eyaml 0.3.0 → 0.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1e4b127ccafc6ab14c9da7266669041481c0403b562d95bb7cc672daab58c48b
-  data.tar.gz: 2489ecf885a7fbb225b4c50da2fe99cdea277c548268cd81df372d149585e0ac
+  metadata.gz: 3db8844c2bbddc8461708c26243e51830e6caabb0863b51a255dcef05f762842
+  data.tar.gz: bc1103be88e0418663ce58bfc7f4b497466a9fe98a08b5ddddafae76d18667ce
 SHA512:
-  metadata.gz: 974db15344c1a5ba71d3691b6e99f70d39aeb2d74f71c9bd0e9ee372b8ccac392af538e7516457c692a824385348cea3102e4e5100f57814136d234d598e2793
-  data.tar.gz: dbcaf11b7dfdf87276f4e9a70f13132d7910b2f69544f16238d6f51354ea03ac2994def24251aec36dd7b37fbe822c5c1a8cb6ded423572191e7e15f7433b701
+  metadata.gz: 5b6f9ebcae7c5a2b7920abb7ec5e75e06c1ac2e51eff9b8ea7f61a00305c80e06b60bcc3219a5b94700a6d4af6ba6915f92c646573d00a4fb1a43732aa331ec1
+  data.tar.gz: 4d6359cad8b3514dd4fdc8ecfe9ccfed07bd9e18a5d5bd6033633696111754e522001a18cc8c9746da0f065ee14bc8a2f6a7b009bd2bd7926293e2b658a9ccdc

data/.github/workflows/test.yml

@@ -7,7 +7,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4.1.1
 
       - name: Run with fresh bundle
         run: rm Gemfile.lock

data/.ruby-version

@@ -1 +1 @@
-3.0.0
+3.2.2

data/Gemfile.lock

@@ -1,89 +1,127 @@
 PATH
   remote: .
   specs:
-    eyaml (0.3.0)
+    eyaml (0.4.0)
       rbnacl (~> 7.1)
       thor (~> 1.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (7.0.1)
-      actionview (= 7.0.1)
-      activesupport (= 7.0.1)
-      rack (~> 2.0, >= 2.2.0)
+    actionpack (7.1.3)
+      actionview (= 7.1.3)
+      activesupport (= 7.1.3)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.1)
-      activesupport (= 7.0.1)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    actionview (7.1.3)
+      activesupport (= 7.1.3)
       builder (~> 3.1)
-      erubi (~> 1.4)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activesupport (7.0.1)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activesupport (7.1.3)
+      base64
+      bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
+      mutex_m
       tzinfo (~> 2.0)
+    base64 (0.2.0)
+    bigdecimal (3.1.6)
     builder (3.2.4)
     coderay (1.1.3)
-    concurrent-ruby (1.1.9)
+    concurrent-ruby (1.2.3)
+    connection_pool (2.4.1)
     crass (1.0.6)
-    diff-lcs (1.5.0)
-    erubi (1.10.0)
-    fakefs (1.4.0)
+    debug (1.9.2)
+      irb (~> 1.10)
+      reline (>= 0.3.8)
+    diff-lcs (1.5.1)
+    drb (2.2.0)
+      ruby2_keywords
+    erubi (1.12.0)
+    fakefs (1.8.0)
     ffi (1.15.5)
-    i18n (1.8.11)
+    i18n (1.14.1)
       concurrent-ruby (~> 1.0)
-    loofah (2.13.0)
+    io-console (0.7.2)
+    irb (1.11.1)
+      rdoc
+      reline (>= 0.4.2)
+    loofah (2.22.0)
       crass (~> 1.0.2)
-      nokogiri (>= 1.5.9)
+      nokogiri (>= 1.12.0)
     method_source (1.0.0)
-    minitest (5.15.0)
-    nokogiri (1.13.4-arm64-darwin)
+    minitest (5.21.2)
+    mutex_m (0.2.0)
+    nokogiri (1.16.0-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.13.4-x86_64-linux)
+    nokogiri (1.16.0-x86_64-linux)
       racc (~> 1.4)
-    pry (0.14.1)
+    pry (0.14.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    racc (1.6.0)
-    rack (2.2.3)
-    rack-test (1.1.0)
-      rack (>= 1.0, < 3)
-    rails-dom-testing (2.0.3)
-      activesupport (>= 4.2.0)
+    psych (5.1.2)
+      stringio
+    racc (1.7.3)
+    rack (3.0.8)
+    rack-session (2.0.0)
+      rack (>= 3.0.0)
+    rack-test (2.1.0)
+      rack (>= 1.3)
+    rackup (2.1.0)
+      rack (>= 3)
+      webrick (~> 1.8)
+    rails-dom-testing (2.2.0)
+      activesupport (>= 5.0.0)
+      minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.4.2)
-      loofah (~> 2.3)
-    railties (7.0.1)
-      actionpack (= 7.0.1)
-      activesupport (= 7.0.1)
-      method_source
+    rails-html-sanitizer (1.6.0)
+      loofah (~> 2.21)
+      nokogiri (~> 1.14)
+    railties (7.1.3)
+      actionpack (= 7.1.3)
+      activesupport (= 7.1.3)
+      irb
+      rackup (>= 1.0.0)
       rake (>= 12.2)
-      thor (~> 1.0)
-      zeitwerk (~> 2.5)
-    rake (13.0.6)
+      thor (~> 1.0, >= 1.2.2)
+      zeitwerk (~> 2.6)
+    rake (13.1.0)
     rbnacl (7.1.1)
       ffi
-    rspec (3.10.0)
-      rspec-core (~> 3.10.0)
-      rspec-expectations (~> 3.10.0)
-      rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.1)
+    rdoc (6.6.2)
+      psych (>= 4.0.0)
+    reline (0.4.2)
+      io-console (~> 0.5)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.0)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-mocks (3.10.2)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-support (3.10.3)
-    thor (1.2.1)
-    tzinfo (2.0.4)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.1)
+    ruby2_keywords (0.0.5)
+    stringio (3.1.0)
+    thor (1.3.0)
+    tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    zeitwerk (2.5.3)
+    webrick (1.8.1)
+    zeitwerk (2.6.12)
 
