secrets_cli 0.2.0 → 0.3.0
- checksums.yaml +4 -4
- data/README.md +32 -12
- data/exe/secrets +4 -8
- data/lib/secrets_cli/check/secrets.rb +3 -8
- data/lib/secrets_cli/check/vault.rb +4 -4
- data/lib/secrets_cli/configuration.rb +2 -6
- data/lib/secrets_cli/init.rb +5 -10
- data/lib/secrets_cli/prompts/{secrets_repo.rb → secrets_storage_key.rb} +2 -2
- data/lib/secrets_cli/vault/auth.rb +2 -2
- data/lib/secrets_cli/vault/base.rb +3 -3
- data/lib/secrets_cli/vault/push.rb +4 -5
- data/lib/secrets_cli/vault/read.rb +3 -4
- data/lib/secrets_cli/version.rb +1 -1
- data/lib/secrets_cli.rb +2 -2
- metadata +3 -4
- data/lib/secrets_cli/prompts/secrets_field.rb +0 -11
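--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 22a95b837aa93312338a6a7a12efa1a25ff15ddf
+data.tar.gz: 2aace8541c14b4c3311ea71ffa63c44d93cf07f9
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 60a7b0bc704533b79dc133cae819e22082c48a4dade9c38faead72ecee6232ea185bec57f674594111c76c857583138ed2eda1ee98565b670c43df0d1637cb85
+data.tar.gz: 855216c1e7864e74d4ee44b80242b1ab697f2402855d63bae270f2d76982387f9a34f54f5ac28217fb750094f4ec6bf69799e2810935c94d6177e6a1103eb25f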
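--- a/data/README.md
+++ b/data/README.md
@@ -4,6 +4,8 @@
 
 This is a CLI for easier use of [vault](https://www.vaultproject.io/)
 
+There is also a mina plugin [mina-secrets](https://github.com/infinum/mina-secrets)
+
 ## Installation
 
 Add this line to your application's Gemfile:
@@ -22,11 +24,16 @@ Or install it yourself as:
 
 ## Prerequisites
 
-`vault` must be installed on system. This gem adds a
+`vault` must be installed on system. This gem adds a dependency to `vault-binaries` which will install `vault` for you.
+
+The following environment variables need to be set:
+
+For `vault` itself:
 
-
+VAULT_ADDR - this is an address to your vault server
+
+For `secrets_cli`:
 
-VAULT_ADDR - this is an address to vault server
 SECRETS_VAULT_AUTH_METHOD - this is auth method ('github' or 'token' supported for now)
 SECRETS_VAULT_AUTH_TOKEN - this is vault auth token
 
@@ -44,37 +51,50 @@ Some of the commands have `--verbose` switch which will print out the commands i
 This will create `.secrets` file with project configuration. The command will ask you all it needs to know if you do not
 supply the config through options.
 
-
+Example of the `.secrets`:
 
-
-
-
+---
+:secrets_file: config/application.yml # file where your secrets are kept, depending on your environment gem (figaro, dotenv, etc)
+:secrets_repo: rails/my_project/ # vault 'repo' where your secrets will be kept.
+:secrets_field: secrets # a field in vault repo where the contents of secrets_file will be written
 
 ### Auth
 
 $ secrets auth
 
 You need to first authenticate yourself on vault server to be able to read and write.
-Needs to be done only _once_ for token.
+Needs to be done only _once_ for specific token.
+
+### Repos and environments
+
+Next 3 commands read and write to your project repo in vault. The value of the repo is generated by
+secrets_repo + environment. Example:
+
+`rails/my_project/development`
+
+Environment is `development` by default, but it can be overwriten by passing `--environment` option, or setting `RAILS_ENV` environment variable.
 
 ### Read
 
 $ secrets read
 
-This will only read from vault
-
+This will only read from vault.
+
+Example of executed command:
+
+vault read rails/my_project/development
 
 ### Pull
 
 $ secrets pull
 
-This will pull from vault and write to your secrets file.
+This will pull from vault and write to your secrets file.
 
 ### Push
 
 $ secrets push
 
-This will push from your secrets file to vault.
+This will push from your secrets file to vault.
 
 ## Development
 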
data/exe/secrets
CHANGED
@@ -14,8 +14,7 @@ command :init do |c|
|
|
14
14
|
c.syntax = 'secrets init [options]'
|
15
15
|
c.summary = 'Use to initialize project, create .secrets file'
|
16
16
|
c.option '-f', '--secrets_file STRING', String, 'Define secrets file'
|
17
|
-
c.option '-
|
18
|
-
c.option '-F', '--secrets_field STRING', String, 'Define secrets field'
|
17
|
+
c.option '-k', '--secrets_storage_key STRING', String, 'Define secrets storage_key'
|
19
18
|
c.action do |_args, options|
|
20
19
|
SecretsCli::Init.new(options).call
|
21
20
|
end
|
@@ -37,8 +36,7 @@ command :pull do |c|
|
|
37
36
|
c.summary = 'Use to read from vault server to secrets file'
|
38
37
|
c.option '-e', '--environment STRING', String, 'Set environment, default: development'
|
39
38
|
c.option '-f', '--secrets_file STRING', String, 'Override secrets_file'
|
40
|
-
c.option '-
|
41
|
-
c.option '-F', '--secrets_field STRING', String, 'Override secrets_field'
|
39
|
+
c.option '-k', '--secrets_storage_key STRING', String, 'Override secrets_storage_key'
|
42
40
|
c.option '-d', '--secrets_dir STRING', String, 'Override secrets_dir, default: "."'
|
43
41
|
c.action do |_args, options|
|
44
42
|
SecretsCli::Check::Secrets.new(options).call
|
@@ -52,8 +50,7 @@ command :push do |c|
|
|
52
50
|
c.option '-y', '--without_prompt', 'Push without prompt'
|
53
51
|
c.option '-e', '--environment STRING', String, 'Set environment, default: development'
|
54
52
|
c.option '-f', '--secrets_file STRING', String, 'Override secrets_file'
|
55
|
-
c.option '-
|
56
|
-
c.option '-F', '--secrets_field STRING', String, 'Override secrets_field'
|
53
|
+
c.option '-k', '--secrets_storage_key STRING', String, 'Override secrets_storage_key'
|
57
54
|
c.action do |_args, options|
|
58
55
|
SecretsCli::Check::Secrets.new(options).call
|
59
56
|
SecretsCli::Vault::Push.new(options).call
|
@@ -64,8 +61,7 @@ command :read do |c|
|
|
64
61
|
c.syntax = 'secrets read [options]'
|
65
62
|
c.summary = 'Use to only read from vault server without writing to secrets file'
|
66
63
|
c.option '-e', '--environment STRING', String, 'Set environment, default: development'
|
67
|
-
c.option '-
|
68
|
-
c.option '-F', '--secrets_field STRING', String, 'Override secrets_field'
|
64
|
+
c.option '-k', '--secrets_storage_key STRING', String, 'Override secrets_storage_key'
|
69
65
|
c.action do |_args, options|
|
70
66
|
SecretsCli::Check::Secrets.new(options).call
|
71
67
|
SecretsCli::Vault::Read.new(options).call
|
@@ -12,8 +12,7 @@ module SecretsCli
|
|
12
12
|
def call
|
13
13
|
error! 'Missing .secrets' unless File.exist?('.secrets')
|
14
14
|
error! 'Missing secrets_file' if missing_secret_file?
|
15
|
-
error! 'Missing
|
16
|
-
error! 'Missing secrets_field' if missing_secret_field?
|
15
|
+
error! 'Missing secrets_storage_key' if missing_secret_storage_key?
|
17
16
|
end
|
18
17
|
|
19
18
|
private
|
@@ -22,12 +21,8 @@ module SecretsCli
|
|
22
21
|
options.secrets_file.nil? && config.secrets_file.nil?
|
23
22
|
end
|
24
23
|
|
25
|
-
def
|
26
|
-
options.
|
27
|
-
end
|
28
|
-
|
29
|
-
def missing_secret_field?
|
30
|
-
options.secrets_field && config.secrets_field.nil?
|
24
|
+
def missing_secret_storage_key?
|
25
|
+
options.secrets_storage_key && config.secrets_storage_key.nil?
|
31
26
|
end
|
32
27
|
end
|
33
28
|
end
|
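Review bot: `missing_secret_storage_key?` is truthy only when the option is passed and the config value is absent, so a project with no storage key in either place passes this check. The sibling predicate shown as context in the same hunk uses `options.secrets_file.nil? && config.secrets_file.nil?`, and the new method should follow it: `options.secrets_storage_key.nil? && config.secrets_storage_key.nil?`. As written, a nil key would presumably reach the `File.join(secrets_storage_key, config.environment)` call in the Vault base class and fail there, or address an unintended path, instead of stopping with 'Missing secrets_storage_key'. The enclosing class starts outside the hunk.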
@@ -12,18 +12,18 @@ module SecretsCli
|
|
12
12
|
def call
|
13
13
|
error! 'Missing vault' if TTY::Which.which('vault').nil?
|
14
14
|
error! 'Missing VAULT_ADDR env' if ENV['VAULT_ADDR'].nil?
|
15
|
-
error! 'Missing
|
16
|
-
error! 'Missing
|
15
|
+
error! 'Missing VAULT_AUTH_TOKEN env' if missing_auth_token?
|
16
|
+
error! 'Missing VAULT_AUTH_METHOD env' if missing_auth_method?
|
17
17
|
end
|
18
18
|
|
19
19
|
private
|
20
20
|
|
21
21
|
def missing_auth_token?
|
22
|
-
options.auth_token.nil? && ENV['
|
22
|
+
options.auth_token.nil? && ENV['VAULT_AUTH_TOKEN'].nil?
|
23
23
|
end
|
24
24
|
|
25
25
|
def missing_auth_method?
|
26
|
-
options.auth_method.nil? && ENV['
|
26
|
+
options.auth_method.nil? && ENV['VAULT_AUTH_METHOD'].nil?
|
27
27
|
end
|
28
28
|
end
|
29
29
|
end
|
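Review bot: The variable names tested in `missing_auth_token?` and `missing_auth_method?` (`VAULT_AUTH_TOKEN`, `VAULT_AUTH_METHOD`) do not agree with the rest of this release as rendered on the page: the README documents `SECRETS_VAULT_AUTH_TOKEN` and `SECRETS_VAULT_AUTH_METHOD`, and the Vault auth initializer further down reads `ENV['_VAULT_AUTH_TOKEN']`. If those literals are accurate (the page truncates some lines, so confirm against the gem), the pre-flight check can pass on one variable while authentication reads another and gets nil. Defining each name once, e.g. `AUTH_TOKEN_ENV = 'SECRETS_VAULT_AUTH_TOKEN'.freeze`, and using that constant in the check, the initializer and the error message would keep them from drifting. The class body starts outside the hunk.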
@@ -15,12 +15,8 @@ module SecretsCli
|
|
15
15
|
config[:secrets_file]
|
16
16
|
end
|
17
17
|
|
18
|
-
def
|
19
|
-
config[:
|
20
|
-
end
|
21
|
-
|
22
|
-
def secrets_field
|
23
|
-
config[:secrets_field]
|
18
|
+
def secrets_storage_key
|
19
|
+
config[:secrets_storage_key]
|
24
20
|
end
|
25
21
|
|
26
22
|
def self.write(config)
|
data/lib/secrets_cli/init.rb
CHANGED
@@ -19,8 +19,7 @@ module SecretsCli
|
|
19
19
|
def config
|
20
20
|
{
|
21
21
|
secrets_file: secrets_file,
|
22
|
-
|
23
|
-
secrets_field: secrets_field
|
22
|
+
secrets_storage_key: secrets_storage_key
|
24
23
|
}
|
25
24
|
end
|
26
25
|
|
@@ -28,14 +27,10 @@ module SecretsCli
|
|
28
27
|
@secrets_file ||= options.secrets_file || SecretsCli::Prompts::SecretsFile.new.call
|
29
28
|
end
|
30
29
|
|
31
|
-
def
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
end
|
36
|
-
|
37
|
-
def secrets_field
|
38
|
-
options.secrets_field || SecretsCli::Prompts::SecretsField.new.call
|
30
|
+
def secrets_storage_key
|
31
|
+
storage_key = options.secrets_storage_key || SecretsCli::Prompts::SecretsStorageKey.new.call
|
32
|
+
storage_key << '/' unless storage_key.end_with?('/')
|
33
|
+
storage_key
|
39
34
|
end
|
40
35
|
end
|
41
36
|
end
|
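Review bot: `storage_key << '/'` appends in place to whatever object `options.secrets_storage_key` or the prompt returned, so it mutates the caller's option value, raises on a frozen string, and would raise NoMethodError if the prompt ever returns nil. A non-mutating form does the same job: `storage_key.end_with?('/') ? storage_key : "#{storage_key}/"`. Because this value is written to `.secrets` and later interpolated into the `vault` command line, this is also the natural place to reject keys containing whitespace or shell metacharacters before they are persisted.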
@@ -1,10 +1,10 @@
|
|
1
1
|
module SecretsCli
|
2
2
|
module Prompts
|
3
|
-
class
|
3
|
+
class SecretsStorageKey
|
4
4
|
include SecretsCli::Helpers
|
5
5
|
|
6
6
|
def call
|
7
|
-
prompt.ask('What will the secrets
|
7
|
+
prompt.ask('What will the secrets storage key be?', default: default)
|
8
8
|
end
|
9
9
|
|
10
10
|
private
|
@@ -5,8 +5,8 @@ module SecretsCli
|
|
5
5
|
|
6
6
|
def initialize(options)
|
7
7
|
super
|
8
|
-
@auth_token = options.auth_token || ENV['
|
9
|
-
@auth_method = options.auth_method || ENV['
|
8
|
+
@auth_token = options.auth_token || ENV['_VAULT_AUTH_TOKEN']
|
9
|
+
@auth_method = options.auth_method || ENV['VAULT_AUTH_METHOD']
|
10
10
|
end
|
11
11
|
|
12
12
|
private
|
@@ -15,7 +15,7 @@ module SecretsCli
|
|
15
15
|
if wait_thr.value.success?
|
16
16
|
prompt.ok(stdout_and_stderr.read)
|
17
17
|
else
|
18
|
-
error
|
18
|
+
prompt.error(stdout_and_stderr.read)
|
19
19
|
end
|
20
20
|
end
|
21
21
|
end
|
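Review bot: The failure branch now only prints Vault's output through `prompt.error`; nothing visible in this hunk stops the run or sets a non-zero exit status. The removed line is truncated on the page, so it is unclear whether it was the `error!` helper that the check classes use, but if it was, and that helper aborts, callers such as `pull` or a deploy script would now see success after a failed Vault call. Consider keeping the abort, e.g. `error! stdout_and_stderr.read`, or an explicit `exit 1` after printing. The method begins outside the hunk.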
@@ -26,8 +26,8 @@ module SecretsCli
|
|
26
26
|
fail NotImplementedError
|
27
27
|
end
|
28
28
|
|
29
|
-
def
|
30
|
-
File.join(
|
29
|
+
def secrets_full_storage_key
|
30
|
+
File.join(secrets_storage_key, config.environment)
|
31
31
|
end
|
32
32
|
end
|
33
33
|
end
|
@@ -1,12 +1,11 @@
|
|
1
1
|
module SecretsCli
|
2
2
|
module Vault
|
3
3
|
class Push < SecretsCli::Vault::Base
|
4
|
-
attr_reader :
|
4
|
+
attr_reader :secrets_storage_key, :secrets_field, :secrets, :secrets_file
|
5
5
|
|
6
6
|
def initialize(options)
|
7
7
|
super
|
8
|
-
@
|
9
|
-
@secrets_field = options.secrets_field || config.secrets_field
|
8
|
+
@secrets_storage_key = options.secrets_storage_key || config.secrets_storage_key
|
10
9
|
@secrets_file = options.secrets_file || config.secrets_file
|
11
10
|
@secrets = File.read(secrets_file)
|
12
11
|
end
|
@@ -19,11 +18,11 @@ module SecretsCli
|
|
19
18
|
private
|
20
19
|
|
21
20
|
def command
|
22
|
-
"vault write #{
|
21
|
+
"vault write #{secrets_full_storage_key} #{SECRETS_FIELD}=\"#{secrets}\""
|
23
22
|
end
|
24
23
|
|
25
24
|
def are_you_sure?
|
26
|
-
prompt.yes?("Are you sure you want to write #{secrets_file} to #{
|
25
|
+
prompt.yes?("Are you sure you want to write #{secrets_file} to #{secrets_full_storage_key}", default: 'Y')
|
27
26
|
end
|
28
27
|
end
|
29
28
|
end
|
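Review bot: `command` builds a shell string with the entire secrets file interpolated inside double quotes, so a double quote, `$`, backtick or backslash in a secret is interpreted by the shell (assuming the base class hands this string to Open3 as a single command), and the secret values appear in the process argument list. Vault's CLI can read a value from a file, which avoids both: `"vault write #{Shellwords.escape(secrets_full_storage_key)} #{SECRETS_FIELD}=@#{Shellwords.escape(secrets_file)}"` (needs `require 'shellwords'`). The storage key and environment come from `.secrets`, CLI options or `RAILS_ENV` and are interpolated unescaped here and in the `command` of the read class in the next hunk, so the same escaping applies there. `attr_reader :secrets_field` in the first hunk of this file no longer has a matching assignment and can be dropped.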
@@ -3,16 +3,15 @@ module SecretsCli
|
|
3
3
|
class Read < SecretsCli::Vault::Base
|
4
4
|
def initialize(options)
|
5
5
|
super
|
6
|
-
@
|
7
|
-
@secrets_field = options.secrets_field || config.secrets_field
|
6
|
+
@secrets_storage_key = options.secrets_storage_key || config.secrets_storage_key
|
8
7
|
end
|
9
8
|
|
10
9
|
private
|
11
10
|
|
12
|
-
attr_reader :
|
11
|
+
attr_reader :secrets_storage_key
|
13
12
|
|
14
13
|
def command
|
15
|
-
"vault read --field=#{
|
14
|
+
"vault read --field=#{SECRETS_FIELD} #{secrets_full_storage_key}"
|
16
15
|
end
|
17
16
|
end
|
18
17
|
end
|
data/lib/secrets_cli/version.rb
CHANGED
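--- a/data/lib/secrets_cli.rb
+++ b/data/lib/secrets_cli.rb
@@ -9,8 +9,7 @@ require 'secrets_cli/init'
 require 'secrets_cli/check/secrets'
 require 'secrets_cli/check/vault'
 require 'secrets_cli/prompts/secrets_file'
-require 'secrets_cli/prompts/
-require 'secrets_cli/prompts/secrets_field'
+require 'secrets_cli/prompts/secrets_storage_key'
 require 'secrets_cli/vault/base'
 require 'secrets_cli/vault/auth'
 require 'secrets_cli/vault/read'
@@ -22,4 +21,5 @@ require 'secrets_cli/version'
 
 module SecretsCli
 SECRETS_CONFIG_FILE = '.secrets'
+SECRETS_FIELD = 'secrets'
 end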
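--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secrets_cli
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.3.0
 platform: ruby
 authors:
 - Stjepan Hadjic
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-02-
+date: 2016-02-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -132,9 +132,8 @@ files:
 - lib/secrets_cli/configuration.rb
 - lib/secrets_cli/helpers.rb
 - lib/secrets_cli/init.rb
-- lib/secrets_cli/prompts/secrets_field.rb
 - lib/secrets_cli/prompts/secrets_file.rb
-- lib/secrets_cli/prompts/
+- lib/secrets_cli/prompts/secrets_storage_key.rb
 - lib/secrets_cli/vault/auth.rb
 - lib/secrets_cli/vault/base.rb
 - lib/secrets_cli/vault/pull.rb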