yaml_vault 1.1.3 → 1.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/README.md +14 -0
- data/exe/yaml_vault +6 -0
- data/lib/yaml_vault.rb +7 -5
- data/lib/yaml_vault/rails.rb +1 -1
- data/lib/yaml_vault/version.rb +1 -1
- data/lib/yaml_vault/yaml_tree_builder.rb +19 -1
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5d971a272200b74721608df31003f4fe36c267debc941b249e046c9d3c0eda87
|
|
4
|
+
data.tar.gz: 05e9089f383a10b942b63c6378a876d23a9d24c00dd6bd5135c83955f3d857ce
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8c2604b1ecc2f4c85968fa4a673a3a6f34ad29c18805c63fbffb2a82a896fde931a0c45c77d4c64aa3f413ba2ba13010474f92cdc84f11b9cdf7f431e20c61da
|
|
7
|
+
data.tar.gz: 24102ad777468b515c728d686d496d93c92a77e5c5864899406a90e49200fa6dca6a9ee44fa237210b763084fe9be2fbe65fffba4112ea1c9b7786176b1de46e
|
data/.gitignore
CHANGED
data/README.md
CHANGED
|
@@ -180,6 +180,18 @@ vault:
|
|
|
180
180
|
|
|
181
181
|
ex. `$.production.:slaves.[0].*.:password`
|
|
182
182
|
|
|
183
|
+
You can also use the `--prefix` and `--suffix` options to format the encrypted value. i.e by providing `--prefix "ENC(" --suffix ")"` you can get the following output from the above example:
|
|
184
|
+
|
|
185
|
+
```yml
|
|
186
|
+
# encrypted_secrets.yml
|
|
187
|
+
|
|
188
|
+
default: &default
|
|
189
|
+
...
|
|
190
|
+
vault:
|
|
191
|
+
secret_data: ENC(SzZoOGlpcSs4UlBaQnhTYWx0YlN3NHk2QXhiZGYvVmpsc0c3ckllSlh1TT0tLU13ZERzRWsxaGc0Y090blNIdXVVMmc9PQ==--24b2af56d2563776ca316dbfa243333dd053fea1)
|
|
192
|
+
...
|
|
193
|
+
```
|
|
194
|
+
|
|
183
195
|
#### AWS KMS Encryption
|
|
184
196
|
|
|
185
197
|
Max encryptable size is 4096 bytes. (value size as encoded by Base64)
|
|
@@ -215,6 +227,8 @@ Enter passphrase: <enter your passphrase>
|
|
|
215
227
|
|
|
216
228
|
If `ENV["YAML_VAULT_PASSPHRASE"]`, use it as passphrase
|
|
217
229
|
|
|
230
|
+
Note to pass the same `--suffix` and `--prefix` if the yaml was encrypted using these options.
|
|
231
|
+
|
|
218
232
|
#### AWS KMS Decryption
|
|
219
233
|
|
|
220
234
|
```
|
data/exe/yaml_vault
CHANGED
|
@@ -8,6 +8,8 @@ class YamlVault::Cli < Thor
|
|
|
8
8
|
include Thor::Actions
|
|
9
9
|
|
|
10
10
|
class_option :key, aliases: "-k", type: :string, banner: "KEYNAME (format: \"KEY1.INNER_KEY,KEY2\")", desc: "target key", default: "$"
|
|
11
|
+
class_option :prefix, type: :string, banner: "PREFIX", desc: "prefix string to add to the encrypted value"
|
|
12
|
+
class_option :suffix, type: :string, banner: "SUFFIX", desc: "suffix string to add to the encrypted value"
|
|
11
13
|
class_option :cryptor, type: :string, enum: %w(simple aws-kms gcp-kms), default: "simple"
|
|
12
14
|
|
|
13
15
|
class_option :salt, aliases: "-s", type: :string
|
|
@@ -33,6 +35,8 @@ class YamlVault::Cli < Thor
|
|
|
33
35
|
encrypted_yaml = YamlVault::Main.from_file(
|
|
34
36
|
yaml_file,
|
|
35
37
|
target_keys,
|
|
38
|
+
options[:prefix],
|
|
39
|
+
options[:suffix],
|
|
36
40
|
options[:cryptor],
|
|
37
41
|
passphrase: passphrase,
|
|
38
42
|
sign_passphrase: sign_passphrase,
|
|
@@ -57,6 +61,8 @@ class YamlVault::Cli < Thor
|
|
|
57
61
|
decrypted_yaml = YamlVault::Main.from_file(
|
|
58
62
|
yaml_file,
|
|
59
63
|
target_keys,
|
|
64
|
+
options[:prefix],
|
|
65
|
+
options[:suffix],
|
|
60
66
|
options[:cryptor],
|
|
61
67
|
passphrase: passphrase,
|
|
62
68
|
sign_passphrase: sign_passphrase,
|
data/lib/yaml_vault.rb
CHANGED
|
@@ -11,22 +11,24 @@ require 'yaml_vault/yaml_tree_builder'
|
|
|
11
11
|
module YamlVault
|
|
12
12
|
class Main
|
|
13
13
|
class << self
|
|
14
|
-
def from_file(filename, keys, cryptor_name = nil, **options)
|
|
14
|
+
def from_file(filename, keys, prefix = nil, suffix = nil, cryptor_name = nil, **options)
|
|
15
15
|
yaml_content = ERB.new(File.read(filename)).result
|
|
16
|
-
new(yaml_content, keys, cryptor_name, **options)
|
|
16
|
+
new(yaml_content, keys, prefix, suffix, cryptor_name, **options)
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
alias :from_content :new
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
def initialize(
|
|
23
|
-
yaml_content, keys, cryptor_name = nil,
|
|
23
|
+
yaml_content, keys, prefix = nil, suffix = nil, cryptor_name = nil,
|
|
24
24
|
passphrase: nil, sign_passphrase: nil, salt: nil, cipher: "aes-256-cbc", key_len: 32, signature_key_len: 64, digest: "SHA256",
|
|
25
25
|
aws_kms_key_id: nil, aws_region: nil, aws_access_key_id: nil, aws_secret_access_key: nil, aws_profile: nil,
|
|
26
26
|
gcp_kms_resource_id: nil, gcp_credential_file: nil
|
|
27
27
|
)
|
|
28
28
|
@yaml = yaml_content
|
|
29
29
|
@keys = keys
|
|
30
|
+
@prefix = prefix
|
|
31
|
+
@suffix = suffix
|
|
30
32
|
|
|
31
33
|
@passphrase = passphrase
|
|
32
34
|
@sign_passphrase = sign_passphrase
|
|
@@ -49,12 +51,12 @@ module YamlVault
|
|
|
49
51
|
end
|
|
50
52
|
|
|
51
53
|
def encrypt
|
|
52
|
-
parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @cryptor, :encrypt))
|
|
54
|
+
parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @prefix, @suffix, @cryptor, :encrypt))
|
|
53
55
|
parser.parse(@yaml).handler.root
|
|
54
56
|
end
|
|
55
57
|
|
|
56
58
|
def decrypt
|
|
57
|
-
parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @cryptor, :decrypt))
|
|
59
|
+
parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @prefix, @suffix, @cryptor, :decrypt))
|
|
58
60
|
parser.parse(@yaml).handler.root
|
|
59
61
|
end
|
|
60
62
|
|
data/lib/yaml_vault/rails.rb
CHANGED
|
@@ -23,7 +23,7 @@ module YamlVault
|
|
|
23
23
|
# Fallback to config.secret_key_base if secrets.secret_key_base isn't set
|
|
24
24
|
secrets.secret_key_base ||= config.secret_key_base
|
|
25
25
|
# Fallback to config.secret_token if secrets.secret_token isn't set
|
|
26
|
-
secrets.secret_token ||= config.secret_token
|
|
26
|
+
secrets.secret_token ||= config&.secret_token if config.respond_to?(:secret_token)
|
|
27
27
|
|
|
28
28
|
secrets
|
|
29
29
|
end
|
data/lib/yaml_vault/version.rb
CHANGED
|
@@ -3,11 +3,13 @@ require 'yaml'
|
|
|
3
3
|
|
|
4
4
|
module YamlVault
|
|
5
5
|
class YAMLTreeBuilder < YAML::TreeBuilder
|
|
6
|
-
def initialize(target_paths, cryptor, mode)
|
|
6
|
+
def initialize(target_paths, prefix, suffix, cryptor, mode)
|
|
7
7
|
super()
|
|
8
8
|
|
|
9
9
|
@path_stack = []
|
|
10
10
|
@target_paths = target_paths
|
|
11
|
+
@prefix = prefix
|
|
12
|
+
@suffix = suffix
|
|
11
13
|
@cryptor = cryptor
|
|
12
14
|
@mode = mode
|
|
13
15
|
end
|
|
@@ -74,7 +76,9 @@ module YamlVault
|
|
|
74
76
|
else
|
|
75
77
|
result.value = @cryptor.encrypt(value)
|
|
76
78
|
end
|
|
79
|
+
result.value = add_prefix_and_suffix(result.value)
|
|
77
80
|
else
|
|
81
|
+
value = remove_prefix_and_suffix(value)
|
|
78
82
|
decrypted_value = @cryptor.decrypt(value).to_s
|
|
79
83
|
if decrypted_value =~ /\A(!.*?)\s+(.*)\z/
|
|
80
84
|
result.tag = $1
|
|
@@ -100,6 +104,20 @@ module YamlVault
|
|
|
100
104
|
|
|
101
105
|
private
|
|
102
106
|
|
|
107
|
+
def add_prefix_and_suffix(value)
|
|
108
|
+
return "#{@prefix}#{value}#{@suffix}"
|
|
109
|
+
end
|
|
110
|
+
|
|
111
|
+
def remove_prefix_and_suffix(value)
|
|
112
|
+
if @prefix != nil && value.start_with?(@prefix)
|
|
113
|
+
value = value.delete_prefix(@prefix)
|
|
114
|
+
end
|
|
115
|
+
if @suffix != nil && value.end_with?(@suffix)
|
|
116
|
+
value = value.delete_suffix(@suffix)
|
|
117
|
+
end
|
|
118
|
+
value
|
|
119
|
+
end
|
|
120
|
+
|
|
103
121
|
def match_path?
|
|
104
122
|
@target_paths.any? do |target_path|
|
|
105
123
|
target_path.each_with_index.all? do |path, i|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: yaml_vault
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- joker1007
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2021-04-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -110,7 +110,7 @@ homepage: https://github.com/joker1007/yaml_vault
|
|
|
110
110
|
licenses:
|
|
111
111
|
- MIT
|
|
112
112
|
metadata: {}
|
|
113
|
-
post_install_message:
|
|
113
|
+
post_install_message:
|
|
114
114
|
rdoc_options: []
|
|
115
115
|
require_paths:
|
|
116
116
|
- lib
|
|
@@ -125,8 +125,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
125
125
|
- !ruby/object:Gem::Version
|
|
126
126
|
version: '0'
|
|
127
127
|
requirements: []
|
|
128
|
-
rubygems_version: 3.
|
|
129
|
-
signing_key:
|
|
128
|
+
rubygems_version: 3.2.3
|
|
129
|
+
signing_key:
|
|
130
130
|
specification_version: 4
|
|
131
131
|
summary: yaml encryption/decryption helper.
|
|
132
132
|
test_files: []
|