vault_env_secrets 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: a239afd0a1d9d133166b8c3f88f15162d9b4537437b5eee5ac602f99246ba196
+  data.tar.gz: 07ad320f88de1b735c9f5be34a95be6b6897fe71ae8943e5e36cd8e141c685ee
+SHA512:
+  metadata.gz: 10feaf9ceffbb1892c20702623cbcec3c07b62bfbdcef60e216d4b1b9063ce3e68e70afbe1ec28710d0640be1f412b59ab9025322c841fd149c4c625770916dc
+  data.tar.gz: 475a66ab45ef7e558a1c7c09f919af52207695ec1d9691918df9087b4efb3388d0c35e1e45b0a4d47fc52488bae233f45c4425b6a71d33afac1e9088f7ff7aa1

data/.standard.yml

@@ -0,0 +1,3 @@
+# For available configuration options, see:
+#   https://github.com/testdouble/standard
+ruby_version: 2.6

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+# VaultEnvSecrets Change Log
+
+## [1.0.0] - 2023-08-19
+
+- Initial release

data/Gemfile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in vault_env_secrets.gemspec
+gemspec
+
+gem "rake", "~> 13.0"
+
+gem "minitest", "~> 5.0"
+
+gem "standard", "~> 1.3"

data/Gemfile.lock

@@ -0,0 +1,68 @@
+PATH
+  remote: .
+  specs:
+    vault_env_secrets (1.0.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.2)
+    base64 (0.1.1)
+    json (2.6.3)
+    language_server-protocol (3.17.0.3)
+    lint_roller (1.1.0)
+    minitest (5.19.0)
+    parallel (1.23.0)
+    parser (3.2.2.3)
+      ast (~> 2.4.1)
+      racc
+    racc (1.7.1)
+    rainbow (3.1.1)
+    rake (13.0.6)
+    regexp_parser (2.8.1)
+    rexml (3.2.6)
+    rubocop (1.56.0)
+      base64 (~> 0.1.1)
+      json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
+      parallel (~> 1.10)
+      parser (>= 3.2.2.3)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.28.1, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 3.0)
+    rubocop-ast (1.29.0)
+      parser (>= 3.2.1.0)
+    rubocop-performance (1.19.0)
+      rubocop (>= 1.7.0, < 2.0)
+      rubocop-ast (>= 0.4.0)
+    ruby-progressbar (1.13.0)
+    standard (1.31.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.0)
+      rubocop (~> 1.56.0)
+      standard-custom (~> 1.0.0)
+      standard-performance (~> 1.2)
+    standard-custom (1.0.2)
+      lint_roller (~> 1.0)
+      rubocop (~> 1.50)
+    standard-performance (1.2.0)
+      lint_roller (~> 1.1)
+      rubocop-performance (~> 1.19.0)
+    unicode-display_width (2.4.2)
+
+PLATFORMS
+  arm64-darwin-21
+  ruby
+  x86_64-linux
+
+DEPENDENCIES
+  minitest (~> 5.0)
+  rake (~> 13.0)
+  standard (~> 1.3)
+  vault_env_secrets!
+
+BUNDLED WITH
+   2.4.10

