rails_key_rotator 0.2.0 → 0.2.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +33 -13
- data/lib/rails_key_rotator/railtie.rb +1 -1
- data/lib/rails_key_rotator/version.rb +1 -1
- data/lib/rails_key_rotator.rb +27 -6
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4716f503c795d3a21fe6fb7eff53ec6ebb0d003e34bad0dc2a68d6e652dfc7c9
|
|
4
|
+
data.tar.gz: 194d519cf4e0278adb5cb60c183980712d027fc8ae8f85a8d7b4fe88df78a1ed
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: '04485eed8bc71a9d664b0e4c8348cca4f4a8ba3c4d79fc29ac585f1c2fc2c7bc792bfc0b5e881643c0399dae0f7ea197a5d7f6b08ba00fa696b9d45e049659ca'
|
|
7
|
+
data.tar.gz: 7bec424314fdc836d644547f08dd9299a6c34a615585168847f6c7e5b77fceafbe909d0fb7e581f827a2c0ea5bb7506e2ed780aa9628e75f349d0f85d63197b9
|
data/README.md
CHANGED
|
@@ -12,22 +12,35 @@ If bundler is not being used to manage dependencies, install the gem by executin
|
|
|
12
12
|
|
|
13
13
|
## Usage
|
|
14
14
|
|
|
15
|
-
>
|
|
16
|
-
>
|
|
15
|
+
> **Warning**
|
|
16
|
+
> **DON'T FORGET TO HANDOUT THE NEW KEY TO YOUR COLLEAGUES!**
|
|
17
17
|
|
|
18
|
-
1.
|
|
18
|
+
1. Run the rake taks
|
|
19
19
|
|
|
20
|
-
bundle rake key_rotator:rotate
|
|
20
|
+
$ RAILS_ENV=production bundle exec rake key_rotator:rotate
|
|
21
21
|
|
|
22
|
-
|
|
22
|
+
Starting process:
|
|
23
|
+
-> Copy config/credentials/production.key -> config/credentials/production.key.bak-2023-10-15-084335
|
|
24
|
+
-> Copy config/credentials/production.yml.enc -> config/credentials/production.yml.enc.bak-2023-10-15-084335
|
|
25
|
+
-> Writing 774ef137809953c633f03233d3ec5d35 to config/credentials/production.key
|
|
23
26
|
|
|
24
|
-
|
|
27
|
+
Finished! The next steps are:
|
|
25
28
|
|
|
26
|
-
|
|
29
|
+
- Deploy `RAILS_MASTER_KEY_NEW=774ef137809953c633f03233d3ec5d35` to your infrastructure
|
|
30
|
+
- Share the new key w/ your colleagues
|
|
31
|
+
- Commit changes in config/credentials/production.yml.enc
|
|
32
|
+
- Update `RAILS_MASTER_KEY`and remove `RAILS_MASTER_KEY_NEW` from your infrastructure
|
|
27
33
|
|
|
28
|
-
|
|
34
|
+
This will backup current key / credentials, create a new key and saves encrypts the credentails w/ this new key for the current `RAILS_ENV`
|
|
29
35
|
|
|
30
|
-
|
|
36
|
+
|
|
37
|
+
2. Deploying this variable as an env `RAILS_MASTER_KEY_NEW`
|
|
38
|
+
|
|
39
|
+
3. Commit and deploy new encrypted file.
|
|
40
|
+
|
|
41
|
+
4. After a while when everything is back in sync replace `RAILS_MASTER_KEY` w/ the new key and delete `RAILS_MASTER_KEY_NEW`
|
|
42
|
+
|
|
43
|
+
## Process
|
|
31
44
|
|
|
32
45
|
When we've defined `RAILS_MASTER_KEY_NEW` it means we are rotating the encryption key for our credentials. What we want to do then is:
|
|
33
46
|
|
|
@@ -42,13 +55,20 @@ See: https://www.reddit.com/r/rails/comments/x4sujc/deploying_a_rotated_credenti
|
|
|
42
55
|
|
|
43
56
|
## Development
|
|
44
57
|
|
|
45
|
-
|
|
58
|
+
This project uses docker and [dip](https://github.com/bibendi/dip), a.k.a. the _Docker Interaction Program._
|
|
59
|
+
|
|
60
|
+
To use it:
|
|
61
|
+
```shell
|
|
62
|
+
gem install dip
|
|
63
|
+
dip provision
|
|
64
|
+
dip guard # run specs
|
|
65
|
+
```
|
|
46
66
|
|
|
47
|
-
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
|
67
|
+
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `dip bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
|
48
68
|
|
|
49
69
|
## Contributing
|
|
50
70
|
|
|
51
|
-
Bug reports and pull requests are welcome on GitHub at https://github.com/
|
|
71
|
+
Bug reports and pull requests are welcome on GitHub at <https://github.com/LeipeLeon/rails_key_rotator>. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/LeipeLeon/rails_key_rotator/blob/master/CODE_OF_CONDUCT.md).
