eyaml 0.4.0 → 0.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 99ad0ac7614ce464c44623e271371bad722452f5e0fc1d8fd1e0c60d7516b715
-  data.tar.gz: 83e6571f04e5552ef626466dcad9deb8201c091225867ba1e5bd7807473948de
+  metadata.gz: 3db8844c2bbddc8461708c26243e51830e6caabb0863b51a255dcef05f762842
+  data.tar.gz: bc1103be88e0418663ce58bfc7f4b497466a9fe98a08b5ddddafae76d18667ce
 SHA512:
-  metadata.gz: 8bed58a4aff4c38b7282528cf39bc34446e4c9c203ebc14ce690a5b265c4bc9dff737c4ad5af73997fdec15c75413a38bc84d6b40a15bf8f254f942084585b29
-  data.tar.gz: b220b9015b016ce95411304ad702ba618893deaed0a3c5eca9ee98c2e7a6166823df1127d457af9ec28a160fdde9a1bfc79b074ca7bca2e9955ec1c7e0846912
+  metadata.gz: 5b6f9ebcae7c5a2b7920abb7ec5e75e06c1ac2e51eff9b8ea7f61a00305c80e06b60bcc3219a5b94700a6d4af6ba6915f92c646573d00a4fb1a43732aa331ec1
+  data.tar.gz: 4d6359cad8b3514dd4fdc8ecfe9ccfed07bd9e18a5d5bd6033633696111754e522001a18cc8c9746da0f065ee14bc8a2f6a7b009bd2bd7926293e2b658a9ccdc

data/.github/workflows/test.yml

@@ -7,7 +7,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3.1.0
+        uses: actions/checkout@v4.1.1
 
       - name: Run with fresh bundle
         run: rm Gemfile.lock

data/Gemfile.lock

@@ -41,7 +41,10 @@ GEM
     concurrent-ruby (1.2.3)
     connection_pool (2.4.1)
     crass (1.0.6)
-    diff-lcs (1.5.0)
+    debug (1.9.2)
+      irb (~> 1.10)
+      reline (>= 0.3.8)
+    diff-lcs (1.5.1)
     drb (2.2.0)
       ruby2_keywords
     erubi (1.12.0)
@@ -99,19 +102,19 @@ GEM
       psych (>= 4.0.0)
     reline (0.4.2)
       io-console (~> 0.5)
-    rspec (3.12.0)
-      rspec-core (~> 3.12.0)
-      rspec-expectations (~> 3.12.0)
-      rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.2)
-      rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.3)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.0)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.6)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-support (3.12.1)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.1)
     ruby2_keywords (0.0.5)
     stringio (3.1.0)
     thor (1.3.0)
@@ -126,6 +129,7 @@ PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
+  debug
   eyaml!
   fakefs
   ffi (~> 1.15.5)

data/README.md

@@ -55,12 +55,13 @@ Options:
 ```shell
 -> % eyaml encrypt config/secrets.production.eyaml
 Wrote 517 bytes to config/secrets.production.eyaml.
-```
 
+Note: entries starting with an `_` won't be encrypted. This has to be the case for the `_public_key`, but can be handy if you want to add keys in there that you dont't want to encrypt. Like a public key for ex.
+```
 
 #### `eyaml decrypt`
 
-Decrypts the provided EYAML file.
+Decrypts the whole provided EYAML file.
 
 ```shell
 -> % eyaml decrypt config/secrets.production.eyaml
@@ -78,7 +79,7 @@ _public_key: a3dbdef9efd1e52a34588de56a6cf9b03bbc2aaf0edda145cfbd9a6370a0a849
 my_secret: 85d1fca99d98c4e7b83b868f75f809e1e33346317b0c354b593cdcdc8793ad4e
 ```
 
-The private key must be saved in the default key directory (`/opt/ejson/keys`) with the filename being the public key and the contents, the private key, a key directory you'll provide later, or just pass the `--write` flag for `eyaml` to handle it for you.
+The private key must be saved in the default key directory (`/opt/ejson/keys`) or the `EJSON_PRIVATE_KEY` must point to the right directory, with the filename being the public key and the contents, the private key, a key directory you'll provide later, or just pass the `--write` flag for `eyaml` to handle it for you.
 
