rails_kms_credentials 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d9002ffd4c1c4c037cfefa42fa524a68c695d6fdfa7010a966e5d6a0ed1c0130
+  data.tar.gz: cd9410a02314fcc000d5e5e44f1947aa8aa0e5a50a8e434fc29775073ced335c
+SHA512:
+  metadata.gz: 14fc42d0dc79b8da2b0458a8109bf7aa224230e9cb76975fbed7412c32d795c7cfea449a9d75ee62406c9bbbf7995a2776f6bf1281ae3192cee43184b50671ad
+  data.tar.gz: 4bd8c88b3788508b5ba3e1b3223aceebb862a6595ec76b96b00e70370bb8d2f0e9b43c77b0cd9c2463c4270da17cca0b2bab65e125115c035dc14fd4ff0a4c1c

data/README.md

@@ -0,0 +1 @@
+# rails-kms-credentials

data/lib/rails_kms_credentials/application.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module RailsKmsCredentials
+  module Application
+    extend ActiveSupport::Concern
+
+    included do
+      def credentials
+        kms_credentials.store.credentials
+      end
+
+      def kms_credentials
+        @kms_credentials ||= Credentials.new(config.kms_credentials)
+      end
+    end
+
+  end
+end

data/lib/rails_kms_credentials/configuration.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module RailsKmsCredentials
+  class CredentialsConfig < ActiveSupport::OrderedOptions
+  end
+
+  module Configuration
+    extend ActiveSupport::Concern
+
+    def kms_credentials
+      @kms_credentials ||= Rails.application.config_for(:kms_credentials).with_indifferent_access
+    end
+
+  end
+end

data/lib/rails_kms_credentials/credentials.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module RailsKmsCredentials
+  class Credentials
+    attr_reader :config, :store
+
+    def initialize(config)
+      @config = config
+      @_store_klass = Store.get config['store']
+      @store = @_store_klass.new self
+    end
+
+  end
+end

data/lib/rails_kms_credentials/railtie.rb

@@ -0,0 +1,12 @@
+require 'rails'
+
+module RailsKmsCredentials
+  class Railtie < Rails::Railtie
+    railtie_name :rails_kms_credentials
+
+    rake_tasks do
+      load 'tasks/credentials.rake'
+    end
+
+  end
+end

data/lib/rails_kms_credentials/store/azure_key_vault/client/base.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module RailsKmsCredentials
+  module Store
+    module AzureKeyVault
+      module Client
+        class Base
+          attr_reader :store
+
+          delegate :config, to: :store
+
+          def initialize(store)
+            @store = store
+          end
+
+          def get_secrets_list(url)
+            raise NotImplementedError
+          end
+
+          def get_secret(url)
+            raise NotImplementedError
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/rails_kms_credentials/store/azure_key_vault/client/client_credentials.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module RailsKmsCredentials
+  module Store
+    module AzureKeyVault
+      module Client
+        class ClientCredentials < Base
+          attr_reader :tenant_id, :client_id, :client_secret
+
+          def initialize(*)
+            super
+            @tenant_id = client_config['tenant_id']
+            raise 'Missing KmsCredentials AzureKeyVault ClientCredentials tenant_id' if tenant_id.blank?
+            @client_id = client_config['client_id']
+            raise 'Missing KmsCredentials AzureKeyVault ClientCredentials client_id' if client_id.blank?
+            @client_secret = client_config['client_secret']
+            raise 'Missing KmsCredentials AzureKeyVault ClientCredentials client_secret' if client_secret.blank?
+          end
+
+          def get_secrets_list(url)
+            HTTParty.get(
+              url,
+              headers: {
+                Authorization: "Bearer #{access_token}",
+              },
+            )
+          end
+
+          def get_secret(url)
+            HTTParty.get(
+              url,
+              headers: {
+                Authorization: "Bearer #{access_token}",
+              },
+            )
+          end
+
+          private
+
+            def client_config
+              config['client']
+            end
+
+            def access_token
+              return @access_token if instance_variable_defined?(:@access_token)
+              @_access_token_response = HTTParty.post(
+                "https://login.microsoftonline.com/#{client_config['tenant_id']}/oauth2/v2.0/token",
+                {
+                  body: {
+                    client_id: client_config['client_id'],
+                    client_secret: client_config['client_secret'],
+                    scope: 'https://vault.azure.net/.default',
+                    grant_type: 'client_credentials',
+                  }
+                }
+              )
+              raise 'KmsCredentials AzureKeyVault ClientCredentials unable to get access token' unless @_access_token_response.ok?
+              @access_token = @_access_token_response['access_token']
+            end
+
+        end
+
+        add(:client_credentials, ClientCredentials)
+
+      end
+    end
+  end
+end

data/lib/rails_kms_credentials/store/azure_key_vault/client/managed_identity.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module RailsKmsCredentials
+  module Store
+    module AzureKeyVault
+      module Client
+        class ManagedIdentity < Base
+          def get_secrets_list(url)
+            HTTParty.get url
+          end
+
+          def get_secret(url)
+            HTTParty.get url
+          end
+
+        end
+
+        add(:managed_identity, ManagedIdentity)
+
+      end
+    end
+  end
+end

