RubyGems - one_secret - Versions diffs - 1.0.0 - Mend

one_secret 1.0.0

Files changed (19) hide show

checksums.yaml +7 -0
data/.gitignore +22 -0
data/Gemfile +4 -0
data/LICENSE.txt +22 -0
data/README.md +88 -0
data/Rakefile +6 -0
data/lib/one_secret/key_resolution.rb +49 -0
data/lib/one_secret/railtie.rb +15 -0
data/lib/one_secret/secret.rb +28 -0
data/lib/one_secret/secrets_yaml.rb +21 -0
data/lib/one_secret/tasks.rake +31 -0
data/lib/one_secret/version.rb +3 -0
data/lib/one_secret.rb +30 -0
data/one-secret.gemspec +27 -0
data/spec/one_secret/key_resolution_spec.rb +71 -0
data/spec/one_secret/secret_spec.rb +66 -0
data/spec/one_secret/secrets_yaml_spec.rb +49 -0
data/spec/spec_helper.rb +27 -0
metadata +149 -0

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0c8a5942cb4fc9c9d963c5c864bd010f99654383
+  data.tar.gz: b6de107225f64c0352e8021c36b95a994ee72f86
+SHA512:
+  metadata.gz: 1e47321d197d53553fc6a6341275acc0501d2aab999e5364a773852e157c7219ea7dcb4abb68f16a9535631177ed7131b45aa1c5a501555b44779d9821d6b584
+  data.tar.gz: 73d9e80006eedbebc63cda314ec99e870d5d4239e4d4e17d433d12888b249692c7f339679b657621e58ed7b10d6540e2a206aa6178a0547af66f49b3f5acb905

data/.gitignore ADDED Viewed

@@ -0,0 +1,22 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/Gemfile ADDED Viewed

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+# Specify your gem's dependencies in one_secret.gemspec
+gemspec

data/LICENSE.txt ADDED Viewed

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Omer Rauchwerger
+MIT License
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md ADDED Viewed

@@ -0,0 +1,88 @@
+# OneSecret
+If you're storing your application keys, passwords and other secrets apart
+from your main git repository and you are working in a team, you
+probably know that managing those secrets across the team is a pain in
+the ass.
+OneSecret aims to remedy that by encrypting all your secrets
+inside Rails' secrets.yml and decrypting them on the fly so that they are freely
+available to your application.
+OneSecret uses Rails' `secret_key_base` as a key for encrypting your
+secrets, so the only thing you need to set in your Production servers is the `secret_key_base` (you should be doing that even if you don't use OneSecret).
+## Installation
+Add this line to your application's Gemfile:
+    gem 'one_secret'
+And then execute:
+    $ bundle
+Or install it yourself as:
+    $ gem install one_secret
+## Usage
+### Setting a new secret
+To set a new secret, simply call the `one_secret:set` task:
+    $ rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
+That's it! This will encrypt the value and keep it inside
+`config/secrets.yml`. Feel free to commit that file to your git
+repository.
+### Accessing secrets
+Inside your app, secrets are decrypted automatically, so you can use them freely:
+    Rails.application.secrets.aws_secret_key # => aba41f7bea276da49ef50aa33474fee4
+Also, all secrets are copied to `ENV`, so you can also use this:
+    ENV['aws_secret_key'] # => aba41f7bea276da49ef50aa33474fee4
+If you want to access secrets outside Rails, use the `one_secret:get`
+task:
+    $ rake one_secret:get aws_secret_key
+    > aba41f7bea276da49ef50aa33474fee4
+### Setting secrets for the Production environment
+Since the Production `secret_key_base` is only available in your Production servers, you should provide the `secret_key_base` to the `one_secret:set` Rake task when setting Production secrets. This could be done in one of the following ways:
+#### Pass `secret_key_base` In
+If your app is on Heroku, you can wire `heroku config:get`:
+    $ RAILS_ENV=production SECRET_KEY_BASE=`heroku config:get SECRET_KEY_BASE` rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
+If you're not on Heroku, you can pass your Production `secret_key_base` to Rake:
+    $  RAILS_ENV=production SECRET_KEY_BASE=<your production secret> rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
+**Important** - note that there is an extra space at the beginning of this command. Make sure you prefix your command with that extra space so it doesn't get saved in your shell history.
+#### Type `secret_key_base` In
+If your running environment doesn't have a `secret_key_base`, OneSecret will simply prompt for it.
+    $ RAILS_ENV=production rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
+    > <OneSecret> Please enter your secret key: <paste your production secret here>
+Accessing secrets is the same for Production, as your Production machines would typically have `ENV['secret_key_base']` present.
+## Contributing
+1. Fork it ( https://github.com/rauchy/one_secret/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile ADDED Viewed

