ejson_wrapper 0.3.1 → 0.4.0
- checksums.yaml +4 -4
- data/README.md +69 -12
- data/ejson_wrapper.gemspec +1 -1
- data/exe/ejson_wrapper +10 -1
- data/lib/ejson_wrapper.rb +5 -1
- data/lib/ejson_wrapper/decrypt_private_key_with_kms.rb +1 -1
- data/lib/ejson_wrapper/version.rb +1 -1
- metadata +7 -7
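--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 03540eb1e0282e58213d51685b2737acf75b7ee9d93ffe8f6fe9fe2f271e7cc6
+data.tar.gz: 5f243301d52eeac7ddc77212669b4cdfcb0487d0b92a42bb08ccc1d5a32777fa
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: fbd749781614f53594e33de22e97cf2e93b47f9267d6a8dfb7b2919668bfb18fcdc7320de17a1ce8a6195eff69c51283a0116a0f6c492e79754a6f6524d14fb5
+data.tar.gz: 18d62cd0be9556d80c38057882d1ba414d93497e1c9a3c1c5cbb259471ad4e107a625f229178c39af02c9932ef2bf7841671e443d4370c4200a4a897217f81e3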
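--- a/data/README.md
+++ b/data/README.md
@@ -1,6 +1,11 @@
-#
+# EJSON Wrapper
 
-Wraps the
+Wraps the [`ejson`](https://github.com/Shopify/ejson) program to safely execute it and parse the resulting JSON. Additionally it offers a feature to encrypt/decrypt secrets with encrypted private key using AWS KMS.
+
+## Prerequisites
+
+* [`ejson`](https://github.com/Shopify/ejson) application
+* Path to `ejson` binary is included in `PATH` environment variable
 
 ## Installation
 
@@ -12,17 +17,23 @@ gem 'ejson_wrapper'
 
 And then execute:
 
-
+```
+$ bundle
+```
 
 Or install it yourself as:
 
-
+```
+$ gem install ejson_wrapper
+```
 
 ## Usage
 
 ### Decrypting EJSON files
 
-
+Ensure your application has [AWS IAM Permission to decrypt with KMS](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-encrypt-decrypt-specific-cmks).
+
+In Ruby code:
 
 ```
 # Private key is in /opt/ejson/keys
@@ -48,24 +59,70 @@ Command line:
 # decrypt all
 $ ejson_wrapper decrypt --file file.ejson --region us-east-1
 {
-"
+"my_api_key": "[secret]"
 }
 
 # decrypt & extract a specific secret
-$ ejson_wrapper decrypt --file file.ejson --region us-east-1 --secret
-[
+$ ejson_wrapper decrypt --file file.ejson --region us-east-1 --secret my_api_key
+[secret]
 ```
 
 ### Generating EJSON files
 
+Ensure your application has [AWS IAM Permission to encrypt with KMS](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-encrypt-decrypt-specific-cmks).
+
+Firstly, the EJSON is generated to have public key and Base64 encoded & encrypted private key in `_public_key` and `_private_key_enc` respectively with:
+
+Using CLI:
+
+```
+$ ejson_wrapper generate --region $AWS_REGION --kms-key-id [key_id] --file myfile.ejson
+Generated EJSON file myfile.ejson
 ```
-$ ejson_wrapper generate --region ap-southeast-2 --kms-key-id [key_id] --file file.ejson
-Generated EJSON file file.ejson
 
-
+OR Ruby code:
+
+```
+# Generate encrypted EJSON file (overwritting the unencrypted EJSON file)
+EJSONWrapper.generate(region: ENV['AWS_REGION'], kms_key_id: 'key_id', file: 'myfile.ejson')
+=> Generated EJSON file myfile.ejson
+```
+
+Verify to ensure the new file contain the two required keys:
+
+```
+$ cat myfile.ejson
+{
+"_public_key": "[public_key]",
+"_private_key_enc":"[base64_encoded_encrypted_private_key]",
+}
+```
+
+You now can add secrets into the EJSON file, in following example `my_api_key` in plaintext entry is added:
+
+```
+# myfile.ejson
+{
+"_public_key": "[public_key]",
+"_private_key_enc":"[base64_encoded_encrypted_private_key]",
+"my_api_key": "plaintext"
+}
+```
+
+to encrypt the secrets, run following command:
+
+```
+$ ejson encrypt myfile.ejson
+```
+
+Verify to ensure the secret is encrypted correctly:
+
+```
+$ cat myfile.ejson
 {
 "_public_key": "[public_key]",
-"_private_key_enc":"[
+"_private_key_enc":"[base64_encoded_encrypted_private_key]",
+"my_api_key": "encrypted_secret"
 }
 ```
 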
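--- a/data/ejson_wrapper.gemspec
+++ b/data/ejson_wrapper.gemspec
@@ -29,7 +29,7 @@ Gem::Specification.new do |spec|
 
 spec.add_dependency "ejson"
 spec.add_dependency "aws-sdk-kms"
-spec.add_development_dependency "bundler"
+spec.add_development_dependency "bundler"
 spec.add_development_dependency "rake", "~> 10.0"
 spec.add_development_dependency "rspec", "~> 3.0"
 spec.add_development_dependency "pry"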
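--- a/data/exe/ejson_wrapper
+++ b/data/exe/ejson_wrapper
@@ -10,7 +10,7 @@ options = {
 kms_key_id: nil
 }
 option_parser = OptionParser.new do |opts|
-opts.banner = 'Usage: ejson_wrapper generate [options]'
+opts.banner = 'Usage: ejson_wrapper {generate,decrypt,reveal_key} [options]'
 
 opts.on('--region R', String, 'AWS Region') do |v|
 options[:region] = v
@@ -68,6 +68,15 @@ when 'decrypt'
 else
 puts JSON.pretty_generate(decrypted_secrets)
 end
+
+when 'reveal_key'
+begin
+puts EJSONWrapper.private_key_decrypted(options[:file], region: options[:region])
+rescue Errno::ENOENT
+STDERR.puts "Secrets file not found"
+exit 1
+end
+
 else
 STDERR.puts option_parser.banner
 exit 1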
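Review bot: The new `reveal_key` branch rescues only `Errno::ENOENT`, yet the decrypt_private_key_with_kms.rb hunk in this same commit shows `PrivateKeyNotFound` being raised when the file has no `KEY` entry, so that case (and, it looks like, a missing `--file`, which would reach `File.read(nil)`) ends in an uncaught backtrace rather than the concise stderr message the `ENOENT` path gives. I would add a second clause after `rescue Errno::ENOENT`, e.g. `rescue EJSONWrapper::PrivateKeyNotFound => e` / `STDERR.puts e.message` / `exit 1`, adjusting the constant's namespace to wherever it is actually defined. This subcommand also writes the KMS-decrypted ejson private key to stdout in the clear, which deserves a one-line comment above the branch such as `# Prints the KMS-decrypted ejson private key in plaintext; treat the output as a secret.` and a mention in the README, whose hunk in this commit does not document `reveal_key`. The enclosing `case` statement begins before this hunk.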
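--- a/data/lib/ejson_wrapper.rb
+++ b/data/lib/ejson_wrapper.rb
@@ -6,7 +6,7 @@ require "ejson_wrapper/generate"
 module EJSONWrapper
 def self.decrypt(file_path, key_dir: nil, private_key: nil, use_kms: false, region: nil)
 if use_kms
-private_key =
+private_key = private_key_decrypted(file_path, region: region)
 end
 DecryptEJSONFile.call(file_path, key_dir: key_dir, private_key: private_key)
 end
@@ -14,4 +14,8 @@ module EJSONWrapper
 def self.generate(**args)
 Generate.new.call(**args)
 end
+
+def self.private_key_decrypted(file_path, region: nil)
+DecryptPrivateKeyWithKMS.call(file_path, region: region)
+end
 end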
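Review bot: `private_key_decrypted` is added as a public module method with no documentation, and since it hands back the plaintext ejson private key (via `DecryptPrivateKeyWithKMS.call`) callers need to know what they are holding. I would add a YARD comment above it along the lines of `# Decrypts the KEY entry (`_private_key_enc` per the README) of the given ejson file via AWS KMS and returns the plaintext private key; raises PrivateKeyNotFound when that entry is absent. Treat the return value as a secret.` The `region: nil` default is passed straight through to `DecryptPrivateKeyWithKMS#call`, whose `region:` keyword in the other hunk has no default, so it is also worth stating what a nil region means (presumably the SDK's own region resolution, which I cannot confirm from this diff).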
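--- a/data/lib/ejson_wrapper/decrypt_private_key_with_kms.rb
+++ b/data/lib/ejson_wrapper/decrypt_private_key_with_kms.rb
@@ -14,7 +14,7 @@ module EJSONWrapper
 def call(ejson_file_path, region:)
 ejson_hash = JSON.parse(File.read(ejson_file_path))
 encrypted_private_key = ejson_hash.fetch(KEY) do
-raise PrivateKeyNotFound, "Private key was not found in ejson file under key #{
+raise PrivateKeyNotFound, "Private key was not found in ejson file under key #{KEY}"
 end
 decrypt(Base64.decode64(encrypted_private_key), region: region)
 end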
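--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ejson_wrapper
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.4.0
 platform: ruby
 authors:
 - Steve Hodgkiss
 autorequire:
 bindir: exe
 cert_chain: []
-date:
+date: 2019-08-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: ejson
@@ -42,16 +42,16 @@ dependencies:
 name: bundler
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">="
 - !ruby/object:Gem::Version
-version: '
+version: '0'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">="
 - !ruby/object:Gem::Version
-version: '
+version: '0'
 - !ruby/object:Gem::Dependency
 name: rake
 requirement: !ruby/object:Gem::Requirement
@@ -137,7 +137,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.7.6
+rubygems_version: 2.7.6.2
 signing_key:
 specification_version: 4
 summary: Invoke EJSON from Ruby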