secret_config 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ce78920783d826865d118ba93de56be3e428d766efd502070999f7a5b1ebb069
-  data.tar.gz: 69bf56d09a5e20e3966531a9e75591c44376c6e5d0413d429a79dbfad11d4823
+  metadata.gz: 67325636265a59114b4ff33575572d931c337a0796def120ca68ef7ebfbd340e
+  data.tar.gz: 0b3280f1aab15a4301af120dcf1001757d998fc76b0141eebe66c778e8e6b665
 SHA512:
-  metadata.gz: dee07a19a4728594c49f9c207d2006dde24ce2d87e25654c274efa11de4a9e0c274b9c66c6e31b4d8043c756fa007df8a2e5db84a189bf36b5ebeef2c596138c
-  data.tar.gz: 3a1eb219305927565c9920943bbde78b34bb4a1ad2cc7c703cb53bef9a1c7a35a3b9d82736d7969af4c08562de85dc05bc4224f76d6c2f38474ea0d479297ec2
+  metadata.gz: f06a83adb1211924f4fca6e73976e8f23bf9bf2784da3bd98a6428327acccfa831b2dd9d1ab735f636e239f8db730210a0fd0d5c8370344145b86a22b47fe66e
+  data.tar.gz: 674f8ea7d0f0b7340d462f8d90992edd6c93fe14e2979ad6b347992a472ef2fae75e9ea184291281368e45c407e61c661b1b309b4877f168339eb22909836143

data/README.md

@@ -136,6 +136,89 @@ production:
 
 Since the secrets are externalized the configuration between environments is simpler.
 
+## Configuration
+
+Add the following line to Gemfile
+
+    gem "secret_config"
+
+Out of the box Secret Config will look in the local file system for the file `config/application.yml`
+as covered above. By default it will use env var `RAILS_ENV` to define the root path to look under for settings.
+
+The default settings are great for getting started in development and test, but should not be used in production. 
+
+Add the setting to `config/environments/production.rb` to make it fetch its settings from 
+AWS System Manager Parameter Store:
+
+~~~ruby
+Rails.application.configure do
+  # Read configuration from AWS Parameter Store
+  config.secret_config.use :ssm, root: '/production/my_application'
+end
+~~~
+
+`root` is the path from which the configuration data will be read. This path uniquely identifies the
+configuration for this instance of the application.
+
+If we need 2 completely separate instances of the application running in a single AWS account then we could use
+multiple paths. For example:
+
+    /production1/my_application
+    /production2/my_application
+    
+    /production/instance1/my_application
+    /production/instance2/my_application
+    
+The root path is completely flexible, but must be unique for every AWS account under which the application will run.
+The same root path can be used in different AWS accounts though. It is also not replicated across regions.
+
+When writing settings to the parameter store, it is recommended to use a custom KMS key to encrypt the values.
+To supply the key to encrypt the values with, add the `key_id` parameter: 
+
+~~~ruby
+Rails.application.configure do
+  # Read configuration from AWS Parameter Store
+  config.secret_config.use :ssm,
+                           key_id: 'alias/production/myapplication',
+                           root: '/production/my_application'
+end
+~~~
+
+Note: The relevant KMS key must be created first prior to using it here.
+
+The `key_id` is only used when writing settings to the AWS Parameter store and can be left off when that instance
+will only read from the parameter store.
+
+### Authorization
+
+The following policy needs to be added to the AMI Group under which the application will be running:
+
+~~~json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "ssm:PutParameter",
+                "ssm:GetParametersByPath",
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+~~~
+
+The above policy restricts read and write access to just the Parameter Store capabilities of AWS System Manager.
+
+These additional Actions are not used by Secret Config, but may be useful for anyone using the AWS Console directly
+to view and modify parameters:
+- `ssm:DescribeParameters`
+- `ssm:GetParameterHistory`
+- `ssm:GetParameters`
+- `ssm:GetParameter`
+
 ## Versioning
 
 This project adheres to [Semantic Versioning](http://semver.org/).

data/lib/secret_config.rb

@@ -1,7 +1,8 @@
-require 'sync_attr'
+require 'forwardable'
 require 'secret_config/version'
 require 'secret_config/errors'
 require 'secret_config/registry'
+require 'secret_config/railtie' if defined?(Rails)
 
