Class: Vault::Client

Inherits:
Object
  • Object
show all
Includes:
Configurable
Defined in:
lib/vault/client.rb,
lib/vault/api/sys.rb,
lib/vault/api/auth.rb,
lib/vault/api/help.rb,
lib/vault/api/approle.rb,
lib/vault/api/logical.rb,
lib/vault/api/auth_tls.rb,
lib/vault/api/auth_token.rb

Defined Under Namespace

Classes: SecurityError

Constant Summary collapse

USER_AGENT =

The user agent for this client.

"VaultRuby/#{Vault::VERSION} (+github.com/hashicorp/vault-ruby)".freeze
TOKEN_HEADER =

The name of the header used to hold the Vault token.

"X-Vault-Token".freeze
WRAP_TTL_HEADER =

The name of the header used to hold the wrapped request ttl.

"X-Vault-Wrap-TTL".freeze
LOCATION_HEADER =

The name of the header used for redirection.

"location".freeze
DEFAULT_HEADERS =

The default headers that are sent with every request.

{
  "Content-Type" => "application/json",
  "Accept"       => "application/json",
  "User-Agent"   => USER_AGENT,
}.freeze
JSON_PARSE_OPTIONS =

The default list of options to use when parsing JSON.

{
  max_nesting:      false,
  create_additions: false,
  symbolize_names:  true,
}.freeze
RESCUED_EXCEPTIONS =
[].tap do |a|
  # Failure to even open the socket (usually permissions)
  a << SocketError

  # Failed to reach the server (aka bad URL)
  a << Errno::ECONNREFUSED

  # Failed to read body or no response body given
  a << EOFError

  # Timeout (Ruby 1.9-)
  a << Timeout::Error

  # Timeout (Ruby 1.9+) - Ruby 1.9 does not define these constants so we
  # only add them if they are defiend
  a << Net::ReadTimeout if defined?(Net::ReadTimeout)
  a << Net::OpenTimeout if defined?(Net::OpenTimeout)

  a << PersistentHTTP::Error
end.freeze

Instance Method Summary collapse

Methods included from Configurable

#configure, keys, #options

Constructor Details

#initialize(options = {}) ⇒ Vault::Client

Create a new Client with the given options. Any options given take precedence over the default options.


71
72
73
74
75
76
77
78
79
80
# File 'lib/vault/client.rb', line 71

def initialize(options = {})
  # Use any options given, but fall back to the defaults set on the module
  Vault::Configurable.keys.each do |key|
    value = options.key?(key) ? options[key] : Defaults.public_send(key)
    instance_variable_set(:"@#{key}", value)
  end

  @lock = Mutex.new
  @nhp = nil
end

Instance Method Details

#approleAppRole

A proxy to the AppRole methods.

Returns:


12
13
14
# File 'lib/vault/api/approle.rb', line 12

def approle
  @approle ||= AppRole.new(self)
end

#authAuth

A proxy to the Auth methods.

Returns:


10
11
12
# File 'lib/vault/api/auth.rb', line 10

def auth
  @auth ||= Authenticate.new(self)
end

#auth_tlsAuthTLS

A proxy to the AuthTLS methods.

Returns:


12
13
14
# File 'lib/vault/api/auth_tls.rb', line 12

def auth_tls
  @auth_tls ||= AuthTLS.new(self)
end

#auth_tokenAuthToken

A proxy to the AuthToken methods.

Returns:


12
13
14
# File 'lib/vault/api/auth_token.rb', line 12

def auth_token
  @auth_token ||= AuthToken.new(self)
end

#build_uri(verb, path, params = {}) ⇒ URI

Construct a URL from the given verb and path. If the request is a GET or DELETE request, the params are assumed to be query params are are converted as such using #to_query_string.

If the path is relative, it is merged with the Defaults.address attribute. If the path is absolute, it is converted to a URI object and returned.

Parameters:

  • verb (Symbol)

    the lowercase HTTP verb (e.g. :get)

  • path (String)

    the absolute or relative HTTP path (url) to get

  • params (Hash) (defaults to: {})

    the list of params to build the URI with (for GET and DELETE requests)

Returns:

  • (URI)

314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
# File 'lib/vault/client.rb', line 314

def build_uri(verb, path, params = {})
  # Add any query string parameters
  if [:delete, :get].include?(verb)
    path = [path, to_query_string(params)].compact.join("?")
  end

  # Parse the URI
  uri = URI.parse(path)

  # Don't merge absolute URLs
  uri = URI.parse(File.join(address, path)) unless uri.absolute?

  # Return the URI object
  uri
end

#class_for_request(verb) ⇒ Class

Helper method to get the corresponding Net::HTTP class from the given HTTP verb.

