eyaml 0.3.0 → 0.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/test.yml +1 -1
- data/.ruby-version +1 -1
- data/Gemfile.lock +87 -52
- data/README.md +15 -2
- data/lib/eyaml/railtie.rb +20 -7
- data/lib/eyaml/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 99ad0ac7614ce464c44623e271371bad722452f5e0fc1d8fd1e0c60d7516b715
|
4
|
+
data.tar.gz: 83e6571f04e5552ef626466dcad9deb8201c091225867ba1e5bd7807473948de
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8bed58a4aff4c38b7282528cf39bc34446e4c9c203ebc14ce690a5b265c4bc9dff737c4ad5af73997fdec15c75413a38bc84d6b40a15bf8f254f942084585b29
|
7
|
+
data.tar.gz: b220b9015b016ce95411304ad702ba618893deaed0a3c5eca9ee98c2e7a6166823df1127d457af9ec28a160fdde9a1bfc79b074ca7bca2e9955ec1c7e0846912
|
data/.github/workflows/test.yml
CHANGED
data/.ruby-version
CHANGED
@@ -1 +1 @@
|
|
1
|
-
3.
|
1
|
+
3.2.2
|
data/Gemfile.lock
CHANGED
@@ -1,89 +1,124 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
eyaml (0.
|
4
|
+
eyaml (0.4.0)
|
5
5
|
rbnacl (~> 7.1)
|
6
6
|
thor (~> 1.1)
|
7
7
|
|
8
8
|
GEM
|
9
9
|
remote: https://rubygems.org/
|
10
10
|
specs:
|
11
|
-
actionpack (7.
|
12
|
-
actionview (= 7.
|
13
|
-
activesupport (= 7.
|
14
|
-
|
11
|
+
actionpack (7.1.3)
|
12
|
+
actionview (= 7.1.3)
|
13
|
+
activesupport (= 7.1.3)
|
14
|
+
nokogiri (>= 1.8.5)
|
15
|
+
racc
|
16
|
+
rack (>= 2.2.4)
|
17
|
+
rack-session (>= 1.0.1)
|
15
18
|
rack-test (>= 0.6.3)
|
16
|
-
rails-dom-testing (~> 2.
|
17
|
-
rails-html-sanitizer (~> 1.
|
18
|
-
actionview (7.
|
19
|
-
activesupport (= 7.
|
19
|
+
rails-dom-testing (~> 2.2)
|
20
|
+
rails-html-sanitizer (~> 1.6)
|
21
|
+
actionview (7.1.3)
|
22
|
+
activesupport (= 7.1.3)
|
20
23
|
builder (~> 3.1)
|
21
|
-
erubi (~> 1.
|
22
|
-
rails-dom-testing (~> 2.
|
23
|
-
rails-html-sanitizer (~> 1.
|
24
|
-
activesupport (7.
|
24
|
+
erubi (~> 1.11)
|
25
|
+
rails-dom-testing (~> 2.2)
|
26
|
+
rails-html-sanitizer (~> 1.6)
|
27
|
+
activesupport (7.1.3)
|
28
|
+
base64
|
29
|
+
bigdecimal
|
25
30
|
concurrent-ruby (~> 1.0, >= 1.0.2)
|
31
|
+
connection_pool (>= 2.2.5)
|
32
|
+
drb
|
26
33
|
i18n (>= 1.6, < 2)
|
27
34
|
minitest (>= 5.1)
|
35
|
+
mutex_m
|
28
36
|
tzinfo (~> 2.0)
|
37
|
+
base64 (0.2.0)
|
38
|
+
bigdecimal (3.1.6)
|
29
39
|
builder (3.2.4)
|
30
40
|
coderay (1.1.3)
|
31
|
-
concurrent-ruby (1.
|
41
|
+
concurrent-ruby (1.2.3)
|
42
|
+
connection_pool (2.4.1)
|
32
43
|
crass (1.0.6)
|
33
44
|
diff-lcs (1.5.0)
|
34
|
-
|
35
|
-
|
45
|
+
drb (2.2.0)
|
46
|
+
ruby2_keywords
|
47
|
+
erubi (1.12.0)
|
48
|
+
fakefs (1.8.0)
|
36
49
|
ffi (1.15.5)
|
37
|
-
i18n (1.
|
50
|
+
i18n (1.14.1)
|
38
51
|
concurrent-ruby (~> 1.0)
|
39
|
-
|
52
|
+
io-console (0.7.2)
|
53
|
+
irb (1.11.1)
|
54
|
+
rdoc
|
55
|
+
reline (>= 0.4.2)
|
56
|
+
loofah (2.22.0)
|
40
57
|
crass (~> 1.0.2)
|
41
|
-
nokogiri (>= 1.
|
58
|
+
nokogiri (>= 1.12.0)
|
42
59
|
method_source (1.0.0)
|
43
|
-
minitest (5.
