activerecord-aws-secret-connector 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ede52301fb5baadbaec680812560494af3ebde837bd361eb78c1ff08da8a42a0
+  data.tar.gz: b01c4a66519fcc1a7f6dce66e8994f35e01852e5f5ad6a24dbf285717894eba8
+SHA512:
+  metadata.gz: c67c45b27406f82c1a56a31f5cce4770d3cec41436e6c82849eb2db982ed728914fd8b0225140e5831c7283c730d1c68922cc7e8be5d323171601ba163fa659c
+  data.tar.gz: 9d2b6299ac6277b064f78eac2cb5271fdd50e81aca5cdf70e47204f0d035b3b275d70ec0566bf5b1b8c12a9e3fa5c22786a7dfefbffd0e63a63cb55f79e0b65d

data/CONTRIBUTING.md

@@ -0,0 +1,11 @@
+# Contributing
+
+1. Fork the repository.
+2. Make your change with new passing tests, following the existing style.
+3. Write a [good commit message], push your fork, and submit a pull request.
+
+[good commit message]: http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
+
+Others will give constructive feedback.  This is a time for discussion and
+improvements, and making the necessary changes will be required before we can
+merge the contribution.

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in capistrano-dotenv.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Zygo Team Repository
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,70 @@
+# ActiveRecord AWS Secret Connector
+An adapter to make possibly to use active record and database.yml to connect to database using aws secrets manager
+
+## Features
+
+This adapter makes possible to store all database connection information on aws secrets manager, and even configure it to rotate the password from time to time,
+and configures directly database.yml to connect to aws secret and easily use it to connect to the database.
+
+This gem also uses rails can cache feature to store the database connection informations and avoid to connect and request those informations from ass secret every time. By default, it will expire the cache in 60 minutes.
+
+## Installation
+
+Add this line to gemfile
+
+```ruby
+gem "activerecord-aws-secret-connector"
+```
+
+And then run
+```bash
+bundle
+```
+
+After that, configure the database.yml, specifiyng the aws secret key that
+```yaml
+# config/database.yml
+
+production:
+  aws_secret: YOUR_AWS_SECRET_KAY_FOR_DATABASE_CONNECTION
+```
+
+This gem will connect to aws secret only for database config environments that has a `aws_secret` key on database.yml, working as default for other environments.
+
+When `aws_secret` is present, it will ignore the keys `host`, `port`, `database`, `username` and `password`, even if they are passed on database.yml too. It will override the database.yml values with values from aws secret in that case.
+
+## Options
+
+### Cache expiration
+
+By default, the gem will not use cache to store the database connection informations from aws secret. If you want to use cache and save some requests for aws secret, you need to set `cache_secret` key as true on database.yml, like below:
+
+```yaml
+production:
+  aws_secret: YOUR_AWS_SECRET_KAY_FOR_DATABASE_CONNECTION
+  cache_secret: true
+```
+
+When you set `cache_key` as true, the gem will use a default value for the cache key as DATABASE_SECRET_FOR_ENVIRONMENT and 60 minutes as expiration. Both attributes can be customized directly on database.yml too using `cache_key` and `cache_expires_in` keys. The value for `cache_expires_in` must be in minutes.
+
+```yaml
+production:
+  aws_secret: YOUR_AWS_SECRET_KAY_FOR_DATABASE_CONNECTION
+  cache_secret: true
+  cache_key: CUSTOMIZED_CACHE_KEY
+  cache_expires_in: 360
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/zygotecnologia/activerecord-aws-secret-connector.
+This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the (Contributor Covenant)[http://contributor-covenant.org/] code of conduct.
+
+## License
+
+The gem is available as open source under the terms of the (MIT License)[https://opensource.org/licenses/MIT].
+
+## TODO:
+
+- [ ] Adds tests
+- [ ] Adds configuration to connect to a different aws region from the default application aws region

