rails_kms_credentials 0.0.2 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c1722bd0996c3a1be492c2bfa72531791a1ac30ed88cb159102a6661e60e3270
-  data.tar.gz: 0d9f6bcd5bcddc442e1712b2dfb247c5c71c85fb6636b7777be345e05bb1e2df
+  metadata.gz: 44bc978f5ac247ec65a51df713cc84366e80c7ae27dcfe2e5c13f29eef1761f3
+  data.tar.gz: b91a33f301098c11373a5d9fa8516f53ac93c3799fc9ec94348d6bb9c6c49881
 SHA512:
-  metadata.gz: c443e4a5aa075dcf08c675bcfccbc1d49e781b17451370f0bb26f7803dc636df09c4644b4e85a4c6e20675787e97bfa959a19eef045d831f8c2a81f9112663ed
-  data.tar.gz: 8db14c441562ee1438df718fd7700f57f86d0967ff364471cfb60e8b770e0a6c47b8d258b24a3aafeeb9a0ab722ab8bca79eb8de0990c2098401f03c7389fbb5
+  metadata.gz: 50fd05f387be1c04f35098e771f37ec22f78ca52ea2cd06ac74221a4196ee43a34c4426df9064245edf584ed75a3f666bef3c1f67731e247e352ecd815f4f4b2
+  data.tar.gz: b5a23437fd1ddfa0f13783a6fb2ccee860f7f4b0a89cfcb37073c1ac34af1ff267a4706fe1f45ed69e17b484dcfcabf2814813f6a47993211f731dc0d72b11be

data/README.md

@@ -1 +1,65 @@
 # rails-kms-credentials
+
+This gem expands the capabilities of `Rails.application.credentials` to support fetching the credentials from a Key Management System.
+
+## Configuration
+This gem will read `config/kms_credentials.yml` using `Rails.application.config_for`.
+
+Key | Description
+---|---
+`store` | [Stores](#stores) The Key Managedment System to use.
+
+## Stores
+
+Key Management System | Config Value
+---|---
+[Azure Key Vault](#azure-key-vault) | `azure_key_vault`
+
+### Azure Key Vault
+Credentials will be loaded from a Key Vault's Secrets.
+
+All hyphens (`-`) in a secret name will be replaced with underscores (`_`) when put into credentials (ex. `foo-bar` -> `foo_bar`).
+
+Credentials can be nested by separating the parent key from the child key with `--` (ex. secret `foo--bar--baz` with a value of `test` will become `{foo: {bar: {baz: "test"}}}`.
+
+Since Secrets cannot be empty in Azure Key Vault, if you need a key to show up in credentials, but need its value to be empty, then set the Secret's value to `--EMPTY--`.
+
+#### Config
+Key | Description
+---|---
+`vault` | The name of the Key Vault
+`client` | Client specific configuration. See [Client Types](#client-types).
+`client.type` | The [Client Type](#client-types) to use.
+`client.secret_prefix` | The prefix that all secrets for this application will have. See [Secret Prefix](#secret-prefix).
+
+#### Secret Prefix
+The prefix along with `----` will be added to the beginning of the secret name (ex. `prefix: abc123` -> `abc123----some-secret`)
+
+#### Client Types
+
+How to connect/authenticate to Azure Ket Vault.
+
+Client | `client.type`
+---|---
+[Managed Identity](#managed-identity) | `managed_identity`
+[Client Credentials](#client-credentials) | `client_credentials`
+
+
+##### Managed Identity
+This is the client to use when running on an [Azure VM](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token).
+
+**Config:**
+Key | Description
+---|---
+`client.type` | `managed_identity`
+
+
+##### Client Credentials
+This is the client to use when connecting from outside of Azure. [See here](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow).
+
+**Config**
+Key | Description
+---|---
+`client.tenant_id` | The directory tenant the application plans to operate against, in GUID or domain-name format.
+`client.client_id` | The application ID that's assigned to your app. You can find this information in the portal where you registered your app.
+`client.client_secret` | The client secret that you generated for your app in the app registration portal.

data/lib/rails_kms_credentials/railtie.rb

@@ -4,9 +4,5 @@ module RailsKmsCredentials
   class Railtie < Rails::Railtie
     railtie_name :rails_kms_credentials
 
