dry-credentials 0.3.1 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '059c7a02cdb5b067ad93852c53e2249da715146753df8257eb0f64263f80a392'
-  data.tar.gz: 54ab5c829f2f9bdf0543832f0f8eb292d586a4e5a0ad41d95a9e10696428312e
+  metadata.gz: '083daca34bc70e83df585d9dc978c6ca640f6871b88be092058b33e61dfdbfc6'
+  data.tar.gz: 6f39399a6063d42e39f6f3d6128f042eb7d1c54f828deaa60f0345b3d106b2be
 SHA512:
-  metadata.gz: '063048e5fec98ca9cde997657b3a3afd1ef58040a4536cb9721cfe4c0f0a5f5e4d453db754aa147c2900b9045c8ad9ce9115f436d44cc769c2b81d65677bc053'
-  data.tar.gz: 5b9203d7e779263e1faa8ec810882aa8bb51da7e663cc7667e9284549925a861aa96a56334c0c23c34f97d560a86468cb82a66a7f35797cf6d3dab50820df531
+  metadata.gz: 42ce1b8de4cb29e0ce70a0365ff51ea7738a552e81e08fded3c530bb9fe6395f744453f7d7e9d4ac59a14ed46d8e4f04782b28e2b4eb31278182970e745ac7d0
+  data.tar.gz: 7191f924aea1f515ac35ea82236286095370904c8a1bcf4cd791a1b20e3a0571314fdc0731bf480076c97cfa2bc152508820e01bfbea0c51ef71ce1b390242ba

data/CHANGELOG.md

@@ -2,39 +2,44 @@
 
 Nothing so far
 
+## 0.5.0
+
+### Changes
+* Drop certs
+* Add action for trusted release
+
+## 0.4.0
+
+### Additions
+* Dynamic secrets
+
 ## 0.3.1
 
-Nothing so far
+### Changes
+* Update Ruby to 3.4
 
 ## 0.3.0
 
-#### Additions
-
+### Additions
 * Support generic fallback environment variable +CREDENTIALS_KEY+
 
 ## 0.2.1
 
-## 0.2.1
-
-#### Additions
-
+### Additions
 * Add square brackets setter for settings
 * Explain integrations for Bridgetown, Hanami 2 and Rodbot
 
 ## 0.2.0
 
-#### Breaking changes
-
+### Breaking changes
 * Fall back to `APP_ENV` instead of `RACK_ENV`
 
-#### Fixes
-
+### Fixes
 * Don't re-encrypt if credentials haven't been modified
 
 ## 0.1.0
 
-#### Initial implementation
-
+### Initial implementation
 * Require Ruby 3.0 or newer
 * Class mixin featuring the `credentials` macro:
   * Block to change (default) settings such as the cipher

data/README.md

@@ -17,16 +17,6 @@ Thank you for supporting free and open-source software by sponsoring on [GitHub]
 
 ## Install
 
-### Security
-
-This gem is [cryptographically signed](https://guides.rubygems.org/security/#using-gems) in order to assure it hasn't been tampered with. Unless already done, please add the author's public key as a trusted certificate now:
-
-```
-gem cert --add <(curl -Ls https://raw.github.com/svoop/dry-credentials/main/certs/svoop.pem)
-```
-
-### Bundler
-
 Add the following to the <tt>Gemfile</tt> or <tt>gems.rb</tt> of your [Bundler](https://bundler.io) powered Ruby project:
 
 ```ruby
@@ -36,7 +26,7 @@ gem 'dry-credentials'
 And then install the bundle:
 
