rails_kms_credentials 0.0.1 → 0.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 75b923804031caddd3be015d207c02cdb9758d2dc98ebe527ee5ecd163823478
|
|
4
|
+
data.tar.gz: 98fef79cee6c7910b8e665de1c99ce886159b4c903095321e751f0e1339e801d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 14f001897a77ad3664c9125a493992ec2586ee467e2b15c39beaa4ece0685ea29e2ed7281dc8258a17768884431f2dac8e38c0c630ea3ef7b92d1be28cebcbcf
|
|
7
|
+
data.tar.gz: 257fddec2f37904ef64e578a1bb93e57c8573cf3dee5749fcac565801a79edd2d417669a6b979de3b76ed72618c6aa5da049212d37d3b08829b32126384766ac
|
|
@@ -6,13 +6,37 @@ module RailsKmsCredentials
|
|
|
6
6
|
module Client
|
|
7
7
|
class ManagedIdentity < Base
|
|
8
8
|
def get_secrets_list(url)
|
|
9
|
-
HTTParty.get
|
|
9
|
+
HTTParty.get(
|
|
10
|
+
url,
|
|
11
|
+
headers: {
|
|
12
|
+
Authorization: "Bearer #{access_token}",
|
|
13
|
+
},
|
|
14
|
+
)
|
|
10
15
|
end
|
|
11
16
|
|
|
12
17
|
def get_secret(url)
|
|
13
|
-
HTTParty.get
|
|
18
|
+
HTTParty.get(
|
|
19
|
+
url,
|
|
20
|
+
headers: {
|
|
21
|
+
Authorization: "Bearer #{access_token}",
|
|
22
|
+
},
|
|
23
|
+
)
|
|
14
24
|
end
|
|
15
25
|
|
|
26
|
+
private
|
|
27
|
+
|
|
28
|
+
def access_token
|
|
29
|
+
return @access_token if instance_variable_defined?(:@access_token)
|
|
30
|
+
@_access_token_response = HTTParty.get(
|
|
31
|
+
'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net',
|
|
32
|
+
{
|
|
33
|
+
headers: { Metadata: 'true' },
|
|
34
|
+
}
|
|
35
|
+
)
|
|
36
|
+
raise 'KmsCredentials AzureKeyVault ClientCredentials unable to get access token' unless @_access_token_response.ok?
|
|
37
|
+
@access_token = @_access_token_response['access_token']
|
|
38
|
+
end
|
|
39
|
+
|
|
16
40
|
end
|
|
17
41
|
|
|
18
42
|
add(:managed_identity, ManagedIdentity)
|
|
@@ -5,13 +5,13 @@ module RailsKmsCredentials
|
|
|
5
5
|
module AzureKeyVault
|
|
6
6
|
|
|
7
7
|
class Store < Base::Store
|
|
8
|
-
attr_reader :vault, :vault_url, :client
|
|
8
|
+
attr_reader :vault, :vault_url, :client, :secret_prefix, :loaded
|
|
9
9
|
|
|
10
10
|
SECRETS_API_VERSION = '7.3'
|
|
11
11
|
|
|
12
12
|
EMPTY_VALUE = '--EMPTY--'
|
|
13
13
|
|
|
14
|
-
def initialize(*) # rubocop:disable Metrics/AbcSize
|
|
14
|
+
def initialize(*) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
|
|
15
15
|
super
|
|
16
16
|
@vault = config['vault']
|
|
17
17
|
raise 'Missing KmsCredentials AzureKeyVault vault' if vault.blank?
|
|
@@ -21,6 +21,13 @@ module RailsKmsCredentials
|
|
|
21
21
|
raise 'Missing KmsCredentials AzureKeyVault client.type' if config['client']['type'].blank?
|
|
22
22
|
@_client_klass = Client.get config['client']['type']
|
|
23
23
|
@client = @_client_klass.new self
|
|
24
|
+
@secret_prefix = case config['client']['secret_prefix']
|
|
25
|
+
when true
|
|
26
|
+
Rails.application.class.parent.to_s.underscore.dasherize
|
|
27
|
+
when String
|
|
28
|
+
config['client']['secret_prefix']
|
|
29
|
+
end
|
|
30
|
+
@_secret_prefix = @secret_prefix ? Regexp.new("^#{@secret_prefix}----") : ''
|
|
24
31
|
@loaded = false
|
|
25
32
|
end
|
|
26
33
|
|
|
@@ -28,7 +35,7 @@ module RailsKmsCredentials
|
|
|
28
35
|
return @credentials if instance_variable_defined?(:@credentials)
|
|
29
36
|
load_secrets
|
|
30
37
|
@credentials = @_secrets.values.each_with_object(ActiveSupport::OrderedOptions.new) do |secret, memo|
|
|
31
|
-
name = secret['name'].split('--')
|
|
38
|
+
name = secret['name'].remove(@_secret_prefix).split('--')
|
|
32
39
|
name.each { |x| x.gsub!('-', '_') }
|
|
33
40
|
parent = name[0..-2].inject(memo) do |h, key|
|
|
34
41
|
if h.key?(key) && !h[key].is_a?(ActiveSupport::OrderedOptions)
|
|
@@ -47,7 +54,7 @@ module RailsKmsCredentials
|
|
|
47
54
|
load_secrets_list
|
|
48
55
|
end
|
|
49
56
|
|
|
50
|
-
def load_secrets_list(url = nil) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
|
|
57
|
+
def load_secrets_list(url = nil) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
|
|
51
58
|
@_get_secrets_list_responses ||= []
|
|
52
59
|
@_secrets ||= {}
|
|
53
60
|
url ||= "#{vault_url}/secrets?api-version=#{SECRETS_API_VERSION}"
|
|
@@ -56,6 +63,7 @@ module RailsKmsCredentials
|
|
|
56
63
|
raise "KmsCredentials AzureKeyVault unable to get list of secrets: #{url}" unless response.ok?
|
|
57
64
|
response['value'].each do |secret|
|
|
58
65
|
secret_name = secret['id'].split('/').last
|
|
66
|
+
next unless secret_name =~ @_secret_prefix
|
|
59
67
|
secret['name'] = secret_name
|
|
60
68
|
@_secrets[secret_name] = secret
|
|
61
69
|
load_secret secret_name
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails_kms_credentials
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Taylor Yelverton
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-11-
|
|
11
|
+
date: 2022-11-02 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|