dotenv-vault-rails 0.9.0 → 0.10.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7e0c2103206875df405a757362cb6ad28f71a6716045ec859b8eab82eb428560
-  data.tar.gz: 5d81aa5eb40ef25c348bcd0ecdd9e9c42011c66829e7f223ebb838fc99f04e0b
+  metadata.gz: 3c427666c300e27340a880bc3887b0d4685091edb6cbf6132071cbcf1ea8949f
+  data.tar.gz: b89a020c71593919e103f37a0e53ab16842bf8355566a68f456b7816369f1dc9
 SHA512:
-  metadata.gz: f594709ca94a2bbf1cf9e82ff5a101cfc0ceb3bc9ce45a1869f768fc70e4a49e73fbd819a0f555aa5157a56051e626d0232d9235792627fe3e74628db1efabc7
-  data.tar.gz: 2dbb138e3221fac27c8dadf5a1a6453f90d93e7889db9e84b6b86c2f610ed84d3094c18c437db1eab6b29c4666d837a17d0188d449e3e42dfe5daf60d1783d80
+  metadata.gz: 378b6eb7c0b3f9276cb34a286da3d5a178cb5e2120b98eefddbbb40dd64b381d346bec57ae9a238a08124b4631004e9f9842217180f3c04ed46199a834fa2ce0
+  data.tar.gz: c393277233b3e191d654f4390e0796aa1d2431d72b44919380fac590bd6de52c7148790bf5aaba85adbc18864e257052adf7443fc51bc5df6bb423c62d15d777

data/CHANGELOG.md

@@ -2,7 +2,19 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-## [Unreleased](https://github.com/dotenv-org/dotenv-vault-ruby/compare/v0.9.0...master)
+## [Unreleased](https://github.com/dotenv-org/dotenv-vault-ruby/compare/v0.10.1...master)
+
+## 0.10.1
+
+### Changed
+
+- Modify the log message to `Loading env from encrypted .env.vault`.
+
+## 0.10.0
+
+### Added
+
+- Support key rotation. Added comma separated capability to `DOTENV_KEY`. Add multiple keys to your DOTENV_KEY for use with decryption. Separate with a comma. [#2](https://github.com/dotenv-org/dotenv-vault-ruby/pull/2)
 
 ## 0.9.0
 

data/Gemfile.lock

@@ -1,68 +1,70 @@
 PATH
   remote: .
   specs:
-    dotenv-vault (0.9.0)
+    dotenv-vault (0.10.1)
       dotenv
       lockbox
-    dotenv-vault-rails (0.9.0)
+    dotenv-vault-rails (0.10.1)
       dotenv-rails
-      dotenv-vault (= 0.9.0)
+      dotenv-vault (= 0.10.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (7.0.4)
-      actionview (= 7.0.4)
-      activesupport (= 7.0.4)
-      rack (~> 2.0, >= 2.2.0)
+    actionpack (7.0.6)
+      actionview (= 7.0.6)
+      activesupport (= 7.0.6)
+      rack (~> 2.0, >= 2.2.4)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.4)
-      activesupport (= 7.0.4)
+    actionview (7.0.6)
+      activesupport (= 7.0.6)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activesupport (7.0.4)
+    activesupport (7.0.6)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
     builder (3.2.4)
     byebug (11.1.3)
-    concurrent-ruby (1.1.10)
+    concurrent-ruby (1.2.2)
     crass (1.0.6)
     diff-lcs (1.5.0)
     dotenv (2.8.1)
     dotenv-rails (2.8.1)
       dotenv (= 2.8.1)
       railties (>= 3.2)
-    erubi (1.11.0)
-    i18n (1.12.0)
+    erubi (1.12.0)
+    i18n (1.14.1)
       concurrent-ruby (~> 1.0)
-    lockbox (1.1.0)
-    loofah (2.19.0)
+    lockbox (1.3.0)
+    loofah (2.21.3)
       crass (~> 1.0.2)
-      nokogiri (>= 1.5.9)
+      nokogiri (>= 1.12.0)
     method_source (1.0.0)
-    mini_portile2 (2.8.0)
-    minitest (5.16.3)
-    nokogiri (1.13.9)
-      mini_portile2 (~> 2.8.0)
+    mini_portile2 (2.8.4)
+    minitest (5.19.0)
+    nokogiri (1.15.3)
+      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    racc (1.6.0)
-    rack (2.2.4)
-    rack-test (2.0.2)
+    racc (1.7.1)
+    rack (2.2.7)
+    rack-test (2.1.0)
       rack (>= 1.3)
-    rails-dom-testing (2.0.3)
-      activesupport (>= 4.2.0)
+    rails-dom-testing (2.1.1)
+      activesupport (>= 5.0.0)
+      minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.4.3)
-      loofah (~> 2.3)
-    railties (7.0.4)
-      actionpack (= 7.0.4)
-      activesupport (= 7.0.4)
+    rails-html-sanitizer (1.6.0)
+      loofah (~> 2.21)
+      nokogiri (~> 1.14)
+    railties (7.0.6)
+      actionpack (= 7.0.6)
+      activesupport (= 7.0.6)
       method_source
       rake (>= 12.2)
       thor (~> 1.0)
@@ -82,10 +84,10 @@ GEM
       rspec-support (~> 3.11.0)
     rspec-support (3.11.0)
     spring (4.0.0)
-    thor (1.2.1)
-    tzinfo (2.0.5)
+    thor (1.2.2)
+    tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    zeitwerk (2.6.1)
+    zeitwerk (2.6.9)
 
 PLATFORMS
   ruby

data/README.md

@@ -2,22 +2,25 @@
 
 <img src="https://raw.githubusercontent.com/motdotla/dotenv/master/dotenv.svg" alt="dotenv-vault" align="right" width="200" />
 
-Dotenv Vault extends the proven & trusted foundation of [dotenv](https://github.com/bkeepers/dotenv), with a `.env.vault` file.
+Extends the proven & trusted foundation of [dotenv](https://github.com/bkeepers/dotenv), with `.env.vault` file support.
 
-The extended standard lets you sync your `.env` files – quickly & securely. Stop sharing them over insecure channels like Slack and email, and never lose an important `.env` file again.
+The extended standard lets you load encrypted secrets from your `.env.vault` file in production (and other) environments. Brought to you by the same people that pioneered [dotenv-nodejs](https://github.com/motdotla/dotenv).
 
-You need a [Dotenv Account](https://dotenv.org) to use Dotenv Vault. It is free to use with premium features.
+* [🌱 Install](#-install)
+* [🏗️ Usage (.env)](#%EF%B8%8F-usage)
+* [🚀 Deploying (.env.vault) 🆕](#-deploying)
+* [🌴 Multiple Environments](#-manage-multiple-environments)
+* [❓ FAQ](#-faq)
+* [⏱️ Changelog](./CHANGELOG.md)
 
-**[Create your account](https://dotenv.org/signup)**
-
-## Installation
+## 🌱 Install
 
 ### Rails
 
 Add this line to the top of your application's Gemfile:
 
 ```ruby
-gem 'dotenv-vault-rails'
+gem "dotenv-vault-rails", require: "dotenv-vault/rails-now"
 ```
 
 And then execute:
@@ -37,18 +40,16 @@ $ gem install dotenv-vault
 As early as possible in your application bootstrap process, load `.env`:
 
 ```ruby
-require 'dotenv-vault/load'
+require "dotenv-vault/load"
 
 # or
-require 'dotenv-vault'
+require "dotenv-vault"
 DotenvVault.load
 ```
 
-## Usage
-
-### `.env`
+## 🏗️ Usage
 
-Basic usage works just like [dotenv](https://github.com/bkeepers/dotenv).
+Development usage works just like [dotenv](https://github.com/bkeepers/dotenv).
 
 Add your application configuration to your `.env` file in the root of your project:
 
@@ -60,95 +61,55 @@ SECRET_KEY=YOURSECRETKEYGOESHERE
 When your application loads, these variables will be available in `ENV`:
 
 ```ruby
-config.fog_directory  = ENV['S3_BUCKET']
+config.fog_directory  = ENV["S3_BUCKET"]
 ```
 
-### `.env.vault`
+## 🚀 Deploying
 
-Extended usage uses a `.env.vault` file that allows you to sync your secrets across machines, team members, and environments.
+Encrypt your `.env.vault` file.
 
