yaml_vault 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7701aaf47f1f8a9aa15aa5a92cf42ba9faa683b6
-  data.tar.gz: bdd5eb6f504aadaabf6fb6b1404c6778a5365c7c
+  metadata.gz: d513c736945058b14e097674eb7f2a4743718a0b
+  data.tar.gz: 417af775003ec2105570ef50ce819303a2561d88
 SHA512:
-  metadata.gz: 605babf1e0e0000ea234cbe65a4d43e2176940da312d8df88cff698678590eea5d3b7668d0905ea7c6b13d06ff87791f4dea99adf983d34ab175a4e240d2b604
-  data.tar.gz: d7f18f1e1d329a939bba142eda79da0fbb4f7e389ddc7f9364799feb7c8ad87b1e07060a4749c8d7da4dea22ada0d23647020d86741675e92b18ff14216a897a
+  metadata.gz: fce2b4f85b47332badef4c03882d86fb83cfac33ee9da92b376512de571272b5bf4580dfccee0bcbe42e359c98356a282197c1b0466e9bee1fdb39a358ba2b35
+  data.tar.gz: 8e8abd2ec36cb12797f110d95043f5a8947f1ebf74246da0b967779252ccfb781aa80128a9a91716f6455f26fa2debb4acfe176cfe874955c8e5f09942089016

data/README.md

@@ -109,7 +109,19 @@ Max encryptable size is 4096 bytes. (value size as encoded by Base64)
   --aws-secret-access-key=<AWS_SECRET_ACCESS_KEY>
 ```
 
-If region, access_key_id, secret_access_key is not set, use `ENV["AWS_REGION"]`, `ENV["AWS_ACCESS_KEY_ID"]`, `ENV["AWS_SECRET_ACCESS_KEY"]`.
+If region, access_key_id, secret_access_key is not set, use `ENV["AWS_REGION"]`, `ENV["AWS_ACCESS_KEY_ID"]`, `ENV["AWS_SECRET_ACCESS_KEY"]` or default credentials or Instance Profile.
+
+#### GCP KMS Encryption
+
+```
+% yaml_vault encrypt secrets.yml -o encrypted_secrets.yml --cryptor=gcp-kms \
+  --gcp-kms-resource-id=<kms-resource-id> \
+  --gcp-credential-file=<credential-json-file-path>
+```
+
+ex. `--gcp-kms-resource-id=projects/<PROJECT_ID>/locations/global/keyRings/<KEYRING_ID>/cryptoKeys/<KEY_ID>`
+
+If gcp_credential_file is not set, use Google Application Default Credentials flow (https://developers.google.com/identity/protocols/application-default-credentials)
 
 ### Decrypt
 
@@ -129,6 +141,14 @@ If `ENV["YAML_VAULT_PASSPHRASE"]`, use it as passphrase
   --aws-secret-access-key=<AWS_SECRET_ACCESS_KEY>
 ```
 
+#### GCP KMS Decryption
+
+```
+% yaml_vault decrypt encrypted_secrets.yml -o secrets.yml --cryptor=gcp-kms \
+  --gcp-kms-resource-id=<kms-resource-id> \
+  --gcp-credential-file=<credential-json-file-path>
+```
+
 ### Direct Assignment
 
 ```ruby
@@ -141,7 +161,7 @@ configs = YamlVault::Main.from_file(
   passphrase: ENV["YAML_VAULT_PASSPHRASE"], sign_passphrase: ENV["YAML_VAULT_SIGN_PASSPHRASE"]
 ).decrypt
 
-# KMS
+# AWS KMS
 configs = YamlVault::Main.from_file(
   File.expand_path("../encrypted_sample.yml", __FILE__),
   [["vault"], ["production", "password"]],
@@ -151,6 +171,15 @@ configs = YamlVault::Main.from_file(
   aws_access_key_id: "xxxxxxx",      # optional
   aws_secret_access_key: "xxxxxxx",  # optional
 ).decrypt
+
+# GCP KMS
+configs = YamlVault::Main.from_file(
+  File.expand_path("../encrypted_sample.yml", __FILE__),
+  [["vault"], ["production", "password"]],
+  "gcp-kms",
+  gcp_kms_resource_id: "xxxxxxx",
+  gcp_credential_file: File.expand_path("../credential.json", __FILE__)
+).decrypt
 ```
 
 ## How to use with docker

data/exe/yaml_vault

@@ -8,7 +8,7 @@ class YamlVault::Cli < Thor
   include Thor::Actions
 
   class_option :key, aliases: "-k", type: :string, banner: "KEYNAME (format: \"KEY1.INNER_KEY,KEY2\")", desc: "target key", default: "vault"
-  class_option :cryptor, type: :string, enum: %w(simple aws-kms), default: "simple"
+  class_option :cryptor, type: :string, enum: %w(simple aws-kms gcp-kms), default: "simple"
 
   class_option :salt, aliases: "-s", type: :string
   class_option :cipher, type: :string, desc: "Encrypt cipher (see. OpenSSL::Cipher.ciphers)", default: "aes-256-cbc"
@@ -22,6 +22,9 @@ class YamlVault::Cli < Thor
   class_option :aws_access_key_id, type: :string
   class_option :aws_secret_access_key, type: :string
 
