trapdoor 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6)
  1. checksums.yaml +7 -0
  2. data/README.md +33 -0
  3. data/lib/fs.rb +21 -0
  4. data/lib/hash.rb +17 -0
  5. data/lib/trapdoor.rb +47 -0
  6. metadata +46 -0
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: fc2362b2a0d309422e3496c6f5d7bc48e43515ff2b69cd5e647455efe932baa9
4
+ data.tar.gz: 15bd431d03de752a46c04ba482be0d4109d6b6bb960bca2ed40675aaae855885
5
+ SHA512:
6
+ metadata.gz: a379e920d73e48565ecfad445980935e630e180f311539538e81e913b35214dce869f283ab8f91130f0f6ac4fc9383095fdd09b65ca40b29f4fb3c932cd7aa1f
7
+ data.tar.gz: e565d57865346e4fe8010adfd8e3100d07374ffc384494f6e1bc661f0dbad5d1513a5fb3ded7111b8c368c879a3ee3aa241766dfd536320eda5e3664b31bbd14
data/README.md ADDED
@@ -0,0 +1,33 @@
1
+ # trapdoor
2
+
3
+ trapdoor monkeypatches `ENV` so any secret values are available when asked for by name (i.e. `ENV['SOME_SECRET']`) but are hidden when requested in bulk (i.e. `ENV.to_h`, `ENV.inspect`, iterators). This was designed to be a drop in replacement for codebases that use `ENV` to hold secrets but also use developer tools that may cause these values to be accidentally logged.
4
+
5
+ ## Installation
6
+
7
+ 1. Add to your Gemfile and install with bundle, or `gem install trapdoor`
8
+ 2. `require 'trapdoor'`
9
+
10
+ ## Walkthrough
11
+
12
+ Let's start by inspecting the environment in the repl. We can see `SECRET_API_TOKEN` and its value.
13
+
14
+ ```
15
+ > ENV
16
+ => {... "SECRET_API_TOKEN"=>"987tfghjo0987yt"}
17
+ ```
18
+
19
+ After loading `trapdoor`, let's tell it to hide this specific value then inspect the environment again.
20
+
21
+ ```
22
+ > ENV.hide "SECRET_API_TOKEN"
23
+ > ENV
24
+ => {... "SECRET_API_TOKEN"=>"**REDACTED**"}
25
+ ```
26
+
27
+ But we can see this value can still be accessed just like before:
28
+ ```
29
+ > ENV['SECRET_API_TOKEN']
30
+ => "987tfghjo0987yt"
31
+ ```
32
+
33
+ Additionally, we can call `ENV.start_smuggling` to start redacting all new environment variables. This can be useful if you insert sensitive variables into the environment afterwards so that any non-pre loaded values are redacted.
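Review bot: The walkthrough at README lines 19-33 does not match the code added in lib/trapdoor.rb in this same release. `hide` there is just `ENV.delete key`, so after `ENV.hide "SECRET_API_TOKEN"` the variable is gone from the real environment: `ENV['SECRET_API_TOKEN']` returns nil unless a backend already holds it, and `to_h` has nothing to print as `"**REDACTED**"`. Line 33 also shows `ENV.start_smuggling` with no arguments, while the method is declared as `start_smuggling(backend:)` with a required keyword. Either bring the implementation in line with the documented behaviour or rewrite the walkthrough, and document the two backends (`Secret_Hash`, `Secret_FS`) and `smuggle`, which the README never mentions.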
data/lib/fs.rb ADDED
@@ -0,0 +1,21 @@
1
+ class Secret_FS
2
+ def initialize(base:)
3
+ @base = base
4
+ @cache = {}
5
+ end
6
+
7
+ def [](key)
8
+ return @cache[key] if @cache.include? key
9
+ return @cache[key] = get_secret(secret: key)
10
+ end
11
+
12
+ def []=(key, value)
13
+ raise "NOOOOOOOOOO"
14
+ end
15
+
16
+ private
17
+
18
+ def get_secret(secret:)
19
+ open("#{@base}/#{secret.downcase}.txt").read
20
+ end
21
+ end
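Review bot: `get_secret` at line 19 interpolates the caller-supplied key straight into the path, `"#{@base}/#{secret.downcase}.txt"`, with no check for path separators or `..`, so a key such as `../../other/file` reads outside `@base`. This matters because `ENV#[]` in lib/trapdoor.rb falls through to `@backend[key]` for every name that is not set in the real environment, which turns any such lookup into a file read. Restrict keys to a fixed character set (for example letters, digits and underscore) before building the path, and use `File.read(File.join(@base, ...))` so the handle is closed; `open(...).read` leaves it to the garbage collector. A missing file currently raises `Errno::ENOENT` out of `ENV[...]`, where callers expect nil for an unset variable, so rescue it and return nil. The class also has no method listing its keys, yet `to_h` in lib/trapdoor.rb calls `@backend.hash.map`, which on this object is `Object#hash` (an Integer) and will fail.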
data/lib/hash.rb ADDED
@@ -0,0 +1,17 @@
1
+ class Secret_Hash
2
+ attr_accessor :hash
3
+
4
+ def initialize(hash:)
5
+ @hash = hash
6
+ end
7
+
8
+ def [](key)
9
+ @hash[key]
10
+ end
11
+
12
+ def []=(key, value)
13
+ raise "No writing please"
14
+
15
+ @hash[key] = value
16
+ end
17
+ end
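Review bot: In `[]=` (lines 12-16) the `raise "No writing please"` is unconditional, so `@hash[key] = value` on line 15 is unreachable. Since `ENV#[]=` and `smuggle` in lib/trapdoor.rb both delegate to `@backend[key] = value`, every environment assignment raises a RuntimeError once smuggling is started with this backend. Decide whether the backend is read-only (then drop line 15 and raise a specific error class) or writable (then drop the raise). Separately, `attr_accessor :hash` on line 2 overrides `Object#hash` and hands out both a reader and a writer for the raw secret table; a reader under a different name that returns only the keys would serve the redaction in `to_h` without exposing the values.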
data/lib/trapdoor.rb ADDED
@@ -0,0 +1,47 @@
1
+ require './lib/fs'
2
+ require './lib/hash'
3
+
4
+ ENV.instance_eval do
5
+ OLD_ASSIGN = ENV.method(:[]=)
6
+ OLD_HASH = ENV.method(:[])
7
+ OLD_TO_H = ENV.method(:to_h)
8
+ SMUGGLED = {}
9
+ @smuggling = false
10
+
11
+ def start_smuggling(backend:)
12
+ @backend = backend
13
+ @smuggling = true
14
+ end
15
+
16
+ def [](key)
17
+ value = OLD_HASH.call key
18
+ return value unless value.nil?
19
+ return @backend[key] if @smuggling
20
+ end
21
+
22
+ def []=(key, value)
23
+ if @smuggling
24
+ @backend[key] = value
25
+ else
26
+ OLD_ASSIGN.call(key, value)
27
+ end
28
+ end
29
+
30
+ def smuggle(key, value)
31
+ @backend[key] = value
32
+ end
33
+
34
+ def hide(key)
35
+ ENV.delete key
36
+ end
37
+
38
+ def to_h
39
+ OLD_TO_H.call.merge(@backend.hash.map { |k,v|
40
+ [k, "**REDACTED**"]
41
+ }.to_h)
42
+ end
43
+
44
+ def inspect
45
+ to_h.inspect
46
+ end
47
+ end
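Review bot: `hide` at lines 34-36 deletes the variable instead of moving it into the backend, so the secret is lost rather than hidden; something like `smuggle(key, ENV.delete(key))` is what the README describes. Further points in this hunk: `require './lib/fs'` and `require './lib/hash'` (lines 1-2) resolve against the process working directory, so they fail once the gem is installed and will load whatever `lib/fs.rb` happens to sit in the application's own directory; use `require_relative`. `@backend` is nil until `start_smuggling` is called, so `smuggle`, `to_h` and `inspect` raise NoMethodError on nil if the gem is merely required; guard on `@smuggling` as `[]` and `[]=` already do. `[]=` under smuggling never calls `OLD_ASSIGN`, so values set that way are not passed to child processes, which is worth stating in the documentation.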
metadata ADDED
@@ -0,0 +1,46 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: trapdoor
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.4.0
5
+ platform: ruby
6
+ authors:
7
+ - OMAR
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2023-01-22 00:00:00.000000000 Z
12
+ dependencies: []
13
+ description: trapdoor
14
+ email:
15
+ executables: []
16
+ extensions: []
17
+ extra_rdoc_files: []
18
+ files:
19
+ - README.md
20
+ - lib/fs.rb
21
+ - lib/hash.rb
22
+ - lib/trapdoor.rb
23
+ homepage: https://github.com/ancat/trapdoor
24
+ licenses:
25
+ - MIT
26
+ metadata: {}
27
+ post_install_message:
28
+ rdoc_options: []
29
+ require_paths:
30
+ - lib
31
+ required_ruby_version: !ruby/object:Gem::Requirement
32
+ requirements:
33
+ - - ">="
34
+ - !ruby/object:Gem::Version
35
+ version: '2.5'
36
+ required_rubygems_version: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - ">="
39
+ - !ruby/object:Gem::Version
40
+ version: '0'
41
+ requirements: []
42
+ rubygems_version: 3.1.6
43
+ signing_key:
44
+ specification_version: 4
45
+ summary: Expose sensitive values to your environment without leaking them
46
+ test_files: []
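Review bot: The `files:` list (lines 18-22) together with `require_paths: - lib` puts `fs.rb` and `hash.rb` at the top level of the load path, so any application that depends on this gem can resolve `require 'fs'` or `require 'hash'` to these files, and they can collide with other gems using the same names. Move them under `lib/trapdoor/` and namespace the classes in a `Trapdoor` module. For a gem whose purpose is handling secrets, it would also help to fill in `email:` (line 14) and `metadata:` (line 26) so there is a contact and source link for reports, and to replace `description: trapdoor` with an actual description.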