one_secret 1.0.1 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3e6ecced2b2fd28691b954df6e31da6a1725ecab
-  data.tar.gz: e9d53b25fe331ce481a88274d376e18ee5ca27b5
+  metadata.gz: d92e86e4a1e7f67523a826c713580a6a9e2f897c
+  data.tar.gz: feacc094ab2ff27e542041c468bf37108a0fae94
 SHA512:
-  metadata.gz: 00fcfd0525e727279170cac1263b213869bb0897cc2fc0e53518463b1b88e9dce7b67720b64014bc889be38d6301243e87e77c27225dacf21f70164d6c0c429a
-  data.tar.gz: d7596da0e82404965fb5f003886efc2e3c147577b0396f3382d791ff8143eb6e80f682d296ba9f1aa129eaba9d6866f06b12b22cb9c610a4aca993d7f578293e
+  metadata.gz: 3ef3b84b365791adf3438ab3fff989f41c760c1657d0b06c2836158dc45d898005c91b5f66dceb2cca6433c03c1bb01b78793d71e7b5ef9214cd95b5baaa009e
+  data.tar.gz: 28bc13b6226b169ace616c81b58ca2fe44f28de3fceaeba74b964d4bebcbf9b87e3af780438329b2d40fb9615b4ae80fe3a6236fab0680d58845ab6db5ac6fcc

data/.travis.yml

@@ -0,0 +1,3 @@
+language: ruby
+rvm:
+  - 2.1.2

data/README.md

@@ -1,4 +1,4 @@
-# OneSecret
+# OneSecret [![Build Status](https://travis-ci.org/rauchy/one-secret.svg)](https://travis-ci.org/rauchy/one-secret)
 
 If you're storing your application keys, passwords and other secrets apart
 from your main git repository and you are working in a team, you
@@ -6,67 +6,109 @@ probably know that managing those secrets across the team is a pain in
 the ass.
 
 OneSecret aims to remedy that by encrypting all your secrets
-inside Rails' secrets.yml and decrypting them on the fly so that they are freely
-available to your application.
+inside Rails' `config/secrets.yml` and decrypting them on the fly so that they are freely
+available in your application.
 
 OneSecret uses Rails' `secret_key_base` as a key for encrypting your
-secrets, so the only thing you need to set in your Production servers is the `secret_key_base` (you should be doing that even if you don't use OneSecret).
+secrets, so the only thing you need to set in your Production servers is the `secret_key_base` (you should be doing this even if you don't use OneSecret).
 
 ## Installation
 
 Add this line to your application's Gemfile:
 
-    gem 'one_secret'
+```ruby
+gem 'one_secret'
+```
 
 And then execute:
 
-    $ bundle
+```sh
+$ bundle
+```
 
-Or install it yourself as:
+## Requirements
 
-    $ gem install one_secret
+This gem only works with Rails >= 4.1, since it tightly integrates with the `secrets.yml` which was added by Rails 4.1
 
 ## Usage
 
 ### Setting a new secret
 
-To set a new secret, simply call the `one_secret:set` task:
+To set a new secret, simply call the `one_secret:set` task with a key and value to encrypt:
 
-    $ rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
+```sh
+rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
+```
 
 That's it! This will encrypt the value and keep it inside
-`config/secrets.yml`. Feel free to commit that file to your git
-repository.
+`config/secrets.yml`. **Feel free to commit this file to your git
+repository.**
 
 ### Accessing secrets
 
-Inside your app, secrets are decrypted automatically, so you can use them freely:
+There are 3 ways to access your secrets:
 
-    Rails.application.secrets.aws_secret_key # => aba41f7bea276da49ef50aa33474fee4
+1. Inside your app, secrets are decrypted automatically, so you can use them freely:
 
-Also, all secrets are copied to `ENV`, so you can also use this:
+```ruby
+Rails.application.secrets.aws_secret_key # => aba41f7bea276da49ef50aa33474fee4
+```
 
-    ENV['aws_secret_key'] # => aba41f7bea276da49ef50aa33474fee4
+2. If you wish to, you can access all secrets through `ENV`:
 
-If you want to access secrets outside Rails, use the `one_secret:get`
+```ruby
+ENV['aws_secret_key'] # => aba41f7bea276da49ef50aa33474fee4
+```
+
+To enable access through `ENV`, add this configuration block to
+`application.rb`:
+
+```ruby
+# application.rb
+OneSecret.configure do
+  decrypt_into_env!
+end
+```
+
+3. If you want to access secrets outside Rails, use the `one_secret:get`
 task:
 
