envault 0.1.2 → 0.2.0
- checksums.yaml +4 -4
- data/README.md +4 -3
- data/lib/envault.rb +2 -0
- data/lib/envault/cli.rb +2 -2
- data/lib/envault/core.rb +29 -9
- data/lib/envault/cryptor/kms.rb +25 -0
- data/lib/envault/cryptor/simple.rb +28 -0
- data/lib/envault/version.rb +1 -1
- metadata +4 -2
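--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 316e360329e9b109ad2c92d4f95a9ca5b3983f3b
+data.tar.gz: 7f0d76ce9190ea1a60c4ff6d23b7c630d13e3c22
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 43259b1f5f5d8471b65a297482cb5c4cb9306f85e9f54e8cdb422032bbea82d7f321d2dab205b82ff9195ce42684b2c47502a9f6c85b07277223dda53fd497ab
+data.tar.gz: bcd15899f969ac39f8b18b8314fd5c2ac645ba433a395d883ecc7f86406b2c32a88c72c0499b2e2f865256e6decd8a7be915d2108519f2945d2cc3cdb3383e24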
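--- a/data/README.md
+++ b/data/README.md
@@ -26,12 +26,13 @@ staging:
 prefix: ENVAULT_
 
 production:
-
-
-salt: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
+provider: kms
+key_id: XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
 prefix: ENVAULT_
 ```
 
+* AWS KMS support.
+
 ## Encrypt and Decrypt
 ```bash
 $ cat .env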
data/lib/envault.rb
CHANGED
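--- a/data/lib/envault/cli.rb
+++ b/data/lib/envault/cli.rb
@@ -31,13 +31,13 @@ module Envault
 desc "encrypt", "encrypt string. exp: envault encrypt -s hoge"
 option :source, aliases: '-s', type: :string, required: true, desc: 'source', banner: 'source'
 def encrypt
-puts @core.cryptor.
+puts @core.cryptor.encrypt(options[:source])
 end
 
 desc "decrypt", "decrypt string. exp: envault decrypt -s hoge"
 option :source, aliases: '-s', type: :string, required: true, desc: 'source'
 def decrypt
-puts @core.cryptor.
+puts @core.cryptor.decrypt(options[:source])
 end
 
 desc "-r", "reencrypt file. exp: envault -r -s .env.encrypt -c ~/.envault --from_profile staging --to_profile production"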
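Review bot: `encrypt` reads the plaintext secret from the `-s` command-line option, so the value is visible in `ps`/`/proc` to other users on the host and lands in shell history and audit logs for the lifetime of the call. Make the option optional and fall back to standard input, e.g. `option :source, aliases: '-s', type: :string, desc: 'source (read from STDIN if omitted)'` and `puts @core.cryptor.encrypt(options[:source] || $stdin.read.chomp)`, and point the `desc` example at the stdin form for secrets. `decrypt` writing the recovered plaintext to stdout is expected, but the same argv exposure applies to its `-s` ciphertext and the same fallback would fit there.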
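--- a/data/lib/envault/core.rb
+++ b/data/lib/envault/core.rb
@@ -12,7 +12,11 @@ module Envault
 @logger = Logger.new(STDOUT)
 @logger.level = debug ? Logger::DEBUG : Logger::INFO
 profile = get_profile(config, profile)
-@cryptor =
+@cryptor = if profile[:provider] == 'kms'
+Cryptor::Kms.new(profile)
+else
+Cryptor::Simple.new(profile)
+end
 @prefix = prefix || profile[:prefix] || DEFAULT_ENV_PREFIX
 end
 
@@ -25,7 +29,7 @@ module Envault
 cipher_keys = get_cipher_keys(hash, keys)
 encrypted = hash.map do |k, v|
 if cipher_keys.include?(k)
-
+encrypt_value(@prefix + k, v)
 else
 [k, v]
 end
@@ -33,6 +37,10 @@ module Envault
 Hash[encrypted]
 end
 
+def encrypt_value(key, value)
+[key, @cryptor.encrypt(value)]
+end
+
 def decrypt_yaml(path)
 hash = YAML.load_file(path)
 decrypt_process(hash)
@@ -42,7 +50,7 @@ module Envault
 cipher_keys = get_cipher_keys(hash)
 decrypted = hash.map do |k, v|
 if cipher_keys.include?(k)
-
+decrypt_value(k.gsub(/^#{@prefix}/, ''), v)
 else
 [k, v]
 end
@@ -50,6 +58,10 @@ module Envault
 Hash[decrypted]
 end
 
+def decrypt_value(key, value)
+[key, @cryptor.decrypt(value)]
+end
+
 def get_cipher_keys(hash, keys = ["^#{@prefix}.*"])
 all_keys = hash.keys
 if keys
@@ -98,12 +110,20 @@ module Envault
 unless profile
 raise %Q{invalid profile [#{profile_name}].}
 end
-
-
-
-
-
-
+if profile['provider'] == 'kms'
+{
+provider: profile['provider'],
+key_id: profile['key_id'],
+prefix: profile['prefix']
+}
+else
+{
+passphrase: profile['passphrase'],
+sign_passphrase: profile['sign_passphrase'],
+salt: profile['salt'],
+prefix: profile['prefix']
+}
+end
 end
 
 def get_profile_form_env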
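Review bot: The `kms` branch of `get_profile` returns only `provider`, `key_id` and `prefix`, while `Cryptor::Kms#initialize` (added in this release) reads `profile[:region]`, `profile[:aws_access_key_id]` and `profile[:aws_secret_access_key]`; those keys are never copied from the YAML profile, so a `region` set in the config is silently ignored and the client depends on the SDK's environment/shared-config resolution. Copy `region: profile['region']` here and either copy or, preferably, drop the static-credential reads on the Kms side, since long-lived AWS keys do not belong in this config file. Neither branch checks that the secret material is present: a kms profile without `key_id` only fails later inside the AWS call, and a simple profile without `passphrase` goes on to derive a key from an empty string, so a per-branch check such as `raise %Q{profile [#{profile_name}] requires key_id.} unless profile['key_id']` would fail fast with a clear message. `get_profile` starts above this hunk.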
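--- /dev/null
+++ b/data/lib/envault/cryptor/kms.rb
@@ -0,0 +1,25 @@
+module Envault
+module Cryptor
+class Kms
+def initialize(profile)
+require 'aws-sdk'
+options = {}
+options[:region] = profile[:region] if profile[:region]
+options[:access_key_id] = profile[:aws_access_key_id] if profile[:aws_access_key_id]
+options[:secret_access_key] = profile[:aws_secret_access_key] if profile[:aws_secret_access_key]
+@client = Aws::KMS::Client.new(options)
+@key_id = profile[:key_id]
+end
+
+def encrypt(value)
+resp = @client.encrypt(key_id: @key_id, plaintext: value)
+Base64.strict_encode64(resp.ciphertext_blob)
+end
+
+def decrypt(value)
+resp = @client.decrypt(ciphertext_blob: Base64.strict_decode64(value))
+resp.plaintext
+end
+end
+end
+end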
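Review bot: `encrypt` and `decrypt` call KMS without an `encryption_context`, so a ciphertext blob produced for one variable can be moved under another variable name in the encrypted file and will still decrypt for anyone who can edit that file and call Decrypt with the same key. Binding the variable name as context on both calls, e.g. `encryption_context: { 'name' => name }`, makes KMS reject a relocated blob; that means threading the name through `Cryptor#encrypt`/`#decrypt`, which `Core#encrypt_value`/`#decrypt_value` already receive. `Base64` is used here without a `require 'base64'` in this file; it presumably arrives transitively through aws-sdk, but an explicit require is safer than relying on that. KMS `Encrypt` also caps plaintext at 4 KiB, so a larger value will raise from `@client.encrypt`; a comment or a size check before the call would make that limit visible to users.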
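--- /dev/null
+++ b/data/lib/envault/cryptor/simple.rb
@@ -0,0 +1,28 @@
+module Envault
+module Cryptor
+class Simple
+def initialize(profile)
+passphrase = profile[:passphrase] || ''
+sign_passphrase = profile[:sign_passphrase]
+salt = profile[:salt] || ''
+
+key = ActiveSupport::KeyGenerator.new(passphrase).generate_key(salt, 32)
+signature_key = ActiveSupport::KeyGenerator.new(sign_passphrase).generate_key(salt, 32) if sign_passphrase
+
+if signature_key
+@cryptor = ActiveSupport::MessageEncryptor.new(key, signature_key, cipher: DEFAULT_CIPHER, digest: DEFAULT_DIGEST)
+else
+@cryptor = ActiveSupport::MessageEncryptor.new(key, cipher: DEFAULT_CIPHER, digest: DEFAULT_DIGEST)
+end
+end
+
+def encrypt(value)
+@cryptor.encrypt_and_sign(value)
+end
+
+def decrypt(value)
+@cryptor.decrypt_and_verify(value)
+end
+end
+end
+end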
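Review bot: A missing `passphrase` or `salt` is silently replaced by `''` by the `||` fallbacks in `initialize`, so a profile with a misspelled key still "works" and derives the encryption key from an empty passphrase and empty salt, producing ciphertext that anyone can reproduce and decrypt. Replace the fallbacks with checks, e.g. `passphrase = profile.fetch(:passphrase) { raise ArgumentError, 'passphrase is required' }` and the same for `salt`, so the failure is loud at construction rather than an unnoticed weak key. `sign_passphrase` stays optional and when it is absent `MessageEncryptor` is built from `key` alone; in the ActiveSupport versions I am aware of that reuses the encryption key as the HMAC key, so a comment stating that this is intended (or simply requiring `sign_passphrase`) would help. `ActiveSupport`, `DEFAULT_CIPHER` and `DEFAULT_DIGEST` are referenced without a require in this file, presumably loaded by `lib/envault.rb`, which this release also touches.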
data/lib/envault/version.rb
CHANGED
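--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: envault
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.2.0
 platform: ruby
 authors:
 - toyama0919
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-
+date: 2017-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: thor
@@ -172,6 +172,8 @@ files:
 - lib/envault/cli.rb
 - lib/envault/constants.rb
 - lib/envault/core.rb
+- lib/envault/cryptor/kms.rb
+- lib/envault/cryptor/simple.rb
 - lib/envault/environment.rb
 - lib/envault/formatter.rb
 - lib/envault/version.rb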