Class: Veil::CredentialCollection::Base

Inherits:
Object
Extended by:
Forwardable
Defined in:
lib/veil/credential_collection/base.rb

Direct Known Subclasses

ChefSecretsEnv, ChefSecretsFd, ChefSecretsFile




Constructor Details

#initialize(opts = {}) ⇒ Base

Returns a new instance of Base.



# File 'lib/veil/credential_collection/base.rb', line 21

# Builds a collection from an options hash.
#
# @param opts [Hash] optional keys:
#   - :hasher      options handed to Veil::Hasher.create (defaults to {})
#   - :cipher      options handed to Veil::Cipher.create, which yields the
#                  decryptor/encryptor pair (defaults to {})
#   - :credentials ciphertext handed to the decryptor; a nil decrypt result
#                  is treated as an empty collection
#   - :version     collection version (defaults to 1)
def initialize(opts = {})
  hasher_opts = opts[:hasher] || {}
  cipher_opts = opts[:cipher] || {}
  @hasher = Veil::Hasher.create(hasher_opts)
  @decryptor, @encryptor = Veil::Cipher.create(cipher_opts)
  # Decrypt before expanding; the stored form is ciphertext, never plaintext.
  plaintext = decryptor.decrypt(opts[:credentials]) || {}
  @credentials = expand_credentials_hash(plaintext)
  @version = opts[:version] || 1
end

Instance Attribute Details

#credentials ⇒ Object (readonly)

Returns the value of attribute credentials.



# File 'lib/veil/credential_collection/base.rb', line 17

# The in-memory credential store populated by #initialize.
#
# @return [Object] the value of @credentials
def credentials
  @credentials
end

#decryptor ⇒ Object (readonly)

Returns the value of attribute decryptor.



# File 'lib/veil/credential_collection/base.rb', line 17

# Decryption half of the cipher pair created in #initialize.
#
# @return [Object] the value of @decryptor
def decryptor
  @decryptor
end

#encryptor ⇒ Object (readonly)

Returns the value of attribute encryptor.



# File 'lib/veil/credential_collection/base.rb', line 17

# Encryption half of the cipher pair created in #initialize.
#
# @return [Object] the value of @encryptor
def encryptor
  @encryptor
end

#hasher ⇒ Object (readonly)

Returns the value of attribute hasher.



# File 'lib/veil/credential_collection/base.rb', line 17

# Hasher used when rotating credentials; replaced by #rotate_hasher.
#
# @return [Object] the value of @hasher
def hasher
  @hasher
end

#version ⇒ Object (readonly)

Returns the value of attribute version.



# File 'lib/veil/credential_collection/base.rb', line 17

# Collection version as given to #initialize (1 when not supplied).
#
# @return [Object] the value of @version
def version
  @version
end

Class Method Details

.create(hash = {}) ⇒ Object



# File 'lib/veil/credential_collection/base.rb', line 10

# Factory that simply forwards to .new; kept so subclasses share one
# construction entry point.
#
# @param hash [Hash] options forwarded to #initialize
# @return [Base] a new collection
def create(hash = {})
  new(hash)
end

Instance Method Details

#add(*args) ⇒ Object Also known as: <<

Add a new credential to the collection.

Parameters:

  • args (Hash)


# File 'lib/veil/credential_collection/base.rb', line 109

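# Adds a credential to the collection. Accepted call shapes:
#
#   add('foo')                               # ungrouped credential 'foo'
#   add('my_app', 'foo')                     # credential 'foo' in group 'my_app'
#   add('foo', length: 50)                   # ungrouped, with options
#   add('my_app', 'foo', value: 'something') # grouped, with options
#
# Options are merged over the defaults (name, group, length: 128, value,
# force: false); keys not in the defaults (e.g. frozen:) are passed through
# to add_from_params untouched.
#
# @param args [Array<String, Hash>] see the call shapes above
# @return [Object] whatever add_from_params returns
# @raise [ArgumentError] on an unsupported number or shape of arguments
def add(*args)
  params = { name: nil, group: nil, length: 128, value: nil, force: false }
  case args.length
  when 1
    # add('foo')
    params[:name] = args.first
  when 2
    if args.all? { |a| a.is_a?(String) }
      # add('my_app', 'foo')
      params[:group], params[:name] = args
    elsif args[1].is_a?(Hash)
      # add('my_app', value: 'something')
      # add('foo', length: 50)
      params[:name] = args.first
      params.merge!(args[1])
    else
      # Anything else used to fall through silently and register a credential
      # with a nil name; reject it so the caller sees the mistake.
      raise ArgumentError, "expected (group, name) or (name, options), got (#{args[0].class}, #{args[1].class})"
    end
  when 3
    # add('my_app', 'foo', value: 'something')
    # add('my_app', 'foo', length: 50)
    unless args[2].is_a?(Hash)
      raise ArgumentError, "expected an options Hash as third argument, got #{args[2].class}"
    end
    params[:group], params[:name] = args[0], args[1]
    params.merge!(args[2])
  else
    raise ArgumentError, "wrong number of arguments (given #{args.length}, expected 1-3)"
  end

  add_from_params(params)
end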

#add_from_file(filepath, *args) ⇒ Object

Add the contents of a file as a credential after verifying that the file can be read. Usage:

 add_from_file(filename, "secretname")
 add_from_file(filename, "groupname", "secretname")

Anything added from file will automatically be frozen.

add's options are not supported.



# File 'lib/veil/credential_collection/base.rb', line 147

# Adds the contents of a file as a credential value. The credential is always
# added with frozen: true; add's other options are not accepted here.
#
#   add_from_file(filename, "secretname")
#   add_from_file(filename, "groupname", "secretname")
#
# @param filepath [String] path whose contents become the credential value
# @param args [Array<String>] name, or group and name, forwarded to #add
# @return [Object] whatever #add returns
# @raise [Veil::FileNotReadable] when File.readable? is false for filepath
def add_from_file(filepath, *args)
  # Checked up front so an unreadable path surfaces as a Veil error rather
  # than a raw Errno from File.read (the check and the read are separate calls).
  raise Veil::FileNotReadable, "Cannot read #{filepath}" unless File.readable?(filepath)

  contents = File.read(filepath)
  add(*args, value: contents, frozen: true)
end

#credentials_as_hash ⇒ Object



# File 'lib/veil/credential_collection/base.rb', line 179

# Serialises the store by calling to_hash on every credential, preserving the
# one-level group nesting. A group whose Hash is empty produces no key in the
# result, because the output key is only created when a member is visited.
#
# @return [Hash] name => credential hash, or group => { name => credential hash }
def credentials_as_hash
  credentials.each_with_object({}) do |(key, entry), out|
    if entry.is_a?(Hash)
      entry.each do |name, cred|
        (out[key] ||= {})[name] = cred.to_hash
      end
    else
      out[key] = entry.to_hash
    end
  end
end

#credentials_for_export ⇒ Object Also known as: legacy_credentials_hash



# File 'lib/veil/credential_collection/base.rb', line 196

# Flattens the store to plaintext values: name => value for ungrouped
# credentials, group => { name => value } for groups (an empty group yields {}).
# Unlike #to_hash nothing here is encrypted, so the result must be handled
# as sensitive data.
#
# @return [Hash] plaintext credential values keyed by name/group
def credentials_for_export
  credentials.each_with_object({}) do |(namespace, entry), out|
    out[namespace] =
      if entry.is_a?(Veil::Credential)
        entry.value
      else
        entry.each_with_object({}) { |(name, cred), group| group[name] = cred.value }
      end
  end
end

#exist?(*args) ⇒ Boolean

Check to see if a given credential has been added.

Returns:

  • (Boolean)


# File 'lib/veil/credential_collection/base.rb', line 97

# True when #get can resolve the same arguments, false when it raises one of
# the not-found errors. Any other error from #get (e.g. ArgumentError for a
# bad arity) propagates.
#
# @param args [Array<String>] (name) or (group, name), as for #get
# @return [Boolean]
def exist?(*args)
  begin
    get(*args)
  rescue Veil::GroupNotFound, Veil::CredentialNotFound
    return false
  end
  true
end

#get(*args) ⇒ Object Also known as: get_credential

Retrieves a credential from the credential store:

get(name)
get(group, name)


# File 'lib/veil/credential_collection/base.rb', line 61

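# Looks up a credential value.
#
#   get(name)        # ungrouped credential
#   get(group, name) # credential inside a group
#
# A top-level entry that is a Hash is a group, not a credential, so get(group)
# raises CredentialNotFound rather than failing with NoMethodError; likewise
# get(name, x) on an ungrouped credential raises GroupNotFound. This keeps
# #exist? returning false instead of blowing up on such lookups.
#
# @param args [Array<String>] (name) or (group, name)
# @return [Object] the credential's value
# @raise [Veil::CredentialNotFound] when the credential is absent
# @raise [Veil::GroupNotFound] when the group is absent
# @raise [ArgumentError] on 0 or more than 2 arguments
def get(*args)
  case args.length
  when 1
    cred_name = args.first
    cred = credentials[cred_name]
    # A Hash here is a group; there is no single value to return.
    if cred.nil? || cred.is_a?(Hash)
      raise Veil::CredentialNotFound, "Credential '#{cred_name}' not found."
    end
    cred.value
  when 2
    group_name, cred_name = args
    group = credentials[group_name]
    unless group.is_a?(Hash)
      raise Veil::GroupNotFound, "Credential group '#{group_name}' not found."
    end
    cred = group[cred_name]
    if cred.nil?
      raise Veil::CredentialNotFound, "Credential '#{cred_name}' not found in group '#{group_name}'."
    end
    cred.value
  else
    raise ArgumentError, "wrong number of arguments (given #{args.length}, expected 1 or 2)"
  end
end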

#remove(group_or_cred, cred = nil) ⇒ Object Also known as: delete



# File 'lib/veil/credential_collection/base.rb', line 155

# Removes a credential from a group, or a whole top-level entry.
#
# With both arguments and an existing group key, `delete` is sent to the
# group entry for `cred`. Otherwise (no cred, or the group key is absent) the
# top-level key is deleted, which is a no-op returning nil when it is absent.
#
# @param group_or_cred [String] top-level key (group name or credential name)
# @param cred [String, nil] credential name inside the group
# @return [Object, nil] the deleted entry, or nil if nothing matched
def remove(group_or_cred, cred = nil)
  scoped = group_or_cred && cred && credentials.key?(group_or_cred)
  return credentials.delete(group_or_cred) unless scoped

  credentials[group_or_cred].delete(cred)
end

#rotate(group_or_cred, cred = nil) ⇒ Object



# File 'lib/veil/credential_collection/base.rb', line 43

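# Rotates one credential, every credential in a group, or one ungrouped
# credential, using the current hasher.
#
#   rotate(name)        # ungrouped credential
#   rotate(group)       # every credential in the group
#   rotate(group, name) # a single credential inside the group
#
# When `cred` is given the rotation is confined to that credential: if the
# group or the credential does not exist nothing is rotated and nil is
# returned. (Previously a missing `cred` fell through to rotating the whole
# group, so a typo could rotate every secret in it.)
#
# @param group_or_cred [String] top-level key
# @param cred [String, nil] credential name inside the group
# @return [Object, nil] result of the rotate call / each, or nil if nothing matched
def rotate(group_or_cred, cred = nil)
  return unless credentials.key?(group_or_cred)

  entry = credentials[group_or_cred]
  if cred
    # Only rotate the named credential; never widen to the whole group.
    return unless entry.is_a?(Hash) && entry.key?(cred)

    entry[cred].rotate(hasher)
  elsif entry.is_a?(Hash)
    entry.each { |_name, c| c.rotate(hasher) }
  else
    entry.rotate(hasher)
  end
end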

#rotate_credentials ⇒ Object



# File 'lib/veil/credential_collection/base.rb', line 169

# Rotates every credential in the store with the current hasher: a
# Veil::Credential entry is rotated directly, anything else is treated as a
# group and each member is rotated.
#
# @return [Hash] the credentials store (the result of iterating it)
def rotate_credentials
  credentials.each_value do |entry|
    if entry.is_a?(Veil::Credential)
      entry.rotate(hasher)
    else
      entry.each { |_name, cred| cred.rotate(hasher) }
    end
  end
end

#rotate_hasher ⇒ Object



# File 'lib/veil/credential_collection/base.rb', line 164

# Replaces the hasher with a freshly created one (no options) and then
# re-rotates every credential so they all use the new hasher.
#
# @return [Object] the result of #rotate_credentials
def rotate_hasher
  fresh = Veil::Hasher.create
  @hasher = fresh
  rotate_credentials
end

#save ⇒ Object



# File 'lib/veil/credential_collection/base.rb', line 39

# Persistence hook for subclasses; the base class has no storage backend.
#
# @raise [RuntimeError] always
def save
  raise RuntimeError, "Save has not been implemented for this class"
end

#to_hash ⇒ Object Also known as: to_h



# File 'lib/veil/credential_collection/base.rb', line 28

# Serialisable form of the collection. The credentials are JSON-encoded via
# #credentials_as_hash and then encrypted with the encryptor, so only
# ciphertext leaves this method; the hasher and cipher descriptions are
# whatever their to_h returns.
#
# @return [Hash] :type, :version, :hasher, :cipher, :credentials
def to_hash
  out = { type: self.class.name, version: version }
  out[:hasher] = hasher.to_h
  out[:cipher] = encryptor.to_h
  out[:credentials] = encryptor.encrypt(credentials_as_hash.to_json)
  out
end