RubyGems - envault - Versions diffs - 0.1.2 → 0.2.0 - Mend

envault 0.1.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/README.md +4 -3
data/lib/envault.rb +2 -0
data/lib/envault/cli.rb +2 -2
data/lib/envault/core.rb +29 -9
data/lib/envault/cryptor/kms.rb +25 -0
data/lib/envault/cryptor/simple.rb +28 -0
data/lib/envault/version.rb +1 -1
metadata +4 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 757090d8bcabe91360234365ab3116b6aa3f6415
-  data.tar.gz: 682ef720920077640cdaba1038f14fec6cf52152
+  metadata.gz: 316e360329e9b109ad2c92d4f95a9ca5b3983f3b
+  data.tar.gz: 7f0d76ce9190ea1a60c4ff6d23b7c630d13e3c22
 SHA512:
-  metadata.gz: 7f9f85124f55d31e47375d550858ee79cd380588a3f8993bc2f6e46c53cecb52f7a5a49f61e9ad72e80ca72dbf0a7ab2ff6b7c2c86bfac1ed71cf8ad4d0a9dfa
-  data.tar.gz: 91262c6073fee7cfe8ca87d30db6b3c21e9f3300b357c6148839ef219b52d198811bb6902990307e0e91662a3e5c35cade1e083c3d07f912cae5d4cb1b7cd530
+  metadata.gz: 43259b1f5f5d8471b65a297482cb5c4cb9306f85e9f54e8cdb422032bbea82d7f321d2dab205b82ff9195ce42684b2c47502a9f6c85b07277223dda53fd497ab
+  data.tar.gz: bcd15899f969ac39f8b18b8314fd5c2ac645ba433a395d883ecc7f86406b2c32a88c72c0499b2e2f865256e6decd8a7be915d2108519f2945d2cc3cdb3383e24

data/README.md CHANGED

@@ -26,12 +26,13 @@ staging:
   prefix: ENVAULT_
 production:
-  passphrase: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
-  sign_passphrase: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
-  salt: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
+  provider: kms
+  key_id: XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
   prefix: ENVAULT_
 ```
+* AWS KMS support.
 ## Encrypt and Decrypt
 ```bash
 $ cat .env

data/lib/envault.rb CHANGED

@@ -4,6 +4,8 @@ require 'envault/core'
 require 'envault/cli'
 require 'envault/environment'
 require 'envault/formatter'
+require 'envault/cryptor/kms'
+require 'envault/cryptor/simple'
 module Envault
   def self.load(*source_files)

data/lib/envault/cli.rb CHANGED

@@ -31,13 +31,13 @@ module Envault
     desc "encrypt", "encrypt string. exp: envault encrypt -s hoge"
     option :source, aliases: '-s', type: :string, required: true, desc: 'source', banner: 'source'
     def encrypt
-      puts @core.cryptor.encrypt_and_sign(options[:source])
+      puts @core.cryptor.encrypt(options[:source])
     end
     desc "decrypt", "decrypt string. exp: envault decrypt -s hoge"
     option :source, aliases: '-s', type: :string, required: true, desc: 'source'
     def decrypt
-      puts @core.cryptor.decrypt_and_verify(options[:source])
+      puts @core.cryptor.decrypt(options[:source])
     end
     desc "-r", "reencrypt file. exp: envault -r -s .env.encrypt -c ~/.envault --from_profile staging --to_profile production"

