dotenv-vault-rails 0.3.2 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0c2498829468fc91f5d62a80bffdbe4cacb60b452da0fa52bea294942cebe4ca
-  data.tar.gz: b65a4b20a5c1b33239da2694b633d6c765434056f8601a8215c487e9279549f6
+  metadata.gz: 52add50daa3bd323beb1d314caebf3a7b289a61a7948053f40756407d5c47385
+  data.tar.gz: f11b2b4e205d23804130afe2d57b9c0f110ee84a003df2557c6e3560fb6d19f3
 SHA512:
-  metadata.gz: 6201aec01c18d719e2d21455f0bd54f813958dd2658500e036fd51b97fe5eb775e57d71ff94c44713d5af9c3d2b403c8bae6ac75935b790aa54d7eb2082a069e
-  data.tar.gz: a80a6fd4955cf1b3dc5827702c0b852dab047d502e3a3d7c8817547c19ca95a26050452b41f6199e10a7d88e79039f2ac580cb4e1a816c41f2732e20b000806d
+  metadata.gz: 5fe76da20b724172f3b714f614be72092372634b3e496d2838efa02742ec9843cdf05adc7063193c87688834ed62eae25e5c835a72b7663620b3b5a339b2f691
+  data.tar.gz: 25a8c6491705632524b232769223eada1d793a7ae4c432fbde1c3db4bd6fa6c8bed6f4943cd48ecd7aa22d84d15abcfd5f18050082797016322d5cec3a9c6c19

data/Gemfile.lock

@@ -1,11 +1,12 @@
 PATH
   remote: .
   specs:
-    dotenv-vault (0.3.2)
+    dotenv-vault (0.4.0)
       dotenv
-    dotenv-vault-rails (0.3.2)
+      lockbox
+    dotenv-vault-rails (0.4.0)
       dotenv-rails
-      dotenv-vault (= 0.3.2)
+      dotenv-vault (= 0.4.0)
 
 GEM
   remote: https://rubygems.org/
@@ -40,6 +41,7 @@ GEM
     erubi (1.11.0)
     i18n (1.12.0)
       concurrent-ruby (~> 1.0)
+    lockbox (1.0.0)
     loofah (2.19.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)

data/dotenv-vault.gemspec

@@ -26,6 +26,7 @@ Gem::Specification.new "dotenv-vault" do |spec|
   spec.require_paths = ["lib"]
 
 	spec.add_dependency "dotenv"
+	spec.add_dependency "lockbox"
 
   spec.add_development_dependency "rake"
   spec.add_development_dependency "rspec"

data/lib/dotenv-vault/rails.rb

@@ -1,4 +1,4 @@
-require "dotenv-rails"
+require "dotenv-vault"
 
 # Fix for rake tasks loading in development
 #
@@ -16,7 +16,7 @@ if defined?(Rake.application)
   end
 end
 
-DotenvVault.instrumenter = ActiveSupport::Notifications
+Dotenv.instrumenter = ActiveSupport::Notifications
 
 # Watch all loaded env files with Spring
 begin
@@ -30,34 +30,13 @@ rescue LoadError, ArgumentError
 end
 
 module DotenvVault
-  class Railtie < Rails::Railtie
+  class Railtie < ::Dotenv::Railtie
     def load
-      Dotenv.load(*dotenv_files)
+      DotenvVault.load(*dotenv_files)
     end
 
     def overload
-      Dotenv.overload(*dotenv_files)
+      DotenvVault.overload(*dotenv_files)
     end
-
-    def root
-      Rails.root || Pathname.new(ENV["RAILS_ROOT"] || Dir.pwd)
-    end
-
-    def self.load
-      instance.load
-    end
-
-    private
-
-    def dotenv_files
-      [
-        root.join(".env.#{Rails.env}.local"),
-        (root.join(".env.local") unless Rails.env.test?),
-        root.join(".env.#{Rails.env}"),
-        root.join(".env")
-      ].compact
-    end
-
-    config.before_configuration { load }
   end
 end

data/lib/dotenv-vault/version.rb

@@ -1,3 +1,3 @@
 module DotenvVault
-  VERSION = "0.3.2"
+  VERSION = "0.4.0"
 end

data/lib/dotenv-vault.rb

@@ -1,8 +1,15 @@
 require "dotenv"
+require "lockbox"
 require "dotenv-vault/version"
 
 module DotenvVault
-  class Error < StandardError; end
+  class NotFoundDotenvKey < ArgumentError; end
+  class NotFoundDotenvEnvironment < ArgumentError; end
+  class NotFoundDotenvVault < ArgumentError; end
+  class InvalidDotenvKey < ArgumentError; end
+  class DecryptionFailed < StandardError; end
+
+  include ::Dotenv
 
   class << self
     attr_accessor :instrumenter
@@ -11,27 +18,47 @@ module DotenvVault
   module_function
 
   def load(*filenames)
-    Dotenv.load(*filenames)
+    if using_vault?
+      load_vault(*filenames)
+    else
+      Dotenv.load(*filenames) # fallback
+    end
   end
 
