rails_kms_credentials 0.0.2 → 0.1.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (7) hide show
  1. checksums.yaml +4 -4
  2. data/README.md +64 -0
  3. data/lib/rails_kms_credentials/railtie.rb +0 -4
  4. data/lib/rails_kms_credentials/store/azure_key_vault.rb +12 -4
  5. data/lib/rails_kms_credentials/version.rb +2 -2
  6. metadata +2 -3
  7. data/lib/tasks/credentials.rake +0 -8
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: c1722bd0996c3a1be492c2bfa72531791a1ac30ed88cb159102a6661e60e3270
4
- data.tar.gz: 0d9f6bcd5bcddc442e1712b2dfb247c5c71c85fb6636b7777be345e05bb1e2df
3
+ metadata.gz: 44bc978f5ac247ec65a51df713cc84366e80c7ae27dcfe2e5c13f29eef1761f3
4
+ data.tar.gz: b91a33f301098c11373a5d9fa8516f53ac93c3799fc9ec94348d6bb9c6c49881
5
5
  SHA512:
6
- metadata.gz: c443e4a5aa075dcf08c675bcfccbc1d49e781b17451370f0bb26f7803dc636df09c4644b4e85a4c6e20675787e97bfa959a19eef045d831f8c2a81f9112663ed
7
- data.tar.gz: 8db14c441562ee1438df718fd7700f57f86d0967ff364471cfb60e8b770e0a6c47b8d258b24a3aafeeb9a0ab722ab8bca79eb8de0990c2098401f03c7389fbb5
6
+ metadata.gz: 50fd05f387be1c04f35098e771f37ec22f78ca52ea2cd06ac74221a4196ee43a34c4426df9064245edf584ed75a3f666bef3c1f67731e247e352ecd815f4f4b2
7
+ data.tar.gz: b5a23437fd1ddfa0f13783a6fb2ccee860f7f4b0a89cfcb37073c1ac34af1ff267a4706fe1f45ed69e17b484dcfcabf2814813f6a47993211f731dc0d72b11be
data/README.md CHANGED
@@ -1 +1,65 @@
1
1
  # rails-kms-credentials
2
+
3
+ This gem expands the capabilities of `Rails.application.credentials` to support fetching the credentials from a Key Management System.
4
+
5
+ ## Configuration
6
+ This gem will read `config/kms_credentials.yml` using `Rails.application.config_for`.
7
+
8
+ Key | Description
9
+ ---|---
10
+ `store` | [Stores](#stores) The Key Managedment System to use.
11
+
12
+ ## Stores
13
+
14
+ Key Management System | Config Value
15
+ ---|---
16
+ [Azure Key Vault](#azure-key-vault) | `azure_key_vault`
17
+
18
+ ### Azure Key Vault
19
+ Credentials will be loaded from a Key Vault's Secrets.
20
+
21
+ All hyphens (`-`) in a secret name will be replaced with underscores (`_`) when put into credentials (ex. `foo-bar` -> `foo_bar`).
22
+
23
+ Credentials can be nested by separating the parent key from the child key with `--` (ex. secret `foo--bar--baz` with a value of `test` will become `{foo: {bar: {baz: "test"}}}`.
24
+
25
+ Since Secrets cannot be empty in Azure Key Vault, if you need a key to show up in credentials, but need its value to be empty, then set the Secret's value to `--EMPTY--`.
26
+
27
+ #### Config
28
+ Key | Description
29
+ ---|---
30
+ `vault` | The name of the Key Vault
31
+ `client` | Client specific configuration. See [Client Types](#client-types).
32
+ `client.type` | The [Client Type](#client-types) to use.
33
+ `client.secret_prefix` | The prefix that all secrets for this application will have. See [Secret Prefix](#secret-prefix).
34
+
35
+ #### Secret Prefix
36
+ The prefix along with `----` will be added to the beginning of the secret name (ex. `prefix: abc123` -> `abc123----some-secret`)
37
+
38
+ #### Client Types
39
+
40
+ How to connect/authenticate to Azure Ket Vault.
41
+
42
+ Client | `client.type`
43
+ ---|---
44
+ [Managed Identity](#managed-identity) | `managed_identity`
45
+ [Client Credentials](#client-credentials) | `client_credentials`
46
+
47
+
48
+ ##### Managed Identity
49
+ This is the client to use when running on an [Azure VM](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token).
50
+
51
+ **Config:**
52
+ Key | Description
53
+ ---|---
54
+ `client.type` | `managed_identity`
55
+
56
+
57
+ ##### Client Credentials
58
+ This is the client to use when connecting from outside of Azure. [See here](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow).
59
+
60
+ **Config**
61
+ Key | Description
62
+ ---|---
63
+ `client.tenant_id` | The directory tenant the application plans to operate against, in GUID or domain-name format.
64
+ `client.client_id` | The application ID that's assigned to your app. You can find this information in the portal where you registered your app.
65
+ `client.client_secret` | The client secret that you generated for your app in the app registration portal.
data/lib/rails_kms_credentials/railtie.rb CHANGED
@@ -4,9 +4,5 @@ module RailsKmsCredentials
4
4
  class Railtie < Rails::Railtie
5
5
  railtie_name :rails_kms_credentials
6
6
 
