secret-keeper 0.2.2 → 0.2.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +17 -7
- data/lib/secret-keeper.rb +23 -5
- data/spec/secret-keeper_spec.rb +11 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7c87b79fcce67c78b028bb3b187cc066aa23f271
|
|
4
|
+
data.tar.gz: 9d81e3628a1e4ed04633804eee39824a5330e98b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ba69873cbefe49a2b42313860f81c329090c0e403348d168b927f4e3fcb36d2e48194dbf591f989c3ea8b8bd33aa9e9769c1613df163b79c3438c583d0a98f7e
|
|
7
|
+
data.tar.gz: 6dbf25fe77afd394ecd481e409d24fc4afdafb6aa910432a1bef9f0a5b179521f9270a8de58f06d959b1911e2eff1862822edbdda9706d1ff5fb0f4d352dc36a
|
data/README.md
CHANGED
|
@@ -13,7 +13,7 @@ with bundler, write follwing line in your Gemfile
|
|
|
13
13
|
gem 'secret-keeper', require: false
|
|
14
14
|
|
|
15
15
|
## Usage
|
|
16
|
-
|
|
16
|
+
setup files need to be encrypted in config/secret-keeper.yml
|
|
17
17
|
|
|
18
18
|
# config/secret-keeper.yml example
|
|
19
19
|
development:
|
|
@@ -31,29 +31,39 @@ with bundler, write follwing line in your Gemfile
|
|
|
31
31
|
# decrypt_from: example/secrets.yml.enc
|
|
32
32
|
decrypt_to: example/secrets.yml
|
|
33
33
|
|
|
34
|
-
|
|
34
|
+
using environment variable SECRET_KEEPER to be your key of cipher
|
|
35
35
|
|
|
36
36
|
$> SECRET_KEEPER=[YOUR-CIPHER-KEY-HERE] irb
|
|
37
37
|
|
|
38
|
-
|
|
38
|
+
require on demand
|
|
39
39
|
|
|
40
40
|
irb> require 'secret-keeper'
|
|
41
41
|
|
|
42
|
-
|
|
42
|
+
encrypt files based on your tasks defined in config/secret-keeper.yml
|
|
43
43
|
|
|
44
44
|
irb> SecretKeeper.encrypt_files
|
|
45
45
|
# Encrypting...
|
|
46
46
|
# * example/database.yml --> example/database.yml.enc, ok
|
|
47
47
|
# * example/secrets.yml --> example/secrets.yml.enc, ok
|
|
48
|
-
#
|
|
48
|
+
# Done!
|
|
49
49
|
|
|
50
|
-
|
|
50
|
+
decrypt files based on your tasks defined in config/secret-keeper.yml
|
|
51
51
|
|
|
52
52
|
irb> SecretKeeper.decrypt_files
|
|
53
53
|
# Decrypting...
|
|
54
54
|
# * example/database.yml.enc --> example/database.yml, ok
|
|
55
55
|
# * example/secrets.yml.enc --> example/secrets.yml, ok
|
|
56
|
-
#
|
|
56
|
+
# Done!
|
|
57
|
+
|
|
58
|
+
decrypt files based on your tasks defined in config/secret-keeper.yml
|
|
59
|
+
|
|
60
|
+
irb> SecretKeeper.decrypt_files
|
|
61
|
+
# Decrypting...
|
|
62
|
+
# remove production configs after decrypted
|
|
63
|
+
# * example/database.yml.enc --> example/database.yml, ok
|
|
64
|
+
# * example/secrets.yml.enc --> example/secrets.yml, ok
|
|
65
|
+
# Done!
|
|
66
|
+
result = SecretKeeper.decrypt_files(ENV['RAILS_ENV'] != 'production')
|
|
57
67
|
|
|
58
68
|
## Available Ciphers
|
|
59
69
|
|
data/lib/secret-keeper.rb
CHANGED
|
@@ -19,15 +19,21 @@ class SecretKeeper
|
|
|
19
19
|
success
|
|
20
20
|
end
|
|
21
21
|
|
|
22
|
-
def self.decrypt_files
|
|
22
|
+
def self.decrypt_files(remove_production=false)
|
|
23
23
|
sk = SecretKeeper.new
|
|
24
24
|
puts 'Decrypting...'
