diffcrypt 0.4.1 → 0.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e6d985bd619146b0cede42746b62e00f7e52a01a92a8e7a79718ab0f9b80391a
-  data.tar.gz: d0fb2659741c498608421b741b4fa1acfbdec8f74bc7ac65425a9c97017a9342
+  metadata.gz: fb31613525e78d8a5f45fe9276daa26127c3f6555b69864cf6c438713c8a5385
+  data.tar.gz: f0cccb6f0706f613284e4f42e04c482dc3368c9e3b121b4d3a895c961e74383b
 SHA512:
-  metadata.gz: 2ba3e972200d1a4d785a9f4bdc67defc04e26d94d35421f9cc2b8a9e956b56f693e452acf0fbbb98ea7f96eb3fc6454e92dbb7d3fa825a6dc16f2882f86b12c6
-  data.tar.gz: d1e7c88b0a323ecb366e2a9642b45c8b60701c1492d97615773d7c12e5fe5753086b440d9bd1ccc19662ca3cb9f67de6c64e90000229ee64df73d619cc0f70f4
+  metadata.gz: 3d0d83aedaafe07809888c2bf7edb1100ee7b51c3d99dbf9deaa6108932a6585246e7b1d0f917f403f5a765e4421a73804465afacb6bd1c942c4a2befee1ecec
+  data.tar.gz: d40a2bfb110cae3f2961c5ca57f5de5e5250d54354b9470b1ffa140bf88717970cb9d067f65a4f03576e26b7b2372c88b5294eb22158bbfcc51bb8aa749cb07a

data/.github/workflows/test.yml

@@ -0,0 +1,40 @@
+name: test
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  rspec:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby:
+          - "2.7.5"
+          - "3.0.3"
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - name: Run rspec
+      run: bundle exec rake test
+  rubocop:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby:
+          - "2.7.5"
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - name: Run rubocop
+      run: bundle exec rubocop

data/.rubocop.yml

@@ -1,5 +1,6 @@
 AllCops:
   NewCops: enable
+  TargetRubyVersion: 2.6
 
 Style/ClassAndModuleChildren:
   Exclude:
@@ -8,14 +9,26 @@ Style/Documentation:
   Enabled: false
 Metrics/MethodLength:
   Exclude:
+    - test/*_test.rb
     - test/**/*_test.rb
-TrailingCommaInArrayLiteral:
+Naming/VariableNumber:
+  Exclude:
+    - test/*_test.rb
+    - test/**/*_test.rb
+Style/TrailingCommaInArrayLiteral:
   EnforcedStyleForMultiline: consistent_comma
 Style/TrailingCommaInArguments:
   EnforcedStyleForMultiline: consistent_comma
+Style/TrailingCommaInHashLiteral:
+  EnforcedStyleForMultiline: consistent_comma
 Style/AccessorGrouping:
   EnforcedStyle: separated
+Style/OpenStructUse:
+  Exclude:
+    - test/*_test.rb
+    - test/**/*_test.rb
 
 Layout/LineLength:
   Exclude:
+    - test/*_test.rb
     - test/**/*_test.rb

data/CHANGELOG.md

@@ -7,6 +7,57 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 
 
+## Unreleased
+
+### Fixed
+
+- Broken namespace when saving credentials in rails
+
+
+
+## [0.6.0] - 2022-02-06
+
+### Added
+
+- Rails 7 support
+- Ruby 3.0 support
+
+### Changed
+
+- Updated all dependencies
+- Migrated from CircleCI to GitHub Actions
+- Moved repo to own organisation
+
+### Fixed
+
+- Only add `.gitignore` entry once #52
+
+
+
+## [0.5.1] - 2021-03-29
+
+### Added
+
+- Support for Rails 6.1
+
+
+
+## [0.5.0] - 2020-12-06
+
+### Added
+
+- `Diffcrypt::Rails::ApplicationHelper` to simplify integration
+- `rake diffcrypt:init` command to help setup credentials
+
+### Changed
+
+- Default cipher is now `aes-265-gcm`
+- YAML keys are now sorted
+- Improved support for rails native `aes-128-gcm` cipher
+- Improved test coverage for differing ciphers
+
+
+
 ## [0.4.1] - 2020-10-06
 
