biscuit 0.0.7 → 0.1.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/.gitignore +3 -1
- data/.rspec +1 -0
- data/.travis.yml +13 -0
- data/CHANGELOG.markdown +11 -0
- data/Gemfile +3 -0
- data/LICENSE +1 -1
- data/README.md +99 -11
- data/biscuit.gemspec +5 -12
- data/lib/biscuit.rb +8 -3
- data/lib/biscuit/execution_error.rb +24 -0
- data/lib/biscuit/secrets_decrypter.rb +37 -0
- data/lib/biscuit/version.rb +1 -1
- metadata +24 -19
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: 772b6c3f55da69d87fbe4ab2f66f92a05c0129e63ae5dea063deed7746d6962e
|
4
|
+
data.tar.gz: 06ccf7df45f75ae126e3ee90399db3cf042aab46d023f759de261e2214114946
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ceadbc913378a7198ba124894db276a7e27e0da91f51432db3f5ed634b3325fe9995ed6e472e0f0c9edca056824c2e3495fa2a21a35510eb1d776716b51bb4eb
|
7
|
+
data.tar.gz: 01f63ef22d709b3e3190f4d9ef1f7b8afa9dbad01348a32b8b696623da2506d395e568f6367f1d9684fcca5b0dd63c9e06cbf51c2c6a2ce196c96e7ba0f8e3c7
|
data/.gitignore
CHANGED
data/.rspec
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
--require spec_helper
|
data/.travis.yml
ADDED
data/CHANGELOG.markdown
ADDED
@@ -0,0 +1,11 @@
|
|
1
|
+
# 0.1.3
|
2
|
+
- No changes - apparently there was already a yanked 0.1.2 out there somewhere
|
3
|
+
|
4
|
+
# 0.1.2
|
5
|
+
|
6
|
+
- [FIX] Revert to using `YAML.load` to load the secrets
|
7
|
+
- [FIX] Don't split values containing `:` into broken pieces
|
8
|
+
- Relax `rake` dependency
|
9
|
+
- [DOC] Fill out README
|
10
|
+
- Set up CI
|
11
|
+
- Gitignore the actual `biscuit` binary
|
data/Gemfile
CHANGED
data/LICENSE
CHANGED
@@ -1,5 +1,5 @@
|
|
1
1
|
The MIT License (MIT)
|
2
|
-
Copyright (c)
|
2
|
+
Copyright (c) 2019 User Testing, Inc.
|
3
3
|
|
4
4
|
Permission is hereby granted, free of charge, to any person obtaining a copy of this software
|
5
5
|
and associated documentation files (the "Software"), to deal in the Software without restriction,
|
data/README.md
CHANGED
@@ -1,28 +1,108 @@
|
|
1
1
|
# Biscuit
|
2
2
|
|
3
|
-
|
3
|
+
[![Travis](https://img.shields.io/travis/usertesting/biscuit?style=for-the-badge)](https://travis-ci.org/usertesting/biscuit) [![Coveralls github](https://img.shields.io/coveralls/github/usertesting/biscuit?style=for-the-badge)](https://coveralls.io/github/usertesting/biscuit) [![Code Climate maintainability](https://img.shields.io/codeclimate/maintainability/usertesting/biscuit?style=for-the-badge)](https://codeclimate.com/github/usertesting/biscuit)
|
4
4
|
|
5
|
-
|
5
|
+
|
6
|
+
This gem is a Ruby wrapper around `@dcoker`'s [biscuit library](https://github.com/dcoker/biscuit), a multi-region HA key-value store for your AWS infrastructure secrets.
|
7
|
+
|
8
|
+
By using this Ruby library, it is easy to integrate into a Ruby/Rails stack.
|
6
9
|
|
7
10
|
## Installation
|
8
11
|
|
9
|
-
Add this line to your application's Gemfile:
|
12
|
+
- Add this line to your application's Gemfile:
|
13
|
+
|
14
|
+
```ruby
|
15
|
+
gem 'biscuit'
|
16
|
+
```
|
17
|
+
|
18
|
+
- And then run `bundle`.
|
19
|
+
|
20
|
+
- `touch` a yaml file (or multiple for different environments).
