defaults: add support for token_file env

Matias Bertani · matiasbertani · commit e29f9ddebe08 · 2024-01-29T16:54:13.000-03:00
diff --git a/lib/vault/defaults.rb b/lib/vault/defaults.rb
@@ -10,9 +10,9 @@ module Defaults
     # @return [String]
     VAULT_ADDRESS = "https://127.0.0.1:8200".freeze
 
-    # The path to the vault token on disk.
+    # The default path to the vault token on disk.
     # @return [String]
-    VAULT_DISK_TOKEN = Pathname.new("#{ENV["HOME"]}/.vault-token").expand_path.freeze
+    DEFAULT_VAULT_DISK_TOKEN = Pathname.new("#{ENV["HOME"]}/.vault-token").expand_path.freeze
 
     # The list of SSL ciphers to allow. You should not change this value unless
     # you absolutely know what you are doing!
@@ -56,18 +56,16 @@ def address
       # The vault token to use for authentiation.
       # @return [String, nil]
       def token
-        if !ENV["VAULT_TOKEN"].nil?
-          return ENV["VAULT_TOKEN"]
-        end
+        ENV["VAULT_TOKEN"] || fetch_from_disk("VAULT_TOKEN_FILE")
+      end
 
-        if VAULT_DISK_TOKEN.exist? && VAULT_DISK_TOKEN.readable?
-          return VAULT_DISK_TOKEN.read.chomp
+      def fetch_from_disk(env_var)
+        path = ENV[env_var] ? Pathname.new(ENV[env_var]) : DEFAULT_VAULT_DISK_TOKEN
+        if path&.exist? && path.readable?
+          path.read.chomp
         end
-
-        nil
       end
 
-
       # Vault Namespace, if any.
       # @return [String, nil]
       def namespace
diff --git a/spec/unit/defaults_spec.rb b/spec/unit/defaults_spec.rb
@@ -26,8 +26,40 @@ module Vault
     end
 
     describe ".token" do
+      it "uses ENV['VAULT_TOKEN'] if present" do
+        with_stubbed_env("VAULT_TOKEN" => "testing") do
+          expect(Defaults.token).to eq("testing")
+        end
+      end
+
+      it "delegates to fetch_from_disk if ENV['VAULT_TOKEN'] is not present" do
+        with_stubbed_env("VAULT_TOKEN" => nil) do
+          allow(Defaults).to receive(:fetch_from_disk).with("VAULT_TOKEN_FILE").and_return("fetch_from_disk_token")
+          expect(Defaults.token).to eq("fetch_from_disk_token")
+          expect(Defaults).to have_received(:fetch_from_disk)
+        end
+      end
+
+      it "prefers the environment over local token" do
+        with_stubbed_env("VAULT_TOKEN" => "testing2") do
+          allow(Defaults).to receive(:fetch_from_disk)
+          expect(Defaults.token).to eq("testing2")
+          expect(Defaults).to_not have_received(:fetch_from_disk)
+        end
+      end
+
+      it "returns nil if ENV['VAULT_TOKEN'] is not present and fetch_from_disk return nil" do
+        with_stubbed_env("VAULT_TOKEN" => nil) do
+          allow(Defaults).to receive(:fetch_from_disk).and_return(nil)
+          expect(Defaults.token).to be_nil
+        end
+      end
+    end
+
+    describe ".fetch_from_disk" do
       let(:token) { File.expand_path("~/.vault-token") }
       let(:backup_token) { File.expand_path("~/.vault-token.old") }
+      let(:custom_token_path) { File.expand_path("~/custom_token_path") }
 
       before do
         if File.exist?(token)
@@ -41,21 +73,23 @@ module Vault
         end
       end
 
-      it "uses ~/.vault-token when present" do
-        File.open(token, "w") { |f| f.write("testing\n") }
-        expect(Defaults.token).to eq("testing")
+      it "reads from ENV specified path if present and file is readable" do
+        File.open(custom_token_path, "w") { |f| f.write("token_from_custom_path\n") }
+        with_stubbed_env("VAULT_TOKEN_FILE" => custom_token_path) do
+          expect(Defaults.fetch_from_disk("VAULT_TOKEN_FILE")).to eq("token_from_custom_path")
+        end
       end
 
-      it "uses ENV['VAULT_TOKEN'] if present" do
-        with_stubbed_env("VAULT_TOKEN" => "testing") do
-          expect(Defaults.token).to eq("testing")
+      it "reads from default path if ENV specified path is not present" do
+        File.open(Defaults::DEFAULT_VAULT_DISK_TOKEN, "w") { |f| f.write("default_path_token\n") }
+        with_stubbed_env("VAULT_TOKEN_FILE" => nil) do
+          expect(Defaults.fetch_from_disk("VAULT_TOKEN_FILE")).to eq("default_path_token")
         end
       end
 
-      it "prefers the environment over local token" do
-        File.open(token, "w") { |f| f.write("testing1\n") }
-        with_stubbed_env("VAULT_TOKEN" => "testing2") do
-          expect(Defaults.token).to eq("testing2")
+      it "returns nil if no readable file is found" do
+        with_stubbed_env("VAULT_TOKEN_FILE" => "/non/existent/path") do
+          expect(Defaults.fetch_from_disk("VAULT_TOKEN_FILE")).to be_nil
         end
       end
     end