data/lib/rails_kms_credentials/store/azure_key_vault/client.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module RailsKmsCredentials
+  module Store
+    module AzureKeyVault
+      module Client
+        @map = {}.with_indifferent_access
+
+        class << self
+          attr_reader :map
+
+          def get(client)
+            map[client] || raise("KmsCredentials AzureKeyVault unknown client: `#{client}`")
+          end
+
+          def add(name, klass)
+            map[name] = klass
+          end
+
+        end
+
+      end
+    end
+  end
+end
+
+require 'rails_kms_credentials/store/azure_key_vault/client/base'
+require 'rails_kms_credentials/store/azure_key_vault/client/client_credentials'
+require 'rails_kms_credentials/store/azure_key_vault/client/managed_identity'

data/lib/rails_kms_credentials/store/azure_key_vault.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+module RailsKmsCredentials
+  module Store
+    module AzureKeyVault
+
+      class Store < Base::Store
+        attr_reader :vault, :vault_url, :client
+
+        SECRETS_API_VERSION = '7.3'
+
+        EMPTY_VALUE = '--EMPTY--'
+
+        def initialize(*) # rubocop:disable Metrics/AbcSize
+          super
+          @vault = config['vault']
+          raise 'Missing KmsCredentials AzureKeyVault vault' if vault.blank?
+          raise "Invalid KmsCredentials AzureKeyVault vault `#{vault}`" if vault =~ /[^0-9a-zA-Z\-]/
+          @vault_url = "https://#{vault}.vault.azure.net"
+          raise 'Missing KmsCredentials AzureKeyVault client' unless config['client'].is_a? Hash
+          raise 'Missing KmsCredentials AzureKeyVault client.type' if config['client']['type'].blank?
+          @_client_klass = Client.get config['client']['type']
+          @client = @_client_klass.new self
+          @loaded = false
+        end
+
+        def credentials # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+          return @credentials if instance_variable_defined?(:@credentials)
+          load_secrets
+          @credentials = @_secrets.values.each_with_object(ActiveSupport::OrderedOptions.new) do |secret, memo|
+            name = secret['name'].split('--')
+            name.each { |x| x.gsub!('-', '_') }
+            parent = name[0..-2].inject(memo) do |h, key|
+              if h.key?(key) && !h[key].is_a?(ActiveSupport::OrderedOptions)
+                raise "KmsCredentials AzureKeyVault credentials format issue: #{secret['name']}"
+              end
+              h[key] ||= ActiveSupport::OrderedOptions.new
+            end
+            parent[name.last] = secret['value'] == EMPTY_VALUE ? '' : secret['value']
+          end
+        end
+
+        private
+
+          def load_secrets
+            return if @loaded
+            load_secrets_list
+          end
+
+          def load_secrets_list(url = nil) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+            @_get_secrets_list_responses ||= []
+            @_secrets ||= {}
+            url ||= "#{vault_url}/secrets?api-version=#{SECRETS_API_VERSION}"
+            response = client.get_secrets_list url
+            @_get_secrets_list_responses << response
+            raise "KmsCredentials AzureKeyVault unable to get list of secrets: #{url}" unless response.ok?
+            response['value'].each do |secret|
+              secret_name = secret['id'].split('/').last
+              secret['name'] = secret_name
+              @_secrets[secret_name] = secret
+              load_secret secret_name
+            end
+            if response['nextLink']
+              load_secrets_list(response['nextLink'])
+            else
+              @loaded = true
+            end
+          end
+
+          def load_secret(secret_name)
+            @_get_secret_responses ||= {}
+            return unless (secret = @_secrets[secret_name])
+            response = client.get_secret "#{secret['id']}?api-version=#{SECRETS_API_VERSION}"
+            @_get_secret_responses[secret_name] = response
+            raise "KmsCredentials AzureKeyVault unable to get secret: #{secret['id']}" unless response.ok?
+            secret['value'] = response['value']
+          end
+
+      end
+    end
+
+    add(:azure_key_vault, AzureKeyVault::Store)
+
+  end
+end
+
+require 'rails_kms_credentials/store/azure_key_vault/client'

data/lib/rails_kms_credentials/store/base.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module RailsKmsCredentials
+  module Store
+    module Base
+      class Store
+        attr_reader :root
+
+        delegate :config, to: :root
+
+        def initialize(root)
+          @root = root
+        end
+
+        def credentials
+          raise NotImplementedError
+        end
+
+      end
+    end
+  end
+end

data/lib/rails_kms_credentials/store.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module RailsKmsCredentials
+  module Store
+    @map = {}.with_indifferent_access
+
+    class << self
+      attr_reader :map
+
+      def get(store)
+        map[store] || raise("KmsCredentials unknown store: `#{store}`")
+      end
+
+      def add(name, klass)
+        map[name] = klass
+      end
+
+    end
+
+  end
+end
+
+require 'rails_kms_credentials/store/base'
+require 'rails_kms_credentials/store/azure_key_vault'