|
21
|
+
|
22
|
+
## Usage
|
23
|
+
|
24
|
+
### Loading K/V pairs into a hash
|
25
|
+
|
26
|
+
```ruby
|
27
|
+
secrets_file = "some_yaml_file.yaml"
|
28
|
+
SECRETS = Biscuit::SecretsDecrypter.new(secrets_file).load
|
29
|
+
|
30
|
+
puts SECRETS["some_password"]
|
31
|
+
# => "decrypted password"
|
32
|
+
```
|
33
|
+
|
34
|
+
### Loading into ENV Vars
|
35
|
+
|
36
|
+
If you store config in ENV vars as suggested by the [12 Factor App](https://12factor.net/config), you can load your AWS encrypted secrets into ENV vars like this:
|
10
37
|
|
11
38
|
```ruby
|
12
|
-
|
39
|
+
secrets_file = "some_yaml_file.yaml"
|
40
|
+
Biscuit::SecretsDecrypter.new(secrets_file).load do |key, value|
|
41
|
+
ENV[key] = value
|
42
|
+
end
|
13
43
|
```
|
14
44
|
|
15
|
-
|
45
|
+
This approach pairs with [dotenv](https://github.com/bkeepers/dotenv) really well - dotenv for test/development, and biscuit for staging/production environments.
|
46
|
+
|
47
|
+
#### With Rails
|
16
48
|
|
17
|
-
|
49
|
+
Load your secrets in `application.rb`, between loading Rails/bundler, before the Application config starts:
|
18
50
|
|
19
|
-
|
51
|
+
```ruby
|
52
|
+
require "rails/all"
|
20
53
|
|
21
|
-
|
54
|
+
...
|
22
55
|
|
23
|
-
|
56
|
+
Bundler.require(*Rails.groups)
|
57
|
+
|
58
|
+
...
|
59
|
+
|
60
|
+
# Add in your biscuit loading here:
|
61
|
+
secrets_file = "#{__dir__}/secrets/#{Rails.env}.yml"
|
62
|
+
if File.exist?(secrets_file) # You can also check things like if Rails.env.production?
|
63
|
+
Biscuit::SecretsDecrypter.new(secrets_file).load do |key, value|
|
64
|
+
ENV[key] = value
|
65
|
+
end
|
66
|
+
end
|
67
|
+
|
68
|
+
...
|
24
69
|
|
25
|
-
|
70
|
+
module MyApp
|
71
|
+
class Application < Rails::Application
|
72
|
+
....
|
73
|
+
```
|
74
|
+
|
75
|
+
#### Adding a new key
|
76
|
+
|
77
|
+
From the application root, run `biscuit put -f`, followed by the path to the yaml you want to encrypt in, followed by the key, followed by the example.
|
78
|
+
|
79
|
+
```bash
|
80
|
+
$ biscuit put -f config/secrets/production.yml SECRET_KEY "sensitive value"
|
81
|
+
```
|
82
|
+
|
83
|
+
#### Getting a key (CLI)
|
84
|
+
|
85
|
+
```bash
|
86
|
+
$ biscuit export -f config/secrets/production.yml | grep "SECRET_KEY"
|
87
|
+
```
|
88
|
+
|
89
|
+
#### A note on parsed values and quoting
|
90
|
+
|
91
|
+
Given this unencrypted YAML:
|
92
|
+
|
93
|
+
```yaml
|
94
|
+
foo: 1,2,3,4,5
|
95
|
+
```
|
96
|
+
|
97
|
+
You might think that `foo`'s value after being loaded would be `"1,2,3,4,5"`.
|
98
|
+
You'd be wrong... Ruby's YAML parser [strips out the commas](https://github.com/ruby/psych/issues/273), sees `12345`, and thinks "ah we have a number!"
|
99
|
+
Then the value is `12345`.
|
100
|
+
|
101
|
+
If you desire to keep the commas, you'll have to encode it quoted:
|
102
|
+
|
103
|
+
```yaml
|
104
|
+
foo: "1,2,3,4,5"
|
105
|
+
```
|
26
106
|
|
27
107
|
## Development
|
28
108
|
|
@@ -30,9 +110,17 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
|
|
30
110
|
|
31
111
|
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release` to create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
32
112
|
|
113
|
+
## License
|
114
|
+
|
115
|
+
[MIT](LICENSE).
|
116
|
+
|
117
|
+
Library created by [UserTesting](https://usertesting.com)
|
118
|
+
|
119
|
+
![UserTesting](doc/UserTesting.png)
|
120
|
+
|
33
121
|
## Contributing
|
34
122
|
|
35
|
-
1. Fork it ( https://github.com/
|
123
|
+
1. Fork it ( https://github.com/usertesting/biscuit/fork )
|
36
124
|
2. Create your feature branch (`git checkout -b my-new-feature`)
|
37
125
|
3. Commit your changes (`git commit -am 'Add some feature'`)
|
38
126
|
4. Push to the branch (`git push origin my-new-feature`)
|
data/biscuit.gemspec
CHANGED
@@ -6,22 +6,15 @@ require 'biscuit/version'
|
|
6
6
|
Gem::Specification.new do |spec|
|
7
7
|
spec.name = "biscuit"
|
8
8
|
spec.version = Biscuit::VERSION
|
9
|
-
spec.authors = ["Suan-Aik Yeo"]
|
10
|
-
spec.email = ["yeosuanaik@gmail.com"]
|
9
|
+
spec.authors = ["Suan-Aik Yeo", "Justin Aiken"]
|
10
|
+
spec.email = ["yeosuanaik@gmail.com", "60tonangel@gmail.com"]
|
11
11
|
|
12
12
|
spec.summary = %q{Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).}
|
13
13
|
spec.description = %q{Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).}
|
14
14
|
spec.homepage = "https://github.com/usertesting/biscuit"
|
15
|
+
spec.license = "MIT"
