secret_garden 0.0.1
- checksums.yaml +7 -0
- data/.gitignore +9 -0
- data/.rspec +2 -0
- data/.travis.yml +4 -0
- data/Gemfile +4 -0
- data/README.md +63 -0
- data/Rakefile +6 -0
- data/bin/console +14 -0
- data/bin/setup +8 -0
- data/lib/secret_garden.rb +44 -0
- data/lib/secret_garden/backend.rb +25 -0
- data/lib/secret_garden/env.rb +13 -0
- data/lib/secret_garden/map.rb +45 -0
- data/lib/secret_garden/secret.rb +15 -0
- data/lib/secret_garden/vault.rb +32 -0
- data/lib/secret_garden/version.rb +3 -0
- data/secret_garden.gemspec +27 -0
- metadata +116 -0
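--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: 3ce8d3fe0db1ee091033726364760e4b63fc0c45
+data.tar.gz: 0c0d3395947f0ed502084b2941bf152ca5ac0664
+SHA512:
+metadata.gz: 057a3570da5517e556252a3d973a44044d008f09f86ce481e3476bbee6373d51f813d605527b2455b21148bfa265f995a80de8ebc73202b9db6f75b0591e19dd
+data.tar.gz: fb9a1a045ab7c5e33837e49c98c21baeecba137f141b6b9c3f95335547de141e2e46aebaae420595e5ceaf88e93bc3f46e33dd4b1a6b9c87b4644f1c643ff4fd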
data/.gitignore
ADDED
data/.rspec
ADDED
data/.travis.yml
ADDED
data/Gemfile
ADDED
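--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,63 @@
+# SecretGarden
+
+You have a [12 factor app](http://12factor.net/). You want to [configure it
+using environment variables](http://12factor.net/config). But you don't want the
+world to know your secrets. Or, better yet, you want your secrets to have
+limited-time access.
+
+What you really want is a way to be able to configure your app via the
+envornment, but fall back to a secret storage service like
+[vault](https://www.vaultproject.io/)!
+
+This gem does just that.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'secret_garden'
+```
+
+And then execute:
+
+$ bundle
+
+Or install it yourself as:
+
+$ gem install secret_garden
+
+## Usage
+
+First, define a `Secretfile` for your project that maps environment variable
+names to secret key paths in your vault:
+
+```
+# Secretfile
+AWS_ACCESS_KEY_ID secrets/services/aws:id
+AWS_ACCESS_KEY_SECRET secrets/services/aws:secret
+```
+
+In your app, instead of always consulting `ENV['AWS_ACCESS_KEY_ID]`, you can use
+SecretGarden:
+
+``` ruby
+# In future we will move each backend out to a gem, so that you don't need to
+# download a million gems like you do with Fog.
+require 'secret_garden/vault'
+
+SecretGarden.add_backend :vault
+
+s3 = AWS::S3.new access_key_id: SecretGarden.fetch('AWS_ACCESS_KEY_ID')
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/dkastner/secret_garden.
+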
data/Rakefile
ADDED
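--- a/data/bin/console
+++ b/data/bin/console
@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "secret_garden"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start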
data/bin/setup
ADDED
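--- a/data/lib/secret_garden.rb
+++ b/data/lib/secret_garden.rb
@@ -0,0 +1,44 @@
+require "secret_garden/version"
+
+require 'secret_garden/env'
+require 'secret_garden/map'
+
+module SecretGarden
+
+class SecretNotDefined < StandardError; end
+
+def self.add_backend(val)
+klass = SecretGarden.const_get(val.to_s.capitalize)
+@backends = backends + [klass.new(map)]
+nil
+end
+
+def self.backends
+@backends ||= [Env.new(map)]
+end
+
+def self.fetch(name)
+backends.inject(nil) do |value, backend|
+value ||= backend.fetch_and_cache(name)
+end
+end
+
+def self.map
+@map ||= SecretGarden::Map.new root: secret_file_path, env: env
+end
+
+def self.secret_file_path=(val)
+@secret_file_path = val
+end
+def self.secret_file_path
+@secret_file_path ||= Dir.pwd
+end
+
+def self.env=(val)
+@env = val
+end
+def self.env
+@env ||= 'development' # sane default?
+end
+
+end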
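Review bot: `SecretGarden.const_get(val.to_s.capitalize)` in `add_backend` (line 11 of this file) searches `Object` as well as the `SecretGarden` namespace, so any constant name that reaches it is resolved and instantiated with `klass.new(map)` rather than only a backend; if the backend name is ever taken from configuration, that is an unintended code path. Restrict the lookup to this namespace and check the result: `klass = SecretGarden.const_get(val.to_s.capitalize, false)` followed by `raise ArgumentError, "unknown backend #{val.inspect}" unless klass.is_a?(Class) && klass < SecretGarden::Backend` (this assumes `Env`, whose file is not in this view, also subclasses `Backend`). Note also that `add_backend :env` would append a second `Env` instance because `backends` already seeds one, so the check could additionally reject backends already present. The page shows this hunk under the `data/bin/setup` header, but its content and the +44 diffstat match `lib/secret_garden.rb`.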
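--- a/data/lib/secret_garden/backend.rb
+++ b/data/lib/secret_garden/backend.rb
@@ -0,0 +1,25 @@
+require 'secret_garden'
+
+module SecretGarden
+
+class Backend
+
+attr_accessor :map, :cache
+
+def initialize(map)
+self.map = map
+self.cache = {}
+end
+
+def fetch_and_cache(name)
+unless map.defined?(name)
+raise SecretGarden::SecretNotDefined,
+"There is no secret #{name.inspect} defined in #{map.secretfile_path}"
+end
+secret = map[name]
+self.cache[name] ||= fetch(secret)
+end
+
+end
+
+end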
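Review bot: `self.cache[name] ||= fetch(secret)` in `fetch_and_cache` keeps every fetched secret in a plain Hash for the life of the process and never expires it, which is at odds with the README's stated "limited-time access" goal — a value whose Vault lease has expired server-side keeps being served from here. `attr_accessor :map, :cache` on line 7 additionally makes that hash publicly readable and writable, so any code holding a backend reference can dump or overwrite cached secrets; `attr_reader :map` and a private `cache` are sufficient for the class as written. If lease handling is intended later, each cache entry will need an expiry; until then a comment such as `# Cached for the process lifetime; backend TTLs/leases are not honored` records the limitation where a maintainer will see it.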
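--- a/data/lib/secret_garden/map.rb
+++ b/data/lib/secret_garden/map.rb
@@ -0,0 +1,45 @@
+require 'secret_garden/secret'
+
+module SecretGarden
+
+class Map
+
+attr_accessor :root
+
+def initialize(root: Dir.pwd, env: nil)
+self.root = root
+end
+
+def defined?(name)
+entries.key?(name)
+end
+
+def [](name)
+entries[name]
+end
+
+def secretfile_path
+@secretfile_path ||= File.join(root, 'Secretfile')
+end
+
+def entries
+@entries ||= File.readlines(secretfile_path).
+map(&:strip).
+reject { |l| l =~ /^#/ }.
+map do |l|
+name, path, property = parse_secret l
+Secret.new name, path, property
+end.
+inject({}) do |hsh, secret|
+hsh.merge secret.name => secret
+end
+end
+
+def parse_secret(line)
+name, path, property = line.scan(/([^\s]+)\s+([^:]+)(:.*)?/).first
+path.gsub! /@ENV@/, SecretGarden.env
+[name, path, property.to_s[1..-1]]
+end
+end
+
+end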
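Review bot: `parse_secret` raises `NoMethodError` on `path.gsub!` for any line the regex does not match, and blank lines reach it because `entries` strips lines but rejects only comments, so a Secretfile containing an empty line fails with an unrelated error. Filter blanks with `reject { |l| l.empty? || l.start_with?('#') }` and validate the match before use: `raise ArgumentError, "malformed Secretfile line: #{line.inspect}" unless name && path`. The `env:` keyword accepted by `initialize` on line 9 is discarded and `parse_secret` reads the global `SecretGarden.env` instead, so either store it or drop the parameter so the call in `SecretGarden.map` is not misleading. Passing `SecretGarden.env` to `gsub!` as a String replacement also interprets backreference sequences like `\0`, so an env name containing a backslash would be mangled; the block form `gsub('@ENV@') { SecretGarden.env }` avoids that.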
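--- a/data/lib/secret_garden/vault.rb
+++ b/data/lib/secret_garden/vault.rb
@@ -0,0 +1,32 @@
+require 'vault'
+
+require 'secret_garden/backend'
+
+module SecretGarden
+
+class Vault < Backend
+
+class SecretNotDefined < StandardError; end
+class PropertyNotDefined < StandardError; end
+
+def fetch(secret)
+unless vault_secret = fetch_from_vault(secret.path)
+raise SecretNotDefined,
+"Vault does not have secret at #{secret.path.inspect}"
+end
+
+unless value = vault_secret.data[secret.property.to_sym]
+raise PropertyNotDefined,
+"Vault does not have secret at #{secret.path}:#{secret.property}"
+end
+
+value
+end
+
+def fetch_from_vault(path)
+::Vault.logical.read path
+end
+
+end
+
+end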
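Review bot: `class SecretNotDefined < StandardError; end` on line 9 defines `SecretGarden::Vault::SecretNotDefined`, a class unrelated to the `SecretGarden::SecretNotDefined` that `Backend#fetch_and_cache` raises, so a caller rescuing the module-level error will not catch the one raised by `fetch` on line 14. Make it a subclass, `class SecretNotDefined < SecretGarden::SecretNotDefined; end`, or raise the module-level class directly. `secret.property.to_sym` on line 18 turns an absent property (the empty string `parse_secret` yields for a Secretfile line with no `:prop` suffix) into `:""`, which always misses and yields the message `Vault does not have secret at path:`; checking `secret.property` is non-empty before the lookup gives a clearer `PropertyNotDefined`. Both messages interpolate only the path and property and never the value, which is the right choice for an error that may end up in logs.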
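--- a/data/secret_garden.gemspec
+++ b/data/secret_garden.gemspec
@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'secret_garden/version'
+
+Gem::Specification.new do |spec|
+spec.name = "secret_garden"
+spec.version = SecretGarden::VERSION
+spec.authors = ["Derek Kastner"]
+spec.email = ["dkastner@gmail.com"]
+
+spec.summary = %q{Access your 12-factor app secrets securely}
+spec.description = %q{Provide secrets either via ENV or fall back to secure backends like vault}
+spec.homepage = "http://github.com/dkastner/secret_garden"
+
+spec.license = "MIT"
+
+spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+spec.bindir = "exe"
+spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+spec.require_paths = ["lib"]
+
+spec.add_development_dependency "bundler", "~> 1.11"
+spec.add_development_dependency "rake", "~> 10.0"
+spec.add_development_dependency "rspec", "~> 3.0"
+spec.add_development_dependency "vault"
+end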
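Review bot: `spec.add_development_dependency "vault"` on line 26 declares the Vault client as development-only, but `lib/secret_garden/vault.rb` does `require 'vault'` at load time, so `gem install secret_garden` followed by the README's `require 'secret_garden/vault'` fails with `LoadError`. Either change it to `spec.add_dependency "vault"` or document it as a dependency the application must add itself; the README comment about moving each backend into its own gem suggests the latter may be the intent. Whichever is chosen, an unbounded constraint on the library that talks to the secret store is a supply-chain risk — pin it, e.g. `spec.add_dependency "vault", "~> <KNOWN_GOOD_VERSION>"` (placeholder).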
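--- a/metadata
+++ b/metadata
@@ -0,0 +1,116 @@
+--- !ruby/object:Gem::Specification
+name: secret_garden
+version: !ruby/object:Gem::Version
+version: 0.0.1
+platform: ruby
+authors:
+- Derek Kastner
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2016-03-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: bundler
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.11'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.11'
+- !ruby/object:Gem::Dependency
+name: rake
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '10.0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '10.0'
+- !ruby/object:Gem::Dependency
+name: rspec
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.0'
+- !ruby/object:Gem::Dependency
+name: vault
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+description: Provide secrets either via ENV or fall back to secure backends like vault
+email:
+- dkastner@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/secret_garden.rb
+- lib/secret_garden/backend.rb
+- lib/secret_garden/env.rb
+- lib/secret_garden/map.rb
+- lib/secret_garden/secret.rb
+- lib/secret_garden/vault.rb
+- lib/secret_garden/version.rb
+- secret_garden.gemspec
+homepage: http://github.com/dkastner/secret_garden
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.5.1
+signing_key:
+specification_version: 4
+summary: Access your 12-factor app secrets securely
+test_files: []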