rails_environment_credentials 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 8831db67391191047589682a975a189698cf6ba971835a9057b3d9e308938b50
+  data.tar.gz: 7879944840d8771d97098524cb9792ea66049365cc3f92a7db75581f7bcc61e9
+SHA512:
+  metadata.gz: 7898632f7087e6e5b922c5b29c61e1410287efa114ec67512cc81caf9f6297149bb4243baf6b25b5e74f645334cc8eeaef5a2eda5a1c9f6679cd89a17bd6f7b2
+  data.tar.gz: ac3c92f5610a920d5c0b46f172a72fb75cf0e4a573e58b77277d5d5dba6cd92487f89307b208b73369a2dfbed3683eff383ee0bdbf50362439ebd2612c4d60a4

data/README.md

@@ -0,0 +1 @@
+# rails-environment-credentials

data/lib/rails_environment_credentials/application.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module RailsEnvironmentCredentials
+  module Application
+    extend ActiveSupport::Concern
+
+    included do
+      def credentials
+        @credentials ||= encrypted(config.credentials.content_path, key_path: config.credentials.key_path, key: credentials_key)
+      end
+
+      def encrypted(path, key_path: 'config/master.key', env_key: 'RAILS_MASTER_KEY', key: nil)
+        ActiveSupport::EncryptedConfiguration.new(
+          config_path: Rails.root.join(path),
+          key_path: Rails.root.join(key_path),
+          env_key: env_key,
+          key: key,
+          raise_if_missing_key: config.require_master_key
+        )
+      end
+    end
+
+    def credentials_key_strategy
+      @credentials_key_strategy ||= RailsEnvironmentCredentials::KeyStrategies.
+        get(config.credentials.key_strategy).
+        new(config.credentials.key_strategy_options)
+    end
+
+    def credentials_key
+      @credentials_key ||= credentials_key_strategy.key
+    end
+
+  end
+end

data/lib/rails_environment_credentials/configuration.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module RailsEnvironmentCredentials
+  module Configuration
+    extend ActiveSupport::Concern
+
+    included do
+      attr_accessor :credentials
+    end
+
+    def initialize(*)
+      super
+      @credentials = ActiveSupport::OrderedOptions.new
+      @credentials.merge! credentials_config
+      @credentials.environment ||= default_credentials_environment
+      @credentials.content_path ||= default_credentials_content_path
+      @credentials.key_path ||= default_credentials_key_path
+    end
+
+    private
+
+      def credentials_config
+        path = root.join('config/credentials.yml')
+        @credentials_config ||= (path.exist? ? YAML.safe_load(path.read) : {}).symbolize_keys
+      end
+
+      def default_credentials_environment
+        ENV.fetch('RAILS_CREDENTIALS_ENV') { Rails.env }
+      end
+
+      def default_credentials_content_path
+        root.join('config', 'credentials', "#{credentials.environment}.yml.enc")
+      end
+
+      def default_credentials_key_path
+        root.join('config', 'credentials', "#{credentials.environment}.key")
+      end
+
+  end
+end

data/lib/rails_environment_credentials/encrypted_configuration.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module RailsEnvironmentCredentials
+  module EncryptedConfiguration
+    extend ActiveSupport::Concern
+
+    included do
+      def initialize(config_path:, key_path:, env_key:, raise_if_missing_key:, key: nil)
+        super(content_path: config_path, key_path: key_path, env_key: env_key, raise_if_missing_key: raise_if_missing_key, key: key)
+      end
+    end
+
+  end
+end

data/lib/rails_environment_credentials/encrypted_file.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module RailsEnvironmentCredentials
+  module EncryptedFile
+    extend ActiveSupport::Concern
+
+    included do
+      def initialize(content_path:, key_path:, env_key:, raise_if_missing_key:, key: nil)
+        @content_path = Pathname.new(content_path)
+        @key_path = Pathname.new(key_path)
+        @env_key = env_key
+        @raise_if_missing_key = raise_if_missing_key
+        @key = key unless key.nil?
+      end
+
+      def key
+        @key || read_env_key || read_key_file || handle_missing_key
+      end
+    end
+
+  end
+end

