yaml_vault 0.2.0 → 0.3.0
- checksums.yaml +4 -4
- data/Dockerfile +5 -0
- data/README.md +56 -0
- data/exe/yaml_vault +2 -2
- data/lib/yaml_vault.rb +27 -10
- data/lib/yaml_vault/rails.rb +25 -0
- data/lib/yaml_vault/version.rb +1 -1
- metadata +4 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 69e1a7131d0d79028214fbc73d520ab3389dabc0
|
4
|
+
data.tar.gz: a6a1c6c272c99df46d821ddbfc5a7e67c2750a7b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 33938873fd2529c5cc4cf98692e4d8238acddc05a99d03b5df7f8b918600cc8c29ea180c6c4380f8ec61d80a68c574055c07eb646121b78914fde77d7079e64a
|
7
|
+
data.tar.gz: 9018d7ea4c777f25afeb8c1f0dc891086a4af8c9204b18f6c119339766210ad6d4413cc75f43ae8042fcd2ef31a9aa467eb644ae5c17637ab17ee056c6303c30
|
data/Dockerfile
ADDED
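--- a/data/README.md
+++ b/data/README.md
@@ -90,6 +90,20 @@ vault:
 - four: 4
 ```
 
+#### AWS KMS Encryption
+
+Max encryptable size is 4096 bytes. (value size as encoded by Base64)
+
+```
+% yaml_vault encrypt secrets.yml -o encrypted_secrets.yml --cryptor=aws-kms \
+--aws-region=ap-northeast-1 \
+--aws-kms-key-id=<kms-cms-key-id> \
+--aws-access-key-id=<AWS_ACCESS_KEY_ID> \
+--aws-secret-access-key=<AWS_SECRET_ACCESS_KEY>
+```
+
+If region, access_key_id, secret_access_key is not set, use `ENV["AWS_REGION"]`, `ENV["AWS_ACCESS_KEY_ID"]`, `ENV["AWS_SECRET_ACCESS_KEY"]`.
+
 ### Decrypt
 
 ```
@@ -99,6 +113,48 @@ Enter passphrase: <enter your passphrase>
 
 If `ENV["YAML_VAULT_PASSPHRASE"]`, use it as passphrase
 
+#### AWS KMS Decryption
+
+```
+% yaml_vault decrypt encrypted_secrets.yml -o secrets.yml --cryptor=aws-kms \
+--aws-region=ap-northeast-1 \
+--aws-access-key-id=<AWS_ACCESS_KEY_ID> \
+--aws-secret-access-key=<AWS_SECRET_ACCESS_KEY>
+```
+
+### Direct Assignment
+
+```ruby
+# decrypt `configs['vault']` and `configs['production']['password']`
+
+# Simple Encryption
+configs = YamlVault::Main.from_file(
+File.expand_path("../encrypted_sample.yml", __FILE__),
+[["vault"], ["production", "password"]],
+passphrase: ENV["YAML_VAULT_PASSPHRASE"], sign_passphrase: ENV["YAML_VAULT_SIGN_PASSPHRASE"]
+).decrypt
+
+# KMS
+configs = YamlVault::Main.from_file(
+File.expand_path("../encrypted_sample.yml", __FILE__),
+[["vault"], ["production", "password"]],
+"kms",
+aws_kms_key_id: ENV["AWS_KMS_KEY_ID"],
+aws_region: ENV["AWS_REGION"], # optional
+aws_access_key_id: "xxxxxxx", # optional
+aws_secret_access_key: "xxxxxxx", # optional
+).decrypt
+```
+
+## How to use with docker
+
+```bash
+docker run -it \
+-v `pwd`/:/vol \
+joker1007/yaml_vault \
+encrypt /vol/secrets.yml -o /vol/encrypted_secrets.yml
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment. Run `bundle exec yaml_vault` to use the gem in this directory, ignoring other installed copies of this gem.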
data/exe/yaml_vault
CHANGED
@@ -24,7 +24,7 @@ class YamlVault::Cli < Thor
|
|
24
24
|
method_option :output, aliases: "-o", type: :string, required: true
|
25
25
|
def encrypt(yaml_file)
|
26
26
|
passphrase, sign_passphrase = get_passphrase
|
27
|
-
encrypted_yaml = YamlVault::Main.
|
27
|
+
encrypted_yaml = YamlVault::Main.from_file(
|
28
28
|
yaml_file,
|
29
29
|
target_keys,
|
30
30
|
options[:cryptor],
|
@@ -44,7 +44,7 @@ class YamlVault::Cli < Thor
|
|
44
44
|
method_option :output, aliases: "-o", type: :string, required: true
|
45
45
|
def decrypt(yaml_file)
|
46
46
|
passphrase, sign_passphrase = get_passphrase
|
47
|
-
decrypted_yaml = YamlVault::Main.
|
47
|
+
decrypted_yaml = YamlVault::Main.from_file(
|
48
48
|
yaml_file,
|
49
49
|
target_keys,
|
50
50
|
options[:cryptor],
|
data/lib/yaml_vault.rb
CHANGED
@@ -6,12 +6,21 @@ require 'active_support'
|
|
6
6
|
|
7
7
|
module YamlVault
|
8
8
|
class Main
|
9
|
+
class << self
|
10
|
+
def from_file(filename, keys, cryptor_name = nil, **options)
|
11
|
+
yaml_content = ERB.new(File.read(filename)).result
|
12
|
+
new(yaml_content, keys, cryptor_name, **options)
|
13
|
+
end
|
14
|
+
|
15
|
+
alias :from_content :new
|
16
|
+
end
|
17
|
+
|
9
18
|
def initialize(
|
10
|
-
|
19
|
+
yaml_content, keys, cryptor_name = nil,
|
11
20
|
passphrase: nil, sign_passphrase: nil, salt: nil, cipher: "aes-256-cbc", digest: "SHA256",
|
12
21
|
aws_kms_key_id: nil, aws_region: nil, aws_access_key_id: nil, aws_secret_access_key: nil
|
13
22
|
)
|
14
|
-
@
|
23
|
+
@data = YAML.load(yaml_content)
|
15
24
|
@keys = keys
|
16
25
|
|
17
26
|
@passphrase = passphrase
|
@@ -28,24 +37,33 @@ module YamlVault
|
|
28
37
|
@cryptor = get_cryptor(cryptor_name)
|
29
38
|
end
|
30
39
|
|
31
|
-
def
|
40
|
+
def encrypt
|
32
41
|
process_yaml do |data|
|
33
42
|
do_process(data, :encrypt)
|
34
43
|
end
|
35
44
|
end
|
36
45
|
|
37
|
-
def
|
46
|
+
def decrypt
|
38
47
|
process_yaml do |data|
|
39
48
|
do_process(data, :decrypt)
|
40
49
|
end
|
41
50
|
end
|
42
51
|
|
52
|
+
def encrypt_yaml
|
53
|
+
encrypt.to_yaml
|
54
|
+
end
|
55
|
+
|
56
|
+
def decrypt_yaml
|
57
|
+
decrypt.to_yaml
|
58
|
+
end
|
59
|
+
|
43
60
|
private
|
44
61
|
|
45
62
|
def get_cryptor(name)
|
46
|
-
|
63
|
+
case name
|
64
|
+
when "simple"
|
47
65
|
ValueCryptor::Simple.new(@passphrase, @sign_passphrase, @salt, @cipher, @digest)
|
48
|
-
|
66
|
+
when "aws-kms", "kms"
|
49
67
|
ValueCryptor::KMS.new(@aws_kms_key_id, region: @aws_region, aws_access_key_id: @aws_access_key_id, aws_secret_access_key: @aws_secret_access_key)
|
50
68
|
else
|
51
69
|
ValueCryptor::Simple.new(@passphrase, @sign_passphrase, @salt, @cipher, @digest)
|
@@ -53,20 +71,19 @@ module YamlVault
|
|
53
71
|
end
|
54
72
|
|
55
73
|
def process_yaml
|
56
|
-
data = YAML.load(ERB.new(File.read(@yaml)).result)
|
57
74
|
@keys.each do |key|
|
58
|
-
target = key.inject(data) do |t, part|
|
75
|
+
target = key.inject(@data) do |t, part|
|
59
76
|
t[part]
|
60
77
|
end
|
61
78
|
|
62
79
|
vault_data = yield target
|
63
80
|
|
64
|
-
target_parent = key[0..-2].inject(data) do |t, part|
|
81
|
+
target_parent = key[0..-2].inject(@data) do |t, part|
|
65
82
|
t[part]
|
66
83
|
end
|
67
84
|
target_parent[key[-1]] = vault_data
|
68
85
|
end
|
69
|
-
data
|
86
|
+
@data
|
70
87
|
end
|
71
88
|
|
72
89
|
def do_process(data, method)
|
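Review bot: `@data = YAML.load(yaml_content)` in the new initializer (hunk @@ -6,12 +6,21 @@) uses the full Psych loader, which on Psych versions before 4 instantiates arbitrary tagged Ruby objects, and the new `from_content` alias now accepts content straight from callers rather than only from a file the operator chose; consider `YAML.safe_load(yaml_content)` with any aliases or extra classes the secrets files rely on permitted explicitly, or at least a comment on that line stating that the content is expected to be operator-controlled. Separately, `process_yaml` (hunk @@ -53,20 +71,19 @@) now writes the transformed values back into `@data` and returns that same object, so a second `encrypt` on one instance encrypts the already-encrypted values; 0.2.0 re-read the file on every call, so this is a behavior change that deserves either a deep copy before processing or a note in the method's documentation. `get_cryptor` still falls through to `ValueCryptor::Simple` for any unrecognized name, so a mistyped `--cryptor` value silently encrypts with the passphrase cryptor instead of KMS; `else raise ArgumentError, "unknown cryptor: #{name}"` would surface it.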
@@ -0,0 +1,25 @@
|
|
1
|
+
module YamlVault
|
2
|
+
module Rails
|
3
|
+
class << self
|
4
|
+
def override_secrets(keys, cryptor_name = nil, **options)
|
5
|
+
config = ::Rails.application.config
|
6
|
+
::Rails.application.secrets = begin
|
7
|
+
secrets = ActiveSupport::OrderedOptions.new
|
8
|
+
yaml = config.paths["config/secrets"].first
|
9
|
+
if File.exist?(yaml)
|
10
|
+
all_secrets = YamlVault::Main.from_content(IO.read(yaml), keys, cryptor_name, **options).decrypt
|
11
|
+
env_secrets = all_secrets[::Rails.env]
|
12
|
+
secrets.merge!(env_secrets.symbolize_keys) if env_secrets
|
13
|
+
end
|
14
|
+
|
15
|
+
# Fallback to config.secret_key_base if secrets.secret_key_base isn't set
|
16
|
+
secrets.secret_key_base ||= config.secret_key_base
|
17
|
+
# Fallback to config.secret_token if secrets.secret_token isn't set
|
18
|
+
secrets.secret_token ||= config.secret_token
|
19
|
+
|
20
|
+
secrets
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
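Review bot: `YamlVault::Main.from_content(IO.read(yaml), keys, cryptor_name, **options).decrypt` on line 10 of the new file skips the ERB pass that `from_file` applies, so a `config/secrets.yml` that uses `<%= ENV[...] %>` (as the Rails-generated secrets.yml does for its production section) reaches the YAML parser with the template tags intact, and non-targeted values such as `secret_key_base` come back as literal template strings; `YamlVault::Main.from_file(yaml, keys, cryptor_name, **options).decrypt` keeps the two entry points consistent. If reading the content here is intentional, `File.read` is preferable to `IO.read`, since `IO.read` treats a path starting with `|` as a command to spawn and the rest of the gem already uses `File.read`. A short comment above `::Rails.application.secrets = begin` saying that this replaces the secrets Rails already loaded, rather than merging into them, would also help the next reader.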
data/lib/yaml_vault/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: yaml_vault
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- joker1007
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-
|
11
|
+
date: 2016-06-20 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -105,6 +105,7 @@ files:
|
|
105
105
|
- ".gitignore"
|
106
106
|
- ".rspec"
|
107
107
|
- ".travis.yml"
|
108
|
+
- Dockerfile
|
108
109
|
- Gemfile
|
109
110
|
- README.md
|
110
111
|
- Rakefile
|
@@ -112,6 +113,7 @@ files:
|
|
112
113
|
- bin/setup
|
113
114
|
- exe/yaml_vault
|
114
115
|
- lib/yaml_vault.rb
|
116
|
+
- lib/yaml_vault/rails.rb
|
115
117
|
- lib/yaml_vault/version.rb
|
116
118
|
- yaml_vault.gemspec
|
117
119
|
homepage: https://github.com/joker1007/yaml_vault
|