Module: Vault::Rails

Defined in:

lib/vault/rails.rb,
lib/vault/rails/errors.rb,
lib/vault/rails/version.rb,
lib/vault/rails/configurable.rb,
lib/vault/rails/json_serializer.rb

Defined Under Namespace

Modules: Configurable, JSONSerializer Classes: InvalidCiphertext, UnknownSerializerError, ValidationFailedError, VaultRailsError

Constant Summary

SERIALIZERS =

The list of serializers.

Returns:

• (Hash<Symbol, Module>)

{
  json: Vault::Rails::JSONSerializer,
}.freeze

DEFAULT_ENCODING =

The default encoding.

Returns:

• (String)

"utf-8".freeze

DEV_WARNING =

The warning string to print when running in development mode.

"[vault-rails] Using in-memory cipher - this is not secure " \
"and should never be used in production-like environments!".freeze

DEV_PREFIX =

"vault:dev:".freeze

VERSION =

"0.9.0"

Class Attribute Summary

• .client ⇒ Vault::Client readonly

  API client object based off the configured options in Configurable.

Class Method Summary

• .decrypt(path, key, ciphertext, client: self.client, context: nil) ⇒ String

  Decrypt the given ciphertext data using the provided mount and key.

• .encrypt(path, key, plaintext, client: self.client, context: nil) ⇒ String

  Encrypt the given plaintext data using the provided mount and key.

• .method_missing(m, *args, &block) ⇒ Object

  Delegate all methods to the client object, essentially making the module object behave like a Client.

• .respond_to_missing?(m, include_private = false) ⇒ Boolean

  Delegating ‘respond_to` to the Client.

• .serializer_for(key) ⇒ ~Serializer

  Get the serializer that corresponds to the given key.

• .setup! ⇒ Object
• .transform_decode(ciphertext, opts = {}) ⇒ Object
• .transform_encode(plaintext, opts = {}) ⇒ Object

Class Attribute Details

.client ⇒ Vault::Client (readonly)

API client object based off the configured options in Configurable.

Returns:

• (Vault::Client)

# File 'lib/vault/rails.rb', line 38

def client
  @client
end

Class Method Details

.decrypt(path, key, ciphertext, client: self.client, context: nil) ⇒ String

Decrypt the given ciphertext data using the provided mount and key.

Parameters:

• path (String) —

  the mount point

• key (String) —

  the key to decrypt at

• ciphertext (String) —

  the ciphertext to decrypt

• client (Vault::Client) (defaults to: self.client) —

  the Vault client to use

Returns:

• (String) —

  the decrypted plaintext text

# File 'lib/vault/rails.rb', line 111

def decrypt(path, key, ciphertext, client: self.client, context: nil)
  if ciphertext.blank?
    return ciphertext
  end

  path = path.to_s if !path.is_a?(String)
  key  = key.to_s if !key.is_a?(String)

  with_retries do
    if self.enabled?
      result = self.vault_decrypt(path, key, ciphertext, client: client, context: context)
    else
      result = self.memory_decrypt(path, key, ciphertext, client: client, context: context)
    end

    return self.force_encoding(result)
  end
end

.encrypt(path, key, plaintext, client: self.client, context: nil) ⇒ String

Encrypt the given plaintext data using the provided mount and key.

Parameters:

• path (String) —

  the mount point

• key (String) —

  the key to encrypt at

• plaintext (String) —

  the plaintext to encrypt

• client (Vault::Client) (defaults to: self.client) —

  the Vault client to use

Returns:

• (String) —

  the encrypted cipher text

# File 'lib/vault/rails.rb', line 79

def encrypt(path, key, plaintext, client: self.client, context: nil)
  if plaintext.blank?
    return plaintext
  end

  path = path.to_s if !path.is_a?(String)
  key  = key.to_s if !key.is_a?(String)

  with_retries do
    if self.enabled?
      result = self.vault_encrypt(path, key, plaintext, client: client, context: context)
    else
      result = self.memory_encrypt(path, key, plaintext, client: client, context: context)
    end

    return self.force_encoding(result)
  end
end

.method_missing(m, *args, &block) ⇒ Object

Delegate all methods to the client object, essentially making the module object behave like a Client.

# File 'lib/vault/rails.rb', line 53

def method_missing(m, *args, &block)
  if client.respond_to?(m)
    client.public_send(m, *args, &block)
  else
    super
  end
end

.respond_to_missing?(m, include_private = false) ⇒ Boolean

Delegating ‘respond_to` to the Client.

Returns:

• (Boolean)

# File 'lib/vault/rails.rb', line 62

def respond_to_missing?(m, include_private = false)
  client.respond_to?(m, include_private) || super
end

.serializer_for(key) ⇒ ~Serializer

Get the serializer that corresponds to the given key. If the key does not correspond to a known serializer, an exception will be raised.

Parameters:

• key (#to_sym) —

  the name of the serializer

Returns:

• (~Serializer)

# File 'lib/vault/rails.rb', line 137

def serializer_for(key)
  key = key.to_sym if !key.is_a?(Symbol)

  if serializer = SERIALIZERS[key]
    return serializer
  else
    raise Vault::Rails::UnknownSerializerError.new(key)
  end
end

.setup! ⇒ Object

# File 'lib/vault/rails.rb', line 40

def setup!
  Vault.setup!

  @client = Vault.client
  @client.class.instance_eval do
    include Vault::Rails::Configurable
  end

  self
end

.transform_decode(ciphertext, opts = {}) ⇒ Object

# File 'lib/vault/rails.rb', line 160

def transform_decode(ciphertext, opts={})
  return ciphertext if ciphertext&.empty?
  request_opts = {}
  request_opts[:value] = ciphertext

  if opts[:transformation]
    request_opts[:transformation] = opts[:transformation]
  end

  role_name = transform_role_name(opts)
  puts request_opts
  client.transform.decode(role_name: role_name, **request_opts)
end

.transform_encode(plaintext, opts = {}) ⇒ Object

# File 'lib/vault/rails.rb', line 147

def transform_encode(plaintext, opts={})
  return plaintext if plaintext&.empty?
  request_opts = {}
  request_opts[:value] = plaintext

  if opts[:transformation]
    request_opts[:transformation] = opts[:transformation]
  end

  role_name = transform_role_name(opts)
  client.transform.encode(role_name: role_name, **request_opts)
end