Class: Wault::Password

Inherits:

Object

• Object
• Wault::Password

Defined in:

lib/puppet/functions/wault/password.rb

Overview

TODO

Instance Attribute Summary

• #name ⇒ Object

  Returns the value of attribute name.

Instance Method Summary

• #configure ⇒ Object
• #expire ⇒ Object
• #facter(name) ⇒ Object
• #facts ⇒ Object
• #gen_facts ⇒ Object
• #generate ⇒ Object
• #get_value ⇒ Object
• #initialize(cache, name, params, scope) ⇒ Password constructor

  A new instance of Password.

• #key_expired? ⇒ Boolean
• #need_replace? ⇒ Boolean
• #path ⇒ Object
• #real_expire ⇒ Object
• #real_facts ⇒ Object
• #staled ⇒ Object
• #sync ⇒ Object
• #value ⇒ Object
• #yaml ⇒ Object

Constructor Details

#initialize(cache, name, params, scope) ⇒ Password

Returns a new instance of Password.

# File 'lib/puppet/functions/wault/password.rb', line 11

def initialize(cache, name, params, scope)
  # Требуемые параметры
  @cache_hash = cache.retrieve(self)
  @name = name
  @params = params
  @scope = scope
  @default_fact = '__common' # kv/__common/<name>

  # Параметры для настройки Wault
  @config_dir   = params.fetch('config_dir', '/opt/wault')
  @config_file  = params.fetch('config_file', "#{@config_dir}/.vault.yaml")
  @address      = params.fetch('address', yaml['address'])
  @namespace    = params.fetch('namespace', nil)

  # Параметры для внутреннего использования
  @stale = {}

  configure
  staled
end

Instance Attribute Details

#name ⇒ Object

Returns the value of attribute name.

# File 'lib/puppet/functions/wault/password.rb', line 9

def name
  @name
end

Instance Method Details

#configure ⇒ Object

# File 'lib/puppet/functions/wault/password.rb', line 79

def configure
  yaml.each do |key, value|
    Vault.client.instance_variable_set(:"@#{key}", value)
  end
  Vault.client.instance_variable_set(:"@namespace", @namespace) unless @namespace.nil?
end

#expire ⇒ Object

# File 'lib/puppet/functions/wault/password.rb', line 96

def expire
  return '' unless @params.key? 'expire'

  @params.fetch('expire')
end

#facter(name) ⇒ Object

# File 'lib/puppet/functions/wault/password.rb', line 124

def facter(name)
  return @scope[name] if @scope.key? name

  Facter.value(name)
end

#facts ⇒ Object

# File 'lib/puppet/functions/wault/password.rb', line 102

def facts
  @params.fetch('facts', @default_fact)
end

#gen_facts ⇒ Object

# File 'lib/puppet/functions/wault/password.rb', line 116

def gen_facts
  facts.sort.map { |fact| "#{fact}__#{facter(fact)}" }
end

#generate ⇒ Object

# File 'lib/puppet/functions/wault/password.rb', line 106

def generate
  SecureRandom.base64 14
end

#get_value ⇒ Object

# File 'lib/puppet/functions/wault/password.rb', line 65

def get_value
  cache_key = [@name, @address]
  last_result = @cache_hash[cache_key]
  return last_result unless last_result.nil?
  value = Vault.logical.read(path)
  return nil unless value

  data = value.data
  censured_data = Puppet::Pops::Types::PSensitiveType::Sensitive.new(data)
  @cache_hash[cache_key] = censured_data

  censured_data
end

#key_expired? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/puppet/functions/wault/password.rb', line 61

def key_expired?
  @stale[:expire] ? Time.now.to_i > @stale[:expire] : false
end

#need_replace? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/puppet/functions/wault/password.rb', line 56

def need_replace?
  # Not password || expired || changed duration
  !@stale.key? :password or key_expired? or @stale[:expire_duration] != expire
end

#path ⇒ Object

# File 'lib/puppet/functions/wault/password.rb', line 32

def path
  "kv/#{real_facts}/#{name}"
end

#real_expire ⇒ Object

# File 'lib/puppet/functions/wault/password.rb', line 120

def real_expire
  ChronicDuration.parse(expire)
end

#real_facts ⇒ Object

# File 'lib/puppet/functions/wault/password.rb', line 110

def real_facts
  return facts unless facts.is_a? Array

  gen_facts.join('/')
end

#staled ⇒ Object

# File 'lib/puppet/functions/wault/password.rb', line 36

def staled
  result = get_value
  return {} unless result.is_a? Hash

  @stale[:password] = result[:value]
  @stale[:expire] = result[:expire].to_i if result[:expire].to_i > 0
  @stale[:expire_duration] = result[:expire_duration]
end

#sync ⇒ Object

# File 'lib/puppet/functions/wault/password.rb', line 45

def sync
  return @stale[:password] unless need_replace?

  Vault.with_retries(Vault::HTTPConnectionError) do
    Vault.logical.write(path, value: value,
                        expire: real_expire ? Time.now.to_i + real_expire : real_expire,
                        expire_duration: expire, ttl: real_expire)
    value
  end
end

#value ⇒ Object

# File 'lib/puppet/functions/wault/password.rb', line 90

def value
  @params['value'] = Puppet::Pops::Types::PSensitiveType::Sensitive.new(generate) unless @params.key? 'value'

  @params.fetch('value')
end

#yaml ⇒ Object

# File 'lib/puppet/functions/wault/password.rb', line 86

def yaml
  YAML.load_file(@config_file)
end