rails_key_rotator 0.1.2 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.projections.json +3 -0
- data/.rubocop.yml +3 -0
- data/.vscode/extensions.json +5 -0
- data/README.md +11 -22
- data/Rakefile +7 -0
- data/lib/rails_key_rotator/railtie.rb +4 -1
- data/lib/rails_key_rotator/version.rb +1 -1
- data/lib/rails_key_rotator.rb +54 -8
- data/lib/tasks/key_rotator.rake +11 -0
- data/rails_key_rotator.gemspec +1 -1
- metadata +7 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f84724ed7fe7912f91c8b7af53830ca4c40e009cda1a5f043742b4bc458dad3a
|
|
4
|
+
data.tar.gz: dfe5ff6f821255b4ea655a148dd0a4f95fc5826223962188b7e8cda33ab6e77d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9078bc0711fa537185f7acb8fec193dd49afa3dd11c65d013667885234dd8181e633696b1e5cc508e31ac1424637f861b0a36656190a84be2659679c71cfbbc7
|
|
7
|
+
data.tar.gz: 7591f74ea9d7b724d23b1473cdc532c6913172ccdcc58c4f88f051ae778b8b736804309d1922f65a137150720daae7f20b31bf4192452e947fc454533b5de211
|
data/.projections.json
ADDED
data/.rubocop.yml
CHANGED
data/README.md
CHANGED
|
@@ -15,28 +15,17 @@ If bundler is not being used to manage dependencies, install the gem by executin
|
|
|
15
15
|
> _*⚠️ !!! WARNING !!! ⚠️*_
|
|
16
16
|
> _*⚠️ DON'T FORGET TO HANDOUT THE NEW KEY TO YOUR COLLEAGUES! ⚠️*_
|
|
17
17
|
|
|
18
|
-
1.
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
# Save the new key into file
|
|
30
|
-
echo d92599b046b58ab2d4158212e6d27162 > config/credentials/development.key
|
|
31
|
-
# Create new credentials file w/
|
|
32
|
-
dip credentials -e development
|
|
33
|
-
# Verify content
|
|
34
|
-
dip credentials show -e development
|
|
35
|
-
```
|
|
36
|
-
|
|
37
|
-
3. Commit to Github and deploy new encrypted file.
|
|
38
|
-
|
|
39
|
-
4. After a while when everything is back in sync replace `RAILS_MASTER_KEY` w/ the new key and delete `RAILS_MASTER_KEY_NEW`
|
|
18
|
+
1. run the rake taks
|
|
19
|
+
|
|
20
|
+
bundle rake key_rotator:rotate
|
|
21
|
+
|
|
22
|
+
This will backup current key / credentials, create a new key and saves encrypts the credentails w/ this new key
|
|
23
|
+
|
|
24
|
+
1. Deploying this variable as an env `RAILS_MASTER_KEY_NEW`
|
|
25
|
+
|
|
26
|
+
1. Commit and deploy new encrypted file.
|
|
27
|
+
|
|
28
|
+
1. After a while when everything is back in sync replace `RAILS_MASTER_KEY` w/ the new key and delete `RAILS_MASTER_KEY_NEW`
|
|
40
29
|
|
|
41
30
|
### Process
|
|
42
31
|
|
data/Rakefile
CHANGED
data/lib/rails_key_rotator.rb
CHANGED
|
@@ -9,9 +9,9 @@ require "rails_key_rotator/railtie" if defined?(Rails)
|
|
|
9
9
|
|
|
10
10
|
module RailsKeyRotator
|
|
11
11
|
class Error < StandardError; end
|
|
12
|
-
|
|
12
|
+
|
|
13
13
|
class << self
|
|
14
|
-
def
|
|
14
|
+
def rotated?
|
|
15
15
|
return if ENV["RAILS_MASTER_KEY"].blank?
|
|
16
16
|
|
|
17
17
|
if ENV.fetch("RAILS_MASTER_KEY_NEW", false)
|
|
@@ -24,23 +24,39 @@ module RailsKeyRotator
|
|
|
24
24
|
end
|
|
25
25
|
end
|
|
26
26
|
|
|
27
|
+
def rotate
|
|
28
|
+
decrypted = read(credentials_path) # Decrypt current credentials
|
|
29
|
+
backup_file(key_path) # Backup key
|
|
30
|
+
backup_file(credentials_path) # Backup credentials
|
|
31
|
+
File.write(key_path, new_key) # Save new key
|
|
32
|
+
write(decrypted) # Save new credentials
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
def credentials_path
|
|
36
|
+
File.join(root, "config", "credentials", "#{env}.yml.enc")
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
def key_path
|
|
40
|
+
File.join(root, "config", "credentials", "#{env}.key")
|
|
41
|
+
end
|
|
42
|
+
|
|
27
43
|
private
|
|
28
44
|
|
|
45
|
+
def root
|
|
46
|
+
defined?(Rails) ? Rails.root : Dir.pwd
|
|
47
|
+
end
|
|
48
|
+
|
|
29
49
|
def can_read_credentials!
