rails_key_rotator 0.2.2 → 0.2.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +20 -9
- data/lib/rails_key_rotator/railtie.rb +2 -2
- data/lib/rails_key_rotator/version.rb +1 -1
- data/lib/rails_key_rotator.rb +5 -3
- data/rails_key_rotator.gemspec +3 -5
- metadata +5 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: eaa46a03f93b85091d320d81de8241cfc1f8f9151c9f6ff13c232bf17bc146a9
|
|
4
|
+
data.tar.gz: 98dc1e4cde4cc1365ed765d8142540c751709dc2ed66a8cdb48cef90f768c38a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: da389d3403d24bb9159445693fa1690d875e5ddde24f4edbee80dd10a67787ec98c359434d642b0f5541581df63a986d29f2c6fe5273e5e07030396a35c843c4
|
|
7
|
+
data.tar.gz: 465b459024d8efa98b3347febf3961ee2f14883a1201082b899a66d2527202a75f87d3f717fd02cc5cd1c552bef2171498c2a9c375495a0020c4bc7dd8aad339
|
data/README.md
CHANGED
|
@@ -1,5 +1,13 @@
|
|
|
1
1
|
# RailsKeyRotator
|
|
2
2
|
|
|
3
|
+
[](https://badge.fury.io/rb/rails_key_rotator)
|
|
4
|
+
|
|
5
|
+
> **Warning**
|
|
6
|
+
> **THIS IS BETA SOFTWARE**
|
|
7
|
+
>
|
|
8
|
+
> Major version zero (0.y.z) is for initial development. Anything MAY change at any time. The public API SHOULD NOT be considered stable.
|
|
9
|
+
> See: <https://semver.org/#spec-item-4>
|
|
10
|
+
|
|
3
11
|
## Installation
|
|
4
12
|
|
|
5
13
|
Install the gem and add to the application's Gemfile by executing:
|
|
@@ -15,14 +23,15 @@ If bundler is not being used to manage dependencies, install the gem by executin
|
|
|
15
23
|
> **Warning**
|
|
16
24
|
> **DON'T FORGET TO HANDOUT THE NEW KEY TO YOUR COLLEAGUES!**
|
|
17
25
|
|
|
18
|
-
1.
|
|
26
|
+
1. Run the rake taks
|
|
19
27
|
|
|
20
28
|
$ RAILS_ENV=production bundle exec rake key_rotator:rotate
|
|
21
29
|
|
|
22
30
|
Starting process:
|
|
23
31
|
-> Copy config/credentials/production.key -> config/credentials/production.key.bak-2023-10-15-084335
|
|
24
32
|
-> Copy config/credentials/production.yml.enc -> config/credentials/production.yml.enc.bak-2023-10-15-084335
|
|
25
|
-
-> Writing 774ef137809953c633f03233d3ec5d35 to config/credentials/production.key
|
|
33
|
+
-> Writing the key "774ef137809953c633f03233d3ec5d35" to config/credentials/production.key
|
|
34
|
+
-> Writing the re-encrypted credentials to config/credentials/production.yml.enc
|
|
26
35
|
|
|
27
36
|
Finished! The next steps are:
|
|
28
37
|
|
|
@@ -33,12 +42,11 @@ If bundler is not being used to manage dependencies, install the gem by executin
|
|
|
33
42
|
|
|
34
43
|
This will backup current key / credentials, create a new key and saves encrypts the credentails w/ this new key for the current `RAILS_ENV`
|
|
35
44
|
|
|
45
|
+
2. Deploying this variable as an env `RAILS_MASTER_KEY_NEW`
|
|
36
46
|
|
|
37
|
-
|
|
47
|
+
3. Commit and deploy new encrypted file.
|
|
38
48
|
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
4. After a while when everything is back in sync replace `RAILS_MASTER_KEY` w/ the new key and delete `RAILS_MASTER_KEY_NEW`
|
|
49
|
+
4. After a while when everything is back in sync replace `RAILS_MASTER_KEY` w/ the new key and delete `RAILS_MASTER_KEY_NEW`
|
|
42
50
|
|
|
43
51
|
## Process
|
|
44
52
|
|
|
@@ -50,14 +58,12 @@ When we've defined `RAILS_MASTER_KEY_NEW` it means we are rotating the encryptio
|
|
|
50
58
|
|
|
51
59
|
3. If not, we will fallback to the old key, thus leave `RAILS_MASTER_KEY` alone
|
|
52
60
|
|
|
53
|
-
See: https://www.reddit.com/r/rails/comments/x4sujc/deploying_a_rotated_credentials_key_without/
|
|
54
|
-
|
|
55
|
-
|
|
56
61
|
## Development
|
|
57
62
|
|
|
58
63
|
This project uses docker and [dip](https://github.com/bibendi/dip), a.k.a. the _Docker Interaction Program._
|
|
59
64
|
|
|
60
65
|
To use it:
|
|
66
|
+
|
|
61
67
|
```shell
|
|
62
68
|
gem install dip
|
|
63
69
|
dip provision
|
|
@@ -77,3 +83,8 @@ The gem is available as open source under the terms of the [MIT License](https:/
|
|
|
77
83
|
## Code of Conduct
|
|
78
84
|
|
|
79
85
|
Everyone interacting in the RailsKeyRotator project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/LeipeLeon/rails_key_rotator/blob/master/CODE_OF_CONDUCT.md).
|
|
86
|
+
|
|
87
|
+
## Thanks to:
|
|
88
|
+
|
|
89
|
+
- The fine folks of [kerkdienstgemist.nl](https://github.com/kdgm) allowed me to extract the basics from their sourcecode.
