envault 0.1.2 → 0.2.0

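--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 757090d8bcabe91360234365ab3116b6aa3f6415
-data.tar.gz: 682ef720920077640cdaba1038f14fec6cf52152
+metadata.gz: 316e360329e9b109ad2c92d4f95a9ca5b3983f3b
+data.tar.gz: 7f0d76ce9190ea1a60c4ff6d23b7c630d13e3c22
 SHA512:
-metadata.gz: 7f9f85124f55d31e47375d550858ee79cd380588a3f8993bc2f6e46c53cecb52f7a5a49f61e9ad72e80ca72dbf0a7ab2ff6b7c2c86bfac1ed71cf8ad4d0a9dfa
-data.tar.gz: 91262c6073fee7cfe8ca87d30db6b3c21e9f3300b357c6148839ef219b52d198811bb6902990307e0e91662a3e5c35cade1e083c3d07f912cae5d4cb1b7cd530
+metadata.gz: 43259b1f5f5d8471b65a297482cb5c4cb9306f85e9f54e8cdb422032bbea82d7f321d2dab205b82ff9195ce42684b2c47502a9f6c85b07277223dda53fd497ab
+data.tar.gz: bcd15899f969ac39f8b18b8314fd5c2ac645ba433a395d883ecc7f86406b2c32a88c72c0499b2e2f865256e6decd8a7be915d2108519f2945d2cc3cdb3383e24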
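--- a/data/README.md
+++ b/data/README.md
@@ -26,12 +26,13 @@ staging:
 prefix: ENVAULT_
 
 production:
-passphrase: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
-sign_passphrase: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
-salt: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
+provider: kms
+key_id: XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
 prefix: ENVAULT_
 ```
 
+* AWS KMS support.
+
 ## Encrypt and Decrypt
 ```bash
 $ cat .env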
@@ -4,6 +4,8 @@ require 'envault/core'
4
4
  require 'envault/cli'
5
5
  require 'envault/environment'
6
6
  require 'envault/formatter'
7
+ require 'envault/cryptor/kms'
8
+ require 'envault/cryptor/simple'
7
9
 
8
10
  module Envault
9
11
  def self.load(*source_files)
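--- a/lib/envault/cli.rb
+++ b/lib/envault/cli.rb
@@ -31,13 +31,13 @@ module Envault
 desc "encrypt", "encrypt string. exp: envault encrypt -s hoge"
 option :source, aliases: '-s', type: :string, required: true, desc: 'source', banner: 'source'
 def encrypt
-puts @core.cryptor.encrypt_and_sign(options[:source])
+puts @core.cryptor.encrypt(options[:source])
 end
 
 desc "decrypt", "decrypt string. exp: envault decrypt -s hoge"
 option :source, aliases: '-s', type: :string, required: true, desc: 'source'
 def decrypt
-puts @core.cryptor.decrypt_and_verify(options[:source])
+puts @core.cryptor.decrypt(options[:source])
 end
 
 desc "-r", "reencrypt file. exp: envault -r -s .env.encrypt -c ~/.envault --from_profile staging --to_profile production"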
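--- a/lib/envault/core.rb
+++ b/lib/envault/core.rb
@@ -12,7 +12,11 @@ module Envault
 @logger = Logger.new(STDOUT)
 @logger.level = debug ? Logger::DEBUG : Logger::INFO
 profile = get_profile(config, profile)
-@cryptor = get_cryptor(profile[:passphrase] || '', profile[:sign_passphrase], profile[:salt] || '')
+@cryptor = if profile[:provider] == 'kms'
+Cryptor::Kms.new(profile)
+else
+Cryptor::Simple.new(profile)
+end
 @prefix = prefix || profile[:prefix] || DEFAULT_ENV_PREFIX
 end
 
@@ -25,7 +29,7 @@ module Envault
 cipher_keys = get_cipher_keys(hash, keys)
 encrypted = hash.map do |k, v|
 if cipher_keys.include?(k)
-[@prefix + k, @cryptor.encrypt_and_sign(v)]
+encrypt_value(@prefix + k, v)
 else
 [k, v]
 end
@@ -33,6 +37,10 @@ module Envault
 Hash[encrypted]
 end
 
+def encrypt_value(key, value)
+[key, @cryptor.encrypt(value)]
+end
+
 def decrypt_yaml(path)
 hash = YAML.load_file(path)
 decrypt_process(hash)
@@ -42,7 +50,7 @@ module Envault
 cipher_keys = get_cipher_keys(hash)
 decrypted = hash.map do |k, v|
 if cipher_keys.include?(k)
-[k.gsub(/^#{@prefix}/, ''), @cryptor.decrypt_and_verify(v)]
+decrypt_value(k.gsub(/^#{@prefix}/, ''), v)
 else
 [k, v]
 end
@@ -50,6 +58,10 @@ module Envault
 Hash[decrypted]
 end
 
+def decrypt_value(key, value)
+[key, @cryptor.decrypt(value)]
+end
+
 def get_cipher_keys(hash, keys = ["^#{@prefix}.*"])
 all_keys = hash.keys
 if keys
@@ -98,12 +110,20 @@ module Envault
 unless profile
 raise %Q{invalid profile [#{profile_name}].}
 end
-{
-passphrase: profile['passphrase'],
-sign_passphrase: profile['sign_passphrase'],
-salt: profile['salt'],
-prefix: profile['prefix']
-}
+if profile['provider'] == 'kms'
+{
+provider: profile['provider'],
+key_id: profile['key_id'],
+prefix: profile['prefix']
+}
+else
+{
+passphrase: profile['passphrase'],
+sign_passphrase: profile['sign_passphrase'],
+salt: profile['salt'],
+prefix: profile['prefix']
+}
+end
 end
 
 def get_profile_form_env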
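Review bot: get_profile's kms branch returns only provider, key_id and prefix, yet Cryptor::Kms#initialize reads profile[:region], profile[:aws_access_key_id] and profile[:aws_secret_access_key], so region and credential settings written under a kms profile are silently ignored and the SDK default credential chain is always used. Either add `region: profile['region']` to that hash and keep credentials out of the config file (the default chain already covers environment variables and instance roles), or drop the unused reads in Kms so the accepted profile keys are explicit. The new `decrypt_value(k.gsub(/^#{@prefix}/, ''), v)` line interpolates @prefix unescaped and anchors with `^`, which also matches after a newline; `k.sub(/\A#{Regexp.escape(@prefix)}/, '')` strips a literal prefix at the start of the key only. initialize, encrypt_process, decrypt_process and get_profile all start or end outside these hunks.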
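--- /dev/null
+++ b/lib/envault/cryptor/kms.rb
@@ -0,0 +1,25 @@
+module Envault
+module Cryptor
+class Kms
+def initialize(profile)
+require 'aws-sdk'
+options = {}
+options[:region] = profile[:region] if profile[:region]
+options[:access_key_id] = profile[:aws_access_key_id] if profile[:aws_access_key_id]
+options[:secret_access_key] = profile[:aws_secret_access_key] if profile[:aws_secret_access_key]
+@client = Aws::KMS::Client.new(options)
+@key_id = profile[:key_id]
+end
+
+def encrypt(value)
+resp = @client.encrypt(key_id: @key_id, plaintext: value)
+Base64.strict_encode64(resp.ciphertext_blob)
+end
+
+def decrypt(value)
+resp = @client.decrypt(ciphertext_blob: Base64.strict_decode64(value))
+resp.plaintext
+end
+end
+end
+end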
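Review bot: Kms#decrypt returns resp.plaintext without checking which key produced the ciphertext, so any KMS ciphertext the configured credentials are allowed to decrypt is accepted as a value for this profile, not only those created under @key_id. The decrypt response exposes the key's ARN as `resp.key_id`; comparing it with the configured key (when key_id is given as an ARN) or passing the same `encryption_context:` to both encrypt and decrypt ties a ciphertext to this profile. Worth a comment on encrypt: KMS Encrypt takes at most 4096 bytes of plaintext, so a longer value is rejected by the service rather than encrypted, unlike the ActiveSupport path. `Base64` is used without a visible `require 'base64'`; if the gem's entry file does not already load it, add it at the top of this file, and a one-line comment on the deferred `require 'aws-sdk'` would make clear that the dependency is loaded lazily on purpose.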
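--- /dev/null
+++ b/lib/envault/cryptor/simple.rb
@@ -0,0 +1,28 @@
+module Envault
+module Cryptor
+class Simple
+def initialize(profile)
+passphrase = profile[:passphrase] || ''
+sign_passphrase = profile[:sign_passphrase]
+salt = profile[:salt] || ''
+
+key = ActiveSupport::KeyGenerator.new(passphrase).generate_key(salt, 32)
+signature_key = ActiveSupport::KeyGenerator.new(sign_passphrase).generate_key(salt, 32) if sign_passphrase
+
+if signature_key
+@cryptor = ActiveSupport::MessageEncryptor.new(key, signature_key, cipher: DEFAULT_CIPHER, digest: DEFAULT_DIGEST)
+else
+@cryptor = ActiveSupport::MessageEncryptor.new(key, cipher: DEFAULT_CIPHER, digest: DEFAULT_DIGEST)
+end
+end
+
+def encrypt(value)
+@cryptor.encrypt_and_sign(value)
+end
+
+def decrypt(value)
+@cryptor.decrypt_and_verify(value)
+end
+end
+end
+end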
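Review bot: Simple#initialize keeps the `|| ''` fallbacks carried over from the old get_cryptor call, so a profile that omits or misspells passphrase silently derives the key from an empty string instead of failing. Unless an empty passphrase is meant to be supported, `raise ArgumentError, 'passphrase is required' if passphrase.empty?` after the assignment stops a misconfigured profile before anything is encrypted under a guessable key; the same consideration applies to salt, which is what distinguishes two profiles that share a passphrase. A short class comment stating the contract would help readers: values are encrypted with ActiveSupport::MessageEncryptor and only a Simple built from the same passphrase, sign_passphrase and salt can decrypt them.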
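--- a/lib/envault/version.rb
+++ b/lib/envault/version.rb
@@ -1,4 +1,4 @@
 module Envault
 # envault version
-VERSION = "0.1.2"
+VERSION = "0.2.0"
 end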
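--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: envault
 version: !ruby/object:Gem::Version
-version: 0.1.2
+version: 0.2.0
 platform: ruby
 authors:
 - toyama0919
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-03-28 00:00:00.000000000 Z
+date: 2017-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: thor
@@ -172,6 +172,8 @@ files:
 - lib/envault/cli.rb
 - lib/envault/constants.rb
 - lib/envault/core.rb
+- lib/envault/cryptor/kms.rb
+- lib/envault/cryptor/simple.rb
 - lib/envault/environment.rb
 - lib/envault/formatter.rb
 - lib/envault/version.rb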