ejson_wrapper 0.3.1 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4da8151cb31c1a65a18b01e0e16833567bccd5d44c5bd31a9a0bd03e51b363ff
-  data.tar.gz: 297da1cbce75a75deb42110631903c342f372fb28beee2da8ace8863cefa7bcc
+  metadata.gz: 03540eb1e0282e58213d51685b2737acf75b7ee9d93ffe8f6fe9fe2f271e7cc6
+  data.tar.gz: 5f243301d52eeac7ddc77212669b4cdfcb0487d0b92a42bb08ccc1d5a32777fa
 SHA512:
-  metadata.gz: 444befc48197ce281f1ff2e1887375fb50aded70e4d39d84dca4749137f7a8755b0b8b2686cd2888d1395b1b2ceda7389f0ee6380071ad7c99e3471fe1e39eef
-  data.tar.gz: 0131ad60f86e89efa9872b310aa10557047af9e74099d1c928a20a17c832150ff4ad5ad616f7c1616abe3fcfccbeaa4e7b4ec879b28e491ddc2089118ff7d9be
+  metadata.gz: fbd749781614f53594e33de22e97cf2e93b47f9267d6a8dfb7b2919668bfb18fcdc7320de17a1ce8a6195eff69c51283a0116a0f6c492e79754a6f6524d14fb5
+  data.tar.gz: 18d62cd0be9556d80c38057882d1ba414d93497e1c9a3c1c5cbb259471ad4e107a625f229178c39af02c9932ef2bf7841671e443d4370c4200a4a897217f81e3

data/README.md

@@ -1,6 +1,11 @@
-# EjsonWrapper
+# EJSON Wrapper
 
-Wraps the EJSON go program to safely execute it and parse the resulting JSON.
+Wraps the [`ejson`](https://github.com/Shopify/ejson) program to safely execute it and parse the resulting JSON. Additionally it offers a feature to encrypt/decrypt secrets with encrypted private key using AWS KMS.
+
+## Prerequisites
+
+* [`ejson`](https://github.com/Shopify/ejson) application
+* Path to `ejson` binary is included in `PATH` environment variable
 
 ## Installation
 
@@ -12,17 +17,23 @@ gem 'ejson_wrapper'
 
 And then execute:
 
-    $ bundle
+```
+$ bundle
+```
 
 Or install it yourself as:
 
-    $ gem install ejson_wrapper
+```
+$ gem install ejson_wrapper
+```
 
 ## Usage
 
 ### Decrypting EJSON files
 
-From Ruby:
+Ensure your application has [AWS IAM Permission to decrypt with KMS](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-encrypt-decrypt-specific-cmks).
+
+In Ruby code:
 
 ```
 # Private key is in /opt/ejson/keys
@@ -48,24 +59,70 @@ Command line:
 # decrypt all
 $ ejson_wrapper decrypt --file file.ejson --region us-east-1
 {
-  "datadog_api_token": "[datadog_api_token]"
+  "my_api_key": "[secret]"
 }
 
 # decrypt & extract a specific secret
-$ ejson_wrapper decrypt --file file.ejson --region us-east-1 --secret datadog_api_token
-[datadog_api_token]
+$ ejson_wrapper decrypt --file file.ejson --region us-east-1 --secret my_api_key
+[secret]
 ```
 