Parameters:

  • verb (#to_s)

    the HTTP verb to create a class from

Returns:

  • (Class)

337
338
339
# File 'lib/vault/client.rb', line 337

def class_for_request(verb)
  Net::HTTP.const_get(verb.to_s.capitalize)
end

#delete(path, params = {}, headers = {}) ⇒ Object

Perform a DELETE request.

See Also:


214
215
216
# File 'lib/vault/client.rb', line 214

def delete(path, params = {}, headers = {})
  request(:delete, path, params, headers)
end

#error(response) ⇒ Object

Raise a response error, extracting as much information from the server's response as possible.

Parameters:

  • response (HTTP::Message)

    the response object from the request

Raises:


379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
# File 'lib/vault/client.rb', line 379

def error(response)
  if response.body && response.body.match("missing client token")
    raise MissingTokenError
  end

  # Use the correct exception class
  case response
  when Net::HTTPClientError
    klass = HTTPClientError
  when Net::HTTPServerError
    klass = HTTPServerError
  else
    klass = HTTPError
  end

  if (response.content_type || '').include?("json")    # Attempt to parse the error as JSON

    begin
      json = JSON.parse(response.body, JSON_PARSE_OPTIONS)

      if json[:errors]
        raise klass.new(address, response, json[:errors])
      end
    rescue JSON::ParserError; end
  end

  raise klass.new(address, response, [response.body])
end

#get(path, params = {}, headers = {}) ⇒ Object

Perform a GET request.

See Also:


183
184
185
# File 'lib/vault/client.rb', line 183

def get(path, params = {}, headers = {})
  request(:get, path, params, headers)
end

#help(path) ⇒ Help

Gets help for the given path.

Examples:

Vault.help("secret") #=> #<Vault::Help help="..." see_also="...">

Parameters:

  • path (String)

    the path to get help for

Returns:


28
29
30
31
# File 'lib/vault/api/help.rb', line 28

def help(path)
  json = self.get("/v1/#{EncodePath.encode_path(path)}", help: 1)
  return Help.decode(json)
end

#list(path, params = {}, headers = {}) ⇒ Object

Perform a LIST request.

See Also:


189
190
191
192
# File 'lib/vault/client.rb', line 189

def list(path, params = {}, headers = {})
  params = params.merge(list: true)
  request(:get, path, params, headers)
end

#logicalLogical

A proxy to the Logical methods.

Returns:


10
11
12
# File 'lib/vault/api/logical.rb', line 10

def logical
  @logical ||= Logical.new(self)
end

#patch(path, data, headers = {}) ⇒ Object

Perform a PATCH request.

See Also:


208
209
210
# File 'lib/vault/client.rb', line 208

def patch(path, data, headers = {})
  request(:patch, path, data, headers)
end

#post(path, data = {}, headers = {}) ⇒ Object

Perform a POST request.

See Also:


196
197
198
# File 'lib/vault/client.rb', line 196

def post(path, data = {}, headers = {})
  request(:post, path, data, headers)
end

#put(path, data, headers = {}) ⇒ Object

Perform a PUT request.

See Also:


202
203
204
# File 'lib/vault/client.rb', line 202

def put(path, data, headers = {})
  request(:put, path, data, headers)
end

#request(verb, path, data = {}, headers = {}) ⇒ String, Hash

Make an HTTP request with the given verb, data, params, and headers. If the response has a return type of JSON, the JSON is automatically parsed and returned as a hash; otherwise it is returned as a string.

Parameters:

  • verb (Symbol)

    the lowercase symbol of the HTTP verb (e.g. :get, :delete)

  • path (String)

    the absolute or relative path from Defaults.address to make the request against

  • data (#read, Hash, nil) (defaults to: {})

    the data to use (varies based on the verb)

  • headers (Hash) (defaults to: {})

    the list of headers to use

Returns:

  • (String, Hash)

    the response body

Raises:

  • (HTTPError)

    if the request is not an HTTP 200 OK


237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
# File 'lib/vault/client.rb', line 237

def request(verb, path, data = {}, headers = {})
  # Build the URI and request object from the given information
  uri = build_uri(verb, path, data)
  request = class_for_request(verb).new(uri.request_uri)
  if uri.userinfo()
    request.basic_auth uri.user, uri.password
  end

  if proxy_address and uri.scheme.downcase == "https"
    raise SecurityError, "no direct https connection to vault"
  end

  # Get a list of headers
  headers = DEFAULT_HEADERS.merge(headers)

  # Add the Vault token header - users could still override this on a
  # per-request basis
  if !token.nil?
    headers[TOKEN_HEADER] ||= token
  end

  # Add headers
  headers.each do |key, value|
    request.add_field(key, value)
  end

  # Setup PATCH/POST/PUT
  if [:patch, :post, :put].include?(verb)
    if data.respond_to?(:read)
      request.content_length = data.size
      request.body_stream = data
    elsif data.is_a?(Hash)
      request.form_data = data
    else
      request.body = data
    end
  end

  begin
    # Create a connection using the block form, which will ensure the socket
    # is properly closed in the event of an error.
    response = pool.request(uri, request)

    case response
    when Net::HTTPRedirection      # On a redirect of a GET or HEAD request, the URL already contains
      # the data as query string parameters.

      if [:head, :get].include?(verb)
        data = {}
      end
      request(verb, response[LOCATION_HEADER], data, headers)
    when Net::HTTPSuccess
      success(response)
    else
      error(response)
    end
  rescue *RESCUED_EXCEPTIONS => e
    raise HTTPConnectionError.new(address, e)
  end
end

#same_options?(opts) ⇒ true, false

Determine if the given options are the same as ours.

Returns:

  • (true, false)

177
178
179
# File 'lib/vault/client.rb', line 177

def same_options?(opts)
  options.hash == opts.hash
end

#shutdownObject

Shutdown any open pool connections. Pool will be recreated upon next request.


158
159
160
161
# File 'lib/vault/client.rb', line 158

def shutdown
  @nhp.shutdown()
  @nhp = nil
end

#success(response) ⇒ String, Hash

Parse the response object and manipulate the result based on the given Content-Type header. For now, this method only parses JSON, but it could be expanded in the future to accept other content types.

Parameters:

  • response (HTTP::Message)

    the response object from the request

Returns:

  • (String, Hash)

    the parsed response, as an object


364
365
366
367
368
369
370
# File 'lib/vault/client.rb', line 364

def success(response)
  if response.body && (response.content_type || '').include?("json")
    JSON.parse(response.body, JSON_PARSE_OPTIONS)
  else
    response.body
  end
end

#sysSys

A proxy to the Sys methods.

Returns:


9
10
11
# File 'lib/vault/api/sys.rb', line 9

def sys
  @sys ||= Sys.new(self)
end

#to_query_string(hash) ⇒ String?

Convert the given hash to a list of query string parameters. Each key and value in the hash is URI-escaped for safety.

Parameters:

  • hash (Hash)

    the hash to create the query string from

Returns:

  • (String, nil)

    the query string as a string, or nil if there are no params


349
350
351
352
353
# File 'lib/vault/client.rb', line 349

def to_query_string(hash)
  hash.map do |key, value|
    "#{CGI.escape(key.to_s)}=#{CGI.escape(value.to_s)}"
  end.join('&')[/.+/]
end

#with_retries(*rescued, &block) ⇒ Object

Execute the given block with retries and exponential backoff.

Parameters:

  • rescued (Array<Exception>)

    the list of exceptions to rescue


412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
# File 'lib/vault/client.rb', line 412

def with_retries(*rescued, &block)
  options      = rescued.last.is_a?(Hash) ? rescued.pop : {}
  exception    = nil
  retries      = 0

  rescued = Defaults::RETRIED_EXCEPTIONS if rescued.empty?

  max_attempts = options[:attempts] || Defaults::RETRY_ATTEMPTS
  backoff_base = options[:base]     || Defaults::RETRY_BASE
  backoff_max  = options[:max_wait] || Defaults::RETRY_MAX_WAIT

  begin
    return yield retries, exception
  rescue *rescued => e
    exception = e

    retries += 1
    raise if retries > max_attempts

    # Calculate the exponential backoff combined with an element of
    # randomness.
    backoff = [backoff_base * (2 ** (retries - 1)), backoff_max].min
    backoff = backoff * (0.5 * (1 + Kernel.rand))

    # Ensure we are sleeping at least the minimum interval.
    backoff = [backoff_base, backoff].max

    # Exponential backoff.
    Kernel.sleep(backoff)

    # Now retry
    retry
  end
end

#with_token(token) {|Vault::Client| ... } ⇒ Object

Creates and yields a new client object with the given token. This may be used safely in a threadsafe manner because the original client remains unchanged. The value of the block is returned.

Yields:


168
169
170
171
172
173
# File 'lib/vault/client.rb', line 168

def with_token(token)
  client = self.dup
  client.token = token
  return yield client if block_given?
  return nil
end