|
44
|
-
|
60
|
+
minitest (5.21.2)
|
61
|
+
mutex_m (0.2.0)
|
62
|
+
nokogiri (1.16.0-arm64-darwin)
|
45
63
|
racc (~> 1.4)
|
46
|
-
nokogiri (1.
|
64
|
+
nokogiri (1.16.0-x86_64-linux)
|
47
65
|
racc (~> 1.4)
|
48
|
-
pry (0.14.
|
66
|
+
pry (0.14.2)
|
49
67
|
coderay (~> 1.1)
|
50
68
|
method_source (~> 1.0)
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
69
|
+
psych (5.1.2)
|
70
|
+
stringio
|
71
|
+
racc (1.7.3)
|
72
|
+
rack (3.0.8)
|
73
|
+
rack-session (2.0.0)
|
74
|
+
rack (>= 3.0.0)
|
75
|
+
rack-test (2.1.0)
|
76
|
+
rack (>= 1.3)
|
77
|
+
rackup (2.1.0)
|
78
|
+
rack (>= 3)
|
79
|
+
webrick (~> 1.8)
|
80
|
+
rails-dom-testing (2.2.0)
|
81
|
+
activesupport (>= 5.0.0)
|
82
|
+
minitest
|
57
83
|
nokogiri (>= 1.6)
|
58
|
-
rails-html-sanitizer (1.
|
59
|
-
loofah (~> 2.
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
84
|
+
rails-html-sanitizer (1.6.0)
|
85
|
+
loofah (~> 2.21)
|
86
|
+
nokogiri (~> 1.14)
|
87
|
+
railties (7.1.3)
|
88
|
+
actionpack (= 7.1.3)
|
89
|
+
activesupport (= 7.1.3)
|
90
|
+
irb
|
91
|
+
rackup (>= 1.0.0)
|
64
92
|
rake (>= 12.2)
|
65
|
-
thor (~> 1.0)
|
66
|
-
zeitwerk (~> 2.
|
67
|
-
rake (13.0
|
93
|
+
thor (~> 1.0, >= 1.2.2)
|
94
|
+
zeitwerk (~> 2.6)
|
95
|
+
rake (13.1.0)
|
68
96
|
rbnacl (7.1.1)
|
69
97
|
ffi
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
rspec
|
75
|
-
rspec-
|
76
|
-
|
98
|
+
rdoc (6.6.2)
|
99
|
+
psych (>= 4.0.0)
|
100
|
+
reline (0.4.2)
|
101
|
+
io-console (~> 0.5)
|
102
|
+
rspec (3.12.0)
|
103
|
+
rspec-core (~> 3.12.0)
|
104
|
+
rspec-expectations (~> 3.12.0)
|
105
|
+
rspec-mocks (~> 3.12.0)
|
106
|
+
rspec-core (3.12.2)
|
107
|
+
rspec-support (~> 3.12.0)
|
108
|
+
rspec-expectations (3.12.3)
|
77
109
|
diff-lcs (>= 1.2.0, < 2.0)
|
78
|
-
rspec-support (~> 3.
|
79
|
-
rspec-mocks (3.
|
110
|
+
rspec-support (~> 3.12.0)
|
111
|
+
rspec-mocks (3.12.6)
|
80
112
|
diff-lcs (>= 1.2.0, < 2.0)
|
81
|
-
rspec-support (~> 3.
|
82
|
-
rspec-support (3.
|
83
|
-
|
84
|
-
|
113
|
+
rspec-support (~> 3.12.0)
|
114
|
+
rspec-support (3.12.1)
|
115
|
+
ruby2_keywords (0.0.5)
|
116
|
+
stringio (3.1.0)
|
117
|
+
thor (1.3.0)
|
118
|
+
tzinfo (2.0.6)
|
85
119
|
concurrent-ruby (~> 1.0)
|
86
|
-
|
120
|
+
webrick (1.8.1)
|
121
|
+
zeitwerk (2.6.12)
|
87
122
|
|
88
123
|
PLATFORMS
|
89
124
|
arm64-darwin-20
|
data/README.md
CHANGED
@@ -70,7 +70,15 @@ secret: password
|
|
70
70
|
|
71
71
|
#### `eyaml keygen`
|
72
72
|
|
73
|
-
Generates the keypair for the encryption flow to work. The public key must be placed into the file at `_public_key`
|
73
|
+
Generates the keypair for the encryption flow to work. The public key must be placed into the file at `_public_key` like this:
|
74
|
+
e.g.