data/lib/rails_kms_credentials/version.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module RailsKmsCredentials
+
+  module Version
+    MAJOR = 0
+    MINOR = 0
+    PATCH = 1
+
+  end
+
+  VERSION = [
+    Version::MAJOR,
+    Version::MINOR,
+    Version::PATCH,
+  ].join('.').freeze
+
+end

data/lib/rails_kms_credentials.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+# Container Module
+module RailsKmsCredentials; end
+
+require 'active_support/concern'
+
+require 'rails_kms_credentials/application'
+require 'rails_kms_credentials/configuration'
+require 'rails_kms_credentials/credentials'
+require 'rails_kms_credentials/store'
+require 'rails_kms_credentials/railtie'
+require 'rails_kms_credentials/version'
+
+Rails::Application::Configuration.send(:include, RailsKmsCredentials::Configuration)
+Rails::Application.send(:include, RailsKmsCredentials::Application)

data/lib/tasks/credentials.rake

@@ -0,0 +1,8 @@
+namespace :kms_creds do
+  task :show, [:environment] do |_, args|
+  end
+
+  task :edit, [:environment] do |_, args|
+    ENV['EDITOR'] += ' --wait' if ENV['EDITOR'].present? && (ENV['EDITOR'] == 'code' || ENV['EDITOR'].ends_with?('/code')) # Stupid fix for vscode exiting too quickly
+  end
+end

data/rails_kms_credentials.gemspec

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+$LOAD_PATH << File.join(File.dirname(__FILE__), 'lib')
+require 'rails_kms_credentials/version'
+
+Gem::Specification.new do |s|
+  s.name        = 'rails_kms_credentials'
+  s.version     = RailsKmsCredentials::VERSION
+  s.authors     = ['Taylor Yelverton']
+  s.email       = 'rubygems@yelvert.io'
+  s.homepage    = 'https://github.com/ComplyMD/rails_kms_credentials'
+  s.summary     = 'Add support for different credentials for different kmss to Rails'
+  s.license     = 'MIT'
+  s.description = 'Add support for different credentials for different kmss to Rails'
+  s.metadata    = {
+    'bug_tracker_uri' => 'https://github.com/ComplyMD/rails_kms_credentials/issues',
+    'changelog_uri' => 'https://github.com/ComplyMD/rails_kms_credentials/commits/master',
+    'documentation_uri' => 'https://github.com/ComplyMD/rails_kms_credentials/wiki',
+    'homepage_uri' => 'https://github.com/ComplyMD/rails_kms_credentials',
+    'source_code_uri' => 'https://github.com/ComplyMD/rails_kms_credentials',
+    'rubygems_mfa_required' => 'true',
+  }
+
+  s.files = Dir['lib/**/*','README.md','MIT-LICENSE','rails_kms_credentials.gemspec']
+
+  s.require_paths = %w[ lib ]
+
+  s.required_ruby_version = '>= 2.7.0'
+
+  s.add_dependency('activesupport', '>= 5.0.0')
+  s.add_dependency('railties', '>= 5.0.0')
+
+  s.add_dependency('httparty', '~> 0.17.0')
+end

metadata

@@ -0,0 +1,106 @@
+--- !ruby/object:Gem::Specification
+name: rails_kms_credentials
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Taylor Yelverton
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2022-11-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.17.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.17.0
+description: Add support for different credentials for different kmss to Rails
+email: rubygems@yelvert.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/rails_kms_credentials.rb
+- lib/rails_kms_credentials/application.rb
+- lib/rails_kms_credentials/configuration.rb
+- lib/rails_kms_credentials/credentials.rb
+- lib/rails_kms_credentials/railtie.rb
+- lib/rails_kms_credentials/store.rb
+- lib/rails_kms_credentials/store/azure_key_vault.rb
+- lib/rails_kms_credentials/store/azure_key_vault/client.rb
+- lib/rails_kms_credentials/store/azure_key_vault/client/base.rb
+- lib/rails_kms_credentials/store/azure_key_vault/client/client_credentials.rb
+- lib/rails_kms_credentials/store/azure_key_vault/client/managed_identity.rb
+- lib/rails_kms_credentials/store/base.rb
+- lib/rails_kms_credentials/version.rb
+- lib/tasks/credentials.rake
+- rails_kms_credentials.gemspec
+homepage: https://github.com/ComplyMD/rails_kms_credentials
+licenses:
+- MIT
+metadata:
+  bug_tracker_uri: https://github.com/ComplyMD/rails_kms_credentials/issues
+  changelog_uri: https://github.com/ComplyMD/rails_kms_credentials/commits/master
+  documentation_uri: https://github.com/ComplyMD/rails_kms_credentials/wiki
+  homepage_uri: https://github.com/ComplyMD/rails_kms_credentials
+  source_code_uri: https://github.com/ComplyMD/rails_kms_credentials
+  rubygems_mfa_required: 'true'
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.4
+signing_key: 
+specification_version: 4
+summary: Add support for different credentials for different kmss to Rails
+test_files: []