Class: Vault::Sys
- Defined in:
- lib/vault/api/sys.rb,
lib/vault/api/sys/auth.rb,
lib/vault/api/sys/init.rb,
lib/vault/api/sys/seal.rb,
lib/vault/api/sys/audit.rb,
lib/vault/api/sys/lease.rb,
lib/vault/api/sys/mount.rb,
lib/vault/api/sys/health.rb,
lib/vault/api/sys/leader.rb,
lib/vault/api/sys/policy.rb
Instance Attribute Summary
Attributes inherited from Request
Instance Method Summary collapse
-
#audit_hash(path, input) ⇒ String
Generates an HMAC verifier for a given input.
-
#audits ⇒ Hash<Symbol, Audit>
List all audits for the vault.
-
#auth_tune(path) ⇒ AuthConfig
Read the given auth path’s configuration.
-
#auths ⇒ Hash<Symbol, Auth>
List all auths in Vault.
-
#delete_policy(name) ⇒ Object
Delete the policy with the given name.
-
#disable_audit(path) ⇒ true
Disable a particular audit.
-
#disable_auth(path) ⇒ true
Disable a particular authentication at the given path.
-
#enable_audit(path, type, description, options = {}) ⇒ true
Enable a particular audit.
-
#enable_auth(path, type, description = nil) ⇒ true
Enable a particular authentication at the given path.
-
#health_status ⇒ HealthStatus
Show the health status for this vault.
-
#init(options = {}) ⇒ InitResponse
Initialize a new vault.
-
#init_status ⇒ InitStatus
Show the initialization status for this vault.
-
#leader ⇒ LeaderStatus
Determine the leader status for this vault.
-
#mount(path, type, description = nil) ⇒ Object
Create a mount at the given path.
-
#mount_tune(path, data = {}) ⇒ Object
Tune a mount at the given path.
-
#mounts ⇒ Hash<Symbol, Mount>
List all mounts in the vault.
-
#policies ⇒ Array<String>
The list of policies in vault.
-
#policy(name) ⇒ Policy?
Get the policy by the given name.
-
#put_auth_tune(path, config = {}) ⇒ AuthConfig
Write the given auth path’s configuration.
-
#put_policy(name, rules) ⇒ true
Create a new policy with the given name and rules.
-
#remount(from, to) ⇒ true
Change the name of the mount.
-
#renew(id, increment = 0) ⇒ Secret
Renew a lease with the given ID.
-
#revoke(id) ⇒ true
Revoke the secret at the given id.
-
#revoke_prefix(id) ⇒ true
Revoke all secrets under the given prefix.
-
#seal ⇒ true
Seal the vault.
-
#seal_status ⇒ SealStatus
Get the current seal status.
- #step_down ⇒ Object
-
#unmount(path) ⇒ true
Unmount the thing at the given path.
-
#unseal(shard) ⇒ SealStatus
Unseal the vault with the given shard.
Methods inherited from Request
Methods included from EncodePath
Constructor Details
This class inherits a constructor from Vault::Request
Instance Method Details
#audit_hash(path, input) ⇒ String
Generates an HMAC verifier for a given input.
# File 'lib/vault/api/sys/audit.rb', line 85
#
# Ask the audit device at +path+ to hash +input+ and return the result.
#
# POSTs <tt>{input: input}</tt> as JSON to
# /v1/sys/audit-hash/<encoded path>. The :hash field is read from the
# response's :data envelope when one is present, otherwise from the
# response itself.
#
# Note that the raw +input+ travels to the server in the request body.
#
# @param [String] path   audit device path, passed through encode_path
# @param [String] input  value to hash
# @return [String] the :hash value from the response
def audit_hash(path, input)
  endpoint = "/v1/sys/audit-hash/#{encode_path(path)}"
  response = client.post(endpoint, JSON.fast_generate(input: input))
  payload = response[:data] || response
  payload[:hash]
end
#audits ⇒ Hash<Symbol, Audit>
List all audits for the vault.
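# File 'lib/vault/api/sys/audit.rb', line 28
#
# List the audit devices returned by GET /v1/sys/audit.
#
# The listing is taken from the response's :data envelope when present.
# Each key has one trailing "/" removed and is converted to a Symbol;
# each value is run through Audit.decode.
#
# The hash is filled pair by pair. Building it with
# Hash[*pairs.flatten] would recursively flatten any Array-like decoded
# value and splat every element as a separate argument.
#
# @return [Hash<Symbol, Audit>]
def audits
  json = client.get("/v1/sys/audit")
  json = json[:data] if json[:data]
  json.each_with_object({}) do |(name, attrs), listing|
    listing[name.to_s.chomp("/").to_sym] = Audit.decode(attrs)
  end
end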
#auth_tune(path) ⇒ AuthConfig
Read the given auth path’s configuration.
# File 'lib/vault/api/sys/auth.rb', line 89
#
# Fetch the tuning configuration of the auth method mounted at +path+.
#
# GETs /v1/sys/auth/<encoded path>/tune and decodes the response with
# AuthConfig.decode. An HTTPError whose code is 404 is turned into a nil
# result; every other HTTPError is re-raised unchanged.
#
# @param [String] path  auth mount path, passed through encode_path
# @return [AuthConfig, nil] nil when the server answered 404
def auth_tune(path)
  begin
    response = client.get("/v1/sys/auth/#{encode_path(path)}/tune")
    AuthConfig.decode(response)
  rescue HTTPError => err
    # Only "not found" is swallowed; anything else is the caller's problem.
    raise unless err.code == 404
    nil
  end
end
#auths ⇒ Hash<Symbol, Auth>
List all auths in Vault.
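# File 'lib/vault/api/sys/auth.rb', line 35
#
# List the auth methods returned by GET /v1/sys/auth.
#
# The listing is taken from the response's :data envelope when present.
# Each key has one trailing "/" removed and is converted to a Symbol;
# each value is run through Auth.decode.
#
# The hash is filled pair by pair. Building it with
# Hash[*pairs.flatten] would recursively flatten any Array-like decoded
# value and splat every element as a separate argument.
#
# @return [Hash<Symbol, Auth>]
def auths
  json = client.get("/v1/sys/auth")
  json = json[:data] if json[:data]
  json.each_with_object({}) do |(name, attrs), listing|
    listing[name.to_s.chomp("/").to_sym] = Auth.decode(attrs)
  end
end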
#delete_policy(name) ⇒ Object
Delete the policy with the given name. If a policy does not exist, vault will not return an error.
# File 'lib/vault/api/sys/policy.rb', line 87
#
# Remove the policy called +name+.
#
# Issues DELETE /v1/sys/policy/<encoded name>. The response body is
# ignored; the method returns true whenever the request does not raise.
#
# @param [String] name  policy name, passed through encode_path
# @return [true]
def delete_policy(name)
  endpoint = "/v1/sys/policy/#{encode_path(name)}"
  client.delete(endpoint)
  true
end
#disable_audit(path) ⇒ true
Disable a particular audit. If an audit does not exist, an error will be raised.
# File 'lib/vault/api/sys/audit.rb', line 69
#
# Turn off the audit device mounted at +path+.
#
# Issues DELETE /v1/sys/audit/<encoded path>. Nothing is rescued here,
# so any error raised by the client propagates to the caller.
#
# @param [String] path  audit device path, passed through encode_path
# @return [true]
def disable_audit(path)
  endpoint = "/v1/sys/audit/#{encode_path(path)}"
  client.delete(endpoint)
  true
end
#disable_auth(path) ⇒ true
Disable a particular authentication at the given path. If no auth exists at that path, an error will be raised.
# File 'lib/vault/api/sys/auth.rb', line 74
#
# Turn off the auth method mounted at +path+.
#
# Issues DELETE /v1/sys/auth/<encoded path>. Nothing is rescued here,
# so any error raised by the client propagates to the caller.
#
# @param [String] path  auth mount path, passed through encode_path
# @return [true]
def disable_auth(path)
  endpoint = "/v1/sys/auth/#{encode_path(path)}"
  client.delete(endpoint)
  true
end
#enable_audit(path, type, description, options = {}) ⇒ true
Enable a particular audit. Note: the options
depend heavily on the type of audit being enabled. Please refer to the audit-specific documentation for which options need to be provided.
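# File 'lib/vault/api/sys/audit.rb', line 53
#
# Enable an audit device of the given +type+ at +path+.
#
# PUTs a JSON body with :type, :description and :options to
# /v1/sys/audit/<encoded path>. The +options+ hash is forwarded as-is;
# its accepted keys depend on the audit type and are not checked here.
#
# The listing on this page had lost the +options+ identifier (the
# parameter name and its use in the body); it is restored from the
# method signature shown in the heading.
#
# @param [String] path         audit device path, passed through encode_path
# @param [String] type         audit device type
# @param [String] description  human-readable description
# @param [Hash]   options      type-specific settings (defaults to {})
# @return [true]
def enable_audit(path, type, description, options = {})
  client.put("/v1/sys/audit/#{encode_path(path)}", JSON.fast_generate(
    type:        type,
    description: description,
    options:     options,
  ))
  true
end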
#enable_auth(path, type, description = nil) ⇒ true
Enable a particular authentication at the given path.
# File 'lib/vault/api/sys/auth.rb', line 56
#
# Enable an auth method of the given +type+ at +path+.
#
# POSTs a JSON body to /v1/sys/auth/<encoded path>. The body always has
# :type; :description is included only when it is not nil.
#
# @param [String]      path         auth mount path, passed through encode_path
# @param [String]      type         auth method type
# @param [String, nil] description  optional description
# @return [true]
def enable_auth(path, type, description = nil)
  attributes =
    if description.nil?
      { type: type }
    else
      { type: type, description: description }
    end
  client.post("/v1/sys/auth/#{encode_path(path)}", JSON.fast_generate(attributes))
  true
end
#health_status ⇒ HealthStatus
Show the health status for this vault.
# File 'lib/vault/api/sys/health.rb', line 58
#
# Read /v1/sys/health and decode it with HealthStatus.decode.
#
# The request carries sealedcode, uninitcode and standbycode, all set to
# 200. NOTE(review): presumably this makes the server answer 200 for
# sealed, uninitialized and standby nodes so the client does not raise;
# if so, the node's state has to be read from the decoded body, not
# inferred from the call succeeding. Confirm against the server API.
#
# @return [HealthStatus]
def health_status
  status_overrides = { :sealedcode => 200, :uninitcode => 200, :standbycode => 200 }
  response = client.get("/v1/sys/health", status_overrides)
  HealthStatus.decode(response)
end
#init(options = {}) ⇒ InitResponse
Initialize a new vault.
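# File 'lib/vault/api/sys/init.rb', line 69
#
# Initialize a new vault via PUT /v1/sys/init.
#
# Every field below is always present in the JSON body; a field the
# caller did not supply is sent as null, except the share counts:
#
#   secret_shares     <- options[:secret_shares], else options[:shares], else 5
#   secret_threshold  <- options[:secret_threshold], else options[:threshold], else 3
#
# The listing on this page had lost the +options+ identifier (the
# parameter name and the receiver of every +fetch+); it is restored from
# the method signature shown in the heading.
#
# NOTE(review): the decoded response presumably carries the key shares
# and the initial root token, so it should be kept out of logs and
# error reports. Confirm against InitResponse.
#
# @param [Hash] options  initialization settings (see the keys read below)
# @return [InitResponse]
def init(options = {})
  json = client.put("/v1/sys/init", JSON.fast_generate(
    root_token_pgp_key: options.fetch(:root_token_pgp_key, nil),
    # :shares / :threshold are accepted as fallbacks for the long names.
    secret_shares:      options.fetch(:secret_shares, options.fetch(:shares, 5)),
    secret_threshold:   options.fetch(:secret_threshold, options.fetch(:threshold, 3)),
    pgp_keys:           options.fetch(:pgp_keys, nil),
    stored_shares:      options.fetch(:stored_shares, nil),
    recovery_shares:    options.fetch(:recovery_shares, nil),
    recovery_threshold: options.fetch(:recovery_threshold, nil),
    recovery_pgp_keys:  options.fetch(:recovery_pgp_keys, nil),
  ))
  InitResponse.decode(json)
end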
#init_status ⇒ InitStatus
Show the initialization status for this vault.
# File 'lib/vault/api/sys/init.rb', line 35
#
# Read /v1/sys/init and decode the response with InitStatus.decode.
#
# @return [InitStatus]
def init_status
  response = client.get("/v1/sys/init")
  InitStatus.decode(response)
end
#leader ⇒ LeaderStatus
Determine the leader status for this vault.
# File 'lib/vault/api/sys/leader.rb', line 38
#
# Read /v1/sys/leader and decode the response with LeaderStatus.decode.
#
# @return [LeaderStatus]
def leader
  response = client.get("/v1/sys/leader")
  LeaderStatus.decode(response)
end
#mount(path, type, description = nil) ⇒ Object
Create a mount at the given path.
# File 'lib/vault/api/sys/mount.rb', line 47
#
# Create a mount of the given +type+ at +path+.
#
# POSTs a JSON body to /v1/sys/mounts/<encoded path>. The body always
# has :type; :description is included only when it is not nil.
#
# @param [String]      path         mount path, passed through encode_path
# @param [String]      type         backend type
# @param [String, nil] description  optional description
# @return [true]
def mount(path, type, description = nil)
  attributes =
    if description.nil?
      { type: type }
    else
      { type: type, description: description }
    end
  client.post("/v1/sys/mounts/#{encode_path(path)}", JSON.fast_generate(attributes))
  true
end
#mount_tune(path, data = {}) ⇒ Object
Tune a mount at the given path.
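# File 'lib/vault/api/sys/mount.rb', line 64
#
# Tune the mount at +path+.
#
# POSTs +data+ as JSON to /v1/sys/mounts/<encoded path>/tune. The
# response is not used, so it is no longer bound to a local variable.
#
# @param [String] path  mount path, passed through encode_path
# @param [Hash]   data  tuning settings, serialized as-is (defaults to {})
# @return [true]
def mount_tune(path, data = {})
  client.post("/v1/sys/mounts/#{encode_path(path)}/tune", JSON.fast_generate(data))
  true
end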
#mounts ⇒ Hash<Symbol, Mount>
List all mounts in the vault.
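# File 'lib/vault/api/sys/mount.rb', line 28
#
# List the mounts returned by GET /v1/sys/mounts.
#
# The listing is taken from the response's :data envelope when present.
# Each key has one trailing "/" removed and is converted to a Symbol;
# each value is run through Mount.decode.
#
# The hash is filled pair by pair. Building it with
# Hash[*pairs.flatten] would recursively flatten any Array-like decoded
# value and splat every element as a separate argument.
#
# @return [Hash<Symbol, Mount>]
def mounts
  json = client.get("/v1/sys/mounts")
  json = json[:data] if json[:data]
  json.each_with_object({}) do |(name, attrs), listing|
    listing[name.to_s.chomp("/").to_sym] = Mount.decode(attrs)
  end
end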
#policies ⇒ Array<String>
The list of policies in vault.
# File 'lib/vault/api/sys/policy.rb', line 31
#
# Return the :policies entry of the GET /v1/sys/policy response.
#
# @return [Array<String>]
def policies
  listing = client.get("/v1/sys/policy")
  listing[:policies]
end
#policy(name) ⇒ Policy?
Get the policy by the given name. If a policy does not exist by that name, nil
is returned.
# File 'lib/vault/api/sys/policy.rb', line 42
#
# Fetch the policy called +name+.
#
# GETs /v1/sys/policy/<encoded name> and decodes the response with
# Policy.decode. An HTTPError whose code is 404 is turned into a nil
# result; every other HTTPError is re-raised unchanged.
#
# @param [String] name  policy name, passed through encode_path
# @return [Policy, nil] nil when the server answered 404
def policy(name)
  begin
    response = client.get("/v1/sys/policy/#{encode_path(name)}")
    Policy.decode(response)
  rescue HTTPError => err
    # Only "not found" is swallowed; anything else is the caller's problem.
    raise unless err.code == 404
    nil
  end
end
#put_auth_tune(path, config = {}) ⇒ AuthConfig
Write the given auth path’s configuration.
# File 'lib/vault/api/sys/auth.rb', line 107
#
# Write tuning configuration for the auth method mounted at +path+.
#
# PUTs +config+ as JSON to /v1/sys/auth/<encoded path>/tune. A nil
# response yields true; any other response is decoded with
# Secret.decode.
#
# NOTE(review): the generated signature for this method advertises an
# AuthConfig return value, but the code returns either true or a
# decoded Secret. Confirm which one callers should rely on.
#
# @param [String] path    auth mount path, passed through encode_path
# @param [Hash]   config  tuning settings, serialized as-is (defaults to {})
# @return [true, Secret]
def put_auth_tune(path, config = {})
  endpoint = "/v1/sys/auth/#{encode_path(path)}/tune"
  response = client.put(endpoint, JSON.fast_generate(config))
  return true if response.nil?

  Secret.decode(response)
end
#put_policy(name, rules) ⇒ true
Create a new policy with the given name and rules.
It is recommended that you load policy rules from a file:
# File 'lib/vault/api/sys/policy.rb', line 72
#
# Create or overwrite the policy called +name+.
#
# PUTs <tt>{rules: rules}</tt> as JSON to /v1/sys/policy/<encoded name>.
# The rules are forwarded untouched; nothing in this method parses or
# validates them.
#
# @param [String] name   policy name, passed through encode_path
# @param [String] rules  policy document
# @return [true]
def put_policy(name, rules)
  endpoint = "/v1/sys/policy/#{encode_path(name)}"
  client.put(endpoint, JSON.fast_generate(rules: rules))
  true
end
#remount(from, to) ⇒ true
Change the name of the mount
# File 'lib/vault/api/sys/mount.rb', line 95
#
# Move a mount from one path to another.
#
# POSTs <tt>{from: from, to: to}</tt> as JSON to /v1/sys/remount. Both
# paths travel in the request body, so neither goes through
# encode_path.
#
# @param [String] from  current mount path
# @param [String] to    new mount path
# @return [true]
def remount(from, to)
  rename = { from: from, to: to }
  client.post("/v1/sys/remount", JSON.fast_generate(rename))
  true
end
#renew(id, increment = 0) ⇒ Secret
Renew a lease with the given ID.
# File 'lib/vault/api/sys/lease.rb', line 13
#
# Renew the lease identified by +id+.
#
# PUTs <tt>{increment: increment}</tt> as JSON to /v1/sys/renew/<id>
# and decodes the response with Secret.decode.
#
# NOTE(review): +id+ is interpolated into the URL path as-is, whereas
# the mount, auth, audit and policy methods of this class run their
# path segment through encode_path. Confirm that lease IDs reaching
# this call come from a trusted source and cannot contain
# URL-significant characters, or encode them like the siblings do.
#
# @param [String]  id         lease ID
# @param [Integer] increment  requested extension (defaults to 0)
# @return [Secret]
def renew(id, increment = 0)
  endpoint = "/v1/sys/renew/#{id}"
  response = client.put(endpoint, JSON.fast_generate(increment: increment))
  Secret.decode(response)
end
#revoke(id) ⇒ true
Revoke the secret at the given id. If the secret does not exist, an error will be raised.
# File 'lib/vault/api/sys/lease.rb', line 30
#
# Revoke the secret identified by +id+.
#
# PUTs an empty (nil) body to /v1/sys/revoke/<id>. Nothing is rescued
# here, so any error raised by the client propagates to the caller.
#
# NOTE(review): +id+ is interpolated into the URL path as-is, whereas
# the mount, auth, audit and policy methods of this class run their
# path segment through encode_path. Confirm that IDs reaching this call
# come from a trusted source and cannot contain URL-significant
# characters, or encode them like the siblings do.
#
# @param [String] id  lease ID of the secret
# @return [true]
def revoke(id)
  endpoint = "/v1/sys/revoke/#{id}"
  client.put(endpoint, nil)
  true
end
#revoke_prefix(id) ⇒ true
Revoke all secrets under the given prefix.
# File 'lib/vault/api/sys/lease.rb', line 44
#
# Revoke every secret under the prefix +id+.
#
# PUTs an empty (nil) body to /v1/sys/revoke-prefix/<id>.
#
# NOTE(review): +id+ is interpolated into the URL path as-is, whereas
# the mount, auth, audit and policy methods of this class run their
# path segment through encode_path. Because the prefix decides how many
# secrets are revoked, confirm that it comes from a trusted source and
# cannot contain URL-significant characters, or encode it like the
# siblings do.
#
# @param [String] id  lease prefix
# @return [true]
def revoke_prefix(id)
  endpoint = "/v1/sys/revoke-prefix/#{id}"
  client.put(endpoint, nil)
  true
end
#seal ⇒ true
Seal the vault. Warning: this will seal the vault!
# File 'lib/vault/api/sys/seal.rb', line 60
#
# Seal the vault by PUTting an empty (nil) body to /v1/sys/seal.
#
# The response is ignored; true is returned whenever the request does
# not raise.
#
# @return [true]
def seal
  endpoint = "/v1/sys/seal"
  client.put(endpoint, nil)
  true
end
#seal_status ⇒ SealStatus
Get the current seal status.
# File 'lib/vault/api/sys/seal.rb', line 49
#
# Read /v1/sys/seal-status and decode the response with
# SealStatus.decode.
#
# @return [SealStatus]
def seal_status
  response = client.get("/v1/sys/seal-status")
  SealStatus.decode(response)
end
#step_down ⇒ Object
# File 'lib/vault/api/sys/leader.rb', line 43
#
# PUT an empty (nil) body to /v1/sys/step-down.
#
# The response is ignored; true is returned whenever the request does
# not raise. NOTE(review): judging by the endpoint name this asks the
# node to give up leadership; confirm against the server API.
#
# @return [true]
def step_down
  endpoint = "/v1/sys/step-down"
  client.put(endpoint, nil)
  true
end
#unmount(path) ⇒ true
Unmount the thing at the given path. If the mount does not exist, an error will be raised.
# File 'lib/vault/api/sys/mount.rb', line 79
#
# Remove the mount at +path+.
#
# Issues DELETE /v1/sys/mounts/<encoded path>. Nothing is rescued here,
# so any error raised by the client propagates to the caller.
#
# @param [String] path  mount path, passed through encode_path
# @return [true]
def unmount(path)
  endpoint = "/v1/sys/mounts/#{encode_path(path)}"
  client.delete(endpoint)
  true
end
#unseal(shard) ⇒ SealStatus
Unseal the vault with the given shard.
# File 'lib/vault/api/sys/seal.rb', line 74
#
# Submit one unseal key shard.
#
# PUTs <tt>{key: shard}</tt> as JSON to /v1/sys/unseal and decodes the
# response with SealStatus.decode. The shard is key material and is
# sent in the request body, so it should not be logged alongside the
# request.
#
# @param [String] shard  one unseal key share
# @return [SealStatus]
def unseal(shard)
  response = client.put("/v1/sys/unseal", JSON.fast_generate(key: shard))
  SealStatus.decode(response)
end