rails_key_rotator 0.2.1 → 0.2.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +15 -2
- data/lib/rails_key_rotator/version.rb +1 -1
- data/lib/rails_key_rotator.rb +27 -6
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4716f503c795d3a21fe6fb7eff53ec6ebb0d003e34bad0dc2a68d6e652dfc7c9
|
|
4
|
+
data.tar.gz: 194d519cf4e0278adb5cb60c183980712d027fc8ae8f85a8d7b4fe88df78a1ed
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: '04485eed8bc71a9d664b0e4c8348cca4f4a8ba3c4d79fc29ac585f1c2fc2c7bc792bfc0b5e881643c0399dae0f7ea197a5d7f6b08ba00fa696b9d45e049659ca'
|
|
7
|
+
data.tar.gz: 7bec424314fdc836d644547f08dd9299a6c34a615585168847f6c7e5b77fceafbe909d0fb7e581f827a2c0ea5bb7506e2ed780aa9628e75f349d0f85d63197b9
|
data/README.md
CHANGED
|
@@ -17,9 +17,22 @@ If bundler is not being used to manage dependencies, install the gem by executin
|
|
|
17
17
|
|
|
18
18
|
1. Run the rake taks
|
|
19
19
|
|
|
20
|
-
bundle rake key_rotator:rotate
|
|
20
|
+
$ RAILS_ENV=production bundle exec rake key_rotator:rotate
|
|
21
|
+
|
|
22
|
+
Starting process:
|
|
23
|
+
-> Copy config/credentials/production.key -> config/credentials/production.key.bak-2023-10-15-084335
|
|
24
|
+
-> Copy config/credentials/production.yml.enc -> config/credentials/production.yml.enc.bak-2023-10-15-084335
|
|
25
|
+
-> Writing 774ef137809953c633f03233d3ec5d35 to config/credentials/production.key
|
|
26
|
+
|
|
27
|
+
Finished! The next steps are:
|
|
28
|
+
|
|
29
|
+
- Deploy `RAILS_MASTER_KEY_NEW=774ef137809953c633f03233d3ec5d35` to your infrastructure
|
|
30
|
+
- Share the new key w/ your colleagues
|
|
31
|
+
- Commit changes in config/credentials/production.yml.enc
|
|
32
|
+
- Update `RAILS_MASTER_KEY`and remove `RAILS_MASTER_KEY_NEW` from your infrastructure
|
|
33
|
+
|
|
34
|
+
This will backup current key / credentials, create a new key and saves encrypts the credentails w/ this new key for the current `RAILS_ENV`
|
|
21
35
|
|
|
22
|
-
This will backup current key / credentials, create a new key and saves encrypts the credentails w/ this new key
|
|
23
36
|
|
|
24
37
|
2. Deploying this variable as an env `RAILS_MASTER_KEY_NEW`
|
|
25
38
|
|
data/lib/rails_key_rotator.rb
CHANGED
|
@@ -17,19 +17,30 @@ module RailsKeyRotator
|
|
|
17
17
|
if ENV.fetch("RAILS_MASTER_KEY_NEW", false)
|
|
18
18
|
if can_read_credentials!
|
|
19
19
|
ENV["RAILS_MASTER_KEY"] = ENV.fetch("RAILS_MASTER_KEY_NEW")
|
|
20
|
-
|
|
20
|
+
say_loud "Using NEW key"
|
|
21
21
|
else
|
|
22
|
-
|
|
22
|
+
say_loud "Using OLD key"
|
|
23
23
|
end
|
|
24
24
|
end
|
|
25
25
|
end
|
|
26
26
|
|
|
27
27
|
def rotate
|
|
28
|
+
puts "Starting process:"
|
|
28
29
|
decrypted = read(credentials_path) # Decrypt current credentials
|
|
29
30
|
backup_file(key_path) # Backup key
|
|
30
31
|
backup_file(credentials_path) # Backup credentials
|
|
31
|
-
|
|
32
|
-
|
|
32
|
+
write_key # Save new key
|
|
33
|
+
write_credentials(decrypted) # Save new credentials
|
|
34
|
+
puts <<~PROCEDURE
|
|
35
|
+
|
|
36
|
+
Finished! The next steps are:
|
|
37
|
+
|
|
38
|
+
- Deploy `RAILS_MASTER_KEY_NEW=#{new_key}` to your infrastructure
|
|
39
|
+
- Share the new key w/ your colleagues
|
|
40
|
+
- Commit changes in #{credentials_path}
|
|
41
|
+
- Update `RAILS_MASTER_KEY`and remove `RAILS_MASTER_KEY_NEW` from your infrastructure
|
|
42
|
+
|
|
43
|
+
PROCEDURE
|
|
33
44
|
end
|
|
34
45
|
|
|
35
46
|
def credentials_path
|
|
@@ -58,7 +69,11 @@ module RailsKeyRotator
|
|
|
58
69
|
end
|
|
59
70
|
|
|
60
71
|
def say(message)
|
|
61
|
-
|
|
72
|
+
puts "-> #{message}"
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
def say_loud(message)
|
|
76
|
+
warn "\e[41;37;1m\n\n\tKeyRotator(#{env}): #{message}\n\e[0m"
|
|
62
77
|
end
|
|
63
78
|
|
|
64
79
|
def env
|
|
@@ -74,6 +89,7 @@ module RailsKeyRotator
|
|
|
74
89
|
end
|
|
75
90
|
|
|
76
91
|
def backup_file(original)
|
|
92
|
+
say "Copy #{original} -> #{original}.bak-#{date}"
|
|
77
93
|
FileUtils.mv(original, "#{original}.bak-#{date}")
|
|
78
94
|
end
|
|
79
95
|
|
|
@@ -86,7 +102,7 @@ module RailsKeyRotator
|
|
|
86
102
|
).read
|
|
87
103
|
end
|
|
88
104
|
|
|
89
|
-
def
|
|
105
|
+
def write_credentials(contents) # the new configuration
|
|
90
106
|
ActiveSupport::EncryptedConfiguration.new(
|
|
91
107
|
config_path: credentials_path,
|
|
92
108
|
key_path: key_path,
|
|
@@ -94,5 +110,10 @@ module RailsKeyRotator
|
|
|
94
110
|
raise_if_missing_key: true
|
|
95
111
|
).write(contents)
|
|
96
112
|
end
|
|
113
|
+
|
|
114
|
+
def write_key
|
|
115
|
+
say "Writing #{new_key} to #{key_path}"
|
|
116
|
+
File.write(key_path, new_key)
|
|
117
|
+
end
|
|
97
118
|
end
|
|
98
119
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails_key_rotator
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leon Berenschot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-10-
|
|
11
|
+
date: 2023-10-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|