-    rake_tasks do
-      load 'tasks/credentials.rake'
-    end
-
   end
 end

data/lib/rails_kms_credentials/store/azure_key_vault.rb

@@ -5,13 +5,13 @@ module RailsKmsCredentials
     module AzureKeyVault
 
       class Store < Base::Store
-        attr_reader :vault, :vault_url, :client
+        attr_reader :vault, :vault_url, :client, :secret_prefix, :loaded
 
         SECRETS_API_VERSION = '7.3'
 
         EMPTY_VALUE = '--EMPTY--'
 
-        def initialize(*) # rubocop:disable Metrics/AbcSize
+        def initialize(*) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
           super
           @vault = config['vault']
           raise 'Missing KmsCredentials AzureKeyVault vault' if vault.blank?
@@ -21,6 +21,13 @@ module RailsKmsCredentials
           raise 'Missing KmsCredentials AzureKeyVault client.type' if config['client']['type'].blank?
           @_client_klass = Client.get config['client']['type']
           @client = @_client_klass.new self
+          @secret_prefix =  case config['client']['secret_prefix']
+                            when true
+                              Rails.application.class.parent.to_s.underscore.dasherize
+                            when String
+                              config['client']['secret_prefix']
+                            end
+          @_secret_prefix = @secret_prefix ? Regexp.new("^#{@secret_prefix}----") : ''
           @loaded = false
         end
 
@@ -28,7 +35,7 @@ module RailsKmsCredentials
           return @credentials if instance_variable_defined?(:@credentials)
           load_secrets
           @credentials = @_secrets.values.each_with_object(ActiveSupport::OrderedOptions.new) do |secret, memo|
-            name = secret['name'].split('--')
+            name = secret['name'].remove(@_secret_prefix).split('--')
             name.each { |x| x.gsub!('-', '_') }
             parent = name[0..-2].inject(memo) do |h, key|
               if h.key?(key) && !h[key].is_a?(ActiveSupport::OrderedOptions)
@@ -47,7 +54,7 @@ module RailsKmsCredentials
             load_secrets_list
           end
 
-          def load_secrets_list(url = nil) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+          def load_secrets_list(url = nil) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
             @_get_secrets_list_responses ||= []
             @_secrets ||= {}
             url ||= "#{vault_url}/secrets?api-version=#{SECRETS_API_VERSION}"
@@ -56,6 +63,7 @@ module RailsKmsCredentials
             raise "KmsCredentials AzureKeyVault unable to get list of secrets: #{url}" unless response.ok?
             response['value'].each do |secret|
               secret_name = secret['id'].split('/').last
+              next unless secret_name =~ @_secret_prefix
               secret['name'] = secret_name
               @_secrets[secret_name] = secret
               load_secret secret_name

data/lib/rails_kms_credentials/version.rb

@@ -4,8 +4,8 @@ module RailsKmsCredentials
 
   module Version
     MAJOR = 0
-    MINOR = 0
-    PATCH = 2
+    MINOR = 1
+    PATCH = 0
 
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_kms_credentials
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.1.0
 platform: ruby
 authors:
 - Taylor Yelverton
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-11-01 00:00:00.000000000 Z
+date: 2022-11-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -72,7 +72,6 @@ files:
 - lib/rails_kms_credentials/store/azure_key_vault/client/managed_identity.rb
 - lib/rails_kms_credentials/store/base.rb
 - lib/rails_kms_credentials/version.rb
-- lib/tasks/credentials.rake
 - rails_kms_credentials.gemspec
 homepage: https://github.com/ComplyMD/rails_kms_credentials
 licenses:

data/lib/tasks/credentials.rake

@@ -1,8 +0,0 @@
-namespace :kms_creds do
-  task :show, [:environment] do |_, args|
-  end
-
-  task :edit, [:environment] do |_, args|
-    ENV['EDITOR'] += ' --wait' if ENV['EDITOR'].present? && (ENV['EDITOR'] == 'code' || ENV['EDITOR'].ends_with?('/code')) # Stupid fix for vscode exiting too quickly
-  end
-end