dotenv-vault-rails 0.9.0 → 0.10.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7e0c2103206875df405a757362cb6ad28f71a6716045ec859b8eab82eb428560
4
- data.tar.gz: 5d81aa5eb40ef25c348bcd0ecdd9e9c42011c66829e7f223ebb838fc99f04e0b
3
+ metadata.gz: 4f612aee9f093299bc8f9ffc6d62927f5a90146982add8cf9c5efd9f58c16f13
4
+ data.tar.gz: 06ccf7aa83cd740991576ff3c2a0bdacf1668b3a706feb2014b8d7a59c91208e
5
5
  SHA512:
6
- metadata.gz: f594709ca94a2bbf1cf9e82ff5a101cfc0ceb3bc9ce45a1869f768fc70e4a49e73fbd819a0f555aa5157a56051e626d0232d9235792627fe3e74628db1efabc7
7
- data.tar.gz: 2dbb138e3221fac27c8dadf5a1a6453f90d93e7889db9e84b6b86c2f610ed84d3094c18c437db1eab6b29c4666d837a17d0188d449e3e42dfe5daf60d1783d80
6
+ metadata.gz: 9680ab3bb4852d5ac11107c19c90b5ff05b7c5c7218c04134c3005fd4de8421ca4b0b5ef84b348c041749892be1cbc1750bde365bf78034cfef0be907b4c009c
7
+ data.tar.gz: cdf203edcce1452dc5d4666849de31cfb35621cc167d1a7d70e86c083be987119f8f06c65ebac4e10f54e791f0bf15015b345013fe85a65e54a2b2de96c580cd
data/CHANGELOG.md CHANGED
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. See [standa
4
4
 
5
5
  ## [Unreleased](https://github.com/dotenv-org/dotenv-vault-ruby/compare/v0.9.0...master)
6
6
 
7
+ ## 0.10.0
8
+
9
+ ### Added
10
+
11
+ - Support key rotation. Added comma separated capability to `DOTENV_KEY`. Add multiple keys to your DOTENV_KEY for use with decryption. Separate with a comma. [#2](https://github.com/dotenv-org/dotenv-vault-ruby/pull/2)
12
+
7
13
  ## 0.9.0
8
14
 
9
15
  ### Changed
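Review bot: The 0.10.0 entry says `DOTENV_KEY` may hold comma separated keys but not how they are used; stating the semantics visible in the `parse_vault` change (keys are tried in order, the first one that decrypts wins, and only the last key's error is raised when every key fails) tells operators what to expect during a rotation window and which error they will see when the rotation is misconfigured.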
data/Gemfile.lock CHANGED
@@ -1,12 +1,12 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- dotenv-vault (0.9.0)
4
+ dotenv-vault (0.10.0)
5
5
  dotenv
6
6
  lockbox
7
- dotenv-vault-rails (0.9.0)
7
+ dotenv-vault-rails (0.10.0)
8
8
  dotenv-rails
9
- dotenv-vault (= 0.9.0)
9
+ dotenv-vault (= 0.10.0)
10
10
 
11
11
  GEM
12
12
  remote: https://rubygems.org/
data/README.md CHANGED
@@ -2,14 +2,10 @@
2
2
 
3
3
  <img src="https://raw.githubusercontent.com/motdotla/dotenv/master/dotenv.svg" alt="dotenv-vault" align="right" width="200" />
4
4
 
5
- Dotenv Vault extends the proven & trusted foundation of [dotenv](https://github.com/bkeepers/dotenv), with a `.env.vault` file.
5
+ Extends the proven & trusted foundation of [dotenv](https://github.com/bkeepers/dotenv), with a `.env.vault` file.
6
6
 
7
7
  The extended standard lets you sync your `.env` files – quickly & securely. Stop sharing them over insecure channels like Slack and email, and never lose an important `.env` file again.
8
8
 
9
- You need a [Dotenv Account](https://dotenv.org) to use Dotenv Vault. It is free to use with premium features.
10
-
11
- **[Create your account](https://dotenv.org/signup)**
12
-
13
9
  ## Installation
14
10
 
15
11
  ### Rails
@@ -65,12 +61,12 @@ config.fog_directory = ENV['S3_BUCKET']
65
61
 
66
62
  ### `.env.vault`
67
63
 
68
- Extended usage uses a `.env.vault` file that allows you to sync your secrets across machines, team members, and environments.
64
+ The `.env.vault` extends `.env`. It facilitates syncing your `.env` file across machines, team members, and environments.
69
65
 
70
66
  Usage is similar to git. In the same directory as your `.env` file, run the command:
71
67
 
72
68
  ```shell
73
- npx dotenv-vault new
69
+ $ npx dotenv-vault new
74
70
  ```
75
71
 
76
72
  Follow those instructions and then run:
@@ -90,6 +86,8 @@ That's it!
90
86
 
91
87
  You just synced your `.env` file. Commit your `.env.vault` file to code, and tell your teammates to run `npx dotenv-vault pull`.
92
88
 
89
+ [Learn more](https://www.dotenv.org/docs/tutorials/sync)
90
+
93
91
  ## Multiple Environments
94
92
 
95
93
  Run the command:
@@ -100,7 +98,9 @@ $ npx dotenv-vault open production
100
98
 
101
99
  It will open up an interface to manage your production environment variables.
102
100
 
103
- ## Build & Deploy Anywhere
101
+ [Learn more](https://www.dotenv.org/docs/tutorials/environments)
102
+
103
+ ## Integrate Anywhere™
104
104
 
105
105
  Build your encrypted `.env.vault`:
106
106
 
@@ -131,9 +131,9 @@ All set! When your app boots, it will recognize a `DOTENV_KEY` is set, decrypt t
131
131
 
132
132
  Made a change to your production envs? Run `npx dotenv-vault build`, commit that safely to code, and deploy. It's simple and safe like that.
133
133
 
134
- ## Dotenv.org
134
+ [Learn more](https://www.dotenv.org/docs/tutorials/integrations)
135
135
 
136
- **[Create your account](https://dotenv.org/signup)**
136
+ ## Dotenv.org
137
137
 
138
138
  You need a [Dotenv Account](https://dotenv.org) to use Dotenv Vault. It is free to use with premium features.
139
139
 
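Review bot: The README still documents a single `DOTENV_KEY` in this section even though the release adds the comma separated rotation format described in the CHANGELOG; a sentence here with the example already used in the code comment, `DOTENV_KEY="dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=prod,dotenv://:key_7890@dotenv.org/vault/.env.vault?environment=prod"`, plus a note that keys are tried left to right, would make the feature discoverable where deployment is explained.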
@@ -6,8 +6,8 @@ Gem::Specification.new "dotenv-vault-rails" do |spec|
6
6
  spec.authors = ["motdotla"]
7
7
  spec.email = ["mot@mot.la"]
8
8
 
9
- spec.summary = %q{dotenv-vault-rails}
10
- spec.description = %q{dotenv-vault-rails}
9
+ spec.summary = %q{Decrypt .env.vault file.}
10
+ spec.description = %q{Decrypt .env.vault file.}
11
11
  spec.homepage = "https://github.com/dotenv-org/dotenv-vault-ruby"
12
12
  spec.license = "MIT"
13
13
  spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
data/dotenv-vault.gemspec CHANGED
@@ -6,8 +6,8 @@ Gem::Specification.new "dotenv-vault" do |spec|
6
6
  spec.authors = ["motdotla"]
7
7
  spec.email = ["mot@mot.la"]
8
8
 
9
- spec.summary = %q{dotenv-vault}
10
- spec.description = %q{dotenv-vault}
9
+ spec.summary = %q{Decrypt .env.vault file.}
10
+ spec.description = %q{Decrypt .env.vault file.}
11
11
  spec.homepage = "https://github.com/dotenv-org/dotenv-vault-ruby"
12
12
  spec.license = "MIT"
13
13
  spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
@@ -1,3 +1,3 @@
1
1
  module DotenvVault
2
- VERSION = "0.9.0"
2
+ VERSION = "0.10.0"
3
3
  end
data/lib/dotenv-vault.rb CHANGED
@@ -117,31 +117,35 @@ module DotenvVault
117
117
  def parse_vault(*filenames)
118
118
  # DOTENV_KEY=development/key_1234
119
119
  #
120
- # Warn the developer unless formatted correctly
121
- raise NotFoundDotenvKey, "NOT_FOUND_DOTENV_KEY: Cannot find ENV['DOTENV_KEY']" unless present?(ENV["DOTENV_KEY"])
120
+ # Warn the developer unless present
121
+ raise NotFoundDotenvKey, "NOT_FOUND_DOTENV_KEY: Cannot find ENV['DOTENV_KEY']" unless present?(dotenv_key)
122
122
 
123
- # Parse DOTENV_KEY. Format is a URI
124
- uri = URI.parse(ENV["DOTENV_KEY"]) # dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=production
123
+ # Parse .env.vault
124
+ parsed = Dotenv.parse(vault_path)
125
125
 
126
- # Get decrypt key
127
- key = uri.password
128
- raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Missing key part" unless present?(key)
126
+ # handle scenario for comma separated keys - for use with key rotation
127
+ # example: DOTENV_KEY="dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=prod,dotenv://:key_7890@dotenv.org/vault/.env.vault?environment=prod"
128
+ keys = dotenv_key.split(',')
129
129
 
130
- # Get environment
131
- params = Hash[URI::decode_www_form(uri.query.to_s)]
132
- environment = params["environment"]
133
- raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Missing environment part" unless present?(environment)
130
+ decrypted = nil
131
+ keys.each_with_index do |split_dotenv_key, index|
132
+ begin
133
+ # Get full key
134
+ key = split_dotenv_key.strip
134
135
 
135
- # Parse .env.vault
136
- parsed = Dotenv.parse(vault_path)
136
+ # Get instructions for decrypt
137
+ attrs = instructions(parsed, key)
137
138
 
138
- # Get ciphertext
139
- environment_key = "DOTENV_VAULT_#{environment.upcase}"
140
- ciphertext = parsed[environment_key] # DOTENV_VAULT_PRODUCTION
141
- raise NotFoundDotenvEnvironment, "NOT_FOUND_DOTENV_ENVIRONMENT: Cannot locate #{environment_key} in .env.vault" unless ciphertext
139
+ # Decrypt
140
+ decrypted = decrypt(attrs[:ciphertext], attrs[:key])
142
141
 
143
- # Decrypt ciphertext
144
- decrypted = decrypt(ciphertext, key)
142
+ break
143
+ rescue => error
144
+ # last key
145
+ raise error if index >= keys.length - 1
146
+ # try next key
147
+ end
148
+ end
145
149
 
146
150
  # Parse decrypted .env string
147
151
  Dotenv::Parser.call(decrypted, true)
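Review bot: `keys = dotenv_key.split(',')` can produce an empty array, because Ruby drops empty trailing fields (`",".split(',')` is `[]`), and `present?(dotenv_key)` has already passed for such a value; the loop then never runs, `decrypted` stays `nil`, and `Dotenv::Parser.call(decrypted, true)` fails with an unrelated error instead of `InvalidDotenvKey`. Suggest `keys = dotenv_key.split(',').map(&:strip).reject(&:empty?)` followed by `raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Missing key part" if keys.empty?`. Separately, the bare `rescue => error` swallows every StandardError for all but the last key, including `InvalidDotenvKey` from a missing key or environment part and `URI::InvalidURIError` from a malformed URI, so when an earlier key fails with `DECRYPTION_FAILED` and the last key is merely malformed the operator sees the malformed-key message rather than the real cause; rescuing only `DecryptionFailed` (and `NotFoundDotenvEnvironment`) and letting validation errors propagate immediately keeps the diagnostics honest.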
@@ -152,7 +156,13 @@ module DotenvVault
152
156
  end
153
157
 
154
158
  def dotenv_key_present?
155
- present?(ENV["DOTENV_KEY"]) && dotenv_vault_present?
159
+ present?(dotenv_key) && dotenv_vault_present?
160
+ end
161
+
162
+ def dotenv_key
163
+ return ENV["DOTENV_KEY"] if present?(ENV["DOTENV_KEY"])
164
+
165
+ ""
156
166
  end
157
167
 
158
168
  def dotenv_vault_present?
@@ -170,7 +180,7 @@ module DotenvVault
170
180
  def decrypt(ciphertext, key)
171
181
  key = key[-64..-1] # last 64 characters. allows for passing keys with preface like key_*****
172
182
 
173
- raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Key part must be 64 characters long (or more)" unless key.bytesize == 64
183
+ raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Key part must be 64 characters long (or more)" unless key && key.bytesize == 64
174
184
 
175
185
  lockbox = Lockbox.new(key: key, encode: true)
176
186
  begin
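Review bot: The added `key &&` guard covers the case where `key[-64..-1]` on the line above returns `nil` for a key shorter than 64 characters, which previously surfaced as a `NoMethodError` on `nil.bytesize` rather than the intended `InvalidDotenvKey`; a short comment saying that is the reason would help the next reader. If `decrypt` is ever called with a `nil` key directly, the slice itself still raises, so the nil check belongs before `key = key[-64..-1]` if that path matters.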
@@ -179,4 +189,28 @@ module DotenvVault
179
189
  raise DecryptionFailed, "DECRYPTION_FAILED: Please check your DOTENV_KEY"
180
190
  end
181
191
  end
192
+
193
+ def instructions(parsed, split_dotenv_key)
194
+ # Parse DOTENV_KEY. Format is a URI
195
+ uri = URI.parse(split_dotenv_key) # dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=production
196
+
197
+ # Get decrypt key
198
+ key = uri.password
199
+ raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Missing key part" unless present?(key)
200
+
201
+ # Get environment
202
+ params = Hash[URI::decode_www_form(uri.query.to_s)]
203
+ environment = params["environment"]
204
+ raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Missing environment part" unless present?(environment)
205
+
206
+ # Get ciphertext payload
207
+ environment_key = "DOTENV_VAULT_#{environment.upcase}"
208
+ ciphertext = parsed[environment_key] # DOTENV_VAULT_PRODUCTION
209
+ raise NotFoundDotenvEnvironment, "NOT_FOUND_DOTENV_ENVIRONMENT: Cannot locate #{environment_key} in .env.vault" unless ciphertext
210
+
211
+ {
212
+ ciphertext: ciphertext,
213
+ key: key
214
+ }
215
+ end
182
216
  end
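Review bot: `instructions(parsed, split_dotenv_key)` has no comment stating that it returns `{ ciphertext:, key: }` or that it raises `InvalidDotenvKey` and `NotFoundDotenvEnvironment` for a key that cannot be resolved, and the name does not convey that it maps one `DOTENV_KEY` URI to the ciphertext it unlocks; a doc comment, or a more descriptive name such as `decryption_attrs`, would make the caller in `parse_vault`, where those raises are what drive the next-key fallback, easier to follow.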
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dotenv-vault-rails
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.9.0
4
+ version: 0.10.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - motdotla
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2022-10-23 00:00:00.000000000 Z
11
+ date: 2022-11-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dotenv-rails
@@ -30,14 +30,14 @@ dependencies:
30
30
  requirements:
31
31
  - - '='
32
32
  - !ruby/object:Gem::Version
33
- version: 0.9.0
33
+ version: 0.10.0
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - '='
39
39
  - !ruby/object:Gem::Version
40
- version: 0.9.0
40
+ version: 0.10.0
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: spring
43
43
  requirement: !ruby/object:Gem::Requirement
@@ -66,7 +66,7 @@ dependencies:
66
66
  - - ">="
67
67
  - !ruby/object:Gem::Version
68
68
  version: '0'
69
- description: dotenv-vault-rails
69
+ description: Decrypt .env.vault file.
70
70
  email:
71
71
  - mot@mot.la
72
72
  executables: []
@@ -117,5 +117,5 @@ requirements: []
117
117
  rubygems_version: 3.1.6
118
118
  signing_key:
119
119
  specification_version: 4
120
- summary: dotenv-vault-rails
120
+ summary: Decrypt .env.vault file.
121
121
  test_files: []