rails_key_rotator 0.2.1 → 0.2.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +15 -2
- data/lib/rails_key_rotator/railtie.rb +1 -1
- data/lib/rails_key_rotator/version.rb +1 -1
- data/lib/rails_key_rotator.rb +30 -8
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c1583daf18681adbf057da6b49f0b1d31edde595911bae83460fd0ca7088d38f
|
|
4
|
+
data.tar.gz: 28024ed59be4ed43b9476eb3c0927a0a0a16370949a4c6bb1b98caf4f1ae770e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b54587fcd4c6f39ed55143893c66550222e08eb1e2a6db07a1cafa3e574e78a47ad726b4d4b7cb6c9c24a7a2218ec5ba2054206ca0e30f7830638e56424c08de
|
|
7
|
+
data.tar.gz: 1a02f4f16ebe9ca906b587d2654358282febe8ed5c17348945989a583d70475eb5418a7aaaf4dd8cb9875bd94462124221f0705ea8166e48745527c98b0ebc18
|
data/README.md
CHANGED
|
@@ -17,9 +17,22 @@ If bundler is not being used to manage dependencies, install the gem by executin
|
|
|
17
17
|
|
|
18
18
|
1. Run the rake taks
|
|
19
19
|
|
|
20
|
-
bundle rake key_rotator:rotate
|
|
20
|
+
$ RAILS_ENV=production bundle exec rake key_rotator:rotate
|
|
21
|
+
|
|
22
|
+
Starting process:
|
|
23
|
+
-> Copy config/credentials/production.key -> config/credentials/production.key.bak-2023-10-15-084335
|
|
24
|
+
-> Copy config/credentials/production.yml.enc -> config/credentials/production.yml.enc.bak-2023-10-15-084335
|
|
25
|
+
-> Writing 774ef137809953c633f03233d3ec5d35 to config/credentials/production.key
|
|
26
|
+
|
|
27
|
+
Finished! The next steps are:
|
|
28
|
+
|
|
29
|
+
- Deploy `RAILS_MASTER_KEY_NEW=774ef137809953c633f03233d3ec5d35` to your infrastructure
|
|
30
|
+
- Share the new key w/ your colleagues
|
|
31
|
+
- Commit changes in config/credentials/production.yml.enc
|
|
32
|
+
- Update `RAILS_MASTER_KEY`and remove `RAILS_MASTER_KEY_NEW` from your infrastructure
|
|
33
|
+
|
|
34
|
+
This will backup current key / credentials, create a new key and saves encrypts the credentails w/ this new key for the current `RAILS_ENV`
|
|
21
35
|
|
|
22
|
-
This will backup current key / credentials, create a new key and saves encrypts the credentails w/ this new key
|
|
23
36
|
|
|
24
37
|
2. Deploying this variable as an env `RAILS_MASTER_KEY_NEW`
|
|
25
38
|
|
data/lib/rails_key_rotator.rb
CHANGED
|
@@ -17,19 +17,30 @@ module RailsKeyRotator
|
|
|
17
17
|
if ENV.fetch("RAILS_MASTER_KEY_NEW", false)
|
|
18
18
|
if can_read_credentials!
|
|
19
19
|
ENV["RAILS_MASTER_KEY"] = ENV.fetch("RAILS_MASTER_KEY_NEW")
|
|
20
|
-
|
|
20
|
+
say_loud "Using NEW key"
|
|
21
21
|
else
|
|
22
|
-
|
|
22
|
+
say_loud "Using OLD key"
|
|
23
23
|
end
|
|
24
24
|
end
|
|
25
25
|
end
|
|
26
26
|
|
|
27
27
|
def rotate
|
|
28
|
+
puts "Starting process:"
|
|
28
29
|
decrypted = read(credentials_path) # Decrypt current credentials
|
|
29
|
-
backup_file(key_path) # Backup key
|
|
30
30
|
backup_file(credentials_path) # Backup credentials
|
|
31
|
-
|
|
32
|
-
|
|
31
|
+
backup_file(key_path) # Backup key
|
|
32
|
+
write_key # Save new key
|
|
33
|
+
write_credentials(decrypted) # Save new credentials
|
|
34
|
+
puts <<~PROCEDURE
|
|
35
|
+
|
|
36
|
+
Finished! The next steps are:
|
|
37
|
+
|
|
38
|
+
- Deploy `RAILS_MASTER_KEY_NEW=#{new_key}` to your infrastructure
|
|
39
|
+
- Share the new key w/ your colleagues
|
|
40
|
+
- Commit changes in #{credentials_path}
|
|
41
|
+
- Update `RAILS_MASTER_KEY`and remove `RAILS_MASTER_KEY_NEW` from your infrastructure
|
|
42
|
+
|
|
43
|
+
PROCEDURE
|
|
33
44
|
end
|
|
34
45
|
|
|
35
46
|
def credentials_path
|
|
@@ -58,7 +69,11 @@ module RailsKeyRotator
|
|
|
58
69
|
end
|
|
59
70
|
|
|
60
71
|
def say(message)
|
|
61
|
-
|
|
72
|
+
puts "-> #{message}"
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
def say_loud(message)
|
|
76
|
+
warn "\e[41;37;1m\n\n\tKeyRotator(#{env}): #{message}\n\e[0m"
|
|
62
77
|
end
|
|
63
78
|
|
|
64
79
|
def env
|
|
@@ -74,6 +89,8 @@ module RailsKeyRotator
|
|
|
74
89
|
end
|
|
75
90
|
|
|
76
91
|
def backup_file(original)
|
|
92
|
+
raise "File does not exist: #{original}" unless File.exist?(original)
|
|
93
|
+
say "Copy #{original} -> #{original}.bak-#{date}"
|
|
77
94
|
FileUtils.mv(original, "#{original}.bak-#{date}")
|
|
78
95
|
end
|
|
79
96
|
|
|
@@ -81,12 +98,12 @@ module RailsKeyRotator
|
|
|
81
98
|
ActiveSupport::EncryptedConfiguration.new(
|
|
82
99
|
config_path: credentials_path,
|
|
83
100
|
key_path: key_path,
|
|
84
|
-
env_key: "",
|
|
101
|
+
env_key: "RAILS_MASTER_KEY",
|
|
85
102
|
raise_if_missing_key: true
|
|
86
103
|
).read
|
|
87
104
|
end
|
|
88
105
|
|
|
89
|
-
def
|
|
106
|
+
def write_credentials(contents) # the new configuration
|
|
90
107
|
ActiveSupport::EncryptedConfiguration.new(
|
|
91
108
|
config_path: credentials_path,
|
|
92
109
|
key_path: key_path,
|
|
@@ -94,5 +111,10 @@ module RailsKeyRotator
|
|
|
94
111
|
raise_if_missing_key: true
|
|
95
112
|
).write(contents)
|
|
96
113
|
end
|
|
114
|
+
|
|
115
|
+
def write_key
|
|
116
|
+
say "Writing #{new_key} to #{key_path}"
|
|
117
|
+
File.write(key_path, new_key)
|
|
118
|
+
end
|
|
97
119
|
end
|
|
98
120
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails_key_rotator
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leon Berenschot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-10-
|
|
11
|
+
date: 2023-10-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|