secrets_manager 0.1.0.rc1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 591fa8a47b755504c95eaa952c9b5fbe1242c1f22d32258846b57b2bd02a922e
+  data.tar.gz: 8412a6e7b76eb42744ad8f5506f003cbc71081de6f653190cb12f8793527bb5f
+SHA512:
+  metadata.gz: e50276d674daca2c4c399f7a1437fcdf41b6dfc1dee7cd0047957b8fc5d7323188bad374fa6e7dd0338b50f9bff3c7ea522770be9acdd4cf0809c4cb011f5977
+  data.tar.gz: bdfb15987e387471426c3abbcd05d843afbdce137f0e52135876a6c2f6ebfdcce58a1e9dc2f3416092d408c14ebc487c00549e06ac70ea601b30125564a9a9fd

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2018 hmatic
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,112 @@
+# Secrets Manager gem
+Easy secrets management for AWS Secret Manager service.
+This gem provides:
+- Rails hook (injects secrets directly into ENV when booting Rails)
+- CLI (pull, read, delete, update secrets using simple CLI interface) 
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'secrets_manager'
+```
+
+And then execute:
+```bash
+$ bundle install
+```
+
+Or install it yourself as:
+```bash
+$ gem install secrets_manager
+```
+
+## Configure
+Secret_manager uses `secrets.json` to configure how it handles secrets. Here is example of secrets.json file together with explaination of each option:
+
+```json
+{
+  "app": {
+    "id": "$environment/app",
+    "input": "json",
+    "type": "env",
+    "path": "config/application.yml"
+  },
+  "tmp_file_secret": {
+    "id": "production/tmp_secret",
+    "input": "plaintext",
+    "type": "file",
+    "path": "tmp/tmp_secret.txt"
+  }
+}
+```
+ID is obligatory, other options can be left out and default will be used.
+
+#### ID
+Represents secret_id used to retrieve secret from AWS Secret Manager.
+
+It is possible to provide `$environment` which will be interpolated to:
+- value provided in `--environment` or `-e` option when using CLI commands
+- `Rails.env` when using Rails hook
+
+#### INPUT
+Defines format of secret coming from AWS Secret Manager. Two possible values: `json` and `plaintext`.
+
+If specified as `json`, secret will be parsed in KEY-VALUE format.
+
+If specified as `plaintext`, secret will be treated as string.
+
+Defaults to `json`.
+
+#### TYPE
+Defines type of injection during boot. Two possible values: `env` and `file`.
+
+If specified as `env`, secret will be injected into ENV variables during Rails boot.
+
+If specified as `file`, file containing secret will be created during Rails boot.
+
+Defaults to `env`.
+
+#### PATH
+Defines path where secrets will be pulled when using CLI.
+
+Rails hook will check if this file exists. If it exists, Rails hook will ignore secrets which have this path specified in configuration.
+
+Defaults to `config/application.yml`.
+
+## Authorization
+Use same authorization process as AWS-CLI:
+https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
+
+## Rails usage
+In order to use Rails hook, it's enough to define this gem in Gemfile.
+
+## CLI usage
+Secrets Manager CLI provides several commands:
+
+### HELP
+List all commands and their descriptions:
+```
+secrets-manager help
+```
+You can use it with specific command:
+```
+secrets-manager help <command>
+```
+
+### PULL
+Pull secrets locally:
+```
+secrets-manager pull
+```
+Options:
+- `--environment` (`-e`) - interpolate $environment variable in configuration (defaults to **development**)
+- `--path` (`-p`) - path to configuration file (defaults to **secrets.json**)
+
+### More commands coming soon :)
+
+## Contributing
+Contributing is possible once v1.0 is released. Feel free to open PRs/issues.
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,27 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'SecretsManager'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test

data/bin/secrets-manager

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require "secrets_manager/cli"
+
+SecretsManager::CLI.start

data/bin/secrets_manager

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require "secrets_manager/cli"
+
+SecretsManager::CLI.start

data/lib/secrets_manager/cli/base.rb

@@ -0,0 +1,41 @@
+require 'secrets_manager/config'
+require 'secrets_manager/client'
+require 'secrets_manager/helpers'
+
+module SecretsManager
+  module Cli
+    class Base
+      include SecretsManager::Helpers
+
+      attr_reader :client
+
+      def initialize(options)
+        @options = options
+        @client = SecretsManager::Client.new
+      end
+
+      def run
+        config.init
+        execute
+      end
+
+      private
+
+      def execute
+        raise NotImplementedError
+      end
+
+      def config_path
+        File.join(Dir.pwd, @options['path'])
+      end
+
+      def environment
+        @options['environment']
+      end
+
+      def config
+        @config ||= SecretsManager::Config.new(config_path, environment)
+      end
+    end
+  end
+end

data/lib/secrets_manager/cli/pull.rb

@@ -0,0 +1,31 @@
+require 'secrets_manager/cli/base'
+require 'yaml'
+
+module SecretsManager
+  module Cli
+    class Pull < Base
+
+      private
+
+      def execute
+        config.secrets.each do |secret|
+          write_to_file(output(secret), secret.path) && sucess_msg(secret)
+        end
+      end
+
+      def output(secret)
+        return client.get_secret_string(secret.id) if secret.plaintext?
+
+        secret_hash = client.get_secret_hash(secret.id)
+
+        return if secret_hash.nil?
+        return secret_hash.to_yaml[4..-1] if secret.yaml_output?
+        return JSON.pretty_generate secret_hash if secret.json_output?
+      end
+
+      def sucess_msg(secret)
+        puts "Pulled \"#{secret.id}\" secret to \"#{secret.path}\"."
+      end
+    end
+  end
+end