 PLATFORMS
   arm64-darwin-20
@@ -91,6 +129,7 @@ PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
+  debug
   eyaml!
   fakefs
   ffi (~> 1.15.5)

data/README.md

@@ -55,12 +55,13 @@ Options:
 ```shell
 -> % eyaml encrypt config/secrets.production.eyaml
 Wrote 517 bytes to config/secrets.production.eyaml.
-```
 
+Note: entries starting with an `_` won't be encrypted. This has to be the case for the `_public_key`, but can be handy if you want to add keys in there that you dont't want to encrypt. Like a public key for ex.
+```
 
 #### `eyaml decrypt`
 
-Decrypts the provided EYAML file.
+Decrypts the whole provided EYAML file.
 
 ```shell
 -> % eyaml decrypt config/secrets.production.eyaml
@@ -70,7 +71,15 @@ secret: password
 
 #### `eyaml keygen`
 
-Generates the keypair for the encryption flow to work. The public key must be placed into the file at `_public_key` and the private key must be saved in the default key directory (`/opt/ejson/keys`) with the filename being the public key and the contents, the private key, a key directory you'll provide later, or just pass the `--write` flag for `eyaml` to handle it for you.
+Generates the keypair for the encryption flow to work. The public key must be placed into the file at `_public_key` like this:
+e.g.
+```shell
+-> % cat config/credentials.development.eyaml
+_public_key: a3dbdef9efd1e52a34588de56a6cf9b03bbc2aaf0edda145cfbd9a6370a0a849
+my_secret: 85d1fca99d98c4e7b83b868f75f809e1e33346317b0c354b593cdcdc8793ad4e
+```
+
+The private key must be saved in the default key directory (`/opt/ejson/keys`) or the `EJSON_PRIVATE_KEY` must point to the right directory, with the filename being the public key and the contents, the private key, a key directory you'll provide later, or just pass the `--write` flag for `eyaml` to handle it for you.
 
 ```shell
 -> % eyaml keygen
@@ -88,11 +97,70 @@ b01592942ba10f152bcf7c6b6734f6392554c578ff24cebcc62f9e3da6fcf302
 
 ### Rails
 
-`eyaml` comes with baked in Rails support. It will search for a secrets file in `config/`, decrypt, and load the first valid one it finds.
+`eyaml` comes with baked in Rails support.
+It will search for a rails secrets or credentials file in `config/`, decrypt, and load the first valid one it finds.
+
+For this a public-private keyfile needs to be present, which you can generate with `eyaml keygen`. For a development/test environment you can keep this in your
+version control, but on production you want to take the proper precautions since this can contain your rails master key as well.
+
+Credential files have priority over secrets before rails 7.2:
+`credentials.{eyaml|eyml|ejson}` (e.g. `config/credentials.eyaml`) then `credentials.$env.{eyaml|eyml|ejson}` (e.g. `credentials.production.eyml`).
+Then if no credentials are found it will look for a secrets file:
 `secrets.{eyaml|eyml|ejson}` (e.g. `config/secrets.eyaml`) then `secrets.$env.{eyaml|eyml|ejson}` (e.g. `secrets.production.eyml`).
 
+Note: From rails 7.2 onwards secrets are deprecated and eyaml will only look for credential files.
+
 Instead of needing a private key locally, you can provide it to EYAML by setting `EJSON_PRIVATE_KEY` and it'll be automatically used for decrypting the secrets file.
 
+If you put your rails master key encrypted in the eyaml file, make sure you don't have another `master.key` file somewhere, since that can interfere.
+
+### Example setup
+
+To add encryption + credentials to a rails project do the following things:
+
+- Generate a private-public keypair with (or add the --write flag and a keypair file will be written to `/opt/ejson/keys/`):
+  ```shell
+  eyaml keygen
+
+  Public Key: a3dbdef9efd1e52a34588de56a6cf9b03bbc2aaf0edda145cfbd9a6370a0a849
+  Private Key: b01592942ba10f152bcf7c6b6734f6392554c578ff24cebcc62f9e3da6fcf302
+  ```
+
+  For this example I show you a dev setup, but for test, production etc. it works the same.
+
+- Create a file with the name of the public key that contains the private key.
+  If you don't want to add the file to the `/opt/ejson/keys/` (for for example a dev/test environment) so you can check it in with your version management you can set the `EJSON_KEYDIR` to the keypair file
+  in rails `application.rb` like so:
+  ```ruby
+  ENV["EJSON_KEYDIR"] = File.expand_path("../dev/ejson-keys", __dir__) unless Rails.env.production?
+  ```
+  and rails will look there for the file decryption when the environment loads.