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require 'rake/testtask'
+Rake::TestTask.new do |t|
+  t.pattern = "spec/**/*_spec.rb"
+end

data/lib/one_secret/key_resolution.rb ADDED Viewed

@@ -0,0 +1,49 @@
+require "active_support/core_ext"
+module OneSecret
+  module KeyResolution
+    def self.try(*strategies)
+      strategies.each do |strategy|
+        klass_name = "OneSecret::KeyResolution::#{strategy.to_s.capitalize}"
+        klass = klass_name.constantize
+        instance = klass.new
+        key = instance.key
+        return key if key
+      end
+      raise OneSecret.message("Cannot resolve key.")
+    end
+    class Env
+      def initialize(env = ENV)
+        @env = env
+      end
+      def key
+        @env["secret_key_base"] || @env["SECRET_KEY_BASE"]
+      end
+    end
+    class Rails
+      def key
+        ::Rails.application.secrets.secret_key_base
+      end
+    end
+    class Stdin
+      require 'io/console'
+      def initialize(output = STDOUT, input = STDIN)
+        @output = output
+        @input = input
+      end
+      def key
+        @output.print OneSecret.message("Please enter your secret key: ")
+        key = @input.noecho(&:gets).chomp
+        @output.puts
+        key unless key.blank?
+      end
+    end
+  end
+end

data/lib/one_secret/railtie.rb ADDED Viewed

@@ -0,0 +1,15 @@
+module OneSecret
+  class Railtie < Rails::Railtie
+    config.before_initialize do
+      Secret.key = KeyResolution.try(:env, :rails, :stdin)
+      Rails.application.secrets.each_pair do |key, value|
+        Rails.application.secrets[key] = ENV[key.to_s] = Secret.load(value)
+      end
+    end
+    rake_tasks do
+      load "one_secret/tasks.rake"
+    end
+  end
+end if defined?(Rails)

data/lib/one_secret/secret.rb ADDED Viewed

@@ -0,0 +1,28 @@
+module OneSecret
+  class Secret
+    class << self
+      def key=(key)
+        Encryptor.default_options.merge!({key: key})
+      end
+    end
+    def initialize(value)
+      @iv = SecureRandom.hex(16)
+      @salt = Time.now.to_i.to_s
+      @value = Encryptor.encrypt(to_hash.merge(value: value))
+    end
+    def to_hash
+      {
+        value: @value,
+        iv: @iv,
+        salt: @salt,
+        algorithm: Encryptor.default_options[:algorithm]
+      }
+    end
+    def self.load(encrypted_value)
+      Encryptor.decrypt(encrypted_value) rescue encrypted_value
+    end
+  end
+end

data/lib/one_secret/secrets_yaml.rb ADDED Viewed

@@ -0,0 +1,21 @@
+require 'yaml'
+require 'erb'
+module OneSecret
+  class SecretsYAML
+    attr_reader :values
+    def initialize(path)
+      @path = path
+      @values = YAML.load(IO.read(path))
+    end
+    def set(environment, key, value)
+      @values[environment][key] = value
+    end
+    def save
+      File.write(@path, @values.to_yaml)
+    end
+  end
+end

data/lib/one_secret/tasks.rake ADDED Viewed

@@ -0,0 +1,31 @@
+namespace :one_secret do
+  desc "Encrypts and sets a new secret in config/secrets.yml under the current environment"
+  task :set => :environment do
+    key, value = *ARGV[1..2]
+    OneSecret.set(Rails.env, key, value)
+    disable_tasks(key, value)
+  end
+  desc "Encrypts and displays a new secret, but does not store it in config/secrets.yml"
+  task :build => :environment do
+    value = ARGV[1]
+    puts OneSecret.build(value).to_hash
+    disable_tasks(value)
+  end
+  desc "Decrypts and gets a secret from the current environment in config/secrets.yml"
+  task :get => :environment do
+    key = ARGV[1]
+    puts OneSecret.get(Rails.env, key)
+    disable_tasks(key)
+  end
+  def disable_tasks(*tasks)
+    tasks.each do |task_name|
+      task task_name.to_sym do ; end
+    end
+  end
+end

data/lib/one_secret/version.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module OneSecret
+  VERSION = "1.0.0"
+end