data/activerecord-aws-secret-connector.gemspec

@@ -0,0 +1,25 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'active_record/aws_secret_connector/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'activerecord-aws-secret-connector'
+  spec.version       = ActiveRecord::AwsSecretConnector::VERSION
+  spec.authors       = ['João Paulo Lethier']
+  spec.email         = ['jplethier@gmail.com']
+  spec.description   = %q{Adds ability to active record connect to database using aws secret to store database connection informations}
+  spec.summary       = %q{Adds ability to active record connect to database using aws secret to store database connection informations}
+  spec.homepage      = 'https://github.com/zygotecnologia/activerecord-aws-secret-connector'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'aws-sdk-secretsmanager', '~> 1.43.0'
+
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake'
+end

data/lib/active_record/aws_secret_connector/version.rb

@@ -0,0 +1,5 @@
+module ActiveRecord
+  module AwsSecretConnector
+    VERSION = "0.0.1"
+  end
+end

data/lib/active_record/connection_adapters/connection_pool.rb

@@ -0,0 +1,65 @@
+module ActiveRecord
+  module ConnectionAdapters
+    class ConnectionPool
+      private
+
+      DEFAULT_DATABASE_SECRET_CACHE_KEY = "DATABASE_SECRET_FOR_#{Rails.env.upcase}"
+
+      # Overrides default new_connection method from active record
+      # to verify if database.yml has an aws_secret key
+      # It uses the aws_secret from database.yml to get
+      # all database connection informations from aws secret
+      # and possibly cache it to use it later easier
+      # when this key is present.
+      # Otherwise, just work as normal connection for activerecord default feature
+      def new_connection
+        config = spec.config
+
+        if spec.config.key? :aws_secret
+          database_info = database_config_with_cache if spec.config.try(:cache_secret)
+
+          database_info ||= database_config_from_secret
+
+          config.merge!(
+            host: database_info["host"],
+            port: database_info["port"],
+            database: database_info["dbname"],
+            username: database_info["username"],
+            password: database_info["password"]
+          )
+        end
+
+        Base.send(spec.adapter_method, config).tap do |conn|
+          conn.check_version
+        end
+      end
+
+      # Returns database config from cache if it is there, otherwise
+      # gets it from aws secret, stores it on cache and returns
+      #
+      # @return { "host" => "SOME_VALUE", "port" => "SOME_VALUE", "dbname" => "SOME_VALUE", "username" => "SOME_VALUE", "password" => "SOME_VALUE" }
+      def database_config_with_cache
+        Rails.cache.fetch(database_secret_cache_key, expire_in: database_secret_cache_expiration) do
+          database_config_from_secret
+        end
+      end
+
+      # Returns database config from secret directly
+      #
+      # @return { "host" => "SOME_VALUE", "port" => "SOME_VALUE", "dbname" => "SOME_VALUE", "username" => "SOME_VALUE", "password" => "SOME_VALUE" }
+      def database_config_from_secret
+        client = Aws::SecretsManager::Client.new
+
+        JSON.parse(client.get_secret_value(secret_id: spec.config[:aws_secret]).secret_string)
+      end
+
+      def database_secret_cache_key
+        spec.config.try(:cache_key).presence || DEFAULT_DATABASE_SECRET_CACHE_KEY
+      end
+
+      def database_secret_cache_expiration
+        (spec.config.try(:cache_expires_in).presence || 60).minutes
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,94 @@
+--- !ruby/object:Gem::Specification
+name: activerecord-aws-secret-connector
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- João Paulo Lethier
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-12-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-secretsmanager
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.43.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.43.0
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Adds ability to active record connect to database using aws secret to
+  store database connection informations
+email:
+- jplethier@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CONTRIBUTING.md
+- Gemfile
+- LICENSE
+- README.md
+- activerecord-aws-secret-connector.gemspec
+- lib/active_record/aws_secret_connector/version.rb
+- lib/active_record/connection_adapters/connection_pool.rb
+homepage: https://github.com/zygotecnologia/activerecord-aws-secret-connector
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.6
+signing_key: 
+specification_version: 4
+summary: Adds ability to active record connect to database using aws secret to store
+  database connection informations
+test_files: []