yaml_vault 1.0.1 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 4113736dbf8ce7c2b0c505b95fbbb2ba554a9376
-  data.tar.gz: 84b726f8245e7e74210720aa27ed864acfb81ee1
+SHA256:
+  metadata.gz: 5d971a272200b74721608df31003f4fe36c267debc941b249e046c9d3c0eda87
+  data.tar.gz: 05e9089f383a10b942b63c6378a876d23a9d24c00dd6bd5135c83955f3d857ce
 SHA512:
-  metadata.gz: c27f4477a86e9d01c4f73aff041656e1b0c344f97add07b5e4643a7914c921fd0d3d788ae11f8b670a285f972b8064d3ac8231e862f685f8268982a09bfd604d
-  data.tar.gz: 410fe9f926db4ab5f15537ce73d670b87aeaeaba9f5013e8a030dead403e3eb746f228e2fafbbcc9431a6d1c15d84a2368cd0bd55c13cc6b4360dd7eebf7635c
+  metadata.gz: 8c2604b1ecc2f4c85968fa4a673a3a6f34ad29c18805c63fbffb2a82a896fde931a0c45c77d4c64aa3f413ba2ba13010474f92cdc84f11b9cdf7f431e20c61da
+  data.tar.gz: 24102ad777468b515c728d686d496d93c92a77e5c5864899406a90e49200fa6dca6a9ee44fa237210b763084fe9be2fbe65fffba4112ea1c9b7786176b1de46e

data/.gitignore

@@ -9,3 +9,4 @@
 /tmp/
 
 .envrc
+.idea

data/.travis.yml

@@ -1,5 +1,7 @@
+sudo: false
 language: ruby
+cache: bundler
 rvm:
-  - 2.3.4
-  - 2.4.2
-before_install: gem install bundler
+  - 2.6.2
+  - 2.5.2
+before_install: gem install bundler -v 2.0.1

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 joker1007
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -180,6 +180,18 @@ vault:
 
 ex. `$.production.:slaves.[0].*.:password`
 
+You can also use the `--prefix` and `--suffix` options to format the encrypted value. i.e by providing `--prefix "ENC(" --suffix ")"` you can get the following output from the above example:
+
+```yml
+# encrypted_secrets.yml
+
+default: &default
+...
+vault:
+  secret_data: ENC(SzZoOGlpcSs4UlBaQnhTYWx0YlN3NHk2QXhiZGYvVmpsc0c3ckllSlh1TT0tLU13ZERzRWsxaGc0Y090blNIdXVVMmc9PQ==--24b2af56d2563776ca316dbfa243333dd053fea1)
+...
+```
+
 #### AWS KMS Encryption
 
 Max encryptable size is 4096 bytes. (value size as encoded by Base64)
@@ -215,6 +227,8 @@ Enter passphrase: <enter your passphrase>
 
