eyaml 0.4.2 → 0.4.3

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3db8844c2bbddc8461708c26243e51830e6caabb0863b51a255dcef05f762842
4
- data.tar.gz: bc1103be88e0418663ce58bfc7f4b497466a9fe98a08b5ddddafae76d18667ce
3
+ metadata.gz: 00bde71da67e58726c900ee6a7136634ae077bec36610404aeb2ed79f6879408
4
+ data.tar.gz: 43c9ccc56469095c1c3f3e9fec7ef3d0f81506e0779729cac3f868131f96d72d
5
5
  SHA512:
6
- metadata.gz: 5b6f9ebcae7c5a2b7920abb7ec5e75e06c1ac2e51eff9b8ea7f61a00305c80e06b60bcc3219a5b94700a6d4af6ba6915f92c646573d00a4fb1a43732aa331ec1
7
- data.tar.gz: 4d6359cad8b3514dd4fdc8ecfe9ccfed07bd9e18a5d5bd6033633696111754e522001a18cc8c9746da0f065ee14bc8a2f6a7b009bd2bd7926293e2b658a9ccdc
6
+ metadata.gz: bc297dd8373669826b9573d81657656a29dfcd57bfad2d549c7c3b6e8e79087b8c5035083bdb99f53ef5579fb0b384b60f8c6c72f6ccdfce9a103beab36a2e9a
7
+ data.tar.gz: 277e8b83fafa73c21e3136684d648fc0b6ebff29c7656e25d26594490da18635af4ae84bf6db06895c8372180816f056f746303a27642463886a599ed5165eda
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- eyaml (0.4.0)
4
+ eyaml (0.4.3)
5
5
  rbnacl (~> 7.1)
6
6
  thor (~> 1.1)
7
7
 
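Review bot: The removed line shows the packaged Gemfile.lock still read `eyaml (0.4.0)` in the 0.4.2 release, so the lock file has been drifting from version.rb between releases. Regenerate it as part of the release step, or leave Gemfile.lock out of the gem's file list, since consumers of the gem never resolve against it.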
data/README.md CHANGED
@@ -169,6 +169,22 @@ If you're using the new Apple M1, you need to ensure that you're using a `ffi` t
169
169
  gem "ffi", github: "cheddar-me/ffi", branch: "apple-m1", submodules: true
170
170
  ```
171
171
 
172
+ ### Underscored vs de-underscored keys
173
+
174
+ Keys that start with an underscore are treated as-is and are assumed unencrypted in the secrets/credentials files.
175
+ To make our lives a little easier in calling them in the application they are callable without the underscore. So a `_secret` can be called with
176
+
177
+ ```ruby
178
+ Rails.application.credentials.secret
179
+ ```
180
+ and
181
+ ```ruby
182
+ Rails.application.credentials._secret
183
+ ```
184
+
185
+ To prevent conflicts with having the same name underscored and not, we don't allow that and the gem will raise an exception.
186
+ This makes sense since we believe it could be a security hazard to have an encrypted key also unencrypted. The best solution is to give either a different name to make the intention clear.
187
+
172
188
  ## Development
173
189
 
174
190
  To get started, make sure you have a working version of Ruby locally. Then clone the repo, and run `bin/setup` (this will install `libsodium` if you're on a Mac and setup bundler). Running `bundle exec rake` or `bundle exec rake spec` will run the test suite.
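Review bot: The last added sentence, "The best solution is to give either a different name to make the intention clear", does not parse; "give one of the two keys a different name" says what is meant. The section also says "the gem will raise an exception" without naming it. The check added in util.rb raises `KeyError`, and stating that here lets callers rescue it deliberately.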
@@ -87,7 +87,6 @@ module EYAML
87
87
  if value.is_a?(Hash)
88
88
  next [key, traverse(value, &block)]
89
89
  end
90
- # TODO(es): Add tests for keys with an underscore prefix not doing a nested skip
91
90
  if key.start_with?("_")
92
91
  next [key, value]
93
92
  end
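Review bot: Removing the TODO at old line 90 implies the test for underscore-prefixed keys now exists, but no spec change is visible in this package diff, so that should be confirmed in the repository. The behaviour worth pinning down is the ordering in this block: `value.is_a?(Hash)` is checked before `key.start_with?("_")`, so an underscored key whose value is a hash is still traversed, and only underscored keys with non-hash values are passed through untouched. The new README text ("treated as-is and are assumed unencrypted") should state that explicitly.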
data/lib/eyaml/railtie.rb CHANGED
@@ -35,8 +35,9 @@ module EYAML
35
35
  # for a public/private key in the key directory (either $EJSON_KEYDIR, if set, or /opt/ejson/keys)
36
36
  cipherdata = YAML.load_file(file)
37
37
  secrets = EYAML.decrypt(cipherdata, private_key: ENV[PRIVATE_KEY_ENV_VAR])
38
+ .except("_public_key")
39
+ secrets = EYAML::Util.with_deep_deundescored_keys(secrets)
38
40
  .deep_symbolize_keys
39
- .except(:_public_key)
40
41
 
41
42
  break Rails.application.send(secrets_or_credentials).deep_merge!(secrets)
42
43
  end
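Review bot: After this change `secrets` carries a de-underscored copy of every `_`-prefixed key, and `deep_merge!(secrets)` writes those copies into the Rails secrets or credentials without checking what is already there. The duplicate check in `with_deep_deundescored_keys` only looks inside the eyaml hash, so a plaintext `_foo` in the eyaml file can now replace a `foo` value that was already present on the merge target. Consider raising, or at least logging, when a de-underscored key collides with an existing key there. Moving `.except("_public_key")` ahead of the de-underscore step is right, since it keeps a `public_key` alias from being created; a short comment saying so would stop someone from reordering it back.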
data/lib/eyaml/util.rb CHANGED
@@ -6,6 +6,26 @@ module EYAML
6
6
  def pretty_yaml(some_hash)
7
7
  some_hash.to_yaml.delete_prefix("---\n")
8
8
  end
9
+
10
+ # This will look for any keys that starts with an underscore and duplicates that key-value pair
11
+ # but without the starting underscore.
12
+ # So {_a: "abab"} will become {_a: "abab", a: "abab"}
13
+ # This so we can easilly access our unencrypted secrets without having to add an underscore
14
+ def with_deep_deundescored_keys(hash)
15
+ hash.each_with_object({}) do |(key, value), total|
16
+ value = with_deep_deundescored_keys(value) if value.is_a?(Hash)
17
+
18
+ if key.start_with?("_")
19
+ deunderscored_key = key[1..]
20
+ # We don't want to have an underscored and de-underscored key with the same name, so raise. This could be a security issue
21
+ raise KeyError, "De-underscored key '#{key[1..]}' already exists." if total.key?(deunderscored_key)
22
+
23
+ total[deunderscored_key] = value unless total.key?(deunderscored_key)
24
+ end
25
+
26
+ total[key] = value
27
+ end
28
+ end
9
29
  end
10
30
  end
11
31
  end
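Review bot: The collision check on new line 21 tests `total.key?(deunderscored_key)`, and `total` only holds keys visited so far, so the result depends on key order. For `{"a" => 1, "_a" => 2}` it raises, but for `{"_a" => 2, "a" => 1}` nothing raises: `_a` is processed first and sets `total["a"]`, then the later `total[key] = value` for `a` silently overwrites it. Checking the input instead, `hash.key?(deunderscored_key)`, makes the guard order-independent and matches the README's statement that the gem raises. With the raise in place, the `unless total.key?(deunderscored_key)` guard on line 23 is redundant and can be dropped. Smaller points: the method name is spelled `deundescored` (missing an "r") and is now called from railtie.rb, so fix it before other code depends on it; the comment's example uses symbol keys, while `key[1..]` on a symbol returns a string; and hashes nested inside arrays are not visited.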
data/lib/eyaml/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module EYAML
4
- VERSION = "0.4.2"
4
+ VERSION = "0.4.3"
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: eyaml
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.2
4
+ version: 0.4.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Emil Stolarsky
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-06-11 00:00:00.000000000 Z
11
+ date: 2024-07-17 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: thor