 ### Fixed

data/Gemfile

@@ -6,7 +6,8 @@ source 'https://rubygems.org'
 gemspec
 
 gem 'minitest', '~> 5.0'
+gem 'minitest-reporters', '~> 1.5.0'
 gem 'rake', '~> 13.0'
-gem 'rubocop', '~> 0.92.0'
-gem 'simplecov', '~> 0.19.0', require: false # CodeClimate not compatible with 0.18+ yet - https://github.com/codeclimate/test-reporter/issues/413
-gem 'simplecov-lcov', '< 0.8'
+gem 'rubocop', '~> 1.25.1'
+gem 'simplecov', '~> 0.21.2', require: false # CodeClimate not compatible with 0.18+ yet - https://github.com/codeclimate/test-reporter/issues/413
+gem 'simplecov-lcov', '< 0.9'

data/README.md

@@ -1,7 +1,7 @@
 # Diffcrypt
 
 [![Gem Version](https://badge.fury.io/rb/diffcrypt.svg)](https://rubygems.org/gems/diffcrypt)
-[![CircleCI](https://circleci.com/gh/marcqualie/diffcrypt.svg?style=svg)](https://circleci.com/gh/marcqualie/diffcrypt)
+[![CircleCI](https://circleci.com/gh/diffcrypt/diffcrypt-ruby.svg?style=svg)](https://circleci.com/gh/diffcrypt/diffcrypt-ruby)
 
 
 Diffable encrypted files that you can safely commit into your repo.
@@ -66,17 +66,10 @@ Currently there is not native support for rails, but ActiveSupport can be monkey
 the built in encrypter. All existing `rails credentials:edit` also work with this method.
 
 ```ruby
-require 'diffcrypt/rails/encrypted_configuration'
+# config/application.rb
 module Rails
   class Application
-    def encrypted(path, key_path: 'config/aes-128-gcm.key', env_key: 'RAILS_MASTER_KEY')
-      Diffcrypt::Rails::EncryptedConfiguration.new(
-        config_path: Rails.root.join(path),
-        key_path: Rails.root.join(key_path),
-        env_key: env_key,
-        raise_if_missing_key: config.require_master_key,
-      )
-    end
+    include Diffcrypt::Rails::ApplicationHelper
   end
 end
 ```
@@ -104,7 +97,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/marcqualie/diffcrypt.
+Bug reports and pull requests are welcome on GitHub at https://github.com/diffcrypt/diffcrypt-ruby.
 
 
 

data/Rakefile

@@ -8,5 +8,7 @@ Rake::TestTask.new(:test) do |t|
   t.libs << 'lib'
   t.test_files = FileList['test/**/*_test.rb']
 end
-
 task default: :test
+
+path = File.expand_path(__dir__)
+Dir.glob("#{path}/lib/diffcrypt/tasks/**/*.rake").sort.each { |f| load f }

data/SECURITY.md

@@ -8,7 +8,8 @@ Since the internal APIs may change dramatically until v1.0, here is a list of th
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 0.3.x   | :white_check_mark: |
+| 0.5.1   | :white_check_mark: |
+| 0.6.x   | :white_check_mark: |
 
 
 

data/diffcrypt.gemspec

@@ -10,14 +10,14 @@ Gem::Specification.new do |spec|
 
   spec.summary       = 'Diffable encrypted configuration files'
   spec.description   = 'Diffable encrypted configuration files that can be safely committed into a git repository'
-  spec.homepage      = 'https://github.com/marcqualie/diffcrypt'
+  spec.homepage      = 'https://github.com/diffcrypt/diffcrypt-ruby'
   spec.license       = 'MIT'
-  spec.required_ruby_version = Gem::Requirement.new('>= 2.5.0')
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.6.0')
 
   # spec.metadata["allowed_push_host"] = "TODO: Set to 'http://mygemserver.com'"
 
   spec.metadata['homepage_uri'] = spec.homepage
-  spec.metadata['source_code_uri'] = 'https://github.com/marcqualie/diffcrypt'
+  spec.metadata['source_code_uri'] = 'https://github.com/diffcrypt/diffcrypt-ruby'
   # spec.metadata['changelog_uri'] = "TODO: Put your gem's CHANGELOG.md URL here."
 