|
75
|
+
```shell
|
76
|
+
-> % cat config/credentials.development.eyaml
|
77
|
+
_public_key: a3dbdef9efd1e52a34588de56a6cf9b03bbc2aaf0edda145cfbd9a6370a0a849
|
78
|
+
my_secret: 85d1fca99d98c4e7b83b868f75f809e1e33346317b0c354b593cdcdc8793ad4e
|
79
|
+
```
|
80
|
+
|
81
|
+
The private key must be saved in the default key directory (`/opt/ejson/keys`) with the filename being the public key and the contents, the private key, a key directory you'll provide later, or just pass the `--write` flag for `eyaml` to handle it for you.
|
74
82
|
|
75
83
|
```shell
|
76
84
|
-> % eyaml keygen
|
@@ -88,9 +96,14 @@ b01592942ba10f152bcf7c6b6734f6392554c578ff24cebcc62f9e3da6fcf302
|
|
88
96
|
|
89
97
|
### Rails
|
90
98
|
|
91
|
-
`eyaml` comes with baked in Rails support. It will search for a secrets file in `config/`, decrypt, and load the first valid one it finds.
|
99
|
+
`eyaml` comes with baked in Rails support. It will search for a secrets or credentials file in `config/`, decrypt, and load the first valid one it finds.
|
100
|
+
Credential files have priority over secrets before rails 7.2:
|
101
|
+
`credentials.{eyaml|eyml|ejson}` (e.g. `config/credentials.eyaml`) then `credentials.$env.{eyaml|eyml|ejson}` (e.g. `credentials.production.eyml`).
|
102
|
+
Then if no credentials are found it will look for a secrets file:
|
92
103
|
`secrets.{eyaml|eyml|ejson}` (e.g. `config/secrets.eyaml`) then `secrets.$env.{eyaml|eyml|ejson}` (e.g. `secrets.production.eyml`).
|
93
104
|
|
105
|
+
Note: From rails 7.2 onwards secrets are deprecated and eyaml will only look for credential files.
|
106
|
+
|
94
107
|
Instead of needing a private key locally, you can provide it to EYAML by setting `EJSON_PRIVATE_KEY` and it'll be automatically used for decrypting the secrets file.
|
95
108
|
|
96
109
|
### Apple M1 Support
|
data/lib/eyaml/railtie.rb
CHANGED
@@ -9,7 +9,20 @@ module EYAML
|
|
9
9
|
PRIVATE_KEY_ENV_VAR = "EJSON_PRIVATE_KEY"
|
10
10
|
|
11
11
|
config.before_configuration do
|
12
|
-
|
12
|
+
secret_files_present = Dir.glob(auth_files(:secrets)).any?
|
13
|
+
credential_files_present = Dir.glob(auth_files(:credentials)).any?
|
14
|
+
|
15
|
+
secrets_or_credentials = if Rails.version >= "7.2"
|
16
|
+
:credentials
|
17
|
+
else
|
18
|
+
if credential_files_present
|
19
|
+
:credentials
|
20
|
+
elsif secret_files_present
|
21
|
+
:secrets
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
auth_files(secrets_or_credentials).each do |file|
|
13
26
|
next unless valid?(file)
|
14
27
|
|
15
28
|
# If private_key is nil (i.e. when $EJSON_PRIVATE_KEY is not set), EYAML will search
|
@@ -19,7 +32,7 @@ module EYAML
|
|
19
32
|
.deep_symbolize_keys
|
20
33
|
.except(:_public_key)
|
21
34
|
|
22
|
-
break Rails.application.
|
35
|
+
break Rails.application.send(secrets_or_credentials).deep_merge!(secrets)
|
23
36
|
end
|
24
37
|
end
|
25
38
|
|
@@ -30,13 +43,13 @@ module EYAML
|
|
30
43
|
pathname.exist?
|
31
44
|
end
|
32
45
|
|
33
|
-
def
|
34
|
-
EYAML::SUPPORTED_EXTENSIONS.
|
46
|
+
def auth_files(secrets_or_credentials)
|
47
|
+
EYAML::SUPPORTED_EXTENSIONS.flat_map do |ext|
|
35
48
|
[
|
36
|
-
Rails.root.join("config", "
|
37
|
-
Rails.root.join("config", "
|
49
|
+
Rails.root.join("config", "#{secrets_or_credentials}.#{ext}"),
|
50
|
+
Rails.root.join("config", "#{secrets_or_credentials}.#{Rails.env}.#{ext}")
|
38
51
|
]
|
39
|
-
end
|
52
|
+
end
|
40
53
|
end
|
41
54
|
end
|
42
55
|
end
|
data/lib/eyaml/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: eyaml
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.4.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Emil Stolarsky
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2024-02-15 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: thor
|
@@ -115,7 +115,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
115
115
|
- !ruby/object:Gem::Version
|
116
116
|
version: '0'
|
117
117
|
requirements: []
|
118
|
-
rubygems_version: 3.
|
118
|
+
rubygems_version: 3.4.21
|
119
119
|
signing_key:
|
120
120
|
specification_version: 4
|
121
121
|
summary: Asymmetric keywise encryption for YAML
|