yaml_vault 1.0.1 → 1.2.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: 4113736dbf8ce7c2b0c505b95fbbb2ba554a9376
4
- data.tar.gz: 84b726f8245e7e74210720aa27ed864acfb81ee1
2
+ SHA256:
3
+ metadata.gz: 5d971a272200b74721608df31003f4fe36c267debc941b249e046c9d3c0eda87
4
+ data.tar.gz: 05e9089f383a10b942b63c6378a876d23a9d24c00dd6bd5135c83955f3d857ce
5
5
  SHA512:
6
- metadata.gz: c27f4477a86e9d01c4f73aff041656e1b0c344f97add07b5e4643a7914c921fd0d3d788ae11f8b670a285f972b8064d3ac8231e862f685f8268982a09bfd604d
7
- data.tar.gz: 410fe9f926db4ab5f15537ce73d670b87aeaeaba9f5013e8a030dead403e3eb746f228e2fafbbcc9431a6d1c15d84a2368cd0bd55c13cc6b4360dd7eebf7635c
6
+ metadata.gz: 8c2604b1ecc2f4c85968fa4a673a3a6f34ad29c18805c63fbffb2a82a896fde931a0c45c77d4c64aa3f413ba2ba13010474f92cdc84f11b9cdf7f431e20c61da
7
+ data.tar.gz: 24102ad777468b515c728d686d496d93c92a77e5c5864899406a90e49200fa6dca6a9ee44fa237210b763084fe9be2fbe65fffba4112ea1c9b7786176b1de46e
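--- a/data/.gitignore
+++ b/data/.gitignore
@@ -9,3 +9,4 @@
 /tmp/
 
 .envrc
+.idea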
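--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -1,5 +1,7 @@
+sudo: false
 language: ruby
+cache: bundler
 rvm:
-- 2.3.4
-- 2.4.2
-before_install: gem install bundler
+- 2.6.2
+- 2.5.2
+before_install: gem install bundler -v 2.0.1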
data/LICENSE.txt ADDED
@@ -0,0 +1,21 @@
1
+ The MIT License (MIT)
2
+
3
+ Copyright (c) 2016 joker1007
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in
13
+ all copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21
+ THE SOFTWARE.
data/README.md CHANGED
@@ -180,6 +180,18 @@ vault:
180
180
 
181
181
  ex. `$.production.:slaves.[0].*.:password`
182
182
 
183
+ You can also use the `--prefix` and `--suffix` options to format the encrypted value. i.e by providing `--prefix "ENC(" --suffix ")"` you can get the following output from the above example:
184
+
185
+ ```yml
186
+ # encrypted_secrets.yml
187
+
188
+ default: &default
189
+ ...
190
+ vault:
191
+ secret_data: ENC(SzZoOGlpcSs4UlBaQnhTYWx0YlN3NHk2QXhiZGYvVmpsc0c3ckllSlh1TT0tLU13ZERzRWsxaGc0Y090blNIdXVVMmc9PQ==--24b2af56d2563776ca316dbfa243333dd053fea1)
192
+ ...
193
+ ```
194
+
183
195
  #### AWS KMS Encryption
184
196
 
185
197
  Max encryptable size is 4096 bytes. (value size as encoded by Base64)
@@ -215,6 +227,8 @@ Enter passphrase: <enter your passphrase>
215
227
 
216
228
  If `ENV["YAML_VAULT_PASSPHRASE"]`, use it as passphrase
217
229
 
230
+ Note to pass the same `--suffix` and `--prefix` if the yaml was encrypted using these options.
231
+
218
232
  #### AWS KMS Decryption
219
233
 
220
234
  ```
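--- a/data/exe/yaml_vault
+++ b/data/exe/yaml_vault
@@ -8,6 +8,8 @@ class YamlVault::Cli < Thor
 include Thor::Actions
 
 class_option :key, aliases: "-k", type: :string, banner: "KEYNAME (format: \"KEY1.INNER_KEY,KEY2\")", desc: "target key", default: "$"
+class_option :prefix, type: :string, banner: "PREFIX", desc: "prefix string to add to the encrypted value"
+class_option :suffix, type: :string, banner: "SUFFIX", desc: "suffix string to add to the encrypted value"
 class_option :cryptor, type: :string, enum: %w(simple aws-kms gcp-kms), default: "simple"
 
 class_option :salt, aliases: "-s", type: :string
@@ -21,6 +23,7 @@ class YamlVault::Cli < Thor
 class_option :aws_region, type: :string
 class_option :aws_access_key_id, type: :string
 class_option :aws_secret_access_key, type: :string
+class_option :aws_profile, type: :string
 
 class_option :gcp_kms_resource_id, type: :string
 class_option :gcp_credential_file, type: :string
@@ -32,6 +35,8 @@ class YamlVault::Cli < Thor
 encrypted_yaml = YamlVault::Main.from_file(
 yaml_file,
 target_keys,
+options[:prefix],
+options[:suffix],
 options[:cryptor],
 passphrase: passphrase,
 sign_passphrase: sign_passphrase,
@@ -41,6 +46,7 @@ class YamlVault::Cli < Thor
 aws_region: options[:aws_region],
 aws_access_key_id: options[:aws_access_key_id],
 aws_secret_access_key: options[:aws_secret_access_key],
+aws_profile: options[:aws_profile],
 gcp_kms_resource_id: options[:gcp_kms_resource_id],
 gcp_credential_file: options[:gcp_credential_file]
 ).encrypt_yaml
@@ -55,6 +61,8 @@ class YamlVault::Cli < Thor
 decrypted_yaml = YamlVault::Main.from_file(
 yaml_file,
 target_keys,
+options[:prefix],
+options[:suffix],
 options[:cryptor],
 passphrase: passphrase,
 sign_passphrase: sign_passphrase,
@@ -63,6 +71,7 @@ class YamlVault::Cli < Thor
 aws_region: options[:aws_region],
 aws_access_key_id: options[:aws_access_key_id],
 aws_secret_access_key: options[:aws_secret_access_key],
+aws_profile: options[:aws_profile],
 gcp_kms_resource_id: options[:gcp_kms_resource_id],
 gcp_credential_file: options[:gcp_credential_file]
 ).decrypt_yaml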
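Review bot: The new `class_option :aws_profile` carries no `desc:` while the `:prefix`/`:suffix` options added in the same file do, so `yaml_vault help` will not tell users that a shared-credentials profile is the alternative to passing `--aws_access_key_id`/`--aws_secret_access_key` on the command line, where static keys end up in shell history and process listings. Suggest `class_option :aws_profile, type: :string, banner: "PROFILE", desc: "AWS shared credentials/config profile name (prefer this over passing static keys on the command line)"`. Which credential wins when a profile and explicit keys are both supplied is decided inside the AWS SDK client and is not visible here; it is worth stating in the description once confirmed. The encrypt and decrypt commands that enclose the `from_file` calls start and end outside the hunks.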
data/lib/yaml_vault.rb CHANGED
@@ -11,22 +11,24 @@ require 'yaml_vault/yaml_tree_builder'
11
11
  module YamlVault
12
12
  class Main
13
13
  class << self
14
- def from_file(filename, keys, cryptor_name = nil, **options)
14
+ def from_file(filename, keys, prefix = nil, suffix = nil, cryptor_name = nil, **options)
15
15
  yaml_content = ERB.new(File.read(filename)).result
16
- new(yaml_content, keys, cryptor_name, **options)
16
+ new(yaml_content, keys, prefix, suffix, cryptor_name, **options)
17
17
  end
18
18
 
19
19
  alias :from_content :new
20
20
  end
21
21
 
22
22
  def initialize(
23
- yaml_content, keys, cryptor_name = nil,
23
+ yaml_content, keys, prefix = nil, suffix = nil, cryptor_name = nil,
24
24
  passphrase: nil, sign_passphrase: nil, salt: nil, cipher: "aes-256-cbc", key_len: 32, signature_key_len: 64, digest: "SHA256",
25
- aws_kms_key_id: nil, aws_region: nil, aws_access_key_id: nil, aws_secret_access_key: nil,
25
+ aws_kms_key_id: nil, aws_region: nil, aws_access_key_id: nil, aws_secret_access_key: nil, aws_profile: nil,
26
26
  gcp_kms_resource_id: nil, gcp_credential_file: nil
27
27
  )
28
28
  @yaml = yaml_content
29
29
  @keys = keys
30
+ @prefix = prefix
31
+ @suffix = suffix
30
32
 
31
33
  @passphrase = passphrase
32
34
  @sign_passphrase = sign_passphrase
@@ -40,6 +42,7 @@ module YamlVault
40
42
  @aws_region = aws_region
41
43
  @aws_access_key_id = aws_access_key_id
42
44
  @aws_secret_access_key = aws_secret_access_key
45
+ @aws_profile = aws_profile
43
46
 
44
47
  @gcp_kms_resource_id = gcp_kms_resource_id
45
48
  @gcp_credential_file = gcp_credential_file
@@ -48,12 +51,12 @@ module YamlVault
48
51
  end
49
52
 
50
53
  def encrypt
51
- parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @cryptor, :encrypt))
54
+ parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @prefix, @suffix, @cryptor, :encrypt))
52
55
  parser.parse(@yaml).handler.root
53
56
  end
54
57
 
55
58
  def decrypt
56
- parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @cryptor, :decrypt))
59
+ parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @prefix, @suffix, @cryptor, :decrypt))
57
60
  parser.parse(@yaml).handler.root
58
61
  end
59
62
 
@@ -80,7 +83,7 @@ module YamlVault
80
83
  when "simple"
81
84
  ValueCryptor::Simple.new(@passphrase, @sign_passphrase, @salt, @cipher, @digest, @key_len, @signature_key_len)
82
85
  when "aws-kms", "kms"
83
- ValueCryptor::KMS.new(@aws_kms_key_id, region: @aws_region, aws_access_key_id: @aws_access_key_id, aws_secret_access_key: @aws_secret_access_key)
86
+ ValueCryptor::KMS.new(@aws_kms_key_id, region: @aws_region, aws_access_key_id: @aws_access_key_id, aws_secret_access_key: @aws_secret_access_key, aws_profile: @aws_profile)
84
87
  when "gcp-kms"
85
88
  ValueCryptor::GCPKMS.new(@gcp_kms_resource_id, @gcp_credential_file)
86
89
  else
@@ -111,7 +114,7 @@ module YamlVault
111
114
  end
112
115
 
113
116
  class KMS
114
- def initialize(key_id, region: nil, aws_access_key_id: nil, aws_secret_access_key: nil)
117
+ def initialize(key_id, region: nil, aws_access_key_id: nil, aws_secret_access_key: nil, aws_profile: nil)
115
118
  begin
116
119
  begin
117
120
  require 'aws-sdk-kms'
@@ -128,6 +131,7 @@ module YamlVault
128
131
  options[:region] = region if region
129
132
  options[:access_key_id] = aws_access_key_id if aws_access_key_id
130
133
  options[:secret_access_key] = aws_secret_access_key if aws_secret_access_key
134
+ options[:profile] = aws_profile if aws_profile
131
135
  @client = Aws::KMS::Client.new(options)
132
136
  @key_id = key_id
133
137
  end
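Review bot: `KMS#initialize` now accepts `aws_profile` alongside `aws_access_key_id`/`aws_secret_access_key` but forwards all of them to `Aws::KMS::Client.new` whenever they are set, so when more than one is supplied the identity that performs the KMS call is chosen by the SDK's precedence rules and a stray flag can silently switch credentials. A guard before the client is built would make the mix-up loud: `raise ArgumentError, "aws_profile cannot be combined with aws_access_key_id/aws_secret_access_key" if aws_profile && (aws_access_key_id || aws_secret_access_key)`. The nested `begin` blocks around the `require` and the remainder of `initialize` lie outside the hunk, so the exact placement is inferred.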
@@ -9,13 +9,21 @@ module YamlVault
9
9
  if File.exist?(yaml)
10
10
  all_secrets = YamlVault::Main.from_content(IO.read(yaml), keys, cryptor_name, **options).decrypt_hash
11
11
  env_secrets = all_secrets[::Rails.env]
12
- secrets.merge!(env_secrets.symbolize_keys) if env_secrets
12
+ if env_secrets
13
+ if Gem::Version.new(::Rails::VERSION::STRING) >= Gem::Version.new("5.1")
14
+ # In Rails 5.1, nested keys are also symbolized
15
+ # cf. https://github.com/rails/rails/pull/26929
16
+ secrets.merge!(env_secrets.deep_symbolize_keys)
17
+ else
18
+ secrets.merge!(env_secrets.symbolize_keys)
19
+ end
20
+ end
13
21
  end
14
22
 
15
23
  # Fallback to config.secret_key_base if secrets.secret_key_base isn't set
16
24
  secrets.secret_key_base ||= config.secret_key_base
17
25
  # Fallback to config.secret_token if secrets.secret_token isn't set
18
- secrets.secret_token ||= config.secret_token
26
+ secrets.secret_token ||= config&.secret_token if config.respond_to?(:secret_token)
19
27
 
20
28
  secrets
21
29
  end
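Review bot: This hunk, which appears to belong to the Rails integration rather than lib/yaml_vault.rb (its file header is missing on this page), leaves the `from_content(IO.read(yaml), keys, cryptor_name, **options)` call untouched, yet the same release inserts `prefix` and `suffix` as positional parameters ahead of `cryptor_name` in `Main#initialize`, and `from_content` is an alias of `new`; `cryptor_name` therefore now binds to `prefix` and the cryptor argument arrives as `nil`. A Rails app configured for `aws-kms` or `gcp-kms` would fall into whatever the `else` branch of the cryptor `case` does, which is not visible here. Either pass the argument by position, `YamlVault::Main.from_content(IO.read(yaml), keys, nil, nil, cryptor_name, **options)`, or, better, make `prefix:`/`suffix:` keyword arguments on `Main` so existing callers keep working. Separately, the `&.` in `config&.secret_token` is redundant once `config.respond_to?(:secret_token)` has already been evaluated on the same object.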
@@ -1,3 +1,3 @@
1
1
  module YamlVault
2
- VERSION = "1.0.1"
2
+ VERSION = "1.2.0"
3
3
  end
@@ -3,11 +3,13 @@ require 'yaml'
3
3
 
4
4
  module YamlVault
5
5
  class YAMLTreeBuilder < YAML::TreeBuilder
6
- def initialize(target_paths, cryptor, mode)
6
+ def initialize(target_paths, prefix, suffix, cryptor, mode)
7
7
  super()
8
8
 
9
9
  @path_stack = []
10
10
  @target_paths = target_paths
11
+ @prefix = prefix
12
+ @suffix = suffix
11
13
  @cryptor = cryptor
12
14
  @mode = mode
13
15
  end
@@ -74,7 +76,9 @@ module YamlVault
74
76
  else
75
77
  result.value = @cryptor.encrypt(value)
76
78
  end
79
+ result.value = add_prefix_and_suffix(result.value)
77
80
  else
81
+ value = remove_prefix_and_suffix(value)
78
82
  decrypted_value = @cryptor.decrypt(value).to_s
79
83
  if decrypted_value =~ /\A(!.*?)\s+(.*)\z/
80
84
  result.tag = $1
@@ -92,12 +96,28 @@ module YamlVault
92
96
  end
93
97
 
94
98
  def alias(anchor)
95
- @path_stack.pop
99
+ unless @last.is_a?(YAML::Nodes::Sequence)
100
+ @path_stack.pop
101
+ end
96
102
  super
97
103
  end
98
104
 
99
105
  private
100
106
 
107
+ def add_prefix_and_suffix(value)
108
+ return "#{@prefix}#{value}#{@suffix}"
109
+ end
110
+
111
+ def remove_prefix_and_suffix(value)
112
+ if @prefix != nil && value.start_with?(@prefix)
113
+ value = value.delete_prefix(@prefix)
114
+ end
115
+ if @suffix != nil && value.end_with?(@suffix)
116
+ value = value.delete_suffix(@suffix)
117
+ end
118
+ value
119
+ end
120
+
101
121
  def match_path?
102
122
  @target_paths.any? do |target_path|
103
123
  target_path.each_with_index.all? do |path, i|
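Review bot: `remove_prefix_and_suffix` strips the markers only when they are present and otherwise hands the raw scalar to `@cryptor.decrypt`, so a value that was never wrapped, or was wrapped with a different `--prefix`, is indistinguishable from a correctly wrapped one until the cryptor fails on it; if every targeted value is expected to carry the markers, a `raise ArgumentError, "expected value wrapped in #{@prefix.inspect}/#{@suffix.inspect}"` in the non-matching case would report the mismatch instead of a generic decrypt error. The method also uses `@prefix != nil` where `@prefix &&` is idiomatic, and `add_prefix_and_suffix` has an explicit `return` on its only expression. A one-line comment on `initialize` saying that `prefix`/`suffix` are cosmetic wrappers applied after `@cryptor.encrypt` and stripped before `@cryptor.decrypt`, so whatever integrity check the cryptor applies cannot cover them, would help the next reader. The `scalar` method that calls these helpers starts and ends outside the hunk.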
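--- a/data/yaml_vault.gemspec
+++ b/data/yaml_vault.gemspec
@@ -12,6 +12,7 @@ Gem::Specification.new do |spec|
 spec.summary = %q{yaml encryption/decryption helper.}
 spec.description = %q{yaml encryption/decryption helper.}
 spec.homepage = "https://github.com/joker1007/yaml_vault"
+spec.license = "MIT"
 
 spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
 spec.bindir = "exe"
@@ -21,7 +22,7 @@ Gem::Specification.new do |spec|
 spec.add_runtime_dependency "activesupport", ">= 4"
 spec.add_runtime_dependency "thor"
 
-spec.add_development_dependency "bundler", "~> 1.11"
-spec.add_development_dependency "rake", "~> 10.0"
+spec.add_development_dependency "bundler", "~> 2.0"
+spec.add_development_dependency "rake", "~> 12.0"
 spec.add_development_dependency "rspec", "~> 3.0"
 end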
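Review bot: The gemspec still declares no `required_ruby_version`, yet this release starts calling `String#delete_prefix`/`delete_suffix` (Ruby 2.5+) in the tree builder and uses `&.` in the Rails integration, and `.travis.yml` now exercises only 2.5.2 and 2.6.2. Without the constraint, `gem install yaml_vault` succeeds on an older interpreter and fails only at decrypt time with a `NoMethodError`. Add `spec.required_ruby_version = ">= 2.5"` next to the new `spec.license` line. The bundler `~> 2.0` pin added here is a development dependency and does not protect installers.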
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: yaml_vault
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.1
4
+ version: 1.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - joker1007
8
- autorequire:
8
+ autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2017-10-05 00:00:00.000000000 Z
11
+ date: 2021-04-27 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -44,28 +44,28 @@ dependencies:
44
44
  requirements:
45
45
  - - "~>"
46
46
  - !ruby/object:Gem::Version
47
- version: '1.11'
47
+ version: '2.0'
48
48
  type: :development
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
52
  - - "~>"
53
53
  - !ruby/object:Gem::Version
54
- version: '1.11'
54
+ version: '2.0'
55
55
  - !ruby/object:Gem::Dependency
56
56
  name: rake
57
57
  requirement: !ruby/object:Gem::Requirement
58
58
  requirements:
59
59
  - - "~>"
60
60
  - !ruby/object:Gem::Version
61
- version: '10.0'
61
+ version: '12.0'
62
62
  type: :development
63
63
  prerelease: false
64
64
  version_requirements: !ruby/object:Gem::Requirement
65
65
  requirements:
66
66
  - - "~>"
67
67
  - !ruby/object:Gem::Version
68
- version: '10.0'
68
+ version: '12.0'
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: rspec
71
71
  requirement: !ruby/object:Gem::Requirement
@@ -94,6 +94,7 @@ files:
94
94
  - ".travis.yml"
95
95
  - Dockerfile
96
96
  - Gemfile
97
+ - LICENSE.txt
97
98
  - README.md
98
99
  - Rakefile
99
100
  - bin/console
@@ -106,9 +107,10 @@ files:
106
107
  - lib/yaml_vault/yaml_tree_builder.rb
107
108
  - yaml_vault.gemspec
108
109
  homepage: https://github.com/joker1007/yaml_vault
109
- licenses: []
110
+ licenses:
111
+ - MIT
110
112
  metadata: {}
111
- post_install_message:
113
+ post_install_message:
112
114
  rdoc_options: []
113
115
  require_paths:
114
116
  - lib
@@ -123,9 +125,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
123
125
  - !ruby/object:Gem::Version
124
126
  version: '0'
125
127
  requirements: []
126
- rubyforge_project:
127
- rubygems_version: 2.6.13
128
- signing_key:
128
+ rubygems_version: 3.2.3
129
+ signing_key:
129
130
  specification_version: 4
130
131
  summary: yaml encryption/decryption helper.
131
132
  test_files: []