rails_key_rotator 0.2.2 → 0.2.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +20 -9
- data/lib/rails_key_rotator/railtie.rb +2 -2
- data/lib/rails_key_rotator/version.rb +1 -1
- data/lib/rails_key_rotator.rb +5 -3
- data/rails_key_rotator.gemspec +3 -5
- metadata +5 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: eaa46a03f93b85091d320d81de8241cfc1f8f9151c9f6ff13c232bf17bc146a9
|
|
4
|
+
data.tar.gz: 98dc1e4cde4cc1365ed765d8142540c751709dc2ed66a8cdb48cef90f768c38a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: da389d3403d24bb9159445693fa1690d875e5ddde24f4edbee80dd10a67787ec98c359434d642b0f5541581df63a986d29f2c6fe5273e5e07030396a35c843c4
|
|
7
|
+
data.tar.gz: 465b459024d8efa98b3347febf3961ee2f14883a1201082b899a66d2527202a75f87d3f717fd02cc5cd1c552bef2171498c2a9c375495a0020c4bc7dd8aad339
|
data/README.md
CHANGED
|
@@ -1,5 +1,13 @@
|
|
|
1
1
|
# RailsKeyRotator
|
|
2
2
|
|
|
3
|
+
[](https://badge.fury.io/rb/rails_key_rotator)
|
|
4
|
+
|
|
5
|
+
> **Warning**
|
|
6
|
+
> **THIS IS BETA SOFTWARE**
|
|
7
|
+
>
|
|
8
|
+
> Major version zero (0.y.z) is for initial development. Anything MAY change at any time. The public API SHOULD NOT be considered stable.
|
|
9
|
+
> See: <https://semver.org/#spec-item-4>
|
|
10
|
+
|
|
3
11
|
## Installation
|
|
4
12
|
|
|
5
13
|
Install the gem and add to the application's Gemfile by executing:
|
|
@@ -15,14 +23,15 @@ If bundler is not being used to manage dependencies, install the gem by executin
|
|
|
15
23
|
> **Warning**
|
|
16
24
|
> **DON'T FORGET TO HANDOUT THE NEW KEY TO YOUR COLLEAGUES!**
|
|
17
25
|
|
|
18
|
-
1.
|
|
26
|
+
1. Run the rake taks
|
|
19
27
|
|
|
20
28
|
$ RAILS_ENV=production bundle exec rake key_rotator:rotate
|
|
21
29
|
|
|
22
30
|
Starting process:
|
|
23
31
|
-> Copy config/credentials/production.key -> config/credentials/production.key.bak-2023-10-15-084335
|
|
24
32
|
-> Copy config/credentials/production.yml.enc -> config/credentials/production.yml.enc.bak-2023-10-15-084335
|
|
25
|
-
-> Writing 774ef137809953c633f03233d3ec5d35 to config/credentials/production.key
|
|
33
|
+
-> Writing the key "774ef137809953c633f03233d3ec5d35" to config/credentials/production.key
|
|
34
|
+
-> Writing the re-encrypted credentials to config/credentials/production.yml.enc
|
|
26
35
|
|
|
27
36
|
Finished! The next steps are:
|
|
28
37
|
|
|
@@ -33,12 +42,11 @@ If bundler is not being used to manage dependencies, install the gem by executin
|
|
|
33
42
|
|
|
34
43
|
This will backup current key / credentials, create a new key and saves encrypts the credentails w/ this new key for the current `RAILS_ENV`
|
|
35
44
|
|
|
45
|
+
2. Deploying this variable as an env `RAILS_MASTER_KEY_NEW`
|
|
36
46
|
|
|
37
|
-
|
|
47
|
+
3. Commit and deploy new encrypted file.
|
|
38
48
|
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
4. After a while when everything is back in sync replace `RAILS_MASTER_KEY` w/ the new key and delete `RAILS_MASTER_KEY_NEW`
|
|
49
|
+
4. After a while when everything is back in sync replace `RAILS_MASTER_KEY` w/ the new key and delete `RAILS_MASTER_KEY_NEW`
|
|
42
50
|
|
|
43
51
|
## Process
|
|
44
52
|
|
|
@@ -50,14 +58,12 @@ When we've defined `RAILS_MASTER_KEY_NEW` it means we are rotating the encryptio
|
|
|
50
58
|
|
|
51
59
|
3. If not, we will fallback to the old key, thus leave `RAILS_MASTER_KEY` alone
|
|
52
60
|
|
|
53
|
-
See: https://www.reddit.com/r/rails/comments/x4sujc/deploying_a_rotated_credentials_key_without/
|
|
54
|
-
|
|
55
|
-
|
|
56
61
|
## Development
|
|
57
62
|
|
|
58
63
|
This project uses docker and [dip](https://github.com/bibendi/dip), a.k.a. the _Docker Interaction Program._
|
|
59
64
|
|
|
60
65
|
To use it:
|
|
66
|
+
|
|
61
67
|
```shell
|
|
62
68
|
gem install dip
|
|
63
69
|
dip provision
|
|
@@ -77,3 +83,8 @@ The gem is available as open source under the terms of the [MIT License](https:/
|
|
|
77
83
|
## Code of Conduct
|
|
78
84
|
|
|
79
85
|
Everyone interacting in the RailsKeyRotator project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/LeipeLeon/rails_key_rotator/blob/master/CODE_OF_CONDUCT.md).
|
|
86
|
+
|
|
87
|
+
## Thanks to:
|
|
88
|
+
|
|
89
|
+
- The fine folks of [kerkdienstgemist.nl](https://github.com/kdgm) allowed me to extract the basics from their sourcecode.
