author | Wojciech Wnętrzak <w.wnetrzak@gmail.com> | 2017-11-14 11:44:23 +0100 |
committer | Kasper Timm Hansen <kaspth@gmail.com> | 2017-11-15 21:29:15 +0100 |
commit | 7a8728a03986489e1c843ed850afc2c16fb6eb06 (patch) | |
tree | 697428ddbb785a4ce32a77a43a5487914d28d3d1 /railties/lib/rails/generators | |
parent | ed100166874fb4a542c5aaba933a4cca5ed72269 (diff) | |
Add CLI to manage encrypted files/configs.
To edit or show an encrypted file:
```
bin/rails encrypted:edit config/staging_tokens.yml.enc
bin/rails encrypted:edit config/staging_tokens.yml.enc --key config/staging.key
bin/rails encrypted:show config/staging_tokens.yml.enc
```
Also provides a backing Rails.application.encrypted API for Ruby access:
```ruby
Rails.application.encrypted("config/staging_tokens.yml.enc").read
Rails.application.encrypted("config/staging_tokens.yml.enc").config
Rails.application.encrypted("config/staging_tokens.yml.enc", key: "config/staging.key")
```
Diffstat (limited to 'railties/lib/rails/generators')
4 files changed, 110 insertions, 24 deletions
diff --git a/railties/lib/rails/generators/rails/credentials/credentials_generator.rb b/railties/lib/rails/generators/rails/credentials/credentials_generator.rb
index 52cb4bd8bf..ab15da5423 100644
--- a/railties/lib/rails/generators/rails/credentials/credentials_generator.rb
+++ b/railties/lib/rails/generators/rails/credentials/credentials_generator.rb
@@ -7,14 +7,11 @@ require "active_support/encrypted_configuration"
 module Rails
 module Generators
 class CredentialsGenerator < Base
- CONFIG_PATH = "config/credentials.yml.enc"
- KEY_PATH = "config/master.key"
-
 def add_credentials_file
- unless File.exist?(CONFIG_PATH)
+ unless credentials.exist?
 template = credentials_template
- say "Adding #{CONFIG_PATH} to store encrypted credentials."
+ say "Adding #{credentials.content_path} to store encrypted credentials."
 say ""
 say "The following content has been encrypted with the Rails master key:"
 say ""
@@ -29,13 +26,17 @@ module Rails
 end
 def add_credentials_file_silently(template = nil)
- unless File.exist?(CONFIG_PATH)
- setup = { config_path: CONFIG_PATH, key_path: KEY_PATH, env_key: "RAILS_MASTER_KEY" }
- ActiveSupport::EncryptedConfiguration.new(setup).write(credentials_template)
- end
+ credentials.write(credentials_template)
 end
 private
+ def credentials
+ ActiveSupport::EncryptedConfiguration.new \
+ config_path: "config/credentials.yml.enc",
+ key_path: "config/master.key",
+ env_key: "RAILS_MASTER_KEY"
+ end
+
 def credentials_template
 "# aws:\n# access_key_id: 123\n# secret_access_key: 345\n\n" +
 "# Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.\n" +
diff --git a/railties/lib/rails/generators/rails/encrypted_file/encrypted_file_generator.rb b/railties/lib/rails/generators/rails/encrypted_file/encrypted_file_generator.rb
new file mode 100644
index 0000000000..ddce5f6fe2
--- /dev/null
+++ b/railties/lib/rails/generators/rails/encrypted_file/encrypted_file_generator.rb
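Review bot: `add_credentials_file_silently` lost the `unless File.exist?` guard the removed lines had, so `credentials.write(credentials_template)` now runs unconditionally and, unless EncryptedConfiguration#write itself refuses to overwrite (not visible here), replaces an existing config/credentials.yml.enc with a fresh template, losing whatever secrets it held. The interactive `add_credentials_file` checks `credentials.exist?` before reaching this method, but the silent variant is public and callable on its own. Keep the guard in the method that does the write: `credentials.write(credentials_template) unless credentials.exist?`. The `template` parameter is still ignored on the new side; `credentials.write(template || credentials_template)` would honor it without changing the signature.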
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require "rails/generators/base"
+require "active_support/encrypted_file"
+
+module Rails
+ module Generators
+ class EncryptedFileGenerator < Base
+ def add_encrypted_file(file_path, key_path)
+ unless File.exist?(file_path)
+ say "Adding #{file_path} to store encrypted content."
+ say ""
+ say "The following content has been encrypted with the encryption key:"
+ say ""
+ say template, :on_green
+ say ""
+
+ add_encrypted_file_silently(file_path, key_path)
+
+ say "You can edit encrypted file with `bin/rails encrypted:edit #{file_path}`."
+ say ""
+ end
+ end
+
+ def add_encrypted_file_silently(file_path, key_path, template = encrypted_file_template)
+ unless File.exist?(file_path)
+ setup = { content_path: file_path, key_path: key_path, env_key: "RAILS_MASTER_KEY" }
+ ActiveSupport::EncryptedFile.new(setup).write(template)
+ end
+ end
+
+ private
+ def encrypted_file_template
+ "# aws:\n# access_key_id: 123\n# secret_access_key: 345\n\n"
+ end
+ end
+ end
+end
diff --git a/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb b/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb
new file mode 100644
index 0000000000..dd0d0c6c66
--- /dev/null
+++ b/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb
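Review bot: `say template, :on_green` in `add_encrypted_file` uses a name that is never assigned in that method; on a Thor-based generator it would presumably resolve to the `template` action rather than to any file contents, so the preview of what is about to be encrypted cannot work as written. The sibling `add_encrypted_file_silently` already defaults its third argument to `encrypted_file_template`, so the same helper belongs here: `say encrypted_file_template, :on_green`. Separately, `env_key: "RAILS_MASTER_KEY"` is hard-coded in `add_encrypted_file_silently` even though every caller passes an explicit `key_path`; if EncryptedFile prefers the environment key over the key file (not visible in this hunk), a file created with `--key config/staging.key` on a machine that exports RAILS_MASTER_KEY would be encrypted under the master key instead, and the "encrypted with the encryption key" message would not reveal that. Exposing `env_key` as a keyword parameter that defaults to the current value would let the command layer decide which key source applies.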
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require "pathname"
+require "rails/generators/base"
+require "active_support/encrypted_file"
+
+module Rails
+ module Generators
+ class EncryptionKeyFileGenerator < Base
+ def add_key_file(key_path)
+ key_path = Pathname.new(key_path)
+
+ unless key_path.exist?
+ key = ActiveSupport::EncryptedFile.generate_key
+
+ log "Adding #{key_path} to store the encryption key: #{key}"
+ log ""
+ log "Save this in a password manager your team can access."
+ log ""
+ log "If you lose the key, no one, including you, can access anything encrypted with it."
+
+ log ""
+ add_key_file_silently(key_path, key)
+ log ""
+ end
+ end
+
+ def add_key_file_silently(key_path, key = nil)
+ create_file key_path, key || ActiveSupport::EncryptedFile.generate_key
+ end
+
+ def ignore_key_file(key_path, ignore: key_ignore(key_path))
+ if File.exist?(".gitignore")
+ unless File.read(".gitignore").include?(ignore)
+ log "Ignoring #{key_path} so it won't end up in Git history:"
+ log ""
+ append_to_file ".gitignore", ignore
+ log ""
+ end
+ else
+ log "IMPORTANT: Don't commit #{key_path}. Add this to your ignore file:"
+ log ignore, :on_green
+ log ""
+ end
+ end
+
+ private
+ def key_ignore(key_path)
+ [ "", "/#{key_path}", "" ].join("\n")
+ end
+ end
+ end
+end
diff --git a/railties/lib/rails/generators/rails/master_key/master_key_generator.rb b/railties/lib/rails/generators/rails/master_key/master_key_generator.rb
index 29d83f5d81..e57f07c1ae 100644
--- a/railties/lib/rails/generators/rails/master_key/master_key_generator.rb
+++ b/railties/lib/rails/generators/rails/master_key/master_key_generator.rb
@@ -1,7 +1,8 @@
 # frozen_string_literal: true
-require "rails/generators/base"
 require "pathname"
+require "rails/generators/base"
+require "rails/generators/rails/encryption_key_file/encryption_key_file_generator"
 require "active_support/encrypted_file"
 module Rails
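Review bot: `add_key_file_silently` writes the key with `create_file`, which leaves the new file at whatever mode the process umask yields (commonly readable by every local account), so the material that unlocks the encrypted files is no more protected than an ordinary source file; the master key generator had the same gap before, but this class now produces arbitrary key files for the new encrypted-file workflow. Tightening the mode right after creation, e.g. `chmod key_path, 0o600, verbose: false` (Thor's chmod action, assuming Base exposes it), keeps the key private without changing the interface. `add_key_file` also echoes the full key to the terminal in `log "Adding #{key_path} to store the encryption key: #{key}"`, where it ends up in scrollback and CI output; since `add_key_file_silently` exists for that situation, a one-line comment above the `log` stating that printing the key is intentional for interactive setup, and that automated callers should use the silent variant, would make the trade-off explicit for the next maintainer.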
@@ -20,31 +21,24 @@ module Rails
 log "If you lose the key, no one, including you, can access anything encrypted with it."
 log ""
- add_master_key_file_silently key
+ add_master_key_file_silently(key)
 log ""
 end
 end
 def add_master_key_file_silently(key = nil)
- create_file MASTER_KEY_PATH, key || ActiveSupport::EncryptedFile.generate_key
+ key_file_generator.add_key_file_silently(MASTER_KEY_PATH, key)
 end
 def ignore_master_key_file
- if File.exist?(".gitignore")
- unless File.read(".gitignore").include?(key_ignore)
- log "Ignoring #{MASTER_KEY_PATH} so it won't end up in Git history:"
- log ""
- append_to_file ".gitignore", key_ignore
- log ""
- end
- else
- log "IMPORTANT: Don't commit #{MASTER_KEY_PATH}. Add this to your ignore file:"
- log key_ignore, :on_green
- log ""
- end
+ key_file_generator.ignore_key_file(MASTER_KEY_PATH, ignore: key_ignore)
 end
 private
+ def key_file_generator
+ EncryptionKeyFileGenerator.new
+ end
+
 def key_ignore
 [ "", "# Ignore master key for decrypting credentials and more.", "/#{MASTER_KEY_PATH}", "" ].join("\n")
 end |
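Review bot: `key_file_generator` constructs `EncryptionKeyFileGenerator.new` with no arguments, so the delegate that now performs `create_file` and `append_to_file` on behalf of `add_master_key_file_silently` and `ignore_master_key_file` does not receive this generator's options or configuration; as far as I can tell, whatever quiet/force/pretend behaviour or destination root the outer generator was invoked with is silently dropped and the delegate runs with Thor's defaults. If Base keeps Thor::Group's constructor, forwarding them would look like `EncryptionKeyFileGenerator.new([], options, destination_root: destination_root)`. Since both public methods call the helper, memoizing it with `@key_file_generator ||= ...` would also avoid building two differently-configured delegates in one run. The enclosing `add_master_key_file` starts before this hunk.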