 # Centralized Configuration and Secrets Management for Ruby and Rails applications.
 module SecretConfig
@@ -23,45 +24,65 @@ module SecretConfig
     def_delegator :registry, :refresh!
   end
 
-  def self.root
-    @root ||= ENV["SECRET_CONFIG_ROOT"] ||
-      raise(UndefinedRootError, "Either set env var 'SECRET_CONFIG_ROOT' or call SecretConfig.root=")
-  end
-
-  def self.root=(root)
-    @root     = root
+  # Which provider to use along with any arguments
+  # The root will be overriden by env var `SECRET_CONFIG_ROOT` if present.
+  def self.use(provider, root: nil, **args)
+    @provider = create_provider(provider, args)
+    @root     = ENV["SECRET_CONFIG_ROOT"] || root
     @registry = nil if @registry
   end
 
-  # When provider is not supplied, returns the current provider instance
-  # When provider is supplied, sets the new provider and stores any arguments
-  def self.provider(provider = nil, **args)
-    if provider.nil?
-      return @provider ||= create_provider((ENV["SECRET_CONFIG_PROVIDER"] || :file).to_sym)
+  def self.root
+    @root ||= begin
+      root = ENV["SECRET_CONFIG_ROOT"] || ENV["RAILS_ENV"]
+      raise(UndefinedRootError, "Either set env var 'SECRET_CONFIG_ROOT' or call SecretConfig.use") unless root
+      root = "/#{root}" unless root.start_with?('/')
+      root
     end
-
-    @provider      = create_provider(provider, args)
-    @registry      = nil if @registry
   end
 
-  def self.provider=(provider)
-    @provider = provider
-    @registry = nil if @registry
+  # Returns the current provider.
+  # If `SecretConfig.use` was not called previously it automatically use the file based provider.
+  def self.provider
+    @provider ||= begin
+      create_provider(:file)
+    end
   end
 
   def self.registry
     @registry ||= SecretConfig::Registry.new(root: root, provider: provider)
   end
 
+  # Filters to apply when returning the configuration
+  def self.filters
+    @filters
+  end
+
+  def self.filters=(filters)
+    @filters = filters
+  end
+
+  # Check the environment variables for a matching key and override the value returned from
+  # the central registry.
+  def self.check_env_var?
+    @check_env_var
+  end
+
+  def self.check_env_var=(check_env_var)
+    @check_env_var = check_env_var
+  end
+
   private
 
+  @check_env_var = true
+  @filters       = [/password/, 'key', /secret_key/]
+
+  # Create a new provider instance unless it is alread a provider instance.
   def self.create_provider(provider, args = nil)
+    return provider if provider.respond_to?(:each) && provider.respond_to?(:set)
+
     klass = constantize_symbol(provider)
-    if args && args.size > 0
-      klass.new(**args)
-    else
-      klass.new
-    end
+    args && args.size > 0 ? klass.new(**args) : klass.new
   end
 
   def implementation

data/lib/secret_config/railtie.rb

@@ -0,0 +1,13 @@
+module SecretConfig
+  class Railtie < Rails::Railtie
+    # Exposes Secret Config's configuration to the Rails application configuration.
+    #
+    # @example Set up configuration in the Rails app.
+    #   module MyApplication
+    #     class Application < Rails::Application
+    #       config.secret_config.use :file, root: '/development'
+    #     end
+    #   end
+    config.secret_config = SecretConfig
+  end
+end

data/lib/secret_config/registry.rb

@@ -1,4 +1,5 @@
 require 'base64'
+require 'concurrent-ruby'
 
 module SecretConfig
   # Centralized configuration with values stored in AWS System Manager Parameter Store
@@ -10,13 +11,18 @@ module SecretConfig
       # TODO: Validate root starts with /, etc
       @root     = root
       @provider = provider
+      @registry = Concurrent::Map.new
       refresh!
     end
 
     # Returns [Hash] a copy of the in memory configuration data.
-    def configuration
+    def configuration(relative: true, filters: SecretConfig.filters)
       h = {}
-      registry.each_pair { |k, v| decompose(k, v, h) }
+      registry.each_pair do |key, value|
+        key   = relative_key(key) if relative
+        value = filter_value(key, value, filters)
+        decompose(key, value, h)
+      end
       h
     end
 
@@ -43,24 +49,62 @@ module SecretConfig
       type == :string ? value : convert_type(type, value)
     end
 
