rails_outofband_keys 0.1.1 → 0.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +24 -9
- data/lib/rails_outofband_keys/railtie.rb +14 -11
- data/lib/rails_outofband_keys/version.rb +1 -1
- metadata +14 -7
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 36a784436805d0003b9202eee28f1a6fdce3d461f1bd897d35d83c5a19fc1738
|
|
4
|
+
data.tar.gz: da58352c65fdc7e632485518e7430798ff4d8ea9b1b324dbc00149f0d9aa7540
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f18708b2c0ca5d7e3c3250cbb324a631e9adbcf69cdbffd3d528ae8be18c90e774fd191f0b706dd5aff06496c48acf02c4708ee4c7af80f926f00dbeced96dde
|
|
7
|
+
data.tar.gz: 61b7df727a378c470e8fab0bb813f6b9603854804c55f16ddd4b0626c9b8876d564612410d10d8908de8b480671bbbc098ef75d981dedd8a790fd3cd99f0c499
|
data/README.md
CHANGED
|
@@ -1,21 +1,36 @@
|
|
|
1
1
|
# rails_outofband_keys
|
|
2
2
|
|
|
3
|
-
`rails_outofband_keys` is a Rails plugin that changes **how Rails finds your credentials key files** (e.g., `production.key` or `master.key`). It allows you to keep these sensitive keys **outside of your project directory and git tree** (
|
|
3
|
+
`rails_outofband_keys` is a Rails plugin that changes **how Rails finds your credentials key files** (e.g., `production.key` or `master.key`). It allows you to keep these sensitive keys **outside of your project directory and git tree** (for example, under `~/.config/`).
|
|
4
4
|
|
|
5
|
-
It does **not** replace Rails credentials, change where `credentials.yml.enc` lives, or alter how encryption works. It only
|
|
5
|
+
It does **not** replace Rails credentials, change where `credentials.yml.enc` lives, or alter how encryption works. It only configures `config.credentials.key_path` during the boot process.
|
|
6
|
+
|
|
7
|
+
## Why did I make this?
|
|
8
|
+
|
|
9
|
+
Encrypted credentials are a solid default. They simplify onboarding, move teams away from risky `.env` files, and give Rails a single, consistent way to manage secrets.
|
|
10
|
+
|
|
11
|
+
But the system is only as strong as how the encryption keys are handled.
|
|
12
|
+
|
|
13
|
+
In Rails, it’s standard practice to store credentials keys next to the encrypted files and rely on `.gitignore` to keep them out of version control. That works — until it doesn’t. It assumes perfect developer hygiene and assumes your tooling will always respect ignore rules.
|
|
14
|
+
|
|
15
|
+
Modern AI assistants and agentic tools break that assumption. These tools upload project files to the cloud and often execute commands directly inside your repo. Even ignored files are now a single `grep` or accidental read away from exposure.
|
|
16
|
+
|
|
17
|
+
Moving encryption keys out of the project directory is a simple, effective risk reduction. It’s one of the baseline requirements I set before allowing agentic tooling on my team, alongside credential redaction in logs and exceptions.
|
|
18
|
+
|
|
19
|
+
This gem exists to make that safer pattern easy and boring.
|
|
6
20
|
|
|
7
21
|
## Resolution Order
|
|
8
22
|
|
|
9
23
|
1. If `RAILS_MASTER_KEY` is set in the environment, Rails uses it (this gem does nothing).
|
|
10
24
|
2. If `RAILS_CREDENTIALS_KEY_DIR` is set, it is used as the base directory for the app.
|
|
11
25
|
3. If `RAILS_OUTOFBAND_BASE_DIR` is set, it is used as the global base directory.
|
|
12
|
-
4. Otherwise, the gem
|
|
13
|
-
|
|
14
|
-
|
|
26
|
+
4. Otherwise, the gem falls back to OS defaults:
|
|
27
|
+
- **Linux/macOS**: XDG config directory (`~/.config` fallback)
|
|
28
|
+
- **Windows**: `%AppData%`
|
|
15
29
|
|
|
16
30
|
The final path is constructed as:
|
|
17
|
-
|
|
18
|
-
`base_directory / root_subdir / credentials_subdir /
|
|
31
|
+
|
|
32
|
+
- `base_directory / root_subdir / credentials_subdir / <environment>.key`
|
|
33
|
+
- `base_directory / root_subdir / credentials_subdir / master.key`
|
|
19
34
|
|
|
20
35
|
## Configuration
|
|
21
36
|
|
|
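Review bot: the new "Why did I make this?" section should state what moving the key under `~/.config` does and does not protect against. The same paragraph says agentic tools "execute commands directly inside your repo"; a tool with shell access in the developer's session can read `~/.config` as easily as an ignored file, so the reduction is against tools that upload or index the project tree, not against arbitrary command execution. Also, the "final path" list gives two candidates (`<environment>.key` and `master.key`) without saying which is tried first when both exist; one sentence stating the precedence would remove that ambiguity.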
@@ -41,9 +56,9 @@ On Unix-like systems, key files **must** have secure permissions. They must be o
|
|
|
41
56
|
Add the gem to your Gemfile:
|
|
42
57
|
|
|
43
58
|
```ruby
|
|
44
|
-
gem "rails_outofband_keys"
|
|
59
|
+
gem "rails_outofband_keys"
|
|
45
60
|
```
|
|
46
61
|
|
|
47
62
|
## License
|
|
48
63
|
|
|
49
|
-
MIT
|
|
64
|
+
MIT
|
|
@@ -10,12 +10,15 @@ module RailsOutofbandKeys
|
|
|
10
10
|
|
|
11
11
|
config.before_configuration do |app|
|
|
12
12
|
# Load file-based configuration.
|
|
13
|
-
config_file =
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
app.config.rails_outofband_keys.
|
|
13
|
+
config_file = app.root.join("config", "rails_outofband_keys.yml")
|
|
14
|
+
if config_file.file?
|
|
15
|
+
data = YAML.safe_load_file(config_file.to_s, permitted_classes: [], aliases: false)
|
|
16
|
+
data = {} unless data.is_a?(Hash)
|
|
17
|
+
|
|
18
|
+
app.config.rails_outofband_keys.root_subdir = data["root_subdir"]
|
|
19
|
+
if data.key?("credentials_subdir")
|
|
20
|
+
app.config.rails_outofband_keys.credentials_subdir = data["credentials_subdir"]
|
|
21
|
+
end
|
|
19
22
|
end
|
|
20
23
|
|
|
21
24
|
# Identify the app name for path resolution.
|
|
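Review bot: `app.config.rails_outofband_keys.root_subdir = data["root_subdir"]` assigns unconditionally, so a config file that exists but omits `root_subdir` overwrites any default set earlier with `nil`, while `credentials_subdir` on the following lines is only assigned inside `if data.key?("credentials_subdir")`. Guard `root_subdir` the same way (or use `data.fetch("root_subdir", current_default)`) so the two keys behave consistently. The `YAML.safe_load_file(..., permitted_classes: [], aliases: false)` call and the `data.is_a?(Hash)` check are the right defaults, but neither value is checked to be a plain relative path segment before it is joined into the key path; rejecting non-String values and components containing `..` or a leading separator here would make a malformed config file fail early with a clear error instead of at resolve time.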
@@ -28,12 +31,12 @@ module RailsOutofbandKeys
|
|
|
28
31
|
)
|
|
29
32
|
|
|
30
33
|
key_path = resolver.resolve_key_path
|
|
31
|
-
|
|
32
|
-
app.config.credentials.key_path = key_path
|
|
34
|
+
next unless key_path
|
|
33
35
|
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
36
|
+
app.config.credentials.key_path = key_path
|
|
37
|
+
|
|
38
|
+
# Clear any early-cached credentials object to ensure the new path is used.
|
|
39
|
+
app.remove_instance_variable(:@credentials) if app.instance_variable_defined?(:@credentials)
|
|
37
40
|
end
|
|
38
41
|
end
|
|
39
42
|
end
|
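Review bot: `app.remove_instance_variable(:@credentials) if app.instance_variable_defined?(:@credentials)` reaches into a private memoization detail of `Rails::Application` that can change between Rails versions; the comment above it should record which Rails versions populate `@credentials` before `before_configuration` runs and why the reset is needed, and a small test covering that case would keep this from silently becoming dead code. Separately, `next unless key_path` now leaves `config.credentials.key_path` at the Rails default when the resolver finds nothing, which is the right fallback, but it happens silently; a debug-level message (emitted carefully, since `Rails.logger` is typically not yet set up in `before_configuration`) would tell an operator that no out-of-band key was found and the in-repo path is in use.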
metadata
CHANGED
|
@@ -1,13 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rails_outofband_keys
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Lori Holden
|
|
8
|
+
autorequire:
|
|
8
9
|
bindir: bin
|
|
9
10
|
cert_chain: []
|
|
10
|
-
date:
|
|
11
|
+
date: 2025-12-24 00:00:00.000000000 Z
|
|
11
12
|
dependencies:
|
|
12
13
|
- !ruby/object:Gem::Dependency
|
|
13
14
|
name: railties
|
|
@@ -38,8 +39,11 @@ dependencies:
|
|
|
38
39
|
- !ruby/object:Gem::Version
|
|
39
40
|
version: '2.2'
|
|
40
41
|
description: |
|
|
41
|
-
Configures Rails
|
|
42
|
-
|
|
42
|
+
Configures Rails to load credentials master and environment key files from an out-of-band location
|
|
43
|
+
(XDG on Linux/macOS, AppData on Windows) instead of the project directory.
|
|
44
|
+
|
|
45
|
+
This reduces the risk of key exposure from tooling that reads or executes within your repo,
|
|
46
|
+
including modern AI assistants and agentic tools.
|
|
43
47
|
email:
|
|
44
48
|
- git@loriholden.com
|
|
45
49
|
executables: []
|
|
@@ -58,6 +62,9 @@ licenses:
|
|
|
58
62
|
- MIT
|
|
59
63
|
metadata:
|
|
60
64
|
rubygems_mfa_required: 'true'
|
|
65
|
+
homepage_uri: https://github.com/lholden/rails_outofband_keys
|
|
66
|
+
source_code_uri: https://github.com/lholden/rails_outofband_keys
|
|
67
|
+
post_install_message:
|
|
61
68
|
rdoc_options: []
|
|
62
69
|
require_paths:
|
|
63
70
|
- lib
|
|
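Review bot: `homepage_uri` and `source_code_uri` are a good addition next to `rubygems_mfa_required: 'true'`; consider also adding `changelog_uri` so consumers reviewing a bump such as 0.1.1 → 0.1.3 can find the change summary without diffing the package contents.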
@@ -72,8 +79,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
72
79
|
- !ruby/object:Gem::Version
|
|
73
80
|
version: '0'
|
|
74
81
|
requirements: []
|
|
75
|
-
rubygems_version:
|
|
82
|
+
rubygems_version: 3.5.23
|
|
83
|
+
signing_key:
|
|
76
84
|
specification_version: 4
|
|
77
|
-
summary:
|
|
78
|
-
+ overrides).
|
|
85
|
+
summary: Load Rails credentials keys from outside your repo.
|
|
79
86
|
test_files: []
|
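Review bot: `signing_key:` is blank, so the gem ships unsigned and consumers can rely only on the registry checksums and the MFA requirement; if signing is not planned, that is worth saying in the README, and if it is, this is the field to populate together with `cert_chain`.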