   # same as `load`, but raises Errno::ENOENT if any files don't exist
   def load!(*filenames)
-    Dotenv.load!(*filenames)
+    if using_vault?
+      load_vault(*filenames)
+    else
+      Dotenv.load!(*filenames)
+    end
   end
 
   # same as `load`, but will override existing values in `ENV`
   def overload(*filenames)
-    Dotenv.overload(*filenames)
+    if using_vault?
+      overload_vault(*filenames)
+    else
+      Dotenv.overload(*filenames)
+    end
   end
 
   # same as `overload`, but raises Errno:ENOENT if any files don't exist
   def overload!(*filenames)
-    Dotenv.overload!(*filenames)
+    if using_vault?
+      overload_vault(*filenames)
+    else
+      Dotenv.overload!(*filenames)
+    end
   end
 
   # returns a hash of parsed key/value pairs but does not modify ENV
   def parse(*filenames)
-    Dotenv.parse(*filenames)
+    if using_vault?
+      parse_vault(*filenames)
+    else
+      Dotenv.parse(*filenames)
+    end
   end
 
   # Internal: Helper to expand list of filenames.
@@ -52,4 +79,75 @@ module DotenvVault
   def ignoring_nonexistent_files
     Dotenv.ignoring_nonexistent_files
   end
+
+  # Vault: Load from .env.vault
+  #
+  # Decrypts and loads to ENV
+  def load_vault(*filenames)
+    parsed = parse_vault(*filenames)
+    
+    # Set ENV
+    parsed.each { |k, v| ENV[k] ||= v }
+
+    { parsed: parsed }
+  end
+
+  # Vault: Overload from .env.vault
+  #
+  # Decrypts and overloads to ENV
+  def overload_vault(*filenames)
+    parsed = parse_vault(*filenames)
+    
+    # Set ENV
+    parsed.each { |k, v| ENV[k] = v }
+
+    { parsed: parsed }
+  end
+
+  def parse_vault(*filenames)
+    # Warn the developer unless both are set
+    raise NotFoundDotenvKey, "NOT_FOUND_DOTENV_KEY: Cannot find ENV['DOTENV_KEY']" unless present?(ENV["DOTENV_KEY"])
+    raise NotFoundDotenvEnvironment, "NOT_FOUND_DOTENV_ENVIRONMENT: Cannot find ENV['DOTENV_ENVIRONMENT']" unless present?(ENV["DOTENV_ENVIRONMENT"])
+
+    # Locate .env.vault
+    vault_path = ".env.vault"
+    raise NotFoundDotenvVault, "NotFoundDotenvVault: Cannot find .env.vault at ${vaultPath}" unless File.file?(vault_path)
+
+    # Parse .env.vault
+    parsed = Dotenv.parse(vault_path)
+
+    # Get ciphertext
+    environment_key = "DOTENV_VAULT_#{ENV["DOTENV_ENVIRONMENT"].upcase}"
+    ciphertext = parsed[environment_key] # DOTENV_VAULT_PRODUCTION
+    raise NotFoundDotenvEnvironment, "NOT_FOUND_DOTENV_ENVIRONMENT: Cannot locate #{environment_key} in .env.vault" unless ciphertext
+
+    # Decrypt ciphertext
+    decrypted = decrypt(ciphertext)
+
+    # Parse decrypted .env string
+    Dotenv::Parser.call(decrypted, true)
+  end
+
+  def using_vault?
+    present?(ENV["DOTENV_ENVIRONMENT"]) && present?(ENV["DOTENV_KEY"])
+  end
+
+  def present?(str)
+    !(str.nil? || str.empty?)
+  end
+
+  def decrypt(ciphertext)
+    raise NotFoundDotenvKey, "NOT_FOUND_DOTENV_KEY: Cannot find ENV['DOTENV_KEY']" unless present?(ENV["DOTENV_KEY"])
+
+    key = ENV["DOTENV_KEY"][-64..-1] # last 64 characters. allows for passing keys with preface like key_*****
+
+    raise InvalidDotenvKey, "INVALID_DOTENV_KEY: It must be 64 characters long (or more)" unless key.to_s.length == 64
+
+    lockbox = Lockbox.new(key: key, encode: true)
+    begin
+      lockbox.decrypt(ciphertext)
+    rescue Lockbox::Error
+      raise DecryptionFailed, "DECRYPTION_FAILED: Please check your DOTENV_KEY"
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dotenv-vault-rails
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.4.0
 platform: ruby
 authors:
 - motdotla
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-09-15 00:00:00.000000000 Z
+date: 2022-09-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dotenv-rails
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.3.2
+        version: 0.4.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.3.2
+        version: 0.4.0
 - !ruby/object:Gem::Dependency
   name: spring
   requirement: !ruby/object:Gem::Requirement