+  class_option :gcp_kms_resource_id, type: :string
+  class_option :gcp_credential_file, type: :string
+
   desc "encrypt YAML_FILE", "Encrypt yaml file"
   method_option :output, aliases: "-o", type: :string, required: true
   def encrypt(yaml_file)
@@ -37,7 +40,9 @@ class YamlVault::Cli < Thor
       aws_kms_key_id: options[:aws_kms_key_id],
       aws_region: options[:aws_region],
       aws_access_key_id: options[:aws_access_key_id],
-      aws_secret_access_key: options[:aws_secret_access_key]
+      aws_secret_access_key: options[:aws_secret_access_key],
+      gcp_kms_resource_id: options[:gcp_kms_resource_id],
+      gcp_credential_file: options[:gcp_credential_file]
     ).encrypt_yaml
     puts "encrypted #{yaml_file} -> #{options[:output]}"
     File.open(options[:output], "w") { |f| f.write encrypted_yaml }
@@ -57,7 +62,9 @@ class YamlVault::Cli < Thor
       aws_kms_key_id: options[:aws_kms_key_id],
       aws_region: options[:aws_region],
       aws_access_key_id: options[:aws_access_key_id],
-      aws_secret_access_key: options[:aws_secret_access_key]
+      aws_secret_access_key: options[:aws_secret_access_key],
+      gcp_kms_resource_id: options[:gcp_kms_resource_id],
+      gcp_credential_file: options[:gcp_credential_file]
     ).decrypt_yaml
     puts "decrypted #{yaml_file} -> #{options[:output]}"
     File.open(options[:output], "w") { |f| f.write decrypted_yaml }

data/lib/yaml_vault/version.rb

@@ -1,3 +1,3 @@
 module YamlVault
-  VERSION = "0.5.0"
+  VERSION = "0.6.0"
 end

data/lib/yaml_vault.rb

@@ -18,7 +18,8 @@ module YamlVault
     def initialize(
       yaml_content, keys, cryptor_name = nil,
       passphrase: nil, sign_passphrase: nil, salt: nil, cipher: "aes-256-cbc", key_len: 32, signature_key_len: 64, digest: "SHA256",
-      aws_kms_key_id: nil, aws_region: nil, aws_access_key_id: nil, aws_secret_access_key: nil
+      aws_kms_key_id: nil, aws_region: nil, aws_access_key_id: nil, aws_secret_access_key: nil,
+      gcp_kms_resource_id: nil, gcp_credential_file: nil
     )
       @data = YAML.load(yaml_content)
       @keys = keys
@@ -36,6 +37,9 @@ module YamlVault
       @aws_access_key_id = aws_access_key_id
       @aws_secret_access_key = aws_secret_access_key
 
+      @gcp_kms_resource_id = gcp_kms_resource_id
+      @gcp_credential_file = gcp_credential_file
+
       @cryptor = get_cryptor(cryptor_name)
     end
 
@@ -67,6 +71,8 @@ module YamlVault
         ValueCryptor::Simple.new(@passphrase, @sign_passphrase, @salt, @cipher, @digest, @key_len, @signature_key_len)
       when "aws-kms", "kms"
         ValueCryptor::KMS.new(@aws_kms_key_id, region: @aws_region, aws_access_key_id: @aws_access_key_id, aws_secret_access_key: @aws_secret_access_key)
+      when "gcp-kms"
+        ValueCryptor::GCPKMS.new(@gcp_kms_resource_id, @gcp_credential_file)
       else
         ValueCryptor::Simple.new(@passphrase, @sign_passphrase, @salt, @cipher, @digest, @key_len, @signature_key_len)
       end
@@ -154,6 +160,39 @@ module YamlVault
           YAML.load(resp.plaintext)
         end
       end
+
+      class GCPKMS
+        def initialize(resource_id, credential_file)
+          raise "Need key resource id" unless resource_id
+          require 'googleauth'
+          require 'google/apis/cloudkms_v1'
+
+          scope = [
+            'https://www.googleapis.com/auth/cloud-platform'
+          ]
+
+          @resource_id = resource_id
+          @client = Google::Apis::CloudkmsV1::CloudKMSService.new
+          if credential_file
+            @client.authorization = Google::Auth::DefaultCredentials.make_creds(
+              json_key_io: File.open(credential_file),
+              scope: scope
+            )
+          else
+            @client.authorization = Google::Auth.get_application_default(scope)
+          end
+        end
+
+        def encrypt(value)
+          response = @client.encrypt_crypto_key(@resource_id, {plaintext: YAML.dump(value)}, {})
+          Base64.strict_encode64(response.ciphertext)
+        end
+
+        def decrypt(value)
+          response = @client.decrypt_crypto_key(@resource_id, {ciphertext: Base64.strict_decode64(value)}, {})
+          YAML.load(response.plaintext)
+        end
+      end
     end
 
     private_constant :ValueCryptor

data/yaml_vault.gemspec

@@ -20,6 +20,8 @@ Gem::Specification.new do |spec|
 
   spec.add_runtime_dependency "activesupport", ">= 4"
   spec.add_runtime_dependency "aws-sdk", "~> 2.0"
+  spec.add_runtime_dependency "google-api-client", "~> 0.11"
+  spec.add_runtime_dependency "googleauth", "~> 0.4"
   spec.add_runtime_dependency "thor"
 
   spec.add_development_dependency "bundler", "~> 1.11"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yaml_vault
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors:
 - joker1007
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-03-31 00:00:00.000000000 Z
+date: 2017-05-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -38,6 +38,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: google-api-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.11'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.11'
+- !ruby/object:Gem::Dependency
+  name: googleauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement