eyaml 0.4.2 → 0.4.3

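--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 3db8844c2bbddc8461708c26243e51830e6caabb0863b51a255dcef05f762842
- data.tar.gz: bc1103be88e0418663ce58bfc7f4b497466a9fe98a08b5ddddafae76d18667ce
+ metadata.gz: 00bde71da67e58726c900ee6a7136634ae077bec36610404aeb2ed79f6879408
+ data.tar.gz: 43c9ccc56469095c1c3f3e9fec7ef3d0f81506e0779729cac3f868131f96d72d
  SHA512:
- metadata.gz: 5b6f9ebcae7c5a2b7920abb7ec5e75e06c1ac2e51eff9b8ea7f61a00305c80e06b60bcc3219a5b94700a6d4af6ba6915f92c646573d00a4fb1a43732aa331ec1
- data.tar.gz: 4d6359cad8b3514dd4fdc8ecfe9ccfed07bd9e18a5d5bd6033633696111754e522001a18cc8c9746da0f065ee14bc8a2f6a7b009bd2bd7926293e2b658a9ccdc
+ metadata.gz: bc297dd8373669826b9573d81657656a29dfcd57bfad2d549c7c3b6e8e79087b8c5035083bdb99f53ef5579fb0b384b60f8c6c72f6ccdfce9a103beab36a2e9a
+ data.tar.gz: 277e8b83fafa73c21e3136684d648fc0b6ebff29c7656e25d26594490da18635af4ae84bf6db06895c8372180816f056f746303a27642463886a599ed5165eda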
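--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
  PATH
  remote: .
  specs:
- eyaml (0.4.0)
+ eyaml (0.4.3)
  rbnacl (~> 7.1)
  thor (~> 1.1)
 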
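--- a/data/README.md
+++ b/data/README.md
@@ -169,6 +169,22 @@ If you're using the new Apple M1, you need to ensure that you're using a `ffi` t
  gem "ffi", github: "cheddar-me/ffi", branch: "apple-m1", submodules: true
  ```
 
+ ### Underscored vs de-underscored keys
+
+ Keys that start with an underscore are treated as-is and are assumed unencrypted in the secrets/credentials files.
+ To make our lives a little easier in calling them in the application they are callable without the underscore. So a `_secret` can be called with
+
+ ```ruby
+ Rails.application.credentials.secret
+ ```
+ and
+ ```ruby
+ Rails.application.credentials._secret
+ ```
+
+ To prevent conflicts with having the same name underscored and not, we don't allow that and the gem will raise an exception.
+ This makes sense since we believe it could be a security hazard to have an encrypted key also unencrypted. The best solution is to give either a different name to make the intention clear.
+
  ## Development
 
  To get started, make sure you have a working version of Ruby locally. Then clone the repo, and run `bin/setup` (this will install `libsodium` if you're on a Mac and setup bundler). Running `bundle exec rake` or `bundle exec rake spec` will run the test suite.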
@@ -87,7 +87,6 @@ module EYAML
87
87
  if value.is_a?(Hash)
88
88
  next [key, traverse(value, &block)]
89
89
  end
90
- # TODO(es): Add tests for keys with an underscore prefix not doing a nested skip
91
90
  if key.start_with?("_")
92
91
  next [key, value]
93
92
  end
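--- a/data/lib/eyaml/railtie.rb
+++ b/data/lib/eyaml/railtie.rb
@@ -35,8 +35,9 @@ module EYAML
  # for a public/private key in the key directory (either $EJSON_KEYDIR, if set, or /opt/ejson/keys)
  cipherdata = YAML.load_file(file)
  secrets = EYAML.decrypt(cipherdata, private_key: ENV[PRIVATE_KEY_ENV_VAR])
+ .except("_public_key")
+ secrets = EYAML::Util.with_deep_deundescored_keys(secrets)
  .deep_symbolize_keys
- .except(:_public_key)
 
  break Rails.application.send(secrets_or_credentials).deep_merge!(secrets)
  end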
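Review bot: The placement of `.except("_public_key")` ahead of `EYAML::Util.with_deep_deundescored_keys(secrets)` is load-bearing but carries no comment saying so: if the key were still present when keys are de-underscored, a `public_key` copy would be merged into the application's secrets or credentials. A line such as `# Drop _public_key before de-underscoring so no public_key copy is created` above the first `secrets =` assignment would keep a later reorder from reintroducing it. The helper name is also spelled `deundescored` (missing an "r") here and in util.rb; since it lives on `EYAML::Util` it is easier to correct now than after callers depend on it. The enclosing block starts and ends outside the hunk.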
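--- a/data/lib/eyaml/util.rb
+++ b/data/lib/eyaml/util.rb
@@ -6,6 +6,26 @@ module EYAML
  def pretty_yaml(some_hash)
  some_hash.to_yaml.delete_prefix("---\n")
  end
+
+ # This will look for any keys that starts with an underscore and duplicates that key-value pair
+ # but without the starting underscore.
+ # So {_a: "abab"} will become {_a: "abab", a: "abab"}
+ # This so we can easilly access our unencrypted secrets without having to add an underscore
+ def with_deep_deundescored_keys(hash)
+ hash.each_with_object({}) do |(key, value), total|
+ value = with_deep_deundescored_keys(value) if value.is_a?(Hash)
+
+ if key.start_with?("_")
+ deunderscored_key = key[1..]
+ # We don't want to have an underscored and de-underscored key with the same name, so raise. This could be a security issue
+ raise KeyError, "De-underscored key '#{key[1..]}' already exists." if total.key?(deunderscored_key)
+
+ total[deunderscored_key] = value unless total.key?(deunderscored_key)
+ end
+
+ total[key] = value
+ end
+ end
  end
  end
  end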
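Review bot: The collision check in `with_deep_deundescored_keys` depends on key order, because it tests `total` (the keys copied so far) rather than the input hash. With `secret` listed before `_secret` it raises, but with `_secret` first the later `total[key] = value` for `secret` silently overwrites the copy, so the README's statement that a duplicate name raises does not hold for that ordering. Checking the input closes the gap: `raise KeyError, "De-underscored key '#{deunderscored_key}' already exists." if hash.key?(deunderscored_key)`, after which the `unless total.key?(deunderscored_key)` modifier on the following line is redundant and can go. `key.start_with?("_")` also assumes every key is a String; if the decrypted hash can carry non-String keys (YAML integer keys, for instance) the condition would need `key.is_a?(String) &&` in front. A spec covering both key orderings would pin the intended behaviour.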
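--- a/data/lib/eyaml/version.rb
+++ b/data/lib/eyaml/version.rb
@@ -1,5 +1,5 @@
  # frozen_string_literal: true
 
  module EYAML
- VERSION = "0.4.2"
+ VERSION = "0.4.3"
  end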
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: eyaml
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.2
4
+ version: 0.4.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Emil Stolarsky
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-06-11 00:00:00.000000000 Z
11
+ date: 2024-07-17 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: thor