yaml_vault 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2a0bdfb9602aac1932efba9fd68eab1083ed2c32
-  data.tar.gz: 2e8f8caede77d7f49d50f0354a39d9809b9cfbe5
+  metadata.gz: 69e1a7131d0d79028214fbc73d520ab3389dabc0
+  data.tar.gz: a6a1c6c272c99df46d821ddbfc5a7e67c2750a7b
 SHA512:
-  metadata.gz: 1b994e252cb2d603a1bc69944a0d5d575ad1c10e51b10ff834024f6ffe939c935a7483bc8cdd258651b734fcddc394e193f957d351021de0b8ca0f9372daaeec
-  data.tar.gz: 7e2893a031100688009d2a71ac912b816cd85cc45c2bc802bd581aa29728a5f69d6a436d7d3b86515cdb3f065fcdbfae4471aa3431fed61e2912ed15d2ced025
+  metadata.gz: 33938873fd2529c5cc4cf98692e4d8238acddc05a99d03b5df7f8b918600cc8c29ea180c6c4380f8ec61d80a68c574055c07eb646121b78914fde77d7079e64a
+  data.tar.gz: 9018d7ea4c777f25afeb8c1f0dc891086a4af8c9204b18f6c119339766210ad6d4413cc75f43ae8042fcd2ef31a9aa467eb644ae5c17637ab17ee056c6303c30

data/Dockerfile

@@ -0,0 +1,5 @@
+FROM ruby:2.3-alpine
+
+RUN gem install yaml_vault aws-sdk --no-document
+
+ENTRYPOINT ["yaml_vault"]

data/README.md

@@ -90,6 +90,20 @@ vault:
   - four: 4
 ```
 
+#### AWS KMS Encryption
+
+Max encryptable size is 4096 bytes. (value size as encoded by Base64)
+
+```
+% yaml_vault encrypt secrets.yml -o encrypted_secrets.yml --cryptor=aws-kms \
+  --aws-region=ap-northeast-1 \
+  --aws-kms-key-id=<kms-cms-key-id> \
+  --aws-access-key-id=<AWS_ACCESS_KEY_ID> \
+  --aws-secret-access-key=<AWS_SECRET_ACCESS_KEY>
+```
+
+If region, access_key_id, secret_access_key is not set, use `ENV["AWS_REGION"]`, `ENV["AWS_ACCESS_KEY_ID"]`, `ENV["AWS_SECRET_ACCESS_KEY"]`.
+
 ### Decrypt
 
 ```
@@ -99,6 +113,48 @@ Enter passphrase: <enter your passphrase>
 
 If `ENV["YAML_VAULT_PASSPHRASE"]`, use it as passphrase
 
+#### AWS KMS Decryption
+
+```
+% yaml_vault decrypt encrypted_secrets.yml -o secrets.yml --cryptor=aws-kms \
+  --aws-region=ap-northeast-1 \
+  --aws-access-key-id=<AWS_ACCESS_KEY_ID> \
+  --aws-secret-access-key=<AWS_SECRET_ACCESS_KEY>
+```
+
+### Direct Assignment
+
+```ruby
+# decrypt `configs['vault']` and `configs['production']['password']`
+
+# Simple Encryption
+configs = YamlVault::Main.from_file(
+  File.expand_path("../encrypted_sample.yml", __FILE__),
+  [["vault"], ["production", "password"]],
+  passphrase: ENV["YAML_VAULT_PASSPHRASE"], sign_passphrase: ENV["YAML_VAULT_SIGN_PASSPHRASE"]
+).decrypt
+
+# KMS
+configs = YamlVault::Main.from_file(
+  File.expand_path("../encrypted_sample.yml", __FILE__),
+  [["vault"], ["production", "password"]],
+  "kms",
+  aws_kms_key_id: ENV["AWS_KMS_KEY_ID"],
+  aws_region: ENV["AWS_REGION"],     # optional
+  aws_access_key_id: "xxxxxxx",      # optional
+  aws_secret_access_key: "xxxxxxx",  # optional
+).decrypt
+```
+
+## How to use with docker
+
+```bash
+docker run -it \
+  -v `pwd`/:/vol \
+  joker1007/yaml_vault \
+  encrypt /vol/secrets.yml -o /vol/encrypted_secrets.yml
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment. Run `bundle exec yaml_vault` to use the gem in this directory, ignoring other installed copies of this gem.

