dry-credentials 0.1.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 24deb6ca2d926a11c530c6e81821af802fe1ac36e4fafb8c2273619afdd4ff8e
-  data.tar.gz: 5be212ecb261ab3134b80f14d93a8ca9b7492be642b7a129b16239b0b727410f
+  metadata.gz: 2d4a73f1a9d55f7e32296e39d78e7ff5a6273226c25d10e97b0d2a10b9a00f1c
+  data.tar.gz: 56f39f76baf2a18dbc4bf163d5d12697687a2a026fcc9d01f6b632fef7dcf633
 SHA512:
-  metadata.gz: a4e0f03fa13561dbc97b110b2d3f660889f0fe76d98615b981af07bf5b44481669f9b176692f77508d71d3629a8cf05c98262601cef5db4a5ee04b0d04de158a
-  data.tar.gz: a0258c2537012e92dfa82ec88d1881a740d04eb9fae617fbafc79a3dabb9e0ff526e51856218a0316c5d99a1c357edb681d404cd2f831f7f79e183659de2dde3
+  metadata.gz: caac2559ad90fadce9f4b56923d556687d8da8c54eaf16de502e5c2598c10fbb49c57ef5acf8bbe7aaf87434e17bf66d816b25a2cd282ab920b1da5e45b25a21
+  data.tar.gz: a443919baad7138e75beedb23709a45526a986be9225ff6f4f3456cde71c41d03b220de32c6e27ab489839f35d5e467b54a9531f075c1cea80b41f4d64a25dd1

data/CHANGELOG.md

@@ -2,9 +2,26 @@
 
 Nothing so far
 
+## 0.2.1
+
+## 0.2.1
+
+* Add square brackets setter for settings
+* Explain integrations for Bridgetown, Hanami 2 and Rodbot
+
+## 0.2.0
+
+#### Breaking Changes
+
+* Fall back to `APP_ENV` instead of `RACK_ENV`
+
+#### Fixes
+
+* Don't re-encrypt if credentials haven't been modified
+
 ## 0.1.0
 
-#### Initial implementation
+#### Initial Implementation
 
 * Require Ruby 3.0 or newer
 * Class mixin featuring the `credentials` macro:

