dotenv-vault-rails 0.8.0 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 81836f8e99d481c8ae8dc9ab69c6be7c9bc2275d86ab29025db14ad9a31c4a67
-  data.tar.gz: e9e4296b3dd37d4b27f9d2ebc0d3bb9965c1aeb2e33377aaad02ad76527b6a4c
+  metadata.gz: 4f612aee9f093299bc8f9ffc6d62927f5a90146982add8cf9c5efd9f58c16f13
+  data.tar.gz: 06ccf7aa83cd740991576ff3c2a0bdacf1668b3a706feb2014b8d7a59c91208e
 SHA512:
-  metadata.gz: bf1c763c3304ae0a6e8275298187c6a836578e6e6fe6941d4f1fb7276d158c215e4a9347b28e4ae012b02a52da710dc289f04bcf7c631b6ad9dd3281dde24caf
-  data.tar.gz: 03d12b9d8dfe69f723394076b20cae13a4fc1d7daa550f3b8322bc6ff7ca71735c5368600adf62bdbdea27eeafcad3f048541b135ebefec4a27c6901e64118cb
+  metadata.gz: 9680ab3bb4852d5ac11107c19c90b5ff05b7c5c7218c04134c3005fd4de8421ca4b0b5ef84b348c041749892be1cbc1750bde365bf78034cfef0be907b4c009c
+  data.tar.gz: cdf203edcce1452dc5d4666849de31cfb35621cc167d1a7d70e86c083be987119f8f06c65ebac4e10f54e791f0bf15015b345013fe85a65e54a2b2de96c580cd

data/CHANGELOG.md

@@ -2,7 +2,19 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-## [Unreleased](https://github.com/dotenv-org/dotenv-vault-ruby/compare/v0.8.0...master)
+## [Unreleased](https://github.com/dotenv-org/dotenv-vault-ruby/compare/v0.9.0...master)
+
+## 0.10.0
+
+### Added
+
+- Support key rotation. Added comma separated capability to `DOTENV_KEY`. Add multiple keys to your DOTENV_KEY for use with decryption. Separate with a comma. [#2](https://github.com/dotenv-org/dotenv-vault-ruby/pull/2)
+
+## 0.9.0
+
+### Changed
+
+- Do not raise stacktrace error if missing .env.vault file [#1](https://github.com/dotenv-org/dotenv-vault-ruby/pull/1)
 
 ## 0.8.0
 

data/Gemfile.lock

@@ -1,12 +1,12 @@
 PATH
   remote: .
   specs:
-    dotenv-vault (0.8.0)
+    dotenv-vault (0.10.0)
       dotenv
       lockbox
-    dotenv-vault-rails (0.8.0)
+    dotenv-vault-rails (0.10.0)
       dotenv-rails
-      dotenv-vault (= 0.8.0)
+      dotenv-vault (= 0.10.0)
 
 GEM
   remote: https://rubygems.org/
@@ -41,14 +41,14 @@ GEM
     erubi (1.11.0)
     i18n (1.12.0)
       concurrent-ruby (~> 1.0)
-    lockbox (1.0.0)
+    lockbox (1.1.0)
     loofah (2.19.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     method_source (1.0.0)
     mini_portile2 (2.8.0)
     minitest (5.16.3)
-    nokogiri (1.13.8)
+    nokogiri (1.13.9)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
     racc (1.6.0)
@@ -85,7 +85,7 @@ GEM
     thor (1.2.1)
     tzinfo (2.0.5)
       concurrent-ruby (~> 1.0)
-    zeitwerk (2.6.0)
+    zeitwerk (2.6.1)
 
 PLATFORMS
   ruby

data/README.md

@@ -2,9 +2,9 @@
 
 <img src="https://raw.githubusercontent.com/motdotla/dotenv/master/dotenv.svg" alt="dotenv-vault" align="right" width="200" />
 
-Dotenv Vault extends the proven & trusted foundation of [dotenv](https://github.com/bkeepers/dotenv), with a `.env.vault` file.
+Extends the proven & trusted foundation of [dotenv](https://github.com/bkeepers/dotenv), with a `.env.vault` file.
 