+  You can test this by calling
+  ```ruby
+  Rails.application.credentials.secret_key_base
+  ```
+  in a rails console and it should give you back the unencrypted key.
+
+  Note that you should not have a `config/master.key` file present (created by rails when using it's credentials management like for ex when calling `rails credentials:edit`) when using eyaml.
+  Eyaml is a replacement for rails's credentials management and currently conflicts with it. Eyaml will raise when a master.key is present.
+
+- Create a `config/credentials.development.eyaml` file
+- In the credentials file add:
+  ```yaml
+  _public_key: a3dbdef9efd1e52a34588de56a6cf9b03bbc2aaf0edda145cfbd9a6370a0a849
+  ```
+  on top
+- You can then add your rails `secret_key_base` like so:
+  ```yaml
+  secret_key_base: <secret>
+  ```
+  And any other key you need in there.
+- Then every time you edit your eyaml file(s) run (for ex for development):
+  ```shell
+  eyaml encrypt config/credentials.development.eyaml
+  ```
+  And you can see that the key put in there is encrypted afterwards (except the ones starting with an `_`).
+
 ### Apple M1 Support
 
 If you're using the new Apple M1, you need to ensure that you're using a `ffi` that is working. We've temporarily been including a fork with a fix in any `Gemfile` where we've included `eyaml`:

data/eyaml.gemspec

@@ -26,4 +26,5 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency("rake", "~> 13.0")
   spec.add_development_dependency("rspec", "~> 3.0")
+  spec.add_development_dependency("debug")
 end

data/lib/eyaml/railtie.rb

@@ -8,8 +8,27 @@ module EYAML
     class Railtie < Rails::Railtie
       PRIVATE_KEY_ENV_VAR = "EJSON_PRIVATE_KEY"
 
+      class ConflictError < StandardError
+      end
+
       config.before_configuration do
-        secrets_files.each do |file|
+        if File.exist?(Rails.root.join("config", "master.key"))
+          raise ConflictError, "A config/master.key has been found. The rails credentials lookup conflicts with eyaml. Please remove rails credentials management by removing the master.key file to keep using eyaml."
+        end
+        secret_files_present = Dir.glob(auth_files(:secrets)).any?
+        credential_files_present = Dir.glob(auth_files(:credentials)).any?
+
+        secrets_or_credentials = if Rails.version >= "7.2"
+          :credentials
+        else
+          if credential_files_present
+            :credentials
+          elsif secret_files_present
+            :secrets
+          end
+        end
+
+        auth_files(secrets_or_credentials).each do |file|
           next unless valid?(file)
 
           # If private_key is nil (i.e. when $EJSON_PRIVATE_KEY is not set), EYAML will search
@@ -19,7 +38,7 @@ module EYAML
             .deep_symbolize_keys
             .except(:_public_key)
 
-          break Rails.application.secrets.deep_merge!(secrets)
+          break Rails.application.send(secrets_or_credentials).deep_merge!(secrets)
         end
       end
 
@@ -30,13 +49,13 @@ module EYAML
           pathname.exist?
         end
 
-        def secrets_files
-          EYAML::SUPPORTED_EXTENSIONS.map do |ext|
+        def auth_files(secrets_or_credentials)
+          EYAML::SUPPORTED_EXTENSIONS.flat_map do |ext|
             [
-              Rails.root.join("config", "secrets.#{ext}"),
-              Rails.root.join("config", "secrets.#{Rails.env}.#{ext}")
+              Rails.root.join("config", "#{secrets_or_credentials}.#{ext}"),
+              Rails.root.join("config", "#{secrets_or_credentials}.#{Rails.env}.#{ext}")
             ]
-          end.flatten
+          end
         end
       end
     end

data/lib/eyaml/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module EYAML
-  VERSION = "0.3.0"
+  VERSION = "0.4.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: eyaml
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.2
 platform: ruby
 authors:
 - Emil Stolarsky
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-04-25 00:00:00.000000000 Z
+date: 2024-06-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -66,6 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: debug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Secret management by encrypting values in a YAML file with a public/private
   keypair
 email:
@@ -115,7 +129,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.4.21
 signing_key:
 specification_version: 4
 summary: Asymmetric keywise encryption for YAML