data/lib/envault/core.rb CHANGED

@@ -12,7 +12,11 @@ module Envault
       @logger = Logger.new(STDOUT)
       @logger.level = debug ? Logger::DEBUG : Logger::INFO
       profile = get_profile(config, profile)
-      @cryptor = get_cryptor(profile[:passphrase] || '', profile[:sign_passphrase], profile[:salt] || '')
+      @cryptor = if profile[:provider] == 'kms'
+        Cryptor::Kms.new(profile)
+      else
+        Cryptor::Simple.new(profile)
+      end
       @prefix = prefix || profile[:prefix] || DEFAULT_ENV_PREFIX
     end
@@ -25,7 +29,7 @@ module Envault
       cipher_keys = get_cipher_keys(hash, keys)
       encrypted = hash.map do |k, v|
         if cipher_keys.include?(k)
-          [@prefix + k, @cryptor.encrypt_and_sign(v)]
+          encrypt_value(@prefix + k, v)
         else
           [k, v]
         end
@@ -33,6 +37,10 @@ module Envault
       Hash[encrypted]
     end
+    def encrypt_value(key, value)
+      [key, @cryptor.encrypt(value)]
+    end
     def decrypt_yaml(path)
       hash = YAML.load_file(path)
       decrypt_process(hash)
@@ -42,7 +50,7 @@ module Envault
       cipher_keys = get_cipher_keys(hash)
       decrypted = hash.map do |k, v|
         if cipher_keys.include?(k)
-          [k.gsub(/^#{@prefix}/, ''), @cryptor.decrypt_and_verify(v)]
+          decrypt_value(k.gsub(/^#{@prefix}/, ''), v)
         else
           [k, v]
         end
@@ -50,6 +58,10 @@ module Envault
       Hash[decrypted]
     end
+    def decrypt_value(key, value)
+      [key, @cryptor.decrypt(value)]
+    end
     def get_cipher_keys(hash, keys = ["^#{@prefix}.*"])
       all_keys = hash.keys
       if keys
@@ -98,12 +110,20 @@ module Envault
       unless profile
         raise %Q{invalid profile [#{profile_name}].}
       end
-      {
-        passphrase: profile['passphrase'],
-        sign_passphrase: profile['sign_passphrase'],
-        salt: profile['salt'],
-        prefix: profile['prefix']
-      }
+      if profile['provider'] == 'kms'
+        {
+          provider: profile['provider'],
+          key_id: profile['key_id'],
+          prefix: profile['prefix']
+        }
+      else
+        {
+          passphrase: profile['passphrase'],
+          sign_passphrase: profile['sign_passphrase'],
+          salt: profile['salt'],
+          prefix: profile['prefix']
+        }
+      end
     end
     def get_profile_form_env

data/lib/envault/cryptor/kms.rb ADDED

@@ -0,0 +1,25 @@
+module Envault
+  module Cryptor
+    class Kms
+      def initialize(profile)
+        require 'aws-sdk'
+        options = {}
+        options[:region] = profile[:region] if profile[:region]
+        options[:access_key_id] = profile[:aws_access_key_id] if profile[:aws_access_key_id]
+        options[:secret_access_key] = profile[:aws_secret_access_key] if profile[:aws_secret_access_key]
+        @client = Aws::KMS::Client.new(options)
+        @key_id = profile[:key_id]
+      end
+      def encrypt(value)
+        resp = @client.encrypt(key_id: @key_id, plaintext: value)
+        Base64.strict_encode64(resp.ciphertext_blob)
+      end
+      def decrypt(value)
+        resp = @client.decrypt(ciphertext_blob: Base64.strict_decode64(value))
+        resp.plaintext
+      end
+    end
+  end
+end

data/lib/envault/cryptor/simple.rb ADDED

@@ -0,0 +1,28 @@
+module Envault
+  module Cryptor
+    class Simple
+      def initialize(profile)
+        passphrase = profile[:passphrase] || ''
+        sign_passphrase = profile[:sign_passphrase]
+        salt = profile[:salt] || ''
+        key = ActiveSupport::KeyGenerator.new(passphrase).generate_key(salt, 32)
+        signature_key = ActiveSupport::KeyGenerator.new(sign_passphrase).generate_key(salt, 32) if sign_passphrase
+        if signature_key
+          @cryptor = ActiveSupport::MessageEncryptor.new(key, signature_key, cipher: DEFAULT_CIPHER, digest: DEFAULT_DIGEST)
+        else
+          @cryptor = ActiveSupport::MessageEncryptor.new(key, cipher: DEFAULT_CIPHER, digest: DEFAULT_DIGEST)
+        end
+      end
+      def encrypt(value)
+        @cryptor.encrypt_and_sign(value)
+      end
+      def decrypt(value)
+        @cryptor.decrypt_and_verify(value)
+      end
+    end
+  end
+end

data/lib/envault/version.rb CHANGED

@@ -1,4 +1,4 @@
 module Envault
   # envault version
-  VERSION = "0.1.2"
+  VERSION = "0.2.0"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: envault
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.2.0
 platform: ruby
 authors:
 - toyama0919
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-03-28 00:00:00.000000000 Z
+date: 2017-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -172,6 +172,8 @@ files:
 - lib/envault/cli.rb
 - lib/envault/constants.rb
 - lib/envault/core.rb
+- lib/envault/cryptor/kms.rb
+- lib/envault/cryptor/simple.rb
 - lib/envault/environment.rb
 - lib/envault/formatter.rb
 - lib/envault/version.rb