secret_config 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 6ac6f9526e20dd9f6b39762ff6363ec3090fa51db2dfa0726351742d7abe5f3e
+  data.tar.gz: 78e69dd6f2bed35f5dde021a0ef247d392fee388ae5d3b3c3f41ca551928ec0c
+SHA512:
+  metadata.gz: 3f8fd6c22492f28bf71b1938792fe1cc392bfd073a0e541645dfd7869fe41f12f54e53575eabb9252440f34a137cce1b2bad89667dba84f80fec3183ef17de8f
+  data.tar.gz: f2ea35ffbb3acecacff2eca9ca16c73f3e6b1de15a78b3c19e8f2b59b6425fccc01c8c06779167ae3470d7fb5688bd7cbb5ec4e652f31841518bb824662417c9

data/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -0,0 +1,161 @@
+# Secret Config
+[![Gem Version](https://img.shields.io/gem/v/secret_config.svg)](https://rubygems.org/gems/secret_config) [![Build Status](https://travis-ci.org/rocketjob/secret_config.svg?branch=master)](https://travis-ci.org/rocketjob/secret_config) [![License](https://img.shields.io/badge/license-Apache%202.0-brightgreen.svg)](http://opensource.org/licenses/Apache-2.0) ![](https://img.shields.io/badge/status-Beta-yellow.svg) [![Gitter chat](https://img.shields.io/badge/IRC%20(gitter)-Support-brightgreen.svg)](https://gitter.im/rocketjob/support)
+
+Centralized Configuration and Secrets Management for Ruby and Rails applications.
+
+Securely store configuration information centrally.
+
+## Project Status
+
+Early development.
+
+## Features
+
+Supports storing configuration information in:
+* File
+    * Development and testing use.
+* AWS System Manager Parameter Store
+    * Encrypt and store secrets such as passwords centrally. 
+
+## Benefits
+
+Benefits of moving sensitive configuration information into AWS System Manager Parameter Store:
+
+  * Hierarchical structure is maintained.
+    * Environment variables force all config into a single level.
+  * Reduces the number of environment variables.
+    * In a large application the number of secrets can grow dramatically.
+  * Removes the need to encrypt sensitive data config files.
+    * Including securing and managing encryption keys.
+  * When encryption keys change, such as during a key rotation, config files don;t have to be changed.
+  * Removes security concerns with placing passwords in the clear into environment variables.
+  * AWS System Manager Parameter Store does not charge for parameters.
+    * Still recommend using a custom KMS key that charges only $1 per month.
+    * Amounts as of 4/2019. Confirm what AWS charges you for these services.
+  * AWS Secrets Manager charges for every secret being managed, which can accumulate quickly with large projects. 
+  
+## Development and Test use
+
+In the development environment create the file `config/application.yml` within which to store local development credentials.
+Depending on your team setup you may want to use the same file for all developers so can check it into you change control system. 
+
+For example: `config/application.yml`
+
+~~~yaml
+development:
+  mysql:
+    database:   secret_config_development
+    username:   secret_config
+    password:   secret_configrules
+    host:       127.0.0.1
+
+  mongo:
+    database:   secret_config_development
+    primary:    127.0.0.1:27017
+    secondary:  127.0.0.1:27018
+
+  secrets:
+    secret_key_base: somereallylongstring
+
+test:
+  mysql:
+    database:   secret_config_test
+    username:   secret_config
+    password:   secret_configrules
+    host:       127.0.0.1
+
+  mongo:
+    database:   secret_config_test
+    primary:    127.0.0.1:27017
+    secondary:  127.0.0.1:27018
+
+  secrets:
+    secret_key_base: somereallylongteststring
+~~~
+
+Note how the hierarchical nature of configuration values is maintained. Typical environment variable approaches have
+to flatten everything into a single level.
+
+Note: Do not put any production credentials into this file.
+
+### Usage
+
+Go through all the configuration files and look for sensitive data such as passwords:
+
+Example `database.yml`:
+
+~~~yaml
+defaults: &defaults
+  encoding: utf8
+  adapter:  mysql2
+
+development:
+  <<:       *defaults
+  database: secure_config_development
+  username: jack
+  password: jackrules
+  host:     localhost
+
+test:
+  <<:       *defaults
+  database: secure_config_test
+  username: tester
+  password: khjsdjhdsjhdsr32
+  host:     test.server
+
+production:
+  <<:       *defaults
+  database: secure_config_production
+  username: product
+  password: donotexpose45
+  host:     production.server
+~~~
+
+Replace the sensitive data with a `SecureConfig.fetch`:
+
+Updated `database.yml`:
+
+~~~yaml
+configuration: &configuration
+  database: <%= SecretConfig.fetch("mysql/database") %>
+  username: <%= SecretConfig.fetch("mysql/username") %>
+  password: <%= SecretConfig.fetch("mysql/password") %>
+  host:     <%= SecretConfig.fetch("mysql/host") %>
+  encoding: utf8
+  adapter:  mysql2
+
+development:
+  <<:       *configuration
+
+test:
+  <<:       *configuration
+
+production:
+  <<:       *configuration
+~~~
+
+Since the secrets are externalized the configuration between environments is simpler.
+
+## Versioning
+
+This project adheres to [Semantic Versioning](http://semver.org/).
+
+## Author
+
+[Reid Morrison](https://github.com/reidmorrison)
+
+## License
+
+Copyright 2019 Reid Morrison
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/Rakefile

@@ -0,0 +1,21 @@
+require 'rake/testtask'
+require_relative 'lib/secret_config/version'
+
+task :gem do
+  system 'gem build secret_config.gemspec'
+end
+
+task :publish => :gem do
+  system "git tag -a v#{SecretConfig::VERSION} -m 'Tagging #{SecretConfig::VERSION}'"
+  system 'git push --tags'
+  system "gem push secret_config-#{SecretConfig::VERSION}.gem"
+  system "rm secret_config-#{SecretConfig::VERSION}.gem"
+end
+
+Rake::TestTask.new(:test) do |t|
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+  t.warning = true
+end
+
+task :default => :test

data/lib/secret_config.rb

@@ -0,0 +1,48 @@
+require 'sync_attr'
+require 'secret_config/version'
+require 'secret_config/errors'
+require 'secret_config/registry'
+
+# Centralized Configuration and Secrets Management for Ruby and Rails applications.
+module SecretConfig
+  module Providers
+    autoload :File, 'secret_config/providers/file'
+    autoload :Ssm, 'secret_config/providers/ssm'
+  end
+
+  class << self
+    extend Forwardable
+
+    def_delegator :registry, :fetch
+    def_delegator :registry, :configuration
+    def_delegator :registry, :[]
+    def_delegator :registry, :[]=
+    def_delegator :registry, :key?
+    def_delegator :registry, :fetch
+    def_delegator :registry, :set
+    def_delegator :registry, :refresh!
+  end
+
+  def self.root
+    @root ||= ENV["SECRETCONFIG_ROOT"] ||
+      raise(UndefinedRootError, "Either set env var 'SECRETCONFIG_ROOT' or call SecretConfig.root=")
+  end
+
+  def self.root=(root)
+    @root     = root
+    @registry = nil if @registry
+  end
+
+  def self.provider #(provider, **args)
+    @provider ||= (ENV["SECRETCONFIG_PROVIDER"] || :file).to_sym
+  end
+
+  def self.provider=(provider)
+    @provider = provider
+    @registry = nil if @registry
+  end
+
+  def self.registry
+    @registry ||= SecretConfig::Registry.new(root: root, provider: provider)
+  end
+end

data/lib/secret_config/errors.rb

@@ -0,0 +1,13 @@
+module SecretConfig
+  class Error < StandardError
+  end
+
+  class MissingMandatoryKey < Error
+  end
+
+  class UndefinedRootError < Error
+  end
+
+  class ConfigurationError < Error
+  end
+end

