cipherpipe 0.1.0 → 0.2.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (13) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +1 -1
  3. data/README.md +18 -0
  4. data/cipherpipe.gemspec +1 -1
  5. data/lib/cipherpipe/cli.rb +2 -0
  6. data/lib/cipherpipe/commands/ec2.rb +36 -0
  7. data/lib/cipherpipe/commands/help.rb +3 -0
  8. data/lib/cipherpipe/configuration.rb +2 -1
  9. data/lib/cipherpipe/external_source.rb +3 -2
  10. data/lib/cipherpipe/vault/ec2_token.rb +36 -0
  11. data/lib/cipherpipe/vault.rb +10 -0
  12. data/lib/cipherpipe.rb +1 -0
  13. metadata +4 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 15b425e50ef35bf3fc0b593f4c4c7e8b356704fb00e8319e635e05062c8f5fc5
4
- data.tar.gz: 66aaa053fc30dd29b72552bfd1374143ce300a8da80d716fdd870e65a8553d20
3
+ metadata.gz: e9b2fab8ec6b717ba29bc3c22384079406026f74695a132edf66d874d5d15314
4
+ data.tar.gz: bf35ea57b17d3ff040fae15078ed8d303330d318a6067903a0c89e0f57e41d3b
5
5
  SHA512:
6
- metadata.gz: c1c251974d2c8b78835b568c3b9174e7d5e603e3f345a91b801c9d24e7929a0612f6043dd16be6135da6e3038f50055081275c29fdc71256923dcbb9a0297c56
7
- data.tar.gz: b703b2dd774baeead92f5f713c1436503c56d1ca80ebbeed0436366375450ce71f73f1f0a3109ed518c04c9db9e05844f9d68fc3c6739d8080a4a3a047ce4043
6
+ metadata.gz: b19efd4d039824f3222d8dc53b8279712acf2d5ecf203e199901fa65b656c4a29bf1b122eaf7e71d2b8d2e0e823dbbcb864ae6e0fa1b4f4a558589309da325bc
7
+ data.tar.gz: 076ad3592c79152537e8afae5db73c8d6e6b4025272738dacf2b9f123380a82141691beca3f483635773377020ce456befb8ba94f6dc792f5ce612a9580dd455
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- cipherpipe (0.1.0)
4
+ cipherpipe (0.2.0)
5
5
 
6
6
  GEM
7
7
  remote: https://rubygems.org/
data/README.md CHANGED
@@ -32,6 +32,8 @@ And add the following to an initializer to load the secrets:
32
32
  Cipherpipe::Commands::Load.call
33
33
  ```
34
34
 
35
+ If you're using Vault's EC2 authentication and have specified an `ec2_role` value for the primary source (as noted in the configuration example below), then loading the secrets will automatically authenticate against Vault using the EC2 instance's PKCS7-signed identity.
36
+
35
37
  ## Configuration
36
38
 
37
39
  Everything for Cipherpipe is managed in a YAML configuration file `.cipherpipe.yml` which you should place in the root of your project. You'll need to specify at least one source (and mark it as the primary). Having an output file/format is optional, but likely useful.
@@ -49,6 +51,18 @@ sources:
49
51
  primary: true
50
52
  ```
51
53
 
54
+ If you're running this on EC2 servers that are set up to authenticate with Vault via a specific role, you can provide that with the `ec2_role` setting and it'll automatically be used:
55
+
56
+ ```yml
57
+ file: .env.ENVIRONMENT
58
+ format: env
59
+ sources:
60
+ - type: vault
61
+ destination: apps/myapp/ENVIRONMENT
62
+ primary: true
63
+ ec2_role: servers
64
+ ```
65
+
52
66
  Another example, for use with a Terraform project:
53
67
 
54
68
  ```yml
@@ -85,6 +99,10 @@ Uploading will take the data from the configured file and send it to all of the
85
99
 
86
100
  Make sure that the configured secrets file is _not_ stored in version control. The `.cipherpipe.yml` file, however, should definitely be stored.
