dry-credentials 0.3.1 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '059c7a02cdb5b067ad93852c53e2249da715146753df8257eb0f64263f80a392'
-  data.tar.gz: 54ab5c829f2f9bdf0543832f0f8eb292d586a4e5a0ad41d95a9e10696428312e
+  metadata.gz: 428ea0b2385819b812ad62af920ee88b852e1306560aa15fb680d2b3a5edae08
+  data.tar.gz: aecced4b5e35e8ebaa987dbffd0a71ac19e2d444db812cd4605701938e9131e7
 SHA512:
-  metadata.gz: '063048e5fec98ca9cde997657b3a3afd1ef58040a4536cb9721cfe4c0f0a5f5e4d453db754aa147c2900b9045c8ad9ce9115f436d44cc769c2b81d65677bc053'
-  data.tar.gz: 5b9203d7e779263e1faa8ec810882aa8bb51da7e663cc7667e9284549925a861aa96a56334c0c23c34f97d560a86468cb82a66a7f35797cf6d3dab50820df531
+  metadata.gz: c2fd0a0324bbea4a1ddf74fef14d64b269912eb209cf4154fe97354231408e71955ac95d6927f9d38741e148a7a047e401f5c22ca6baad6cf449035ed751807f
+  data.tar.gz: ab0dc642e603123d8d2c53575c1dd7a5cb632fcc3f1fd5f3352ecf1b7a2569371fe1aead616bcb09312912993b9a0b8f320c69efb86a97615ef7a15fdfdbf8da

checksums.yaml.gz.sig

@@ -1 +1 @@
-o�j=��]Vdw2�']D�$U��݌����hvhzI��U�v�A�{.2�HCԟ����Q�g֨�����Q���\M�GF��k�U���m�ВT��b��Rj��B)͒}�8��@;ۮ-	��t���
ǚ]7n����3�<�kA�b�3R���i6�w� G��v�c�>$e
[��{7����ؐj7�#L:
+�rҗ$�:/|��s��IO2+9���ALq[���j���*�T�@��&W�_���������x���SCU>K�s��-����{�b�l"���i�q4���f��,z$���FF��7H���ʑh,RW���$�ui�� d�	3�y'�!���"(9 si�$F�y.N~_])�!y8R�ɏb�K�2�rz�j[����BKpv���&��pp�6�C6��yq���|�#`���)�UB7�颠u����/سnI��

data/CHANGELOG.md

@@ -2,39 +2,38 @@
 
 Nothing so far
 
+## 0.4.0
+
+#### Additions
+* Dynamic secrets
+
 ## 0.3.1
 
-Nothing so far
+#### Changes
+* Update Ruby to 3.4
 
 ## 0.3.0
 
 #### Additions
-
 * Support generic fallback environment variable +CREDENTIALS_KEY+
 
 ## 0.2.1
 
-## 0.2.1
-
 #### Additions
-
 * Add square brackets setter for settings
 * Explain integrations for Bridgetown, Hanami 2 and Rodbot
 
 ## 0.2.0
 
 #### Breaking changes
-
 * Fall back to `APP_ENV` instead of `RACK_ENV`
 
 #### Fixes
-
 * Don't re-encrypt if credentials haven't been modified
 
 ## 0.1.0
 
 #### Initial implementation
-
 * Require Ruby 3.0 or newer
 * Class mixin featuring the `credentials` macro:
   * Block to change (default) settings such as the cipher

data/README.md

@@ -122,7 +122,7 @@ By default, the current environment is read from `APP_ENV`. You shouldn't use `R
 
 ⚠️ For safety reasons, don't share the same key across multiple environments!
 
-## Reload Credentials
+## Reload credentials
 
 The credentials are lazy loaded when queried for the first time. After that, changes in the encrypted credentials files are not taken into account at runtime for efficiency reasons.
 
@@ -134,7 +134,7 @@ App.credentials.reload!
 
 The reload is not done immediately but the next time credentials are queried.
 
-## Edit Credentials
+## Edit credentials
 
 This gem does not provide any CLI tools to edit the credentials. You should integrate it into your app instead e.g. with a Rake task or an extension to the CLI tool of the app framework you're using.
 
@@ -146,6 +146,40 @@ App.credentials.edit! "production"
 
 Editing credentials implicitly schedules a `reload!`.
 
