yaml_vault 1.1.3 → 1.3.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/rspec.yml +27 -0
- data/.gitignore +1 -0
- data/README.md +15 -1
- data/exe/yaml_vault +6 -0
- data/lib/yaml_vault/rails.rb +1 -1
- data/lib/yaml_vault/version.rb +1 -1
- data/lib/yaml_vault/yaml_compat.rb +21 -0
- data/lib/yaml_vault/yaml_tree_builder.rb +19 -1
- data/lib/yaml_vault.rb +9 -5
- metadata +8 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e89611f7bd2e7ca8692e1b689c0087babeec416a2350d1513e35b05d3c1e6758
|
|
4
|
+
data.tar.gz: 0b10d6e6dca3dfd371cb6dc19b1131ffd046d32b8718d02acea57f058559ee4b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 735ba23c5e3c063da8f3fb98ad73486bb0bff7ee99d83fdc7a26875dbd9b53ff4666f0cf6cb2d8ecb7687f690b960c877e1dd2ceb10ef319b91dce07a003170c
|
|
7
|
+
data.tar.gz: 422238e47e86038790fe12aa481d20b832e7f6a8eb66996db8c3df304d493835202003cfd3a4ecd330265ef27425cf8d4a3e7c7964148de723f8c3974b060cc5
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
name: RSpec
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
push:
|
|
5
|
+
branches: [ master ]
|
|
6
|
+
pull_request:
|
|
7
|
+
|
|
8
|
+
jobs:
|
|
9
|
+
test:
|
|
10
|
+
|
|
11
|
+
runs-on: ubuntu-latest
|
|
12
|
+
strategy:
|
|
13
|
+
matrix:
|
|
14
|
+
ruby-version: ['2.7', '3.0', '3.1']
|
|
15
|
+
|
|
16
|
+
steps:
|
|
17
|
+
- uses: actions/checkout@v2
|
|
18
|
+
- name: Set up Ruby
|
|
19
|
+
# To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
|
|
20
|
+
# change this to (see https://github.com/ruby/setup-ruby#versioning):
|
|
21
|
+
# uses: ruby/setup-ruby@v1
|
|
22
|
+
uses: ruby/setup-ruby@v1.110.0
|
|
23
|
+
with:
|
|
24
|
+
ruby-version: ${{ matrix.ruby-version }}
|
|
25
|
+
bundler-cache: true # runs 'bundle install' and caches installed gems automatically
|
|
26
|
+
- name: Run tests
|
|
27
|
+
run: bundle exec rake
|
data/.gitignore
CHANGED
data/README.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# YamlVault
|
|
2
2
|
[](https://badge.fury.io/rb/yaml_vault)
|
|
3
|
-
[](https://github.com/joker1007/yaml_vault/actions/workflows/rspec.yml)
|
|
4
4
|
|
|
5
5
|
Yaml file encryption/decryption helper.
|
|
6
6
|
|
|
@@ -180,6 +180,18 @@ vault:
|
|
|
180
180
|
|
|
181
181
|
ex. `$.production.:slaves.[0].*.:password`
|
|
182
182
|
|
|
183
|
+
You can also use the `--prefix` and `--suffix` options to format the encrypted value. i.e by providing `--prefix "ENC(" --suffix ")"` you can get the following output from the above example:
|
|
184
|
+
|
|
185
|
+
```yml
|
|
186
|
+
# encrypted_secrets.yml
|
|
187
|
+
|
|
188
|
+
default: &default
|
|
189
|
+
...
|
|
190
|
+
vault:
|
|
191
|
+
secret_data: ENC(SzZoOGlpcSs4UlBaQnhTYWx0YlN3NHk2QXhiZGYvVmpsc0c3ckllSlh1TT0tLU13ZERzRWsxaGc0Y090blNIdXVVMmc9PQ==--24b2af56d2563776ca316dbfa243333dd053fea1)
|
|
192
|
+
...
|
|
193
|
+
```
|
|
194
|
+
|
|
183
195
|
#### AWS KMS Encryption
|
|
184
196
|
|
|
185
197
|
Max encryptable size is 4096 bytes. (value size as encoded by Base64)
|
|
@@ -215,6 +227,8 @@ Enter passphrase: <enter your passphrase>
|
|
|
215
227
|
|
|
216
228
|
If `ENV["YAML_VAULT_PASSPHRASE"]`, use it as passphrase
|
|
217
229
|
|
|
230
|
+
Note to pass the same `--suffix` and `--prefix` if the yaml was encrypted using these options.
