Class: Vault::Logical

Inherits:
Request
Defined in:
lib/vault/api/logical.rb

Instance Attribute Summary

Attributes inherited from Request

#client

Instance Method Summary

Methods inherited from Request

#initialize, #inspect, #to_s

Methods included from EncodePath

encode_path

Constructor Details

This class inherits a constructor from Vault::Request

Instance Method Details

#delete(path) ⇒ true

Delete the secret at the given path. If the secret does not exist, vault will still return true.

Examples:

Vault.logical.delete("secret/password") #=> true

Parameters:

  • path (String)

    the path to delete

Returns:

  • (true)


# File 'lib/vault/api/logical.rb', line 86

# Delete the secret stored at +path+.
#
# The path is passed through +encode_path+ (from the EncodePath mixin) before
# it is interpolated into the request URL, so callers hand in the raw logical
# path rather than a pre-encoded one.
#
# The result is always +true+ once the request completes: the HTTP response
# is discarded, so +true+ does not confirm that a secret existed at the path.
# There is no rescue here, so any error raised by the client propagates.
#
# @param path [String] the path to delete
# @return [true]
def delete(path)
  endpoint = "/v1/#{encode_path(path)}"
  client.delete(endpoint)
  true
end

#list(path, options = {}) ⇒ Array<String>

List the secrets at the given path, if the path supports listing. If the path does not exist, an exception will be raised.

Examples:

Vault.logical.list("secret") #=> [#<Vault::Secret>, #<Vault::Secret>, ...]

Parameters:

  • path (String)

    the path to list

Returns:

  • (Array<String>)


# File 'lib/vault/api/logical.rb', line 26

# List the keys stored under +path+.
#
# Returns the +:keys+ array from the response's +:data+ section, or an empty
# array when that entry is nil. An HTTP 404 is also mapped to an empty array,
# so a missing path and an empty path look the same to the caller; every
# other HTTPError is re-raised unchanged.
#
# @param path [String] the path to list
# @param options [Hash] request options; headers are taken from it by
#   +extract_headers!+ (defined elsewhere — presumably mutates +options+)
# @return [Array<String>]
# @raise [HTTPError] for any HTTP failure other than 404
def list(path, options = {})
  request_headers = extract_headers!(options)
  endpoint = "/v1/#{encode_path(path)}"
  response = client.list(endpoint, {}, request_headers)
  response[:data][:keys] || []
rescue HTTPError => e
  # Only "not found" is treated as an empty listing.
  raise unless e.code == 404
  []
end

#read(path, options = {}) ⇒ Secret?

Read the secret at the given path. If the secret does not exist, nil will be returned.

Examples:

Vault.logical.read("secret/password") #=> #<Vault::Secret lease_id="">

Parameters:

  • path (String)

    the path to read

Returns:



# File 'lib/vault/api/logical.rb', line 45

# Read the secret stored at +path+.
#
# The response body is handed to +Secret.decode+. An HTTP 404 is mapped to
# +nil+; every other HTTPError (including authorization failures) is
# re-raised, so callers should not treat +nil+ as "access denied".
#
# The returned object carries secret material; keep it out of logs and
# error messages.
#
# @param path [String] the path to read
# @param options [Hash] request options; headers are taken from it by
#   +extract_headers!+ (defined elsewhere — presumably mutates +options+)
# @return [Secret, nil]
# @raise [HTTPError] for any HTTP failure other than 404
def read(path, options = {})
  request_headers = extract_headers!(options)
  endpoint = "/v1/#{encode_path(path)}"
  Secret.decode(client.get(endpoint, {}, request_headers))
rescue HTTPError => e
  # Only "not found" becomes nil; everything else is surfaced to the caller.
  raise unless e.code == 404
  nil
end

#unwrap(wrapper) ⇒ Secret?

Unwrap the data stored against the given token. If the secret does not exist, `nil` will be returned.

Examples:

Vault.logical.unwrap("f363dba8-25a7-08c5-430c-00b2367124e6") #=> #<Vault::Secret lease_id="">

Parameters:

  • wrapper (String)

    the token to use when unwrapping the value

Returns:



# File 'lib/vault/api/logical.rb', line 101

# Unwrap the response stored against the wrapping token +wrapper+.
#
# The request to +cubbyhole/response+ is made inside +client.with_token+, so
# it is issued with the wrapping token rather than the client's usual one.
# The cubbyhole entry's +:response+ value is a JSON string; it is parsed and
# decoded into a second Secret, which is what the caller receives.
#
# +nil+ is returned when the cubbyhole yields nothing usable (no secret, no
# data, or no +:response+ entry) and when the server answers 404. Any other
# HTTPError is re-raised. Because these cases all collapse to +nil+, a caller
# that expected the token to be valid should treat +nil+ or an error as worth
# investigating — the wrapped value may already have been retrieved elsewhere.
#
# NOTE(review): Vault also provides a dedicated +sys/wrapping/unwrap+
# endpoint for this purpose — confirm whether this direct cubbyhole read
# should be migrated to it.
#
# @param wrapper [String] the token to use when unwrapping the value
# @return [Secret, nil]
# @raise [HTTPError] for any HTTP failure other than 404
def unwrap(wrapper)
  client.with_token(wrapper) do |scoped_client|
    envelope = Secret.decode(scoped_client.get("/v1/cubbyhole/response"))

    # Nothing in the cubbyhole: leave the method straight away.
    return nil if envelope.nil?

    contents = envelope.data
    return nil if contents.nil?

    wrapped_json = contents[:response]
    return nil if wrapped_json.nil?

    # The wrapped response is itself JSON; decode it into the real secret.
    # An explicit return is kept so the result does not depend on what
    # with_token does with the block's value.
    return Secret.decode(JSON.parse(wrapped_json, symbolize_names: true))
  end
rescue HTTPError => e
  raise unless e.code == 404
  nil
end

#unwrap_token(wrapper) ⇒ String?

Unwrap a token in a wrapped response given the temporary token.

Examples:

Vault.logical.unwrap_token("f363dba8-25a7-08c5-430c-00b2367124e6") #=> "0f0f40fd-06ce-4af1-61cb-cdc12796f42b"

Parameters:

  • wrapper (String, Secret)

    the token to unwrap

Returns:

  • (String, nil)


# File 'lib/vault/api/logical.rb', line 130

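# Unwrap a wrapped response and return the client token it carries.
#
# +wrapper+ may be the wrapping token itself or a Secret, in which case the
# token is taken from its +wrap_info+. The unwrapping is delegated to
# +unwrap+; errors it raises (including HTTPError) propagate unchanged.
#
# The returned string is a usable client token and should be handled as a
# credential: keep it out of logs and error messages.
#
# @param wrapper [String, Secret] the token to unwrap
# @return [String, nil] the client token, or nil when nothing was unwrapped
#   or the unwrapped response has no auth section
def unwrap_token(wrapper)
  # Accepting a Secret is a convenience; only its wrapping token is used.
  wrapper = wrapper.wrap_info.token if wrapper.is_a?(Secret)

  # nil at either step (no response, or no auth block) yields nil.
  unwrap(wrapper)&.auth&.client_token
end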

#write(path, data = {}, options = {}) ⇒ Secret

Write the secret at the given path with the given data. Note that the data must be a Hash!

Examples:

Vault.logical.write("secret/password", value: "secret") #=> #<Vault::Secret lease_id="">

Parameters:

  • path (String)

    the path to write

  • data (Hash) (defaults to: {})

    the data to write

Returns:



# File 'lib/vault/api/logical.rb', line 66

# Write +data+ to the secret at +path+.
#
# +data+ is serialized with +JSON.fast_generate+ and sent as the body of a
# PUT request. When the client returns nil for the response the method
# returns +true+; otherwise the response is decoded into a Secret. There is
# no rescue here, so any error raised by the client propagates.
#
# @param path [String] the path to write
# @param data [Hash] the data to write
# @param options [Hash] request options; headers are taken from it by
#   +extract_headers!+ (defined elsewhere — presumably mutates +options+)
# @return [Secret, true]
def write(path, data = {}, options = {})
  request_headers = extract_headers!(options)
  endpoint = "/v1/#{encode_path(path)}"
  response = client.put(endpoint, JSON.fast_generate(data), request_headers)

  # No response body: report success without a Secret.
  return true if response.nil?

  Secret.decode(response)
end