Execute the given block with retries and exponential backoff.
-
#with_token(token) {|Vault::Client| ... } ⇒ Object
Creates and yields a new client object with the given token.
Methods included from Configurable
Constructor Details
#initialize(options = {}) ⇒ Vault::Client
Create a new Client with the given options. Any options given take precedence over the default options.
74 75 76 77 78 79 80 81 82 83 |
# File 'lib/vault/client.rb', line 74 def initialize( = {}) # Use any options given, but fall back to the defaults set on the module Vault::Configurable.keys.each do |key| value = .key?(key) ? [key] : Defaults.public_send(key) instance_variable_set(:"@#{key}", value) end @lock = Mutex.new @nhp = nil end |
Instance Method Details
#approle ⇒ AppRole
A proxy to the AppRole methods.
12 13 14 |
# File 'lib/vault/api/approle.rb', line 12 def approle @approle ||= AppRole.new(self) end |
#auth ⇒ Auth
A proxy to the Auth methods.
10 11 12 |
# File 'lib/vault/api/auth.rb', line 10 def auth @auth ||= Authenticate.new(self) end |
#auth_tls ⇒ AuthTLS
A proxy to the AuthTLS methods.
12 13 14 |
# File 'lib/vault/api/auth_tls.rb', line 12 def auth_tls @auth_tls ||= AuthTLS.new(self) end |
#auth_token ⇒ AuthToken
A proxy to the AuthToken methods.
12 13 14 |
# File 'lib/vault/api/auth_token.rb', line 12 def auth_token @auth_token ||= AuthToken.new(self) end |
#build_uri(verb, path, params = {}) ⇒ URI
Construct a URL from the given verb and path. If the request is a GET or DELETE request, the params are assumed to be query params are are converted as such using #to_query_string.
If the path is relative, it is merged with the Defaults.address attribute. If the path is absolute, it is converted to a URI object and returned.
323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 |
# File 'lib/vault/client.rb', line 323 def build_uri(verb, path, params = {}) # Add any query string parameters if [:delete, :get].include?(verb) path = [path, to_query_string(params)].compact.join("?") end # Parse the URI uri = URI.parse(path) # Don't merge absolute URLs uri = URI.parse(File.join(address, path)) unless uri.absolute? # Return the URI object uri end |
#class_for_request(verb) ⇒ Class
Helper method to get the corresponding Net::HTTP class from the given HTTP verb.
346 347 348 |
# File 'lib/vault/client.rb', line 346 def class_for_request(verb) Net::HTTP.const_get(verb.to_s.capitalize) end |
#delete(path, params = {}, headers = {}) ⇒ Object
Perform a DELETE request.
217 218 219 |
# File 'lib/vault/client.rb', line 217 def delete(path, params = {}, headers = {}) request(:delete, path, params, headers) end |
#error(response) ⇒ Object
Raise a response error, extracting as much information from the server’s response as possible.
388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 |
# File 'lib/vault/client.rb', line 388 def error(response) if response.body && response.body.match("missing client token") raise MissingTokenError end # Use the correct exception class case response when Net::HTTPClientError klass = HTTPClientError when Net::HTTPServerError klass = HTTPServerError else klass = HTTPError end if (response.content_type || '').include?("json") # Attempt to parse the error as JSON begin json = JSON.parse(response.body, JSON_PARSE_OPTIONS) if json[:errors] raise klass.new(address, response, json[:errors]) end rescue JSON::ParserError; end end raise klass.new(address, response, [response.body]) end |
#get(path, params = {}, headers = {}) ⇒ Object
Perform a GET request.
186 187 188 |
# File 'lib/vault/client.rb', line 186 def get(path, params = {}, headers = {}) request(:get, path, params, headers) end |
#help(path) ⇒ Help
Gets help for the given path.
28 29 30 31 |
# File 'lib/vault/api/help.rb', line 28 def help(path) json = self.get("/v1/#{EncodePath.encode_path(path)}", help: 1) return Help.decode(json) end |
#kv(mount) ⇒ KV
A proxy to the KV methods.
10 11 12 |
# File 'lib/vault/api/kv.rb', line 10 def kv(mount) KV.new(self, mount) end |
#list(path, params = {}, headers = {}) ⇒ Object
Perform a LIST request.
192 193 194 195 |
# File 'lib/vault/client.rb', line 192 def list(path, params = {}, headers = {}) params = params.merge(list: true) request(:get, path, params, headers) end |
#logical ⇒ Logical
A proxy to the Logical methods.
10 11 12 |
# File 'lib/vault/api/logical.rb', line 10 def logical @logical ||= Logical.new(self) end |
#patch(path, data, headers = {}) ⇒ Object
Perform a PATCH request.
211 212 213 |
# File 'lib/vault/client.rb', line 211 def patch(path, data, headers = {}) request(:patch, path, data, headers) end |
#post(path, data = {}, headers = {}) ⇒ Object
Perform a POST request.
199 200 201 |
# File 'lib/vault/client.rb', line 199 def post(path, data = {}, headers = {}) request(:post, path, data, headers) end |
#put(path, data, headers = {}) ⇒ Object
Perform a PUT request.