7
- rake_tasks do
8
- load 'tasks/credentials.rake'
9
- end
10
-
11
7
  end
12
8
  end
data/lib/rails_kms_credentials/store/azure_key_vault.rb CHANGED
@@ -5,13 +5,13 @@ module RailsKmsCredentials
5
5
  module AzureKeyVault
6
6
 
7
7
  class Store < Base::Store
8
- attr_reader :vault, :vault_url, :client
8
+ attr_reader :vault, :vault_url, :client, :secret_prefix, :loaded
9
9
 
10
10
  SECRETS_API_VERSION = '7.3'
11
11
 
12
12
  EMPTY_VALUE = '--EMPTY--'
13
13
 
14
- def initialize(*) # rubocop:disable Metrics/AbcSize
14
+ def initialize(*) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
15
15
  super
16
16
  @vault = config['vault']
17
17
  raise 'Missing KmsCredentials AzureKeyVault vault' if vault.blank?
@@ -21,6 +21,13 @@ module RailsKmsCredentials
21
21
  raise 'Missing KmsCredentials AzureKeyVault client.type' if config['client']['type'].blank?
22
22
  @_client_klass = Client.get config['client']['type']
23
23
  @client = @_client_klass.new self
24
+ @secret_prefix = case config['client']['secret_prefix']
25
+ when true
26
+ Rails.application.class.parent.to_s.underscore.dasherize
27
+ when String
28
+ config['client']['secret_prefix']
29
+ end
30
+ @_secret_prefix = @secret_prefix ? Regexp.new("^#{@secret_prefix}----") : ''
24
31
  @loaded = false
25
32
  end
26
33
 
@@ -28,7 +35,7 @@ module RailsKmsCredentials
28
35
  return @credentials if instance_variable_defined?(:@credentials)
29
36
  load_secrets
30
37
  @credentials = @_secrets.values.each_with_object(ActiveSupport::OrderedOptions.new) do |secret, memo|
31
- name = secret['name'].split('--')
38
+ name = secret['name'].remove(@_secret_prefix).split('--')
32
39
  name.each { |x| x.gsub!('-', '_') }
33
40
  parent = name[0..-2].inject(memo) do |h, key|
34
41
  if h.key?(key) && !h[key].is_a?(ActiveSupport::OrderedOptions)
@@ -47,7 +54,7 @@ module RailsKmsCredentials
47
54
  load_secrets_list
48
55
  end
49
56
 
50
- def load_secrets_list(url = nil) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
57
+ def load_secrets_list(url = nil) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
51
58
  @_get_secrets_list_responses ||= []
52
59
  @_secrets ||= {}
53
60
  url ||= "#{vault_url}/secrets?api-version=#{SECRETS_API_VERSION}"
@@ -56,6 +63,7 @@ module RailsKmsCredentials
56
63
  raise "KmsCredentials AzureKeyVault unable to get list of secrets: #{url}" unless response.ok?
57
64
  response['value'].each do |secret|
58
65
  secret_name = secret['id'].split('/').last
66
+ next unless secret_name =~ @_secret_prefix
59
67
  secret['name'] = secret_name
60
68
  @_secrets[secret_name] = secret
61
69
  load_secret secret_name
data/lib/rails_kms_credentials/version.rb CHANGED
@@ -4,8 +4,8 @@ module RailsKmsCredentials
4
4
 
5
5
  module Version
6
6
  MAJOR = 0
7
- MINOR = 0
8
- PATCH = 2
7
+ MINOR = 1
8
+ PATCH = 0
9
9
 
10
10
  end
11
11
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rails_kms_credentials
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.2
4
+ version: 0.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Taylor Yelverton
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-11-01 00:00:00.000000000 Z
11
+ date: 2022-11-10 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -72,7 +72,6 @@ files:
72
72
  - lib/rails_kms_credentials/store/azure_key_vault/client/managed_identity.rb
73
73
  - lib/rails_kms_credentials/store/base.rb
74
74
  - lib/rails_kms_credentials/version.rb
75
- - lib/tasks/credentials.rake
76
75
  - rails_kms_credentials.gemspec
77
76
  homepage: https://github.com/ComplyMD/rails_kms_credentials
78
77
  licenses:
data/lib/tasks/credentials.rake DELETED
@@ -1,8 +0,0 @@
1
- namespace :kms_creds do
2
- task :show, [:environment] do |_, args|
3
- end
4
-
5
- task :edit, [:environment] do |_, args|
6
- ENV['EDITOR'] += ' --wait' if ENV['EDITOR'].present? && (ENV['EDITOR'] == 'code' || ENV['EDITOR'].ends_with?('/code')) # Stupid fix for vscode exiting too quickly
7
- end
8
- end