data/lib/one_secret.rb ADDED Viewed

@@ -0,0 +1,30 @@
+require "one_secret/version"
+require "one_secret/key_resolution"
+require "one_secret/secret"
+require "one_secret/secrets_yaml"
+require "encryptor"
+require "one_secret/railtie"
+module OneSecret
+  def self.build(value)
+    Secret.new(value)
+  end
+  def self.set(environment, key, value)
+    secrets = SecretsYAML.new("config/secrets.yml")
+    build(value).tap do |secret|
+      secrets.set(Rails.env, key, secret.to_hash)
+      secrets.save
+    end
+  end
+  def self.get(environment, key)
+    secrets = SecretsYAML.new("config/secrets.yml")
+    secret = secrets.values[Rails.env][key]
+    Secret.load(secret)
+  end
+  def self.message(text)
+    "\e[33m<OneSecret>\e[0m #{text}"
+  end
+end

data/one-secret.gemspec ADDED Viewed

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'one_secret/version'
+Gem::Specification.new do |spec|
+  spec.name          = "one_secret"
+  spec.version       = OneSecret::VERSION
+  spec.authors       = ["Omer Lachish-Rauchwerger"]
+  spec.email         = ["omer@rauchy.net"]
+  spec.summary       = %q{Keep application secrets easily and securely as part of your Rails app.}
+  spec.description   = %q{}
+  spec.homepage      = ""
+  spec.license       = "MIT"
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+  spec.add_development_dependency "bundler", "~> 1.6"
+  spec.add_development_dependency "pry"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec-mocks", "~> 3.0.2"
+  spec.add_dependency "activesupport"
+  spec.add_dependency "encryptor"
+end

data/spec/one_secret/key_resolution_spec.rb ADDED Viewed

@@ -0,0 +1,71 @@
+require './spec/spec_helper'
+module OneSecret
+  describe KeyResolution do
+    it "instantiates strategies" do
+      KeyResolution::Foo = double("FooKeyResolution")
+      expect(KeyResolution::Foo).to receive(:new).and_return(double(key: true))
+      KeyResolution.try(:foo)
+    end
+    it "uses strategies" do
+      KeyResolution::Bar = double(new: double(key: 5))
+      KeyResolution.try(:bar).must_equal 5
+    end
+    it "tries all strategies until some key is returned" do
+      KeyResolution::Bar = double(new: double(key: nil))
+      KeyResolution::Baz = double(new: double(key: 5))
+      KeyResolution::Qux = double(new: double(key: 6))
+      KeyResolution.try(:bar, :baz, :qux).must_equal 5
+    end
+    it "raises an error if no key was found using all strategies" do
+      KeyResolution::Bar = double(new: double(key: nil))
+      -> { KeyResolution.try(:bar) }.must_raise RuntimeError
+    end
+    describe KeyResolution::Env do
+      it "resolves a key using an environment variable called 'secret_key_base'" do
+        KeyResolution::Env.new({"secret_key_base" => "hola"}).key.must_equal "hola"
+      end
+      it "resolves a key using an environment variable called 'SECRET_KEY_BASE'" do
+        KeyResolution::Env.new({"SECRET_KEY_BASE" => "amigo"}).key.must_equal "amigo"
+      end
+      it "fails to resolve a key otherwise" do
+        KeyResolution::Env.new({}).key.must_be_nil
+      end
+    end
+    describe KeyResolution::Rails do
+      it "resolves a key using Rails' application secrets" do
+        ::Rails = double
+        ::Rails.stub_chain(:application, :secrets, :secret_key_base).and_return("hola")
+        KeyResolution::Rails.new.key.must_equal "hola"
+      end
+      it "fails to resolve a key otherwise" do
+        ::Rails = double
+        ::Rails.stub_chain(:application, :secrets, :secret_key_base)
+        KeyResolution::Rails.new.key.must_be_nil
+      end
+    end
+    describe KeyResolution::Stdin do
+      it "asks the user to type in the secret key" do
+        output = double(print: true, puts: true)
+        input = double(noecho: "hola")
+        KeyResolution::Stdin.new(output, input).key.must_equal "hola"
+      end
+      it "fails to resolve a secret key if entered empty" do
+        output = double(print: true, puts: true)
+        input = double(noecho: "")
+        KeyResolution::Stdin.new(output, input).key.must_be_nil
+      end
+    end
+  end
+end