205 206 207 |
# File 'lib/vault/client.rb', line 205 def put(path, data, headers = {}) request(:put, path, data, headers) end |
#request(verb, path, data = {}, headers = {}) ⇒ String, Hash
Make an HTTP request with the given verb, data, params, and headers. If the response has a return type of JSON, the JSON is automatically parsed and returned as a hash; otherwise it is returned as a string.
240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 |
# File 'lib/vault/client.rb', line 240 def request(verb, path, data = {}, headers = {}) # Build the URI and request object from the given information uri = build_uri(verb, path, data) request = class_for_request(verb).new(uri.request_uri) if uri.userinfo() request.basic_auth uri.user, uri.password end if proxy_address and uri.scheme.downcase == "https" raise SecurityError, "no direct https connection to vault" end # Get a list of headers headers = DEFAULT_HEADERS.merge(headers) # Add the Vault token header - users could still override this on a # per-request basis if !token.nil? headers[TOKEN_HEADER] ||= token end # Add the Vault Namespace header - users could still override this on a # per-request basis if !namespace.nil? headers[NAMESPACE_HEADER] ||= namespace end # Add headers headers.each do |key, value| request.add_field(key, value) end # Setup PATCH/POST/PUT if [:patch, :post, :put].include?(verb) if data.respond_to?(:read) request.content_length = data.size request.body_stream = data elsif data.is_a?(Hash) request.form_data = data else request.body = data end end begin # Create a connection using the block form, which will ensure the socket # is properly closed in the event of an error. response = pool.request(uri, request) case response when Net::HTTPRedirection # On a redirect of a GET or HEAD request, the URL already contains # the data as query string parameters. if [:head, :get].include?(verb) data = {} end request(verb, response[LOCATION_HEADER], data, headers) when Net::HTTPSuccess success(response) else error(response) end rescue *RESCUED_EXCEPTIONS => e raise HTTPConnectionError.new(address, e) end end |
#same_options?(opts) ⇒ true, false
Determine if the given options are the same as ours.
180 181 182 |
# File 'lib/vault/client.rb', line 180 def (opts) .hash == opts.hash end |
#shutdown ⇒ Object
Shutdown any open pool connections. Pool will be recreated upon next request.
161 162 163 164 |
# File 'lib/vault/client.rb', line 161 def shutdown @nhp.shutdown() @nhp = nil end |
#success(response) ⇒ String, Hash
Parse the response object and manipulate the result based on the given Content-Type
header. For now, this method only parses JSON, but it could be expanded in the future to accept other content types.
373 374 375 376 377 378 379 |
# File 'lib/vault/client.rb', line 373 def success(response) if response.body && (response.content_type || '').include?("json") JSON.parse(response.body, JSON_PARSE_OPTIONS) else response.body end end |
#sys ⇒ Sys
A proxy to the Sys methods.
9 10 11 |
# File 'lib/vault/api/sys.rb', line 9 def sys @sys ||= Sys.new(self) end |
#to_query_string(hash) ⇒ String?
Convert the given hash to a list of query string parameters. Each key and value in the hash is URI-escaped for safety.
358 359 360 361 362 |
# File 'lib/vault/client.rb', line 358 def to_query_string(hash) hash.map do |key, value| "#{CGI.escape(key.to_s)}=#{CGI.escape(value.to_s)}" end.join('&')[/.+/] end |
#transform ⇒ Transform
A proxy to the Transform methods.
8 9 10 |
# File 'lib/vault/api/transform.rb', line 8 def transform @transform ||= Transform.new(self) end |
#with_retries(*rescued, &block) ⇒ Object
Execute the given block with retries and exponential backoff.
421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 |
# File 'lib/vault/client.rb', line 421 def with_retries(*rescued, &block) = rescued.last.is_a?(Hash) ? rescued.pop : {} exception = nil retries = 0 rescued = Defaults::RETRIED_EXCEPTIONS if rescued.empty? max_attempts = [:attempts] || Defaults::RETRY_ATTEMPTS backoff_base = [:base] || Defaults::RETRY_BASE backoff_max = [:max_wait] || Defaults::RETRY_MAX_WAIT begin return yield retries, exception rescue *rescued => e exception = e retries += 1 raise if retries > max_attempts # Calculate the exponential backoff combined with an element of # randomness. backoff = [backoff_base * (2 ** (retries - 1)), backoff_max].min backoff = backoff * (0.5 * (1 + Kernel.rand)) # Ensure we are sleeping at least the minimum interval. backoff = [backoff_base, backoff].max # Exponential backoff. Kernel.sleep(backoff) # Now retry retry end end |
#with_token(token) {|Vault::Client| ... } ⇒ Object
Creates and yields a new client object with the given token. This may be used safely in a threadsafe manner because the original client remains unchanged. The value of the block is returned.
171 172 173 174 175 176 |
# File 'lib/vault/client.rb', line 171 def with_token(token) client = self.dup client.token = token return yield client if block_given? return nil end |