data/lib/secret_config/providers/file.rb

@@ -0,0 +1,45 @@
+require 'yaml'
+require 'erb'
+
+module SecretConfig
+  module Providers
+    # Read configuration from a local file
+    class File
+      attr_reader :file_name
+
+      def initialize(file_name: ENV['SECRETCONFIG_FILE_NAME'] || "config/application.yml")
+        @file_name = file_name
+        raise(ConfigurationError, "Cannot find config file: #{file_name}") unless ::File.exist?(file_name)
+      end
+
+      def each(path, &block)
+        config = YAML.load(ERB.new(::File.new(file_name).read).result)
+
+        paths    = path.sub(/\A\/*/, '').sub(/\/*\Z/, '').split("/")
+        settings = config.dig(*paths)
+
+        raise(ConfigError, "Path #{paths.join(".")} not found in file: #{file_name}") unless settings
+
+        flatten_each(path, settings, &block)
+        nil
+      end
+
+      def set(key, value)
+        raise NotImplementedError
+      end
+
+      private
+
+      def flatten_each(path, hash, &block)
+        hash.each_pair do |key, value|
+          if value.is_a?(Hash)
+            flatten_each("#{path}/#{key}", value, &block)
+          else
+            key = "#{path}/#{key}" unless key.start_with?('/')
+            yield(key, value)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/secret_config/providers/ssm.rb

@@ -0,0 +1,41 @@
+require 'aws-sdk-ssm'
+
+module SecretConfig
+  module Providers
+    # Use the AWS System Manager Parameter Store for Centralized Configuration / Secrets Management
+    class Ssm
+      attr_reader :client, :key_id
+
+      def initialize(key_id: ENV["SECRETCONFIG_KEY_ID"])
+        @key_id = key_id
+        logger  = SemanticLogger['Aws::SSM'] if defined?(SemanticLogger)
+        @client = Aws::SSM::Client.new(logger: logger)
+      end
+
+      def each(path)
+        token = nil
+        loop do
+          resp = client.get_parameters_by_path(
+            path:            path,
+            recursive:       true,
+            with_decryption: true,
+            next_token:      token
+          )
+          resp.parameters.each { |param| yield(param.name, param.value) }
+          token = resp.next_token
+          break if token.nil?
+        end
+      end
+
+      def set(key, value, encrypt: true)
+        client.put_parameter(
+          name:      key,
+          value:     value.to_s,
+          type:      encrypt ? "SecureString" : "String",
+          key_id:    key_id,
+          overwrite: true
+        )
+      end
+    end
+  end
+end

data/lib/secret_config/registry.rb

@@ -0,0 +1,112 @@
+require 'base64'
+
+module SecretConfig
+  # Centralized configuration with values stored in AWS System Manager Parameter Store
+  #
+  # Values are fetched from the central store on startup. Only those values starting with the specified
+  # root are loaded, supply multiple paths using the env var SECRETCONFIG_PATHS.
+  #
+  # Existing event mechanisms can be used to force a reload of the cached copy.
+  class Registry
+    attr_reader :provider
+    attr_accessor :root
+
+    def initialize(root:, provider: :ssm)
+      # TODO: Validate root starts with /, etc
+      @root     = root
+      @provider = provider
+      refresh!
+    end
+
+    # Returns [Hash] a copy of the in memory configuration data.
+    def configuration
+      h = {}
+      registry.each_pair { |key, value| h[key] = value }
+      h
+    end
+
+    # Returns [String] configuration value for the supplied key, or nil when missing.
+    def [](key)
+      registry[expand_key(key)]
+    end
+
+    # Returns [String] configuration value for the supplied key, or nil when missing.
+    def key?(key)
+      registry.key?(expand_key(key))
+    end
+
+    # Returns [String] configuration value for the supplied key
+    def fetch(key, default: nil, type: :string, encoding: nil)
+      value = self[key]
+      if value.nil?
+        raise(MissingMandatoryKey, "Missing configuration value for #{root}/#{key}") unless default
+
+        value = default.respond_to?(:call) ? default.call : default
+      end
+
+      value = convert_encoding(encoding, value) if encoding
+      type == :string ? value : convert_type(type, value)
+    end
+
+    def set(key:, value:, encrypt: true)
+      SSM.new(key_id: key_id).set(expand_key(key), value, encrypt: encrypt)
+    end
+
+    def refresh!
+      h = {}
+      implementation.each(root) { |k, v| h[k] = v }
+      @registry = h
+    end
+
+    private
+
+    attr_reader :registry
+
+    def expand_key(key)
+      key.start_with?('/') ? key : "#{root}/#{key}"
+    end
+
+    def implementation
+      @implementation ||= constantize_symbol(provider).new
+    end
+
+    def convert_encoding(encoding, value)
+      case encoding
+      when :base64
+        Base64.decode64(value)
+      else
+        value
+      end
+    end
+
+    def convert_type(type, value)
+      case type
+      when :integer
+        value.to_i
+      when :float
+        value.to_f
+      when :string
+        value
+      end
+    end
+
+    def constantize_symbol(symbol, namespace = 'SecretConfig::Providers')
+      klass = "#{namespace}::#{camelize(symbol.to_s)}"
+      begin
+        Object.const_get(klass)
+      rescue NameError
+        raise(ArgumentError, "Could not convert symbol: #{symbol.inspect} to a class in: #{namespace}. Looking for: #{klass}")
+      end
+    end
+
+    # Borrow from Rails, when not running Rails
+    def camelize(term)
+      string = term.to_s
+      string = string.sub(/^[a-z\d]*/, &:capitalize)
+      string.gsub!(/(?:_|(\/))([a-z\d]*)/i) { "#{Regexp.last_match(1)}#{Regexp.last_match(2).capitalize}" }
+      string.gsub!('/'.freeze, '::'.freeze)
+      string
+    end
+
+  end
+end