data/README.md

@@ -37,6 +37,8 @@ And then install the bundle:
 bundle install --trust-policy MediumSecurity
 ```
 
+See [Integrations](#integrations) below for how to integrate Dry::Credentials into frameworks.
+
 ## Usage
 
 Extend any class with `Dry::Credentials` to use the [default settings](#defaults):
@@ -108,7 +110,7 @@ App.credentials.otp.meta.realm
 
 Credentials are isolated into environments which most likely will, but don't necessarily have to align with the environments of the app framework you're using.
 
-By default, the current environment is read from `RACK_ENV`.
+By default, the current environment is read from `APP_ENV`. You shouldn't use `RACK_ENV` for this, [here's why](https://github.com/rack/rack/issues/1546).
 
 ⚠️ For safety reasons, don't share the same key across multiple environments!
 
@@ -148,12 +150,115 @@ App.credentials[:env]   # => "production"
 
 Setting | Default | Description
 --------|---------|------------
-`env` | `-> { ENV["RACK_ENV"] }` | environment such as `development`
+`env` | `-> { ENV["APP_ENV"] }` | environment such as `development`
 `dir` | `"config/credentials"` | directory where encrypted credentials are stored
 `cipher` | `"aes-256-gcm"` | any of `OpenSSL::Cipher.ciphers`
 `digest` | `"sha256"` | sign digest used if the cipher doesn't support AEAD
 `serializer` | `Marshal` | serializer responding to `dump` and `load`
 
+## Integrations
+
+### Bridgetown
+
+The [bridgetown_credentials gem](https://github.com/svoop/bridgetown_credentials) integrates Dry::Credentials into your [Bridgetown](https://www.bridgetownrb.com) site.
+
+### Hanami 2
+
+To use credentials in a [Hanami 2](https//hanami.org) app, first add this gem to the gemfile of the app and then  create a provider `config/providers/credentials.rb`:
+
+```ruby
+# frozen_string_literal: true
+
+Hanami.app.register_provider :credentials do
+  prepare do
+    require "dry-credentials"
+
+    Dry::Credentials::Extension.new.then do |credentials|
+      credentials[:env] = Hanami.env
+      credentials.load!
+      register "credentials", credentials
+    end
+  end
+end
+```
+
+You might want to add a Rake task `lib/tasks/credentials.rake` as well:
+
+```ruby
+namespace :credentials do
+  desc "Edit (or create) the encrypted credentials file"
+  task :edit, [:env] => [:environment] do |_, args|
+    Hanami.app.prepare(:credentials)
+    Hanami.app['credentials'].edit! args[:env]
+  end
+end
+```
+
+(As of Hanami 2.1, you have to [explicitly load such tasks in the Rakefile](https://github.com/hanami/hanami/issues/1375) yourself.)
+
+You can now create a new credentials file for the development environment:
+
+```
+rake credentials:edit
+```
+
+This prints the credentials key you have to set in `.env`:
+
+```
+DEVELOPMENT_CREDENTIALS_KEY=...
+```
+
+The credentials are now available anywhere you inject them:
+
+```ruby
+module MyHanamiApp
+  class ApiKeyPrinter
+    include Deps[
+      "credentials"
+    ]
+
+    def call
+      puts credentials.api_key
+    end
+  end
+end
+```
+
+You can use the credentials in other providers. Say, you want to pass the [ROM](https://rom-rb.org/) database URL (which contains the connection password) using credentials instead of settings. Simply replace `target["settings"].database_url` with `target["credentials"].database_url` and you're good to go:
+
+```ruby
+Hanami.app.register_provider :persistence, namespace: true do
+  prepare do
+    require "rom"
+
+    config = ROM::Configuration.new(:sql, target["credentials"].database_url)
+
+    register "config", config
+    register "db", config.gateways[:default].connection
+  end
+
+  (...)
+end
+```
+
+Finally, if you have trouble using the credentials in slices, you might have to [share this app component](https://www.rubydoc.info/gems/hanami/Hanami/Config#shared_app_component_keys-instance_method) in `config/app.rb`:
+
+```ruby
+module MyHanamiApp
+  class App < Hanami::App
+    config.shared_app_component_keys += ["credentials"]
+  end
+end
+```
+
+### Ruby on Rails
+
+ActiveSupport implements [encrypted configuration](https://www.rubydoc.info/gems/activesupport/ActiveSupport/EncryptedConfiguration) which is used by `rails credentials:edit` [out of the box]((https://guides.rubyonrails.org/security.html#custom-credentials)). There's no benefit from introducing an additional dependency like Dry::Credentials.
+
+### Rodbot
+
+Dry::Credentials is integrated into [Rodbot](https://github.com/svoop/rodbot) out of the box, see [the README for more](https://github.com/svoop/rodbot/blob/main/README.md#credentials).
+
 ## Development
 
 To install the development dependencies and then run the test suite:
@@ -164,4 +269,4 @@ bundle exec rake    # run tests once
 bundle exec guard   # run tests whenever files are modified
 ```
 
-You're welcome to [submit issues](https://github.com/svoop/dry-credentials/issues) and contribute code by [forking the project and submitting pull requests](https://docs.github.com/en/get-started/quickstart/fork-a-repo).
+You're welcome to join the [discussion forum](https://github.com/svoop/dry-credentials/discussions) to ask questions or drop feature ideas, [submit issues](https://github.com/svoop/dry-credentials/issues) you may encounter or contribute code by [forking this project and submitting pull requests](https://docs.github.com/en/get-started/quickstart/fork-a-repo).

data/lib/dry/credentials/encryptor.rb

@@ -12,8 +12,6 @@ module Dry
       DEFAULT_SERIALIZER = Marshal
       SEPARATOR = '--'
 
-      attr_reader :cipher
-
       # @param cipher [String] any of +OpenSSL::Cipher.ciphers+
       # @param digest [String] any of +openssl list+
       # @param serializer [Class] must respond to +dump+ and +load+
@@ -22,12 +20,12 @@ module Dry
         @digest, @serializer = digest, serializer
       end
 
-      # Generate a random key with the length requird by the current cipher,
+      # Generate a random key with the length required by the current cipher,
       # then Base64 encodes and unpacks all bytes to hex.
       #
       # @return [String] key
       def generate_key
-        unpack(encode(SecureRandom.bytes(cipher.key_len)))
+        unpack(encode(SecureRandom.bytes(@cipher.key_len)))
       end
 