-Usage is similar to git. In the same directory as your `.env` file, run the command:
-
-```shell
-npx dotenv-vault new
+```bash
+$ npx dotenv-vault build
 ```
 
-Follow those instructions and then run:
+Fetch your production `DOTENV_KEY`.
 
-```shell
-$ npx dotenv-vault login
+```bash
+$ npx dotenv-vault keys production
 ```
 
-Then run push and pull:
+Set `DOTENV_KEY` on your server.
 
-```shell
-$ npx dotenv-vault push
-$ npx dotenv-vault pull
+```bash
+# heroku example
+heroku config:set DOTENV_KEY=dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=production
 ```
 
-That's it!
+That's it! On deploy, your `.env.vault` file will be decrypted and its secrets injected as environment variables – just in time.
 
-You just synced your `.env` file. Commit your `.env.vault` file to code, and tell your teammates to run `npx dotenv-vault pull`.
+*ℹ️ A note from [Mot](https://github.com/motdotla): Until recently, we did not have an opinion on how and where to store your secrets in production. We now strongly recommend generating a `.env.vault` file. It's the best way to prevent your secrets from being scattered across multiple servers and cloud providers – protecting you from breaches like the [CircleCI breach](https://techcrunch.com/2023/01/05/circleci-breach/). Also it unlocks interoperability WITHOUT native third-party integrations. Third-party integrations are [increasingly risky](https://coderpad.io/blog/development/heroku-github-breach/) to our industry. They may be the 'du jour' of today, but we imagine a better future.*
 
-## Multiple Environments
+<a href="https://github.com/dotenv-org/dotenv-vault#dotenv-vault-">Learn more at dotenv-vault: Deploying</a>
 
-Run the command:
+## 🌴 Manage Multiple Environments
 
-```shell
+Edit your production environment variables.
+
+```bash
 $ npx dotenv-vault open production
 ```
 
-It will open up an interface to manage your production environment variables.
-
-## Build & Deploy Anywhere
+Regenerate your `.env.vault` file.
 
