From 4d9d4f27052f130cf21a595c4b2ede1a84cb47f2 Mon Sep 17 00:00:00 2001
From: Matias Bertani
Date: Wed, 17 May 2023 11:59:27 -0300
Subject: [PATCH] defaults: add support for token_file env
---
 lib/vault/defaults.rb | 18 ++++++-------
 spec/unit/defaults_spec.rb | 54 +++++++++++++++++++++++++++++++-------
 2 files changed, 52 insertions(+), 20 deletions(-)
diff --git a/lib/vault/defaults.rb b/lib/vault/defaults.rb
index 3c6e85df..c128ca50 100644
--- a/lib/vault/defaults.rb
+++ b/lib/vault/defaults.rb
@@ -10,9 +10,9 @@ module Defaults
 # @return [String]
 VAULT_ADDRESS = "https://127.0.0.1:8200".freeze
 
- # The path to the vault token on disk.
+ # The default path to the vault token on disk.
 # @return [String]
- VAULT_DISK_TOKEN = Pathname.new("#{ENV["HOME"]}/.vault-token").expand_path.freeze
+ DEFAULT_VAULT_DISK_TOKEN = Pathname.new("#{ENV["HOME"]}/.vault-token").expand_path.freeze
 
 # The list of SSL ciphers to allow. You should not change this value unless
 # you absolutely know what you are doing!
@@ -56,18 +56,16 @@ def address
 # The vault token to use for authentiation.
 # @return [String, nil]
 def token
- if !ENV["VAULT_TOKEN"].nil?
- return ENV["VAULT_TOKEN"]
- end
+ ENV["VAULT_TOKEN"] || fetch_from_disk("VAULT_TOKEN_FILE")
+ end
 
- if VAULT_DISK_TOKEN.exist? && VAULT_DISK_TOKEN.readable?
- return VAULT_DISK_TOKEN.read.chomp
+ def fetch_from_disk(env_var)
+ path = ENV[env_var] ? Pathname.new(ENV[env_var]) : DEFAULT_VAULT_DISK_TOKEN
+ if path.exist? && path.readable?
+ path.read.chomp
 end
-
- nil
 end
 
-
 # Vault Namespace, if any.
 # @return [String, nil]
 def namespace
diff --git a/spec/unit/defaults_spec.rb b/spec/unit/defaults_spec.rb
index 0da7be5d..fcad6188 100644
--- a/spec/unit/defaults_spec.rb
+++ b/spec/unit/defaults_spec.rb
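Review bot: In `lib/vault/defaults.rb`, `fetch_from_disk` returns nil without any signal when `VAULT_TOKEN_FILE` is set but the file is missing or unreadable, and `token` passes that nil on, so an operator who explicitly configured a token file presumably ends up with an unauthenticated client instead of an error. A path that is set but unusable reads as a configuration mistake worth surfacing, e.g. `raise ArgumentError, "#{env_var} is set but the file is not readable" if ENV[env_var] && !path.readable?` (or a `warn` if returning nil must stay, as the spec for a non-existent path expects). The env-supplied path is also not run through `expand_path` as the default is, so `~/token` or a relative path resolves differently than a user may expect; `Pathname.new(ENV[env_var]).expand_path` would match the default. The new public method has no doc comment: I would add `# Reads the token from the file named by ENV[env_var], or from DEFAULT_VAULT_DISK_TOKEN when that variable is unset.` with `# @return [String, nil]`. Separately, the first hunk removes the public constant `VAULT_DISK_TOKEN`; if external code may reference it, keeping `VAULT_DISK_TOKEN = DEFAULT_VAULT_DISK_TOKEN` as a deprecated alias avoids a NameError on upgrade.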
@@ -26,8 +26,40 @@ module Vault
 end
 
 describe ".token" do
+ it "uses ENV['VAULT_TOKEN'] if present" do
+ with_stubbed_env("VAULT_TOKEN" => "testing") do
+ expect(Defaults.token).to eq("testing")
+ end
+ end
+
+ it "delegates to fetch_from_disk if ENV['VAULT_TOKEN'] is not present" do
+ with_stubbed_env("VAULT_TOKEN" => nil) do
+ allow(Defaults).to receive(:fetch_from_disk).with("VAULT_TOKEN_FILE").and_return("fetch_from_disk_token")
+ expect(Defaults.token).to eq("fetch_from_disk_token")
+ expect(Defaults).to have_received(:fetch_from_disk)
+ end
+ end
+
+ it "prefers the environment over local token" do
+ with_stubbed_env("VAULT_TOKEN" => "testing2") do
+ allow(Defaults).to receive(:fetch_from_disk)
+ expect(Defaults.token).to eq("testing2")
+ expect(Defaults).to_not have_received(:fetch_from_disk)
+ end
+ end
+
+ it "returns nil if ENV['VAULT_TOKEN'] is not present and fetch_from_disk return nil" do
+ with_stubbed_env("VAULT_TOKEN" => nil) do
+ allow(Defaults).to receive(:fetch_from_disk).and_return(nil)
+ expect(Defaults.token).to be_nil
+ end
+ end
+ end
+
+ describe ".fetch_from_disk" do
 let(:token) { File.expand_path("~/.vault-token") }
 let(:backup_token) { File.expand_path("~/.vault-token.old") }
+ let(:custom_token_path) { File.expand_path("~/custom_token_path") }
 
 before do
 if File.exist?(token)
@@ -41,21 +73,23 @@ module Vault
 end
 end
 
- it "uses ~/.vault-token when present" do
- File.open(token, "w") { |f| f.write("testing\n") }
- expect(Defaults.token).to eq("testing")
+ it "reads from ENV specified path if present and file is readable" do
+ File.open(custom_token_path, "w") { |f| f.write("token_from_custom_path\n") }
+ with_stubbed_env("VAULT_TOKEN_FILE" => custom_token_path) do
+ expect(Defaults.fetch_from_disk("VAULT_TOKEN_FILE")).to eq("token_from_custom_path")
+ end
 end
 
- it "uses ENV['VAULT_TOKEN'] if present" do
- with_stubbed_env("VAULT_TOKEN" => "testing") do
- expect(Defaults.token).to eq("testing")
+ it "reads from default path if ENV specified path is not present" do
+ File.open(Defaults::DEFAULT_VAULT_DISK_TOKEN, "w") { |f| f.write("default_path_token\n") }
+ with_stubbed_env("VAULT_TOKEN_FILE" => nil) do
+ expect(Defaults.fetch_from_disk("VAULT_TOKEN_FILE")).to eq("default_path_token")
 end
 end
 
- it "prefers the environment over local token" do
- File.open(token, "w") { |f| f.write("testing1\n") }
- with_stubbed_env("VAULT_TOKEN" => "testing2") do
- expect(Defaults.token).to eq("testing2")
+ it "returns nil if no readable file is found" do
+ with_stubbed_env("VAULT_TOKEN_FILE" => "/non/existent/path") do
+ expect(Defaults.fetch_from_disk("VAULT_TOKEN_FILE")).to be_nil
 end
 end
 end
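Review bot: These examples write into the real home directory: `custom_token_path` is `~/custom_token_path` (its `let` is in the previous hunk) and nothing in the visible lines deletes it, so a token-like file is left behind after the run unless the `after` hook outside this hunk removes it. The second example also writes straight to `Defaults::DEFAULT_VAULT_DISK_TOKEN`, relying on backup/restore hooks whose bodies are only partly visible here; if a run is interrupted, the developer's actual `~/.vault-token` would stay replaced by `default_path_token`. A temp directory keeps the specs away from real credentials, e.g. `let(:custom_token_path) { File.join(Dir.mktmpdir, "token") }`, and for the default path `stub_const("Vault::Defaults::DEFAULT_VAULT_DISK_TOKEN", Pathname.new(tmp_path))`. There is also no example for `VAULT_TOKEN_FILE` pointing at an existing but unreadable file, which is the other half of `path.exist? && path.readable?`.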