rails_key_rotator 0.2.1 → 0.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +15 -2
- data/lib/rails_key_rotator/railtie.rb +1 -1
- data/lib/rails_key_rotator/version.rb +1 -1
- data/lib/rails_key_rotator.rb +30 -8
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c1583daf18681adbf057da6b49f0b1d31edde595911bae83460fd0ca7088d38f
|
|
4
|
+
data.tar.gz: 28024ed59be4ed43b9476eb3c0927a0a0a16370949a4c6bb1b98caf4f1ae770e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b54587fcd4c6f39ed55143893c66550222e08eb1e2a6db07a1cafa3e574e78a47ad726b4d4b7cb6c9c24a7a2218ec5ba2054206ca0e30f7830638e56424c08de
|
|
7
|
+
data.tar.gz: 1a02f4f16ebe9ca906b587d2654358282febe8ed5c17348945989a583d70475eb5418a7aaaf4dd8cb9875bd94462124221f0705ea8166e48745527c98b0ebc18
|
data/README.md
CHANGED
|
@@ -17,9 +17,22 @@ If bundler is not being used to manage dependencies, install the gem by executin
|
|
|
17
17
|
|
|
18
18
|
1. Run the rake taks
|
|
19
19
|
|
|
20
|
-
bundle rake key_rotator:rotate
|
|
20
|
+
$ RAILS_ENV=production bundle exec rake key_rotator:rotate
|
|
21
|
+
|
|
22
|
+
Starting process:
|
|
23
|
+
-> Copy config/credentials/production.key -> config/credentials/production.key.bak-2023-10-15-084335
|
|
24
|
+
-> Copy config/credentials/production.yml.enc -> config/credentials/production.yml.enc.bak-2023-10-15-084335
|
|
25
|
+
-> Writing 774ef137809953c633f03233d3ec5d35 to config/credentials/production.key
|
|
26
|
+
|
|
27
|
+
Finished! The next steps are:
|
|
28
|
+
|
|
29
|
+
- Deploy `RAILS_MASTER_KEY_NEW=774ef137809953c633f03233d3ec5d35` to your infrastructure
|
|
30
|
+
- Share the new key w/ your colleagues
|
|
31
|
+
- Commit changes in config/credentials/production.yml.enc
|
|
32
|
+
- Update `RAILS_MASTER_KEY`and remove `RAILS_MASTER_KEY_NEW` from your infrastructure
|
|
33
|
+
|
|
34
|
+
This will backup current key / credentials, create a new key and saves encrypts the credentails w/ this new key for the current `RAILS_ENV`
|
|
21
35
|
|
|
22
|
-
This will backup current key / credentials, create a new key and saves encrypts the credentails w/ this new key
|
|
23
36
|
|
|
24
37
|
2. Deploying this variable as an env `RAILS_MASTER_KEY_NEW`
|
|
25
38
|
|
data/lib/rails_key_rotator.rb
CHANGED
|
@@ -17,19 +17,30 @@ module RailsKeyRotator
|
|
|
17
17
|
if ENV.fetch("RAILS_MASTER_KEY_NEW", false)
|
|
18
18
|
if can_read_credentials!
|
|
19
19
|
ENV["RAILS_MASTER_KEY"] = ENV.fetch("RAILS_MASTER_KEY_NEW")
|
|
20
|
-
|
|
20
|
+
say_loud "Using NEW key"
|
|
21
21
|
else
|
|
22
|
-
|
|
22
|
+
say_loud "Using OLD key"
|
|
23
23
|
end
|
|
24
24
|
end
|
|
25
25
|
end
|
|
26
26
|
|
|
27
27
|
def rotate
|
|
28
|
+
puts "Starting process:"
|
|
28
29
|
decrypted = read(credentials_path) # Decrypt current credentials
|
|
29
|
-
backup_file(key_path) # Backup key
|
|
30
30
|
backup_file(credentials_path) # Backup credentials
|
|
31
|
-
|
|
32
|
-
|
|
31
|
+
backup_file(key_path) # Backup key
|
|
32
|
+
write_key # Save new key
|
|
33
|
+
write_credentials(decrypted) # Save new credentials
|
|
34
|
+
puts <<~PROCEDURE
|
|
35
|
+
|
|
36
|
+
Finished! The next steps are:
|
|
37
|
+
|
|
38
|
+
- Deploy `RAILS_MASTER_KEY_NEW=#{new_key}` to your infrastructure
|
|
39
|
+
- Share the new key w/ your colleagues
|
|
40
|
+
- Commit changes in #{credentials_path}
|
|
41
|
+
- Update `RAILS_MASTER_KEY`and remove `RAILS_MASTER_KEY_NEW` from your infrastructure
|
|
42
|
+
|
|
43
|
+
PROCEDURE
|
|
33
44
|
end
|
|
34
45
|
|
|
35
46
|
def credentials_path
|
|
@@ -58,7 +69,11 @@ module RailsKeyRotator
|
|
|
58
69
|
end
|
|
59
70
|
|
|
60
71
|
def say(message)
|
|
61
|
-
|
|
72
|
+
puts "-> #{message}"
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
def say_loud(message)
|
|
76
|
+
warn "\e[41;37;1m\n\n\tKeyRotator(#{env}): #{message}\n\e[0m"
|
|
62
77
|
end
|
|
63
78
|
|
|
64
79
|
def env
|
|
@@ -74,6 +89,8 @@ module RailsKeyRotator
|
|
|
74
89
|
end
|
|
75
90
|
|
|
76
91
|
def backup_file(original)
|
|
92
|
+
raise "File does not exist: #{original}" unless File.exist?(original)
|
|
93
|
+
say "Copy #{original} -> #{original}.bak-#{date}"
|
|
77
94
|
FileUtils.mv(original, "#{original}.bak-#{date}")
|
|
78
95
|
end
|
|
79
96
|
|
|
@@ -81,12 +98,12 @@ module RailsKeyRotator
|
|
|
81
98
|
ActiveSupport::EncryptedConfiguration.new(
|
|
82
99
|
config_path: credentials_path,
|
|
83
100
|
key_path: key_path,
|
|
84
|
-
env_key: "",
|
|
101
|
+
env_key: "RAILS_MASTER_KEY",
|
|
85
102
|
raise_if_missing_key: true
|
|
86
103
|
).read
|
|
87
104
|
end
|
|
88
105
|
|
|
89
|
-
def
|
|
106
|
+
def write_credentials(contents) # the new configuration
|
|
90
107
|
ActiveSupport::EncryptedConfiguration.new(
|
|
91
108
|
config_path: credentials_path,
|
|
92
109
|
key_path: key_path,
|
|
@@ -94,5 +111,10 @@ module RailsKeyRotator
|
|
|
94
111
|
raise_if_missing_key: true
|
|
95
112
|
).write(contents)
|
|
96
113
|
end
|
|
114
|
+
|
|
115
|
+
def write_key
|
|
116
|
+
say "Writing #{new_key} to #{key_path}"
|
|
117
|
+
File.write(key_path, new_key)
|
|
118
|
+
end
|
|
97
119
|
end
|
|
98
120
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails_key_rotator
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leon Berenschot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-10-
|
|
11
|
+
date: 2023-10-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|