rails_kms_credentials 0.0.1 → 0.0.3

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: d9002ffd4c1c4c037cfefa42fa524a68c695d6fdfa7010a966e5d6a0ed1c0130
4
- data.tar.gz: cd9410a02314fcc000d5e5e44f1947aa8aa0e5a50a8e434fc29775073ced335c
3
+ metadata.gz: 75b923804031caddd3be015d207c02cdb9758d2dc98ebe527ee5ecd163823478
4
+ data.tar.gz: 98fef79cee6c7910b8e665de1c99ce886159b4c903095321e751f0e1339e801d
5
5
  SHA512:
6
- metadata.gz: 14fc42d0dc79b8da2b0458a8109bf7aa224230e9cb76975fbed7412c32d795c7cfea449a9d75ee62406c9bbbf7995a2776f6bf1281ae3192cee43184b50671ad
7
- data.tar.gz: 4bd8c88b3788508b5ba3e1b3223aceebb862a6595ec76b96b00e70370bb8d2f0e9b43c77b0cd9c2463c4270da17cca0b2bab65e125115c035dc14fd4ff0a4c1c
6
+ metadata.gz: 14f001897a77ad3664c9125a493992ec2586ee467e2b15c39beaa4ece0685ea29e2ed7281dc8258a17768884431f2dac8e38c0c630ea3ef7b92d1be28cebcbcf
7
+ data.tar.gz: 257fddec2f37904ef64e578a1bb93e57c8573cf3dee5749fcac565801a79edd2d417669a6b979de3b76ed72618c6aa5da049212d37d3b08829b32126384766ac
@@ -6,13 +6,37 @@ module RailsKmsCredentials
6
6
  module Client
7
7
  class ManagedIdentity < Base
8
8
  def get_secrets_list(url)
9
- HTTParty.get url
9
+ HTTParty.get(
10
+ url,
11
+ headers: {
12
+ Authorization: "Bearer #{access_token}",
13
+ },
14
+ )
10
15
  end
11
16
 
12
17
  def get_secret(url)
13
- HTTParty.get url
18
+ HTTParty.get(
19
+ url,
20
+ headers: {
21
+ Authorization: "Bearer #{access_token}",
22
+ },
23
+ )
14
24
  end
15
25
 
26
+ private
27
+
28
+ def access_token
29
+ return @access_token if instance_variable_defined?(:@access_token)
30
+ @_access_token_response = HTTParty.get(
31
+ 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net',
32
+ {
33
+ headers: { Metadata: 'true' },
34
+ }
35
+ )
36
+ raise 'KmsCredentials AzureKeyVault ClientCredentials unable to get access token' unless @_access_token_response.ok?
37
+ @access_token = @_access_token_response['access_token']
38
+ end
39
+
16
40
  end
17
41
 
18
42
  add(:managed_identity, ManagedIdentity)
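Review bot: The failure message in `access_token` names the wrong client: `raise 'KmsCredentials AzureKeyVault ClientCredentials unable to get access token'` sits inside `ManagedIdentity`, so a failed IMDS call is reported as a ClientCredentials problem; `raise 'KmsCredentials AzureKeyVault ManagedIdentity unable to get access token' unless response.ok?` would match the class. The token is memoized for the lifetime of the client via `instance_variable_defined?(:@access_token)` with no regard to the `expires_on` the IMDS endpoint returns, which is harmless if the client only serves one initial secret load but means any call after expiry fails with an authorization error instead of refreshing. `@_access_token_response` is only read inside this method and could be a local; keeping the full token response on the instance retains the bearer token longer than necessary. The enclosing `module RailsKmsCredentials` opens outside the hunk.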
@@ -5,13 +5,13 @@ module RailsKmsCredentials
5
5
  module AzureKeyVault
6
6
 
7
7
  class Store < Base::Store
8
- attr_reader :vault, :vault_url, :client
8
+ attr_reader :vault, :vault_url, :client, :secret_prefix, :loaded
9
9
 
10
10
  SECRETS_API_VERSION = '7.3'
11
11
 
12
12
  EMPTY_VALUE = '--EMPTY--'
13
13
 
14
- def initialize(*) # rubocop:disable Metrics/AbcSize
14
+ def initialize(*) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
15
15
  super
16
16
  @vault = config['vault']
17
17
  raise 'Missing KmsCredentials AzureKeyVault vault' if vault.blank?
@@ -21,6 +21,13 @@ module RailsKmsCredentials
21
21
  raise 'Missing KmsCredentials AzureKeyVault client.type' if config['client']['type'].blank?
22
22
  @_client_klass = Client.get config['client']['type']
23
23
  @client = @_client_klass.new self
24
+ @secret_prefix = case config['client']['secret_prefix']
25
+ when true
26
+ Rails.application.class.parent.to_s.underscore.dasherize
27
+ when String
28
+ config['client']['secret_prefix']
29
+ end
30
+ @_secret_prefix = @secret_prefix ? Regexp.new("^#{@secret_prefix}----") : ''
24
31
  @loaded = false
25
32
  end
26
33
 
@@ -28,7 +35,7 @@ module RailsKmsCredentials
28
35
  return @credentials if instance_variable_defined?(:@credentials)
29
36
  load_secrets
30
37
  @credentials = @_secrets.values.each_with_object(ActiveSupport::OrderedOptions.new) do |secret, memo|
31
- name = secret['name'].split('--')
38
+ name = secret['name'].remove(@_secret_prefix).split('--')
32
39
  name.each { |x| x.gsub!('-', '_') }
33
40
  parent = name[0..-2].inject(memo) do |h, key|
34
41
  if h.key?(key) && !h[key].is_a?(ActiveSupport::OrderedOptions)
@@ -47,7 +54,7 @@ module RailsKmsCredentials
47
54
  load_secrets_list
48
55
  end
49
56
 
50
- def load_secrets_list(url = nil) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
57
+ def load_secrets_list(url = nil) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
51
58
  @_get_secrets_list_responses ||= []
52
59
  @_secrets ||= {}
53
60
  url ||= "#{vault_url}/secrets?api-version=#{SECRETS_API_VERSION}"
@@ -56,6 +63,7 @@ module RailsKmsCredentials
56
63
  raise "KmsCredentials AzureKeyVault unable to get list of secrets: #{url}" unless response.ok?
57
64
  response['value'].each do |secret|
58
65
  secret_name = secret['id'].split('/').last
66
+ next unless secret_name =~ @_secret_prefix
59
67
  secret['name'] = secret_name
60
68
  @_secrets[secret_name] = secret
61
69
  load_secret secret_name
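Review bot: `next unless secret_name =~ @_secret_prefix` raises `TypeError (type mismatch: String given)` whenever `secret_prefix` is not configured, because the `case` in `initialize` then yields nil and the ternary assigns the String `''` to `@_secret_prefix`, and `String#=~` rejects a String argument — every store without a prefix would fail to load any secret. The configured prefix is also interpolated into `Regexp.new` unescaped and anchored with `^`, which matches at any line start rather than the start of the name. Both go away with `@_secret_prefix = @secret_prefix ? /\A#{Regexp.escape(@secret_prefix)}----/ : //` in `initialize` (an empty Regexp makes `remove` a no-op and the filter match every name) and `next unless secret_name.match?(@_secret_prefix)` here in `load_secrets_list`, whose body continues outside the hunk. `Rails.application.class.parent` relies on `Module#parent`, which later Rails releases renamed to `module_parent`; worth confirming against the Rails range this gem supports.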
@@ -5,7 +5,7 @@ module RailsKmsCredentials
5
5
  module Version
6
6
  MAJOR = 0
7
7
  MINOR = 0
8
- PATCH = 1
8
+ PATCH = 3
9
9
 
10
10
  end
11
11
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rails_kms_credentials
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.1
4
+ version: 0.0.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Taylor Yelverton
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-11-01 00:00:00.000000000 Z
11
+ date: 2022-11-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport