biscuit 0.0.4 → 0.1.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/.github/workflows/publish_gem.yml +21 -0
- data/.gitignore +3 -1
- data/.rspec +1 -0
- data/.travis.yml +13 -0
- data/CHANGELOG.markdown +16 -0
- data/Gemfile +3 -0
- data/LICENSE +17 -0
- data/README.md +99 -11
- data/Rakefile +2 -4
- data/bin/biscuit +4 -0
- data/biscuit.gemspec +8 -13
- data/lib/biscuit.rb +10 -1
- data/lib/biscuit/execution_error.rb +24 -0
- data/lib/biscuit/secrets_decrypter.rb +37 -0
- data/lib/biscuit/version.rb +1 -1
- metadata +43 -22
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: c9d55cb873d9a420bce70989d2463e389a14ae834e168bf8f105b1a5bf182f42
|
4
|
+
data.tar.gz: 61188e6d68cc7c24d50a20a567e4266408ec3cd097c07e3cd450e49e0503f756
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 44c2897ae14a681bf090b21ada81c70ba77acb436e586eca6456da4d9400fa21afdf4a844d27dee2b30f018071904f542fe57eb799727cd06c402d1332e93cec
|
7
|
+
data.tar.gz: 603f4e54503779d12433ddcb2edd1af17a94a1d9aa17f0b24e63538b3f0668448dbf82fa93bdd760edecd5566c13fd4ab1902a3d34c6882a3aa6cb1ad5d1a930
|
@@ -0,0 +1,21 @@
|
|
1
|
+
name: Publish Gem
|
2
|
+
|
3
|
+
on:
|
4
|
+
push:
|
5
|
+
branches:
|
6
|
+
- "master"
|
7
|
+
- "github-workflow-publish-gem"
|
8
|
+
|
9
|
+
jobs:
|
10
|
+
build:
|
11
|
+
runs-on: ubuntu-latest
|
12
|
+
|
13
|
+
steps:
|
14
|
+
- uses: actions/checkout@v1
|
15
|
+
|
16
|
+
- name: Release Gem
|
17
|
+
uses: cadwallion/publish-rubygems-action@master
|
18
|
+
env:
|
19
|
+
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
|
20
|
+
RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_API_KEY}}
|
21
|
+
RELEASE_COMMAND: rake release
|
data/.gitignore
CHANGED
data/.rspec
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
--require spec_helper
|
data/.travis.yml
ADDED
data/CHANGELOG.markdown
ADDED
@@ -0,0 +1,16 @@
|
|
1
|
+
# 0.1.4
|
2
|
+
- [FIX] `open()` is deprecated for URIs. Uses `URI.open()`
|
3
|
+
- Bumps bundler version
|
4
|
+
- Bumps rake gem version
|
5
|
+
|
6
|
+
# 0.1.3
|
7
|
+
- No changes - apparently there was already a yanked 0.1.2 out there somewhere
|
8
|
+
|
9
|
+
# 0.1.2
|
10
|
+
|
11
|
+
- [FIX] Revert to using `YAML.load` to load the secrets
|
12
|
+
- [FIX] Don't split values containing `:` into broken pieces
|
13
|
+
- Relax `rake` dependency
|
14
|
+
- [DOC] Fill out README
|
15
|
+
- Set up CI
|
16
|
+
- Gitignore the actual `biscuit` binary
|
data/Gemfile
CHANGED
data/LICENSE
ADDED
@@ -0,0 +1,17 @@
|
|
1
|
+
The MIT License (MIT)
|
2
|
+
Copyright (c) 2019 User Testing, Inc.
|
3
|
+
|
4
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy of this software
|
5
|
+
and associated documentation files (the "Software"), to deal in the Software without restriction,
|
6
|
+
including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
7
|
+
and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
|
8
|
+
subject to the following conditions:
|
9
|
+
|
10
|
+
The above copyright notice and this permission notice shall be included in all copies or substantial
|
11
|
+
portions of the Software.