+## Dynamic secrets
+
+In case you have to partition secrets beyond environments, you can set dynamic secrets which are composed on the fly. Here's an example.
+
+You want to be able to connect to a shared database for the test environment, but the database URL differs whether you run the tests locally or on your favourite CI platform. To differ between the two, you set an environment variable `CONTEXT` which is either `local` or `ci` and you defined the secrets accordingly:
+
+```yaml
+database_url:
+  local: postgres://localhost:5432/example
+  ci: postgres://testuser:testpassword@remote.db.example.com:5432/example
+```
+
+To get the actual database URL, you have to:
+
+```ruby
+App.credentials.database_url.send(ENV['CONTEXT'])
+```
+
+This is okay, but it may grow a lot longer and less readable in a real app. Enter dynamic secrets which are composed according to your needs:
+
+```ruby
+App.credentials.define! :current_database_url do |credentials|
+  credentials.database_url.send(ENV['CONTEXT'])
+end
+```
+
+Dynamic secrets are then available like any other secret, however, the block is called every time you query the dynamic secret:
+
+```ruby
+App.credentials.current_database_url   # => "postgres://localhost..."
+```
+
+⚠️ Don't try to use the same key for a dynamic secret as for an existing regular one since this could create an endless loop and therefore any such attempt will raise a `Dry::Credentials::DefineError`.
+
 ## Settings
 
 If you have to, you can access the settings programmatically:
@@ -180,7 +214,9 @@ To use credentials in a [Hanami 2](https//hanami.org) app, first add this gem to
 Hanami.app.register_provider :credentials do
   prepare do
     require "dry-credentials"
+  end
 
+  start do
     Dry::Credentials::Extension.new.then do |credentials|
       credentials[:env] = Hanami.env
       credentials[:dir] = Hanami.app.root.join(credentials[:dir])
@@ -263,7 +299,7 @@ end
 
 ### Ruby on Rails
 
-ActiveSupport implements [encrypted configuration](https://www.rubydoc.info/gems/activesupport/ActiveSupport/EncryptedConfiguration) which is used by `rails credentials:edit` [out of the box]((https://guides.rubyonrails.org/security.html#custom-credentials)). There's no benefit from introducing an additional dependency like Dry::Credentials.
+ActiveSupport implements [encrypted configuration](https://www.rubydoc.info/gems/activesupport/ActiveSupport/EncryptedConfiguration) which is used by `rails credentials:edit` [out of the box]((https://guides.rubyonrails.org/security.html#custom-credentials)). There not much benefit from introducing Dry::Credentials as an additional dependency.
 
 ### Rodbot
 

data/lib/dry/credentials/errors.rb

@@ -21,5 +21,9 @@ module Dry
     class YAMLFormatError < StandardError
       def initialize(msg='top level must be a dictionary') = super
     end
+
+    class DefineError < StandardError
+      def initialize(msg='cowardly refusing to redefine existing key') = super
+    end
   end
 end

data/lib/dry/credentials/extension.rb

@@ -47,6 +47,20 @@ module Dry
         end
       end
 
+      # Define a dynamic secret
+      #
+      # @param key [Symbol, String] name of the dynamic secret
+      # @yield [Dry::Credentials::Extension] compose the dynamic secret using
+      #   the static credentials yielded and other inputs such as `ENV`
+      # @yieldreturn [Object] dynamic secret
+      # @raise [Types] description
+      # @return [self]
+      def define!(key, &block)
+        fail Dry::Credentials::DefineError if respond_to? key
+        define_singleton_method(key) { block.call(self) }
+        self
+      end
+
       # Query settings
       #
       # @param setting [String] name of the setting

data/lib/dry/credentials/version.rb

@@ -2,6 +2,6 @@
 
 module Dry
   module Credentials
-    VERSION = "0.3.1"
+    VERSION = "0.4.0"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dry-credentials
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Sven Schwyn
@@ -28,7 +28,7 @@ cert_chain:
   jTyRsT1gymASS2KHe+BaCTwD74GqO8q4woYLZgXnJ/PvgcFgY2FEi2Kn/sXLp4JE
   boIgxQCMT+nxBHCD
   -----END CERTIFICATE-----
-date: 2024-12-25 00:00:00.000000000 Z
+date: 2025-01-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64