# frozen_string_literal: true
require 'json'
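module GDK
  # Initialises, unseals and persists credentials for the OpenBao dev server
  # that GDK runs for GitLab.
  #
  # #configure drives the sequence:
  #   1. `bao operator init` (skipped when the server reports it is already
  #      initialised) with one key share and a threshold of one,
  #   2. take the unseal key and root token from that init output, or from
  #      the GDK config on later runs, and write them back to the config,
  #   3. `bao operator unseal <key>` unless the server is already unsealed.
  #
  # Every `bao` call goes through #shellout, which targets the address in
  # `config.openbao.__listen` and authenticates with the root token stored in
  # the GDK config.
  #
  # Security note: the unseal key and root token are persisted into the GDK
  # config file (#persist_in_config) and the root token is echoed to the
  # terminal (#set_root_token). They are dev-instance secrets; keep GDK output
  # and the config file out of anything shared.
  class OpenBao
    # Raised when a `bao` command writes anything to stderr (see #shellout).
    NotRunningError = Class.new(StandardError)

    # `-key-shares=1 -key-threshold=1` means init produces exactly one unseal
    # key, which is why #set_unseal_key reads a single element.
    INIT_ARGS = %w[operator init -key-shares=1 -key-threshold=1 -format=json].freeze
    INIT_STATUS_ARGS = %w[operator init -status -format json].freeze
    STATUS_ARGS = %w[status -format json].freeze

    # init_output: raw JSON string from `bao operator init`, nil if the server
    #   was already initialised (or #initialize_server has not run yet).
    # unseal_key / root_token: set by #set_unseal_key / #set_root_token.
    attr_reader :init_output, :unseal_key, :root_token

    def initialize
      @unseal_key = nil
      @root_token = nil
      @init_output = nil
    end

    # Runs the full init -> persist -> unseal sequence.
    #
    # @return [true]
    # @raise [NotRunningError] if any `bao` command writes to stderr.
    def configure
      initialize_server
      set_unseal_key
      set_root_token
      unseal_vault(unseal_key)
      true
    end

    # Initialises the server unless it already is, keeping the JSON output in
    # #init_output for #set_unseal_key / #set_root_token.
    #
    # @return [String, nil] the init output, or nil when already initialised.
    def initialize_server
      return if vault_already_initialized?

      @init_output = shellout(INIT_ARGS)
    end

    # Unseals the server with +unseal_key+, or reports that it is already
    # unsealed and does nothing else.
    #
    # @param unseal_key [String] the single key share produced by init.
    # @return [void]
    def unseal_vault(unseal_key)
      return GDK::Output.puts('OpenBao is already unsealed') unless vault_sealed?

      # The key is passed as a CLI argument; see the note in #shellout about
      # arguments surfacing in error messages.
      shellout(['operator', 'unseal', unseal_key])
      GDK::Output.success('OpenBao has been unsealed successfully')
    end

    # @return [Boolean] the `sealed` flag reported by `bao status`.
    def vault_sealed?
      JSON.parse(shellout(STATUS_ARGS))['sealed']
    end

    # @return [Boolean] the `Initialized` flag from `bao operator init -status`.
    def vault_already_initialized?
      JSON.parse(shellout(INIT_STATUS_ARGS))['Initialized']
    end

    # Sets @unseal_key from the init output when this run initialised the
    # server (persisting it to the GDK config), otherwise from the config.
    #
    # @return [Object] result of the config save, or the key read from config.
    def set_unseal_key
      if init_output
        # Single key share (INIT_ARGS), so the last element is the only key.
        @unseal_key = parsed_init_output['unseal_keys_hex'].last
        persist_in_config('openbao.unseal_key', unseal_key)
      else
        @unseal_key = config.openbao.unseal_key
      end
    end

    # Same as #set_unseal_key for the root token, then echoes the token.
    #
    # Security note: the `puts` below writes a live credential to the
    # terminal, so it lands in any transcript or log that captures GDK output.
    #
    # @return [void]
    def set_root_token
      if init_output
        @root_token = parsed_init_output['root_token']
        persist_in_config('openbao.root_token', root_token)
      else
        @root_token = config.openbao.root_token
      end

      # to_s guards a nil token (e.g. config has none yet) — a bare
      # `nil.empty?` would raise NoMethodError instead of skipping the print.
      GDK::Output.puts("The root token is: #{root_token}") unless root_token.to_s.empty?
    end

    private

    # @return [Hash] #init_output parsed as JSON. Parsed on every call rather
    #   than memoised so a later change to @init_output is never stale here.
    def parsed_init_output
      JSON.parse(init_output)
    end

    # Writes +value+ under the dotted +key+ of the GDK config and saves it.
    #
    # @return [Object] whatever `config.save_yaml!` returns.
    def persist_in_config(key, value)
      config.bury!(key, value)
      config.save_yaml!
    end

    # Runs the configured `bao` binary with +args+ against the dev server.
    #
    # Accepts the arguments either as one Array (`shellout(%w[status])`, how
    # the public methods call it) or spread out (`shellout('status')`); both
    # are flattened into a single argv. Any stderr output is treated as a
    # failure and raised as NotRunningError; the exit status is not inspected
    # in this method. BAO_TOKEN is the root token currently stored in the GDK
    # config, not @root_token.
    #
    # NOTE(review): the error message embeds the full argv, which for
    # `operator unseal` includes the unseal key; treat it as secret material.
    #
    # @return [Object] the value returned by Shellout#run.
    # @raise [NotRunningError] when the command writes to stderr.
    def shellout(*args)
      openbao_config = config.openbao
      argv = args.flatten
      sh = Shellout.new(
        [openbao_config.bin.to_s, *argv],
        env: {
          'BAO_ADDR' => "http://#{openbao_config.__listen}",
          'BAO_TOKEN' => openbao_config.root_token
        }
      )
      result = sh.run
      # Read stderr once; the original read it twice, which is fragile if the
      # reader consumes a stream. The closing quote of the command was missing.
      stderr = sh.read_stderr
      raise NotRunningError, "Running 'bao #{argv.join(' ')}' failed: #{stderr}" unless stderr.empty?

      result
    end

    # @return [Object] GDK's global config object.
    def config
      GDK.config
    end
  end
end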