data/lib/secrets_manager/cli.rb

@@ -0,0 +1,28 @@
+require 'thor'
+
+module SecretsManager
+  class CLI < Thor
+    # secrets-manager pull
+    desc "pull", "Pull secrets"
+
+    method_option 'path',
+      aliases: ['-p'],
+      default: 'secrets.json',
+      desc: 'Specify a json configuration file path'
+    method_option 'environment',
+      aliases: ['-e'],
+      default: 'development',
+      desc: 'Specify current environment'
+
+    def pull
+      require 'secrets_manager/cli/pull'
+      SecretsManager::Cli::Pull.new(options).run
+    end
+
+    # TODO: secrets-manager read
+    # TODO: secrets-manager delete
+    # TODO: secrets-manager update
+    # TODO: secrets-manager update-value
+    # TODO: secrets-manager create
+  end
+end

data/lib/secrets_manager/client.rb

@@ -0,0 +1,32 @@
+require 'aws-sdk-secretsmanager'
+
+module SecretsManager
+  class Client
+    def initialize
+      @client = Aws::SecretsManager::Client.new
+    end
+
+    def get_secret_string(secret_id)
+      @client.get_secret_value(secret_id: secret_id).secret_string
+    rescue Aws::SecretsManager::Errors::ServiceError
+      aws_error(secret_id)
+    end
+
+    def get_secret_hash(secret_id)
+      return if (secret_string = get_secret_string(secret_id)).nil?
+
+      JSON.parse(secret_string)
+    rescue JSON::ParserError
+      json_parsing_error(secret_id)
+    end
+
+    def json_parsing_error(secret_id)
+      puts "Could not parse JSON in \"#{secret_id}\" secret. Please check your secret contents."
+      puts 'You can also define your secret type as "plaintext".'
+    end
+
+    def aws_error(secret_id)
+      puts "Could not retrieve \"#{secret_id}\" secret from AWS. Please check you configured everything correctly."
+    end
+  end
+end

data/lib/secrets_manager/config.rb

@@ -0,0 +1,64 @@
+require 'json'
+
+module SecretsManager
+  class Config
+    attr_reader :secrets
+
+    def initialize(config_path, environment)
+      @config_path = config_path
+      @environment = environment
+      @secrets = []
+    end
+
+    def init
+      return unless File.file?(@config_path)
+
+      configuration = JSON.parse(config_string, symbolize_names: true)
+      configuration.each do |k, v|
+        @secrets << SecretConfig.new(k, v[:id], v[:input], v[:type], v[:path])
+      end
+
+      self
+    end
+
+    def config_string
+      File.read(@config_path).gsub('$environment', @environment)
+    end
+
+    class SecretConfig
+      attr_reader :name, :id, :input, :type, :path
+
+      def initialize(name, id, input, type, path)
+        @name = name
+        @id = id
+        @input = input || 'json'
+        @type = type || 'env'
+        @path = path || 'config/application.yml'
+      end
+
+      def plaintext?
+        input == 'plaintext'
+      end
+
+      def json?
+        input == 'json'
+      end
+
+      def to_env?
+        type == 'env'
+      end
+
+      def to_file?
+        type == 'file'
+      end
+
+      def yaml_output?
+        path.strip.end_with? '.yml'
+      end
+
+      def json_output?
+        path.strip.end_with? '.json'
+      end
+    end
+  end
+end

data/lib/secrets_manager/helpers.rb

@@ -0,0 +1,16 @@
+require 'pathname'
+
+module SecretsManager
+  module Helpers
+    def write_to_file(content, file_path)
+      return false if content.nil? || content.empty?
+
+      Pathname(file_path).dirname.mkpath
+      File.open(File.join(Dir.pwd, file_path), 'w') do |f|
+        f.puts content
+      end
+
+      true
+    end
+  end
+end

data/lib/secrets_manager/version.rb

@@ -0,0 +1,3 @@
+module SecretsManager
+  VERSION = '0.1.0.rc1'.freeze
+end

data/lib/secrets_manager.rb

@@ -0,0 +1,5 @@
+require "secrets_manager/railtie"
+
+module SecretsManager
+
+end

data/lib/tasks/productive_secrets_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :productive_secrets do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,117 @@
+--- !ruby/object:Gem::Specification
+name: secrets_manager
+version: !ruby/object:Gem::Version
+  version: 0.1.0.rc1
+platform: ruby
+authors:
+- hmatic
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-12-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-secretsmanager
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.20.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.20.0
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Gem provides CLI for secrets manipulation and Rails hook which injects
+  secrets into ENV upon booting.
+email:
+- web.hmatic@gmail.com
+executables:
+- secrets_manager
+- secrets-manager
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- bin/secrets-manager
+- bin/secrets_manager
+- lib/secrets_manager.rb
+- lib/secrets_manager/cli.rb
+- lib/secrets_manager/cli/base.rb
+- lib/secrets_manager/cli/pull.rb
+- lib/secrets_manager/client.rb
+- lib/secrets_manager/config.rb
+- lib/secrets_manager/helpers.rb
+- lib/secrets_manager/version.rb
+- lib/tasks/productive_secrets_tasks.rake
+homepage: http://hrvojematic.com
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.8
+signing_key: 
+specification_version: 4
+summary: Easy secret management for AWS Secret Manager
+test_files: []