RubyGems - secure_credentials - Versions diffs - 0.1.1 → 0.2.1 - Mend

secure_credentials 0.1.1 → 0.2.1

Files changed (14) hide show

checksums.yaml +4 -4
data/.gitignore +2 -0
data/.travis.yml +3 -7
data/Appraisals +7 -0
data/CHANGELOG.md +5 -0
data/Gemfile +2 -0
data/README.md +16 -15
data/gemfiles/rails_5.1.gemfile +13 -0
data/gemfiles/rails_5.2.gemfile +13 -0
data/lib/secure_credentials/active_support/encrypted_file.rb +104 -0
data/lib/secure_credentials/encrypted_file.rb +5 -1
data/lib/secure_credentials/version.rb +1 -1
data/secure_credentials.gemspec +2 -2
metadata +12 -8

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 67f34834484a909ed1ca0cdb4da8d09a57f9c1f2381237c6a22f95081827d4c9
-  data.tar.gz: 2da212d3f2e4941c269937cbb40484b2e27d5d38609c224ca92a3b4d1af8d258
+  metadata.gz: 3f105345f86816004375c9c6aec5e6d48330f14768e4da243f0f0edf0894341b
+  data.tar.gz: c0a64940f0b7d72c8f338797dc4d35dd1493c88f8fdb2abd733ba6d7bb152947
 SHA512:
-  metadata.gz: b0bbf47d6d142af404268bbfe991c40e9f502dc065e780fdcf2d6fa003c7bc6eaf374ee7c2a2d9aa2d4795266e2c561641d115425ee539afce23b803b9542577
-  data.tar.gz: a6284aa14dd2998ca6cb6ca5fdd0bab26f5274a978704cf4339fc961ddca7df780352057b612a3f12786f782f659f4d247ad748de2ede16aaf951cd1eee7146d
+  metadata.gz: 36475092d3f12f08d1ab749694318bafe52c88a84b873149ab51fe3e13eaddd8dea317d1c05d541ec58a692a9c984d63a33cfe01c6094f64bc1484f71f265760
+  data.tar.gz: 6234c6c383e3ceff2c6db4f502e11a2325d7d61c8b1511588205d50f5750bbd90ebc26da5f0d631d7b67bc7aca246914abce0a0cecf0e9dc7a0873676fcecd74

data/.gitignore CHANGED Viewed

@@ -6,6 +6,8 @@
 /pkg/
 /spec/reports/
 /tmp/
+/gemfiles/.bundle
+/gemfiles/*.lock
 Gemfile.lock
 # rspec failure tracking

data/.travis.yml CHANGED Viewed

@@ -4,13 +4,9 @@ cache: bundler
 rvm:
   - 2.5
   - 2.4
+gemfile:
+  - gemfiles/rails_5.2.gemfile
+  - gemfiles/rails_5.1.gemfile
 notifications:
   email: false
-# for 2.5.0 until 2.5.1 is released:
-#   https://github.com/travis-ci/travis-ci/issues/8978
-#   https://github.com/travis-ci/travis-ci/issues/8969#issuecomment-354135622
-before_install:
-  - gem update --system
-  - gem install bundler

data/Appraisals ADDED Viewed

@@ -0,0 +1,7 @@
+appraise 'rails_5.2' do
+  gem 'activesupport', '~> 5.2.0'
+end
+appraise 'rails_5.1' do
+  gem 'activesupport', '~> 5.1.0'
+end

data/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,5 @@
+# 0.2.1
+- Rails 5.1 support.
+# 0.1.1
+- Initial release

data/Gemfile CHANGED Viewed

@@ -5,6 +5,8 @@ git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
 # Specify your gem's dependencies in gemspec file
 gemspec
+gem 'appraisal'
 gem 'rspec', '~> 3.7'
 gem 'rspec-its', '~> 1.2'