data/lib/secret_config/version.rb

@@ -0,0 +1,3 @@
+module SecretConfig
+  VERSION = '0.1.0'
+end

data/test/config/application.yml

@@ -0,0 +1,47 @@
+# Local application config goes here.  Do not check in production secrets.
+# These are for development and test only.
+
+#
+# Development - Local - Root: '/development/connect'
+#
+development:
+  connect:
+    symmetric_encryption:
+      key:     QUJDREVGMTIzNDU2Nzg5MEFCQ0RFRjEyMzQ1Njc4OTA=
+      iv:      QUJDREVGMTIzNDU2Nzg5MA==
+      version: 2
+
+    mysql:
+      database:   secret_config_development
+      username:   secret_config
+      password:   secret_configrules
+      host:       127.0.0.1
+
+    mongo:
+      database:   secret_config_development
+      primary:    127.0.0.1:27017
+      secondary:  127.0.0.1:27018
+
+    secrets:
+      secret_key_base: somereallylongstring
+
+test:
+  connect:
+    symmetric_encryption:
+      key:     QUJDREVGMTIzNDU2Nzg5MEFCQ0RFRjEyMzQ1Njc4OTA=
+      iv:      QUJDREVGMTIzNDU2Nzg5MA==
+      version: 2
+
+    mysql:
+      database:   secret_config_test
+      username:   secret_config
+      password:   secret_configrules
+      host:       127.0.0.1
+
+    mongo:
+      database:   secret_config_test
+      primary:    127.0.0.1:27017
+      secondary:  127.0.0.1:27018
+
+    secrets:
+      secret_key_base: somereallylongteststring

data/test/providers/file_test.rb

@@ -0,0 +1,43 @@
+require_relative '../test_helper'
+
+module Providers
+  class FileTest < Minitest::Test
+    describe SecretConfig::Providers::File do
+      let :file_name do
+        File.join(File.dirname(__FILE__), '..', 'config', 'application.yml')
+      end
+
+      let :root do
+        "/development/connect"
+      end
+
+      let :expected do
+        {
+          "/development/connect/mongo/database"               => "secret_config_development",
+          "/development/connect/mongo/primary"                => "127.0.0.1:27017",
+          "/development/connect/mongo/secondary"              => "127.0.0.1:27018",
+          "/development/connect/mysql/database"               => "secret_config_development",
+          "/development/connect/mysql/password"               => "secret_configrules",
+          "/development/connect/mysql/username"               => "secret_config",
+          "/development/connect/mysql/host"                   => "127.0.0.1",
+          "/development/connect/secrets/secret_key_base"      => "somereallylongstring",
+          "/development/connect/symmetric_encryption/key"     => "QUJDREVGMTIzNDU2Nzg5MEFCQ0RFRjEyMzQ1Njc4OTA=",
+          "/development/connect/symmetric_encryption/version" => 2,
+          "/development/connect/symmetric_encryption/iv"      => "QUJDREVGMTIzNDU2Nzg5MA=="
+        }
+      end
+
+      describe '#each' do
+        it 'file' do
+          file_provider = SecretConfig::Providers::File.new(file_name: file_name)
+          paths         = {}
+          file_provider.each(root) { |key, value| paths[key] = value }
+
+          expected.each_pair do |key, value|
+            assert_equal value, paths[key], "Path: #{key}"
+          end
+        end
+      end
+    end
+  end
+end