   # Specify which files should be added to the gem when it is released.
@@ -29,6 +29,7 @@ Gem::Specification.new do |spec|
   spec.executables = %w[diffcrypt]
   spec.require_paths = ['lib']
 
-  spec.add_runtime_dependency 'activesupport', '~> 6.0.0'
+  spec.add_runtime_dependency 'activesupport', '>= 6.0', '< 7.1'
   spec.add_runtime_dependency 'thor', '>= 0.20', '< 2'
+  spec.metadata['rubygems_mfa_required'] = 'true'
 end

data/lib/diffcrypt/encryptor.rb

@@ -12,7 +12,7 @@ require_relative './version'
 
 module Diffcrypt
   class Encryptor
-    DEFAULT_CIPHER = 'aes-128-gcm'
+    DEFAULT_CIPHER = 'aes-256-gcm'
 
     def self.generate_key(cipher = DEFAULT_CIPHER)
       SecureRandom.hex(ActiveSupport::MessageEncryptor.key_len(cipher))
@@ -47,11 +47,11 @@ module Diffcrypt
     # @param [String] contents The raw YAML string to be encrypted
     # @param [String, nil] original_encrypted_contents The original (encrypted) content to determine which keys have changed
     # @return [String]
-    def encrypt(contents, original_encrypted_contents = nil)
+    def encrypt(contents, original_encrypted_contents = nil, cipher: nil)
       data = encrypt_data contents, original_encrypted_contents
       YAML.dump(
         'client' => "diffcrypt-#{Diffcrypt::VERSION}",
-        'cipher' => @cipher,
+        'cipher' => cipher || @cipher,
         'data' => data,
       )
     end
@@ -86,7 +86,7 @@ module Diffcrypt
                       key_changed ? encrypt_string(value) : original_encrypted_value
                     end
       end
-      data
+      data.sort.to_h
     end
     # rubocop:enable Metrics/PerceivedComplexity, Metrics/MethodLength, Metrics/CyclomaticComplexity
 

data/lib/diffcrypt/file.rb

@@ -14,7 +14,10 @@ module Diffcrypt
       to_yaml['cipher']
     end
 
+    # Determines the cipher to use for encryption/decryption
     def cipher
+      return 'aes-128-gcm' if format == 'activesupport'
+
       to_yaml['cipher'] || Encryptor::DEFAULT_CIPHER
     end
 
@@ -23,11 +26,33 @@ module Diffcrypt
       ::File.exist?(@path)
     end
 
+    # Determines the format to be used for encryption
+    # @return [String] diffcrypt|activesupport
+    def format
+      return 'diffcrypt' if read == ''
+      return 'diffcrypt' if read.index('---')&.zero?
+
+      'activesupport'
+    end
+
     # @return [String] Raw contents of the file
     def read
+      return '' unless ::File.exist?(@path)
+
       @read ||= ::File.read(@path)
+      @read
+    end
+
+    # Save the encrypted contents back to disk
+    # @return [Boolean] True is file save was successful
+    def write(key, data, cipher: nil)
+      cipher ||= self.cipher
+      yaml = ::YAML.dump(data)
+      contents = Encryptor.new(key, cipher: cipher).encrypt(yaml)
+      ::File.write(@path, contents)
     end
 
+    # TODO: This seems useless, figure out what's up
     def encrypt(key, cipher: DEFAULT_CIPHER)
       return read if encrypted?
 