data/README.md CHANGED Viewed

@@ -4,30 +4,29 @@
 [![Code Climate](https://codeclimate.com/github/printercu/secure_credentials/badges/gpa.svg)](https://codeclimate.com/github/printercu/secure_credentials)
 [![Build Status](https://travis-ci.org/printercu/secure_credentials.svg)](https://travis-ci.org/printercu/secure_credentials)
-Makes it possible to use best of encrypted credentials
-and environment-dependent secrets. Sharing encryption keys with
-every developer in a team is a security issue, and purpose of this gem
-is to help you to avoid it.
 ## Rationale
 Rails 5.2 brings good idea of storing encrypted credentials in the repo:
-credentials are securely tracked in version control, less chances to face an issue
+credentials are securely tracked in version control, less chance to face an issue
 during deployment, etc. However there are several drawbacks in current implementation:
 - It's hard to manage environment-specific credentials.
-  For example, use some different browser api keys in development and production,
+  For example, to use different browser api keys in development and production,
   one is whitelisted for `locahost` and other one for app's domain.
 - In most cases it's required to share `master.key` with every developer.
   This is not acceptable for a lot of teams, and framework must serve their needs too.
 There are a couple ways to workaround this issues, but all of them brings
-unnecessary complexity. This gem takes best from new encrypted `credentials.yml.enc`
-and multi-environmental `secrets.yml`. It allows to use combination
+unnecessary complexity. This gem takes best from new encrypted credentials (`credentials.yml.enc`)
+and multi-environmental secrets (`secrets.yml`). It allows to use combination
 of encrypted and plain files for same configuration in different environments.
 For example, having encrypted `credentials.production.yml.enc` for production
 and multi-environmental `credentials.yml` for all other environments.
+There are some other issues caused by storing `master.key` in local repo.
+See this wiki page for details:<br>
+[Rails 5.2 credentials are not secure](https://github.com/printercu/secure_credentials/wiki/Rails-5.2-credentials-are-not-secure).
 ## Installation
 Add this line to your application's Gemfile:
@@ -45,7 +44,7 @@ And then execute:
 By default this gem patches Rails::Application to make `#credentials`, `#secrets` and `#encrypted`
 use Rails-compatible wrapper around SecureCredentials::Store.
-SecureCredentials::Store provides read-write interface for YAML configuration files. It supports:
+SecureCredentials::Store provides read-write access to YAML configuration files. It supports:
   - both encrypted and plain files,
   - both file-per-environment and multi-environment files.
@@ -65,26 +64,28 @@ Otherwise `env` is used to fetch appropriate section.
 Key for decoding encoded files can be passed:
   - in `key` argument;
-  - envvar identified by `env_key`, default is to upcased basename appended with `_KEY`
+  - in envvar identified by `env_key`, default is to upcased basename appended with `_KEY`
     (ex., `SECRETS_KEY`);
   - in file found at `key_path`,
     by default it uses filename and replaces `.yml.enc` with `.key`
     (`secrets.production.key` for `secrets.production.yml.enc`);
   - `SecureCredentials.master_key` which is read from `config/master.key` in Rails apps.
-Use `rails encrypted path/to/file.yml.enc -k path/to/key.key` to edit encrypted files.
+To edit encrypted files use `rails encrypted:edit path/to/file.yml.enc -k path/to/key.key`.
 Missing `.key` and `.yml` files are automatically created when you edit them for the first time.
 ## Best practices
-- __Don't keep master.key in local repo!__
+- __Don't keep master.key in local working directory!__
-  It's the as PIN-code written on backside of credit card.
+  It's like a PIN-code written on backside of credit card.
   Keep it in secure place and use it when you need to modify credentials.
-- Don't share production credentials with those who must not access them.
+- Don't share production credentials with those team members who don't need to access them.
   Secrets get less secret every time they are shared.
+  It's better to share some particular keys to selected developers,
+  instead of giving everybody access to all keys.
 ## Development

data/gemfiles/rails_5.1.gemfile ADDED Viewed

@@ -0,0 +1,13 @@
+# This file was generated by Appraisal
+source "https://rubygems.org"
+gem "appraisal"
+gem "rspec", "~> 3.7"
+gem "rspec-its", "~> 1.2"
+gem "rubocop", "~> 0.56"
+gem "pry", "~> 0.11"
+gem "pry-byebug", "~> 3.6"
+gem "activesupport", "~> 5.1.0"
+gemspec path: "../"

data/gemfiles/rails_5.2.gemfile ADDED Viewed

@@ -0,0 +1,13 @@
+# This file was generated by Appraisal
+source "https://rubygems.org"
+gem "appraisal"
+gem "rspec", "~> 3.7"
+gem "rspec-its", "~> 1.2"
+gem "rubocop", "~> 0.56"
+gem "pry", "~> 0.11"
+gem "pry-byebug", "~> 3.6"
+gem "activesupport", "~> 5.2.0"
+gemspec path: "../"