|
12
|
+
|
13
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
|
14
|
+
LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
15
|
+
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
|
16
|
+
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
|
17
|
+
OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
CHANGED
@@ -1,28 +1,108 @@
|
|
1
1
|
# Biscuit
|
2
2
|
|
3
|
-
|
3
|
+
[![Travis](https://img.shields.io/travis/usertesting/biscuit?style=for-the-badge)](https://travis-ci.org/usertesting/biscuit) [![Coveralls github](https://img.shields.io/coveralls/github/usertesting/biscuit?style=for-the-badge)](https://coveralls.io/github/usertesting/biscuit) [![Code Climate maintainability](https://img.shields.io/codeclimate/maintainability/usertesting/biscuit?style=for-the-badge)](https://codeclimate.com/github/usertesting/biscuit)
|
4
4
|
|
5
|
-
|
5
|
+
|
6
|
+
This gem is a Ruby wrapper around `@dcoker`'s [biscuit library](https://github.com/dcoker/biscuit), a multi-region HA key-value store for your AWS infrastructure secrets.
|
7
|
+
|
8
|
+
By using this Ruby library, it is easy to integrate into a Ruby/Rails stack.
|
6
9
|
|
7
10
|
## Installation
|
8
11
|
|
9
|
-
Add this line to your application's Gemfile:
|
12
|
+
- Add this line to your application's Gemfile:
|
13
|
+
|
14
|
+
```ruby
|
15
|
+
gem 'biscuit'
|
16
|
+
```
|
17
|
+
|
18
|
+
- And then run `bundle`.
|
19
|
+
|
20
|
+
- `touch` a yaml file (or multiple for different environments).
|
21
|
+
|
22
|
+
## Usage
|
23
|
+
|
24
|
+
### Loading K/V pairs into a hash
|
25
|
+
|
26
|
+
```ruby
|
27
|
+
secrets_file = "some_yaml_file.yaml"
|
28
|
+
SECRETS = Biscuit::SecretsDecrypter.new(secrets_file).load
|
29
|
+
|
30
|
+
puts SECRETS["some_password"]
|
31
|
+
# => "decrypted password"
|
32
|
+
```
|
33
|
+
|
34
|
+
### Loading into ENV Vars
|
35
|
+
|
36
|
+
If you store config in ENV vars as suggested by the [12 Factor App](https://12factor.net/config), you can load your AWS encrypted secrets into ENV vars like this:
|
10
37
|
|
11
38
|
```ruby
|
12
|
-
|
39
|
+
secrets_file = "some_yaml_file.yaml"
|
40
|
+
Biscuit::SecretsDecrypter.new(secrets_file).load do |key, value|
|
41
|
+
ENV[key] = value
|
42
|
+
end
|
13
43
|
```
|
14
44
|
|
15
|
-
|
45
|
+
This approach pairs with [dotenv](https://github.com/bkeepers/dotenv) really well - dotenv for test/development, and biscuit for staging/production environments.
|
46
|
+
|
47
|
+
#### With Rails
|
16
48
|
|
17
|
-
|
49
|
+
Load your secrets in `application.rb`, between loading Rails/bundler, before the Application config starts:
|
18
50
|
|
19
|
-
|
51
|
+
```ruby
|
52
|
+
require "rails/all"
|
20
53
|
|
21
|
-
|
54
|
+
...
|
22
55
|
|
23
|
-
|
56
|
+
Bundler.require(*Rails.groups)
|
57
|
+
|
58
|
+
...
|
59
|
+
|
60
|
+
# Add in your biscuit loading here:
|
61
|
+
secrets_file = "#{__dir__}/secrets/#{Rails.env}.yml"
|
62
|
+
if File.exist?(secrets_file) # You can also check things like if Rails.env.production?
|
63
|
+
Biscuit::SecretsDecrypter.new(secrets_file).load do |key, value|
|
64
|
+
ENV[key] = value
|
65
|
+
end
|
66
|
+
end
|
67
|
+
|
68
|
+
...
|
24
69
|
|
25
|
-
|
70
|
+
module MyApp
|
71
|
+
class Application < Rails::Application
|
72
|
+
....
|
73
|
+
```
|
74
|
+
|
75
|
+
#### Adding a new key
|
76
|
+
|
77
|
+
From the application root, run `biscuit put -f`, followed by the path to the yaml you want to encrypt in, followed by the key, followed by the example.
|
78
|
+
|
79
|
+
```bash
|
80
|
+
$ biscuit put -f config/secrets/production.yml SECRET_KEY "sensitive value"
|
81
|
+
```
|
82
|
+
|
83
|
+
#### Getting a key (CLI)
|
84
|
+
|
85
|
+
```bash
|
86
|
+
$ biscuit export -f config/secrets/production.yml | grep "SECRET_KEY"
|
87
|
+
```
|
88
|
+
|
89
|
+
#### A note on parsed values and quoting
|
90
|
+
|
91
|
+
Given this unencrypted YAML:
|
92
|
+
|
93
|
+
```yaml
|
94
|
+
foo: 1,2,3,4,5
|
95
|
+
```
|
96
|
+
|
97
|
+
You might think that `foo`'s value after being loaded would be `"1,2,3,4,5"`.
|
98
|
+
You'd be wrong... Ruby's YAML parser [strips out the commas](https://github.com/ruby/psych/issues/273), sees `12345`, and thinks "ah we have a number!"
|
99
|
+
Then the value is `12345`.
|
100
|
+
|
101
|
+
If you desire to keep the commas, you'll have to encode it quoted:
|
102
|
+
|
103
|
+
```yaml
|
104
|
+
foo: "1,2,3,4,5"
|
105
|
+
```
|
26
106
|
|
27
107
|
## Development
|
28
108
|
|
@@ -30,9 +110,17 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
|
|
30
110
|
|
31
111
|
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release` to create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
32
112
|
|
113
|
+
## License
|
114
|
+
|
115
|
+
[MIT](LICENSE).
|
116
|
+
|
117
|
+
Library created by [UserTesting](https://usertesting.com)
|
118
|
+
|
119
|
+
![UserTesting](doc/UserTesting.png)
|
120
|
+
|
33
121
|
## Contributing
|
34
122
|
|
35
|
-
1. Fork it ( https://github.com/
|
123
|
+
1. Fork it ( https://github.com/usertesting/biscuit/fork )
|
36
124
|
2. Create your feature branch (`git checkout -b my-new-feature`)
|
37
125
|
3. Commit your changes (`git commit -am 'Add some feature'`)
|
38
126
|
4. Push to the branch (`git push origin my-new-feature`)
|
data/Rakefile
CHANGED
@@ -1,8 +1,6 @@
|
|
1
|
-
require 'bundler'
|
2
|
-
require 'bundler/gem_tasks'
|
3
1
|
require 'open-uri'
|
4
2
|
|
5
|
-
UPSTREAM_VERSION = '0.1.
|
3
|
+
UPSTREAM_VERSION = '0.1.3'
|
6
4
|
|
7
5
|
def fetch(release_url)
|
8
6
|
tgz_path = download_file(release_url)
|
@@ -14,7 +12,7 @@ end
|
|
14
12
|
def download_file(url)
|
15
13
|
filename = URI(url).path.split('/').last
|
16
14
|
|
17
|
-
IO.copy_stream(open(url), "/tmp/#{filename}")
|
15
|
+
IO.copy_stream(URI.open(url), "/tmp/#{filename}")
|
18
16
|
|
19
17
|
"/tmp/#{filename}"
|
20
18
|
end
|
data/bin/biscuit
CHANGED
@@ -1,5 +1,9 @@
|
|
1
1
|
#!/usr/bin/env ruby
|
2
2
|
|
3
3
|
this_gems_root = Gem::Specification.find_by_name("biscuit").gem_dir
|
4
|
+
|
5
|
+
# We aren't using Biscuit.run! here because we want output to be streamed as it arrives for interactive use,
|
6
|
+
# and we don't care about capturing the result
|
4
7
|
system("#{this_gems_root}/bin/_biscuit", *ARGV)
|
8
|
+
|
5
9
|
exit $?.exitstatus
|
data/biscuit.gemspec
CHANGED
@@ -6,27 +6,22 @@ require 'biscuit/version'
|
|
6
6
|
Gem::Specification.new do |spec|
|
7
7
|
spec.name = "biscuit"
|
8
8
|
spec.version = Biscuit::VERSION
|
9
|
-
spec.authors = ["Suan-Aik Yeo"]
|
10
|
-
spec.email = ["yeosuanaik@gmail.com"]
|
9
|
+
spec.authors = ["Suan-Aik Yeo", "Justin Aiken"]
|
10
|
+
spec.email = ["yeosuanaik@gmail.com", "60tonangel@gmail.com"]
|
11
11
|
|
12
12
|
spec.summary = %q{Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).}
|
13
13
|
spec.description = %q{Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).}
|
14
14
|
spec.homepage = "https://github.com/usertesting/biscuit"
|
15
|
+
spec.license = "MIT"
|
15
16
|
|
16
|
-
|
17
|
-
# delete this section to allow pushing this gem to any host.
|
18
|
-
if spec.respond_to?(:metadata)
|
19
|
-
spec.metadata['allowed_push_host'] = "TODO: Set to 'http://mygemserver.com'"
|
20
|
-
else
|
21
|
-
raise "RubyGems 2.0 or newer is required to protect against public gem pushes."