@@ -42,7 +67,7 @@ module Diffcrypt
     end
 
     def to_yaml
-      @to_yaml ||= YAML.safe_load(read)
+      @to_yaml ||= YAML.safe_load(read) || {}
     end
   end
 end

data/lib/diffcrypt/rails/application_helper.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require_relative './encrypted_configuration'
+
+module Diffcrypt
+  module Rails
+    module ApplicationHelper
+      def encrypted(path, key_path: 'config/master.key', env_key: 'RAILS_MASTER_KEY')
+        config_path, key_path = resolve_encrypted_paths(path, key_path)
+
+        Diffcrypt::Rails::EncryptedConfiguration.new(
+          config_path: config_path,
+          key_path: key_path,
+          env_key: env_key,
+          raise_if_missing_key: config.require_master_key,
+        )
+      end
+
+      protected
+
+      def resolve_encrypted_paths(config_path, key_path)
+        config_path_abs = ::Rails.root.join(config_path)
+        key_path_abs = ::Rails.root.join(key_path)
+
+        # We always want to use `config/credentials/[environment]` for consistency
+        # If the master credentials do not exist, and a user has not specificed an environment, default to development
+        if config_path == 'config/credentials.yml.enc' && ::File.exist?(config_path_abs.to_s) == false
+          config_path_abs = ::Rails.root.join('config/credentials/development.yml.enc')
+          key_path_abs = ::Rails.root.join('config/credentials/development.key')
+        end
+
+        [
+          config_path_abs,
+          key_path_abs,
+        ]
+      end
+    end
+  end
+end

data/lib/diffcrypt/rails/encrypted_configuration.rb

@@ -4,6 +4,8 @@ require 'fileutils'
 require 'pathname'
 require 'tmpdir'
 
+require 'active_support/isolated_execution_state' if Gem.loaded_specs['activesupport'].version.to_s.index('7.')&.zero?
+
 require 'active_support/ordered_options'
 require 'active_support/core_ext/hash'
 require 'active_support/core_ext/module/delegation'
@@ -52,7 +54,7 @@ module Diffcrypt
       def write(contents, original_encrypted_contents = nil)
         deserialize(contents)
 
-        IO.binwrite "#{content_path}.tmp", encrypt(contents, original_encrypted_contents)
+        ::File.binwrite "#{content_path}.tmp", encrypt(contents, original_encrypted_contents)
         ::FileUtils.mv "#{content_path}.tmp", content_path
       end
 
@@ -88,6 +90,13 @@ module Diffcrypt
       end
       # rubocop:enable Metrics/AbcSize
 
+      # Standard rails credentials encrypt the entire file. We need to detect this to use the correct
+      # data interface
+      # @return [Boolean]
+      def rails_native_credentials?(contents)
+        contents.index('---').nil?
+      end
+
       # @param [String] contents The new content to be encrypted
       # @param [String] diff_against The original (encrypted) content to determine which keys have changed
       # @return [String] Encrypted content to commit
@@ -98,7 +107,7 @@ module Diffcrypt
       # @param [String] contents
       # @return [String]
       def decrypt(contents)
-        if contents.index('---').nil?
+        if rails_native_credentials?(contents)
           active_support_encryptor.decrypt_and_verify contents
         else
           encryptor.decrypt contents
@@ -110,7 +119,7 @@ module Diffcrypt
       def active_support_encryptor
         @active_support_encryptor ||= ActiveSupport::MessageEncryptor.new(
           [key].pack('H*'),
-          cipher: @diffcrypt_file.cipher,
+          cipher: 'aes-128-gcm',
         )
       end
 

data/lib/diffcrypt/railtie.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'diffcrypt/rails/application_helper'
+
+module Diffcrypt
+  class Railtie < ::Rails::Railtie
+    railtie_name :diffcrypt
+
+    rake_tasks do
+      path = ::File.expand_path(__dir__)
+      ::Dir.glob("#{path}/tasks/**/*.rake").each { |f| load f }
+    end
+  end
+end