-Build your encrypted `.env.vault`:
-
-```shell
+```bash
 $ npx dotenv-vault build
 ```
 
-Safely commit and push your changes:
+*ℹ️  🔐 Vault Managed vs 💻 Locally Managed: The above example, for brevity's sake, used the 🔐 Vault Managed solution to manage your `.env.vault` file. You can instead use the 💻 Locally Managed solution. [Read more here](https://github.com/dotenv-org/dotenv-vault#how-do-i-use--locally-managed-dotenv-vault). Our vision is that other platforms and orchestration tools adopt the `.env.vault` standard as they did the `.env` standard. We don't expect to be the only ones providing tooling to manage and generate `.env.vault` files.*
 
-```shell
-$ git commit -am "Updated .env.vault"
-$ git push
-```
+<a href="https://github.com/dotenv-org/dotenv-vault#-manage-multiple-environments">Learn more at dotenv-vault: Manage Multiple Environments</a>
 
-Obtain your `DOTENV_KEY`:
-
-```shell
-$ npx dotenv-vault keys
-```
-
-Set `DOTENV_KEY` on your infrastructure. For example, on Heroku:
-
-```shell
-$ heroku config:set DOTENV_KEY="dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=production"
-```
-
-All set! When your app boots, it will recognize a `DOTENV_KEY` is set, decrypt the `.env.vault` file, and load the variables to `ENV`.
-
-Made a change to your production envs? Run `npx dotenv-vault build`, commit that safely to code, and deploy. It's simple and safe like that.
-
-## Dotenv.org
-
-**[Create your account](https://dotenv.org/signup)**
-
-You need a [Dotenv Account](https://dotenv.org) to use Dotenv Vault. It is free to use with premium features.
-
-![](https://api.checklyhq.com/v1/badges/checks/c2fee99a-38e7-414e-89b8-9766ceeb1927?style=flat&theme=dark&responseTime=true)
-![](https://api.checklyhq.com/v1/badges/checks/4f557967-1ed1-486a-b762-39a63781d752?style=flat&theme=dark&responseTime=true)
-<br>
-![](https://api.checklyhq.com/v1/badges/checks/804eb6fa-6599-4688-a649-7ff3c39a64b9?style=flat&theme=dark&responseTime=true)
-![](https://api.checklyhq.com/v1/badges/checks/6a94504e-e936-4f07-bc0b-e08fee2734b3?style=flat&theme=dark&responseTime=true)
-<br>
-![](https://api.checklyhq.com/v1/badges/checks/06ac4f4e-3e0e-4501-9987-580b4d2a6b06?style=flat&theme=dark&responseTime=true)
-![](https://api.checklyhq.com/v1/badges/checks/0ffc1e55-7ef0-4c2c-8acc-b6311871f41c?style=flat&theme=dark&responseTime=true)
-
-Visit [health.dotenv.org](https://health.dotenv.org) for more information.
-
-## FAQ
+## ❓ FAQ
 
 #### What happens if `DOTENV_KEY` is not set?
 
@@ -178,6 +139,11 @@ No. It is the key that unlocks your encrypted environment variables. Be very car
 
 See [CHANGELOG.md](CHANGELOG.md)
 
+## Development
+
+1. Bump and tag version
+2. rake release
+
 ## License
 
 MIT

data/dotenv-vault-rails.gemspec

@@ -6,8 +6,8 @@ Gem::Specification.new "dotenv-vault-rails" do |spec|
   spec.authors       = ["motdotla"]
   spec.email         = ["mot@mot.la"]
 
-  spec.summary       = %q{dotenv-vault-rails}
-  spec.description   = %q{dotenv-vault-rails}
+  spec.summary       = %q{Decrypt .env.vault file.}
+  spec.description   = %q{Decrypt .env.vault file.}
   spec.homepage      = "https://github.com/dotenv-org/dotenv-vault-ruby"
   spec.license       = "MIT"
   spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")

data/dotenv-vault.gemspec

@@ -6,8 +6,8 @@ Gem::Specification.new "dotenv-vault" do |spec|
   spec.authors       = ["motdotla"]
   spec.email         = ["mot@mot.la"]
 
-  spec.summary       = %q{dotenv-vault}
-  spec.description   = %q{dotenv-vault}
+  spec.summary       = %q{Decrypt .env.vault file.}
+  spec.description   = %q{Decrypt .env.vault file.}
   spec.homepage      = "https://github.com/dotenv-org/dotenv-vault-ruby"
   spec.license       = "MIT"
   spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")

data/lib/dotenv-vault/version.rb

@@ -1,3 +1,3 @@
 module DotenvVault
-  VERSION = "0.9.0"
+  VERSION = "0.10.1"
 end

data/lib/dotenv-vault.rb

@@ -90,7 +90,7 @@ module DotenvVault
   #
   # Decrypts and loads to ENV
   def load_vault(*filenames)
-    DotenvVault.logger.info("[dotenv-vault] Loading encrypted .env.vault to environment variables") if DotenvVault.logger
+    DotenvVault.logger.info("[dotenv-vault] Loading env from encrypted .env.vault") if DotenvVault.logger
 
     parsed = parse_vault(*filenames)
     
@@ -104,7 +104,7 @@ module DotenvVault
   #
   # Decrypts and overloads to ENV
   def overload_vault(*filenames)
-    DotenvVault.logger.info("[dotenv-vault] Overloading encrypted .env.vault to environment variables") if DotenvVault.logger
+    DotenvVault.logger.info("[dotenv-vault] Overloading env from encrypted .env.vault") if DotenvVault.logger
 
     parsed = parse_vault(*filenames)
     
@@ -117,31 +117,35 @@ module DotenvVault
   def parse_vault(*filenames)
     # DOTENV_KEY=development/key_1234
     #
-    # Warn the developer unless formatted correctly
-    raise NotFoundDotenvKey, "NOT_FOUND_DOTENV_KEY: Cannot find ENV['DOTENV_KEY']" unless present?(ENV["DOTENV_KEY"])
+    # Warn the developer unless present