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 Nick Muerdter
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,113 @@
+# VaultEnvSecrets
+
+A small gem to load secrets from [Vault](https://www.vaultproject.io) into environment variables by way of a [consul-template](https://github.com/hashicorp/consul-template) YAML template. Automatic integration with Rails is supported.
+
+## Requirements/Assumptions
+
+- By default, a `consul-template` config file needs to be present in `config/vault.hcl` that defines a `template` that will render secrets in a YAML output file to `tmp/vault/secrets.yml`.
+- You must be authenticate to Vault in some fashion outside of this library (eg, `vault login` is used before startup and `~/.vault-token` is present, or `VAULT_TOKEN` is set, etc).
+- For Rails integration, secrets will only be read once on application startup (so to pick up changes in development, you must restart the Rails server).
+
+## Installation
+
+Install the gem and add to the application's Gemfile by executing:
+
+```sh
+bundle add vault_env_secrets
+```
+
+If bundler is not being used to manage dependencies, install the gem by executing:
+
+```sh
+gem install vault_env_secrets
+```
+
+## Example Usage
+
+This gem mostly defers to to [`consul-template`](https://github.com/hashicorp/consul-template), with the assumption that there will be a YAML output file that can be read in. There are a variety of ways to use this, but as an example:
+
+1. Authenticate against Vault:
+
+    ```sh
+    vault login
+    ```
+
+2. Define a `consul-template` [configuration file](https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#configuration-file) in the default `config/vault.hcl` location:
+
+    ```hcl
+    vault {
+      address = "https://vault.example.com/"
+      renew_token = true
+
+      retry {
+        enabled = false
+      }
+    }
+
+    template {
+      source = "./config/vault/secrets.yml.ctmpl"
+      destination = "./tmp/vault/secrets.yml"
+      error_on_missing_key = true
+      perms = 0600
+    }
+    ```
+
+3. Define the template that the `config/vault.hcl` config file references (which should be configured to output to `tmp/vault/secrets.yml` by default). In this example the secret key base and database credentials are fetched from a `secret/my-app/<rails_env>/web` item:
+
+    ```ctmpl
+    {{ $rails_env := (envOrDefault "RAILS_ENV" "development") }}
+
+    {{ with secret (printf "secret/my-app/%s/web" $deploy_env) }}
+      {{ scratch.MapSet "secrets" "SECRET_KEY_BASE" .Data.data.secret_key_base }}
+      {{ scratch.MapSet "secrets" "SECRET_DB_HOST" .Data.data.db_host }}
+      {{ scratch.MapSet "secrets" "SECRET_DB_NAME" .Data.data.db_name }}
+      {{ scratch.MapSet "secrets" "SECRET_DB_USERNAME" .Data.data.db_username }}
+      {{ scratch.MapSet "secrets" "SECRET_DB_PASSWORD" .Data.data.db_password }}
+    {{ end }}
+
+    {{ scratch.Get "secrets" | toYAML }}
+    ```
+
+4. With the gem installed, any variables defined in the output YAML from the `consul-template` template will be set as environment variables on Rails startup. The environment variable names will depend on the names in the YAML output. So in the above example, `ENV["SECRET_KEY_BASE"]`, `ENV["SECRET_DB_HOST"]`, `ENV["SECRET_DB_PASSWORD"]`, etc would all be available to the app.
+
+## Configuration
+
+You may adjust VaultEnvSecrets configuration by adding a `config/initializers/vault_env_secrets.rb` file with setting changes. Note that the initializer must exist at this path and filename to be properly loaded (this ensures that VaultEnvSecrets is available early on in the Rails load process, so other parts of Rails and other gems can integrate with it).
+
+#### `VaultEnvSecrets.enabled`
+
+Optionally disable loading VaultEnvSecrets (for example, if this gem only needs to be active in certain Rails environments).
+
+```ruby
+VaultEnvSecrets.enabled = false # Defaults to `true`
+```
+
+#### `VaultEnvSecrets.consul_template_config`
+
+Set a custom path to the `consul-template` config file.
+
+```ruby
+VaultEnvSecrets.consul_template_config = "config/my_config.hcl" # Defaults to `config/vault.hcl`
+```
+
+#### `VaultEnvSecrets.consul_template_output`
+
+Set a custom path to the YAML output file generated from the `consul-template` template.
+
+```ruby
+VaultEnvSecrets.consul_template_output = "tmp/my_secrets.yml" # Defaults to `tmp/vault/secrets.yml`
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/GUI/vault_env_secrets.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/test_*.rb"]
+end
+
+require "standard/rake"
+
+task default: %i[test standard]

data/lib/vault_env_secrets/errors.rb

@@ -0,0 +1,3 @@
+module VaultEnvSecrets
+  class Error < StandardError; end
+end

data/lib/vault_env_secrets/railtie.rb

@@ -0,0 +1,26 @@
+require "rails/railtie"
+
+module VaultEnvSecrets
+  class Railtie < ::Rails::Railtie
+    # Load the secret keys as early as possible, so it can be used in other
+    # parts of the Rails configuration, like database.yml files.
+    config.before_configuration do
+      # Load the optional initializer manually (since this before_configuration
+      # phase is before when initializers are usually loaded), so that any
+      # customizations can be read in.
+      initializer = ::Rails.root.join("config", "initializers", "vault_env_secrets.rb")
+      require initializer if File.exist?(initializer)
+
+      VaultEnvSecrets.load
+    end
+
+    # Try to ensure our own "before_configuration" hook gets loaded before any
+    # others that have already been loaded, so that these secrets can be used
+    # as part of other gem's own before_configuration hooks (eg, in the
+    # "config" gem's settings.yml files).
+    load_hooks = ActiveSupport.instance_variable_get(:@load_hooks)
+    if load_hooks && load_hooks[:before_configuration]
+      load_hooks[:before_configuration] = load_hooks[:before_configuration].rotate(-1)
+    end
+  end
+end

data/lib/vault_env_secrets/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module VaultEnvSecrets
+  VERSION = "1.0.0"
+end

data/lib/vault_env_secrets.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require "pathname"
+require "yaml"
+
+require_relative "vault_env_secrets/errors"
+require_relative "vault_env_secrets/version"
+
+module VaultEnvSecrets
+  @enabled = true
+  @consul_template_config = "config/vault.hcl"
+  @consul_template_output = "tmp/vault/secrets.yml"
+
+  class << self
+    attr_accessor :enabled
+    attr_accessor :consul_template_config
+    attr_accessor :consul_template_output
+
+    def load(env: {})
+      if enabled
+        # Check that the expected consul-template config file exists.
+        config_path = Pathname.new(consul_template_config)
+        if defined?(::Rails) && config_path.relative?
+          config_path = Rails.root.join(consul_template_config)
+        end
+        unless config_path.exist?
+          raise Error.new("consul-template config path (#{config_path.to_s.inspect}) does not exist")
+        end
+
+        # Run consul-template to render any template files.
+        system(env, "consul-template", "-config", config_path.to_s, "-once", exception: true)
+
+        # Check that the expected output file exists.
+        output_path = Pathname.new(consul_template_output)
+        if defined?(::Rails) && output_path.relative?
+          output_path = Rails.root.join(consul_template_output)
+        end
+        unless output_path.exist?
+          raise Error.new("consul-template rendered output path (#{output_path.to_s.inspect}) does not exist")
+        end
+
+        # Read the output YAML file and set any of the variables as environment
+        # variables.
+        secrets = YAML.safe_load_file(output_path)
+        if secrets
+          # Make sure the YAML output is an expected hash.
+          unless secrets.is_a?(Hash)
+            raise Error.new("YAML in consul-template output file does not of expected Hash type (#{output_path.to_s.inspect})")
+          end
+
+          secrets.each do |key, value|
+            # Reject nested values that can't be set as simple string values
+            # for environment variable purposes.
+            if value.is_a?(Array) || value.is_a?(Hash)
+              raise Error.new("YAML in consul-template output file has nested data that cannot be set as environment variables (#{output_path.to_s.inspect}: #{key.inspect} type #{value.class.name})")
+            end
+
+            ENV[key] = value.to_s
+          end
+        end
+      end
+    end
+  end
+end
+
+if defined?(::Rails)
+  require_relative "vault_env_secrets/railtie"
+end

data/sig/vault_env_secrets.rbs

@@ -0,0 +1,4 @@
+module VaultEnvSecrets
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,59 @@
+--- !ruby/object:Gem::Specification
+name: vault_env_secrets
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Nick Muerdter
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2023-08-19 00:00:00.000000000 Z
+dependencies: []
+description:
+email:
+- 12112+GUI@users.noreply.github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".standard.yml"
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/vault_env_secrets.rb
+- lib/vault_env_secrets/errors.rb
+- lib/vault_env_secrets/railtie.rb
+- lib/vault_env_secrets/version.rb
+- sig/vault_env_secrets.rbs
+homepage: https://github.com/GUI/vault_env_secrets
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/GUI/vault_env_secrets
+  source_code_uri: https://github.com/GUI/vault_env_secrets/tree/v1.0.0
+  changelog_uri: https://github.com/GUI/vault_env_secrets/blob/v1.0.0/CHANGELOG.md
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.10
+signing_key:
+specification_version: 4
+summary: Load secrets from Vault into environment variables (via consul-template config
+  and with Rails integration)
+test_files: []