|
|
90
|
+
- The [original inspirator](https://www.reddit.com/user/abuisman/) after some googling: <https://www.reddit.com/r/rails/comments/x4sujc/deploying_a_rotated_credentials_key_without/>
|
data/lib/rails_key_rotator.rb
CHANGED
|
@@ -27,8 +27,8 @@ module RailsKeyRotator
|
|
|
27
27
|
def rotate
|
|
28
28
|
puts "Starting process:"
|
|
29
29
|
decrypted = read(credentials_path) # Decrypt current credentials
|
|
30
|
-
backup_file(key_path) # Backup key
|
|
31
30
|
backup_file(credentials_path) # Backup credentials
|
|
31
|
+
backup_file(key_path) # Backup key
|
|
32
32
|
write_key # Save new key
|
|
33
33
|
write_credentials(decrypted) # Save new credentials
|
|
34
34
|
puts <<~PROCEDURE
|
|
@@ -89,6 +89,7 @@ module RailsKeyRotator
|
|
|
89
89
|
end
|
|
90
90
|
|
|
91
91
|
def backup_file(original)
|
|
92
|
+
raise "File does not exist: #{original}" unless File.exist?(original)
|
|
92
93
|
say "Copy #{original} -> #{original}.bak-#{date}"
|
|
93
94
|
FileUtils.mv(original, "#{original}.bak-#{date}")
|
|
94
95
|
end
|
|
@@ -97,12 +98,13 @@ module RailsKeyRotator
|
|
|
97
98
|
ActiveSupport::EncryptedConfiguration.new(
|
|
98
99
|
config_path: credentials_path,
|
|
99
100
|
key_path: key_path,
|
|
100
|
-
env_key: "",
|
|
101
|
+
env_key: "RAILS_MASTER_KEY",
|
|
101
102
|
raise_if_missing_key: true
|
|
102
103
|
).read
|
|
103
104
|
end
|
|
104
105
|
|
|
105
106
|
def write_credentials(contents) # the new configuration
|
|
107
|
+
say "Writing the re-encrypted credentials to #{credentials_path}"
|
|
106
108
|
ActiveSupport::EncryptedConfiguration.new(
|
|
107
109
|
config_path: credentials_path,
|
|
108
110
|
key_path: key_path,
|
|
@@ -112,7 +114,7 @@ module RailsKeyRotator
|
|
|
112
114
|
end
|
|
113
115
|
|
|
114
116
|
def write_key
|
|
115
|
-
say
|
|
117
|
+
say %(Writing the key "#{new_key}" to #{key_path})
|
|
116
118
|
File.write(key_path, new_key)
|
|
117
119
|
end
|
|
118
120
|
end
|
data/rails_key_rotator.gemspec
CHANGED
|
@@ -1,5 +1,3 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
1
|
require_relative "lib/rails_key_rotator/version"
|
|
4
2
|
|
|
5
3
|
Gem::Specification.new do |spec|
|
|
@@ -10,7 +8,7 @@ Gem::Specification.new do |spec|
|
|
|
10
8
|
|
|
11
9
|
spec.summary = "Rotate your RAILS_MASTER_KEY with ease"
|
|
12
10
|
# spec.description = "TODO: Write a longer description or delete this line."
|
|
13
|
-
spec.homepage = "https://
|
|
11
|
+
spec.homepage = "https://github.com/LeipeLeon/rails_key_rotator"
|
|
14
12
|
spec.license = "MIT"
|
|
15
13
|
spec.required_ruby_version = ">= 2.6.0"
|
|
16
14
|
|
|
@@ -18,8 +16,8 @@ Gem::Specification.new do |spec|
|
|
|
18
16
|
|
|
19
17
|
spec.metadata["rubygems_mfa_required"] = "true"
|
|
20
18
|
spec.metadata["homepage_uri"] = spec.homepage
|
|
21
|
-
spec.metadata["source_code_uri"] =
|
|
22
|
-
spec.metadata["changelog_uri"] = "
|
|
19
|
+
spec.metadata["source_code_uri"] = spec.homepage
|
|
20
|
+
spec.metadata["changelog_uri"] = "#{spec.homepage}/blob/main/CHANGELOG.md"
|
|
23
21
|
|
|
24
22
|
# Specify which files should be added to the gem when it is released.
|
|
25
23
|
# The `git ls-files -z` loads the files in the RubyGem that have been added into git.
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails_key_rotator
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Leon Berenschot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-10-
|
|
11
|
+
date: 2023-10-20 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -61,14 +61,14 @@ files:
|
|
|
61
61
|
- lib/tasks/key_rotator.rake
|
|
62
62
|
- rails_key_rotator.gemspec
|
|
63
63
|
- sig/rails_key_rotator.rbs
|
|
64
|
-
homepage: https://
|
|
64
|
+
homepage: https://github.com/LeipeLeon/rails_key_rotator
|
|
65
65
|
licenses:
|
|
66
66
|
- MIT
|
|
67
67
|
metadata:
|
|
68
68
|
rubygems_mfa_required: 'true'
|
|
69
|
-
homepage_uri: https://
|
|
69
|
+
homepage_uri: https://github.com/LeipeLeon/rails_key_rotator
|
|
70
70
|
source_code_uri: https://github.com/LeipeLeon/rails_key_rotator
|
|
71
|
-
changelog_uri: https://github.com/LeipeLeon/rails_key_rotator/CHANGELOG.md
|
|
71
|
+
changelog_uri: https://github.com/LeipeLeon/rails_key_rotator/blob/main/CHANGELOG.md
|
|
72
72
|
post_install_message:
|
|
73
73
|
rdoc_options: []
|
|
74
74
|
require_paths:
|