eyaml 0.4.2 → 0.4.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/README.md +16 -0
- data/lib/eyaml/encryption_manager.rb +0 -1
- data/lib/eyaml/railtie.rb +2 -1
- data/lib/eyaml/util.rb +20 -0
- data/lib/eyaml/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 00bde71da67e58726c900ee6a7136634ae077bec36610404aeb2ed79f6879408
|
|
4
|
+
data.tar.gz: 43c9ccc56469095c1c3f3e9fec7ef3d0f81506e0779729cac3f868131f96d72d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bc297dd8373669826b9573d81657656a29dfcd57bfad2d549c7c3b6e8e79087b8c5035083bdb99f53ef5579fb0b384b60f8c6c72f6ccdfce9a103beab36a2e9a
|
|
7
|
+
data.tar.gz: 277e8b83fafa73c21e3136684d648fc0b6ebff29c7656e25d26594490da18635af4ae84bf6db06895c8372180816f056f746303a27642463886a599ed5165eda
|
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
|
@@ -169,6 +169,22 @@ If you're using the new Apple M1, you need to ensure that you're using a `ffi` t
|
|
|
169
169
|
gem "ffi", github: "cheddar-me/ffi", branch: "apple-m1", submodules: true
|
|
170
170
|
```
|
|
171
171
|
|
|
172
|
+
### Underscored vs de-underscored keys
|
|
173
|
+
|
|
174
|
+
Keys that start with an underscore are treated as-is and are assumed unencrypted in the secrets/credentials files.
|
|
175
|
+
To make our lives a little easier in calling them in the application they are callable without the underscore. So a `_secret` can be called with
|
|
176
|
+
|
|
177
|
+
```ruby
|
|
178
|
+
Rails.application.credentials.secret
|
|
179
|
+
```
|
|
180
|
+
and
|
|
181
|
+
```ruby
|
|
182
|
+
Rails.application.credentials._secret
|
|
183
|
+
```
|
|
184
|
+
|
|
185
|
+
To prevent conflicts with having the same name underscored and not, we don't allow that and the gem will raise an exception.
|
|
186
|
+
This makes sense since we believe it could be a security hazard to have an encrypted key also unencrypted. The best solution is to give either a different name to make the intention clear.
|
|
187
|
+
|
|
172
188
|
## Development
|
|
173
189
|
|
|
174
190
|
To get started, make sure you have a working version of Ruby locally. Then clone the repo, and run `bin/setup` (this will install `libsodium` if you're on a Mac and setup bundler). Running `bundle exec rake` or `bundle exec rake spec` will run the test suite.
|
data/lib/eyaml/railtie.rb
CHANGED
|
@@ -35,8 +35,9 @@ module EYAML
|
|
|
35
35
|
# for a public/private key in the key directory (either $EJSON_KEYDIR, if set, or /opt/ejson/keys)
|
|
36
36
|
cipherdata = YAML.load_file(file)
|
|
37
37
|
secrets = EYAML.decrypt(cipherdata, private_key: ENV[PRIVATE_KEY_ENV_VAR])
|
|
38
|
+
.except("_public_key")
|
|
39
|
+
secrets = EYAML::Util.with_deep_deundescored_keys(secrets)
|
|
38
40
|
.deep_symbolize_keys
|
|
39
|
-
.except(:_public_key)
|
|
40
41
|
|
|
41
42
|
break Rails.application.send(secrets_or_credentials).deep_merge!(secrets)
|
|
42
43
|
end
|
data/lib/eyaml/util.rb
CHANGED
|
@@ -6,6 +6,26 @@ module EYAML
|
|
|
6
6
|
def pretty_yaml(some_hash)
|
|
7
7
|
some_hash.to_yaml.delete_prefix("---\n")
|
|
8
8
|
end
|
|
9
|
+
|
|
10
|
+
# This will look for any keys that starts with an underscore and duplicates that key-value pair
|
|
11
|
+
# but without the starting underscore.
|
|
12
|
+
# So {_a: "abab"} will become {_a: "abab", a: "abab"}
|
|
13
|
+
# This so we can easilly access our unencrypted secrets without having to add an underscore
|
|
14
|
+
def with_deep_deundescored_keys(hash)
|
|
15
|
+
hash.each_with_object({}) do |(key, value), total|
|
|
16
|
+
value = with_deep_deundescored_keys(value) if value.is_a?(Hash)
|
|
17
|
+
|
|
18
|
+
if key.start_with?("_")
|
|
19
|
+
deunderscored_key = key[1..]
|
|
20
|
+
# We don't want to have an underscored and de-underscored key with the same name, so raise. This could be a security issue
|
|
21
|
+
raise KeyError, "De-underscored key '#{key[1..]}' already exists." if total.key?(deunderscored_key)
|
|
22
|
+
|
|
23
|
+
total[deunderscored_key] = value unless total.key?(deunderscored_key)
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
total[key] = value
|
|
27
|
+
end
|
|
28
|
+
end
|
|
9
29
|
end
|
|
10
30
|
end
|
|
11
31
|
end
|
data/lib/eyaml/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: eyaml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Emil Stolarsky
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-07-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: thor
|