|
|
25
|
+
puts 'remove production configs after decrypted' if remove_production
|
|
25
26
|
ok_queue = []
|
|
26
27
|
sk.tasks.each do |task|
|
|
27
28
|
from = task['decrypt_from'] || task['encrypt_to']
|
|
28
29
|
to = task['decrypt_to'] || task['encrypt_from']
|
|
29
30
|
|
|
30
31
|
result = sk.decrypt_file(from, to)
|
|
32
|
+
|
|
33
|
+
if result == :ok && remove_production
|
|
34
|
+
result = sk.remove_production_config(to)
|
|
35
|
+
end
|
|
36
|
+
|
|
31
37
|
ok_queue << result if result == :ok
|
|
32
38
|
puts " * #{from} --> #{to}, #{result}"
|
|
33
39
|
end
|
|
@@ -42,9 +48,10 @@ class SecretKeeper
|
|
|
42
48
|
fail 'config/secret-keeper.yml not existed nor not readable' if string.nil?
|
|
43
49
|
config = YAML.load(string)[env]
|
|
44
50
|
fail 'config/secret-keeper.yml incorrect or environment not exist' if config.nil?
|
|
45
|
-
|
|
46
|
-
fail "environment variable #{
|
|
51
|
+
ev_name = config['ev_name'] || 'SECRET_KEEPER'
|
|
52
|
+
fail "environment variable #{ev_name} not exist" if ENV[ev_name].nil?
|
|
47
53
|
|
|
54
|
+
@cipher_digest = ENV[ev_name]
|
|
48
55
|
@tasks = config['tasks']
|
|
49
56
|
@using_cipher = OpenSSL::Cipher.new(config['cipher'])
|
|
50
57
|
end
|
|
@@ -69,17 +76,28 @@ class SecretKeeper
|
|
|
69
76
|
e
|
|
70
77
|
end
|
|
71
78
|
|
|
79
|
+
def remove_production_config(file_path)
|
|
80
|
+
hash = YAML.load_file(file_path)
|
|
81
|
+
hash.delete('production')
|
|
82
|
+
File.write(file_path, YAML.dump(hash))
|
|
83
|
+
:ok
|
|
84
|
+
rescue => e
|
|
85
|
+
e
|
|
86
|
+
end
|
|
87
|
+
|
|
72
88
|
private
|
|
73
89
|
|
|
74
90
|
def encrypt(data)
|
|
75
91
|
cipher = @using_cipher.encrypt
|
|
76
|
-
|
|
92
|
+
key_size_range = 0..(cipher.key_len-1)
|
|
93
|
+
cipher.key = Digest::SHA2.hexdigest(@cipher_digest)[key_size_range]
|
|
77
94
|
cipher.update(data) + cipher.final
|
|
78
95
|
end
|
|
79
96
|
|
|
80
97
|
def decrypt(data)
|
|
81
98
|
cipher = @using_cipher.decrypt
|
|
82
|
-
|
|
99
|
+
key_size_range = 0..(cipher.key_len-1)
|
|
100
|
+
cipher.key = Digest::SHA2.hexdigest(@cipher_digest)[key_size_range]
|
|
83
101
|
cipher.update(data) + cipher.final
|
|
84
102
|
end
|
|
85
103
|
end
|
data/spec/secret-keeper_spec.rb
CHANGED
|
@@ -14,6 +14,17 @@ describe SecretKeeper do
|
|
|
14
14
|
it 'should return true' do
|
|
15
15
|
result = SecretKeeper.decrypt_files
|
|
16
16
|
expect(result).to eq(true)
|
|
17
|
+
hash = YAML.load_file('example/secrets.yml')
|
|
18
|
+
expect(hash['development']['secret_key_base']).to eq('e8310af93d52f174f475940c41fbfb90417b300ebc19e1b24bd5639f4fe35c5ffaa5775a347ace9732958f656a47f6bb8e1fd0760b12e51b0b4fe1f65ef0a1d6')
|
|
19
|
+
expect(hash['production']['secret_key_base']).to eq('339f639f4fe35c5ffaa47ace973260b12e51b0b4fe1f65effd283a5f054f47594b24bd565779e351a20dfd4ada4f777958f0417b305c06cdedbde392b8e1fd07')
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
it 'should return true on remove_production true' do
|
|
23
|
+
result = SecretKeeper.decrypt_files(ENV['RAILS_ENV'] != 'production')
|
|
24
|
+
expect(result).to eq(true)
|
|
25
|
+
hash = YAML.load_file('example/secrets.yml')
|
|
26
|
+
expect(hash['development']['secret_key_base']).to eq('e8310af93d52f174f475940c41fbfb90417b300ebc19e1b24bd5639f4fe35c5ffaa5775a347ace9732958f656a47f6bb8e1fd0760b12e51b0b4fe1f65ef0a1d6')
|
|
27
|
+
expect(hash['production']).to be_nil
|
|
17
28
|
end
|
|
18
29
|
|
|
19
30
|
it 'should be false, if SECRET_KEEPER incorrect' do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: secret-keeper
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ray Lee
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-07-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rspec
|