secretfile 1.0.0 → 1.0.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ac96b297cfbea1520060b9cd6a64293f820ef59dd7a9761b20fa92d155c6116d
4
- data.tar.gz: e158820858b542598aa9bf6e86771791225e61800786d18043845e53fe97f6ea
3
+ metadata.gz: 95caa9eefe3f9bb4f31e9ce708c5f99214a65b2b0c34337626e2ec6e90a92dd4
4
+ data.tar.gz: 6162a919731194f74b403535c6948bc67fb244e51e9f37eb56d0827ea08f8476
5
5
  SHA512:
6
- metadata.gz: ac4e9b55d023d18d3c8685ee81af85a76926a59476afa086c5efac313590da278ed6fbc0c52c3fb918796f9933b830a3dd204df9899e37f8f09bdaeeb7f5eaac
7
- data.tar.gz: f386f6057d8df44393e698d63ad609f7baf57902a7ea290cd70066bb4f17a2c4cab527de2815e471a22505646e509ce05bfd2d5007d90c9a919891988f6816cb
6
+ metadata.gz: 0e295258504e57ff1f7bf3251db27d11d82f9080fa7714d8c732e2d299dc8661b87391bebe83b5cfab9cb6d1e9079d3a1978189956f468ecbd9c33b11458f716
7
+ data.tar.gz: 4cd67553464dca3e61ab9a39044c62395520a6de49dd25e00bceac7743c075aee3eb11268226e06d4ec1a7d1c26dcf188592777c55a17e77260396e8b822bc40
data/CHANGELOG.md CHANGED
@@ -1,3 +1,10 @@
1
+ 1.0.1 / 2019-07-24
2
+
3
+ * Enhancements
4
+
5
+ * Support Amazon STS with Secretfile.group {}
6
+ * Support dashes in vault paths
7
+
1
8
  1.0.0 / 2019-07-24
2
9
 
3
10
  Initial release - inspired by https://github.com/erithmetic/secret_garden
data/README.md CHANGED
@@ -31,6 +31,11 @@ The initial implementation of Secretfile in ruby was [`secret_garden`](https://g
31
31
  <td>Yes - you <code>require 'secret_garden/vault'</code> etc.</td>
32
32
  <td>No - you only get vault, and it's required by default</td>
33
33
  </tr>
34
+ <tr>
35
+ <td>Supports dynamic vault secrets (e.g. Amazon STS)?</td>
36
+ <td>No - they are never refreshed</td>
37
+ <td>Yes - they are pulled together, but not cached. Use <code>Secretfile.group { Secretfile.get(x); Secretfile.get(y) }</code>.</td>
38
+ </tr>
34
39
  </Table>
35
40
 
36
41
  ## Installation
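Review bot: the new row's "pulled together, but not cached" wording for the `Secretfile.group` column is ambiguous given what the accompanying `lib/secretfile.rb` change actually does: inside a `group` block the Vault response for each path is memoized and reused until the block exits, so the three STS fields come from a single read, and the memo is discarded in the `ensure`. Consider rewording to "read once per `group` block; nothing is kept after the block exits", which states both that reads are consistent within the block and that every new block issues a fresh dynamic credential.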
@@ -55,6 +60,9 @@ In your Secretfile:
55
60
 
56
61
  ```
57
62
  DATABASE_URL secrets/$VAULT_ENV/database:url
63
+ AWS_ACCESS_KEY_ID aws/sts/myrole:access_key
64
+ AWS_SECRET_ACCESS_KEY aws/sts/myrole:secret_key
65
+ AWS_SESSION_TOKEN aws/sts/myrole:security_token
58
66
  ```
59
67
 
60
68
  Then you call
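Review bot: the three new `aws/sts/myrole` entries share one dynamic Vault path, but nothing in this example says they must be read together; a reader who copies just these lines and calls `Secretfile.get` on each one outside a `group` block gets three separate Vault reads, each issuing a different STS credential, so the key id, secret and session token will not belong to the same credential. Consider a short comment above the three lines pointing at `Secretfile.group`, like the one added to `data/Secretfile` in this same diff.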
@@ -63,6 +71,16 @@ Then you call
63
71
  Secretfile.get('DATABASE_URL') # looks for ENV['DATABASE_URL'], falling back to secrets/$VAULT_ENV/database:url
64
72
  ```
65
73
 
74
+ To use dynamic creds like [Amazon STS](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) with the [Vault AWS Secrets engine](https://www.vaultproject.io/docs/secrets/aws/index.html), do this:
75
+
76
+ ```
77
+ Secretfile.group do
78
+ akid = Secretfile.get('AWS_ACCESS_KEY_ID')
79
+ sk = Secretfile.get('AWS_SECRET_ACCESS_KEY')
80
+ st = Secretfile.get('AWS_SESSION_TOKEN')
81
+ end
82
+ ```
83
+
66
84
  ## Development
67
85
 
68
86
  After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
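Review bot: the usage example assigns `akid`, `sk` and `st` as locals inside the block, and in Ruby variables first assigned inside a block are block-local, so after `end` none of them is accessible and the snippet cannot be used as written. Suggest either declaring them before the block (`akid = sk = st = nil`) or returning the values from it, e.g. `akid, sk, st = Secretfile.group { [Secretfile.get('AWS_ACCESS_KEY_ID'), Secretfile.get('AWS_SECRET_ACCESS_KEY'), Secretfile.get('AWS_SESSION_TOKEN')] }`, which works because `group` returns the block's value. Also, the fence has no language tag; the existing `Secretfile.get('DATABASE_URL')` block above it is untagged too, but tagging both ` ```ruby ` would get syntax highlighting on the README.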
data/Secretfile CHANGED
@@ -3,3 +3,7 @@
3
3
  SECRET1 not/in/vault:set_in_env
4
4
  SECRET2 secret/test:value
5
5
  SECRET3 not/in/vault:expected_to_raise
6
+ # amazon sts, for example, requires these all to be gotten at once
7
+ AWS_ACCESS_KEY_ID aws/sts/myrole:access_key
8
+ AWS_SECRET_ACCESS_KEY aws/sts/myrole:secret_key
9
+ AWS_SESSION_TOKEN aws/sts/myrole:security_token
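Review bot: the added `# amazon sts, ...` line does not match `VALID_LINE` (`/\A\w+\s+[\w\-\/]+:\w+\z/`), and the part of `read_spec` that would skip comment lines is not in this diff, so please confirm that comments are filtered before validation; otherwise this fixture now fails to parse. Separately, the fixture now depends on an AWS secrets engine mounted at `aws/sts/myrole` in whatever Vault the specs talk to, and no spec or test-setup change is shown here; `SECRET3` is documented as `expected_to_raise`, so it would help to state in the comment whether these three entries are expected to resolve or to raise under `rake spec`.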
data/lib/secretfile.rb CHANGED
@@ -10,9 +10,19 @@ class Secretfile
10
10
  def get(k)
11
11
  instance.get k
12
12
  end
13
+
14
+ def group
15
+ begin
16
+ instance.group ||= {}
17
+ yield
18
+ ensure
19
+ instance.group = nil
20
+ end
21
+ end
13
22
  end
14
23
 
15
24
  attr_reader :spec
25
+ attr_accessor :group
16
26
 
17
27
  def initialize
18
28
  super # singleton magic i guess
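Review bot: `group` is not reentrant and not thread-safe, because the memo lives in a single `attr_accessor :group` on the singleton. If a `Secretfile.group` block is entered while another is already open (a helper that wraps its own `group`, called from inside a caller's `group`), the inner `ensure` sets `instance.group = nil`, so the outer block silently stops grouping and its remaining `get` calls each hit Vault again with separate STS credentials, which is exactly the inconsistency the feature is meant to prevent. Restoring the previous value fixes that: `prev = instance.group; instance.group ||= {}; yield` with `ensure instance.group = prev`. With threads, two concurrent `group` blocks share and clobber the same hash, and a thread calling `get` outside any block will read another thread's memoized response while it is open; keeping the memo in `Thread.current` instead of on the singleton avoids both. Finally, the `begin ... ensure ... end` wrapper can be dropped in favour of a method-level `ensure`.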
@@ -28,7 +38,13 @@ class Secretfile
28
38
  ENV[k]
29
39
  else
30
40
  path, field = spec.fetch k
31
- payload = Vault.logical.read(path) or raise("Secret #{k.inspect} not found in Vault at #{path}")
41
+ payload = if group&.has_key?(path)
42
+ group[path]
43
+ else
44
+ memo = Vault.logical.read(path) or raise("Secret #{k.inspect} not found in Vault at #{path}")
45
+ group[path] = memo if group
46
+ memo
47
+ end
32
48
  payload.data[field.to_sym] or raise("Secret #{k.inspect} not found in Vault at #{path}:#{field}")
33
49
  end
34
50
  end
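Review bot: the memo is keyed by `path` only, which is correct here since a `Vault.logical.read` payload carries every field of that path, so `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` resolve from one response; a one-line comment saying so (and that the memo only exists inside a `group` block) would make the `group&.has_key?(path)` branch self-explanatory. Style: `key?` is the idiomatic spelling of `has_key?`. Also worth stating in a comment: a `read` that returns nil raises before anything is memoized, so a later `get` in the same block retries Vault rather than re-raising, and the cached payload for a dynamic path still carries its lease, which the memo does not inspect, so a very long `group` block could keep using a credential past its TTL.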
@@ -39,7 +55,7 @@ class Secretfile
39
55
  ENV.fetch('SECRETFILE_PATH', 'Secretfile')
40
56
  end
41
57
 
42
- VALID_LINE = /\A\w+\s+[\w\/]+:\w+\z/
58
+ VALID_LINE = /\A\w+\s+[\w\-\/]+:\w+\z/
43
59
  def read_spec
44
60
  raise "Expected Secretfile" unless File.readable?(spec_path)
45
61
  @spec = IO.readlines(spec_path).inject({}) do |memo, line|
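Review bot: `[\w\-\/]+` now accepts dashes in the path segment, which covers `aws/sts/myrole`-style mounts, but the field part `:\w+` is unchanged, so a Vault key spelled with a dash (for example `secret-key`) is still rejected with whatever error `read_spec` raises for a non-matching line; if that is intended, say so in the README's Secretfile format description. Note that in Ruby `\w` is ASCII `[A-Za-z0-9_]`, so paths with dots or other punctuation remain invalid, and since the `@@ -1,3 +1,3 @@` hunk that follows has lost its file header in this rendering, it is the `VERSION` bump in `lib/secretfile/version.rb`.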
@@ -1,3 +1,3 @@
1
1
  class Secretfile
2
- VERSION = '1.0.0'
2
+ VERSION = '1.0.1'
3
3
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: secretfile
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.0
4
+ version: 1.0.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Seamus Abshere