data/lib/secure_credentials/active_support/encrypted_file.rb ADDED Viewed

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+# Copied from activesupport 5.2
+# rubocop:disable all
+require "pathname"
+require "active_support/message_encryptor"
+module ActiveSupport
+  class EncryptedFile
+    class MissingContentError < RuntimeError
+      def initialize(content_path)
+        super "Missing encrypted content file in #{content_path}."
+      end
+    end
+    class MissingKeyError < RuntimeError
+      def initialize(key_path:, env_key:)
+        super \
+          "Missing encryption key to decrypt file with. " +
+          "Ask your team for your master key and write it to #{key_path} or put it in the ENV['#{env_key}']."
+      end
+    end
+    CIPHER = "aes-128-gcm"
+    def self.generate_key
+      SecureRandom.hex(ActiveSupport::MessageEncryptor.key_len(CIPHER))
+    end
+    attr_reader :content_path, :key_path, :env_key, :raise_if_missing_key
+    def initialize(content_path:, key_path:, env_key:, raise_if_missing_key:)
+      @content_path, @key_path = Pathname.new(content_path), Pathname.new(key_path)
+      @env_key, @raise_if_missing_key = env_key, raise_if_missing_key
+    end
+    def key
+      read_env_key || read_key_file || handle_missing_key
+    end
+    def read
+      if !key.nil? && content_path.exist?
+        decrypt content_path.binread
+      else
+        raise MissingContentError, content_path
+      end
+    end
+    def write(contents)
+      IO.binwrite "#{content_path}.tmp", encrypt(contents)
+      FileUtils.mv "#{content_path}.tmp", content_path
+    end
+    def change(&block)
+      writing read, &block
+    end
+    private
+      def writing(contents)
+        tmp_file = "#{Process.pid}.#{content_path.basename.to_s.chomp('.enc')}"
+        tmp_path = Pathname.new File.join(Dir.tmpdir, tmp_file)
+        tmp_path.binwrite contents
+        yield tmp_path
+        updated_contents = tmp_path.binread
+        write(updated_contents) if updated_contents != contents
+      ensure
+        FileUtils.rm(tmp_path) if tmp_path.exist?
+      end
+      def encrypt(contents)
+        encryptor.encrypt_and_sign contents
+      end
+      def decrypt(contents)
+        encryptor.decrypt_and_verify contents
+      end
+      def encryptor
+        @encryptor ||= ActiveSupport::MessageEncryptor.new([ key ].pack("H*"), cipher: CIPHER)
+      end
+      def read_env_key
+        ENV[env_key]
+      end
+      def read_key_file
+        key_path.binread.strip if key_path.exist?
+      end
+      def handle_missing_key
+        raise MissingKeyError, key_path: key_path, env_key: env_key if raise_if_missing_key
+      end
+  end
+end
+# rubocop:enable all

data/lib/secure_credentials/encrypted_file.rb CHANGED Viewed

@@ -1,5 +1,9 @@
 require 'securerandom'
-require 'active_support/encrypted_file'
+begin
+  require 'active_support/encrypted_file'
+rescue LoadError
+  require 'secure_credentials/active_support/encrypted_file'
+end
 module SecureCredentials
   # Wraps ActiveSupport::EncryptedFile and provides passing key as an argument.

data/lib/secure_credentials/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SecureCredentials
-  VERSION = '0.1.1'.freeze
+  VERSION = '0.2.1'.freeze
 end

data/secure_credentials.gemspec CHANGED Viewed

@@ -19,8 +19,8 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
-  spec.add_dependency 'activesupport', '~> 5.2'
+  spec.add_dependency 'activesupport', '~> 5.1'
-  spec.add_development_dependency 'bundler', '~> 1.16'
+  spec.add_development_dependency 'bundler', '> 1.16'
   spec.add_development_dependency 'rake', '~> 10.0'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_credentials
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.1
 platform: ruby
 authors:
 - Max Melentiev
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2018-06-01 00:00:00.000000000 Z
+date: 2019-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,26 +16,26 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '5.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '5.1'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">"
       - !ruby/object:Gem::Version
         version: '1.16'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">"
       - !ruby/object:Gem::Version
         version: '1.16'
 - !ruby/object:Gem::Dependency
@@ -64,6 +64,8 @@ files:
 - ".rspec"
 - ".rubocop.yml"
 - ".travis.yml"
+- Appraisals
+- CHANGELOG.md
 - Gemfile
 - README.md
 - Rakefile
@@ -71,7 +73,10 @@ files:
 - bin/git-hooks/pre-commit
 - bin/install_git_hooks
 - bin/setup
+- gemfiles/rails_5.1.gemfile
+- gemfiles/rails_5.2.gemfile
 - lib/secure_credentials.rb
+- lib/secure_credentials/active_support/encrypted_file.rb
 - lib/secure_credentials/credentials.rb
 - lib/secure_credentials/encrypted_file.rb
 - lib/secure_credentials/no_rails_patch.rb
@@ -98,8 +103,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.6
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: Rails credentials without security issues. With environments support.