 If `ENV["YAML_VAULT_PASSPHRASE"]`, use it as passphrase
 
+Note to pass the same `--suffix` and `--prefix` if the yaml was encrypted using these options.
+
 #### AWS KMS Decryption
 
 ```

data/exe/yaml_vault

@@ -8,6 +8,8 @@ class YamlVault::Cli < Thor
   include Thor::Actions
 
   class_option :key, aliases: "-k", type: :string, banner: "KEYNAME (format: \"KEY1.INNER_KEY,KEY2\")", desc: "target key", default: "$"
+  class_option :prefix, type: :string, banner: "PREFIX", desc: "prefix string to add to the encrypted value"
+  class_option :suffix, type: :string, banner: "SUFFIX", desc: "suffix string to add to the encrypted value"
   class_option :cryptor, type: :string, enum: %w(simple aws-kms gcp-kms), default: "simple"
 
   class_option :salt, aliases: "-s", type: :string
@@ -21,6 +23,7 @@ class YamlVault::Cli < Thor
   class_option :aws_region, type: :string
   class_option :aws_access_key_id, type: :string
   class_option :aws_secret_access_key, type: :string
+  class_option :aws_profile, type: :string
 
   class_option :gcp_kms_resource_id, type: :string
   class_option :gcp_credential_file, type: :string
@@ -32,6 +35,8 @@ class YamlVault::Cli < Thor
     encrypted_yaml = YamlVault::Main.from_file(
       yaml_file,
       target_keys,
+      options[:prefix],
+      options[:suffix],
       options[:cryptor],
       passphrase: passphrase,
       sign_passphrase: sign_passphrase,
@@ -41,6 +46,7 @@ class YamlVault::Cli < Thor
       aws_region: options[:aws_region],
       aws_access_key_id: options[:aws_access_key_id],
       aws_secret_access_key: options[:aws_secret_access_key],
+      aws_profile: options[:aws_profile],
       gcp_kms_resource_id: options[:gcp_kms_resource_id],
       gcp_credential_file: options[:gcp_credential_file]
     ).encrypt_yaml
@@ -55,6 +61,8 @@ class YamlVault::Cli < Thor
     decrypted_yaml = YamlVault::Main.from_file(
       yaml_file,
       target_keys,
+      options[:prefix],
+      options[:suffix],
       options[:cryptor],
       passphrase: passphrase,
       sign_passphrase: sign_passphrase,
@@ -63,6 +71,7 @@ class YamlVault::Cli < Thor
       aws_region: options[:aws_region],
       aws_access_key_id: options[:aws_access_key_id],
       aws_secret_access_key: options[:aws_secret_access_key],
+      aws_profile: options[:aws_profile],
       gcp_kms_resource_id: options[:gcp_kms_resource_id],
       gcp_credential_file: options[:gcp_credential_file]
     ).decrypt_yaml

data/lib/yaml_vault.rb

@@ -11,22 +11,24 @@ require 'yaml_vault/yaml_tree_builder'
 module YamlVault
   class Main
     class << self
-      def from_file(filename, keys, cryptor_name = nil, **options)
+      def from_file(filename, keys, prefix = nil, suffix = nil, cryptor_name = nil, **options)
         yaml_content = ERB.new(File.read(filename)).result
-        new(yaml_content, keys, cryptor_name, **options)
+        new(yaml_content, keys, prefix, suffix, cryptor_name, **options)
       end
 
       alias :from_content :new
     end
 
     def initialize(
-      yaml_content, keys, cryptor_name = nil,
+      yaml_content, keys, prefix = nil, suffix = nil, cryptor_name = nil,
       passphrase: nil, sign_passphrase: nil, salt: nil, cipher: "aes-256-cbc", key_len: 32, signature_key_len: 64, digest: "SHA256",
-      aws_kms_key_id: nil, aws_region: nil, aws_access_key_id: nil, aws_secret_access_key: nil,
+      aws_kms_key_id: nil, aws_region: nil, aws_access_key_id: nil, aws_secret_access_key: nil, aws_profile: nil,
       gcp_kms_resource_id: nil, gcp_credential_file: nil
     )
       @yaml = yaml_content
       @keys = keys
+      @prefix = prefix
+      @suffix = suffix
 
       @passphrase = passphrase
       @sign_passphrase = sign_passphrase
@@ -40,6 +42,7 @@ module YamlVault
       @aws_region = aws_region
       @aws_access_key_id = aws_access_key_id
       @aws_secret_access_key = aws_secret_access_key
+      @aws_profile = aws_profile
 
       @gcp_kms_resource_id = gcp_kms_resource_id
       @gcp_credential_file = gcp_credential_file
@@ -48,12 +51,12 @@ module YamlVault
     end
 
     def encrypt
-      parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @cryptor, :encrypt))
+      parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @prefix, @suffix, @cryptor, :encrypt))
       parser.parse(@yaml).handler.root
     end
 
     def decrypt
-      parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @cryptor, :decrypt))
+      parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @prefix, @suffix, @cryptor, :decrypt))
       parser.parse(@yaml).handler.root
     end
 
@@ -80,7 +83,7 @@ module YamlVault
       when "simple"
         ValueCryptor::Simple.new(@passphrase, @sign_passphrase, @salt, @cipher, @digest, @key_len, @signature_key_len)
       when "aws-kms", "kms"
-        ValueCryptor::KMS.new(@aws_kms_key_id, region: @aws_region, aws_access_key_id: @aws_access_key_id, aws_secret_access_key: @aws_secret_access_key)
+        ValueCryptor::KMS.new(@aws_kms_key_id, region: @aws_region, aws_access_key_id: @aws_access_key_id, aws_secret_access_key: @aws_secret_access_key, aws_profile: @aws_profile)
       when "gcp-kms"
         ValueCryptor::GCPKMS.new(@gcp_kms_resource_id, @gcp_credential_file)
       else
@@ -111,7 +114,7 @@ module YamlVault