|
|
90
|
+
- The [original inspirator](https://www.reddit.com/user/abuisman/) after some googling: <https://www.reddit.com/r/rails/comments/x4sujc/deploying_a_rotated_credentials_key_without/>
|
data/lib/rails_key_rotator.rb
CHANGED
|
@@ -27,8 +27,8 @@ module RailsKeyRotator
|
|
|
27
27
|
def rotate
|
|
28
28
|
puts "Starting process:"
|
|
29
29
|
decrypted = read(credentials_path) # Decrypt current credentials
|
|
30
|
-
backup_file(key_path) # Backup key
|
|
31
30
|
backup_file(credentials_path) # Backup credentials
|
|
31
|
+
backup_file(key_path) # Backup key
|
|
32
32
|
write_key # Save new key
|
|
33
33
|
write_credentials(decrypted) # Save new credentials
|
|
34
34
|
puts <<~PROCEDURE
|
|
@@ -89,6 +89,7 @@ module RailsKeyRotator
|
|
|
89
89
|
end
|
|
90
90
|
|
|
91
91
|
def backup_file(original)
|
|
92
|
+
raise "File does not exist: #{original}" unless File.exist?(original)
|
|
92
93
|
say "Copy #{original} -> #{original}.bak-#{date}"
|
|
93
94
|
FileUtils.mv(original, "#{original}.bak-#{date}")
|
|
94
95
|
end
|
|
@@ -97,12 +98,13 @@ module RailsKeyRotator
|
|
|
97
98
|
ActiveSupport::EncryptedConfiguration.new(
|
|
98
99
|
config_path: credentials_path,
|
|
99
100
|
key_path: key_path,
|
|
100
|
-
env_key: "",
|
|
101
|
+
env_key: "RAILS_MASTER_KEY",
|
|
101
102
|
raise_if_missing_key: true
|
|
102
103
|
).read
|
|
103
104
|
end
|
|
104
105
|
|
|
105
106
|
def write_credentials(contents) # the new configuration
|
|
107
|
+
say "Writing the re-encrypted credentials to #{credentials_path}"
|
|
106
108
|
ActiveSupport::EncryptedConfiguration.new(
|
|
107
109
|
config_path: credentials_path,
|
|
108
110
|
key_path: key_path,
|
|
@@ -112,7 +114,7 @@ module RailsKeyRotator
|
|
|
112
114
|
end
|
|
113
115
|
|
|
114
116
|
def write_key
|
|
115
|
-
say
|
|
117
|
+
say %(Writing the key "#{new_key}" to #{key_path})
|
|
116
118
|
File.write(key_path, new_key)
|
|
117
119
|
end
|
|
118
120
|
end
|
data/rails_key_rotator.gemspec
CHANGED
|
@@ -1,5 +1,3 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
1
|
require_relative "lib/rails_key_rotator/version"
|
|
4
2
|
|
|
5
3
|
Gem::Specification.new do |spec|
|
|
@@ -10,7 +8,7 @@ Gem::Specification.new do |spec|
|
|
|
10
8
|
|
|
11
9
|
spec.summary = "Rotate your RAILS_MASTER_KEY with ease"
|
|
12
10
|
# spec.description = "TODO: Write a longer description or delete this line."
|
|
13
|
-
spec.homepage = "https://
|
|
11
|
+
spec.homepage = "https://github.com/LeipeLeon/rails_key_rotator"
|
|
14
12
|
spec.license = "MIT"
|
|
15
13
|
spec.required_ruby_version = ">= 2.6.0"
|
|
16
14
|
|
|
@@ -18,8 +16,8 @@ Gem::Specification.new do |spec|
|
|
|
18
16
|
|
|
19
17
|
spec.metadata["rubygems_mfa_required"] = "true"
|
|
20
18
|
spec.metadata["homepage_uri"] = spec.homepage
|
|
21
|
-
spec.metadata["source_code_uri"] =
|
|
22
|
-
spec.metadata["changelog_uri"] = "
|
|
19
|
+
spec.metadata["source_code_uri"] = spec.homepage
|
|
20
|
+
spec.metadata["changelog_uri"] = "#{spec.homepage}/blob/main/CHANGELOG.md"
|
|
23
21
|
|
|
24
22
|
# Specify which files should be added to the gem when it is released.
|
|
25
23
|
# The `git ls-files -z` loads the files in the RubyGem that have been added into git.
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails_key_rotator
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leon Berenschot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-10-
|
|
11
|
+
date: 2023-10-20 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -61,14 +61,14 @@ files:
|
|
|
61
61
|
- lib/tasks/key_rotator.rake
|
|
62
62
|
- rails_key_rotator.gemspec
|
|
63
63
|
- sig/rails_key_rotator.rbs
|
|
64
|
-
homepage: https://
|
|
64
|
+
homepage: https://github.com/LeipeLeon/rails_key_rotator
|
|
65
65
|
licenses:
|
|
66
66
|
- MIT
|
|
67
67
|
metadata:
|
|
68
68
|
rubygems_mfa_required: 'true'
|
|
69
|
-
homepage_uri: https://
|
|
69
|
+
homepage_uri: https://github.com/LeipeLeon/rails_key_rotator
|
|
70
70
|
source_code_uri: https://github.com/LeipeLeon/rails_key_rotator
|
|
71
|
-
changelog_uri: https://github.com/LeipeLeon/rails_key_rotator/CHANGELOG.md
|
|
71
|
+
changelog_uri: https://github.com/LeipeLeon/rails_key_rotator/blob/main/CHANGELOG.md
|
|
72
72
|
post_install_message:
|
|
73
73
|
rdoc_options: []
|
|
74
74
|
require_paths:
|