 ```shell
 -> % eyaml keygen
@@ -96,7 +97,12 @@ b01592942ba10f152bcf7c6b6734f6392554c578ff24cebcc62f9e3da6fcf302
 
 ### Rails
 
-`eyaml` comes with baked in Rails support. It will search for a secrets or credentials file in `config/`, decrypt, and load the first valid one it finds.
+`eyaml` comes with baked in Rails support.
+It will search for a rails secrets or credentials file in `config/`, decrypt, and load the first valid one it finds.
+
+For this a public-private keyfile needs to be present, which you can generate with `eyaml keygen`. For a development/test environment you can keep this in your
+version control, but on production you want to take the proper precautions since this can contain your rails master key as well.
+
 Credential files have priority over secrets before rails 7.2:
 `credentials.{eyaml|eyml|ejson}` (e.g. `config/credentials.eyaml`) then `credentials.$env.{eyaml|eyml|ejson}` (e.g. `credentials.production.eyml`).
 Then if no credentials are found it will look for a secrets file:
@@ -106,6 +112,55 @@ Note: From rails 7.2 onwards secrets are deprecated and eyaml will only look for
 
 Instead of needing a private key locally, you can provide it to EYAML by setting `EJSON_PRIVATE_KEY` and it'll be automatically used for decrypting the secrets file.
 
+If you put your rails master key encrypted in the eyaml file, make sure you don't have another `master.key` file somewhere, since that can interfere.
+
+### Example setup
+
+To add encryption + credentials to a rails project do the following things:
+
+- Generate a private-public keypair with (or add the --write flag and a keypair file will be written to `/opt/ejson/keys/`):
+  ```shell
+  eyaml keygen
+
+  Public Key: a3dbdef9efd1e52a34588de56a6cf9b03bbc2aaf0edda145cfbd9a6370a0a849
+  Private Key: b01592942ba10f152bcf7c6b6734f6392554c578ff24cebcc62f9e3da6fcf302
+  ```
+
+  For this example I show you a dev setup, but for test, production etc. it works the same.
+
+- Create a file with the name of the public key that contains the private key.
+  If you don't want to add the file to the `/opt/ejson/keys/` (for for example a dev/test environment) so you can check it in with your version management you can set the `EJSON_KEYDIR` to the keypair file
+  in rails `application.rb` like so:
+  ```ruby
+  ENV["EJSON_KEYDIR"] = File.expand_path("../dev/ejson-keys", __dir__) unless Rails.env.production?
+  ```
+  and rails will look there for the file decryption when the environment loads.
+  You can test this by calling
+  ```ruby
+  Rails.application.credentials.secret_key_base
+  ```
+  in a rails console and it should give you back the unencrypted key.
+
+  Note that you should not have a `config/master.key` file present (created by rails when using it's credentials management like for ex when calling `rails credentials:edit`) when using eyaml.
+  Eyaml is a replacement for rails's credentials management and currently conflicts with it. Eyaml will raise when a master.key is present.
+
+- Create a `config/credentials.development.eyaml` file
+- In the credentials file add:
+  ```yaml
+  _public_key: a3dbdef9efd1e52a34588de56a6cf9b03bbc2aaf0edda145cfbd9a6370a0a849
+  ```
+  on top
+- You can then add your rails `secret_key_base` like so:
+  ```yaml
+  secret_key_base: <secret>
+  ```
+  And any other key you need in there.
+- Then every time you edit your eyaml file(s) run (for ex for development):
+  ```shell
+  eyaml encrypt config/credentials.development.eyaml
+  ```
+  And you can see that the key put in there is encrypted afterwards (except the ones starting with an `_`).
+
 ### Apple M1 Support
 
 If you're using the new Apple M1, you need to ensure that you're using a `ffi` that is working. We've temporarily been including a fork with a fix in any `Gemfile` where we've included `eyaml`:

data/eyaml.gemspec

@@ -26,4 +26,5 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency("rake", "~> 13.0")
   spec.add_development_dependency("rspec", "~> 3.0")
+  spec.add_development_dependency("debug")
 end

data/lib/eyaml/railtie.rb

@@ -8,7 +8,13 @@ module EYAML
     class Railtie < Rails::Railtie
       PRIVATE_KEY_ENV_VAR = "EJSON_PRIVATE_KEY"
 
+      class ConflictError < StandardError
+      end
+
       config.before_configuration do
+        if File.exist?(Rails.root.join("config", "master.key"))
+          raise ConflictError, "A config/master.key has been found. The rails credentials lookup conflicts with eyaml. Please remove rails credentials management by removing the master.key file to keep using eyaml."
+        end
         secret_files_present = Dir.glob(auth_files(:secrets)).any?
         credential_files_present = Dir.glob(auth_files(:credentials)).any?
 

data/lib/eyaml/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module EYAML
-  VERSION = "0.4.0"
+  VERSION = "0.4.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: eyaml
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.4.2
 platform: ruby
 authors:
 - Emil Stolarsky
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-15 00:00:00.000000000 Z
+date: 2024-06-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -66,6 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: debug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Secret management by encrypting values in a YAML file with a public/private
   keypair
 email: