secrets_cli 0.4.0 → 1.0.0
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/README.md +6 -12
- data/exe/secrets +8 -10
- data/lib/secrets_cli/check/vault.rb +17 -1
- data/lib/secrets_cli/configuration.rb +1 -1
- data/lib/secrets_cli/vault/auth.rb +10 -5
- data/lib/secrets_cli/vault/base.rb +3 -8
- data/lib/secrets_cli/vault/pull.rb +7 -3
- data/lib/secrets_cli/vault/push.rb +3 -1
- data/lib/secrets_cli/vault/read.rb +4 -1
- data/lib/secrets_cli/version.rb +1 -1
- data/lib/secrets_cli.rb +3 -2
- data/secrets_cli.gemspec +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 4118924f144c963dee59107590614d200c292885
|
4
|
+
data.tar.gz: 345e252e99f89ddc81576c37ac2921ae1860e157
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 43b93238ba31eb5e30d5a336b8d7d3905f252bc8b93b2360553071475d31d66d2f0e8195ef6023878d968d185f9f39f58cf721335c98cf0d01b6c924e0dfee4e
|
7
|
+
data.tar.gz: 945a6e09d1a74943b820749ae92a9933793bef3d61c76d31c1657a1fa98d88b4c4bb6fc1e02a204bd42edd14098a3e657dd4f5202cc0f370d6de80dad998332c
|
data/.gitignore
CHANGED
data/README.md
CHANGED
@@ -24,8 +24,6 @@ Or install it yourself as:
|
|
24
24
|
|
25
25
|
## Prerequisites
|
26
26
|
|
27
|
-
`vault` must be installed on system. This gem adds a dependency to `vault-binaries` which will install `vault` for you.
|
28
|
-
|
29
27
|
The following environment variables need to be set:
|
30
28
|
|
31
29
|
For `vault` itself:
|
@@ -34,8 +32,10 @@ For `vault` itself:
|
|
34
32
|
|
35
33
|
For `secrets_cli`:
|
36
34
|
|
37
|
-
VAULT_AUTH_METHOD - this is auth method ('github' or '
|
35
|
+
VAULT_AUTH_METHOD - this is auth method ('github', 'token' or 'app_id' supported for now)
|
38
36
|
VAULT_AUTH_TOKEN - this is vault auth token
|
37
|
+
VAULT_AUTH_APP_ID - machine app_id
|
38
|
+
VAULT_AUTH_USER_ID - machine user_id which matches app_id
|
39
39
|
|
40
40
|
For github token you only need `read:org` permissions.
|
41
41
|
|
@@ -57,12 +57,11 @@ Example of the `.secrets`:
|
|
57
57
|
:secrets_file: config/application.yml # file where your secrets are kept, depending on your environment gem (figaro, dotenv, etc)
|
58
58
|
:secrets_storage_key: rails/my_project/ # vault 'storage_key' where your secrets will be kept.
|
59
59
|
|
60
|
-
###
|
60
|
+
### Policies
|
61
61
|
|
62
|
-
$ secrets
|
62
|
+
$ secrets policies
|
63
63
|
|
64
|
-
|
65
|
-
Needs to be done only _once_ for specific token.
|
64
|
+
To get all the policies your auth grants please use this command.
|
66
65
|
|
67
66
|
### storage_keys and environments
|
68
67
|
|
@@ -79,10 +78,6 @@ Environment is `development` by default, but it can be overwriten by passing `--
|
|
79
78
|
|
80
79
|
This will only read from vault.
|
81
80
|
|
82
|
-
Example of executed command:
|
83
|
-
|
84
|
-
vault read rails/my_project/development
|
85
|
-
|
86
81
|
### Pull
|
87
82
|
|
88
83
|
$ secrets pull
|
@@ -109,4 +104,3 @@ Bug storage_keyrts and pull requests are welcome on GitHub at https://github.com
|
|
109
104
|
## License
|
110
105
|
|
111
106
|
The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
|
112
|
-
|
data/exe/secrets
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
#!/usr/bin/env ruby
|
2
2
|
|
3
|
-
|
3
|
+
$LOAD_PATH << 'lib'
|
4
4
|
require 'rubygems'
|
5
5
|
require 'commander/import'
|
6
6
|
require 'secrets_cli'
|
@@ -20,13 +20,11 @@ command :init do |c|
|
|
20
20
|
end
|
21
21
|
end
|
22
22
|
|
23
|
-
command :
|
24
|
-
c.syntax = 'secrets
|
25
|
-
c.summary = '
|
26
|
-
c.option '-T', '--auth_token STRING', String, 'Auth token or $SECRETS_VAULT_AUTH_TOKEN'
|
27
|
-
c.option '-m', '--auth_method STRING', String, 'github or token'
|
23
|
+
command :policies do |c|
|
24
|
+
c.syntax = 'secrets policies'
|
25
|
+
c.summary = 'Check what policies your auth has'
|
28
26
|
c.action do |_args, options|
|
29
|
-
|
27
|
+
options.default verbose: true
|
30
28
|
SecretsCli::Vault::Auth.new(options).call
|
31
29
|
end
|
32
30
|
end
|
@@ -39,7 +37,7 @@ command :pull do |c|
|
|
39
37
|
c.option '-k', '--secrets_storage_key STRING', String, 'Override secrets_storage_key'
|
40
38
|
c.option '-d', '--secrets_dir STRING', String, 'Override secrets_dir, default: "."'
|
41
39
|
c.action do |_args, options|
|
42
|
-
SecretsCli::
|
40
|
+
SecretsCli::Vault::Auth.new(options).call
|
43
41
|
SecretsCli::Vault::Pull.new(options).call
|
44
42
|
end
|
45
43
|
end
|
@@ -52,7 +50,7 @@ command :push do |c|
|
|
52
50
|
c.option '-f', '--secrets_file STRING', String, 'Override secrets_file'
|
53
51
|
c.option '-k', '--secrets_storage_key STRING', String, 'Override secrets_storage_key'
|
54
52
|
c.action do |_args, options|
|
55
|
-
SecretsCli::
|
53
|
+
SecretsCli::Vault::Auth.new(options).call
|
56
54
|
SecretsCli::Vault::Push.new(options).call
|
57
55
|
end
|
58
56
|
end
|
@@ -63,7 +61,7 @@ command :read do |c|
|
|
63
61
|
c.option '-e', '--environment STRING', String, 'Set environment, default: development'
|
64
62
|
c.option '-k', '--secrets_storage_key STRING', String, 'Override secrets_storage_key'
|
65
63
|
c.action do |_args, options|
|
66
|
-
SecretsCli::
|
64
|
+
SecretsCli::Vault::Auth.new(options).call
|
67
65
|
SecretsCli::Vault::Read.new(options).call
|
68
66
|
end
|
69
67
|
end
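Review bot: `$LOAD_PATH << 'lib'` at the top of the executable is a relative entry, resolved against whatever directory the user happens to run `secrets` from, so a `lib/commander/import.rb`, `lib/vault.rb` or similar file in a project checkout would likely be picked up by the plain `require`s below before RubyGems falls back to activating the real gem — a tool that handles credentials should not load code from the working directory. The gem's own `lib` is already on the load path once the gem is activated, so the line can simply be dropped; if it exists for running from a source checkout, use an absolute path such as `$LOAD_PATH.unshift(File.expand_path('../lib', __dir__))` and only when invoked from the repo. Separately, `pull`, `push` and `read` now run `SecretsCli::Vault::Auth.new(options).call` first and appear to depend on that call leaving a client token behind for the command that follows; a one-line comment above each, `# logs in and leaves the ::Vault client token set for the command below`, would make that dependency explicit.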
|
@@ -12,8 +12,12 @@ module SecretsCli
|
|
12
12
|
def call
|
13
13
|
error! 'Missing vault' if TTY::Which.which('vault').nil?
|
14
14
|
error! 'Missing VAULT_ADDR env' if ENV['VAULT_ADDR'].nil?
|
15
|
-
error! 'Missing VAULT_AUTH_TOKEN env' if missing_auth_token?
|
16
15
|
error! 'Missing VAULT_AUTH_METHOD env' if missing_auth_method?
|
16
|
+
if auth_method == 'app_id'
|
17
|
+
error! 'Missing VAULT_AUTH_APP_ID' if missing_auth_app_id?
|
18
|
+
error! 'Missing VAULT_AUTH_USER_ID' if missing_auth_user_id?
|
19
|
+
end
|
20
|
+
error! 'Missing VAULT_AUTH_TOKEN env' if missing_auth_token?
|
17
21
|
end
|
18
22
|
|
19
23
|
private
|
@@ -25,6 +29,18 @@ module SecretsCli
|
|
25
29
|
def missing_auth_method?
|
26
30
|
options.auth_method.nil? && ENV['VAULT_AUTH_METHOD'].nil?
|
27
31
|
end
|
32
|
+
|
33
|
+
def missing_auth_app_id?
|
34
|
+
options.auth_app_id.nil? && ENV['VAULT_AUTH_APP_ID'].nil?
|
35
|
+
end
|
36
|
+
|
37
|
+
def missing_auth_user_id?
|
38
|
+
options.auth_user_id.nil? && ENV['VAULT_AUTH_USER_ID'].nil?
|
39
|
+
end
|
40
|
+
|
41
|
+
def auth_method
|
42
|
+
ENV['VAULT_AUTH_METHOD']
|
43
|
+
end
|
28
44
|
end
|
29
45
|
end
|
30
46
|
end
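Review bot: The `VAULT_AUTH_TOKEN` check moved to the end of `call` still runs unconditionally, so a user of the new `app_id` method must also export a token that the app_id login never uses (Auth only passes `auth_app_id`/`auth_user_id` to `::Vault.auth.app_id`); gate it, `error! 'Missing VAULT_AUTH_TOKEN env' if auth_method != 'app_id' && missing_auth_token?`. The new `auth_method` helper reads only `ENV['VAULT_AUTH_METHOD']` while `missing_auth_method?` also accepts `options.auth_method`, so a method supplied through options would pass the presence check yet never select the app_id branch; use `options.auth_method || ENV['VAULT_AUTH_METHOD']` in both places. The `TTY::Which.which('vault')` check on the first context line looks stale now that the tool talks to Vault through the `vault` gem rather than the binary (the README in this same release drops the `vault-binaries` prerequisite).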
|
@@ -5,20 +5,25 @@ module SecretsCli
|
|
5
5
|
|
6
6
|
def initialize(options)
|
7
7
|
super
|
8
|
-
|
9
|
-
@auth_method =
|
8
|
+
SecretsCli::Check::Vault.new(options).call
|
9
|
+
@auth_method = ENV['VAULT_AUTH_METHOD']
|
10
|
+
@auth_token = ENV['VAULT_AUTH_TOKEN']
|
11
|
+
@auth_app_id = ENV['VAULT_AUTH_APP_ID']
|
12
|
+
@auth_user_id = ENV['VAULT_AUTH_USER_ID']
|
10
13
|
end
|
11
14
|
|
12
15
|
private
|
13
16
|
|
14
|
-
attr_reader :auth_token, :auth_method
|
17
|
+
attr_reader :auth_token, :auth_method, :auth_app_id, :auth_user_id
|
15
18
|
|
16
19
|
def command
|
17
20
|
case auth_method
|
18
21
|
when 'github'
|
19
|
-
|
22
|
+
::Vault.auth.github(auth_token).auth[:policies]
|
20
23
|
when 'token'
|
21
|
-
|
24
|
+
::Vault.auth.token(auth_token).auth[:policies]
|
25
|
+
when 'app_id'
|
26
|
+
::Vault.auth.app_id(auth_app_id, auth_user_id).auth[:policies]
|
22
27
|
else
|
23
28
|
error! "Unknown auth method #{auth_method}"
|
24
29
|
end
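Review bot: `command` only returns `auth[:policies]`, yet Pull/Push/Read run immediately after `Auth#call` and can only work if `::Vault.auth.github`/`token`/`app_id` also install the resulting client token on the shared `::Vault` client as a side effect; nothing in this class says so, and a reader would reasonably assume the login result is discarded. Add above `case auth_method`: `# the vault gem's auth.* calls set ::Vault.token on success; Pull/Push/Read rely on that`. `initialize` now takes its four values exclusively from ENV although `Check::Vault` (run on the line above) honours `options.auth_method` and `options.auth_app_id`; either read them here the same way, `@auth_method = options.auth_method || ENV['VAULT_AUTH_METHOD']`, or drop them from the check so the two cannot disagree.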
|
@@ -10,14 +10,9 @@ module SecretsCli
|
|
10
10
|
end
|
11
11
|
|
12
12
|
def call
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
prompt.ok(stdout_and_stderr.read)
|
17
|
-
else
|
18
|
-
error(stdout_and_stderr.read)
|
19
|
-
end
|
20
|
-
end
|
13
|
+
options.verbose ? prompt.ok(command) : command
|
14
|
+
rescue => exception
|
15
|
+
error!(exception.message)
|
21
16
|
end
|
22
17
|
|
23
18
|
private
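Review bot: With the Open3 path gone, `call` prints `command`'s return value whenever `options.verbose` is set, and for Pull and Read that value is the secret payload itself, so `secrets pull -v` would write every secret to the terminal (Read relies on this deliberately through its verbose default). State that above the line, `# verbose echoes the command result; for Pull/Read that is the secret payload`, or better separate progress logging from result output so `-v` never means "print secrets". The bare `rescue => exception` also catches unrelated StandardErrors (for example a NoMethodError on a nil read result) and reports only their message, hiding where the failure came from; consider rescuing the vault gem's own error class for the API case and letting the rest surface.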
|
@@ -5,14 +5,18 @@ module SecretsCli
|
|
5
5
|
|
6
6
|
def initialize(options)
|
7
7
|
super
|
8
|
+
SecretsCli::Check::Secrets.new(options).call
|
8
9
|
@secrets_file = options.secrets_file || config.secrets_file
|
9
10
|
@secrets_dir = options.secrets_dir || '.'
|
10
11
|
end
|
11
12
|
|
12
|
-
|
13
|
-
|
13
|
+
private
|
14
|
+
|
15
|
+
def command
|
16
|
+
secrets = super
|
14
17
|
print_verbose("Writing to #{secrets_file}")
|
15
|
-
File.open(File.join(secrets_dir, secrets_file), 'w') { |
|
18
|
+
File.open(File.join(secrets_dir, secrets_file), 'w') { |file| file.write(secrets) }
|
19
|
+
secrets
|
16
20
|
end
|
17
21
|
end
|
18
22
|
end
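Review bot: `command` writes the pulled secrets with `File.open(path, 'w')` and no permission argument, so a newly created secrets file gets the process umask's default mode (typically 0644, world-readable) — the wrong default for a file whose purpose is to hold credentials. Create it owner-only and tighten an existing file as well: `path = File.join(secrets_dir, secrets_file)`, `File.open(path, 'w', 0o600) { |file| file.write(secrets) }`, `File.chmod(0o600, path)`. The `secrets = super` line presumably yields whatever `Read#command` returns; if that can be nil for a missing key, `file.write(nil)` silently truncates the local file to empty, so a guard before the write (or in Read) is worth adding.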
|
@@ -5,6 +5,7 @@ module SecretsCli
|
|
5
5
|
|
6
6
|
def initialize(options)
|
7
7
|
super
|
8
|
+
SecretsCli::Check::Secrets.new(options).call
|
8
9
|
@secrets_storage_key = options.secrets_storage_key || config.secrets_storage_key
|
9
10
|
@secrets_file = options.secrets_file || config.secrets_file
|
10
11
|
@secrets = File.read(secrets_file)
|
@@ -18,7 +19,8 @@ module SecretsCli
|
|
18
19
|
private
|
19
20
|
|
20
21
|
def command
|
21
|
-
|
22
|
+
::Vault.logical.write(secrets_full_storage_key, SECRETS_FIELD => secrets)
|
23
|
+
secrets
|
22
24
|
end
|
23
25
|
|
24
26
|
def are_you_sure?
|
@@ -3,6 +3,8 @@ module SecretsCli
|
|
3
3
|
class Read < SecretsCli::Vault::Base
|
4
4
|
def initialize(options)
|
5
5
|
super
|
6
|
+
options.default verbose: true
|
7
|
+
SecretsCli::Check::Secrets.new(options).call
|
6
8
|
@secrets_storage_key = options.secrets_storage_key || config.secrets_storage_key
|
7
9
|
end
|
8
10
|
|
@@ -11,7 +13,8 @@ module SecretsCli
|
|
11
13
|
attr_reader :secrets_storage_key
|
12
14
|
|
13
15
|
def command
|
14
|
-
|
16
|
+
secret = ::Vault.logical.read(secrets_full_storage_key)
|
17
|
+
secret.data[SECRETS_FIELD]
|
15
18
|
end
|
16
19
|
end
|
17
20
|
end
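Review bot: `command` calls `secret.data[SECRETS_FIELD]` without checking the read result; if `::Vault.logical.read` returns nil for a path that does not exist (as the vault gem does on a 404, to my knowledge), this raises NoMethodError and Base reports only "undefined method `data' for nil", which tells the user nothing about the key that was looked up. Guard it: `secret = ::Vault.logical.read(secrets_full_storage_key)`, `error! "No secrets found at #{secrets_full_storage_key}" if secret.nil?`, `secret.data[SECRETS_FIELD]`. In `initialize`, `options.default verbose: true` is set before `Check::Secrets` runs; a comment such as `# read always prints: the secret payload is its output` would explain why this class flips the default that Pull and Push leave off.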
|
data/lib/secrets_cli/version.rb
CHANGED
data/lib/secrets_cli.rb
CHANGED
@@ -3,6 +3,7 @@ require 'tty-prompt'
|
|
3
3
|
require 'tty-which'
|
4
4
|
require 'open3'
|
5
5
|
require 'singleton'
|
6
|
+
require 'vault'
|
6
7
|
require 'secrets_cli/helpers'
|
7
8
|
require 'secrets_cli/configuration'
|
8
9
|
require 'secrets_cli/init'
|
@@ -17,9 +18,9 @@ require 'secrets_cli/vault/pull'
|
|
17
18
|
require 'secrets_cli/vault/push'
|
18
19
|
require 'secrets_cli/version'
|
19
20
|
|
20
|
-
|
21
|
+
require 'pry'
|
21
22
|
|
22
23
|
module SecretsCli
|
23
24
|
SECRETS_CONFIG_FILE = '.secrets'
|
24
|
-
SECRETS_FIELD =
|
25
|
+
SECRETS_FIELD = :secrets
|
25
26
|
end
|
data/secrets_cli.gemspec
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: secrets_cli
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 1.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Stjepan Hadjic
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-
|
11
|
+
date: 2016-04-01 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -95,7 +95,7 @@ dependencies:
|
|
95
95
|
- !ruby/object:Gem::Version
|
96
96
|
version: 0.4.0
|
97
97
|
- !ruby/object:Gem::Dependency
|
98
|
-
name: vault
|
98
|
+
name: vault
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|
100
100
|
requirements:
|
101
101
|
- - ">="
|