data/exe/yaml_vault

@@ -24,7 +24,7 @@ class YamlVault::Cli < Thor
   method_option :output, aliases: "-o", type: :string, required: true
   def encrypt(yaml_file)
     passphrase, sign_passphrase = get_passphrase
-    encrypted_yaml = YamlVault::Main.new(
+    encrypted_yaml = YamlVault::Main.from_file(
       yaml_file,
       target_keys,
       options[:cryptor],
@@ -44,7 +44,7 @@ class YamlVault::Cli < Thor
   method_option :output, aliases: "-o", type: :string, required: true
   def decrypt(yaml_file)
     passphrase, sign_passphrase = get_passphrase
-    decrypted_yaml = YamlVault::Main.new(
+    decrypted_yaml = YamlVault::Main.from_file(
       yaml_file,
       target_keys,
       options[:cryptor],

data/lib/yaml_vault.rb

@@ -6,12 +6,21 @@ require 'active_support'
 
 module YamlVault
   class Main
+    class << self
+      def from_file(filename, keys, cryptor_name = nil, **options)
+        yaml_content = ERB.new(File.read(filename)).result
+        new(yaml_content, keys, cryptor_name, **options)
+      end
+
+      alias :from_content :new
+    end
+
     def initialize(
-      yaml, keys, cryptor_name = nil,
+      yaml_content, keys, cryptor_name = nil,
       passphrase: nil, sign_passphrase: nil, salt: nil, cipher: "aes-256-cbc", digest: "SHA256",
       aws_kms_key_id: nil, aws_region: nil, aws_access_key_id: nil, aws_secret_access_key: nil
     )
-      @yaml = yaml
+      @data = YAML.load(yaml_content)
       @keys = keys
 
       @passphrase = passphrase
@@ -28,24 +37,33 @@ module YamlVault
       @cryptor = get_cryptor(cryptor_name)
     end
 
-    def encrypt_yaml
+    def encrypt
       process_yaml do |data|
         do_process(data, :encrypt)
       end
     end
 
-    def decrypt_yaml
+    def decrypt
       process_yaml do |data|
         do_process(data, :decrypt)
       end
     end
 
+    def encrypt_yaml
+      encrypt.to_yaml
+    end
+
+    def decrypt_yaml
+      decrypt.to_yaml
+    end
+
     private
 
     def get_cryptor(name)
-      if name == "simple"
+      case name
+      when "simple"
         ValueCryptor::Simple.new(@passphrase, @sign_passphrase, @salt, @cipher, @digest)
-      elsif name == "aws-kms"
+      when "aws-kms", "kms"
         ValueCryptor::KMS.new(@aws_kms_key_id, region: @aws_region, aws_access_key_id: @aws_access_key_id, aws_secret_access_key: @aws_secret_access_key)
       else
         ValueCryptor::Simple.new(@passphrase, @sign_passphrase, @salt, @cipher, @digest)
@@ -53,20 +71,19 @@ module YamlVault
     end
 
     def process_yaml
-      data = YAML.load(ERB.new(File.read(@yaml)).result)
       @keys.each do |key|
-        target = key.inject(data) do |t, part|
+        target = key.inject(@data) do |t, part|
           t[part]
         end
 
         vault_data = yield target
 
-        target_parent = key[0..-2].inject(data) do |t, part|
+        target_parent = key[0..-2].inject(@data) do |t, part|
           t[part]
         end
         target_parent[key[-1]] = vault_data
       end
-      data.to_yaml
+      @data
     end
 
     def do_process(data, method)

data/lib/yaml_vault/rails.rb

@@ -0,0 +1,25 @@
+module YamlVault
+  module Rails
+    class << self
+      def override_secrets(keys, cryptor_name = nil, **options)
+        config = ::Rails.application.config
+        ::Rails.application.secrets = begin
+          secrets = ActiveSupport::OrderedOptions.new
+          yaml = config.paths["config/secrets"].first
+          if File.exist?(yaml)
+            all_secrets = YamlVault::Main.from_content(IO.read(yaml), keys, cryptor_name, **options).decrypt
+            env_secrets = all_secrets[::Rails.env]
+            secrets.merge!(env_secrets.symbolize_keys) if env_secrets
+          end
+
+          # Fallback to config.secret_key_base if secrets.secret_key_base isn't set
+          secrets.secret_key_base ||= config.secret_key_base
+          # Fallback to config.secret_token if secrets.secret_token isn't set
+          secrets.secret_token ||= config.secret_token
+
+          secrets
+        end
+      end
+    end
+  end
+end

data/lib/yaml_vault/version.rb

@@ -1,3 +1,3 @@
 module YamlVault
-  VERSION = "0.2.0"
+  VERSION = "0.3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yaml_vault
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - joker1007
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-05-24 00:00:00.000000000 Z
+date: 2016-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -105,6 +105,7 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
+- Dockerfile
 - Gemfile
 - README.md
 - Rakefile
@@ -112,6 +113,7 @@ files:
 - bin/setup
 - exe/yaml_vault
 - lib/yaml_vault.rb
+- lib/yaml_vault/rails.rb
 - lib/yaml_vault/version.rb
 - yaml_vault.gemspec
 homepage: https://github.com/joker1007/yaml_vault