vaml 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: be6b490176d6f15d95fcc857f59070092e8b6a4d
+  data.tar.gz: 508da870ab0559220448c30b2a23879b185242ef
+SHA512:
+  metadata.gz: eed59d3d4c072a25d87a3a906e9b5df3a35c15f645a3d7c164eb47386c8b75f353692f9ab4041f23007c1e96b4e40d6f7d76b2440d71a9bf85ce6d91642bd297
+  data.tar.gz: a1ed95d6cd38d82f3bef07ddf9a2b0b9ab1df483ebead2a0b6c2ba8ed416549c736d4e821308ba0a83b063334d1ef94b6bd5e364f8749a1bb4af31206e4ac894

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/Gemfile

@@ -0,0 +1,5 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in vaml.gemspec
+gemspec
+gem 'psych'

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Dipesh
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,149 @@
+# Vaml
+
+Vaml is Vault with YAML, and a little sweet of Github. It helps you manage your app's secrets from your yml files.
+It also provides support for Github Auth Integration, so you can easily control key access to developers.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'vaml'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install vaml
+
+## Usage
+
+### Configuration
+```
+Vaml.configure do |v|
+  v.host = "http://127.0.0.1:8200"
+  v.organization = 'xxx'
+  v.token = ENV['VAULT_TOKEN']
+end
+```
+
+or
+
+`Vaml.configure(host: 'xxx', organization: 'xxx', token: 'xxx')`
+
+
+## Adding secrets
+The gem provides a rake task that you can use to add secrets. As a developer, if you want to add a new secret:
+
+* Use the following syntax in you YML. It is not necessary to follow the syntax, but it is highly recommended.
+  `access_id: vault:/secret/staging/aws/access_id`
+
+* Then, add your secret with `rake vaml:add_secret`. You will need to set an `ENV['VAULT_TOKEN']` to run this command. If Github integration is activated, Go your Developer Settings > Personal Access Token and select the `admin:org` scope. You can now use the token generated by Github with the command.
+
+`VAULT_TOKEN=my_token rake vaml:add_secret /secrets/staging/aws/access_id AXXSAWEDFSF`
+
+* After you configure vault, you can also add secrets from the rails console using the same token.
+
+  ```
+  Vaml::Github.auth(my_token)
+  Vaml.write(key, value)
+  ```
+
+If you have been given proper access rights, you will be able to successfully write the secret.
+
+### YAML Integration
+
+Given, you have an input yml that looks like:
+```
+development:
+  aws:
+    access_id: 'XXX'
+staging:
+  aws:
+    access_id: vault:/secret/staging/aws/access_id
+production:
+  aws:
+    access_id: vault:/secret/production/aws/access_id
+```
+
+and you write these secrets with:
+```
+VAULT_TOKEN=my_token rake vaml:add_secret /secret/staging/aws/access_id ABC
+VAULT_TOKEN=my_token rake vaml:add_secret /secret/production/aws/access_id DEF
+```
+
+When you access these secrets from vault,
+
+`Vaml.from_yaml(File.read('input_yml.yml'))`
+
+Vaml gives you back a ruby hash that looks like:
+
+```
+{
+  "development" => {"aws"=>{"access_id"=>"XXX"}},
+  "staging" => {"aws"=>{"access_id"=>"ABC"}},
+  "production" => {"aws"=>{"access_id"=>"ABC"}}
+}
+```
+Note that this does not actually write back to the file, and it is upto you to use this result as you want.
+One strategy is to store these into the Rails configuration object when Rails initializes, so you will have it available to your process, but you won't need to write any secret anywhere. Bye bye to leaky ENV variables!
+
+
+
+### Policies
+
+You can add and list Policies
+
+* List policies
+
+`Vaml.list_policies`
+
+* Add policies
+
+```
+#   policy_definition = <<-EOH
+#     path "sys" {
+#       policy = "deny"
+#     }
+#   EOH
+
+Vaml.add_policy(policy_name, policy_definition)
+```
+Internally all this does is the original call to Vault.
+
+`Vault.sys.put_policy("dev", policy)`
+
+
+## Github Integration
+
+```
+Vaml::Github.enable_auth(organization)
+Vaml::Github.grant_policy(team_name, policy_name)
+```
+
+## Using Vault in your Local System
+
+OSX
+
+```
+brew install vault
+vault server --dev
+```
+And Follow the official Vault documentation.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/dgtm/vaml.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "vaml"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/vaml

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+
+require "vaml"

data/lib/tasks/add_secret.rake

@@ -0,0 +1,20 @@
+desc 'Add a secret to Vault'
+namespace :vaml do
+  task :add_secret, [:arg1, :arg2] do |t, args|
+    key, value = ARGV[1], ARGV[2]
+    unless key && value
+      puts "Usage: VAULT_HOST=xxx VAULT_TOKEN=xxx rake vaml:add_secret /secret/development/xxx value"
+      raise
+    end
+    Vaml.configure(host: ENV['VAULT_HOST'], token: ENV['VAULT_TOKEN'])
+    Vaml.write_string(key, value)
+    puts "the rake task did something"
+    exit
+  end
+
+  task :read_secret do
+    Vaml.configure(host: ENV['VAULT_HOST'], token: ENV['VAULT_TOKEN'])
+    puts Vaml.read_string(ARGV[1])
+    exit
+  end
+end