 ```
-bundle install --trust-policy MediumSecurity
+bundle install
 ```
 
 See [Integrations](#integrations) below for how to integrate Dry::Credentials into frameworks.
@@ -122,7 +112,7 @@ By default, the current environment is read from `APP_ENV`. You shouldn't use `R
 
 ⚠️ For safety reasons, don't share the same key across multiple environments!
 
-## Reload Credentials
+## Reload credentials
 
 The credentials are lazy loaded when queried for the first time. After that, changes in the encrypted credentials files are not taken into account at runtime for efficiency reasons.
 
@@ -134,7 +124,7 @@ App.credentials.reload!
 
 The reload is not done immediately but the next time credentials are queried.
 
-## Edit Credentials
+## Edit credentials
 
 This gem does not provide any CLI tools to edit the credentials. You should integrate it into your app instead e.g. with a Rake task or an extension to the CLI tool of the app framework you're using.
 
@@ -146,6 +136,40 @@ App.credentials.edit! "production"
 
 Editing credentials implicitly schedules a `reload!`.
 
+## Dynamic secrets
+
+In case you have to partition secrets beyond environments, you can set dynamic secrets which are composed on the fly. Here's an example.
+
+You want to be able to connect to a shared database for the test environment, but the database URL differs whether you run the tests locally or on your favourite CI platform. To differ between the two, you set an environment variable `CONTEXT` which is either `local` or `ci` and you defined the secrets accordingly:
+
+```yaml
+database_url:
+  local: postgres://localhost:5432/example
+  ci: postgres://testuser:testpassword@remote.db.example.com:5432/example
+```
+
+To get the actual database URL, you have to:
+
+```ruby
+App.credentials.database_url.send(ENV['CONTEXT'])
+```
+
+This is okay, but it may grow a lot longer and less readable in a real app. Enter dynamic secrets which are composed according to your needs:
+
+```ruby
+App.credentials.define! :current_database_url do |credentials|
+  credentials.database_url.send(ENV['CONTEXT'])
+end
+```
+
+Dynamic secrets are then available like any other secret, however, the block is called every time you query the dynamic secret:
+
+```ruby
+App.credentials.current_database_url   # => "postgres://localhost..."
+```
+
+⚠️ Don't try to use the same key for a dynamic secret as for an existing regular one since this could create an endless loop and therefore any such attempt will raise a `Dry::Credentials::DefineError`.
+
 ## Settings
 
 If you have to, you can access the settings programmatically:
@@ -180,7 +204,9 @@ To use credentials in a [Hanami 2](https//hanami.org) app, first add this gem to
 Hanami.app.register_provider :credentials do
   prepare do
     require "dry-credentials"
+  end
 
+  start do
     Dry::Credentials::Extension.new.then do |credentials|
       credentials[:env] = Hanami.env
       credentials[:dir] = Hanami.app.root.join(credentials[:dir])
@@ -263,7 +289,7 @@ end
 
 ### Ruby on Rails
 
-ActiveSupport implements [encrypted configuration](https://www.rubydoc.info/gems/activesupport/ActiveSupport/EncryptedConfiguration) which is used by `rails credentials:edit` [out of the box]((https://guides.rubyonrails.org/security.html#custom-credentials)). There's no benefit from introducing an additional dependency like Dry::Credentials.
+ActiveSupport implements [encrypted configuration](https://www.rubydoc.info/gems/activesupport/ActiveSupport/EncryptedConfiguration) which is used by `rails credentials:edit` [out of the box]((https://guides.rubyonrails.org/security.html#custom-credentials)). There not much benefit from introducing Dry::Credentials as an additional dependency.
 