data/test/providers/ssm_test.rb

@@ -0,0 +1,51 @@
+require_relative '../test_helper'
+
+module Providers
+  class SsmTest < Minitest::Test
+    describe SecretConfig::Providers::Ssm do
+      let :file_name do
+        File.join(File.dirname(__FILE__), '..', 'config', 'application.yml')
+      end
+
+      let :root do
+        "/development/connect"
+      end
+
+      let :expected do
+        {
+          "/development/connect/mongo/database"               => "secret_config_development",
+          "/development/connect/mongo/primary"                => "127.0.0.1:27017",
+          "/development/connect/mongo/secondary"              => "127.0.0.1:27018",
+          "/development/connect/mysql/database"               => "secret_config_development",
+          "/development/connect/mysql/password"               => "secret_configrules",
+          "/development/connect/mysql/username"               => "secret_config",
+          "/development/connect/mysql/host"                   => "127.0.0.1",
+          "/development/connect/secrets/secret_key_base"      => "somereallylongstring",
+          "/development/connect/symmetric_encryption/key"     => "QUJDREVGMTIzNDU2Nzg5MEFCQ0RFRjEyMzQ1Njc4OTA=",
+          "/development/connect/symmetric_encryption/version" => "2",
+          "/development/connect/symmetric_encryption/iv"      => "QUJDREVGMTIzNDU2Nzg5MA=="
+        }
+      end
+
+      describe '#each' do
+        it 'fetches all keys in path' do
+          upload_settings if ENV['SECRETCONFIG_TEST_UPLOAD_SSM']
+
+          ssm   = SecretConfig::Providers::Ssm.new
+          paths = {}
+          ssm.each(root) { |key, value| paths[key] = value }
+
+          expected.each_pair do |key, value|
+            assert_equal paths[key], value, "Path: #{key}"
+          end
+        end
+      end
+
+      def upload_settings
+        file_provider = SecretConfig::Providers::File.new(file_name: file_name)
+        ssm           = SecretConfig::Providers::Ssm.new
+        file_provider.each(root) { |key, value| ap key; ssm.set(key, value) }
+      end
+    end
+  end
+end

data/test/registry_test.rb

@@ -0,0 +1,112 @@
+require_relative 'test_helper'
+
+class RegistryTest < Minitest::Test
+  describe SecretConfig::Providers::File do
+    let :file_name do
+      File.join(File.dirname(__FILE__), 'config', 'application.yml')
+    end
+
+    let :root do
+      "/development/connect"
+    end
+
+    let :registry do
+      ENV['SECRETCONFIG_FILE_NAME'] = file_name
+
+      SecretConfig::Registry.new(root: root, provider: :file)
+    end
+
+    let :expected do
+      {
+        "/development/connect/mongo/database"               => "secret_config_development",
+        "/development/connect/mongo/primary"                => "127.0.0.1:27017",
+        "/development/connect/mongo/secondary"              => "127.0.0.1:27018",
+        "/development/connect/mysql/database"               => "secret_config_development",
+        "/development/connect/mysql/password"               => "secret_configrules",
+        "/development/connect/mysql/username"               => "secret_config",
+        "/development/connect/mysql/host"                   => "127.0.0.1",
+        "/development/connect/secrets/secret_key_base"      => "somereallylongstring",
+        "/development/connect/symmetric_encryption/key"     => "QUJDREVGMTIzNDU2Nzg5MEFCQ0RFRjEyMzQ1Njc4OTA=",
+        "/development/connect/symmetric_encryption/version" => 2,
+        "/development/connect/symmetric_encryption/iv"      => "QUJDREVGMTIzNDU2Nzg5MA=="
+      }
+    end
+
+    describe '#configuration' do
+      it 'returns a copy of the config' do
+        paths = registry.configuration
+
+        expected.each_pair do |key, value|
+          assert_equal value, paths[key], "Path: #{key}"
+        end
+      end
+    end
+
+    describe '#key?' do
+      it 'has key' do
+        expected.each_pair do |key, value|
+          key = key.sub("#{root}/", "")
+          assert registry.key?(key), "Path: #{key}"
+        end
+      end
+
+      it 'returns false with missing relative key' do
+        refute registry.key?("invalid/path")
+      end
+
+      it 'returns nil with missing full key' do
+        refute registry.key?("/development/invalid/path")
+      end
+    end
+
+    describe '#[]' do
+      it 'returns values' do
+        expected.each_pair do |key, value|
+          key = key.sub("#{root}/", "")
+          assert_equal value, registry[key], "Path: #{key}"
+        end
+      end
+
+      it 'returns nil with missing relative key' do
+        assert_nil registry["invalid/path"]
+      end
+
+      it 'returns nil with missing full key' do
+        assert_nil registry["/development/invalid/path"]
+      end
+    end
+
+    describe '#fetch' do
+      it 'returns values' do
+        expected.each_pair do |key, value|
+          key = key.sub("#{root}/", "")
+          assert_equal value, registry.fetch(key), "Path: #{key}"
+        end
+      end
+
+      it 'exception missing relative key' do
+        assert_raises SecretConfig::MissingMandatoryKey do
+          registry.fetch("invalid/path")
+        end
+      end
+
+      it 'returns nil with missing full key' do
+        assert_raises SecretConfig::MissingMandatoryKey do
+          registry.fetch("/development/invalid/path")
+        end
+      end
+
+      it 'returns default with missing key' do
+        assert_equal "default_value", registry.fetch("/development/invalid/path", default: "default_value")
+      end
+
+      it 'converts to integer' do
+        assert_equal 2, registry.fetch("symmetric_encryption/version", type: :integer)
+      end
+
+      it 'decodes Base 64' do
+        assert_equal "ABCDEF1234567890ABCDEF1234567890", registry.fetch("symmetric_encryption/key", encoding: :base64)
+      end
+    end
+  end
+end