       end
 
       class KMS
-        def initialize(key_id, region: nil, aws_access_key_id: nil, aws_secret_access_key: nil)
+        def initialize(key_id, region: nil, aws_access_key_id: nil, aws_secret_access_key: nil, aws_profile: nil)
           begin
             begin
               require 'aws-sdk-kms'
@@ -128,6 +131,7 @@ module YamlVault
           options[:region] = region if region
           options[:access_key_id] = aws_access_key_id if aws_access_key_id
           options[:secret_access_key] = aws_secret_access_key if aws_secret_access_key
+          options[:profile] = aws_profile if aws_profile
           @client = Aws::KMS::Client.new(options)
           @key_id = key_id
         end

data/lib/yaml_vault/rails.rb

@@ -9,13 +9,21 @@ module YamlVault
           if File.exist?(yaml)
             all_secrets = YamlVault::Main.from_content(IO.read(yaml), keys, cryptor_name, **options).decrypt_hash
             env_secrets = all_secrets[::Rails.env]
-            secrets.merge!(env_secrets.symbolize_keys) if env_secrets
+            if env_secrets
+              if Gem::Version.new(::Rails::VERSION::STRING) >= Gem::Version.new("5.1")
+                # In Rails 5.1, nested keys are also symbolized
+                # cf. https://github.com/rails/rails/pull/26929
+                secrets.merge!(env_secrets.deep_symbolize_keys)
+              else
+                secrets.merge!(env_secrets.symbolize_keys)
+              end
+            end
           end
 
           # Fallback to config.secret_key_base if secrets.secret_key_base isn't set
           secrets.secret_key_base ||= config.secret_key_base
           # Fallback to config.secret_token if secrets.secret_token isn't set
-          secrets.secret_token ||= config.secret_token
+          secrets.secret_token ||= config&.secret_token if config.respond_to?(:secret_token)
 
           secrets
         end

data/lib/yaml_vault/version.rb

@@ -1,3 +1,3 @@
 module YamlVault
-  VERSION = "1.0.1"
+  VERSION = "1.2.0"
 end

data/lib/yaml_vault/yaml_tree_builder.rb

@@ -3,11 +3,13 @@ require 'yaml'
 
 module YamlVault
   class YAMLTreeBuilder < YAML::TreeBuilder
-    def initialize(target_paths, cryptor, mode)
+    def initialize(target_paths, prefix, suffix, cryptor, mode)
       super()
 
       @path_stack = []
       @target_paths = target_paths
+      @prefix = prefix
+      @suffix = suffix
       @cryptor = cryptor
       @mode = mode
     end
@@ -74,7 +76,9 @@ module YamlVault
           else
             result.value = @cryptor.encrypt(value)
           end
+          result.value = add_prefix_and_suffix(result.value)
         else
+          value = remove_prefix_and_suffix(value)
           decrypted_value = @cryptor.decrypt(value).to_s
           if decrypted_value =~ /\A(!.*?)\s+(.*)\z/
             result.tag = $1
@@ -92,12 +96,28 @@ module YamlVault
     end
 
     def alias(anchor)
-      @path_stack.pop
+      unless @last.is_a?(YAML::Nodes::Sequence)
+        @path_stack.pop
+      end
       super
     end
 
     private
 
+    def add_prefix_and_suffix(value)
+      return "#{@prefix}#{value}#{@suffix}"
+    end
+
+    def remove_prefix_and_suffix(value)
+      if @prefix != nil && value.start_with?(@prefix)
+        value = value.delete_prefix(@prefix)
+      end
+      if @suffix != nil && value.end_with?(@suffix)
+        value = value.delete_suffix(@suffix)
+      end
+      value
+    end
+
     def match_path?
       @target_paths.any? do |target_path|
         target_path.each_with_index.all? do |path, i|

data/yaml_vault.gemspec

@@ -12,6 +12,7 @@ Gem::Specification.new do |spec|
   spec.summary       = %q{yaml encryption/decryption helper.}
   spec.description   = %q{yaml encryption/decryption helper.}
   spec.homepage      = "https://github.com/joker1007/yaml_vault"
+  spec.license       = "MIT"
 
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.bindir        = "exe"
@@ -21,7 +22,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency "activesupport", ">= 4"
   spec.add_runtime_dependency "thor"
 
-  spec.add_development_dependency "bundler", "~> 1.11"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 12.0"
   spec.add_development_dependency "rspec", "~> 3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yaml_vault
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.2.0
 platform: ruby
 authors:
 - joker1007
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2017-10-05 00:00:00.000000000 Z
+date: 2021-04-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -44,28 +44,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.11'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.11'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -94,6 +94,7 @@ files:
 - ".travis.yml"
 - Dockerfile
 - Gemfile
+- LICENSE.txt
 - README.md
 - Rakefile
 - bin/console
@@ -106,9 +107,10 @@ files:
 - lib/yaml_vault/yaml_tree_builder.rb
 - yaml_vault.gemspec
 homepage: https://github.com/joker1007/yaml_vault
-licenses: []
+licenses:
+- MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -123,9 +125,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.13
-signing_key: 
+rubygems_version: 3.2.3
+signing_key:
 specification_version: 4
 summary: yaml encryption/decryption helper.
 test_files: []