 ### Rodbot
 

data/lib/dry/credentials/errors.rb

@@ -21,5 +21,9 @@ module Dry
     class YAMLFormatError < StandardError
       def initialize(msg='top level must be a dictionary') = super
     end
+
+    class DefineError < StandardError
+      def initialize(msg='cowardly refusing to redefine existing key') = super
+    end
   end
 end

data/lib/dry/credentials/extension.rb

@@ -47,6 +47,20 @@ module Dry
         end
       end
 
+      # Define a dynamic secret
+      #
+      # @param key [Symbol, String] name of the dynamic secret
+      # @yield [Dry::Credentials::Extension] compose the dynamic secret using
+      #   the static credentials yielded and other inputs such as `ENV`
+      # @yieldreturn [Object] dynamic secret
+      # @raise [Types] description
+      # @return [self]
+      def define!(key, &block)
+        fail Dry::Credentials::DefineError if respond_to? key
+        define_singleton_method(key) { block.call(self) }
+        self
+      end
+
       # Query settings
       #
       # @param setting [String] name of the setting

data/lib/dry/credentials/version.rb

@@ -2,6 +2,6 @@
 
 module Dry
   module Credentials
-    VERSION = "0.3.1"
+    VERSION = "0.5.0"
   end
 end

metadata

@@ -1,34 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: dry-credentials
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.5.0
 platform: ruby
 authors:
 - Sven Schwyn
 bindir: bin
-cert_chain:
-- |
-  -----BEGIN CERTIFICATE-----
-  MIIDODCCAiCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDDBhydWJ5
-  L0RDPWJpdGNldGVyYS9EQz1jb20wHhcNMjQxMTIwMjExMDIwWhcNMjUxMTIwMjEx
-  MDIwWjAjMSEwHwYDVQQDDBhydWJ5L0RDPWJpdGNldGVyYS9EQz1jb20wggEiMA0G
-  CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcLg+IHjXYaUlTSU7R235lQKD8ZhEe
-  KMhoGlSUonZ/zo1OT3KXcqTCP1iMX743xYs6upEGALCWWwq+nxvlDdnWRjF3AAv7
-  ikC+Z2BEowjyeCCT/0gvn4ohKcR0JOzzRaIlFUVInlGSAHx2QHZ2N8ntf54lu7nd
-  L8CiDK8rClsY4JBNGOgH9UC81f+m61UUQuTLxyM2CXfAYkj/sGNTvFRJcNX+nfdC
-  hM9r2kH1+7wsa8yG7wJ2IkrzNACD8v84oE6qVusN8OLEMUI/NaEPVPbw2LUM149H
-  PVa0i729A4IhroNnFNmw4wOC93ARNbM1+LW36PLMmKjKudf5Exg8VmDVAgMBAAGj
-  dzB1MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBSfK8MtR62mQ6oN
-  yoX/VKJzFjLSVDAdBgNVHREEFjAUgRJydWJ5QGJpdGNldGVyYS5jb20wHQYDVR0S
-  BBYwFIEScnVieUBiaXRjZXRlcmEuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQDSeB1x
-  8QK8F/ML37isgvwGiQxovDUqu6Sq14cQ1qE9y5prUBmL2AsDuCBpXXctcvamFqNC
-  PgfJtj7ZZcXmY0SfKCog7T1btkr6zYxPXpxwUqB45n0I6v5qc0UCNvMEfBzxlak5
-  VW7UMNlKD9qukeN55hxuLF2F/sLldMcHUo/ATgdV4zk1t3sK6A9+02wz5K5qfWdM
-  Mi+XWXmGd57uojk3RcIXNwBRRP4DTKcKgVXhuyHb7q1vjTXrS6bw1Ortu0KmWOIk
-  jTyRsT1gymASS2KHe+BaCTwD74GqO8q4woYLZgXnJ/PvgcFgY2FEi2Kn/sXLp4JE
-  boIgxQCMT+nxBHCD
-  -----END CERTIFICATE-----
-date: 2024-12-25 00:00:00.000000000 Z
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -183,9 +162,9 @@ email:
 executables: []
 extensions: []
 extra_rdoc_files:
-- README.md
 - CHANGELOG.md
 - LICENSE.txt
+- README.md
 files:
 - CHANGELOG.md
 - LICENSE.txt
@@ -229,7 +208,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.6.9
 specification_version: 4
 summary: A mixin to use encrypted credentials in your classes
 test_files: []

checksums.yaml.gz.sig

@@ -1 +0,0 @@
-o�j=��]Vdw2�']D�$U��݌����hvhzI��U�v�A�{.2�HCԟ����Q�g֨�����Q���\M�GF��k�U���m�ВT��b��Rj��B)͒}�8��@;ۮ-	��t���
ǚ]7n����3�<�kA�b�3R���i6�w� G��v�c�>$e
[��{7����ؐj7�#L:

data.tar.gz.sig

@@ -1 +0,0 @@
-�]Hr���s�y���7u��B�]�)C�x�ʁҭ��a����~���E�2�C�v*��}�Q�~�q��3C�ʕ�tG����NQ��pO��uŠC�y��EFb��'|܄W%Ȳ,��ǂ���0���2g��G�JŽ�B��d�{��R"�p��k�d�rηixa��2JgJ�z�������ID,�3(&O��I�{��쒜s)�a�r��l�-�ho�,���S>�g�*�����]��Q�`R��t33������e��