|
22
|
-
end
|
23
|
-
|
24
|
-
spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
|
17
|
+
spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features|doc)/}) }
|
25
18
|
spec.bindir = "bin"
|
26
19
|
spec.executables = 'biscuit'
|
27
20
|
spec.require_paths = ["lib"]
|
28
21
|
spec.extensions = ["Rakefile"]
|
29
22
|
|
30
|
-
spec.add_development_dependency "bundler", "~> 1
|
31
|
-
spec.add_development_dependency "rake", "~>
|
23
|
+
spec.add_development_dependency "bundler", "~> 2.1"
|
24
|
+
spec.add_development_dependency "rake", "~> 13.0"
|
25
|
+
|
26
|
+
spec.add_runtime_dependency "rake"
|
32
27
|
end
|
data/lib/biscuit.rb
CHANGED
@@ -1,5 +1,14 @@
|
|
1
1
|
require "biscuit/version"
|
2
|
+
require "biscuit/secrets_decrypter"
|
3
|
+
require "biscuit/execution_error"
|
4
|
+
|
5
|
+
require "open3"
|
6
|
+
require "yaml"
|
2
7
|
|
3
8
|
module Biscuit
|
4
|
-
|
9
|
+
def self.run!(command)
|
10
|
+
stdout, stderr, status = Open3.capture3("#{__dir__}/../bin/_biscuit #{command}")
|
11
|
+
raise Biscuit::ExecutionError.new(stderr, stdout) unless status == 0
|
12
|
+
stdout
|
13
|
+
end
|
5
14
|
end
|
@@ -0,0 +1,24 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Biscuit
|
4
|
+
class ExecutionError < StandardError
|
5
|
+
def initialize(stderr, stdout=nil)
|
6
|
+
@stdout = stdout
|
7
|
+
@stderr = stderr
|
8
|
+
super(message)
|
9
|
+
end
|
10
|
+
|
11
|
+
def message
|
12
|
+
messages = []
|
13
|
+
messages << "std_out: #{truncate(@stdout)}" if @stdout
|
14
|
+
messages << "std_err: #{truncate(@stderr)}" if @stderr
|
15
|
+
messages.join(" ")
|
16
|
+
end
|
17
|
+
|
18
|
+
private
|
19
|
+
|
20
|
+
def truncate(message)
|
21
|
+
message.slice(0, 200)
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
@@ -0,0 +1,37 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Biscuit
|
4
|
+
class SecretsDecrypter
|
5
|
+
attr_reader :secrets_file
|
6
|
+
|
7
|
+
def initialize(secrets_file)
|
8
|
+
fail "#{secrets_file} is not found" unless File.exists? secrets_file
|
9
|
+
|
10
|
+
@secrets_file = secrets_file
|
11
|
+
end
|
12
|
+
|
13
|
+
def load(&block)
|
14
|
+
if block_given?
|
15
|
+
secrets.each{ |key, value|
|
16
|
+
block.call(key, value)
|
17
|
+
}
|
18
|
+
else
|
19
|
+
secrets
|
20
|
+
end
|
21
|
+
end
|
22
|
+
|
23
|
+
private
|
24
|
+
|
25
|
+
def secrets
|
26
|
+
@_secrets ||= YAML.load(exported)
|
27
|
+
end
|
28
|
+
|
29
|
+
def exported
|
30
|
+
@_exported ||= Biscuit.run!("export -f '#{secrets_file}'")
|
31
|
+
end
|
32
|
+
|
33
|
+
def secret_lines
|
34
|
+
@_secret_lines ||= exported.split("\n").select { |line| line =~ /\S/ }
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
data/lib/biscuit/version.rb
CHANGED
metadata
CHANGED
@@ -1,54 +1,75 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: biscuit
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.1.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Suan-Aik Yeo
|
8
|
-
|
8
|
+
- Justin Aiken
|
9
|
+
autorequire:
|
9
10
|
bindir: bin
|
10
11
|
cert_chain: []
|
11
|
-
date:
|
12
|
+
date: 2021-06-02 00:00:00.000000000 Z
|
12
13
|
dependencies:
|
13
14
|
- !ruby/object:Gem::Dependency