-    $ rake one_secret:get aws_secret_key
-    > aba41f7bea276da49ef50aa33474fee4
-    
+```sh
+rake one_secret:get aws_secret_key
+> aba41f7bea276da49ef50aa33474fee4
+```
+
+or you could use the `one_secret:get_all` task to get a hash of all
+decrypted values.
+
+### Determining the secret_key_base
+
+The above commands work in development since you have the `secret_key_base` set in `config/secrets.yml`. OneSecret
+will use the following strategy to determine what the value of `secret_key_base` should be:
+
+* ENV['SECRET_KEY_BASE']
+* Rails.application.secrets.secret_key_base
+* STDIN prompt
+
 ### Setting secrets for the Production environment
 
 Since the Production `secret_key_base` is only available in your Production servers, you should provide the `secret_key_base` to the `one_secret:set` Rake task when setting Production secrets. This could be done in one of the following ways:
 
 #### Pass `secret_key_base` In
 
-If your app is on Heroku, you can wire `heroku config:get`:
+If your app is hosted on Heroku, you can wire `heroku config:get`:
+:a
+
 
-    $ RAILS_ENV=production SECRET_KEY_BASE=`heroku config:get SECRET_KEY_BASE` rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
+```sh
+$ RAILS_ENV=production SECRET_KEY_BASE=`heroku config:get SECRET_KEY_BASE` rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
+```
 
-If you're not on Heroku, you can pass your Production `secret_key_base` to Rake:
+If you're not hosted on Heroku, you can pass your Production `secret_key_base` to Rake:
 
-    $  RAILS_ENV=production SECRET_KEY_BASE=<your production secret> rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
+```sh
+ RAILS_ENV=production SECRET_KEY_BASE=<your production secret> rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
+```
     
 **Important** - note that there is an extra space at the beginning of this command. Make sure you prefix your command with that extra space so it doesn't get saved in your shell history.
 
@@ -74,8 +116,10 @@ If you're not on Heroku, you can pass your Production `secret_key_base` to Rake:
 
 If your running environment doesn't have a `secret_key_base`, OneSecret will simply prompt for it.
 
-    $ RAILS_ENV=production rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
-    > <OneSecret> Please enter your secret key: <paste your production secret here>
+```sh
+$ RAILS_ENV=production rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
+> <OneSecret> Please enter your secret key: <paste your production secret here>
+```
 
 Accessing secrets is the same for Production, as your Production machines would typically have `ENV['secret_key_base']` present.
 

data/Rakefile

@@ -4,3 +4,5 @@ require 'rake/testtask'
 Rake::TestTask.new do |t|
   t.pattern = "spec/**/*_spec.rb"
 end
+
+task :default => :test

data/lib/one_secret.rb

@@ -2,26 +2,48 @@ require "one_secret/version"
 require "one_secret/key_resolution"
 require "one_secret/secret"
 require "one_secret/secrets_yaml"
+require "one_secret/configuration"
+require "one_secret/store"
 require "encryptor"
 require "one_secret/railtie"
 
 module OneSecret
+  def self.configure(&block)
+    configuration.instance_eval(&block)
+  end
+
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
   def self.build(value)
-    Secret.new(value)
+    Secret.unlocked {
+      return Secret.new(value)
+    }
   end
 
   def self.set(environment, key, value)
-    secrets = SecretsYAML.new("config/secrets.yml")
+    secrets = SecretsYAML.new(Rails.application.paths["config/secrets"].first)
     build(value).tap do |secret|
-      secrets.set(Rails.env, key, secret.to_hash)
+      secrets.set(environment, key, secret.to_hash)
       secrets.save
     end
   end
 
   def self.get(environment, key)
-    secrets = SecretsYAML.new("config/secrets.yml")
-    secret = secrets.values[Rails.env][key]
-    Secret.load(secret)
+    secrets = SecretsYAML.new(Rails.application.paths["config/secrets"].first)
+    secret = secrets.values[environment][key]
+
+    Secret.unlocked {
+      return Secret.load(secret)
+    }
+  end
+
+  def self.get_all(environment)
+    secrets = SecretsYAML.new(Rails.application.paths["config/secrets"].first)
+    Secret.unlocked {
+      return Hash[secrets.values[environment].map { |k, v| [k, Secret.load(v)] }]
+    }
   end
 
   def self.message(text)

data/lib/one_secret/configuration.rb

@@ -0,0 +1,11 @@
+module OneSecret
+  class Configuration
+    def decrypt_into_env!(should_decrypt=true)
+      @decrypt_into_env = should_decrypt
+    end
+
+    def decrypt_into_env?
+      !!@decrypt_into_env
+    end
+  end
+end

data/lib/one_secret/railtie.rb

@@ -2,10 +2,10 @@ module OneSecret
   class Railtie < Rails::Railtie
     config.before_initialize do
       if should_run?
-        Secret.key = KeyResolution.try(:env, :rails, :stdin)
-
-        Rails.application.secrets.each_pair do |key, value|
-          Rails.application.secrets[key] = ENV[key.to_s] = Secret.load(value)
+        Secret.unlocked do
+          each_secret do |name, secret|
+            put_in_stores(name, secret)
+          end
         end
       end
     end
@@ -16,11 +16,22 @@ module OneSecret
 