+    # Set the value for a key in the centralized configuration store.
     def set(key:, value:, encrypt: true)
-      SSM.new(key_id: key_id).set(expand_key(key), value, encrypt: encrypt)
+      key = expand_key(key)
+      provider.set(key, value, encrypt: true)
+      registry[key] = value
     end
 
+    # Refresh the in-memory cached copy of the centralized configuration information.
+    # Environment variable values will take precendence over the central store values.
     def refresh!
-      h = {}
-      provider.each(root) { |k, v| h[k] = v }
-      @registry = h
+      existing_keys = registry.keys
+      updated_keys  = []
+      provider.each(root) do |key, value|
+        registry[key] = env_var_override(key, value)
+        updated_keys << key
+      end
+
+      # Remove keys deleted from the registry.
+      (existing_keys - updated_keys).each { |key| registry.delete(key) }
+
+      true
     end
 
     private
 
     attr_reader :registry
 
+    # Returns the value from an env var if it is present,
+    # Otherwise the value is returned unchanged.
+    def env_var_override(key, value)
+      env_var_name = relative_key(key).upcase.gsub('/', '_')
+      ENV[env_var_name] || value
+    end
+
+    # Add the root to the path if it is a relative path.
     def expand_key(key)
       key.start_with?('/') ? key : "#{root}/#{key}"
     end
 
+    # Convert the key to a relative path by removing the
+    # root path.
+    def relative_key(key)
+      key.start_with?('/') ? key.sub("#{root}/", '') : key
+    end
+
+    def filter_value(key, value, filters)
+      return value unless filters
+
+      _, name = File.split(key)
+      filter = filters.any? do |filter|
+        filter.is_a?(Regexp) ? name =~ filter : name == filter
+      end
+
+      filter ? '[FILTERED]' : value
+    end
+
     def decompose(key, value, h = {})
       path, name = File.split(key)
       last       = path.split('/').reduce(h) do |target, path|

data/lib/secret_config/version.rb

@@ -1,3 +1,3 @@
 module SecretConfig
-  VERSION = '0.2.0'
+  VERSION = '0.3.0'
 end

data/test/registry_test.rb

@@ -36,7 +36,15 @@ class RegistryTest < Minitest::Test
 
     describe '#configuration' do
       it 'returns a copy of the config' do
-        assert_equal "127.0.0.1", registry.configuration.dig("development", "my_application", "mysql", "host")
+        assert_equal "127.0.0.1", registry.configuration.dig("mysql", "host")
+      end
+
+      it 'filters passwords' do
+        assert_equal "[FILTERED]", registry.configuration.dig("mysql", "password")
+      end
+
+      it 'filters key' do
+        assert_equal "[FILTERED]", registry.configuration.dig("symmetric_encryption", "key")
       end
     end
 

data/test/secret_config_test.rb

@@ -11,13 +11,12 @@ class SecretConfigTest < Minitest::Test
     end
 
     before do
-      SecretConfig.root = root
-      SecretConfig.provider :file, file_name: file_name
+      SecretConfig.use :file, root: root, file_name: file_name
     end
 
     describe '#configuration' do
       it 'returns a copy of the config' do
-        assert_equal "127.0.0.1", SecretConfig.configuration.dig("development", "my_application", "mysql", "host")
+        assert_equal "127.0.0.1", SecretConfig.configuration.dig("mysql", "host")
       end
     end
 
@@ -37,6 +36,12 @@ class SecretConfigTest < Minitest::Test
       it 'fetches values' do
         assert_equal "secret_config_development", SecretConfig.fetch("mysql/database")
       end
+
+      it 'can be overridden by an environment variable' do
+        ENV['MYSQL_DATABASE'] = 'other'
+        assert_equal "other", SecretConfig.fetch("mysql/database")
+        ENV['MYSQL_DATABASE'] = nil
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secret_config
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Reid Morrison
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-15 00:00:00.000000000 Z
+date: 2019-04-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -24,20 +24,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: sync_attr
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: aws-sdk-ssm
   requirement: !ruby/object:Gem::Requirement
@@ -66,6 +52,7 @@ files:
 - lib/secret_config/errors.rb
 - lib/secret_config/providers/file.rb
 - lib/secret_config/providers/ssm.rb
+- lib/secret_config/railtie.rb
 - lib/secret_config/registry.rb
 - lib/secret_config/version.rb
 - test/config/application.yml