       # Encrypts the object
@@ -39,15 +37,15 @@ module Dry
       # @param key [String] key (Base64 encoded and unpacked to hex)
       # @return [String] encrypted and authenticated/signed string
       def encrypt(object, key:)
-        cipher.encrypt
-        cipher.key = decoded_key = decode(pack(key.strip))
-        iv = cipher.random_iv
-        cipher.auth_data = '' if aead?
-        cipher.update(@serializer.dump(object)).then do |data|
-          data << cipher.final
+        @cipher.encrypt
+        @cipher.key = decoded_key = decode(pack(key.strip))
+        iv = @cipher.random_iv
+        @cipher.auth_data = '' if aead?
+        @cipher.update(@serializer.dump(object)).then do |data|
+          data << @cipher.final
           data = encode(data) + SEPARATOR + encode(iv)
           data << SEPARATOR + if aead?
-            encode(cipher.auth_tag)
+            encode(@cipher.auth_tag)
           else
             hmac(decoded_key, data)
           end
@@ -60,8 +58,8 @@ module Dry
       # @param key [String] key (Base64 encoded and unpacked to hex)
       # @return [Object] verified and decrypted object
       def decrypt(encrypted_object, key:)
-        cipher.decrypt
-        cipher.key = decoded_key = decode(pack(key.strip))
+        @cipher.decrypt
+        @cipher.key = decoded_key = decode(pack(key.strip))
         payload, iv, auth_tag = encrypted_object.strip.split(SEPARATOR)
         if auth_tag.nil? ||
           (aead? && decode(auth_tag).bytes.length != auth_tag_length) ||
@@ -69,13 +67,13 @@ module Dry
         then
           fail Dry::Credentials::InvalidEncryptedObjectError
         end
-        cipher.iv = decode(iv)
+        @cipher.iv = decode(iv)
         if aead?
-          cipher.auth_tag = decode(auth_tag)
-          cipher.auth_data = ''
+          @cipher.auth_tag = decode(auth_tag)
+          @cipher.auth_data = ''
         end
-        cipher.update(decode(payload)).then do |data|
-          data << cipher.final
+        @cipher.update(decode(payload)).then do |data|
+          data << @cipher.final
           @serializer.load(data)
         end
       rescue OpenSSL::Cipher::CipherError, TypeError, ArgumentError
@@ -112,7 +110,7 @@ module Dry
       # Associated Data) or not - in which case a HMAC signature using the
       # +digest+ is used instead
       def aead?
-        @auth ||= cipher.authenticated?
+        @auth ||= @cipher.authenticated?
       end
 
       def hmac(key, string)

data/lib/dry/credentials/extension.rb

@@ -36,13 +36,15 @@ module Dry
       def edit!(env=nil)
         helpers = Dry::Credentials::Helpers.new(self, env)
         create = helpers.create?
-        yaml = helpers.read_yaml
+        yaml = read_yaml = helpers.read_yaml
         begin
           yaml = helpers.edit_yaml yaml
         end until helpers.yaml_valid? yaml
-        helpers.write_yaml yaml
-        puts [helpers.key_ev, ENV[helpers.key_ev]].join('=') if create
-        reload!
+        unless yaml == read_yaml
+          helpers.write_yaml yaml
+          puts [helpers.key_ev, ENV[helpers.key_ev]].join('=') if create
+          reload!
+        end
       end
 
       # Query settings
@@ -53,6 +55,14 @@ module Dry
         @settings.send(setting)
       end
 
+      # Change settings
+      #
+      # @param setting [String] name of the setting
+      # @param value [Object] new value of the setting
+      def []=(setting, value)
+        @settings.send(setting, value)
+      end
+
     end
   end
 end

data/lib/dry/credentials/helpers.rb

@@ -75,7 +75,7 @@ module Dry
         if create?
           ENV[key_ev] = encryptor.generate_key
         else
-          ENV[key_ev]  or fail Dry::Credentials::KeyNotSetError
+          ENV[key_ev] or fail Dry::Credentials::KeyNotSetError
         end
       end
 

data/lib/dry/credentials/settings.rb

@@ -5,7 +5,7 @@ module Dry
     class Settings
 
       DEFAULT_SETTINGS = {
-        env: -> { ENV['RACK_ENV'] },
+        env: -> { ENV['APP_ENV'] },
         dir: 'config/credentials',
         cipher: 'aes-256-gcm',
         digest: 'sha256',