-This new standard lets you sync your .env files – quickly & securely. Stop sharing them over insecure channels like Slack and email, and never lose an important .env file again.
+The extended standard lets you sync your `.env` files – quickly & securely. Stop sharing them over insecure channels like Slack and email, and never lose an important `.env` file again.
 
 ## Installation
 
@@ -22,11 +22,29 @@ And then execute:
 $ bundle
 ```
 
+### Sinatra or Plain ol' Ruby
+
+Install the gem:
+
+```shell
+$ gem install dotenv-vault
+```
+
+As early as possible in your application bootstrap process, load `.env`:
+
+```ruby
+require 'dotenv-vault/load'
+
+# or
+require 'dotenv-vault'
+DotenvVault.load
+```
+
 ## Usage
 
 ### `.env`
 
-Basic usage begins just like [dotenv](https://github.com/bkeepers/dotenv).
+Basic usage works just like [dotenv](https://github.com/bkeepers/dotenv).
 
 Add your application configuration to your `.env` file in the root of your project:
 
@@ -35,7 +53,7 @@ S3_BUCKET=YOURS3BUCKET
 SECRET_KEY=YOURSECRETKEYGOESHERE
 ```
 
-Whenever your application loads, these variables will be available in `ENV`:
+When your application loads, these variables will be available in `ENV`:
 
 ```ruby
 config.fog_directory  = ENV['S3_BUCKET']
@@ -43,10 +61,12 @@ config.fog_directory  = ENV['S3_BUCKET']
 
 ### `.env.vault`
 
+The `.env.vault` extends `.env`. It facilitates syncing your `.env` file across machines, team members, and environments.
+
 Usage is similar to git. In the same directory as your `.env` file, run the command:
 