|
|
30
50
|
ActiveSupport::EncryptedConfiguration.new(
|
|
31
|
-
config_path:
|
|
51
|
+
config_path: credentials_path,
|
|
32
52
|
env_key: "RAILS_MASTER_KEY_NEW",
|
|
33
|
-
key_path:
|
|
53
|
+
key_path: key_path,
|
|
34
54
|
raise_if_missing_key: true
|
|
35
55
|
).read
|
|
36
56
|
rescue ActiveSupport::MessageEncryptor::InvalidMessage
|
|
37
57
|
false
|
|
38
58
|
end
|
|
39
59
|
|
|
40
|
-
def credential_path
|
|
41
|
-
Rails.root.join("config/credentials/#{env}.yml.enc")
|
|
42
|
-
end
|
|
43
|
-
|
|
44
60
|
def say(message)
|
|
45
61
|
warn "\e[41;37;1m\n\n\tKeyRotator: Using #{message} for #{env} env\n\e[0m"
|
|
46
62
|
end
|
|
@@ -48,5 +64,35 @@ module RailsKeyRotator
|
|
|
48
64
|
def env
|
|
49
65
|
defined?(Rails) ? Rails.env : (ENV["RAILS_ENV"] || "test")
|
|
50
66
|
end
|
|
67
|
+
|
|
68
|
+
def date
|
|
69
|
+
@date ||= Time.new.strftime("%Y-%m-%d-%H%M%S")
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
def new_key
|
|
73
|
+
@new_key ||= ActiveSupport::EncryptedConfiguration.generate_key
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
def backup_file(original)
|
|
77
|
+
FileUtils.mv(original, "#{original}.bak-#{date}")
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
def read(credentials_path) # the old configuration
|
|
81
|
+
ActiveSupport::EncryptedConfiguration.new(
|
|
82
|
+
config_path: credentials_path,
|
|
83
|
+
key_path: key_path,
|
|
84
|
+
env_key: "",
|
|
85
|
+
raise_if_missing_key: true
|
|
86
|
+
).read
|
|
87
|
+
end
|
|
88
|
+
|
|
89
|
+
def write(contents) # the new configuration
|
|
90
|
+
ActiveSupport::EncryptedConfiguration.new(
|
|
91
|
+
config_path: credentials_path,
|
|
92
|
+
key_path: key_path,
|
|
93
|
+
env_key: "",
|
|
94
|
+
raise_if_missing_key: true
|
|
95
|
+
).write(contents)
|
|
96
|
+
end
|
|
51
97
|
end
|
|
52
98
|
end
|
data/rails_key_rotator.gemspec
CHANGED
|
@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
|
|
|
10
10
|
|
|
11
11
|
spec.summary = "Rotate your RAILS_MASTER_KEY with ease"
|
|
12
12
|
# spec.description = "TODO: Write a longer description or delete this line."
|
|
13
|
-
spec.homepage = "https://wendbaar.nl"
|
|
13
|
+
spec.homepage = "https://www.wendbaar.nl"
|
|
14
14
|
spec.license = "MIT"
|
|
15
15
|
spec.required_ruby_version = ">= 2.6.0"
|
|
16
16
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails_key_rotator
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leon Berenschot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-10-
|
|
11
|
+
date: 2023-10-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -37,8 +37,10 @@ executables: []
|
|
|
37
37
|
extensions: []
|
|
38
38
|
extra_rdoc_files: []
|
|
39
39
|
files:
|
|
40
|
+
- ".projections.json"
|
|
40
41
|
- ".rspec"
|
|
41
42
|
- ".rubocop.yml"
|
|
43
|
+
- ".vscode/extensions.json"
|
|
42
44
|
- Appraisals
|
|
43
45
|
- CHANGELOG.md
|
|
44
46
|
- CODE_OF_CONDUCT.md
|
|
@@ -56,14 +58,15 @@ files:
|
|
|
56
58
|
- lib/rails_key_rotator.rb
|
|
57
59
|
- lib/rails_key_rotator/railtie.rb
|
|
58
60
|
- lib/rails_key_rotator/version.rb
|
|
61
|
+
- lib/tasks/key_rotator.rake
|
|
59
62
|
- rails_key_rotator.gemspec
|
|
60
63
|
- sig/rails_key_rotator.rbs
|
|
61
|
-
homepage: https://wendbaar.nl
|
|
64
|
+
homepage: https://www.wendbaar.nl
|
|
62
65
|
licenses:
|
|
63
66
|
- MIT
|
|
64
67
|
metadata:
|
|
65
68
|
rubygems_mfa_required: 'true'
|
|
66
|
-
homepage_uri: https://wendbaar.nl
|
|
69
|
+
homepage_uri: https://www.wendbaar.nl
|
|
67
70
|
source_code_uri: https://github.com/LeipeLeon/rails_key_rotator
|
|
68
71
|
changelog_uri: https://github.com/LeipeLeon/rails_key_rotator/CHANGELOG.md
|
|
69
72
|
post_install_message:
|