|
|
231
|
+
|
|
218
232
|
#### AWS KMS Decryption
|
|
219
233
|
|
|
220
234
|
```
|
data/exe/yaml_vault
CHANGED
|
@@ -8,6 +8,8 @@ class YamlVault::Cli < Thor
|
|
|
8
8
|
include Thor::Actions
|
|
9
9
|
|
|
10
10
|
class_option :key, aliases: "-k", type: :string, banner: "KEYNAME (format: \"KEY1.INNER_KEY,KEY2\")", desc: "target key", default: "$"
|
|
11
|
+
class_option :prefix, type: :string, banner: "PREFIX", desc: "prefix string to add to the encrypted value"
|
|
12
|
+
class_option :suffix, type: :string, banner: "SUFFIX", desc: "suffix string to add to the encrypted value"
|
|
11
13
|
class_option :cryptor, type: :string, enum: %w(simple aws-kms gcp-kms), default: "simple"
|
|
12
14
|
|
|
13
15
|
class_option :salt, aliases: "-s", type: :string
|
|
@@ -34,6 +36,8 @@ class YamlVault::Cli < Thor
|
|
|
34
36
|
yaml_file,
|
|
35
37
|
target_keys,
|
|
36
38
|
options[:cryptor],
|
|
39
|
+
options[:prefix],
|
|
40
|
+
options[:suffix],
|
|
37
41
|
passphrase: passphrase,
|
|
38
42
|
sign_passphrase: sign_passphrase,
|
|
39
43
|
salt: options[:salt], cipher: options[:cipher], key_len: options[:key_len],
|
|
@@ -58,6 +62,8 @@ class YamlVault::Cli < Thor
|
|
|
58
62
|
yaml_file,
|
|
59
63
|
target_keys,
|
|
60
64
|
options[:cryptor],
|
|
65
|
+
options[:prefix],
|
|
66
|
+
options[:suffix],
|
|
61
67
|
passphrase: passphrase,
|
|
62
68
|
sign_passphrase: sign_passphrase,
|
|
63
69
|
salt: options[:salt], cipher: options[:cipher], digest: options[:digest],
|
data/lib/yaml_vault/rails.rb
CHANGED
|
@@ -23,7 +23,7 @@ module YamlVault
|
|
|
23
23
|
# Fallback to config.secret_key_base if secrets.secret_key_base isn't set
|
|
24
24
|
secrets.secret_key_base ||= config.secret_key_base
|
|
25
25
|
# Fallback to config.secret_token if secrets.secret_token isn't set
|
|
26
|
-
secrets.secret_token ||= config.secret_token
|
|
26
|
+
secrets.secret_token ||= config&.secret_token if config.respond_to?(:secret_token)
|
|
27
27
|
|
|
28
28
|
secrets
|
|
29
29
|
end
|
data/lib/yaml_vault/version.rb
CHANGED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
module YamlVault
|
|
2
|
+
module YAMLCompat
|
|
3
|
+
refine YAML.singleton_class do
|
|
4
|
+
def load(yaml, **kw)
|
|
5
|
+
if YAML.respond_to?(:unsafe_load)
|
|
6
|
+
YAML.unsafe_load(yaml, **kw)
|
|
7
|
+
else
|
|
8
|
+
super(yaml, **kw)
|
|
9
|
+
end
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def load_file(filename, **kw)
|
|
13
|
+
if YAML.respond_to?(:unsafe_load_file)
|
|
14
|
+
YAML.unsafe_load_file(filename, **kw)
|
|
15
|
+
else
|
|
16
|
+
super(filename, **kw)
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
|
@@ -3,11 +3,13 @@ require 'yaml'
|
|
|
3
3
|
|
|
4
4
|
module YamlVault
|
|
5
5
|
class YAMLTreeBuilder < YAML::TreeBuilder
|
|
6
|
-
def initialize(target_paths, cryptor, mode)
|
|
6
|
+
def initialize(target_paths, prefix, suffix, cryptor, mode)
|
|
7
7
|
super()
|
|
8
8
|
|
|
9
9
|
@path_stack = []
|
|
10
10
|
@target_paths = target_paths
|
|
11
|
+
@prefix = prefix
|
|
12
|
+
@suffix = suffix
|
|
11
13
|
@cryptor = cryptor
|
|
12
14
|
@mode = mode
|
|
13
15
|
end
|
|
@@ -74,7 +76,9 @@ module YamlVault
|
|
|
74
76
|
else
|
|
75
77
|
result.value = @cryptor.encrypt(value)
|
|
76
78
|
end
|
|
79
|
+
result.value = add_prefix_and_suffix(result.value)
|
|
77
80
|
else
|
|
81
|
+
value = remove_prefix_and_suffix(value)
|
|
78
82
|
decrypted_value = @cryptor.decrypt(value).to_s
|
|
79
83
|
if decrypted_value =~ /\A(!.*?)\s+(.*)\z/
|
|
80
84
|
result.tag = $1
|
|
@@ -100,6 +104,20 @@ module YamlVault
|
|
|
100
104
|
|
|
101
105
|
private
|
|
102
106
|
|
|
107
|
+
def add_prefix_and_suffix(value)
|
|
108
|
+
return "#{@prefix}#{value}#{@suffix}"
|
|
109
|
+
end
|
|
110
|
+
|
|
111
|
+
def remove_prefix_and_suffix(value)
|
|
112
|
+
if @prefix != nil && value.start_with?(@prefix)
|
|
113
|
+
value = value.delete_prefix(@prefix)
|
|
114
|
+
end
|
|
115
|
+
if @suffix != nil && value.end_with?(@suffix)
|
|
116
|
+
value = value.delete_suffix(@suffix)
|
|
117
|
+
end
|
|
118
|
+
value
|
|
119
|
+
end
|
|
120
|
+
|
|
103
121
|
def match_path?
