rails_key_rotator 0.1.2 → 0.2.0
- checksums.yaml +4 -4
- data/.projections.json +3 -0
- data/.rubocop.yml +3 -0
- data/.vscode/extensions.json +5 -0
- data/README.md +11 -22
- data/Rakefile +7 -0
- data/lib/rails_key_rotator/railtie.rb +4 -1
- data/lib/rails_key_rotator/version.rb +1 -1
- data/lib/rails_key_rotator.rb +54 -8
- data/lib/tasks/key_rotator.rake +11 -0
- data/rails_key_rotator.gemspec +1 -1
- metadata +7 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: f84724ed7fe7912f91c8b7af53830ca4c40e009cda1a5f043742b4bc458dad3a
|
4
|
+
data.tar.gz: dfe5ff6f821255b4ea655a148dd0a4f95fc5826223962188b7e8cda33ab6e77d
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9078bc0711fa537185f7acb8fec193dd49afa3dd11c65d013667885234dd8181e633696b1e5cc508e31ac1424637f861b0a36656190a84be2659679c71cfbbc7
|
7
|
+
data.tar.gz: 7591f74ea9d7b724d23b1473cdc532c6913172ccdcc58c4f88f051ae778b8b736804309d1922f65a137150720daae7f20b31bf4192452e947fc454533b5de211
|
data/.projections.json
ADDED
data/.rubocop.yml
CHANGED
data/README.md
CHANGED
@@ -15,28 +15,17 @@ If bundler is not being used to manage dependencies, install the gem by executin
|
|
15
15
|
> _*⚠️ !!! WARNING !!! ⚠️*_
|
16
16
|
> _*⚠️ DON'T FORGET TO HANDOUT THE NEW KEY TO YOUR COLLEAGUES! ⚠️*_
|
17
17
|
|
18
|
-
1.
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
# Save the new key into file
|
30
|
-
echo d92599b046b58ab2d4158212e6d27162 > config/credentials/development.key
|
31
|
-
# Create new credentials file w/
|
32
|
-
dip credentials -e development
|
33
|
-
# Verify content
|
34
|
-
dip credentials show -e development
|
35
|
-
```
|
36
|
-
|
37
|
-
3. Commit to Github and deploy new encrypted file.
|
38
|
-
|
39
|
-
4. After a while when everything is back in sync replace `RAILS_MASTER_KEY` w/ the new key and delete `RAILS_MASTER_KEY_NEW`
|
18
|
+
1. run the rake taks
|
19
|
+
|
20
|
+
bundle rake key_rotator:rotate
|
21
|
+
|
22
|
+
This will backup current key / credentials, create a new key and saves encrypts the credentails w/ this new key
|
23
|
+
|
24
|
+
1. Deploying this variable as an env `RAILS_MASTER_KEY_NEW`
|
25
|
+
|
26
|
+
1. Commit and deploy new encrypted file.
|
27
|
+
|
28
|
+
1. After a while when everything is back in sync replace `RAILS_MASTER_KEY` w/ the new key and delete `RAILS_MASTER_KEY_NEW`
|
40
29
|
|
41
30
|
### Process
|
42
31
|
|
data/Rakefile
CHANGED
data/lib/rails_key_rotator.rb
CHANGED
@@ -9,9 +9,9 @@ require "rails_key_rotator/railtie" if defined?(Rails)
|
|
9
9
|
|
10
10
|
module RailsKeyRotator
|
11
11
|
class Error < StandardError; end
|
12
|
-
|
12
|
+
|
13
13
|
class << self
|
14
|
-
def
|
14
|
+
def rotated?
|
15
15
|
return if ENV["RAILS_MASTER_KEY"].blank?
|
16
16
|
|
17
17
|
if ENV.fetch("RAILS_MASTER_KEY_NEW", false)
|
@@ -24,23 +24,39 @@ module RailsKeyRotator
|
|
24
24
|
end
|
25
25
|
end
|
26
26
|
|
27
|
+
def rotate
|
28
|
+
decrypted = read(credentials_path) # Decrypt current credentials
|
29
|
+
backup_file(key_path) # Backup key
|
30
|
+
backup_file(credentials_path) # Backup credentials
|
31
|
+
File.write(key_path, new_key) # Save new key
|
32
|
+
write(decrypted) # Save new credentials
|
33
|
+
end
|
34
|
+
|
35
|
+
def credentials_path
|
36
|
+
File.join(root, "config", "credentials", "#{env}.yml.enc")
|
37
|
+
end
|
38
|
+
|
39
|
+
def key_path
|
40
|
+
File.join(root, "config", "credentials", "#{env}.key")
|
41
|
+
end
|
42
|
+
|
27
43
|
private
|
28
44
|
|
45
|
+
def root
|
46
|
+
defined?(Rails) ? Rails.root : Dir.pwd
|
47
|
+
end
|
48
|
+
|
29
49
|
def can_read_credentials!
|
30
50
|
ActiveSupport::EncryptedConfiguration.new(
|
31
|
-
config_path:
|
51
|
+
config_path: credentials_path,
|
32
52
|
env_key: "RAILS_MASTER_KEY_NEW",
|
33
|
-
key_path:
|
53
|
+
key_path: key_path,
|
34
54
|
raise_if_missing_key: true
|
35
55
|
).read
|
36
56
|
rescue ActiveSupport::MessageEncryptor::InvalidMessage
|
37
57
|
false
|
38
58
|
end
|
39
59
|
|
40
|
-
def credential_path
|
41
|
-
Rails.root.join("config/credentials/#{env}.yml.enc")
|
42
|
-
end
|
43
|
-
|
44
60
|
def say(message)
|
45
61
|
warn "\e[41;37;1m\n\n\tKeyRotator: Using #{message} for #{env} env\n\e[0m"
|
46
62
|
end
|
@@ -48,5 +64,35 @@ module RailsKeyRotator
|
|
48
64
|
def env
|
49
65
|
defined?(Rails) ? Rails.env : (ENV["RAILS_ENV"] || "test")
|
50
66
|
end
|
67
|
+
|
68
|
+
def date
|
69
|
+
@date ||= Time.new.strftime("%Y-%m-%d-%H%M%S")
|
70
|
+
end
|
71
|
+
|
72
|
+
def new_key
|
73
|
+
@new_key ||= ActiveSupport::EncryptedConfiguration.generate_key
|
74
|
+
end
|
75
|
+
|
76
|
+
def backup_file(original)
|
77
|
+
FileUtils.mv(original, "#{original}.bak-#{date}")
|
78
|
+
end
|
79
|
+
|
80
|
+
def read(credentials_path) # the old configuration
|
81
|
+
ActiveSupport::EncryptedConfiguration.new(
|
82
|
+
config_path: credentials_path,
|
83
|
+
key_path: key_path,
|
84
|
+
env_key: "",
|
85
|
+
raise_if_missing_key: true
|
86
|
+
).read
|
87
|
+
end
|
88
|
+
|
89
|
+
def write(contents) # the new configuration
|
90
|
+
ActiveSupport::EncryptedConfiguration.new(
|
91
|
+
config_path: credentials_path,
|
92
|
+
key_path: key_path,
|
93
|
+
env_key: "",
|
94
|
+
raise_if_missing_key: true
|
95
|
+
).write(contents)
|
96
|
+
end
|
51
97
|
end
|
52
98
|
end
|
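Review bot: In `rotate`, `File.write(key_path, new_key)` creates the new key file with whatever mode the process umask allows, so under a common 022 umask the fresh master key is readable by other local users. Because `backup_file` has just moved the original away, the file is newly created and the mode can be set at creation: `File.write(key_path, new_key, perm: 0o600)`. `backup_file` also leaves the previous key beside the previous encrypted file as `<env>.key.bak-<date>`, a name that an ignore rule written for `*.key` would presumably not match. The README step "Commit and deploy new encrypted file" could then commit both, so a comment on `backup_file` should state that the backups must stay out of version control. A short comment above `rotate` should also say that the sequence is not atomic: if `write(decrypted)` raises after the two moves, the originals exist only under their `.bak-` names.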
data/rails_key_rotator.gemspec
CHANGED
@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
|
|
10
10
|
|
11
11
|
spec.summary = "Rotate your RAILS_MASTER_KEY with ease"
|
12
12
|
# spec.description = "TODO: Write a longer description or delete this line."
|
13
|
-
spec.homepage = "https://wendbaar.nl"
|
13
|
+
spec.homepage = "https://www.wendbaar.nl"
|
14
14
|
spec.license = "MIT"
|
15
15
|
spec.required_ruby_version = ">= 2.6.0"
|
16
16
|
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rails_key_rotator
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Leon Berenschot
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-10-
|
11
|
+
date: 2023-10-15 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -37,8 +37,10 @@ executables: []
|
|
37
37
|
extensions: []
|
38
38
|
extra_rdoc_files: []
|
39
39
|
files:
|
40
|
+
- ".projections.json"
|
40
41
|
- ".rspec"
|
41
42
|
- ".rubocop.yml"
|
43
|
+
- ".vscode/extensions.json"
|
42
44
|
- Appraisals
|
43
45
|
- CHANGELOG.md
|
44
46
|
- CODE_OF_CONDUCT.md
|
@@ -56,14 +58,15 @@ files:
|
|
56
58
|
- lib/rails_key_rotator.rb
|
57
59
|
- lib/rails_key_rotator/railtie.rb
|
58
60
|
- lib/rails_key_rotator/version.rb
|
61
|
+
- lib/tasks/key_rotator.rake
|
59
62
|
- rails_key_rotator.gemspec
|
60
63
|
- sig/rails_key_rotator.rbs
|
61
|
-
homepage: https://wendbaar.nl
|
64
|
+
homepage: https://www.wendbaar.nl
|
62
65
|
licenses:
|
63
66
|
- MIT
|
64
67
|
metadata:
|
65
68
|
rubygems_mfa_required: 'true'
|
66
|
-
homepage_uri: https://wendbaar.nl
|
69
|
+
homepage_uri: https://www.wendbaar.nl
|
67
70
|
source_code_uri: https://github.com/LeipeLeon/rails_key_rotator
|
68
71
|
changelog_uri: https://github.com/LeipeLeon/rails_key_rotator/CHANGELOG.md
|
69
72
|
post_install_message:
|