data/lib/diffcrypt/tasks/rails.rake

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+# rubocop:disable Metrics/BlockLength
+namespace :diffcrypt do
+  desc 'Initialize credentials for all environments'
+  task :init, %i[environments] do |_t, args|
+    args.with_defaults(
+      environments: 'development,test,staging,production',
+    )
+    environments = args.environments.split(',')
+
+    environments.each do |environment|
+      key_path = Rails.root.join('config', 'credentials', "#{environment}.key")
+      file_path = Rails.root.join('config', 'credentials', "#{environment}.yml.enc")
+      next if File.exist?(file_path) || File.exist?(key_path)
+
+      # Generate a new key
+      key = Diffcrypt::Encryptor.generate_key
+      key_dir = File.dirname(key_path)
+      Dir.mkdir(key_dir) unless Dir.exist?(key_dir)
+      ::File.write(key_path, key)
+
+      # Encrypt default contents
+      file = Diffcrypt::File.new(file_path)
+      data = {
+        'secret_key_base' => SecureRandom.hex(32),
+      }
+      file.write(key, data)
+    end
+
+    # Ensure .key files are always ignored
+    gitignore_path = Rails.root.join('.gitignore')
+    unless File.read(gitignore_path).include?('config/credentials/*.key')
+      ::File.open(gitignore_path, 'a') do |f|
+        f.write("\nconfig/credentials/*.key")
+      end
+    end
+  end
+end
+# rubocop:enable Metrics/BlockLength

data/lib/diffcrypt/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Diffcrypt
-  VERSION = '0.4.1'
+  VERSION = '0.6.1'
 end

data/lib/diffcrypt.rb

@@ -2,6 +2,7 @@
 
 require 'diffcrypt/encryptor'
 require 'diffcrypt/version'
+require 'diffcrypt/railtie' if defined?(Rails)
 
 module Diffcrypt
   class Error < StandardError; end
@@ -16,7 +17,7 @@ module Diffcrypt
     def initialize(key_path:, env_key:)
       super \
         'Missing encryption key to decrypt file with. ' \
-          "Ask your team for your master key and write it to #{key_path} or put it in the ENV['#{env_key}']."
+        "Ask your team for your master key and write it to #{key_path} or put it in the ENV['#{env_key}']."
     end
   end
 end

metadata

@@ -1,29 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: diffcrypt
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 0.6.1
 platform: ruby
 authors:
 - Marc Qualie
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-10-06 00:00:00.000000000 Z
+date: 2022-02-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 6.0.0
+        version: '7.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 6.0.0
+        version: '7.1'
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -53,8 +59,8 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- ".circleci/config.yml"
 - ".github/dependabot.yml"
+- ".github/workflows/test.yml"
 - ".gitignore"
 - ".rubocop.yml"
 - CHANGELOG.md
@@ -71,15 +77,19 @@ files:
 - lib/diffcrypt/cli.rb
 - lib/diffcrypt/encryptor.rb
 - lib/diffcrypt/file.rb
+- lib/diffcrypt/rails/application_helper.rb
 - lib/diffcrypt/rails/encrypted_configuration.rb
+- lib/diffcrypt/railtie.rb
+- lib/diffcrypt/tasks/rails.rake
 - lib/diffcrypt/version.rb
 - tmp/.keep
-homepage: https://github.com/marcqualie/diffcrypt
+homepage: https://github.com/diffcrypt/diffcrypt-ruby
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://github.com/marcqualie/diffcrypt
-  source_code_uri: https://github.com/marcqualie/diffcrypt
+  homepage_uri: https://github.com/diffcrypt/diffcrypt-ruby
+  source_code_uri: https://github.com/diffcrypt/diffcrypt-ruby
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -88,14 +98,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.5.0
+      version: 2.6.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Diffable encrypted configuration files

data/.circleci/config.yml

@@ -1,26 +0,0 @@
-version: 2.1
-
-jobs:
-  build:
-    docker:
-      - image: circleci/ruby:2.6.6
-    working_directory: /mnt/ramdisk
-    steps:
-      - checkout
-      - run: bundle install
-      - run:
-          name: Setup Code Climate test-reporter
-          command: |
-            # download test reporter as a static binary
-            curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
-            chmod +x ./cc-test-reporter
-      - run:
-          name: rake test
-          command: |
-            ./cc-test-reporter before-build
-            bundle exec rake test
-            ./cc-test-reporter after-build --coverage-input-type lcov --exit-code $?
-      - run:
-          name: rubocop
-          command: bundle exec rubocop
-          when: always