kryptos 1.0.0 → 2.0.0
- checksums.yaml +7 -0
- data/README.md +19 -41
- data/kryptos.gemspec +2 -2
- data/lib/kryptos/secret.rb +31 -12
- data/lib/kryptos/version.rb +1 -1
- data/lib/kryptos.rb +1 -6
- metadata +14 -17
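--- /dev/null
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: 142fc66be80d6e4a602c0478ca358379c56e2b9b
+data.tar.gz: de4806b2f1035b65a1090e6c82b4b41e7fa4dbbe
+SHA512:
+metadata.gz: b9b6cb688dd09e6a06bd24c1e84a4d5d8559406067f8250a743ec49262c7ffde51c39e239e163fab6a072c32ab2ef61cfc7ffc3a223cc0ca3269802e6d34583e
+data.tar.gz: b7504adfff38e829d45407709b0d67c5846c755aeb8de31ee3085a0f918a0f26b322995fb174d3a71fb11d6177d3d85e7d6596a026fa800b530e3a2d17121e7a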
data/README.md
CHANGED
@@ -1,11 +1,15 @@
|
|
1
1
|
# Kryptos
|
2
2
|
|
3
|
-
Kryptos provides a way to avoid checking in unencrypted application secrets such as
|
3
|
+
Kryptos provides a way to avoid checking in unencrypted application secrets such as
|
4
|
+
API keys. The secrets will be encrypted using a file based key stored on your
|
5
|
+
development machine.
|
4
6
|
|
5
|
-
Your typical workflow should be unaffected, as Kryptos handles decryption and
|
7
|
+
Your typical workflow should be unaffected, as Kryptos handles decryption and
|
8
|
+
encryption automatically. The encrypted file will be version controlled and deployed.
|
6
9
|
|
7
|
-
Kryptos depends on Rails and has one gem dependency - the 'gibberish' library, which
|
8
|
-
|
10
|
+
Kryptos depends on Rails and has one gem dependency - the 'gibberish' library, which
|
11
|
+
has no other dependencies. Kryptos itself is less than 100 lines of code and does
|
12
|
+
not do any weird monkeypatching. So overhead should be quite light.
|
9
13
|
|
10
14
|
|
11
15
|
## Installation
|
@@ -16,59 +20,33 @@ Add this line to your application's Gemfile:
|
|
16
20
|
|
17
21
|
And then execute:
|
18
22
|
|
19
|
-
$ bundle
|
23
|
+
$ bundle install
|
20
24
|
|
21
25
|
Or install it yourself as:
|
22
26
|
|
23
27
|
$ gem install kryptos
|
24
28
|
|
29
|
+
Next, remove config/secrets.yml from git and add the following entries to your .gitignore:
|
25
30
|
|
26
|
-
|
27
|
-
|
28
|
-
Add a migration for the KryptosSecrets table. This table will contain one row with your randomly generated secret. The migration should look like:
|
29
|
-
|
30
|
-
class AddKryptosSecrets < ActiveRecord::Migration
|
31
|
-
def change
|
32
|
-
create_table :kryptos_secrets do |t|
|
33
|
-
t.string :secret
|
34
|
-
end
|
35
|
-
end
|
36
|
-
end
|
31
|
+
config/secrets.yml
|
32
|
+
config/kryptos.key
|
37
33
|
|
38
34
|
You can use OpenSSL or an equivalent tool to generate a random password.
|
39
35
|
|
40
|
-
$ openssl rand -base64
|
41
|
-
RANDOMSECRET
|
36
|
+
$ openssl rand -base64 48 > config/kryptos.key
|
42
37
|
|
43
|
-
|
44
|
-
|
45
|
-
$ rails console
|
46
|
-
> KryptosSecret.create({ :secret => 'RANDOMSECRET'}, :without_protection => true)
|
38
|
+
Now put your secrets into config/secrets.yml (which should not be tracked by git any more).
|
47
39
|
|
48
|
-
|
40
|
+
development:
|
41
|
+
secret_key_base: 3b7cd727aa24e8444053437c36cc66c3
|
42
|
+
sample_api_key: DUMMY
|
49
43
|
|
50
|
-
module AppSecrets
|
51
|
-
|
52
|
-
AWS = Struct.new(:public_key, :private_key).new.tap do |s|
|
53
|
-
s.public_key = "foo"
|
54
|
-
s.private_key = "bar"
|
55
|
-
end
|
56
|
-
|
57
|
-
end
|
58
44
|
|
59
45
|
## Usage
|
60
46
|
|
61
47
|
Fire up the console again. You should be able to access the config data:
|
62
48
|
|
63
49
|
$ rails console
|
64
|
-
>
|
65
|
-
=> "
|
66
|
-
|
67
|
-
|
68
|
-
## Contributing
|
50
|
+
> Rails.application.secrets.sample_api_key
|
51
|
+
=> "DUMMY"
|
69
52
|
|
70
|
-
1. Fork it
|
71
|
-
2. Create your feature branch (`git checkout -b my-new-feature`)
|
72
|
-
3. Commit your changes (`git commit -am 'Add some feature'`)
|
73
|
-
4. Push to the branch (`git push origin my-new-feature`)
|
74
|
-
5. Create new Pull Request
|
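--- a/data/kryptos.gemspec
+++ b/data/kryptos.gemspec
@@ -8,8 +8,8 @@ Gem::Specification.new do |gem|
 gem.version = Kryptos::VERSION
 gem.authors = ["wlipa"]
 gem.email = ["dojo@masterleep.com"]
-gem.description = %q{Supports keeping your
-gem.summary = %q{Encrypt app secrets in source control using a
+gem.description = %q{Supports keeping your secrets.yml in source control, but encrypted using a key from the file system.}
+gem.summary = %q{Encrypt app secrets in source control using a file based key that is not version controlled}
 gem.homepage = ""
 
 gem.files = `git ls-files`.split($/)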
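--- a/data/lib/kryptos/secret.rb
+++ b/data/lib/kryptos/secret.rb
@@ -1,18 +1,38 @@
-class KryptosSecret
-
+class KryptosSecret
+
+def initialize
+end
+
 def gitignore_path
 "#{Rails.root}/.gitignore"
 end
-
+
+def relative_cleartext_path
+"config/secrets.yml"
+end
+
+def relative_key_path
+"config/kryptos.key"
+end
+
 def cleartext_path
-"#{Rails.root}
+"#{Rails.root}/#{relative_cleartext_path}"
 end
-
+
 def encrypted_path
 "#{cleartext_path}.enc"
 end
-
+
+def key_path
+"#{Rails.root}/#{relative_key_path}"
+end
+
+def secret
+@secret ||= IO.read(key_path).strip
+end
+
 def clandestine_operations
+raise "#{relative_key_path} does not exist" unless File.exists? key_path
 check_gitignore
 if File.exists? cleartext_path
 # If the encrypted version is out of date, regenerate it
@@ -21,23 +41,22 @@ class KryptosSecret < ActiveRecord::Base
 else
 decrypt_secrets
 end
-require cleartext_path
 end
-
+
 def check_gitignore
 return unless Rails.env.development?
-to_ignore = "config/kryptos.rb"
 ignores = IO.read(gitignore_path)
-raise "gitignore must ignore #{
+raise "gitignore must ignore #{relative_cleartext_path}" unless ignores =~ /^#{relative_cleartext_path}$/
+raise "gitignore must ignore #{relative_key_path}" unless ignores =~ /^#{relative_key_path}$/
 end
-
+
 def encrypt_secrets
 return unless Rails.env.development?
 Rails.logger.info "kryptos encrypt_secrets"
 cipher = Gibberish::AES.new(secret)
 IO.write(encrypted_path, cipher.encrypt(IO.read(cleartext_path)))
 end
-
+
 def decrypt_secrets
 Rails.logger.info "kryptos decrypt_secrets"
 cipher = Gibberish::AES.new(secret)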
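Review bot: The two gitignore checks added at new lines 49–50 interpolate the paths into a regex without escaping, so the `.` in `config/secrets.yml` and `config/kryptos.key` matches any character and an entry that merely resembles the path satisfies the guard; wrap them, e.g. `unless ignores =~ /^#{Regexp.escape(relative_cleartext_path)}$/` and `unless ignores =~ /^#{Regexp.escape(relative_key_path)}$/`. The per-line `^`/`$` anchors are right for a line-oriented .gitignore, though an entry written as `/config/secrets.yml` would still be rejected, which is worth a one-line comment if intended. The added `File.exists? key_path` at new line 35 uses the deprecated alias; `File.exist?` is the supported spelling. Since check_gitignore returns early outside development, this guard protects the developer's checkout only, and a comment saying so would prevent readers from assuming it covers other environments; the body of clandestine_operations between the two hunks (new lines 39–40) is outside this view.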
data/lib/kryptos/version.rb
CHANGED
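--- a/data/lib/kryptos.rb
+++ b/data/lib/kryptos.rb
@@ -7,12 +7,7 @@ module Kryptos
 # Hook Rails init process
 class Railtie < Rails::Railtie
 initializer 'kryptos', :before => 'load_environment_config' do |app|
-
-if ks
-ks.clandestine_operations
-else
-Rails.logger.info "no kryptos secret defined -- skipping"
-end
+KryptosSecret.new.clandestine_operations
 end
 end
 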
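Review bot: Replacing the `if ks … else … skipping` branch with `KryptosSecret.new.clandestine_operations` at new line 10 removes the initializer's no-op path, so a missing key file now aborts application boot in every environment (via the raise this commit adds to clandestine_operations in secret.rb); that fail-closed behaviour looks intended but should be stated on the line, e.g. `# Raises, aborting boot, when config/kryptos.key is missing -- see KryptosSecret#clandestine_operations`. The block parameter `app` is now unused; `do |_app|` makes that explicit.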
metadata
CHANGED
@@ -1,41 +1,38 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: kryptos
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
5
|
-
prerelease:
|
4
|
+
version: 2.0.0
|
6
5
|
platform: ruby
|
7
6
|
authors:
|
8
7
|
- wlipa
|
9
8
|
autorequire:
|
10
9
|
bindir: bin
|
11
10
|
cert_chain: []
|
12
|
-
date:
|
11
|
+
date: 2016-08-22 00:00:00.000000000 Z
|
13
12
|
dependencies:
|
14
13
|
- !ruby/object:Gem::Dependency
|
15
14
|
name: gibberish
|
16
15
|
requirement: !ruby/object:Gem::Requirement
|
17
|
-
none: false
|
18
16
|
requirements:
|
19
|
-
- -
|
17
|
+
- - ">="
|
20
18
|
- !ruby/object:Gem::Version
|
21
19
|
version: '0'
|
22
20
|
type: :runtime
|
23
21
|
prerelease: false
|
24
22
|
version_requirements: !ruby/object:Gem::Requirement
|
25
|
-
none: false
|
26
23
|
requirements:
|
27
|
-
- -
|
24
|
+
- - ">="
|
28
25
|
- !ruby/object:Gem::Version
|
29
26
|
version: '0'
|
30
|
-
description: Supports keeping your
|
31
|
-
|
27
|
+
description: Supports keeping your secrets.yml in source control, but encrypted using
|
28
|
+
a key from the file system.
|
32
29
|
email:
|
33
30
|
- dojo@masterleep.com
|
34
31
|
executables: []
|
35
32
|
extensions: []
|
36
33
|
extra_rdoc_files: []
|
37
34
|
files:
|
38
|
-
- .gitignore
|
35
|
+
- ".gitignore"
|
39
36
|
- Gemfile
|
40
37
|
- LICENSE.txt
|
41
38
|
- README.md
|
@@ -46,26 +43,26 @@ files:
|
|
46
43
|
- lib/kryptos/version.rb
|
47
44
|
homepage: ''
|
48
45
|
licenses: []
|
46
|
+
metadata: {}
|
49
47
|
post_install_message:
|
50
48
|
rdoc_options: []
|
51
49
|
require_paths:
|
52
50
|
- lib
|
53
51
|
required_ruby_version: !ruby/object:Gem::Requirement
|
54
|
-
none: false
|
55
52
|
requirements:
|
56
|
-
- -
|
53
|
+
- - ">="
|
57
54
|
- !ruby/object:Gem::Version
|
58
55
|
version: '0'
|
59
56
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
60
|
-
none: false
|
61
57
|
requirements:
|
62
|
-
- -
|
58
|
+
- - ">="
|
63
59
|
- !ruby/object:Gem::Version
|
64
60
|
version: '0'
|
65
61
|
requirements: []
|
66
62
|
rubyforge_project:
|
67
|
-
rubygems_version:
|
63
|
+
rubygems_version: 2.6.6
|
68
64
|
signing_key:
|
69
|
-
specification_version:
|
70
|
-
summary: Encrypt app secrets in source control using a
|
65
|
+
specification_version: 4
|
66
|
+
summary: Encrypt app secrets in source control using a file based key that is not
|
67
|
+
version controlled
|
71
68
|
test_files: []
|