87
101
 
102
+ If you're using Vault's EC2 authentication and have specified an `ec2_role` value for the primary source, you can automatically save a token for your system user (in `~/.vault-token`) with the `ec2` command:
103
+
104
+ $ cipherpipe ec2
105
+
88
106
  ## Dependencies
89
107
 
90
108
  If you're using Vault (which is likely, given it's currently the only supported secret storage service), you'll need to make sure it's using the V2 kv secrets engine.
data/cipherpipe.gemspec CHANGED
@@ -1,6 +1,6 @@
1
1
  Gem::Specification.new do |spec|
2
2
  spec.name = "cipherpipe"
3
- spec.version = "0.1.0"
3
+ spec.version = "0.2.0"
4
4
  spec.authors = ["Pat Allan"]
5
5
  spec.email = ["pat@freelancing-gods.com"]
6
6
 
data/lib/cipherpipe/cli.rb CHANGED
@@ -5,6 +5,8 @@ class Cipherpipe::CLI
5
5
  Cipherpipe::Commands::Upload.call configuration
6
6
  when "download"
7
7
  Cipherpipe::Commands::Download.call configuration
8
+ when "ec2"
9
+ Cipherpipe::Commands::EC2.call configuration
8
10
  else
9
11
  Cipherpipe::Commands::Help.call configuration
10
12
  end
data/lib/cipherpipe/commands/ec2.rb ADDED
@@ -0,0 +1,36 @@
1
+ class Cipherpipe::Commands::EC2
2
+ TOKEN_FILE = File.expand_path("~/.vault-token")
3
+
4
+ def self.call(configuration = nil)
5
+ new(configuration).call
6
+ end
7
+
8
+ def initialize(configuration)
9
+ @configuration = configuration
10
+ end
11
+
12
+ def call
13
+ require_relative "../vault"
14
+ require_relative "../vault/ec2_token"
15
+
16
+ if external_source.ec2_role.nil?
17
+ puts "No EC2 role is defined, so EC2 authentication is not possible."
18
+ else
19
+ File.write TOKEN_FILE, Cipherpipe::Vault::EC2Token.call(external_source)
20
+ end
21
+ rescue Cipherpipe::Vault::EC2Token::ConnectionError => error
22
+ warn error.message
23
+ end
24
+
25
+ private
26
+
27
+ def configuration
28
+ @configuration ||= Cipherpipe::Configuration.new
29
+ end
30
+
31
+ def external_source
32
+ @external_source ||= configuration.external_sources.detect { |source|
33
+ source.primary?
34
+ }
35
+ end
36
+ end
data/lib/cipherpipe/commands/help.rb CHANGED
@@ -12,6 +12,9 @@ class Cipherpipe::Commands::Help
12
12
 
13
13
  cipherpipe download # loads the secrets from the primary source
14
14
  cipherpipe upload # uploads secrets to all sources
15
+ cipherpipe ec2 # authenticate your user using Vault's EC2 approach.
16
+ # This command will overwrite your ~/.vault-token
17
+ # file.