+    raise NotFoundDotenvKey, "NOT_FOUND_DOTENV_KEY: Cannot find ENV['DOTENV_KEY']" unless present?(dotenv_key)
 
-    # Parse DOTENV_KEY. Format is a URI
-    uri = URI.parse(ENV["DOTENV_KEY"]) # dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=production
+    # Parse .env.vault
+    parsed = Dotenv.parse(vault_path)
 
-    # Get decrypt key
-    key = uri.password
-    raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Missing key part" unless present?(key)
+    # handle scenario for comma separated keys - for use with key rotation
+    # example: DOTENV_KEY="dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=prod,dotenv://:key_7890@dotenv.org/vault/.env.vault?environment=prod"
+    keys = dotenv_key.split(',')
 
-    # Get environment
-    params = Hash[URI::decode_www_form(uri.query.to_s)]
-    environment = params["environment"]
-    raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Missing environment part" unless present?(environment)
+    decrypted = nil
+    keys.each_with_index do |split_dotenv_key, index|
+      begin
+        # Get full key
+        key = split_dotenv_key.strip
 
-    # Parse .env.vault
-    parsed = Dotenv.parse(vault_path)
+        # Get instructions for decrypt
+        attrs = instructions(parsed, key)
 
-    # Get ciphertext
-    environment_key = "DOTENV_VAULT_#{environment.upcase}"
-    ciphertext = parsed[environment_key] # DOTENV_VAULT_PRODUCTION
-    raise NotFoundDotenvEnvironment, "NOT_FOUND_DOTENV_ENVIRONMENT: Cannot locate #{environment_key} in .env.vault" unless ciphertext
+        # Decrypt
+        decrypted = decrypt(attrs[:ciphertext], attrs[:key])
 
-    # Decrypt ciphertext
-    decrypted = decrypt(ciphertext, key)
+        break
+      rescue => error
+        # last key
+        raise error if index >= keys.length - 1
+        # try next key
+      end
+    end
 
     # Parse decrypted .env string
     Dotenv::Parser.call(decrypted, true)
@@ -152,7 +156,13 @@ module DotenvVault
   end
 
   def dotenv_key_present?
-    present?(ENV["DOTENV_KEY"]) && dotenv_vault_present?
+    present?(dotenv_key) && dotenv_vault_present?
+  end
+
+  def dotenv_key
+    return ENV["DOTENV_KEY"] if present?(ENV["DOTENV_KEY"])
+
+    ""
   end
 
   def dotenv_vault_present?
@@ -170,7 +180,7 @@ module DotenvVault
   def decrypt(ciphertext, key)
     key = key[-64..-1] # last 64 characters. allows for passing keys with preface like key_*****
 
-    raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Key part must be 64 characters long (or more)" unless key.bytesize == 64
+    raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Key part must be 64 characters long (or more)" unless key && key.bytesize == 64
 
     lockbox = Lockbox.new(key: key, encode: true)
     begin
@@ -179,4 +189,28 @@ module DotenvVault
       raise DecryptionFailed, "DECRYPTION_FAILED: Please check your DOTENV_KEY"
     end
   end
+
+  def instructions(parsed, split_dotenv_key)
+    # Parse DOTENV_KEY. Format is a URI
+    uri = URI.parse(split_dotenv_key) # dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=production
+
+    # Get decrypt key
+    key = uri.password
+    raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Missing key part" unless present?(key)
+
+    # Get environment
+    params = Hash[URI::decode_www_form(uri.query.to_s)]
+    environment = params["environment"]
+    raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Missing environment part" unless present?(environment)
+
+    # Get ciphertext payload
+    environment_key = "DOTENV_VAULT_#{environment.upcase}"
+    ciphertext = parsed[environment_key] # DOTENV_VAULT_PRODUCTION
+    raise NotFoundDotenvEnvironment, "NOT_FOUND_DOTENV_ENVIRONMENT: Cannot locate #{environment_key} in .env.vault" unless ciphertext
+
+    {
+      ciphertext: ciphertext,
+      key: key
+    }
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dotenv-vault-rails
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.10.1
 platform: ruby
 authors:
 - motdotla
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-10-23 00:00:00.000000000 Z
+date: 2023-07-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dotenv-rails
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.9.0
+        version: 0.10.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.9.0
+        version: 0.10.1
 - !ruby/object:Gem::Dependency
   name: spring
   requirement: !ruby/object:Gem::Requirement
@@ -66,7 +66,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: dotenv-vault-rails
+description: Decrypt .env.vault file.
 email:
 - mot@mot.la
 executables: []
@@ -99,7 +99,7 @@ metadata:
   homepage_uri: https://github.com/dotenv-org/dotenv-vault-ruby
   source_code_uri: https://github.com/dotenv-org/dotenv-vault-ruby
   changelog_uri: https://github.com/dotenv-org/dotenv-vault-ruby
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -114,8 +114,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
-signing_key: 
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
-summary: dotenv-vault-rails
+summary: Decrypt .env.vault file.
 test_files: []