 ### Generating EJSON files
 
+Ensure your application has [AWS IAM Permission to encrypt with KMS](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-encrypt-decrypt-specific-cmks).
+
+Firstly, the EJSON is generated to have public key and Base64 encoded & encrypted private key in `_public_key` and `_private_key_enc` respectively with:
+
+Using CLI:
+
+```
+$ ejson_wrapper generate --region $AWS_REGION --kms-key-id [key_id] --file myfile.ejson
+Generated EJSON file myfile.ejson
 ```
-$ ejson_wrapper generate --region ap-southeast-2 --kms-key-id [key_id] --file file.ejson
-Generated EJSON file file.ejson
 
-$ cat file.ejson
+OR Ruby code:
+
+```
+# Generate encrypted EJSON file (overwritting the unencrypted EJSON file)
+EJSONWrapper.generate(region: ENV['AWS_REGION'], kms_key_id: 'key_id', file: 'myfile.ejson')
+=> Generated EJSON file myfile.ejson
+```
+
+Verify to ensure the new file contain the two required keys:
+
+```
+$ cat myfile.ejson
+{
+  "_public_key": "[public_key]",
+  "_private_key_enc":"[base64_encoded_encrypted_private_key]",
+}
+```
+
+You now can add secrets into the EJSON file, in following example `my_api_key` in plaintext entry is added:
+
+```
+# myfile.ejson
+{
+  "_public_key": "[public_key]",
+  "_private_key_enc":"[base64_encoded_encrypted_private_key]",
+  "my_api_key": "plaintext"
+}
+```
+
+to encrypt the secrets, run following command:
+
+```
+$ ejson encrypt myfile.ejson
+```
+
+Verify to ensure the secret is encrypted correctly:
+
+```
+$ cat myfile.ejson
 {
   "_public_key": "[public_key]",
-  "_private_key_enc":"[encrypted_private_key]"
+  "_private_key_enc":"[base64_encoded_encrypted_private_key]",
+  "my_api_key": "encrypted_secret"
 }
 ```
 

data/ejson_wrapper.gemspec

@@ -29,7 +29,7 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency "ejson"
   spec.add_dependency "aws-sdk-kms"
-  spec.add_development_dependency "bundler", "~> 1.15"
+  spec.add_development_dependency "bundler"
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "rspec", "~> 3.0"
   spec.add_development_dependency "pry"

data/exe/ejson_wrapper

@@ -10,7 +10,7 @@ options = {
   kms_key_id: nil
 }
 option_parser = OptionParser.new do |opts|
-  opts.banner = 'Usage: ejson_wrapper generate [options]'
+  opts.banner = 'Usage: ejson_wrapper {generate,decrypt,reveal_key} [options]'
 
   opts.on('--region R', String, 'AWS Region') do |v|
     options[:region] = v
@@ -68,6 +68,15 @@ when 'decrypt'
   else
     puts JSON.pretty_generate(decrypted_secrets)
   end
+
+when 'reveal_key'
+  begin
+    puts EJSONWrapper.private_key_decrypted(options[:file], region: options[:region])
+  rescue Errno::ENOENT
+    STDERR.puts "Secrets file not found"
+    exit 1
+  end
+
 else
   STDERR.puts option_parser.banner
   exit 1

data/lib/ejson_wrapper.rb

@@ -6,7 +6,7 @@ require "ejson_wrapper/generate"
 module EJSONWrapper
   def self.decrypt(file_path, key_dir: nil, private_key: nil, use_kms: false, region: nil)
     if use_kms
-      private_key = DecryptPrivateKeyWithKMS.call(file_path, region: region)
+      private_key = private_key_decrypted(file_path, region: region)
     end
     DecryptEJSONFile.call(file_path, key_dir: key_dir, private_key: private_key)
   end
@@ -14,4 +14,8 @@ module EJSONWrapper
   def self.generate(**args)
     Generate.new.call(**args)
   end
+
+  def self.private_key_decrypted(file_path, region: nil)
+    DecryptPrivateKeyWithKMS.call(file_path, region: region)
+  end
 end

data/lib/ejson_wrapper/decrypt_private_key_with_kms.rb

@@ -14,7 +14,7 @@ module EJSONWrapper
     def call(ejson_file_path, region:)
       ejson_hash = JSON.parse(File.read(ejson_file_path))
       encrypted_private_key = ejson_hash.fetch(KEY) do
-        raise PrivateKeyNotFound, "Private key was not found in ejson file under key #{key}"
+        raise PrivateKeyNotFound, "Private key was not found in ejson file under key #{KEY}"
       end
       decrypt(Base64.decode64(encrypted_private_key), region: region)
     end

data/lib/ejson_wrapper/version.rb

@@ -1,3 +1,3 @@
 module EjsonWrapper
-  VERSION = "0.3.1"
+  VERSION = "0.4.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ejson_wrapper
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Steve Hodgkiss
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-09-06 00:00:00.000000000 Z
+date: 2019-08-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ejson
@@ -42,16 +42,16 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.15'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.15'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -137,7 +137,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 2.7.6.2
 signing_key: 
 specification_version: 4
 summary: Invoke EJSON from Ruby