data/lib/dry/credentials/version.rb

@@ -2,6 +2,6 @@
 
 module Dry
   module Credentials
-    VERSION = "0.1.0"
+    VERSION = "0.2.1"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dry-credentials
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Sven Schwyn
@@ -10,27 +10,39 @@ bindir: bin
 cert_chain:
 - |
   -----BEGIN CERTIFICATE-----
-  MIIDODCCAiCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDDBhydWJ5
-  L0RDPWJpdGNldGVyYS9EQz1jb20wHhcNMjIxMTA2MTIzNjUwWhcNMjMxMTA2MTIz
-  NjUwWjAjMSEwHwYDVQQDDBhydWJ5L0RDPWJpdGNldGVyYS9EQz1jb20wggEiMA0G
+  MIIC+jCCAeKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDDBhydWJ5
+  L0RDPWJpdGNldGVyYS9EQz1jb20wHhcNMjMxMTEwMTgyMzM2WhcNMjQxMTA5MTgy
+  MzM2WjAjMSEwHwYDVQQDDBhydWJ5L0RDPWJpdGNldGVyYS9EQz1jb20wggEiMA0G
   CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcLg+IHjXYaUlTSU7R235lQKD8ZhEe
   KMhoGlSUonZ/zo1OT3KXcqTCP1iMX743xYs6upEGALCWWwq+nxvlDdnWRjF3AAv7
   ikC+Z2BEowjyeCCT/0gvn4ohKcR0JOzzRaIlFUVInlGSAHx2QHZ2N8ntf54lu7nd
   L8CiDK8rClsY4JBNGOgH9UC81f+m61UUQuTLxyM2CXfAYkj/sGNTvFRJcNX+nfdC
   hM9r2kH1+7wsa8yG7wJ2IkrzNACD8v84oE6qVusN8OLEMUI/NaEPVPbw2LUM149H
   PVa0i729A4IhroNnFNmw4wOC93ARNbM1+LW36PLMmKjKudf5Exg8VmDVAgMBAAGj
-  dzB1MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBSfK8MtR62mQ6oN
-  yoX/VKJzFjLSVDAdBgNVHREEFjAUgRJydWJ5QGJpdGNldGVyYS5jb20wHQYDVR0S
-  BBYwFIEScnVieUBiaXRjZXRlcmEuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAYG2na
-  ye8OE2DANQIFM/xDos/E4DaPWCJjX5xvFKNKHMCeQYPeZvLICCwyw2paE7Otwk6p
-  uvbg2Ks5ykXsbk5i6vxDoeeOLvmxCqI6m+tHb8v7VZtmwRJm8so0eSX0WvTaKnIf
-  CAn1bVUggczVdNoBXw9WAILKyw9bvh3Ft740XZrR74sd+m2pGwjCaM8hzLvrVbGP
-  DyYhlBeRWyQKQ0WDIsiTSRhzK8HwSTUWjvPwx7SEdIU/HZgyrk0ETObKPakVu6bH
-  kAyiRqgxF4dJviwtqI7mZIomWL63+kXLgjOjMe1SHxfIPo/0ji6+r1p4KYa7o41v
-  fwIwU1MKlFBdsjkd
+  OTA3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBSfK8MtR62mQ6oN
+  yoX/VKJzFjLSVDANBgkqhkiG9w0BAQsFAAOCAQEAXhT/LpMArF3JRcZSRkJDY+dU
+  GKCRqOefi2iydqh1yIqXyTA9PGR1w5O6O+WS1FvF+sHCwh8fFjCuStg2L8V2RSeo
+  aDtfZ5s80sL8wRFxg3kek69cBuI6ozU+rf9DaXlMES4i8+zASsdv9Y4a2BsbhEdE
+  9AtuMcWn5a45TOO0S4Q8OuV0v705V38Ow15J2RDRvkFRySt+//8/Vd57XAJxPXU0
+  k/QvZU05f6HMYBrPogJgIzHC/C5N/yeE4BVEuBDn+10Zb1iu3aDk8sd0uMgukCY8
+  TUmlP5A6NeGdeDJIoLgromAKs+nvI7TWzhQq9ODs51XhxgUFRCvBqUTpjTQigw==
   -----END CERTIFICATE-----
-date: 2023-02-22 00:00:00.000000000 Z
+date: 2024-03-06 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -74,7 +86,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: minitest-sound
+  name: minitest-flash
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -203,7 +215,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.7
+rubygems_version: 3.5.6
 signing_key:
 specification_version: 4
 summary: A mixin to use encrypted credentials in your classes