|
14
15
|
name: bundler
|
15
16
|
requirement: !ruby/object:Gem::Requirement
|
16
17
|
requirements:
|
17
|
-
- - ~>
|
18
|
+
- - "~>"
|
18
19
|
- !ruby/object:Gem::Version
|
19
|
-
version: '1
|
20
|
+
version: '2.1'
|
20
21
|
type: :development
|
21
22
|
prerelease: false
|
22
23
|
version_requirements: !ruby/object:Gem::Requirement
|
23
24
|
requirements:
|
24
|
-
- - ~>
|
25
|
+
- - "~>"
|
25
26
|
- !ruby/object:Gem::Version
|
26
|
-
version: '1
|
27
|
+
version: '2.1'
|
27
28
|
- !ruby/object:Gem::Dependency
|
28
29
|
name: rake
|
29
30
|
requirement: !ruby/object:Gem::Requirement
|
30
31
|
requirements:
|
31
|
-
- - ~>
|
32
|
+
- - "~>"
|
32
33
|
- !ruby/object:Gem::Version
|
33
|
-
version: '
|
34
|
+
version: '13.0'
|
34
35
|
type: :development
|
35
36
|
prerelease: false
|
36
37
|
version_requirements: !ruby/object:Gem::Requirement
|
37
38
|
requirements:
|
38
|
-
- - ~>
|
39
|
+
- - "~>"
|
39
40
|
- !ruby/object:Gem::Version
|
40
|
-
version: '
|
41
|
+
version: '13.0'
|
42
|
+
- !ruby/object:Gem::Dependency
|
43
|
+
name: rake
|
44
|
+
requirement: !ruby/object:Gem::Requirement
|
45
|
+
requirements:
|
46
|
+
- - ">="
|
47
|
+
- !ruby/object:Gem::Version
|
48
|
+
version: '0'
|
49
|
+
type: :runtime
|
50
|
+
prerelease: false
|
51
|
+
version_requirements: !ruby/object:Gem::Requirement
|
52
|
+
requirements:
|
53
|
+
- - ">="
|
54
|
+
- !ruby/object:Gem::Version
|
55
|
+
version: '0'
|
41
56
|
description: Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).
|
42
57
|
email:
|
43
58
|
- yeosuanaik@gmail.com
|
59
|
+
- 60tonangel@gmail.com
|
44
60
|
executables:
|
45
61
|
- biscuit
|
46
62
|
extensions:
|
47
63
|
- Rakefile
|
48
64
|
extra_rdoc_files: []
|
49
65
|
files:
|
50
|
-
- .
|
66
|
+
- ".github/workflows/publish_gem.yml"
|
67
|
+
- ".gitignore"
|
68
|
+
- ".rspec"
|
69
|
+
- ".travis.yml"
|
70
|
+
- CHANGELOG.markdown
|
51
71
|
- Gemfile
|
72
|
+
- LICENSE
|
52
73
|
- README.md
|
53
74
|
- Rakefile
|
54
75
|
- bin/biscuit
|
@@ -56,30 +77,30 @@ files:
|
|
56
77
|
- bin/setup
|
57
78
|
- biscuit.gemspec
|
58
79
|
- lib/biscuit.rb
|
80
|
+
- lib/biscuit/execution_error.rb
|
81
|
+
- lib/biscuit/secrets_decrypter.rb
|
59
82
|
- lib/biscuit/version.rb
|
60
83
|
homepage: https://github.com/usertesting/biscuit
|
61
|
-
licenses:
|
62
|
-
|
63
|
-
|
64
|
-
post_install_message:
|
84
|
+
licenses:
|
85
|
+
- MIT
|
86
|
+
metadata: {}
|
87
|
+
post_install_message:
|
65
88
|
rdoc_options: []
|
66
89
|
require_paths:
|
67
90
|
- lib
|
68
91
|
required_ruby_version: !ruby/object:Gem::Requirement
|
69
92
|
requirements:
|
70
|
-
- -
|
93
|
+
- - ">="
|
71
94
|
- !ruby/object:Gem::Version
|
72
95
|
version: '0'
|
73
96
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
74
97
|
requirements:
|
75
|
-
- -
|
98
|
+
- - ">="
|
76
99
|
- !ruby/object:Gem::Version
|
77
100
|
version: '0'
|
78
101
|
requirements: []
|
79
|
-
|
80
|
-
|
81
|
-
signing_key:
|
102
|
+
rubygems_version: 3.2.3
|
103
|
+
signing_key:
|
82
104
|
specification_version: 4
|
83
105
|
summary: Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).
|
84
106
|
test_files: []
|
85
|
-
has_rdoc:
|