secure_credentials 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 67f34834484a909ed1ca0cdb4da8d09a57f9c1f2381237c6a22f95081827d4c9
+  data.tar.gz: 2da212d3f2e4941c269937cbb40484b2e27d5d38609c224ca92a3b4d1af8d258
+SHA512:
+  metadata.gz: b0bbf47d6d142af404268bbfe991c40e9f502dc065e780fdcf2d6fa003c7bc6eaf374ee7c2a2d9aa2d4795266e2c561641d115425ee539afce23b803b9542577
+  data.tar.gz: a6284aa14dd2998ca6cb6ca5fdd0bab26f5274a978704cf4339fc961ddca7df780352057b612a3f12786f782f659f4d247ad748de2ede16aaf951cd1eee7146d

data/.codeclimate.yml

@@ -0,0 +1,8 @@
+checks:
+  method-complexity:
+    config:
+      threshold: 6 # should be just fine
+
+plugins:
+  rubocop:
+    enabled: true

data/.gitignore

@@ -0,0 +1,12 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+Gemfile.lock
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,44 @@
+# This config aims:
+#
+#   - compact, readable and reusable source,
+#   - consistent constructions (same things stay the same in different context),
+#   - consistent indentation,
+#   - avoiding unnecessary lines in diffs
+#   - wise usage of Ruby features and expressiveness.
+
+AllCops:
+  TargetRubyVersion: 2.2
+
+Layout/AlignParameters: {EnforcedStyle: with_fixed_indentation}
+
+# Allows copy-pasting to repl.
+Layout/DotPosition: {EnforcedStyle: trailing}
+
+Layout/SpaceInsideHashLiteralBraces: {EnforcedStyle: no_space}
+
+# # Keep everything consistent.
+Layout/SpaceBeforeBlockBraces: {EnforcedStyleForEmptyBraces: space}
+
+# Offences named scopes and `expect {}.to change {}`.
+Lint/AmbiguousBlockAssociation: {Enabled: false}
+
+# It's removed from next rubocop version.
+Lint/SplatKeywordArguments: {Enabled: false}
+
+# Other metrics are just enough.
+# This one offences all specs, routes and some initializers.
+Metrics/BlockLength: {Enabled: false}
+Metrics/LineLength: {Max: 100}
+Metrics/MethodLength: {Max: 30}
+
+Style/Alias: {EnforcedStyle: prefer_alias_method}
+
+Style/FrozenStringLiteralComment: {EnforcedStyle: never}
+
+Style/Lambda: {EnforcedStyle: literal}
+
+Style/RescueStandardError: {EnforcedStyle: implicit}
+Style/SignalException: {EnforcedStyle: only_raise}
+
+Style/TrailingCommaInArrayLiteral: {EnforcedStyleForMultiline: consistent_comma}
+Style/TrailingCommaInHashLiteral: {EnforcedStyleForMultiline: consistent_comma}

data/.travis.yml

@@ -0,0 +1,16 @@
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.5
+  - 2.4
+
+notifications:
+  email: false
+
+# for 2.5.0 until 2.5.1 is released:
+#   https://github.com/travis-ci/travis-ci/issues/8978
+#   https://github.com/travis-ci/travis-ci/issues/8969#issuecomment-354135622
+before_install:
+  - gem update --system
+  - gem install bundler

data/Gemfile

@@ -0,0 +1,14 @@
+source 'https://rubygems.org'
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in gemspec file
+gemspec
+
+gem 'rspec', '~> 3.7'
+gem 'rspec-its', '~> 1.2'
+
+gem 'rubocop', '~> 0.56'
+
+gem 'pry', '~> 0.11'
+gem 'pry-byebug', '~> 3.6'

