secret_garden 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: 3ce8d3fe0db1ee091033726364760e4b63fc0c45
4
+ data.tar.gz: 0c0d3395947f0ed502084b2941bf152ca5ac0664
5
+ SHA512:
6
+ metadata.gz: 057a3570da5517e556252a3d973a44044d008f09f86ce481e3476bbee6373d51f813d605527b2455b21148bfa265f995a80de8ebc73202b9db6f75b0591e19dd
7
+ data.tar.gz: fb9a1a045ab7c5e33837e49c98c21baeecba137f141b6b9c3f95335547de141e2e46aebaae420595e5ceaf88e93bc3f46e33dd4b1a6b9c87b4644f1c643ff4fd
data/.gitignore ADDED
@@ -0,0 +1,9 @@
1
+ /.bundle/
2
+ /.yardoc
3
+ /Gemfile.lock
4
+ /_yardoc/
5
+ /coverage/
6
+ /doc/
7
+ /pkg/
8
+ /spec/reports/
9
+ /tmp/
data/.rspec ADDED
@@ -0,0 +1,2 @@
1
+ --format documentation
2
+ --color
data/.travis.yml ADDED
@@ -0,0 +1,4 @@
1
+ language: ruby
2
+ rvm:
3
+ - 2.3.0
4
+ before_install: gem install bundler -v 1.11.2
data/Gemfile ADDED
@@ -0,0 +1,4 @@
1
+ source 'https://rubygems.org'
2
+
3
+ # Specify your gem's dependencies in secret_garden.gemspec
4
+ gemspec
data/README.md ADDED
@@ -0,0 +1,63 @@
1
+ # SecretGarden
2
+
3
+ You have a [12 factor app](http://12factor.net/). You want to [configure it
4
+ using environment variables](http://12factor.net/config). But you don't want the
5
+ world to know your secrets. Or, better yet, you want your secrets to have
6
+ limited-time access.
7
+
8
+ What you really want is a way to be able to configure your app via the
9
+ envornment, but fall back to a secret storage service like
10
+ [vault](https://www.vaultproject.io/)!
11
+
12
+ This gem does just that.
13
+
14
+ ## Installation
15
+
16
+ Add this line to your application's Gemfile:
17
+
18
+ ```ruby
19
+ gem 'secret_garden'
20
+ ```
21
+
22
+ And then execute:
23
+
24
+ $ bundle
25
+
26
+ Or install it yourself as:
27
+
28
+ $ gem install secret_garden
29
+
30
+ ## Usage
31
+
32
+ First, define a `Secretfile` for your project that maps environment variable
33
+ names to secret key paths in your vault:
34
+
35
+ ```
36
+ # Secretfile
37
+ AWS_ACCESS_KEY_ID secrets/services/aws:id
38
+ AWS_ACCESS_KEY_SECRET secrets/services/aws:secret
39
+ ```
40
+
41
+ In your app, instead of always consulting `ENV['AWS_ACCESS_KEY_ID]`, you can use
42
+ SecretGarden:
43
+
44
+ ``` ruby
45
+ # In future we will move each backend out to a gem, so that you don't need to
46
+ # download a million gems like you do with Fog.
47
+ require 'secret_garden/vault'
48
+
49
+ SecretGarden.add_backend :vault
50
+
51
+ s3 = AWS::S3.new access_key_id: SecretGarden.fetch('AWS_ACCESS_KEY_ID')
52
+ ```
53
+
54
+ ## Development
55
+
56
+ After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
57
+
58
+ To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
59
+
60
+ ## Contributing
61
+
62
+ Bug reports and pull requests are welcome on GitHub at https://github.com/dkastner/secret_garden.
63
+
data/Rakefile ADDED
@@ -0,0 +1,6 @@
1
+ require "bundler/gem_tasks"
2
+ require "rspec/core/rake_task"
3
+
4
+ RSpec::Core::RakeTask.new(:spec)
5
+
6
+ task :default => :spec
data/bin/console ADDED
@@ -0,0 +1,14 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require "bundler/setup"
4
+ require "secret_garden"
5
+
6
+ # You can add fixtures and/or initialization code here to make experimenting
7
+ # with your gem easier. You can also use a different console, if you like.
8
+
9
+ # (If you use this, don't forget to add pry to your Gemfile!)
10
+ # require "pry"
11
+ # Pry.start
12
+
13
+ require "irb"
14
+ IRB.start
data/bin/setup ADDED
@@ -0,0 +1,8 @@
1
+ #!/usr/bin/env bash
2
+ set -euo pipefail
3
+ IFS=$'\n\t'
4
+ set -vx
5
+
6
+ bundle install
7
+
8
+ # Do any other automated setup that you need to do here
@@ -0,0 +1,44 @@
1
+ require "secret_garden/version"
2
+
3
+ require 'secret_garden/env'
4
+ require 'secret_garden/map'
5
+
6
+ module SecretGarden
7
+
8
+ class SecretNotDefined < StandardError; end
9
+
10
+ def self.add_backend(val)
11
+ klass = SecretGarden.const_get(val.to_s.capitalize)
12
+ @backends = backends + [klass.new(map)]
13
+ nil
14
+ end
15
+
16
+ def self.backends
17
+ @backends ||= [Env.new(map)]
18
+ end
19
+
20
+ def self.fetch(name)
21
+ backends.inject(nil) do |value, backend|
22
+ value ||= backend.fetch_and_cache(name)
23
+ end
24
+ end
25
+
26
+ def self.map
27
+ @map ||= SecretGarden::Map.new root: secret_file_path, env: env
28
+ end
29
+
30
+ def self.secret_file_path=(val)
31
+ @secret_file_path = val
32
+ end
33
+ def self.secret_file_path
34
+ @secret_file_path ||= Dir.pwd
35
+ end
36
+
37
+ def self.env=(val)
38
+ @env = val
39
+ end
40
+ def self.env
41
+ @env ||= 'development' # sane default?
42
+ end
43
+
44
+ end
@@ -0,0 +1,25 @@
1
+ require 'secret_garden'
2
+
3
+ module SecretGarden
4
+
5
+ class Backend
6
+
7
+ attr_accessor :map, :cache
8
+
9
+ def initialize(map)
10
+ self.map = map
11
+ self.cache = {}
12
+ end
13
+
14
+ def fetch_and_cache(name)
15
+ unless map.defined?(name)
16
+ raise SecretGarden::SecretNotDefined,
17
+ "There is no secret #{name.inspect} defined in #{map.secretfile_path}"
18
+ end
19
+ secret = map[name]
20
+ self.cache[name] ||= fetch(secret)
21
+ end
22
+
23
+ end
24
+
25
+ end
@@ -0,0 +1,13 @@
1
+ require 'secret_garden/backend'
2
+
3
+ module SecretGarden
4
+
5
+ class Env < Backend
6
+
7
+ def fetch(secret)
8
+ ENV[secret.name]
9
+ end
10
+
11
+ end
12
+
13
+ end
@@ -0,0 +1,45 @@
1
+ require 'secret_garden/secret'
2
+
3
+ module SecretGarden
4
+
5
+ class Map
6
+
7
+ attr_accessor :root
8
+
9
+ def initialize(root: Dir.pwd, env: nil)
10
+ self.root = root
11
+ end
12
+
13
+ def defined?(name)
14
+ entries.key?(name)
15
+ end
16
+
17
+ def [](name)
18
+ entries[name]
19
+ end
20
+
21
+ def secretfile_path
22
+ @secretfile_path ||= File.join(root, 'Secretfile')
23
+ end
24
+
25
+ def entries
26
+ @entries ||= File.readlines(secretfile_path).
27
+ map(&:strip).
28
+ reject { |l| l =~ /^#/ }.
29
+ map do |l|
30
+ name, path, property = parse_secret l
31
+ Secret.new name, path, property
32
+ end.
33
+ inject({}) do |hsh, secret|
34
+ hsh.merge secret.name => secret
35
+ end
36
+ end
37
+
38
+ def parse_secret(line)
39
+ name, path, property = line.scan(/([^\s]+)\s+([^:]+)(:.*)?/).first
40
+ path.gsub! /@ENV@/, SecretGarden.env
41
+ [name, path, property.to_s[1..-1]]
42
+ end
43
+ end
44
+
45
+ end
@@ -0,0 +1,15 @@
1
+ module SecretGarden
2
+
3
+ class Secret
4
+
5
+ attr_accessor :name, :path, :property
6
+
7
+ def initialize(name, path, property)
8
+ self.name = name
9
+ self.path = path
10
+ self.property = property
11
+ end
12
+
13
+ end
14
+
15
+ end
@@ -0,0 +1,32 @@
1
+ require 'vault'
2
+
3
+ require 'secret_garden/backend'
4
+
5
+ module SecretGarden
6
+
7
+ class Vault < Backend
8
+
9
+ class SecretNotDefined < StandardError; end
10
+ class PropertyNotDefined < StandardError; end
11
+
12
+ def fetch(secret)
13
+ unless vault_secret = fetch_from_vault(secret.path)
14
+ raise SecretNotDefined,
15
+ "Vault does not have secret at #{secret.path.inspect}"
16
+ end
17
+
18
+ unless value = vault_secret.data[secret.property.to_sym]
19
+ raise PropertyNotDefined,
20
+ "Vault does not have secret at #{secret.path}:#{secret.property}"
21
+ end
22
+
23
+ value
24
+ end
25
+
26
+ def fetch_from_vault(path)
27
+ ::Vault.logical.read path
28
+ end
29
+
30
+ end
31
+
32
+ end
@@ -0,0 +1,3 @@
1
+ module SecretGarden
2
+ VERSION = "0.0.1"
3
+ end
@@ -0,0 +1,27 @@
1
+ # coding: utf-8
2
+ lib = File.expand_path('../lib', __FILE__)
3
+ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
+ require 'secret_garden/version'
5
+
6
+ Gem::Specification.new do |spec|
7
+ spec.name = "secret_garden"
8
+ spec.version = SecretGarden::VERSION
9
+ spec.authors = ["Derek Kastner"]
10
+ spec.email = ["dkastner@gmail.com"]
11
+
12
+ spec.summary = %q{Access your 12-factor app secrets securely}
13
+ spec.description = %q{Provide secrets either via ENV or fall back to secure backends like vault}
14
+ spec.homepage = "http://github.com/dkastner/secret_garden"
15
+
16
+ spec.license = "MIT"
17
+
18
+ spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
19
+ spec.bindir = "exe"
20
+ spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
21
+ spec.require_paths = ["lib"]
22
+
23
+ spec.add_development_dependency "bundler", "~> 1.11"
24
+ spec.add_development_dependency "rake", "~> 10.0"
25
+ spec.add_development_dependency "rspec", "~> 3.0"
26
+ spec.add_development_dependency "vault"
27
+ end
metadata ADDED
@@ -0,0 +1,116 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: secret_garden
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.0.1
5
+ platform: ruby
6
+ authors:
7
+ - Derek Kastner
8
+ autorequire:
9
+ bindir: exe
10
+ cert_chain: []
11
+ date: 2016-03-09 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: bundler
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - "~>"
18
+ - !ruby/object:Gem::Version
19
+ version: '1.11'
20
+ type: :development
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - "~>"
25
+ - !ruby/object:Gem::Version
26
+ version: '1.11'
27
+ - !ruby/object:Gem::Dependency
28
+ name: rake
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - "~>"
32
+ - !ruby/object:Gem::Version
33
+ version: '10.0'
34
+ type: :development
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - "~>"
39
+ - !ruby/object:Gem::Version
40
+ version: '10.0'
41
+ - !ruby/object:Gem::Dependency
42
+ name: rspec
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - "~>"
46
+ - !ruby/object:Gem::Version
47
+ version: '3.0'
48
+ type: :development
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - "~>"
53
+ - !ruby/object:Gem::Version
54
+ version: '3.0'
55
+ - !ruby/object:Gem::Dependency
56
+ name: vault
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - ">="
60
+ - !ruby/object:Gem::Version
61
+ version: '0'
62
+ type: :development
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - ">="
67
+ - !ruby/object:Gem::Version
68
+ version: '0'
69
+ description: Provide secrets either via ENV or fall back to secure backends like vault
70
+ email:
71
+ - dkastner@gmail.com
72
+ executables: []
73
+ extensions: []
74
+ extra_rdoc_files: []
75
+ files:
76
+ - ".gitignore"
77
+ - ".rspec"
78
+ - ".travis.yml"
79
+ - Gemfile
80
+ - README.md
81
+ - Rakefile
82
+ - bin/console
83
+ - bin/setup
84
+ - lib/secret_garden.rb
85
+ - lib/secret_garden/backend.rb
86
+ - lib/secret_garden/env.rb
87
+ - lib/secret_garden/map.rb
88
+ - lib/secret_garden/secret.rb
89
+ - lib/secret_garden/vault.rb
90
+ - lib/secret_garden/version.rb
91
+ - secret_garden.gemspec
92
+ homepage: http://github.com/dkastner/secret_garden
93
+ licenses:
94
+ - MIT
95
+ metadata: {}
96
+ post_install_message:
97
+ rdoc_options: []
98
+ require_paths:
99
+ - lib
100
+ required_ruby_version: !ruby/object:Gem::Requirement
101
+ requirements:
102
+ - - ">="
103
+ - !ruby/object:Gem::Version
104
+ version: '0'
105
+ required_rubygems_version: !ruby/object:Gem::Requirement
106
+ requirements:
107
+ - - ">="
108
+ - !ruby/object:Gem::Version
109
+ version: '0'
110
+ requirements: []
111
+ rubyforge_project:
112
+ rubygems_version: 2.5.1
113
+ signing_key:
114
+ specification_version: 4
115
+ summary: Access your 12-factor app secrets securely
116
+ test_files: []