Class: WorkOS::Vault

Inherits:
Object
Defined in:
lib/workos/vault.rb


Constructor Details

#initialize(client) ⇒ Vault

Returns a new instance of Vault.



# File 'lib/workos/vault.rb', line 12

# Returns a new instance of Vault.
#
# @param client [Object] HTTP client used for every Vault API call; the
#   instance methods below only rely on it responding to #request.
def initialize(client)
  @client = client
end

Instance Method Details

#create_data_key(context:, request_options: {}) ⇒ WorkOS::CreateDataKeyResponse

Create a data key

Parameters:

  • context (Hash{String => String})

    Map of values used to determine the encryption key.

  • request_options (Hash) (defaults to: {})

    (see WorkOS::Types::RequestOptions)

Returns:



# File 'lib/workos/vault.rb', line 20

# Create a data key
#
# Asks the Vault API for a new data key. The response carries the key in
# the form #encrypt consumes (see that method for how the fields are used).
#
# @param context [Hash{String => String}] Map of values used to determine the encryption key.
# @param request_options [Hash] (see WorkOS::Types::RequestOptions)
# @return [WorkOS::CreateDataKeyResponse]
def create_data_key(
  context:,
  request_options: {}
)
  http = @client.request(
    method: :post,
    path: "/vault/v1/keys/data-key",
    auth: true,
    body: {"context" => context},
    request_options: request_options
  )
  WorkOS::CreateDataKeyResponse.new(http.body).tap do |model|
    model.last_response = WorkOS::Types::ApiResponse.new(
      http_status: http.code.to_i,
      http_headers: http.each_header.to_h,
      request_id: http["x-request-id"]
    )
  end
end

#create_decrypt(keys:, request_options: {}) ⇒ WorkOS::DecryptResponse

Decrypt a data key

Parameters:

  • keys (String)

    Base64-encoded encrypted data key to decrypt.

  • request_options (Hash) (defaults to: {})

    (see WorkOS::Types::RequestOptions)

Returns:



# File 'lib/workos/vault.rb', line 43

# Decrypt a data key
#
# Sends an encrypted key blob to the Vault API and returns the response
# holding the usable data key (#decrypt reads its data_key field).
#
# @param keys [String] Base64-encoded encrypted data key to decrypt.
# @param request_options [Hash] (see WorkOS::Types::RequestOptions)
# @return [WorkOS::DecryptResponse]
def create_decrypt(
  keys:,
  request_options: {}
)
  http = @client.request(
    method: :post,
    path: "/vault/v1/keys/decrypt",
    auth: true,
    body: {"keys" => keys},
    request_options: request_options
  )
  WorkOS::DecryptResponse.new(http.body).tap do |model|
    model.last_response = WorkOS::Types::ApiResponse.new(
      http_status: http.code.to_i,
      http_headers: http.each_header.to_h,
      request_id: http["x-request-id"]
    )
  end
end

#create_kv(key_context:, name:, value:, request_options: {}) ⇒ WorkOS::ObjectMetadata

Create an object

Parameters:

  • key_context (Hash{String => String})

    Map of values used to determine the encryption key.

  • name (String)

    Unique name for the object.

  • value (String)

    Plaintext data to encrypt and store.

  • request_options (Hash) (defaults to: {})

    (see WorkOS::Types::RequestOptions)

Returns:



# File 'lib/workos/vault.rb', line 146

# Create an object
#
# The plaintext value is sent to the API in the request body; encryption
# happens server-side for this endpoint (contrast with #encrypt, which
# encrypts locally).
#
# @param key_context [Hash{String => String}] Map of values used to determine the encryption key.
# @param name [String] Unique name for the object.
# @param value [String] Plaintext data to encrypt and store.
# @param request_options [Hash] (see WorkOS::Types::RequestOptions)
# @return [WorkOS::ObjectMetadata]
def create_kv(
  key_context:,
  name:,
  value:,
  request_options: {}
)
  payload = {
    "key_context" => key_context,
    "name" => name,
    "value" => value
  }
  http = @client.request(
    method: :post,
    path: "/vault/v1/kv",
    auth: true,
    body: payload,
    request_options: request_options
  )
  WorkOS::ObjectMetadata.new(http.body).tap do |model|
    model.last_response = WorkOS::Types::ApiResponse.new(
      http_status: http.code.to_i,
      http_headers: http.each_header.to_h,
      request_id: http["x-request-id"]
    )
  end
end

#create_rekey(context:, encrypted_keys:, request_options: {}) ⇒ WorkOS::CreateDataKeyResponse

Re-encrypt a data key

Parameters:

  • context (Hash{String => String})

    Map of values used to determine the new encryption key.

  • encrypted_keys (String)

    Base64-encoded encrypted data key blob to re-encrypt.

  • request_options (Hash) (defaults to: {})

    (see WorkOS::Types::RequestOptions)

Returns:



# File 'lib/workos/vault.rb', line 67

# Re-encrypt a data key
#
# Wraps an existing encrypted key blob under the key selected by the new
# context. The response type is the same one #create_data_key returns.
#
# @param context [Hash{String => String}] Map of values used to determine the new encryption key.
# @param encrypted_keys [String] Base64-encoded encrypted data key blob to re-encrypt.
# @param request_options [Hash] (see WorkOS::Types::RequestOptions)
# @return [WorkOS::CreateDataKeyResponse]
def create_rekey(
  context:,
  encrypted_keys:,
  request_options: {}
)
  payload = {
    "context" => context,
    "encrypted_keys" => encrypted_keys
  }
  http = @client.request(
    method: :post,
    path: "/vault/v1/keys/rekey",
    auth: true,
    body: payload,
    request_options: request_options
  )
  WorkOS::CreateDataKeyResponse.new(http.body).tap do |model|
    model.last_response = WorkOS::Types::ApiResponse.new(
      http_status: http.code.to_i,
      http_headers: http.each_header.to_h,
      request_id: http["x-request-id"]
    )
  end
end

#decrypt(encrypted_data:, associated_data: nil) ⇒ Object

Decrypt data previously encrypted by encrypt.



# File 'lib/workos/vault.rb', line 314

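# Decrypt data previously encrypted by encrypt.
#
# Expects the layout #encrypt produces:
# base64(IV || TAG || LEB128(len(keyBlob)) || keyBlob || ciphertext).
# The encrypted key blob is sent to the Vault API (#create_decrypt) to
# recover the data key; the AES-GCM step itself runs locally.
#
# @param encrypted_data [String] Base64 payload returned by #encrypt.
# @param associated_data [String, nil] The same associated data given to
#   #encrypt, if any. It is authenticated but never stored in the payload,
#   so the caller must supply it again here.
# @return [Object] whatever aes_gcm_decrypt returns (the plaintext).
# @raise [ArgumentError] when the decoded payload is too short to hold the
#   IV, tag and key length, or the declared key blob length runs past the
#   end of the payload.
def decrypt(encrypted_data:, associated_data: nil)
  # decode64 is lenient (non-alphabet bytes are skipped). #encrypt emits
  # strict base64, but a strict decode here would reject line-wrapped input
  # from other producers, so the lenient form is kept.
  payload = Base64.decode64(encrypted_data)
  iv_len = 12
  tag_len = 16
  header_len = iv_len + tag_len
  # Guard before slicing: byteslice past the end returns nil, which would
  # otherwise surface as a NoMethodError inside decode_u32_leb128 instead of
  # a clear error about malformed input. At least one LEB128 byte must follow
  # the header, hence <= rather than <.
  if payload.bytesize <= header_len
    raise ArgumentError, "encrypted_data is too short to contain an IV, tag and key length"
  end
  iv = payload.byteslice(0, iv_len)
  tag = payload.byteslice(iv_len, tag_len)
  key_len, leb_len = decode_u32_leb128(payload.byteslice(header_len, payload.bytesize - header_len))
  keys_index = header_len + leb_len
  # The declared blob length must fit inside the payload; otherwise a
  # truncated blob would be sent to the API and the ciphertext slice would
  # be nil. Equality is allowed: an empty ciphertext is a valid payload.
  if keys_index + key_len > payload.bytesize
    raise ArgumentError, "encrypted_data key blob length exceeds the payload size"
  end
  key_blob = payload.byteslice(keys_index, key_len)
  ciphertext = payload.byteslice(keys_index + key_len, payload.bytesize - (keys_index + key_len))
  dk = create_decrypt(keys: Base64.strict_encode64(key_blob))
  # NOTE(review): the plaintext data key is an ordinary Ruby String and stays
  # in memory until garbage-collected; it cannot be reliably zeroised here.
  key = Base64.decode64(dk.data_key)
  aes_gcm_decrypt(ciphertext, key, iv, tag, associated_data&.b)
end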

#delete_kv(id:, version_check: nil, request_options: {}) ⇒ WorkOS::DeleteObjectResponse

Delete an object

Parameters:

  • id (String)

    Unique identifier of the object.

  • version_check (String, nil) (defaults to: nil)

    Expected current version for optimistic locking.

  • request_options (Hash) (defaults to: {})

    (see WorkOS::Types::RequestOptions)

Returns:



# File 'lib/workos/vault.rb', line 240

# Delete an object
#
# @param id [String] Unique identifier of the object.
# @param version_check [String, nil] Expected current version for optimistic
#   locking; omitted from the query string when nil.
# @param request_options [Hash] (see WorkOS::Types::RequestOptions)
# @return [WorkOS::DeleteObjectResponse]
def delete_kv(
  id:,
  version_check: nil,
  request_options: {}
)
  query = {"version_check" => version_check}.compact
  http = @client.request(
    method: :delete,
    # encode_path escapes the caller-supplied id before interpolation
    # (presumably URL-encoding; confirm in WorkOS::Util).
    path: "/vault/v1/kv/#{WorkOS::Util.encode_path(id)}",
    auth: true,
    params: query,
    request_options: request_options
  )
  WorkOS::DeleteObjectResponse.new(http.body).tap do |model|
    model.last_response = WorkOS::Types::ApiResponse.new(
      http_status: http.code.to_i,
      http_headers: http.each_header.to_h,
      request_id: http["x-request-id"]
    )
  end
end

#encrypt(data:, context:, associated_data: nil) ⇒ Object

Encrypt data locally using AES-GCM with a data key derived from the context. Returns base64(IV || TAG || LEB128(len(keyBlob)) || keyBlob || ciphertext).



# File 'lib/workos/vault.rb', line 304

# Encrypt data locally using AES-GCM with a data key derived from the context.
# Returns base64(IV || TAG || LEB128(len(keyBlob)) || keyBlob || ciphertext).
#
# The plaintext never leaves the process: only the context is sent to the API
# (via #create_data_key) to obtain the data key and its encrypted blob. The
# blob is embedded in the output so #decrypt can recover the key later.
#
# @param data [String] Plaintext to encrypt; converted to a binary string.
# @param context [Hash{String => String}] Map of values used to determine the encryption key.
# @param associated_data [String, nil] Optional data that is authenticated by
#   the GCM tag but not included in the output; #decrypt must be given the
#   same value.
# @return [String] Strict (unwrapped) base64 of the payload described above.
def encrypt(data:, context:, associated_data: nil)
  key_pair = create_data_key(context: context)
  data_key = Base64.decode64(key_pair.data_key)
  wrapped_key = Base64.decode64(key_pair.encrypted_keys)
  length_prefix = encode_u32_leb128(wrapped_key.bytesize)
  iv, ciphertext, tag = aes_gcm_encrypt(data.b, data_key, associated_data&.b)
  packed = iv + tag + length_prefix + wrapped_key + ciphertext
  Base64.strict_encode64(packed)
end

#get_kv(id:, request_options: {}) ⇒ WorkOS::ObjectModel

Read an object by ID

Parameters:

  • id (String)

    Unique identifier of the object.

  • request_options (Hash) (defaults to: {})

    (see WorkOS::Types::RequestOptions)

Returns:



# File 'lib/workos/vault.rb', line 192

# Read an object by ID
#
# @param id [String] Unique identifier of the object.
# @param request_options [Hash] (see WorkOS::Types::RequestOptions)
# @return [WorkOS::ObjectModel]
def get_kv(
  id:,
  request_options: {}
)
  http = @client.request(
    method: :get,
    # encode_path escapes the caller-supplied id before interpolation
    # (presumably URL-encoding; confirm in WorkOS::Util).
    path: "/vault/v1/kv/#{WorkOS::Util.encode_path(id)}",
    auth: true,
    request_options: request_options
  )
  WorkOS::ObjectModel.new(http.body).tap do |model|
    model.last_response = WorkOS::Types::ApiResponse.new(
      http_status: http.code.to_i,
      http_headers: http.each_header.to_h,
      request_id: http["x-request-id"]
    )
  end
end

#get_name(name:, request_options: {}) ⇒ WorkOS::ObjectModel

Read an object by name

Parameters:

  • name (String)

    Unique name of the object.

  • request_options (Hash) (defaults to: {})

    (see WorkOS::Types::RequestOptions)

Returns:



# File 'lib/workos/vault.rb', line 173

# Read an object by name
#
# @param name [String] Unique name of the object.
# @param request_options [Hash] (see WorkOS::Types::RequestOptions)
# @return [WorkOS::ObjectModel]
def get_name(
  name:,
  request_options: {}
)
  http = @client.request(
    method: :get,
    # encode_path escapes the caller-supplied name before interpolation
    # (presumably URL-encoding; confirm in WorkOS::Util).
    path: "/vault/v1/kv/name/#{WorkOS::Util.encode_path(name)}",
    auth: true,
    request_options: request_options
  )
  WorkOS::ObjectModel.new(http.body).tap do |model|
    model.last_response = WorkOS::Types::ApiResponse.new(
      http_status: http.code.to_i,
      http_headers: http.each_header.to_h,
      request_id: http["x-request-id"]
    )
  end
end

#list_kv(limit: 10, before: nil, after: nil, order: nil, search: nil, updated_after: nil, request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::ObjectSummary>

List objects

Parameters:

  • limit (Integer, nil) (defaults to: 10)

    Upper limit on the number of objects to return.

  • before (String, nil) (defaults to: nil)

    Cursor for the previous page of results.

  • after (String, nil) (defaults to: nil)

    Cursor for the next page of results.

  • order (WorkOS::Types::VaultOrder, nil) (defaults to: nil)

    Sort direction for results.

  • search (String, nil) (defaults to: nil)

    Filter results by name or structured search JSON.

  • updated_after (String, nil) (defaults to: nil)

    ISO 8601 timestamp to filter by last modified time.

  • request_options (Hash) (defaults to: {})

    (see WorkOS::Types::RequestOptions)

Returns:



# File 'lib/workos/vault.rb', line 97

# List objects
#
# Nil filters are dropped from the query string. The returned list can fetch
# further pages; pagination re-issues the same filters and only advances the
# `after` cursor.
#
# @param limit [Integer, nil] Upper limit on the number of objects to return.
# @param before [String, nil] Cursor for the previous page of results.
# @param after [String, nil] Cursor for the next page of results.
# @param order [WorkOS::Types::VaultOrder, nil] Sort direction for results.
# @param search [String, nil] Filter results by name or structured search JSON.
# @param updated_after [String, nil] ISO 8601 timestamp to filter by last modified time.
# @param request_options [Hash] (see WorkOS::Types::RequestOptions)
# @return [WorkOS::Types::ListStruct<WorkOS::ObjectSummary>]
def list_kv(
  limit: 10,
  before: nil,
  after: nil,
  order: nil,
  search: nil,
  updated_after: nil,
  request_options: {}
)
  query = {
    "limit" => limit,
    "before" => before,
    "after" => after,
    "order" => order,
    "search" => search,
    "updatedAfter" => updated_after
  }.compact
  http = @client.request(
    method: :get,
    path: "/vault/v1/kv",
    auth: true,
    params: query,
    request_options: request_options
  )
  next_page = lambda do |cursor|
    list_kv(
      limit: limit,
      before: before,
      after: cursor,
      order: order,
      search: search,
      updated_after: updated_after,
      request_options: request_options
    )
  end
  page_filters = {limit: limit, before: before, order: order, search: search, updated_after: updated_after}
  WorkOS::Types::ListStruct.from_response(
    http,
    model: WorkOS::ObjectSummary,
    filters: page_filters,
    fetch_next: next_page
  )
end

#list_kv_metadata(id:, request_options: {}) ⇒ WorkOS::ObjectWithoutValue

Describe an object

Parameters:

  • id (String)

    Unique identifier of the object.

  • request_options (Hash) (defaults to: {})

    (see WorkOS::Types::RequestOptions)

Returns:



# File 'lib/workos/vault.rb', line 264

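# Describe an object
#
# Returns the object's metadata without its value. The method name was
# missing from the rendered signature (`def (`); it is restored here from the
# documented signature #list_kv_metadata(id:, request_options: {}).
#
# @param id [String] Unique identifier of the object.
# @param request_options [Hash] (see WorkOS::Types::RequestOptions)
# @return [WorkOS::ObjectWithoutValue]
def list_kv_metadata(
  id:,
  request_options: {}
)
  response = @client.request(
    method: :get,
    # encode_path escapes the caller-supplied id before interpolation
    # (presumably URL-encoding; confirm in WorkOS::Util).
    path: "/vault/v1/kv/#{WorkOS::Util.encode_path(id)}/metadata",
    auth: true,
    request_options: request_options
  )
  result = WorkOS::ObjectWithoutValue.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(
    http_status: response.code.to_i,
    http_headers: response.each_header.to_h,
    request_id: response["x-request-id"]
  )
  result
end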

#list_kv_versions(id:, request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::ObjectVersion>

List object versions

Parameters:

  • id (String)

    Unique identifier of the object.

  • request_options (Hash) (defaults to: {})

    (see WorkOS::Types::RequestOptions)

Returns:



# File 'lib/workos/vault.rb', line 283

# List object versions
#
# Unlike #list_kv, no fetch_next is supplied, so the returned list is a
# single page as served by the API.
#
# @param id [String] Unique identifier of the object.
# @param request_options [Hash] (see WorkOS::Types::RequestOptions)
# @return [WorkOS::Types::ListStruct<WorkOS::ObjectVersion>]
def list_kv_versions(
  id:,
  request_options: {}
)
  # encode_path escapes the caller-supplied id before interpolation
  # (presumably URL-encoding; confirm in WorkOS::Util).
  versions_path = "/vault/v1/kv/#{WorkOS::Util.encode_path(id)}/versions"
  http = @client.request(
    method: :get,
    path: versions_path,
    auth: true,
    request_options: request_options
  )
  WorkOS::Types::ListStruct.from_response(http, model: WorkOS::ObjectVersion, filters: {id: id})
end

#update_kv(id:, value:, version_check: nil, request_options: {}) ⇒ WorkOS::ObjectWithoutValue

Update an object

Parameters:

  • id (String)

    Unique identifier of the object.

  • value (String)

    New plaintext value.

  • version_check (String, nil) (defaults to: nil)

    ID of the expected current version for optimistic locking.

  • request_options (Hash) (defaults to: {})

    (see WorkOS::Types::RequestOptions)

Returns:



# File 'lib/workos/vault.rb', line 213

# Update an object
#
# @param id [String] Unique identifier of the object.
# @param value [String] New plaintext value.
# @param version_check [String, nil] ID of the expected current version for
#   optimistic locking; omitted from the body when nil.
# @param request_options [Hash] (see WorkOS::Types::RequestOptions)
# @return [WorkOS::ObjectWithoutValue]
def update_kv(
  id:,
  value:,
  version_check: nil,
  request_options: {}
)
  payload = {
    "value" => value,
    "version_check" => version_check
  }.compact
  http = @client.request(
    method: :put,
    # encode_path escapes the caller-supplied id before interpolation
    # (presumably URL-encoding; confirm in WorkOS::Util).
    path: "/vault/v1/kv/#{WorkOS::Util.encode_path(id)}",
    auth: true,
    body: payload,
    request_options: request_options
  )
  WorkOS::ObjectWithoutValue.new(http.body).tap do |model|
    model.last_response = WorkOS::Types::ApiResponse.new(
      http_status: http.code.to_i,
      http_headers: http.each_header.to_h,
      request_id: http["x-request-id"]
    )
  end
end