data/lib/rails_environment_credentials/key_strategies/azure_key_vault_managed_identity.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module RailsEnvironmentCredentials
+  module KeyStrategies
+
+    class AzureKeyVaultManagedIdentity < Base
+
+      def access_token
+        response = HTTParty.get( # rubocop:disable Style/RescueModifier
+          'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net',
+          {
+            headers: { Metadata: 'true' },
+            timeout: 1,
+            open_timeout: 1,
+            read_timeout: 1,
+          }
+        ) rescue nil
+        raise 'CredentialsKeyStrategy AzureKeyVaultManagedIdentity access_token: unable to get' unless response
+        raise 'CredentialsKeyStrategy AzureKeyVaultManagedIdentity access_token: unable to parse response' unless response.parsed_response.is_a?(Hash)
+        token = response.parsed_response['access_token']
+        raise 'CredentialsKeyStrategy AzureKeyVaultManagedIdentity access_token: fetch failed' unless token.present?
+        token
+      end
+
+      def vault_url
+        @vault_url ||= if options.key?(:vault_url)
+                         options[:vault_url]
+                       elsif options[:vault]
+                         "https://#{options[:vault]}.vault.azure.net/"
+                       else
+                         raise 'CredentialsKeyStrategy AzureKeyVaultManagedIdentity vault_url: must supply either vault or vault_url'
+                       end
+      end
+
+      def secret_name
+        @secret_name ||= if options.key?(:secret_name)
+                           options[:secret_name]
+                         else
+                           raise 'CredentialsKeyStrategy AzureKeyVaultManagedIdentity secret_name: must supply secret_name'
+                         end
+      end
+
+      def secret_url
+        @secret_url ||= if options.key?(:secret_url)
+                          options[:secret_url]
+                        else
+                          "#{vault_url}/secrets/#{secret_name}?api-version=2016-10-01"
+                        end
+      end
+
+      def key
+        response = HTTParty.get( # rubocop:disable Style/RescueModifier
+          secret_url,
+          {
+            headers: { Authorization: "Bearer #{access_token}" },
+            timeout: 1,
+            open_timeout: 1,
+            read_timeout: 1,
+          }
+        ) rescue nil
+        raise 'CredentialsKeyStrategy AzureKeyVaultManagedIdentity key: unable to get secret' unless response
+        raise 'CredentialsKeyStrategy AzureKeyVaultManagedIdentity key: unable to parse response' unless response.parsed_response.is_a?(Hash)
+        secret = response.parsed_response['value']
+        raise 'CredentialsKeyStrategy AzureKeyVaultManagedIdentity key: fetch failed' unless secret.present?
+        secret
+      end
+
+    end
+
+    add(:azure_key_vault_managed_identity, AzureKeyVaultManagedIdentity)
+
+  end
+end

data/lib/rails_environment_credentials/key_strategies/base.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module RailsEnvironmentCredentials
+  module KeyStrategies
+    class Base
+      attr_reader :options
+
+      def initialize(opts = {})
+        @options = (opts || {}).with_indifferent_access
+      end
+
+      def key
+        nil
+      end
+
+    end
+  end
+end

data/lib/rails_environment_credentials/key_strategies/none.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module RailsEnvironmentCredentials
+  module KeyStrategies
+
+    class None < Base; end
+
+    add(nil, None)
+
+  end
+end

data/lib/rails_environment_credentials/key_strategies/raw.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module RailsEnvironmentCredentials
+  module KeyStrategies
+
+    class Raw < Base
+
+      def key
+        Rails.application.config.credentials.raw_key
+      end
+
+    end
+
+    add(:raw, Raw)
+
+  end
+end

data/lib/rails_environment_credentials/key_strategies.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module RailsEnvironmentCredentials
+  module KeyStrategies
+    @map = {}.with_indifferent_access
+
+    class << self
+      attr_reader :map
+
+      def get(strategy)
+        map[strategy] || raise("CredentialsKeyStrategy unknown strategy: #{strategy}")
+      end
+
+      def add(name, klass)
+        map[name] = klass
+      end
+
+    end
+
+  end
+end
+
+require 'rails_environment_credentials/key_strategies/base'
+require 'rails_environment_credentials/key_strategies/none'
+require 'rails_environment_credentials/key_strategies/raw'
+require 'rails_environment_credentials/key_strategies/azure_key_vault_managed_identity'

data/lib/rails_environment_credentials/version.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module RailsEnvironmentCredentials
+
+  module Version
+    MAJOR = 0
+    MINOR = 0
+    PATCH = 1
+
+  end
+
+  VERSION = [
+    Version::MAJOR,
+    Version::MINOR,
+    Version::PATCH,
+  ].join('.').freeze
+
+end

data/lib/rails_environment_credentials.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+# Container Module
+module RailsEnvironmentCredentials; end
+
+require 'active_support/concern'
+
+require 'rails_environment_credentials/application'
+require 'rails_environment_credentials/configuration'
+require 'rails_environment_credentials/encrypted_configuration'
+require 'rails_environment_credentials/encrypted_file'
+require 'rails_environment_credentials/key_strategies'
+require 'rails_environment_credentials/version'
+
+Rails::Application::Configuration.send(:include, RailsEnvironmentCredentials::Configuration)
+Rails::Application.send(:include, RailsEnvironmentCredentials::Application)
+ActiveSupport::EncryptedConfiguration.send(:include, RailsEnvironmentCredentials::EncryptedConfiguration)
+ActiveSupport::EncryptedFile.send(:include, RailsEnvironmentCredentials::EncryptedFile)

data/rails_environment_credentials.gemspec

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+$LOAD_PATH << File.join(File.dirname(__FILE__), 'lib')
+require 'rails_environment_credentials/version'
+
+Gem::Specification.new do |s| # rubocop:disable Metrics/BlockLength
+  s.name        = 'rails_environment_credentials'
+  s.version     = RailsEnvironmentCredentials::VERSION
+  s.authors     = ['Taylor Yelverton']
+  s.email       = 'rubygems@yelvert.io'
+  s.homepage    = 'https://github.com/ComplyMD/rails_environment_credentials'
+  s.summary     = 'Add support for different credentials for different environments to Rails'
+  s.license     = 'MIT'
+  s.description = 'Add support for different credentials for different environments to Rails'
+  s.metadata    = {
+    'bug_tracker_uri' => 'https://github.com/ComplyMD/rails_environment_credentials/issues',
+    'changelog_uri' => 'https://github.com/ComplyMD/rails_environment_credentials/commits/master',
+    'documentation_uri' => 'https://github.com/ComplyMD/rails_environment_credentials/wiki',
+    'homepage_uri' => 'https://github.com/ComplyMD/rails_environment_credentials',
+    'source_code_uri' => 'https://github.com/ComplyMD/rails_environment_credentials',
+    'rubygems_mfa_required' => 'true',
+  }
+
+  s.files = Dir['lib/**/*','README.md','MIT-LICENSE','rails_environment_credentials.gemspec']
+
+  s.require_paths = %w[ lib ]
+
+  s.required_ruby_version = '>= 2.7.0'
+
+  s.add_dependency('activesupport', '>= 5.0.0')
+  s.add_dependency('railties', '>= 5.0.0')
+end

metadata

@@ -0,0 +1,89 @@
+--- !ruby/object:Gem::Specification
+name: rails_environment_credentials
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Taylor Yelverton
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2022-08-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+description: Add support for different credentials for different environments to Rails
+email: rubygems@yelvert.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/rails_environment_credentials.rb
+- lib/rails_environment_credentials/application.rb
+- lib/rails_environment_credentials/configuration.rb
+- lib/rails_environment_credentials/encrypted_configuration.rb
+- lib/rails_environment_credentials/encrypted_file.rb
+- lib/rails_environment_credentials/key_strategies.rb
+- lib/rails_environment_credentials/key_strategies/azure_key_vault_managed_identity.rb
+- lib/rails_environment_credentials/key_strategies/base.rb
+- lib/rails_environment_credentials/key_strategies/none.rb
+- lib/rails_environment_credentials/key_strategies/raw.rb
+- lib/rails_environment_credentials/version.rb
+- rails_environment_credentials.gemspec
+homepage: https://github.com/ComplyMD/rails_environment_credentials
+licenses:
+- MIT
+metadata:
+  bug_tracker_uri: https://github.com/ComplyMD/rails_environment_credentials/issues
+  changelog_uri: https://github.com/ComplyMD/rails_environment_credentials/commits/master
+  documentation_uri: https://github.com/ComplyMD/rails_environment_credentials/wiki
+  homepage_uri: https://github.com/ComplyMD/rails_environment_credentials
+  source_code_uri: https://github.com/ComplyMD/rails_environment_credentials
+  rubygems_mfa_required: 'true'
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.4
+signing_key: 
+specification_version: 4
+summary: Add support for different credentials for different environments to Rails
+test_files: []