|
|
52
72
|
|
|
53
73
|
## License
|
|
54
74
|
|
|
@@ -56,4 +76,4 @@ The gem is available as open source under the terms of the [MIT License](https:/
|
|
|
56
76
|
|
|
57
77
|
## Code of Conduct
|
|
58
78
|
|
|
59
|
-
Everyone interacting in the RailsKeyRotator project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/
|
|
79
|
+
Everyone interacting in the RailsKeyRotator project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/LeipeLeon/rails_key_rotator/blob/master/CODE_OF_CONDUCT.md).
|
data/lib/rails_key_rotator.rb
CHANGED
|
@@ -17,19 +17,30 @@ module RailsKeyRotator
|
|
|
17
17
|
if ENV.fetch("RAILS_MASTER_KEY_NEW", false)
|
|
18
18
|
if can_read_credentials!
|
|
19
19
|
ENV["RAILS_MASTER_KEY"] = ENV.fetch("RAILS_MASTER_KEY_NEW")
|
|
20
|
-
|
|
20
|
+
say_loud "Using NEW key"
|
|
21
21
|
else
|
|
22
|
-
|
|
22
|
+
say_loud "Using OLD key"
|
|
23
23
|
end
|
|
24
24
|
end
|
|
25
25
|
end
|
|
26
26
|
|
|
27
27
|
def rotate
|
|
28
|
+
puts "Starting process:"
|
|
28
29
|
decrypted = read(credentials_path) # Decrypt current credentials
|
|
29
30
|
backup_file(key_path) # Backup key
|
|
30
31
|
backup_file(credentials_path) # Backup credentials
|
|
31
|
-
|
|
32
|
-
|
|
32
|
+
write_key # Save new key
|
|
33
|
+
write_credentials(decrypted) # Save new credentials
|
|
34
|
+
puts <<~PROCEDURE
|
|
35
|
+
|
|
36
|
+
Finished! The next steps are:
|
|
37
|
+
|
|
38
|
+
- Deploy `RAILS_MASTER_KEY_NEW=#{new_key}` to your infrastructure
|
|
39
|
+
- Share the new key w/ your colleagues
|
|
40
|
+
- Commit changes in #{credentials_path}
|
|
41
|
+
- Update `RAILS_MASTER_KEY`and remove `RAILS_MASTER_KEY_NEW` from your infrastructure
|
|
42
|
+
|
|
43
|
+
PROCEDURE
|
|
33
44
|
end
|
|
34
45
|
|
|
35
46
|
def credentials_path
|
|
@@ -58,7 +69,11 @@ module RailsKeyRotator
|
|
|
58
69
|
end
|
|
59
70
|
|
|
60
71
|
def say(message)
|
|
61
|
-
|
|
72
|
+
puts "-> #{message}"
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
def say_loud(message)
|
|
76
|
+
warn "\e[41;37;1m\n\n\tKeyRotator(#{env}): #{message}\n\e[0m"
|
|
62
77
|
end
|
|
63
78
|
|
|
64
79
|
def env
|
|
@@ -74,6 +89,7 @@ module RailsKeyRotator
|
|
|
74
89
|
end
|
|
75
90
|
|
|
76
91
|
def backup_file(original)
|
|
92
|
+
say "Copy #{original} -> #{original}.bak-#{date}"
|
|
77
93
|
FileUtils.mv(original, "#{original}.bak-#{date}")
|
|
78
94
|
end
|
|
79
95
|
|
|
@@ -86,7 +102,7 @@ module RailsKeyRotator
|
|
|
86
102
|
).read
|
|
87
103
|
end
|
|
88
104
|
|
|
89
|
-
def
|
|
105
|
+
def write_credentials(contents) # the new configuration
|
|
90
106
|
ActiveSupport::EncryptedConfiguration.new(
|
|
91
107
|
config_path: credentials_path,
|
|
92
108
|
key_path: key_path,
|
|
@@ -94,5 +110,10 @@ module RailsKeyRotator
|
|
|
94
110
|
raise_if_missing_key: true
|
|
95
111
|
).write(contents)
|
|
96
112
|
end
|
|
113
|
+
|
|
114
|
+
def write_key
|
|
115
|
+
say "Writing #{new_key} to #{key_path}"
|
|
116
|
+
File.write(key_path, new_key)
|
|
117
|
+
end
|
|
97
118
|
end
|
|
98
119
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails_key_rotator
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leon Berenschot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-10-
|
|
11
|
+
date: 2023-10-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|