Class: Vault::KV

Inherits:

Request

• Object
• Request
• Vault::KV

Defined in:

lib/vault/api/kv.rb

Instance Attribute Summary

• #mount ⇒ Object readonly

  Returns the value of attribute mount.

Attributes inherited from Request

#client

Instance Method Summary

• #delete(path) ⇒ true

  Delete the secret at the given path.

• #delete_versions(path, versions) ⇒ true

  Mark specific versions of a secret as deleted.

• #destroy(path) ⇒ true

  Completely remove a secret and its metadata.

• #destroy_versions(path, versions) ⇒ true

  Completely remove specific versions of a secret.

• #initialize(client, mount) ⇒ KV constructor

  A new instance of KV.

• #list(path = "", options = {}) ⇒ Array<String>

  List the names of secrets at the given path, if the path supports listing.

• #patch_metadata(path, metadata = {}, options = {}) ⇒ true

  Patch the metadata of a secret at the given path.

• #read(path, version = nil, options = {}) ⇒ Secret^?

  Read the secret at the given path.

• #read_metadata(path) ⇒ Hash^?

  Read the metadata of a secret at the given path.

• #undelete_versions(path, versions) ⇒ true

  Mark specific versions of a secret as active.

• #write(path, data = {}, options = {}) ⇒ Secret

  Write the secret at the given path with the given data.

• #write_metadata(path, metadata = {}) ⇒ true

  Write the metadata of a secret at the given path.

Methods inherited from Request

#inspect, #to_s

Methods included from EncodePath

encode_path

Constructor Details

#initialize(client, mount) ⇒ KV

Returns a new instance of KV.

# File 'lib/vault/api/kv.rb', line 21

def initialize(client, mount)
  super client

  @mount = mount
end

Instance Attribute Details

#mount ⇒ Object (readonly)

Returns the value of attribute mount.

# File 'lib/vault/api/kv.rb', line 19

def mount
  @mount
end

Instance Method Details

#delete(path) ⇒ true

Delete the secret at the given path. If the secret does not exist, vault will still return true.

Examples:

Vault.logical.delete("secret/password") #=> true

Parameters:

• path (String) —

  the path to delete

Returns:

• (true)

# File 'lib/vault/api/kv.rb', line 158

def delete(path)
  client.delete("/v1/#{mount}/data/#{encode_path(path)}")

  true
end

#delete_versions(path, versions) ⇒ true

Mark specific versions of a secret as deleted.

Examples:

Vault.kv("secret").delete_versions("password", [1, 2])

Parameters:

• path (String) —

  the path to remove versions from

• versions (Array<Integer>) —

  an array of versions to remove

Returns:

• (true)

# File 'lib/vault/api/kv.rb', line 175

def delete_versions(path, versions)
  client.post("/v1/#{mount}/delete/#{encode_path(path)}", JSON.fast_generate(versions: versions))

  true
end

#destroy(path) ⇒ true

Completely remove a secret and its metadata.

Examples:

Vault.kv("secret").destroy("password")

Parameters:

• path (String) —

  the path to remove

Returns:

• (true)

# File 'lib/vault/api/kv.rb', line 207

def destroy(path)
  client.delete("/v1/#{mount}/metadata/#{encode_path(path)}")

  true
end

#destroy_versions(path, versions) ⇒ true

Completely remove specific versions of a secret.

Examples:

Vault.kv("secret").destroy_versions("password", [1, 2])

Parameters:

• path (String) —

  the path to remove versions from

• versions (Array<Integer>) —

  an array of versions to destroy

Returns:

• (true)

# File 'lib/vault/api/kv.rb', line 224

def destroy_versions(path, versions)
  client.post("/v1/#{mount}/destroy/#{encode_path(path)}", JSON.fast_generate(versions: versions))

  true
end

#list(path = "", options = {}) ⇒ Array<String>

List the names of secrets at the given path, if the path supports listing. If the the path does not exist, an empty array will be returned.