data/README.md

@@ -0,0 +1,103 @@
+# SecureCredentials
+
+[![Gem Version](https://badge.fury.io/rb/secure_credentials.svg)](http://badge.fury.io/rb/secure_credentials)
+[![Code Climate](https://codeclimate.com/github/printercu/secure_credentials/badges/gpa.svg)](https://codeclimate.com/github/printercu/secure_credentials)
+[![Build Status](https://travis-ci.org/printercu/secure_credentials.svg)](https://travis-ci.org/printercu/secure_credentials)
+
+Makes it possible to use best of encrypted credentials
+and environment-dependent secrets. Sharing encryption keys with
+every developer in a team is a security issue, and purpose of this gem
+is to help you to avoid it.
+
+## Rationale
+
+Rails 5.2 brings good idea of storing encrypted credentials in the repo:
+credentials are securely tracked in version control, less chances to face an issue
+during deployment, etc. However there are several drawbacks in current implementation:
+
+- It's hard to manage environment-specific credentials.
+  For example, use some different browser api keys in development and production,
+  one is whitelisted for `locahost` and other one for app's domain.
+- In most cases it's required to share `master.key` with every developer.
+  This is not acceptable for a lot of teams, and framework must serve their needs too.
+
+There are a couple ways to workaround this issues, but all of them brings
+unnecessary complexity. This gem takes best from new encrypted `credentials.yml.enc`
+and multi-environmental `secrets.yml`. It allows to use combination
+of encrypted and plain files for same configuration in different environments.
+For example, having encrypted `credentials.production.yml.enc` for production
+and multi-environmental `credentials.yml` for all other environments.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'secure_credentials'
+```
+
+And then execute:
+
+    $ bundle
+
+## Usage
+
+By default this gem patches Rails::Application to make `#credentials`, `#secrets` and `#encrypted`
+use Rails-compatible wrapper around SecureCredentials::Store.
+
+SecureCredentials::Store provides read-write interface for YAML configuration files. It supports:
+
+  - both encrypted and plain files,
+  - both file-per-environment and multi-environment files.
+
+It takes base path of configuration file (for example, `config/secrets`)
+and environment value. Then it tries to find the most appropriate file
+for this configuration in following order:
+
+    "#{base}.#{env}.yml.enc"
+    "#{base}.#{env}.yml"
+    "#{base}.yml.enc"
+    "#{base}.yml"
+
+If environment specific file is present, it's whole content is returned.
+Otherwise `env` is used to fetch appropriate section.
+
+Key for decoding encoded files can be passed:
+
+  - in `key` argument;
+  - envvar identified by `env_key`, default is to upcased basename appended with `_KEY`
+    (ex., `SECRETS_KEY`);
+  - in file found at `key_path`,
+    by default it uses filename and replaces `.yml.enc` with `.key`
+    (`secrets.production.key` for `secrets.production.yml.enc`);
+  - `SecureCredentials.master_key` which is read from `config/master.key` in Rails apps.
+
+Use `rails encrypted path/to/file.yml.enc -k path/to/key.key` to edit encrypted files.
+Missing `.key` and `.yml` files are automatically created when you edit them for the first time.
+
+## Best practices
+
+- __Don't keep master.key in local repo!__
+
+  It's the as PIN-code written on backside of credit card.
+  Keep it in secure place and use it when you need to modify credentials.
+
+- Don't share production credentials with those who must not access them.
+
+  Secrets get less secret every time they are shared.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies.
+Then, run `rake spec` to run the tests.
+You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`.
+To release a new version, update the version number in `version.rb`,
+and then run `bundle exec rake release`, which will create a git tag for the version,
+push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at
+https://github.com/printercu/secure_credentials.

data/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/console

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'secure_credentials'
+
+require 'pry'
+Pry.start

data/bin/git-hooks/pre-commit

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+pattern=$(echo -n '\.rb
+\.gemspec
+\.jbuilder
+\.rake
+config\.ru
+Gemfile
+Rakefile' | tr "\\n" '|')
+
+files=`git diff --cached --name-status | grep -E "^[AM].*($pattern)$" | cut -f2-`
+if [ -n "$files" ]; then
+  bundle exec rubocop $files --force-exclusion
+fi

data/bin/install_git_hooks

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+
+root = File.expand_path('../', __dir__)
+hooks_dir = "#{root}/bin/git-hooks"
+
+`ls -1 #{hooks_dir}`.each_line.map(&:strip).each do |file|
+  `ln -sf #{hooks_dir}/#{file} #{root}/.git/hooks/#{file}`
+end

data/bin/setup

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here
+bin/install_git_hooks

data/lib/secure_credentials.rb

@@ -0,0 +1,24 @@
+require 'secure_credentials/version'
+
+# Makes it possible to use best of encrypted credentials
+# and environment-dependent secrets. Sharing encryption keys with
+# every developer in a team is a security issue, and purpose of this gem
+# is to help you to avoid it.
+module SecureCredentials
+  class FileNotFound < StandardError; end
+
+  module_function
+
+  attr_writer :master_key
+
+  def master_key
+    return @master_key if @master_key
+    return unless defined?(::Rails)
+    key_path = ::Rails.root.join('config/master.key')
+    key_path.binread.strip if key_path.exist?
+  end
+end
+
+require 'secure_credentials/store'
+require 'secure_credentials/credentials'
+require 'secure_credentials/rails' if defined?(Rails)