|
|
104
122
|
@target_paths.any? do |target_path|
|
|
105
123
|
target_path.each_with_index.all? do |path, i|
|
data/lib/yaml_vault.rb
CHANGED
|
@@ -7,26 +7,30 @@ require 'pp'
|
|
|
7
7
|
|
|
8
8
|
require 'yaml_vault/key_parser'
|
|
9
9
|
require 'yaml_vault/yaml_tree_builder'
|
|
10
|
+
require 'yaml_vault/yaml_compat'
|
|
10
11
|
|
|
11
12
|
module YamlVault
|
|
13
|
+
using YamlVault::YAMLCompat
|
|
12
14
|
class Main
|
|
13
15
|
class << self
|
|
14
|
-
def from_file(filename, keys, cryptor_name = nil, **options)
|
|
16
|
+
def from_file(filename, keys, cryptor_name = nil, prefix = nil, suffix = nil, **options)
|
|
15
17
|
yaml_content = ERB.new(File.read(filename)).result
|
|
16
|
-
new(yaml_content, keys, cryptor_name, **options)
|
|
18
|
+
new(yaml_content, keys, cryptor_name, prefix, suffix, **options)
|
|
17
19
|
end
|
|
18
20
|
|
|
19
21
|
alias :from_content :new
|
|
20
22
|
end
|
|
21
23
|
|
|
22
24
|
def initialize(
|
|
23
|
-
yaml_content, keys, cryptor_name = nil,
|
|
25
|
+
yaml_content, keys, cryptor_name = nil, prefix = nil, suffix = nil,
|
|
24
26
|
passphrase: nil, sign_passphrase: nil, salt: nil, cipher: "aes-256-cbc", key_len: 32, signature_key_len: 64, digest: "SHA256",
|
|
25
27
|
aws_kms_key_id: nil, aws_region: nil, aws_access_key_id: nil, aws_secret_access_key: nil, aws_profile: nil,
|
|
26
28
|
gcp_kms_resource_id: nil, gcp_credential_file: nil
|
|
27
29
|
)
|
|
28
30
|
@yaml = yaml_content
|
|
29
31
|
@keys = keys
|
|
32
|
+
@prefix = prefix
|
|
33
|
+
@suffix = suffix
|
|
30
34
|
|
|
31
35
|
@passphrase = passphrase
|
|
32
36
|
@sign_passphrase = sign_passphrase
|
|
@@ -49,12 +53,12 @@ module YamlVault
|
|
|
49
53
|
end
|
|
50
54
|
|
|
51
55
|
def encrypt
|
|
52
|
-
parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @cryptor, :encrypt))
|
|
56
|
+
parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @prefix, @suffix, @cryptor, :encrypt))
|
|
53
57
|
parser.parse(@yaml).handler.root
|
|
54
58
|
end
|
|
55
59
|
|
|
56
60
|
def decrypt
|
|
57
|
-
parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @cryptor, :decrypt))
|
|
61
|
+
parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @prefix, @suffix, @cryptor, :decrypt))
|
|
58
62
|
parser.parse(@yaml).handler.root
|
|
59
63
|
end
|
|
60
64
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: yaml_vault
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.3.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- joker1007
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-06-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -89,6 +89,7 @@ extensions: []
|
|
|
89
89
|
extra_rdoc_files: []
|
|
90
90
|
files:
|
|
91
91
|
- ".dockerignore"
|
|
92
|
+
- ".github/workflows/rspec.yml"
|
|
92
93
|
- ".gitignore"
|
|
93
94
|
- ".rspec"
|
|
94
95
|
- ".travis.yml"
|
|
@@ -104,13 +105,14 @@ files:
|
|
|
104
105
|
- lib/yaml_vault/key_parser.rb
|
|
105
106
|
- lib/yaml_vault/rails.rb
|
|
106
107
|
- lib/yaml_vault/version.rb
|
|
108
|
+
- lib/yaml_vault/yaml_compat.rb
|
|
107
109
|
- lib/yaml_vault/yaml_tree_builder.rb
|
|
108
110
|
- yaml_vault.gemspec
|
|
109
111
|
homepage: https://github.com/joker1007/yaml_vault
|
|
110
112
|
licenses:
|
|
111
113
|
- MIT
|
|
112
114
|
metadata: {}
|
|
113
|
-
post_install_message:
|
|
115
|
+
post_install_message:
|
|
114
116
|
rdoc_options: []
|
|
115
117
|
require_paths:
|
|
116
118
|
- lib
|
|
@@ -125,8 +127,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
125
127
|
- !ruby/object:Gem::Version
|
|
126
128
|
version: '0'
|
|
127
129
|
requirements: []
|
|
128
|
-
rubygems_version: 3.
|
|
129
|
-
signing_key:
|
|
130
|
+
rubygems_version: 3.3.3
|
|
131
|
+
signing_key:
|
|
130
132
|
specification_version: 4
|
|
131
133
|
summary: yaml encryption/decryption helper.
|
|
132
134
|
test_files: []
|