|
15
16
|
|
16
|
-
|
17
|
-
# delete this section to allow pushing this gem to any host.
|
18
|
-
if spec.respond_to?(:metadata)
|
19
|
-
spec.metadata['allowed_push_host'] = "TODO: Set to 'http://mygemserver.com'"
|
20
|
-
else
|
21
|
-
raise "RubyGems 2.0 or newer is required to protect against public gem pushes."
|
22
|
-
end
|
23
|
-
|
24
|
-
spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
|
17
|
+
spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features|doc)/}) }
|
25
18
|
spec.bindir = "bin"
|
26
19
|
spec.executables = 'biscuit'
|
27
20
|
spec.require_paths = ["lib"]
|
@@ -30,5 +23,5 @@ Gem::Specification.new do |spec|
|
|
30
23
|
spec.add_development_dependency "bundler", "~> 1.9"
|
31
24
|
spec.add_development_dependency "rake", "~> 10.0"
|
32
25
|
|
33
|
-
spec.add_runtime_dependency "rake"
|
26
|
+
spec.add_runtime_dependency "rake"
|
34
27
|
end
|
data/lib/biscuit.rb
CHANGED
@@ -1,9 +1,14 @@
|
|
1
1
|
require "biscuit/version"
|
2
|
+
require "biscuit/secrets_decrypter"
|
3
|
+
require "biscuit/execution_error"
|
4
|
+
|
5
|
+
require "open3"
|
6
|
+
require "yaml"
|
2
7
|
|
3
8
|
module Biscuit
|
4
9
|
def self.run!(command)
|
5
|
-
|
6
|
-
raise
|
7
|
-
|
10
|
+
stdout, stderr, status = Open3.capture3("#{__dir__}/../bin/_biscuit #{command}")
|
11
|
+
raise Biscuit::ExecutionError.new(stderr, stdout) unless status == 0
|
12
|
+
stdout
|
8
13
|
end
|
9
14
|
end
|
@@ -0,0 +1,24 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Biscuit
|
4
|
+
class ExecutionError < StandardError
|
5
|
+
def initialize(stderr, stdout=nil)
|
6
|
+
@stdout = stdout
|
7
|
+
@stderr = stderr
|
8
|
+
super(message)
|
9
|
+
end
|
10
|
+
|
11
|
+
def message
|
12
|
+
messages = []
|
13
|
+
messages << "std_out: #{truncate(@stdout)}" if @stdout
|
14
|
+
messages << "std_err: #{truncate(@stderr)}" if @stderr
|
15
|
+
messages.join(" ")
|
16
|
+
end
|
17
|
+
|
18
|
+
private
|
19
|
+
|
20
|
+
def truncate(message)
|
21
|
+
message.slice(0, 200)
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
@@ -0,0 +1,37 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Biscuit
|
4
|
+
class SecretsDecrypter
|
5
|
+
attr_reader :secrets_file
|
6
|
+
|
7
|
+
def initialize(secrets_file)
|
8
|
+
fail "#{secrets_file} is not found" unless File.exists? secrets_file
|
9
|
+
|
10
|
+
@secrets_file = secrets_file
|
11
|
+
end
|
12
|
+
|
13
|
+
def load(&block)
|
14
|
+
if block_given?