     private
 
-    def self.should_run?
-      if defined?(Rake)
-        !Rake.application.top_level_tasks.include?("assets:precompile")
-      else
-        true
+    class << self
+
+      def each_secret(&block)
+        Rails.application.secrets.each_pair(&block)
+      end
+
+      def put_in_stores(name, secret)
+        [ApplicationSecretsStore, EnvStore].each { |s| s.new.put(name, secret) }
+      end
+
+      def should_run?
+        if defined?(Rake)
+          !Rake.application.top_level_tasks.include?("assets:precompile")
+        else
+          true
+        end
       end
     end
   end

data/lib/one_secret/secret.rb

@@ -1,6 +1,12 @@
 module OneSecret
   class Secret
     class << self
+      def unlocked
+        self.key = KeyResolution.try(:env, :rails, :stdin)
+        yield
+        self.key = nil
+      end
+
       def key=(key)
         Encryptor.default_options.merge!({key: key})
       end

data/lib/one_secret/secrets_yaml.rb

@@ -1,5 +1,4 @@
 require 'yaml'
-require 'erb'
 
 module OneSecret
   class SecretsYAML

data/lib/one_secret/store.rb

@@ -0,0 +1,29 @@
+module OneSecret
+  class Store
+    def initialize(hash)
+      @hash = hash
+    end
+
+    def put(key, value)
+      decrypted_value = Secret.load(value)
+      @hash[key.to_s] = decrypted_value
+    end
+  end
+
+  class ApplicationSecretsStore < Store
+    def initialize
+      super(Rails.application.secrets)
+    end
+  end
+
+  class EnvStore < Store
+    def initialize
+      @decrypt_into_env = OneSecret.configuration.decrypt_into_env?
+      super(ENV)
+    end
+
+    def put(key, value)
+      super(key, value) if @decrypt_into_env
+    end
+  end
+end

data/lib/one_secret/tasks.rake

@@ -23,6 +23,11 @@ namespace :one_secret do
     disable_tasks(key)
   end
 
+  desc "Decrypts and gets all secrets from the current environment in config/secrets.yml"
+  task :get_all => :environment do
+    puts OneSecret.get_all(Rails.env)
+  end
+
   def disable_tasks(*tasks)
     tasks.each do |task_name|
       task task_name.to_sym do ; end

data/lib/one_secret/version.rb

@@ -1,3 +1,3 @@
 module OneSecret
-  VERSION = "1.0.1"
+  VERSION = "1.0.2"
 end

data/spec/one_secret/store_spec.rb

@@ -0,0 +1,31 @@
+require './spec/spec_helper'
+
+module OneSecret
+  describe ApplicationSecretsStore do
+    describe "#put" do
+      it "puts values in Rails.application.secrets" do
+        ::Rails = double
+        ::Rails.stub_chain(:application, :secrets).and_return(OpenStruct.new)
+
+        ApplicationSecretsStore.new.put(:foo, "bar")
+        Rails.application.secrets.foo.must_equal "bar"
+      end
+    end
+  end
+
+  describe EnvStore do
+    describe "#put" do
+      it "puts values in ENV when configured to do so" do
+        OneSecret.configure { decrypt_into_env! }
+        EnvStore.new.put(:foo, "bar")
+        ENV["foo"].must_equal "bar"
+      end
+
+      it "doesn't put values in ENV when not configured to do so" do
+        OneSecret.configure { decrypt_into_env!(false) }
+        EnvStore.new.put(:baz, "qux")
+        ENV["baz"].must_be_nil
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: one_secret
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - Omer Lachish-Rauchwerger
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-07-28 00:00:00.000000000 Z
+date: 2014-10-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -102,21 +102,25 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".travis.yml"
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
 - lib/one_secret.rb
+- lib/one_secret/configuration.rb
 - lib/one_secret/key_resolution.rb
 - lib/one_secret/railtie.rb
 - lib/one_secret/secret.rb
 - lib/one_secret/secrets_yaml.rb
+- lib/one_secret/store.rb
 - lib/one_secret/tasks.rake
 - lib/one_secret/version.rb
 - one-secret.gemspec
 - spec/one_secret/key_resolution_spec.rb
 - spec/one_secret/secret_spec.rb
 - spec/one_secret/secrets_yaml_spec.rb
+- spec/one_secret/store_spec.rb
 - spec/spec_helper.rb
 homepage: ''
 licenses:
@@ -138,7 +142,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.1.11
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Keep application secrets easily and securely as part of your Rails app.
@@ -146,4 +150,5 @@ test_files:
 - spec/one_secret/key_resolution_spec.rb
 - spec/one_secret/secret_spec.rb
 - spec/one_secret/secrets_yaml_spec.rb
+- spec/one_secret/store_spec.rb
 - spec/spec_helper.rb