 ```shell
-npx dotenv-vault new
+$ npx dotenv-vault new
 ```
 
 Follow those instructions and then run:
@@ -66,6 +86,8 @@ That's it!
 
 You just synced your `.env` file. Commit your `.env.vault` file to code, and tell your teammates to run `npx dotenv-vault pull`.
 
+[Learn more](https://www.dotenv.org/docs/tutorials/sync)
+
 ## Multiple Environments
 
 Run the command:
@@ -76,7 +98,9 @@ $ npx dotenv-vault open production
 
 It will open up an interface to manage your production environment variables.
 
-## Deploy Anywhere
+[Learn more](https://www.dotenv.org/docs/tutorials/environments)
+
+## Integrate Anywhere™
 
 Build your encrypted `.env.vault`:
 
@@ -105,6 +129,25 @@ $ heroku config:set DOTENV_KEY="dotenv://:key_1234@dotenv.org/vault/.env.vault?e
 
 All set! When your app boots, it will recognize a `DOTENV_KEY` is set, decrypt the `.env.vault` file, and load the variables to `ENV`.
 
+Made a change to your production envs? Run `npx dotenv-vault build`, commit that safely to code, and deploy. It's simple and safe like that.
+
+[Learn more](https://www.dotenv.org/docs/tutorials/integrations)
+
+## Dotenv.org
+
+You need a [Dotenv Account](https://dotenv.org) to use Dotenv Vault. It is free to use with premium features.
+
+![](https://api.checklyhq.com/v1/badges/checks/c2fee99a-38e7-414e-89b8-9766ceeb1927?style=flat&theme=dark&responseTime=true)
+![](https://api.checklyhq.com/v1/badges/checks/4f557967-1ed1-486a-b762-39a63781d752?style=flat&theme=dark&responseTime=true)
+<br>
+![](https://api.checklyhq.com/v1/badges/checks/804eb6fa-6599-4688-a649-7ff3c39a64b9?style=flat&theme=dark&responseTime=true)
+![](https://api.checklyhq.com/v1/badges/checks/6a94504e-e936-4f07-bc0b-e08fee2734b3?style=flat&theme=dark&responseTime=true)
+<br>
+![](https://api.checklyhq.com/v1/badges/checks/06ac4f4e-3e0e-4501-9987-580b4d2a6b06?style=flat&theme=dark&responseTime=true)
+![](https://api.checklyhq.com/v1/badges/checks/0ffc1e55-7ef0-4c2c-8acc-b6311871f41c?style=flat&theme=dark&responseTime=true)
+
+Visit [health.dotenv.org](https://health.dotenv.org) for more information.
+
 ## FAQ
 
 #### What happens if `DOTENV_KEY` is not set?
@@ -117,7 +160,7 @@ No. We **strongly** recommend against committing your `.env` file to version con
 
 #### Should I commit my `.env.vault` file?
 
-Yes. It is safe and recommended to do so. It contains your vault identifier at the vault provider (in this case [dotenv.org](https://dotenv.org)) and contains your encrypted values.
+Yes. It is safe and recommended to do so. It contains your encrypted envs, and your vault identifier.
 
 #### Can I share the `DOTENV_KEY`?
 

data/dotenv-vault-rails.gemspec

@@ -6,8 +6,8 @@ Gem::Specification.new "dotenv-vault-rails" do |spec|
   spec.authors       = ["motdotla"]
   spec.email         = ["mot@mot.la"]
 
-  spec.summary       = %q{dotenv-vault-rails}
-  spec.description   = %q{dotenv-vault-rails}
+  spec.summary       = %q{Decrypt .env.vault file.}
+  spec.description   = %q{Decrypt .env.vault file.}
   spec.homepage      = "https://github.com/dotenv-org/dotenv-vault-ruby"
   spec.license       = "MIT"
   spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")

data/dotenv-vault.gemspec

@@ -6,8 +6,8 @@ Gem::Specification.new "dotenv-vault" do |spec|
   spec.authors       = ["motdotla"]
   spec.email         = ["mot@mot.la"]
 
-  spec.summary       = %q{dotenv-vault}
-  spec.description   = %q{dotenv-vault}
+  spec.summary       = %q{Decrypt .env.vault file.}
+  spec.description   = %q{Decrypt .env.vault file.}
   spec.homepage      = "https://github.com/dotenv-org/dotenv-vault-ruby"
   spec.license       = "MIT"
   spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")

data/lib/dotenv-vault/version.rb

@@ -1,3 +1,3 @@
 module DotenvVault
-  VERSION = "0.8.0"
+  VERSION = "0.10.0"
 end

data/lib/dotenv-vault.rb

@@ -117,42 +117,60 @@ module DotenvVault
   def parse_vault(*filenames)
     # DOTENV_KEY=development/key_1234
     #
-    # Warn the developer unless formatted correctly
-    raise NotFoundDotenvKey, "NOT_FOUND_DOTENV_KEY: Cannot find ENV['DOTENV_KEY']" unless present?(ENV["DOTENV_KEY"])
+    # Warn the developer unless present
+    raise NotFoundDotenvKey, "NOT_FOUND_DOTENV_KEY: Cannot find ENV['DOTENV_KEY']" unless present?(dotenv_key)
 
-    # Parse DOTENV_KEY. Format is a URI
-    uri = URI.parse(ENV["DOTENV_KEY"]) # dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=production
-
-    # Get decrypt key
-    key = uri.password
-    raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Missing key part" unless present?(key)
+    # Parse .env.vault