Examples:

Vault.kv("secret").list("foo") #=> ["bar", "baz"]

Parameters:

• path (String) (defaults to: "") —

  the path to list

Returns:

• (Array<String>)

# File 'lib/vault/api/kv.rb', line 37

def list(path = "", options = {})
  headers = extract_headers!(options)
  json = client.list("/v1/#{mount}/metadata/#{encode_path(path)}", {}, headers)
  json[:data][:keys] || []
rescue HTTPError => e
  return [] if e.code == 404
  raise
end

#patch_metadata(path, metadata = {}, options = {}) ⇒ true

Patch the metadata of a secret at the given path. Note that the data must be a Hash.

Examples:

Vault.kv("secret").patch_metadata("password", custom_metadata: { my_custom_key: "my_value" }, max_versions: 3)

Parameters:

• path (String) —

  the path to patch

• metadata (Hash) (defaults to: {}) —

  the metadata to patch

Returns:

• (true)

# File 'lib/vault/api/kv.rb', line 140

def patch_metadata(path, metadata = {}, options = {})
  headers = extract_headers!(options)
  headers["Content-Type"] = "application/merge-patch+json"
  client.patch("/v1/#{mount}/metadata/#{encode_path(path)}", JSON.fast_generate(metadata), headers)

  true
end

#read(path, version = nil, options = {}) ⇒ Secret^?

Read the secret at the given path. If the secret does not exist, nil will be returned. The latest version is returned by default, but you can request a specific version.

Examples:

Vault.kv("secret").read("password") #=> #<Vault::Secret lease_id="">

Parameters:

• path (String) —

  the path to read

• version (Integer) (defaults to: nil) —

  the version of the secret

Returns:

• (Secret, nil)

# File 'lib/vault/api/kv.rb', line 59

def read(path, version = nil, options = {})
  headers = extract_headers!(options)
  params  = {}
  params[:version] = version unless version.nil?

  json = client.get("/v1/#{mount}/data/#{encode_path(path)}", params, headers)
  return Secret.decode(json[:data])
rescue HTTPError => e
  return nil if e.code == 404
  raise
end

#read_metadata(path) ⇒ Hash^?

Read the metadata of a secret at the given path. If the secret does not exist, nil will be returned.

Examples:

Vault.kv("secret").read_metadata("password") => {...}

Parameters:

• path (String) —

  the path to read

Returns:

• (Hash, nil)

# File 'lib/vault/api/kv.rb', line 81

def read_metadata(path)
  client.get("/v1/#{mount}/metadata/#{encode_path(path)}")[:data]
rescue HTTPError => e
  return nil if e.code == 404
  raise
end

#undelete_versions(path, versions) ⇒ true

Mark specific versions of a secret as active.

Examples:

Vault.kv("secret").undelete_versions("password", [1, 2])

Parameters:

• path (String) —

  the path to enable versions for

• versions (Array<Integer>) —

  an array of versions to mark as undeleted

Returns:

• (true)

# File 'lib/vault/api/kv.rb', line 192

def undelete_versions(path, versions)
  client.post("/v1/#{mount}/undelete/#{encode_path(path)}", JSON.fast_generate(versions: versions))

  true
end

#write(path, data = {}, options = {}) ⇒ Secret

Write the secret at the given path with the given data. Note that the data must be a Hash!

Examples:

Vault.logical.write("secret/password", value: "secret") #=> #<Vault::Secret lease_id="">

Parameters:

• path (String) —

  the path to write

• data (Hash) (defaults to: {}) —

  the data to write

Returns:

• (Secret)

# File 'lib/vault/api/kv.rb', line 100

def write(path, data = {}, options = {})
  headers = extract_headers!(options)
  json = client.post("/v1/#{mount}/data/#{encode_path(path)}", JSON.fast_generate(:data => data), headers)
  if json.nil?
    return true
  else
    return Secret.decode(json)
  end
end

#write_metadata(path, metadata = {}) ⇒ true

Write the metadata of a secret at the given path. Note that the data must be a Hash.

Examples:

Vault.kv("secret").write_metadata("password", max_versions => 3)

Parameters:

• path (String) —

  the path to write

• metadata (Hash) (defaults to: {}) —

  the metadata to write

Returns:

• (true)

# File 'lib/vault/api/kv.rb', line 122

def write_metadata(path, metadata = {})
  client.post("/v1/#{mount}/metadata/#{encode_path(path)}", JSON.fast_generate(metadata))

  true
end