15
18
 
16
19
  TXT
17
20
  end
data/lib/cipherpipe/configuration.rb CHANGED
@@ -52,7 +52,8 @@ class Cipherpipe::Configuration
52
52
  Cipherpipe::ExternalSource.new(
53
53
  hash["type"],
54
54
  hash["destination"].gsub("ENVIRONMENT", environment),
55
- hash["primary"]
55
+ hash["primary"],
56
+ hash["ec2_role"]
56
57
  )
57
58
  end
58
59
 
data/lib/cipherpipe/external_source.rb CHANGED
@@ -1,12 +1,13 @@
1
1
  class Cipherpipe::ExternalSource
2
2
  UnknownProviderError = Class.new Cipherpipe::Error
3
3
 
4
- attr_reader :type, :destination, :primary
4
+ attr_reader :type, :destination, :primary, :ec2_role
5
5
 
6
- def initialize(type, destination, primary = false)
6
+ def initialize(type, destination, primary = false, ec2_role = nil)
7
7
  @type = type
8
8
  @destination = destination
9
9
  @primary = primary
10
+ @ec2_role = ec2_role
10
11
  end
11
12
 
12
13
  def download
data/lib/cipherpipe/vault/ec2_token.rb ADDED
@@ -0,0 +1,36 @@
1
+ require "uri"
2
+ require "net/http"
3
+ require "vault"
4
+
5
+ class Cipherpipe::Vault::EC2Token
6
+ ConnectionError = Class.new Cipherpipe::Error
7
+ URL = URI.parse(
8
+ "http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"
9
+ )
10
+
11
+ def self.call(external_source)
12
+ new(external_source).call
13
+ end
14
+
15
+ def initialize(external_source)
16
+ @external_source = external_source
17
+ end
18
+
19
+ def call
20
+ ::Vault.auth.aws_ec2(
21
+ external_source.ec2_role, signature
22
+ ).auth.client_token
23
+ end
24
+
25
+ private
26
+
27
+ attr_reader :external_source
28
+
29
+ def signature
30
+ http = Net::HTTP.new URL.host, URL.port
31
+ http.open_timeout = 1 # second
32
+ http.request_get(URL.path).body.gsub("\n", "")
33
+ rescue Net::OpenTimeout => error
34
+ raise ConnectionError, "Unable to read the local EC2 information endpoint"
35
+ end
36
+ end
data/lib/cipherpipe/vault.rb CHANGED
@@ -6,6 +6,7 @@ class Cipherpipe::Vault
6
6
  def self.download(external_source)
7
7
  require_relative "vault/download"
8
8
 
9
+ set_token external_source
9
10
  Cipherpipe::Vault::Download.call external_source
10
11
  end
11
12
 
@@ -14,4 +15,13 @@ class Cipherpipe::Vault
14
15
 
15
16
  Cipherpipe::Vault::Upload.call external_source, settings
16
17
  end
18
+
19
+ def self.set_token(external_source)
20
+ return unless external_source.ec2_role
21
+
22
+ require_relative "vault/ec2_token"
23
+ ::Vault.client.token = Cipherpipe::Vault::EC2Token.call external_source
24
+ rescue Cipherpipe::Vault::EC2Token::ConnectionError => error
25
+ warn error.message
26
+ end
17
27
  end
data/lib/cipherpipe.rb CHANGED
@@ -5,6 +5,7 @@ module Cipherpipe
5
5
  end
6
6
 
7
7
  require_relative "cipherpipe/commands/download"
8
+ require_relative "cipherpipe/commands/ec2"
8
9
  require_relative "cipherpipe/commands/help"
9
10
  require_relative "cipherpipe/commands/load"
10
11
  require_relative "cipherpipe/commands/upload"
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cipherpipe
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Pat Allan
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2018-06-06 00:00:00.000000000 Z
11
+ date: 2018-06-12 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -89,6 +89,7 @@ files:
89
89
  - lib/cipherpipe.rb
90
90
  - lib/cipherpipe/cli.rb
91
91
  - lib/cipherpipe/commands/download.rb
92
+ - lib/cipherpipe/commands/ec2.rb
92
93
  - lib/cipherpipe/commands/help.rb
93
94
  - lib/cipherpipe/commands/load.rb
94
95
  - lib/cipherpipe/commands/upload.rb
@@ -101,6 +102,7 @@ files:
101
102
  - lib/cipherpipe/vault.rb
102
103
  - lib/cipherpipe/vault/api.rb
103
104
  - lib/cipherpipe/vault/download.rb
105
+ - lib/cipherpipe/vault/ec2_token.rb
104
106
  - lib/cipherpipe/vault/upload.rb
105
107
  homepage: https://github.com/limbrapp/cipherpipe
106
108
  licenses: