rails_key_rotator 0.1.3 → 0.2.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.projections.json +3 -0
- data/.vscode/extensions.json +5 -0
- data/README.md +24 -28
- data/Rakefile +7 -0
- data/lib/rails_key_rotator/railtie.rb +4 -1
- data/lib/rails_key_rotator/version.rb +1 -1
- data/lib/rails_key_rotator.rb +54 -8
- data/lib/tasks/key_rotator.rake +11 -0
- data/rails_key_rotator.gemspec +1 -1
- metadata +7 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 29eb6c4fb0ee94eb94483058e009c91b40bc017ff13da75d90f60249c51df5c7
|
|
4
|
+
data.tar.gz: cb203507ac300b69adac536d0aee9685c42a09c78b0b3a9d391bfbc4a0ba77c2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 87a8d7106191f090426e9d9d6a7d997fa5b972c1a840c76fef0250adab92e56a309bc0a9ca1a127e7ceeecf9195e10a57006adee2748e0d5e9e30e14315162cf
|
|
7
|
+
data.tar.gz: 74cb11e1eb92733a54fa3e2051ade59b108578b1b41e02e7e8105297cec4fd96978bbec962214a6b4e8606f358630f333028c7fb0bc1c226b18413811ff84007
|
data/.projections.json
ADDED
data/README.md
CHANGED
|
@@ -12,33 +12,22 @@ If bundler is not being used to manage dependencies, install the gem by executin
|
|
|
12
12
|
|
|
13
13
|
## Usage
|
|
14
14
|
|
|
15
|
-
>
|
|
16
|
-
>
|
|
17
|
-
|
|
18
|
-
1.
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
# Backup current key
|
|
28
|
-
mv -i config/credentials/development.key config/credentials/development.key.bak-$(date "+%Y-%m-%d-%H%M")
|
|
29
|
-
# Save the new key into file
|
|
30
|
-
echo d92599b046b58ab2d4158212e6d27162 > config/credentials/development.key
|
|
31
|
-
# Create new credentials file w/
|
|
32
|
-
dip credentials -e development
|
|
33
|
-
# Verify content
|
|
34
|
-
dip credentials show -e development
|
|
35
|
-
```
|
|
36
|
-
|
|
37
|
-
3. Commit to Github and deploy new encrypted file.
|
|
15
|
+
> **Warning**
|
|
16
|
+
> **DON'T FORGET TO HANDOUT THE NEW KEY TO YOUR COLLEAGUES!**
|
|
17
|
+
|
|
18
|
+
1. Run the rake taks
|
|
19
|
+
|
|
20
|
+
bundle rake key_rotator:rotate
|
|
21
|
+
|
|
22
|
+
This will backup current key / credentials, create a new key and saves encrypts the credentails w/ this new key
|
|
23
|
+
|
|
24
|
+
2. Deploying this variable as an env `RAILS_MASTER_KEY_NEW`
|
|
25
|
+
|
|
26
|
+
3. Commit and deploy new encrypted file.
|
|
38
27
|
|
|
39
28
|
4. After a while when everything is back in sync replace `RAILS_MASTER_KEY` w/ the new key and delete `RAILS_MASTER_KEY_NEW`
|
|
40
29
|
|
|
41
|
-
|
|
30
|
+
## Process
|
|
42
31
|
|
|
43
32
|
When we've defined `RAILS_MASTER_KEY_NEW` it means we are rotating the encryption key for our credentials. What we want to do then is:
|
|
44
33
|
|
|
@@ -53,13 +42,20 @@ See: https://www.reddit.com/r/rails/comments/x4sujc/deploying_a_rotated_credenti
|
|
|
53
42
|
|
|
54
43
|
## Development
|
|
55
44
|
|
|
56
|
-
|
|
45
|
+
This project uses docker and [dip](https://github.com/bibendi/dip), a.k.a. the _Docker Interaction Program._
|
|
46
|
+
|
|
47
|
+
To use it:
|
|
48
|
+
```shell
|
|
49
|
+
gem install dip
|
|
50
|
+
dip provision
|
|
51
|
+
dip guard # run specs
|
|
52
|
+
```
|
|
57
53
|
|
|
58
|
-
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
|
54
|
+
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `dip bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
|
59
55
|
|
|
60
56
|
## Contributing
|
|
61
57
|
|
|
62
|
-
Bug reports and pull requests are welcome on GitHub at https://github.com/
|
|
58
|
+
Bug reports and pull requests are welcome on GitHub at <https://github.com/LeipeLeon/rails_key_rotator>. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/LeipeLeon/rails_key_rotator/blob/master/CODE_OF_CONDUCT.md).
|
|
63
59
|
|
|
64
60
|
## License
|
|
65
61
|
|
|
@@ -67,4 +63,4 @@ The gem is available as open source under the terms of the [MIT License](https:/
|
|
|
67
63
|
|
|
68
64
|
## Code of Conduct
|
|
69
65
|
|
|
70
|
-
Everyone interacting in the RailsKeyRotator project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/
|
|
66
|
+
Everyone interacting in the RailsKeyRotator project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/LeipeLeon/rails_key_rotator/blob/master/CODE_OF_CONDUCT.md).
|
data/Rakefile
CHANGED
data/lib/rails_key_rotator.rb
CHANGED
|
@@ -9,9 +9,9 @@ require "rails_key_rotator/railtie" if defined?(Rails)
|
|
|
9
9
|
|
|
10
10
|
module RailsKeyRotator
|
|
11
11
|
class Error < StandardError; end
|
|
12
|
-
|
|
12
|
+
|
|
13
13
|
class << self
|
|
14
|
-
def
|
|
14
|
+
def rotated?
|
|
15
15
|
return if ENV["RAILS_MASTER_KEY"].blank?
|
|
16
16
|
|
|
17
17
|
if ENV.fetch("RAILS_MASTER_KEY_NEW", false)
|
|
@@ -24,23 +24,39 @@ module RailsKeyRotator
|
|
|
24
24
|
end
|
|
25
25
|
end
|
|
26
26
|
|
|
27
|
+
def rotate
|
|
28
|
+
decrypted = read(credentials_path) # Decrypt current credentials
|
|
29
|
+
backup_file(key_path) # Backup key
|
|
30
|
+
backup_file(credentials_path) # Backup credentials
|
|
31
|
+
File.write(key_path, new_key) # Save new key
|
|
32
|
+
write(decrypted) # Save new credentials
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
def credentials_path
|
|
36
|
+
File.join(root, "config", "credentials", "#{env}.yml.enc")
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
def key_path
|
|
40
|
+
File.join(root, "config", "credentials", "#{env}.key")
|
|
41
|
+
end
|
|
42
|
+
|
|
27
43
|
private
|
|
28
44
|
|
|
45
|
+
def root
|
|
46
|
+
defined?(Rails) ? Rails.root : Dir.pwd
|
|
47
|
+
end
|
|
48
|
+
|
|
29
49
|
def can_read_credentials!