+    parsed = Dotenv.parse(vault_path)
 
-    # Get environment
-    params = Hash[URI::decode_www_form(uri.query.to_s)]
-    environment = params["environment"]
-    raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Missing environment part" unless present?(environment)
+    # handle scenario for comma separated keys - for use with key rotation
+    # example: DOTENV_KEY="dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=prod,dotenv://:key_7890@dotenv.org/vault/.env.vault?environment=prod"
+    keys = dotenv_key.split(',')
 
-    # Get vault path
-    vault_path = uri.path.gsub("/vault/", "") # /vault/.env.vault => .env.vault
-    raise NotFoundDotenvVault, "NotFoundDotenvVault: Cannot find .env.vault at #{vaultPath}" unless File.file?(vault_path)
+    decrypted = nil
+    keys.each_with_index do |split_dotenv_key, index|
+      begin
+        # Get full key
+        key = split_dotenv_key.strip
 
-    # Parse .env.vault
-    parsed = Dotenv.parse(vault_path)
+        # Get instructions for decrypt
+        attrs = instructions(parsed, key)
 
-    # Get ciphertext
-    environment_key = "DOTENV_VAULT_#{environment.upcase}"
-    ciphertext = parsed[environment_key] # DOTENV_VAULT_PRODUCTION
-    raise NotFoundDotenvEnvironment, "NOT_FOUND_DOTENV_ENVIRONMENT: Cannot locate #{environment_key} in .env.vault" unless ciphertext
+        # Decrypt
+        decrypted = decrypt(attrs[:ciphertext], attrs[:key])
 
-    # Decrypt ciphertext
-    decrypted = decrypt(ciphertext, key)
+        break
+      rescue => error
+        # last key
+        raise error if index >= keys.length - 1
+        # try next key
+      end
+    end
 
     # Parse decrypted .env string
     Dotenv::Parser.call(decrypted, true)
   end
 
   def using_vault?
-    present?(ENV["DOTENV_KEY"])
+    dotenv_key_present? && dotenv_vault_present?
+  end
+
+  def dotenv_key_present?
+    present?(dotenv_key) && dotenv_vault_present?
+  end
+
+  def dotenv_key
+    return ENV["DOTENV_KEY"] if present?(ENV["DOTENV_KEY"])
+
+    ""
+  end
+
+  def dotenv_vault_present?
+    File.file?(vault_path)
+  end
+
+  def vault_path
+    ".env.vault"
   end
 
   def present?(str)
@@ -162,7 +180,7 @@ module DotenvVault
   def decrypt(ciphertext, key)
     key = key[-64..-1] # last 64 characters. allows for passing keys with preface like key_*****
 
-    raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Key part must be 64 characters long (or more)" unless key.bytesize == 64
+    raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Key part must be 64 characters long (or more)" unless key && key.bytesize == 64
 
     lockbox = Lockbox.new(key: key, encode: true)
     begin
@@ -171,4 +189,28 @@ module DotenvVault
       raise DecryptionFailed, "DECRYPTION_FAILED: Please check your DOTENV_KEY"
     end
   end
+
+  def instructions(parsed, split_dotenv_key)
+    # Parse DOTENV_KEY. Format is a URI
+    uri = URI.parse(split_dotenv_key) # dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=production
+
+    # Get decrypt key
+    key = uri.password
+    raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Missing key part" unless present?(key)
+
+    # Get environment
+    params = Hash[URI::decode_www_form(uri.query.to_s)]
+    environment = params["environment"]
+    raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Missing environment part" unless present?(environment)
+
+    # Get ciphertext payload
+    environment_key = "DOTENV_VAULT_#{environment.upcase}"
+    ciphertext = parsed[environment_key] # DOTENV_VAULT_PRODUCTION
+    raise NotFoundDotenvEnvironment, "NOT_FOUND_DOTENV_ENVIRONMENT: Cannot locate #{environment_key} in .env.vault" unless ciphertext
+
+    {
+      ciphertext: ciphertext,
+      key: key
+    }
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dotenv-vault-rails
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.10.0
 platform: ruby
 authors:
 - motdotla
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-09-18 00:00:00.000000000 Z
+date: 2022-11-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dotenv-rails
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: 0.10.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: 0.10.0
 - !ruby/object:Gem::Dependency
   name: spring
   requirement: !ruby/object:Gem::Requirement
@@ -66,7 +66,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: dotenv-vault-rails
+description: Decrypt .env.vault file.
 email:
 - mot@mot.la
 executables: []
@@ -117,5 +117,5 @@ requirements: []
 rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
-summary: dotenv-vault-rails
+summary: Decrypt .env.vault file.
 test_files: []