|
15
|
+
secrets.each{ |key, value|
|
16
|
+
block.call(key, value)
|
17
|
+
}
|
18
|
+
else
|
19
|
+
secrets
|
20
|
+
end
|
21
|
+
end
|
22
|
+
|
23
|
+
private
|
24
|
+
|
25
|
+
def secrets
|
26
|
+
@_secrets ||= YAML.load(exported)
|
27
|
+
end
|
28
|
+
|
29
|
+
def exported
|
30
|
+
@_exported ||= Biscuit.run!("export -f '#{secrets_file}'")
|
31
|
+
end
|
32
|
+
|
33
|
+
def secret_lines
|
34
|
+
@_secret_lines ||= exported.split("\n").select { |line| line =~ /\S/ }
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
data/lib/biscuit/version.rb
CHANGED
metadata
CHANGED
@@ -1,67 +1,72 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: biscuit
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.1.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Suan-Aik Yeo
|
8
|
+
- Justin Aiken
|
8
9
|
autorequire:
|
9
10
|
bindir: bin
|
10
11
|
cert_chain: []
|
11
|
-
date:
|
12
|
+
date: 2019-10-23 00:00:00.000000000 Z
|
12
13
|
dependencies:
|
13
14
|
- !ruby/object:Gem::Dependency
|
14
15
|
name: bundler
|
15
16
|
requirement: !ruby/object:Gem::Requirement
|
16
17
|
requirements:
|
17
|
-
- - ~>
|
18
|
+
- - "~>"
|
18
19
|
- !ruby/object:Gem::Version
|
19
20
|
version: '1.9'
|
20
21
|
type: :development
|
21
22
|
prerelease: false
|
22
23
|
version_requirements: !ruby/object:Gem::Requirement
|
23
24
|
requirements:
|
24
|
-
- - ~>
|
25
|
+
- - "~>"
|
25
26
|
- !ruby/object:Gem::Version
|
26
27
|
version: '1.9'
|
27
28
|
- !ruby/object:Gem::Dependency
|
28
29
|
name: rake
|
29
30
|
requirement: !ruby/object:Gem::Requirement
|
30
31
|
requirements:
|
31
|
-
- - ~>
|
32
|
+
- - "~>"
|
32
33
|
- !ruby/object:Gem::Version
|
33
34
|
version: '10.0'
|
34
35
|
type: :development
|
35
36
|
prerelease: false
|
36
37
|
version_requirements: !ruby/object:Gem::Requirement
|
37
38
|
requirements:
|
38
|
-
- - ~>
|
39
|
+
- - "~>"
|
39
40
|
- !ruby/object:Gem::Version
|
40
41
|
version: '10.0'
|
41
42
|
- !ruby/object:Gem::Dependency
|
42
43
|
name: rake
|
43
44
|
requirement: !ruby/object:Gem::Requirement
|
44
45
|
requirements:
|
45
|
-
- -
|
46
|
+
- - ">="
|
46
47
|
- !ruby/object:Gem::Version
|
47
|
-
version: '
|
48
|
+
version: '0'
|
48
49
|
type: :runtime
|
49
50
|
prerelease: false
|
50
51
|
version_requirements: !ruby/object:Gem::Requirement
|
51
52
|
requirements:
|
52
|
-
- -
|
53
|
+
- - ">="
|
53
54
|
- !ruby/object:Gem::Version
|
54
|
-
version: '
|
55
|
+
version: '0'
|
55
56
|
description: Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).
|
56
57
|
email:
|
57
58
|
- yeosuanaik@gmail.com
|
59
|
+
- 60tonangel@gmail.com
|
58
60
|
executables:
|
59
61
|
- biscuit
|
60
62
|
extensions:
|
61
63
|
- Rakefile
|
62
64
|
extra_rdoc_files: []
|
63
65
|
files:
|
64
|
-
- .gitignore
|
66
|
+
- ".gitignore"
|
67
|
+
- ".rspec"
|
68
|
+
- ".travis.yml"
|
69
|
+
- CHANGELOG.markdown
|
65
70
|
- Gemfile
|
66
71
|
- LICENSE
|
67
72
|
- README.md
|
@@ -71,30 +76,30 @@ files:
|
|
71
76
|
- bin/setup
|
72
77
|
- biscuit.gemspec
|
73
78
|
- lib/biscuit.rb
|
79
|
+
- lib/biscuit/execution_error.rb
|
80
|
+
- lib/biscuit/secrets_decrypter.rb
|
74
81
|
- lib/biscuit/version.rb
|
75
82
|
homepage: https://github.com/usertesting/biscuit
|
76
|
-
licenses:
|
77
|
-
|
78
|
-
|
83
|
+
licenses:
|
84
|
+
- MIT
|
85
|
+
metadata: {}
|
79
86
|
post_install_message:
|
80
87
|
rdoc_options: []
|
81
88
|
require_paths:
|
82
89
|
- lib
|
83
90
|
required_ruby_version: !ruby/object:Gem::Requirement
|
84
91
|
requirements:
|
85
|
-
- -
|
92
|
+
- - ">="
|
86
93
|
- !ruby/object:Gem::Version
|
87
94
|
version: '0'
|
88
95
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
89
96
|
requirements:
|
90
|
-
- -
|
97
|
+
- - ">="
|
91
98
|
- !ruby/object:Gem::Version
|
92
99
|
version: '0'
|
93
100
|
requirements: []
|
94
|
-
|
95
|
-
rubygems_version: 2.0.14
|
101
|
+
rubygems_version: 3.0.6
|
96
102
|
signing_key:
|
97
103
|
specification_version: 4
|
98
104
|
summary: Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).
|
99
105
|
test_files: []
|
100
|
-
has_rdoc:
|