|
|
30
50
|
ActiveSupport::EncryptedConfiguration.new(
|
|
31
|
-
config_path:
|
|
51
|
+
config_path: credentials_path,
|
|
32
52
|
env_key: "RAILS_MASTER_KEY_NEW",
|
|
33
|
-
key_path:
|
|
53
|
+
key_path: key_path,
|
|
34
54
|
raise_if_missing_key: true
|
|
35
55
|
).read
|
|
36
56
|
rescue ActiveSupport::MessageEncryptor::InvalidMessage
|
|
37
57
|
false
|
|
38
58
|
end
|
|
39
59
|
|
|
40
|
-
def credential_path
|
|
41
|
-
Rails.root.join("config/credentials/#{env}.yml.enc")
|
|
42
|
-
end
|
|
43
|
-
|
|
44
60
|
def say(message)
|
|
45
61
|
warn "\e[41;37;1m\n\n\tKeyRotator: Using #{message} for #{env} env\n\e[0m"
|
|
46
62
|
end
|
|
@@ -48,5 +64,35 @@ module RailsKeyRotator
|
|
|
48
64
|
def env
|
|
49
65
|
defined?(Rails) ? Rails.env : (ENV["RAILS_ENV"] || "test")
|
|
50
66
|
end
|
|
67
|
+
|
|
68
|
+
def date
|
|
69
|
+
@date ||= Time.new.strftime("%Y-%m-%d-%H%M%S")
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
def new_key
|
|
73
|
+
@new_key ||= ActiveSupport::EncryptedConfiguration.generate_key
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
def backup_file(original)
|
|
77
|
+
FileUtils.mv(original, "#{original}.bak-#{date}")
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
def read(credentials_path) # the old configuration
|
|
81
|
+
ActiveSupport::EncryptedConfiguration.new(
|
|
82
|
+
config_path: credentials_path,
|
|
83
|
+
key_path: key_path,
|
|
84
|
+
env_key: "",
|
|
85
|
+
raise_if_missing_key: true
|
|
86
|
+
).read
|
|
87
|
+
end
|
|
88
|
+
|
|
89
|
+
def write(contents) # the new configuration
|
|
90
|
+
ActiveSupport::EncryptedConfiguration.new(
|
|
91
|
+
config_path: credentials_path,
|
|
92
|
+
key_path: key_path,
|
|
93
|
+
env_key: "",
|
|
94
|
+
raise_if_missing_key: true
|
|
95
|
+
).write(contents)
|
|
96
|
+
end
|
|
51
97
|
end
|
|
52
98
|
end
|
data/rails_key_rotator.gemspec
CHANGED
|
@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
|
|
|
10
10
|
|
|
11
11
|
spec.summary = "Rotate your RAILS_MASTER_KEY with ease"
|
|
12
12
|
# spec.description = "TODO: Write a longer description or delete this line."
|
|
13
|
-
spec.homepage = "https://wendbaar.nl"
|
|
13
|
+
spec.homepage = "https://www.wendbaar.nl"
|
|
14
14
|
spec.license = "MIT"
|
|
15
15
|
spec.required_ruby_version = ">= 2.6.0"
|
|
16
16
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails_key_rotator
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1
|
|
4
|
+
version: 0.2.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leon Berenschot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-10-
|
|
11
|
+
date: 2023-10-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -37,8 +37,10 @@ executables: []
|
|
|
37
37
|
extensions: []
|
|
38
38
|
extra_rdoc_files: []
|
|
39
39
|
files:
|
|
40
|
+
- ".projections.json"
|
|
40
41
|
- ".rspec"
|
|
41
42
|
- ".rubocop.yml"
|
|
43
|
+
- ".vscode/extensions.json"
|
|
42
44
|
- Appraisals
|
|
43
45
|
- CHANGELOG.md
|
|
44
46
|
- CODE_OF_CONDUCT.md
|
|
@@ -56,14 +58,15 @@ files:
|
|
|
56
58
|
- lib/rails_key_rotator.rb
|
|
57
59
|
- lib/rails_key_rotator/railtie.rb
|
|
58
60
|
- lib/rails_key_rotator/version.rb
|
|
61
|
+
- lib/tasks/key_rotator.rake
|
|
59
62
|
- rails_key_rotator.gemspec
|
|
60
63
|
- sig/rails_key_rotator.rbs
|
|
61
|
-
homepage: https://wendbaar.nl
|
|
64
|
+
homepage: https://www.wendbaar.nl
|
|
62
65
|
licenses:
|
|
63
66
|
- MIT
|
|
64
67
|
metadata:
|
|
65
68
|
rubygems_mfa_required: 'true'
|
|
66
|
-
homepage_uri: https://wendbaar.nl
|
|
69
|
+
homepage_uri: https://www.wendbaar.nl
|
|
67
70
|
source_code_uri: https://github.com/LeipeLeon/rails_key_rotator
|
|
68
71
|
changelog_uri: https://github.com/LeipeLeon/rails_key_rotator/CHANGELOG.md
|
|
69
72
|
post_install_message:
|