data/test/secret_config_test.rb

@@ -0,0 +1,43 @@
+require_relative 'test_helper'
+
+class SecretConfigTest < Minitest::Test
+  describe SecretConfig::Providers::File do
+    let :file_name do
+      File.join(File.dirname(__FILE__), 'config', 'application.yml')
+    end
+
+    let :root do
+      "/development/connect"
+    end
+
+    before do
+      ENV['SECRETCONFIG_FILE_NAME'] = file_name
+      SecretConfig.root             = root
+      SecretConfig.provider         = :file
+    end
+
+    describe '#configuration' do
+      it 'returns a copy of the config' do
+        assert_equal "127.0.0.1", SecretConfig.configuration["/development/connect/mysql/host"]
+      end
+    end
+
+    describe '#key?' do
+      it 'has key' do
+        assert SecretConfig.key?("mysql/database")
+      end
+    end
+
+    describe '#[]' do
+      it 'returns values' do
+        assert_equal "secret_config_development", SecretConfig["mysql/database"]
+      end
+    end
+
+    describe '#fetch' do
+      it 'fetches values' do
+        assert_equal "secret_config_development", SecretConfig.fetch("mysql/database")
+      end
+    end
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,9 @@
+$LOAD_PATH.unshift File.dirname(__FILE__) + '/../lib'
+
+require 'yaml'
+require 'minitest/autorun'
+require 'minitest/reporters'
+require 'secret_config'
+require 'awesome_print'
+
+Minitest::Reporters.use! Minitest::Reporters::SpecReporter.new

metadata

@@ -0,0 +1,106 @@
+--- !ruby/object:Gem::Specification
+name: secret_config
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Reid Morrison
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-04-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: concurrent-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sync_attr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-ssm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- reidmo@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- Rakefile
+- lib/secret_config.rb
+- lib/secret_config/errors.rb
+- lib/secret_config/providers/file.rb
+- lib/secret_config/providers/ssm.rb
+- lib/secret_config/registry.rb
+- lib/secret_config/version.rb
+- test/config/application.yml
+- test/providers/file_test.rb
+- test/providers/ssm_test.rb
+- test/registry_test.rb
+- test/secret_config_test.rb
+- test/test_helper.rb
+homepage: https://github.com/rocketjob/secret_config
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.2
+signing_key: 
+specification_version: 4
+summary: Centralized Configuration and Secrets Management for Ruby and Rails applications.
+test_files:
+- test/config/application.yml
+- test/providers/ssm_test.rb
+- test/providers/file_test.rb
+- test/registry_test.rb
+- test/test_helper.rb
+- test/secret_config_test.rb