yaml_vault 1.1.3 → 1.2.0
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/README.md +14 -0
- data/exe/yaml_vault +6 -0
- data/lib/yaml_vault.rb +7 -5
- data/lib/yaml_vault/rails.rb +1 -1
- data/lib/yaml_vault/version.rb +1 -1
- data/lib/yaml_vault/yaml_tree_builder.rb +19 -1
- metadata +6 -6
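--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5d971a272200b74721608df31003f4fe36c267debc941b249e046c9d3c0eda87
+data.tar.gz: 05e9089f383a10b942b63c6378a876d23a9d24c00dd6bd5135c83955f3d857ce
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8c2604b1ecc2f4c85968fa4a673a3a6f34ad29c18805c63fbffb2a82a896fde931a0c45c77d4c64aa3f413ba2ba13010474f92cdc84f11b9cdf7f431e20c61da
+data.tar.gz: 24102ad777468b515c728d686d496d93c92a77e5c5864899406a90e49200fa6dca6a9ee44fa237210b763084fe9be2fbe65fffba4112ea1c9b7786176b1de46e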
data/.gitignore
CHANGED
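--- a/data/README.md
+++ b/data/README.md
@@ -180,6 +180,18 @@ vault:
 
 ex. `$.production.:slaves.[0].*.:password`
 
+You can also use the `--prefix` and `--suffix` options to format the encrypted value. i.e by providing `--prefix "ENC(" --suffix ")"` you can get the following output from the above example:
+
+```yml
+# encrypted_secrets.yml
+
+default: &default
+...
+vault:
+secret_data: ENC(SzZoOGlpcSs4UlBaQnhTYWx0YlN3NHk2QXhiZGYvVmpsc0c3ckllSlh1TT0tLU13ZERzRWsxaGc0Y090blNIdXVVMmc9PQ==--24b2af56d2563776ca316dbfa243333dd053fea1)
+...
+```
+
 #### AWS KMS Encryption
 
 Max encryptable size is 4096 bytes. (value size as encoded by Base64)
@@ -215,6 +227,8 @@ Enter passphrase: <enter your passphrase>
 
 If `ENV["YAML_VAULT_PASSPHRASE"]`, use it as passphrase
 
+Note to pass the same `--suffix` and `--prefix` if the yaml was encrypted using these options.
+
 #### AWS KMS Decryption
 
 ```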
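--- a/data/exe/yaml_vault
+++ b/data/exe/yaml_vault
@@ -8,6 +8,8 @@ class YamlVault::Cli < Thor
 include Thor::Actions
 
 class_option :key, aliases: "-k", type: :string, banner: "KEYNAME (format: \"KEY1.INNER_KEY,KEY2\")", desc: "target key", default: "$"
+class_option :prefix, type: :string, banner: "PREFIX", desc: "prefix string to add to the encrypted value"
+class_option :suffix, type: :string, banner: "SUFFIX", desc: "suffix string to add to the encrypted value"
 class_option :cryptor, type: :string, enum: %w(simple aws-kms gcp-kms), default: "simple"
 
 class_option :salt, aliases: "-s", type: :string
@@ -33,6 +35,8 @@ class YamlVault::Cli < Thor
 encrypted_yaml = YamlVault::Main.from_file(
 yaml_file,
 target_keys,
+options[:prefix],
+options[:suffix],
 options[:cryptor],
 passphrase: passphrase,
 sign_passphrase: sign_passphrase,
@@ -57,6 +61,8 @@ class YamlVault::Cli < Thor
 decrypted_yaml = YamlVault::Main.from_file(
 yaml_file,
 target_keys,
+options[:prefix],
+options[:suffix],
 options[:cryptor],
 passphrase: passphrase,
 sign_passphrase: sign_passphrase,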
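Review bot: The new `--prefix`/`--suffix` class options (hunk at line 8) describe the strings only as added to the encrypted value, while the README change in this same release says decryption must be given the same values; the option text should carry that, e.g. `desc: "prefix string to add to the encrypted value (pass the same value when decrypting)"` and the matching wording for `:suffix`. Both call sites (hunks at lines 35 and 61) hand the two values through positionally ahead of `options[:cryptor]`, so the argument order of `Main.from_file` is now load-bearing at two places; passing them as keywords would make the call sites self-describing. The `encrypt` and `decrypt` commands enclosing those calls start and end outside the hunks.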
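--- a/data/lib/yaml_vault.rb
+++ b/data/lib/yaml_vault.rb
@@ -11,22 +11,24 @@ require 'yaml_vault/yaml_tree_builder'
 module YamlVault
 class Main
 class << self
-def from_file(filename, keys, cryptor_name = nil, **options)
+def from_file(filename, keys, prefix = nil, suffix = nil, cryptor_name = nil, **options)
 yaml_content = ERB.new(File.read(filename)).result
-new(yaml_content, keys, cryptor_name, **options)
+new(yaml_content, keys, prefix, suffix, cryptor_name, **options)
 end
 
 alias :from_content :new
 end
 
 def initialize(
-yaml_content, keys, cryptor_name = nil,
+yaml_content, keys, prefix = nil, suffix = nil, cryptor_name = nil,
 passphrase: nil, sign_passphrase: nil, salt: nil, cipher: "aes-256-cbc", key_len: 32, signature_key_len: 64, digest: "SHA256",
 aws_kms_key_id: nil, aws_region: nil, aws_access_key_id: nil, aws_secret_access_key: nil, aws_profile: nil,
 gcp_kms_resource_id: nil, gcp_credential_file: nil
 )
 @yaml = yaml_content
 @keys = keys
+@prefix = prefix
+@suffix = suffix
 
 @passphrase = passphrase
 @sign_passphrase = sign_passphrase
@@ -49,12 +51,12 @@ module YamlVault
 end
 
 def encrypt
-parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @cryptor, :encrypt))
+parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @prefix, @suffix, @cryptor, :encrypt))
 parser.parse(@yaml).handler.root
 end
 
 def decrypt
-parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @cryptor, :decrypt))
+parser = YAML::Parser.new(YamlVault::YAMLTreeBuilder.new(@keys, @prefix, @suffix, @cryptor, :decrypt))
 parser.parse(@yaml).handler.root
 end
 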
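Review bot: Inserting `prefix` and `suffix` as positional parameters ahead of `cryptor_name` in `from_file` (line 14) and `initialize` (line 23) changes the meaning of the third positional argument, so an existing caller such as `Main.from_file(path, keys, "aws-kms")` — or `from_content`, which line 19 keeps as a public alias of `new` — now has its cryptor name taken as the prefix and presumably ends up with whatever `cryptor_name = nil` selects, without any error. Appending the two values to the existing keyword list keeps old calls working: leave `from_file`'s signature as it was and declare `yaml_content, keys, cryptor_name = nil, prefix: nil, suffix: nil,` in `initialize`, with the CLI passing `prefix: options[:prefix], suffix: options[:suffix]`. The cryptor selection that consumes `cryptor_name` lies outside the first hunk, so the fallback behaviour is inferred rather than visible here.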
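--- a/data/lib/yaml_vault/rails.rb
+++ b/data/lib/yaml_vault/rails.rb
@@ -23,7 +23,7 @@ module YamlVault
 # Fallback to config.secret_key_base if secrets.secret_key_base isn't set
 secrets.secret_key_base ||= config.secret_key_base
 # Fallback to config.secret_token if secrets.secret_token isn't set
-secrets.secret_token ||= config.secret_token
+secrets.secret_token ||= config&.secret_token if config.respond_to?(:secret_token)
 
 secrets
 end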
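Review bot: The safe-navigation operator in `config&.secret_token` (line 26) is redundant: the modifier `if config.respond_to?(:secret_token)` has already sent a message to `config`, so a nil `config` would raise there before the `&.` could ever matter, and line 24 calls `config.secret_key_base` unguarded anyway. `secrets.secret_token ||= config.secret_token if config.respond_to?(:secret_token)` expresses the intent without implying that `config` may be nil. The method this line belongs to begins outside the hunk.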
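--- a/data/lib/yaml_vault/yaml_tree_builder.rb
+++ b/data/lib/yaml_vault/yaml_tree_builder.rb
@@ -3,11 +3,13 @@ require 'yaml'
 
 module YamlVault
 class YAMLTreeBuilder < YAML::TreeBuilder
-def initialize(target_paths, cryptor, mode)
+def initialize(target_paths, prefix, suffix, cryptor, mode)
 super()
 
 @path_stack = []
 @target_paths = target_paths
+@prefix = prefix
+@suffix = suffix
 @cryptor = cryptor
 @mode = mode
 end
@@ -74,7 +76,9 @@ module YamlVault
 else
 result.value = @cryptor.encrypt(value)
 end
+result.value = add_prefix_and_suffix(result.value)
 else
+value = remove_prefix_and_suffix(value)
 decrypted_value = @cryptor.decrypt(value).to_s
 if decrypted_value =~ /\A(!.*?)\s+(.*)\z/
 result.tag = $1
@@ -100,6 +104,20 @@ module YamlVault
 
 private
 
+def add_prefix_and_suffix(value)
+return "#{@prefix}#{value}#{@suffix}"
+end
+
+def remove_prefix_and_suffix(value)
+if @prefix != nil && value.start_with?(@prefix)
+value = value.delete_prefix(@prefix)
+end
+if @suffix != nil && value.end_with?(@suffix)
+value = value.delete_suffix(@suffix)
+end
+value
+end
+
 def match_path?
 @target_paths.any? do |target_path|
 target_path.each_with_index.all? do |path, i|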
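Review bot: In `remove_prefix_and_suffix` (hunk at line 104) the `@prefix != nil && value.start_with?(@prefix)` guards are redundant — `String#delete_prefix`/`delete_suffix` already return the content unchanged when the affix is absent — and `!= nil` is not idiomatic Ruby; the whole body can be `value.delete_prefix(@prefix.to_s).delete_suffix(@suffix.to_s)`, which also covers a nil affix, and `add_prefix_and_suffix` needs no explicit `return`. A value that does not carry the configured prefix reaches `@cryptor.decrypt` untouched (hunk at line 76), so a `--prefix` that differs from the one used at encryption time is only caught, if at all, by the cryptor; a one-line comment on that pass-through would save the next reader from wondering whether it is intentional. This section is labelled `data/lib/yaml_vault/version.rb` on the page, but its hunks (+19 −1) match the `yaml_tree_builder.rb` entry in the diffstat. The method enclosing the hunk at line 76 starts and ends outside it.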
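--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yaml_vault
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.2.0
 platform: ruby
 authors:
 - joker1007
-autorequire:
+autorequire:
 bindir: exe
 cert_chain: []
-date:
+date: 2021-04-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -110,7 +110,7 @@ homepage: https://github.com/joker1007/yaml_vault
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -125,8 +125,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
-signing_key:
+rubygems_version: 3.2.3
+signing_key:
 specification_version: 4
 summary: yaml encryption/decryption helper.
 test_files: []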