data/lib/vaml.rb

@@ -0,0 +1,79 @@
+require 'psych'
+require 'yaml'
+require 'vaml/config_handler'
+require 'vaml/version'
+require 'vaml/vault_config'
+require 'vaml/configuration'
+require 'vaml/github'
+require 'vaml/railtie' if defined?(Rails)
+require 'pry'
+
+module Vaml
+
+  class << self
+    attr_accessor :configuration
+
+    # @param [Hash] options {host: '0.0.0.0:8200', token: ENV["VTOKEN"], organization: ''}
+    def configure(options)
+      options[:host] ||= 'http://127.0.0.1:8200'
+      options[:token] ||= ENV['VAULT_TOKEN']
+
+      self.configuration ||= Configuration.new(options)
+      yield configuration if block_given?
+
+      # Configures Vault itself.
+      Vaml::VaultConfig.configure!
+      self
+    end
+
+    def write_string(key, value)
+      write(key, {value: value})
+    end
+
+    def read_string(key)
+      read(key).data[:value]
+    end
+
+    def from_yaml(yml)
+      handler = Vaml::ConfigHandler.new
+      parser = Psych::Parser.new(handler)
+      parser.parse(yml)
+      handler.root.to_ruby.first
+    end
+
+    def read(query)
+      Vault.with_retries(Vault::HTTPConnectionError) do
+        val = Vault.logical.read(query)
+        raise "VamlError: No secret was stored for #{query}" unless val
+        val
+      end
+    end
+
+
+    def write(key, value)
+      Vault.with_retries(Vault::HTTPConnectionError) do
+        Vault.logical.write(key, value)
+      end
+    end
+
+    def auth_with_github(token)
+      Vaml::Github.auth(token)
+    end
+
+    #   policy = <<-EOH
+    #     path "sys" {
+    #       policy = "deny"
+    #     }
+    #   EOH
+    #   Vault.sys.put_policy("dev", policy)
+    def add_policy(policy_name, policy_definition)
+      Vault.sys.put_policy(policy_name, policy_definition)
+    end
+
+    def list_policies
+      Vault.sys.policies.map do |name|
+        Vault.sys.policy(name)
+      end
+    end
+  end
+end

data/lib/vaml/config_handler.rb

@@ -0,0 +1,14 @@
+module Vaml
+  class ConfigHandler < Psych::TreeBuilder
+    def scalar value, anchor, tag, plain, quoted, style
+      vault_regex = /vault:/
+      translated = if value.match(vault_regex)
+        query = value.gsub(vault_regex, '')
+        Vaml.read_string(query)
+      else
+        value
+      end
+      super translated, anchor, tag, plain, quoted, style
+    end
+  end
+end

data/lib/vaml/configuration.rb

@@ -0,0 +1,10 @@
+module Vaml
+  class Configuration
+    attr_accessor :organization, :host, :token
+    def initialize(options)
+      @host = options[:host]
+      @token = options[:token]
+      @organization = options[:organization]
+    end
+  end
+end

data/lib/vaml/github.rb

@@ -0,0 +1,19 @@
+module Vaml
+  module Github
+    def self.enable_auth(org = Vaml.configuration.organization)
+      puts "Enabling auth for #{org} ... "
+      Vault.sys.enable_auth("github", "github")
+      Vault.logical.write("auth/github/config", organization: org)
+    end
+
+    def self.grant_policy(team_name, policy_name)
+      Vault.client.post("/v1/auth/github/map/teams/#{team_name}", policy_name)
+      # Vault.logical.write("auth/github/map/teams/#{team_name}", policy_name)
+    end
+
+    def self.auth(token)
+      puts "Authenticating to Github ... "
+      Vault.auth.github(token)
+    end
+  end
+end

data/lib/vaml/railtie.rb

@@ -0,0 +1,10 @@
+require 'rails'
+module Vaml
+  class Railtie < Rails::Railtie
+    railtie_name :vaml
+
+    rake_tasks do
+      load "tasks/add_secret.rake"
+    end
+  end
+end

data/lib/vaml/vault_config.rb

@@ -0,0 +1,16 @@
+require 'vault'
+module Vaml
+  module VaultConfig
+    def self.configure!
+      ::Vault.configure do |config|
+        config.address = Vaml.configuration.host
+        config.token = Vaml.configuration.token
+        config.ssl_verify = false
+        config.timeout = 30
+        config.ssl_timeout  = 5
+        config.open_timeout = 5
+        config.read_timeout = 30
+      end
+    end
+  end
+end

data/lib/vaml/version.rb

@@ -0,0 +1,3 @@
+module Vaml
+  VERSION = "0.1.0"
+end

data/vaml.gemspec

@@ -0,0 +1,38 @@
+# coding: utf-8
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "vaml/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "vaml"
+  spec.version       = Vaml::VERSION
+  spec.authors       = ["Dipesh"]
+  spec.email         = ["dipeshgtm@gmail.com"]
+
+  spec.summary       = %q{Do not expose your secret keys}
+  spec.description   = %q{Get your secrets from vault}
+  spec.homepage      = ""
+  spec.license       = "MIT"
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata["allowed_push_host"] = "https://rubygems.org"
+  else
+    raise "RubyGems 2.0 or newer is required to protect against " \
+      "public gem pushes."
+  end
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "vault", "~> 0.10"
+
+  spec.add_development_dependency "bundler", "~> 1.15"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "pry"
+end

metadata

@@ -0,0 +1,119 @@
+--- !ruby/object:Gem::Specification
+name: vaml
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Dipesh
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-07-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: vault
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.15'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.15'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Get your secrets from vault
+email:
+- dipeshgtm@gmail.com
+executables:
+- vaml
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/vaml
+- lib/tasks/add_secret.rake
+- lib/vaml.rb
+- lib/vaml/config_handler.rb
+- lib/vaml/configuration.rb
+- lib/vaml/github.rb
+- lib/vaml/railtie.rb
+- lib/vaml/vault_config.rb
+- lib/vaml/version.rb
+- vaml.gemspec
+homepage: ''
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: Do not expose your secret keys
+test_files: []