secretfile 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ac96b297cfbea1520060b9cd6a64293f820ef59dd7a9761b20fa92d155c6116d
4
- data.tar.gz: e158820858b542598aa9bf6e86771791225e61800786d18043845e53fe97f6ea
3
+ metadata.gz: 95caa9eefe3f9bb4f31e9ce708c5f99214a65b2b0c34337626e2ec6e90a92dd4
4
+ data.tar.gz: 6162a919731194f74b403535c6948bc67fb244e51e9f37eb56d0827ea08f8476
5
5
  SHA512:
6
- metadata.gz: ac4e9b55d023d18d3c8685ee81af85a76926a59476afa086c5efac313590da278ed6fbc0c52c3fb918796f9933b830a3dd204df9899e37f8f09bdaeeb7f5eaac
7
- data.tar.gz: f386f6057d8df44393e698d63ad609f7baf57902a7ea290cd70066bb4f17a2c4cab527de2815e471a22505646e509ce05bfd2d5007d90c9a919891988f6816cb
6
+ metadata.gz: 0e295258504e57ff1f7bf3251db27d11d82f9080fa7714d8c732e2d299dc8661b87391bebe83b5cfab9cb6d1e9079d3a1978189956f468ecbd9c33b11458f716
7
+ data.tar.gz: 4cd67553464dca3e61ab9a39044c62395520a6de49dd25e00bceac7743c075aee3eb11268226e06d4ec1a7d1c26dcf188592777c55a17e77260396e8b822bc40
data/CHANGELOG.md CHANGED
@@ -1,3 +1,10 @@
1
+ 1.0.1 / 2019-07-24
2
+
3
+ * Enhancements
4
+
5
+ * Support Amazon STS with Secretfile.group {}
6
+ * Support dashes in vault paths
7
+
1
8
  1.0.0 / 2019-07-24
2
9
 
3
10
  Initial release - inspired by https://github.com/erithmetic/secret_garden
data/README.md CHANGED
@@ -31,6 +31,11 @@ The initial implementation of Secretfile in ruby was [`secret_garden`](https://g
31
31
  <td>Yes - you <code>require 'secret_garden/vault'</code> etc.</td>
32
32
  <td>No - you only get vault, and it's required by default</td>
33
33
  </tr>
34
+ <tr>
35
+ <td>Supports dynamic vault secrets (e.g. Amazon STS)?</td>
36
+ <td>No - they are never refreshed</td>
37
+ <td>Yes - they are pulled together, but not cached. Use <code>Secretfile.group { Secretfile.get(x); Secretfile.get(y) }</code>.</td>
38
+ </tr>
34
39
  </Table>
35
40
 
36
41
  ## Installation
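Review bot: the wording "pulled together, but not cached" in the new table cell conflicts with what `Secretfile.group` actually does in lib/secretfile.rb, where the first read of a path is stored in `group[path]` and reused by later `get` calls in the same block; suggest "cached only for the duration of the `Secretfile.group` block" so readers understand that the block is the cache boundary and each new block re-issues credentials.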
@@ -55,6 +60,9 @@ In your Secretfile:
55
60
 
56
61
  ```
57
62
  DATABASE_URL secrets/$VAULT_ENV/database:url
63
+ AWS_ACCESS_KEY_ID aws/sts/myrole:access_key
64
+ AWS_SECRET_ACCESS_KEY aws/sts/myrole:secret_key
65
+ AWS_SESSION_TOKEN aws/sts/myrole:security_token
58
66
  ```
59
67
 
60
68
  Then you call
@@ -63,6 +71,16 @@ Then you call
63
71
  Secretfile.get('DATABASE_URL') # looks for ENV['DATABASE_URL'], falling back to secrets/$VAULT_ENV/database:url
64
72
  ```
65
73
 
74
+ To use dynamic creds like [Amazon STS](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) with the [Vault AWS Secrets engine](https://www.vaultproject.io/docs/secrets/aws/index.html), do this:
75
+
76
+ ```
77
+ Secretfile.group do
78
+ akid = Secretfile.get('AWS_ACCESS_KEY_ID')
79
+ sk = Secretfile.get('AWS_SECRET_ACCESS_KEY')
80
+ st = Secretfile.get('AWS_SESSION_TOKEN')
81
+ end
82
+ ```
83
+
66
84
  ## Development
67
85
 
68
86
  After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
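Review bot: the example shows the `group` call but never says why it is needed, which is the whole point of the feature; add a sentence before the fence explaining that each Vault read of a dynamic path such as `aws/sts/myrole` issues a fresh credential set, so three `get` calls made outside a `group` block return an access key, secret key and session token that do not belong together (the comment added to the sample Secretfile, "requires these all to be gotten at once", says as much). It is also worth stating that the cached values are discarded when the block exits, so a new block is needed whenever the credentials are refreshed.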
data/Secretfile CHANGED
@@ -3,3 +3,7 @@
3
3
  SECRET1 not/in/vault:set_in_env
4
4
  SECRET2 secret/test:value
5
5
  SECRET3 not/in/vault:expected_to_raise
6
+ # amazon sts, for example, requires these all to be gotten at once
7
+ AWS_ACCESS_KEY_ID aws/sts/myrole:access_key
8
+ AWS_SECRET_ACCESS_KEY aws/sts/myrole:secret_key
9
+ AWS_SESSION_TOKEN aws/sts/myrole:security_token
data/lib/secretfile.rb CHANGED
@@ -10,9 +10,19 @@ class Secretfile
10
10
  def get(k)
11
11
  instance.get k
12
12
  end
13
+
14
+ def group
15
+ begin
16
+ instance.group ||= {}
17
+ yield
18
+ ensure
19
+ instance.group = nil
20
+ end
21
+ end
13
22
  end
14
23
 
15
24
  attr_reader :spec
25
+ attr_accessor :group
16
26
 
17
27
  def initialize
18
28
  super # singleton magic i guess
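Review bot: `group` does not nest safely: the `ensure` sets `instance.group = nil` unconditionally, so an inner `Secretfile.group` call wipes the outer block's cache and every later `get` in the outer block silently goes back to uncached Vault reads, producing exactly the mismatched STS credentials the feature is meant to avoid. Save and restore the previous value instead, e.g. `prev = instance.group`, then `instance.group ||= {}`, and `ensure instance.group = prev`. The cache also lives on the singleton, so two threads calling `group` concurrently share one hash and one thread's `ensure` clears the other's; if the gem is used from threaded servers, keep the group in a thread-local or document that `group` is not thread-safe.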
@@ -28,7 +38,13 @@ class Secretfile
28
38
  ENV[k]
29
39
  else
30
40
  path, field = spec.fetch k
31
- payload = Vault.logical.read(path) or raise("Secret #{k.inspect} not found in Vault at #{path}")
41
+ payload = if group&.has_key?(path)
42
+ group[path]
43
+ else
44
+ memo = Vault.logical.read(path) or raise("Secret #{k.inspect} not found in Vault at #{path}")
45
+ group[path] = memo if group
46
+ memo
47
+ end
32
48
  payload.data[field.to_sym] or raise("Secret #{k.inspect} not found in Vault at #{path}:#{field}")
33
49
  end
34
50
  end
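Review bot: the memoization only covers the Vault branch; when `ENV[k]` is set for one of the grouped keys, that key takes the `ENV[k]` path and the others are still read from Vault, so inside a `group` an access key from the environment can be paired with a secret key and token freshly issued by Vault. That may be intentional, but the README should at least warn that an ENV override must cover all or none of a credential set. Minor: `group&.has_key?(path)` reads more idiomatically as `group&.key?(path)`, and reusing `memo` as the local name here (it is the accumulator name in `read_spec`) is slightly confusing; `secret` or `result` would do.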
@@ -39,7 +55,7 @@ class Secretfile
39
55
  ENV.fetch('SECRETFILE_PATH', 'Secretfile')
40
56
  end
41
57
 
42
- VALID_LINE = /\A\w+\s+[\w\/]+:\w+\z/
58
+ VALID_LINE = /\A\w+\s+[\w\-\/]+:\w+\z/
43
59
  def read_spec
44
60
  raise "Expected Secretfile" unless File.readable?(spec_path)
45
61
  @spec = IO.readlines(spec_path).inject({}) do |memo, line|
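Review bot: the widened character class only applies to the path segment, so `aws/sts/my-role:security_token` now validates but a key or field containing a dash still fails `VALID_LINE`; if that is the intent, the CHANGELOG entry "Support dashes in vault paths" is accurate, but a spec exercising a dashed path would be good to have since none is visible in this diff. Style: inside a character class the hyphen need not be escaped when placed last, and `/` only needs escaping because the literal uses `/` delimiters; `%r{\A\w+\s+[\w/-]+:\w+\z}` avoids both escapes.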
@@ -1,3 +1,3 @@
1
1
  class Secretfile
2
- VERSION = '1.0.0'
2
+ VERSION = '1.0.1'
3
3
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secretfile
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.0
4
+ version: 1.0.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Seamus Abshere