secretfile 1.0.0 → 1.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ac96b297cfbea1520060b9cd6a64293f820ef59dd7a9761b20fa92d155c6116d
-  data.tar.gz: e158820858b542598aa9bf6e86771791225e61800786d18043845e53fe97f6ea
+  metadata.gz: 1faf0efa8e924c393fe22a8ab42edd2f42a1a91ba9925481efc88cfd9cb02696
+  data.tar.gz: 0d82ca7d5fdd714dcd591106a870831b788ea2a1419827095db333662ac66065
 SHA512:
-  metadata.gz: ac4e9b55d023d18d3c8685ee81af85a76926a59476afa086c5efac313590da278ed6fbc0c52c3fb918796f9933b830a3dd204df9899e37f8f09bdaeeb7f5eaac
-  data.tar.gz: f386f6057d8df44393e698d63ad609f7baf57902a7ea290cd70066bb4f17a2c4cab527de2815e471a22505646e509ce05bfd2d5007d90c9a919891988f6816cb
+  metadata.gz: c702a51fb30e1538d06100265281c12518e60ba74929a93c23315f75296380b6de1838ae1d97097ea4c8e9e7660307feb31b939902eb71574f04b54f5e1fe7ea
+  data.tar.gz: 664b3cf47b240b6bf6cc546969b53e2d2e01366f71aee1ca156a7fdfdeb2a84057ac528c7fd4c5146c57a12578a751015f98de57537df9b531f60355c0505c10

data/CHANGELOG.md

@@ -1,3 +1,28 @@
+1.0.4 / 2021-12-17
+
+* Enhancements
+
+  * Don't hide fs error if Secretfile not readable
+
+1.0.3 / 2021-02-24
+
+* Bug fixes
+
+  * Allow blank lines in Secretfiles
+
+1.0.2 / 2019-07-24
+
+* Enhancements
+
+  * A little protection against doing dumb things like nesting Secretfile.group
+
+1.0.1 / 2019-07-24
+
+* Enhancements
+
+  * Support Amazon STS with Secretfile.group {}
+  * Support dashes in vault paths
+
 1.0.0 / 2019-07-24
 
 Initial release - inspired by https://github.com/erithmetic/secret_garden

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    secretfile (1.0.0)
+    secretfile (1.0.1)
       vault
 
 GEM

data/README.md

@@ -31,6 +31,11 @@ The initial implementation of Secretfile in ruby was [`secret_garden`](https://g
     <td>Yes - you <code>require 'secret_garden/vault'</code> etc.</td>
     <td>No - you only get vault, and it's required by default</td>
   </tr>
+  <tr>
+    <td>Supports dynamic vault secrets (e.g. Amazon STS)?</td>
+    <td>No - they are never refreshed</td>
+    <td>Yes - they are pulled together, but not cached. Use <code>Secretfile.group { Secretfile.get(x); Secretfile.get(y) }</code>.</td>
+  </tr>
 </Table>
 
 ## Installation
@@ -55,6 +60,9 @@ In your Secretfile:
 
 ```
 DATABASE_URL secrets/$VAULT_ENV/database:url
+AWS_ACCESS_KEY_ID aws/sts/myrole:access_key
+AWS_SECRET_ACCESS_KEY aws/sts/myrole:secret_key
+AWS_SESSION_TOKEN aws/sts/myrole:security_token
 ```
 
 Then you call
@@ -63,6 +71,16 @@ Then you call
 Secretfile.get('DATABASE_URL') # looks for ENV['DATABASE_URL'], falling back to secrets/$VAULT_ENV/database:url
 ```
 
+To use dynamic creds like [Amazon STS](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) with the [Vault AWS Secrets engine](https://www.vaultproject.io/docs/secrets/aws/index.html), do this:
+
+```
+Secretfile.group do
+  akid = Secretfile.get('AWS_ACCESS_KEY_ID')
+  sk = Secretfile.get('AWS_SECRET_ACCESS_KEY')
+  st = Secretfile.get('AWS_SESSION_TOKEN')
+end
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/Secretfile

@@ -3,3 +3,9 @@
 SECRET1 not/in/vault:set_in_env
 SECRET2 secret/test:value
 SECRET3 not/in/vault:expected_to_raise
+# allow empty lines like the one following this:
+     
+# amazon sts, for example, requires these all to be gotten at once 
+AWS_ACCESS_KEY_ID aws/sts/myrole:access_key
+AWS_SECRET_ACCESS_KEY aws/sts/myrole:secret_key
+AWS_SESSION_TOKEN aws/sts/myrole:security_token

data/lib/secretfile/version.rb

@@ -1,3 +1,3 @@
 class Secretfile
-  VERSION = '1.0.0'
+  VERSION = '1.0.4'
 end

data/lib/secretfile.rb

@@ -10,12 +10,27 @@ class Secretfile
     def get(k)
       instance.get k
     end
+
+    def group
+      begin
+        instance.mutex.synchronize do
+          raise "Can't nest Secretfile.group" if instance.group
+          instance.group = {}
+        end
+        yield
+      ensure
+        instance.group = nil
+      end
+    end
   end
 
   attr_reader :spec
+  attr_reader :mutex
+  attr_accessor :group
 
   def initialize
     super # singleton magic i guess
+    @mutex = Mutex.new
     read_spec
   end
 
@@ -28,7 +43,13 @@ class Secretfile
       ENV[k]
     else
       path, field = spec.fetch k
-      payload = Vault.logical.read(path) or raise("Secret #{k.inspect} not found in Vault at #{path}")
+      payload = if group&.has_key?(path)
+        group[path]
+      else
+        memo = Vault.logical.read(path) or raise("Secret #{k.inspect} not found in Vault at #{path}")
+        group[path] = memo if group
+        memo
+      end
       payload.data[field.to_sym] or raise("Secret #{k.inspect} not found in Vault at #{path}:#{field}")
     end
   end
@@ -39,11 +60,11 @@ class Secretfile
     ENV.fetch('SECRETFILE_PATH', 'Secretfile')
   end
 
-  VALID_LINE = /\A\w+\s+[\w\/]+:\w+\z/
+  VALID_LINE = /\A\w+\s+[\w\-\/]+:\w+\z/
   def read_spec
-    raise "Expected Secretfile" unless File.readable?(spec_path)
     @spec = IO.readlines(spec_path).inject({}) do |memo, line|
       line.chomp!
+      next memo if line =~ /\A\s*\z/
       next memo if line =~ /\A\s*#/
       line.gsub!(/\$(\{)?([A-Z0-9_]+)(\})?/) do
         if $1 == '{' and $3 != '}'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secretfile
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.4
 platform: ruby
 authors:
 - Seamus Abshere
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-07-24 00:00:00.000000000 Z
+date: 2021-12-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -140,7 +140,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Define secret mapping in a Secretfile.