data/lib/secure_credentials/credentials.rb

@@ -0,0 +1,31 @@
+require 'active_support/ordered_options'
+require 'active_support/core_ext/hash/keys'
+require 'active_support/core_ext/module/delegation'
+
+module SecureCredentials
+  # Wraps store into compatible with Rails::Application#credentials interface.
+  class Credentials
+    attr_reader :store
+    private :store
+
+    delegate_missing_to :data
+
+    def initialize(store)
+      @store = store
+    end
+
+    # Required by `rails encrypted` command.
+    delegate :change, :read, to: :store
+
+    # Required by `rails encrypted` command.
+    def key
+      store.send(:encrypted_file).key if store.encrypted?
+    rescue ActiveSupport::EncryptedFile::MissingKeyError
+      nil
+    end
+
+    def data
+      @data ||= ActiveSupport::OrderedOptions.new.merge(store.content.deep_symbolize_keys)
+    end
+  end
+end

data/lib/secure_credentials/encrypted_file.rb

@@ -0,0 +1,29 @@
+require 'securerandom'
+require 'active_support/encrypted_file'
+
+module SecureCredentials
+  # Wraps ActiveSupport::EncryptedFile and provides passing key as an argument.
+  # Automatically generates missing key filenames based on store filename.
+  class EncryptedFile < ActiveSupport::EncryptedFile
+    class << self
+      # Same file name but with `.key` extension instead of `.enc`.
+      def default_key_path_for(filename)
+        filename.sub_ext('.key')
+      end
+    end
+
+    def initialize(path, key = nil, key_path: nil, env_key: nil)
+      @key = key
+      super(
+        content_path: path,
+        key_path: key_path || self.class.default_key_path_for(path),
+        env_key: env_key,
+        raise_if_missing_key: true,
+      )
+    end
+
+    def key
+      @key || read_env_key || read_key_file || SecureCredentials.master_key || handle_missing_key
+    end
+  end
+end

data/lib/secure_credentials/no_rails_patch.rb

@@ -0,0 +1,4 @@
+# Use `gem 'rails-secure_credentials', require: 'secure_credentials/no_rails_patch'
+# to load gem without patching rails.
+RAILS_SECURE_CREDENTIALS_SKIP_PATCH = true
+require 'secure_credentials'

data/lib/secure_credentials/rails.rb

@@ -0,0 +1,4 @@
+unless defined?(RAILS_SECURE_CREDENTIALS_SKIP_PATCH)
+  require 'secure_credentials/rails/application_methods'
+  Rails::Application.prepend SecureCredentials::Rails::ApplicationMethods
+end

data/lib/secure_credentials/rails/application_methods.rb

@@ -0,0 +1,27 @@
+require 'secure_credentials/credentials'
+require 'secure_credentials/store'
+
+module SecureCredentials
+  module Rails
+    # Provides patch for Rails::Application, to make it use SecureCredentials
+    # as a replacement for built-in `#credentials` and `#secrets`.
+    module ApplicationMethods
+      def secrets
+        @secrets ||= read_secure_credentials('config/secrets')
+      end
+
+      def credentials
+        @credentials ||= read_secure_credentials('config/credentials')
+      end
+
+      def read_secure_credentials(path, key_path: nil, **options)
+        key_path &&= ::Rails.root.join(key_path)
+        store = Store.new(::Rails.root.join(path), key_path: key_path, env: ::Rails.env, **options)
+        Credentials.new(store)
+      end
+
+      # Override default #credentials method.
+      alias_method :encrypted, :read_secure_credentials
+    end
+  end
+end