data/spec/one_secret/secret_spec.rb ADDED Viewed

@@ -0,0 +1,66 @@
+require './spec/spec_helper'
+module OneSecret
+  describe Secret do
+    def with_iv(iv)
+      SecureRandom.stub(:hex, iv) { yield }
+    end
+    def with_salt(salt)
+      Time.stub(:now, salt) { yield }
+    end
+    before do
+      Secret.key = "f3bbdba9485ac1ee1412d2c839be0a0f"
+    end
+    it "encrypts a string" do
+      with_iv "I am a random iv" do
+        with_salt Time.at(0) do
+          secret = Secret.new("Encrypt me!")
+          secret.to_hash.keys.must_include :value
+          secret.to_hash[:value].must_be :!=, "Encrypt me!"
+        end
+      end
+    end
+    it "uses a random iv" do
+      with_iv "I am a random iv" do
+        secret = Secret.new("Encrypt me!")
+        secret.to_hash.keys.must_include :iv
+        secret.to_hash[:iv].must_equal "I am a random iv"
+      end
+    end
+    it "uses now as a salt" do
+      with_salt Time.at(0) do
+        secret = Secret.new("Encrypt me!")
+        secret.to_hash.keys.must_include :salt
+        secret.to_hash[:salt].must_equal "0"
+      end
+    end
+    it "specifies the algorithm being used" do
+      secret = Secret.new("Encrypt me!")
+      secret.to_hash.keys.must_include :algorithm
+      secret.to_hash[:algorithm].must_equal "aes-256-cbc"
+    end
+    describe ".load" do
+      it "returns the same value when a non-encrypted hash is provided" do
+        Secret.load("I am not encrypted").must_equal "I am not encrypted"
+      end
+      it "decrypts encrypted hashes" do
+        encrypted_hash = {
+          value: "\xE6N\x9DF\xDA%\xC2nR\n\x1D\x9F\xE0l\xB1\x1F",
+          iv: "b511f7ffa666467c1c55f466886277b8",
+          salt: "12be65aafdd78c0540146f2f995c95c7",
+          algorithm: "aes-256-cbc"
+        }
+        Secret.load(encrypted_hash).must_equal "I am encrypted"
+      end
+    end
+  end
+end

data/spec/one_secret/secrets_yaml_spec.rb ADDED Viewed

@@ -0,0 +1,49 @@
+require './spec/spec_helper'
+require 'tempfile'
+module OneSecret
+  describe SecretsYAML do
+    def temp_file(content)
+      file = Tempfile.new('foo')
+      file.write(content)
+      file.flush
+      file.path
+    end
+    it "sets new values in the correct environment" do
+      path = temp_file """---
+development:
+  foo: bar
+test:
+  bar: baz
+production:
+  baz: qux
+"""
+      secrets = SecretsYAML.new(path)
+      secrets.set("test", "bar", "barness")
+      secrets.save
+      File.readlines(path).join("\n").must_equal """---
+development:
+  foo: bar
+test:
+  bar: barness
+production:
+  baz: qux
+"""
+    end
+  end
+end

data/spec/spec_helper.rb ADDED Viewed

@@ -0,0 +1,27 @@
+require './lib/one_secret'
+require 'minitest/autorun'
+require 'minitest/spec'
+require 'minitest/pride'
+require 'rspec/mocks'
+require 'minitest/autorun'
+require 'rspec/mocks'
+module MinitestRSpecMocksIntegration
+  include ::RSpec::Mocks::ExampleMethods
+  def before_setup
+    ::RSpec::Mocks.setup
+    super
+  end
+  def after_teardown
+    super
+    ::RSpec::Mocks.verify
+  ensure
+    ::RSpec::Mocks.teardown
+  end
+end
+Minitest::Spec.send(:include, MinitestRSpecMocksIntegration)

metadata ADDED Viewed

@@ -0,0 +1,149 @@
+--- !ruby/object:Gem::Specification
+name: one_secret
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Omer Lachish-Rauchwerger
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2014-07-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-mocks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.0.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.0.2
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: encryptor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: ''
+email:
+- omer@rauchy.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/one_secret.rb
+- lib/one_secret/key_resolution.rb
+- lib/one_secret/railtie.rb
+- lib/one_secret/secret.rb
+- lib/one_secret/secrets_yaml.rb
+- lib/one_secret/tasks.rake
+- lib/one_secret/version.rb
+- one-secret.gemspec
+- spec/one_secret/key_resolution_spec.rb
+- spec/one_secret/secret_spec.rb
+- spec/one_secret/secrets_yaml_spec.rb
+- spec/spec_helper.rb
+homepage: ''
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.1.11
+signing_key:
+specification_version: 4
+summary: Keep application secrets easily and securely as part of your Rails app.
+test_files:
+- spec/one_secret/key_resolution_spec.rb
+- spec/one_secret/secret_spec.rb
+- spec/one_secret/secrets_yaml_spec.rb
+- spec/spec_helper.rb