data/lib/secure_credentials/store.rb

@@ -0,0 +1,113 @@
+require 'secure_credentials/encrypted_file'
+require 'yaml'
+
+module SecureCredentials
+  # Store provides read-write interface for YAML configuration files. It supports:
+  #
+  #   - both encrypted and plain files,
+  #   - both file-per-environment and multi-environment files.
+  #
+  # It takes base path of configuration file (for example, `config/secrets`)
+  # and environment value. Then it tries to find the most appropriate file
+  # for this configuration in following order:
+  #
+  #     "#{base}.#{env}.yml.enc"
+  #     "#{base}.#{env}.yml"
+  #     "#{base}.yml.enc"
+  #     "#{base}.yml"
+  #
+  # Key for decoding encoded files can be passed:
+  #
+  #   - in `key` argument;
+  #   - envvar identified by `env_key`, default is to upcased basename appended with `_KEY`
+  #     (ex., `SECRETS_KEY`);
+  #   - in file found at `key_path`,
+  #     by default it uses filename and replaces `.yml.enc` with `.key`
+  #     (`secrets.production.key` for `secrets.production.yml.enc`);
+  #   - SecureCredentials.master_key.
+  #
+  # If environment specific file is present, it's whole content is returned.
+  # Otherwise `env` is used to fetch appropriate section.
+  class Store
+    class << self
+      # Finds the most appropriate existing file for given path and env.
+      # Returns `[environmental?, encrypted?, filename]`.
+      def detect_filename(path, env)
+        stub_ext_path = Pathname.new("#{path}.stub")
+        if path.basename.to_s.include?('.yml')
+          [false, path.basename.to_s.end_with?('.enc'), path]
+        else
+          [
+            [true,  true,   stub_ext_path.sub_ext(".#{env}.yml.enc")],
+            [true,  false,  stub_ext_path.sub_ext(".#{env}.yml")],
+            [false, true,   stub_ext_path.sub_ext('.yml.enc')],
+            [false, false,  stub_ext_path.sub_ext('.yml')],
+          ].find { |x| x[2].exist? }
+        end
+      end
+
+      def env_key_for(path)
+        "#{path.basename.to_s.upcase}_KEY"
+      end
+
+      # ERB -> YAML.safe_load with aliases support.
+      def load_yaml(string)
+        YAML.safe_load(ERB.new(string).result, [], [], true)
+      end
+    end
+
+    attr_reader :path, :filename, :env, :environmental, :encrypted
+    alias_method :environmental?, :environmental
+    alias_method :encrypted?, :encrypted
+
+    def initialize(path, key = nil, env: nil, key_path: nil, env_key: nil)
+      @path = path = Pathname.new(path)
+      @env = env
+      @environmental, @encrypted, @filename = self.class.detect_filename(path, env)
+      @key = key
+      @key_path = key_path || filename && filename.sub_ext('').sub_ext('.key')
+      @env_key = env_key || self.class.env_key_for(path)
+    end
+
+    # Fetches appropriate environmental content or returns whole content
+    # in the case of single-environment file.
+    def content
+      result = environmental? ? full_content : full_content[env.to_s]
+      result || {}
+    end
+
+    # Read file content.
+    def read
+      return '' unless filename && filename.exist?
+      if encrypted?
+        encrypted_file.read
+      else
+        filename.read
+      end
+    end
+
+    # Prepares file for edition, yields filename and then saves updated file.
+    def change(&block)
+      raise FileNotFound, "File not found for '#{path}'" unless filename && filename.exist?
+      if encrypted?
+        encrypted_file.change(&block)
+      else
+        yield filename
+      end
+    end
+
+    private
+
+    attr_reader :key, :key_path, :env_key
+
+    def full_content
+      string = read
+      result = self.class.load_yaml(string) if string.present?
+      result || {}
+    end
+
+    def encrypted_file
+      EncryptedFile.new(filename, key, key_path: key_path, env_key: env_key)
+    end
+  end
+end

data/lib/secure_credentials/version.rb

@@ -0,0 +1,3 @@
+module SecureCredentials
+  VERSION = '0.1.1'.freeze
+end

data/secure_credentials.gemspec

@@ -0,0 +1,26 @@
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'secure_credentials/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'secure_credentials'
+  spec.version       = SecureCredentials::VERSION
+  spec.authors       = ['Max Melentiev']
+  spec.email         = ['melentievm@gmail.com']
+
+  spec.summary       = 'Rails credentials without security issues. With environments support.'
+  spec.homepage      = 'https://github.com/printercu/secure_credentials'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'activesupport', '~> 5.2'
+
+  spec.add_development_dependency 'bundler', '~> 1.16'
+  spec.add_development_dependency 'rake', '~> 10.0'
+end

metadata

@@ -0,0 +1,106 @@
+--- !ruby/object:Gem::Specification
+name: secure_credentials
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- Max Melentiev
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2018-06-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.2'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: 
+email:
+- melentievm@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".codeclimate.yml"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- README.md
+- Rakefile
+- bin/console
+- bin/git-hooks/pre-commit
+- bin/install_git_hooks
+- bin/setup
+- lib/secure_credentials.rb
+- lib/secure_credentials/credentials.rb
+- lib/secure_credentials/encrypted_file.rb
+- lib/secure_credentials/no_rails_patch.rb
+- lib/secure_credentials/rails.rb
+- lib/secure_credentials/rails/application_methods.rb
+- lib/secure_credentials/store.rb
+- lib/secure_credentials/version.rb
+- secure_credentials.gemspec
+homepage: https://github.com/printercu/secure_credentials
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: Rails credentials without security issues. With environments support.
+test_files: []